UPSTREAM: <carry>: Remove write permissions on daemonsets from Kubernetes bootstrap policy

Due to how daemonsets interact with the project node selector,
we need to limit write access to them to the cluster admin.

Bug 1536304
Bug 1501514

Signed-off-by: Monis Khan <[email protected]>

Author: enj

test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml

@@ -4857,7 +4857,6 @@ items:
   - apiGroups:
     - apps
     resources:
-    - daemonsets
     - deployments
     - deployments/rollback
     - deployments/scale
@@ -4873,6 +4872,14 @@ items:
     - patch
     - update
     - watch
+  - apiGroups:
+    - apps
+    resources:
+    - daemonsets
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - autoscaling
     resources:
@@ -4903,7 +4910,6 @@ items:
   - apiGroups:
     - extensions
     resources:
-    - daemonsets
     - deployments
     - deployments/rollback
     - deployments/scale
@@ -4920,6 +4926,14 @@ items:
     - patch
     - update
     - watch
+  - apiGroups:
+    - extensions
+    resources:
+    - daemonsets
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - policy
     resources:
@@ -5036,7 +5050,6 @@ items:
   - apiGroups:
     - apps
     resources:
-    - daemonsets
     - deployments
     - deployments/rollback
     - deployments/scale
@@ -5052,6 +5065,14 @@ items:
     - patch
     - update
     - watch
+  - apiGroups:
+    - apps
+    resources:
+    - daemonsets
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - autoscaling
     resources:
@@ -5082,7 +5103,6 @@ items:
   - apiGroups:
     - extensions
     resources:
-    - daemonsets
     - deployments
     - deployments/rollback
     - deployments/scale
@@ -5099,6 +5119,14 @@ items:
     - patch
     - update
     - watch
+  - apiGroups:
+    - extensions
+    resources:
+    - daemonsets
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - policy
     resources:

test/testdata/bootstrappolicy/bootstrap_policy_file.yaml

@@ -5319,7 +5319,6 @@ items:
     - apps
     attributeRestrictions: null
     resources:
-    - daemonsets
     - deployments
     - deployments/rollback
     - deployments/scale
@@ -5335,6 +5334,15 @@ items:
     - patch
     - update
     - watch
+  - apiGroups:
+    - apps
+    attributeRestrictions: null
+    resources:
+    - daemonsets
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - autoscaling
     attributeRestrictions: null
@@ -5368,7 +5376,6 @@ items:
     - extensions
     attributeRestrictions: null
     resources:
-    - daemonsets
     - deployments
     - deployments/rollback
     - deployments/scale
@@ -5385,6 +5392,15 @@ items:
     - patch
     - update
     - watch
+  - apiGroups:
+    - extensions
+    attributeRestrictions: null
+    resources:
+    - daemonsets
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - policy
     attributeRestrictions: null
@@ -5510,7 +5526,6 @@ items:
     - apps
     attributeRestrictions: null
     resources:
-    - daemonsets
     - deployments
     - deployments/rollback
     - deployments/scale
@@ -5526,6 +5541,15 @@ items:
     - patch
     - update
     - watch
+  - apiGroups:
+    - apps
+    attributeRestrictions: null
+    resources:
+    - daemonsets
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - autoscaling
     attributeRestrictions: null
@@ -5559,7 +5583,6 @@ items:
     - extensions
     attributeRestrictions: null
     resources:
-    - daemonsets
     - deployments
     - deployments/rollback
     - deployments/scale
@@ -5576,6 +5599,15 @@ items:
     - patch
     - update
     - watch
+  - apiGroups:
+    - extensions
+    attributeRestrictions: null
+    resources:
+    - daemonsets
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - policy
     attributeRestrictions: null