add custom rbac role for system:nodes

roles/rbac/tasks/main.yml

@@ -18,6 +18,8 @@
     - {name: kubedns, file: kubedns-clusterrolebinding.yml, type: clusterrolebinding}
     - {name: 'custom:system:kube-dns', file: 'custom:system:kube-dns-clusterrole.yml', type: clusterrole}
     - {name: 'custom:system:kube-dns', file: 'custom:system:kube-dns-clusterrolebinding.yml', type: clusterrolebinding}
+    - {name: 'custom:system:node', file: 'custom:system:node-clusterrole.yml', type: clusterrole}
+    - {name: 'custom:system:node', file: 'custom:system:node-clusterrolebinding.yml', type: clusterrolebinding}
     - {name: fluentd, file: fluentd-clusterrole.yml, type: clusterrole}
     - {name: fluentd, file: fluentd-clusterrolebinding.yml, type: clusterrolebinding}
   register: manifests

roles/rbac/templates/custom:system:node-clusterrole.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: custom:system:node
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - list
+  - watch

roles/rbac/templates/custom:system:node-clusterrolebinding.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: custom:system:node
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: custom:system:node
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:nodes