Permission to create servcice account tokens

* We need the ability to create service account token
  because this is required by clientbuilder/controller-manager
  framework which we will be using in 1.21.
* This is required for the CCM to use 1 SA per controller, which
  follows principle of least privilege and makes audit logs easier
  to understand
* Restricts token creation to resource names "node-controller",
  "service-controller", and "route-controller".

upup/models/cloudup/resources/addons/aws-cloud-controller.addons.k8s.io/k8s-1.18.yaml.template

@@ -145,6 +145,16 @@ rules:
   verbs:
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts/token
+  resourceNames:
+  - node-controller
+  - service-controller
+  - route-controller
+  verbs:
+  - create
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awscloudcontroller/aws-cloud-controller.addons.k8s.io-k8s-1.18.yaml

@@ -173,6 +173,16 @@ rules:
   verbs:
   - list
   - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - node-controller
+  - service-controller
+  - route-controller
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
 
 ---
 

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awscloudcontroller/manifest.yaml

@@ -55,7 +55,7 @@ spec:
   - id: k8s-1.18
     kubernetesVersion: '>=1.18.0'
     manifest: aws-cloud-controller.addons.k8s.io/k8s-1.18.yaml
-    manifestHash: f3798709f4bc0eec2e211fda6f629fdae0e0b297
+    manifestHash: c0a92fc15661776506a8861a5600315b930a599b
     name: aws-cloud-controller.addons.k8s.io
     selector:
       k8s-addon: aws-cloud-controller.addons.k8s.io