rbac: correctly deploy karydia in the control plane

[alban]

This fixes the scripts and the documentation to install karydia in the Gardener control plane.

• use RBAC instead of giving admin privileges
  • the rbac config is different than the main one because the {,Cluster}RoleBindings apply to different subjects
• this use a different script to install in the control plane because:
  • we need to use a kubeconfig rather than a ServiceAccount, since it runs in a different Kubernetes cluster
  • we apply a different karydia configuration

This follows similar work in #36 Fixes https://github.com/kinvolk/karydia/issues/38

[alban]

PR updated.

I made some progress: kube-mgmt now connects to the correct API server and it recognises its certificate. However, there is still something wrong with kube-mgmt client certificate, as the API server does not recognise it.

$ kubectl --kubeconfig=seed.kubeconfig  -n shoot--core--$NAME exec -ti  karydia-775f7579fd-5szx2 -c kube-mgmt -- ./kubectl -v 10  --kubeconfig=/var/lib/kube-mgmt/kubeconfig get pods
...
Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}

The error in the API Server logs:

[x509: certificate signed by unknown authority, x509: certificate specifies an incompatible key usage]

[alban]

PR updated.

• the kubeconfigs now work fine

TODO:

• [x] rbac-cp.yaml needs fixes. I need separate rbac rules because the subjects are different (ServiceAccount vs User with a signed certificate)

[alban]

@schu updated