Update RBAC rules for Armada API

We are getting the following errors [0] while using the
Armada Client to execute 'Armada Apply'

This patch set is meant to grant watch/get/list rights
to armada-api

[0] Error messages:

armada.exceptions.api_exceptions.ClientError: Error - received 500: {"message": "Failed to apply manifest: (403)\nReason: Forbidden\nHTTP response headers: HTTPHeaderDict({'X-Content-Type-Options': 'nosniff', 'Content-Length': '243', 'Content-Type': 'application/json', 'Date': 'Sat, 27 Jan 2018 19:26:09 GMT'})\nHTTP response body: b'{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"pods is forbidden: User \\\\\"system:serviceaccount:ucp:armada-api\\\\\" cannot watch pods at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"kind\":\"pods\"},\"code\":403}\\n'\n", "type": "error", "retry": false}

Change-Id: I71c23021c08fc4c79f2f33d71c140e23987160fe

charts/armada/templates/deployment-api.yaml

@@ -22,6 +22,37 @@ limitations under the License.
 {{- $serviceAccountName := "armada-api" }}
 {{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: armada-api-runner
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+      - nodes/proxy
+      - services
+      - endpoints
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: run-armada-api
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: armada-api-runner
+  apiGroup: rbac.authorization.k8s.io
+---
 apiVersion: apps/v1beta1
 kind: Deployment
 metadata: