binding clusterrole system:kube-scheduler to sa tidb-scheduler

[shonge]

What problem does this PR solve?

#1252

What is changed and how does it work?

Service account tidb-scheduler is bound three roles/clusterroles :

1. tidb-scheduler (role or cluster-role)
2. system:kube-scheduler (cluster-role)
3. system:volume-scheduler (cluster-role)

Check List

Tests

• Unit test
• E2E test
• Manual test (add detailed scripts or steps below)
• No code

Code changes

• Has Helm charts change

Side effects

• Breaking backward compatibility
  
  Related changes

• Need to cherry-pick to the release branch

• Need to update the documentation

Does this PR introduce a user-facing change?:

Use cluster-role system:kube-scheduler to binding service account tidb-scheduler.

[cofyc]

/run-e2e-test

[cofyc]

xref: #1356

[cofyc]

hi, tidb-scheduler pod has two components:

• tidb-scheduler/kube-scheduler needs permission of clusterrole system:kube-scheduler
• tidb-scheduler/tidb-scheduler needs some extra permissions (our CRDs, etc).

So, in addition to bind the the service account of tidb-scheduler to clusterrole system:kube-scheduler, we need to create a clusterrole for tidb-scheduler/tidb-scheduler.

[shonge]

@cofyc PTAL

[cofyc]

permissions for kube-scheduler can be removed from {{ .Release.Name }}:{{ .Values.scheduler.schedulerName }} because the service account has been bound to system:kube-scheduler, you can go through tidb-scheduler code to check what permission it needs.

is it ok to remove non-clusterScoped support? cc @tennix @weekface @aylei

[cofyc]

/run-e2e-test

[cofyc]

/run-e2e-test

[aylei]

LGTM

[cofyc]

LGTM Thanks for you contributions!

[sre-bot]

cherry pick to release-1.0 failed

[cofyc]

@shonge can you help cherry-pick this PR into release-1.0? /hack/cherry_pick_pull.sh can help you to create a cherry-pick PR if you have hub installed locally.