Enable calico CNI kubeconfig token monitor

[emiran-orange]

What type of PR is this?
/kind bug

What this PR does / why we need it:
It enables Calico serviceAccount token monitoring and update of /etc/cni/net.d/calico-kubeconfig if need be.

Which issue(s) this PR fixes:
None

Special notes for your reviewer:
Since K8S 1.21, BoundServiceAccountTokenVolume feature gate is in beta stage, thus activated by default (anyone who follows CSI guidelines has enabled AllAlpha and faced the issue before 1.21).
With this feature, SA tokens are regenerated every hour.
As a consequence for Calico CNI, token in /etc/cni/net.d/calico-kubeconfig copied from /var/run/secrets/kubernetes.io/serviceaccount in install-cni initContainer expires after one hour and any pod creation fails due to unauthorization.
Calico pods need to be restarted so that /etc/cni/net.d/calico-kubeconfig is updated with the new SA token.

Does this PR introduce a user-facing change?:
None that I know of

[k8s-ci-robot]

Hi @emiran-orange. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[oomichi]

/ok-to-test

[emiran-orange]

@oomichi Seems like tf-elastx_ubuntu18-calico job failure is unrelated with the changes in the PR. Any hint ?

[oomichi]

@oomichi Seems like tf-elastx_ubuntu18-calico job failure is unrelated with the changes in the PR. Any hint ?

You are right.
The job was failed like

PLAY [all] *********************************************************************
TASK [Wait until SSH is available] *********************************************
Thursday 06 May 2021  15:47:57 +0000 (0:00:00.036)       0:00:00.036 ********** 
fatal: [1242024190-k8s-node-1]: FAILED! => {"changed": false, "elapsed": 240, "msg": "Timeout when waiting for 185.141.30.212:22"}
fatal: [1242024190-k8s-master-1]: FAILED! => {"changed": false, "elapsed": 240, "msg": "Timeout when waiting for 185.141.30.163:22"}
PLAY RECAP *********************************************************************

That seems unrelated to this pr, let me rerun the job again.

[champtar]

@emiran-orange your PR description makes a good job explaining the problem, it would be really nice to have all that in the commit message, so all the informations are available from git without going to github

[emiran-orange]

@champtar Sorry I forgot (again). Is it ok now ?

[champtar]

Yes, thanks
/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: emiran-orange, floryut

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [floryut]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment