ark sa always needs namespace create perms

[MansM]

What steps did you take and what happened:
We want to run ark without any restore permissions at this moment in time.
We are running openshift 3.9 (in this case on minishift)
I created a copy of cluster-reader clusterrole and added:

- apiGroups:
  - ark.heptio.com
  resources:
  - '*'
  verbs:
  - '*'

when starting ark:
An error occurred: error creating namespace config-hist: namespaces is forbidden: User "system:serviceaccount:config-hist:ark" cannot create namespaces at the cluster scope: User "system:serviceaccount:config-hist:ark" cannot create namespaces at the cluster scope

What did you expect to happen:
running ark, able to make backups

Anything else you would like to add:

Environment:

• Ark version 0.9.0
• Kubernetes version:
  oc v3.9.0+191fece
  kubernetes v1.9.1+a0ce1bc657
  features: Basic-Auth

Server https://192.168.99.110:8443
openshift v3.9.0+71543b2-33
kubernetes v1.9.1+a0ce1bc657

• Kubernetes installer & version: minishift v1.21.0+a8c8b37 with centos image
• Cloud provider or hardware configuration: apple macbook
• OS (e.g. from /etc/os-release): minishift start --iso-url centos

[ncdc]

@MansM Ark currently attempts to create the namespace in which it runs. We should probably remove this logic and require you to create the namespace first. @skriss @nrb wdyt?

[MansM]

Or make the auto creation configurable. Though I wonder how it can even create the namespace. As an deployment should run in a namespace to even be able to access the sa to connect to the api. I can be mistaken....

[nrb]

I think requiring the namespace be created beforehand is fine.

[skriss]

@ncdc @nrb agree, I think we can remove the attempt to create. I'll get a patch in for this, and we can include it in v0.9.1 which I think we'll probably try to release next week. Thanks for reporting this @MansM !