Allow aws-iam-authenticator to be scheduled onto dedicated apiserver nodes

[rifelpet]

Also adding the CCM toleration to match dns-controller in #12389

Fixes #12390

[justinsb]

Makes sense to me to tolerate the apiserver taint; apiserver talks to the authentication webhook over a localhost URL, so it has to run on every apiserver pod.

One question would be whether we should be running it with a universal toleration, but we can discuss this at office hours sometime. Would be good to get some rules here!

/approve
/lgtm

I think we should @olemarkus approve though, as IIRC they were the main author of the dedicated apiserver nodes.

/hold for olemarkus to take a look

/assign @olemarkus

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: justinsb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [justinsb]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[olemarkus]

Looks good

/hold cancel

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest