NodeTopologyResource ClusterRole and ClusterRoleBinding

 - Required to access NodeResourceTopology CRD instances
 - Update minor formatting issues

Signed-off-by: Swati Sehgal <[email protected]>
Signed-off-by: Alexey Perevalov <[email protected]>

Author: swatisehgal

keps/sig-node/20200619-provisioning-resources-with-numa-topology.md

@@ -10,11 +10,12 @@ participating-sigs:
 reviewers:
   - "@dchen1107"
   - "@derekwaynecarr"
+  - "@klueska"
 approvers:
   - "@dchen1107"
   - "@derekwaynecarr"
 creation-date: 2020-06-19
-last-updated: 2020-06-19
+last-updated: 2020-08-12
 status: implementable
 see-also:
   - "/keps/sig-scheduling/20200612-deducted-topology-manager.md"
@@ -169,6 +170,41 @@ One CRD instance contains information of available resources of the appropriate
 
 ### Integration into Node Feature Discovery
 
+In order to allow the NFD-master Daemon to create, get, update, delete NodeResourceTopology CRD instances, ClusterRole and ClusterRoleBinding would have to be configured as below:
+
+``` yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: noderesourcetopology-handler
+rules:
+- apiGroups: ["topology.node.k8s.io"]
+  resources: ["noderesourcetopologies"]
+  verbs: ["*"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["*"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: handle-noderesourcetopology
+subjects:
+- kind: ServiceAccount
+  name: noderesourcetopology-account
+  namespace: default
+roleRef:
+  kind: ClusterRole
+  name: noderesourcetopology-handler
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: noderesourcetopology-account
+```
+
+`serviceAccountName: noderesourcetopology-account` would have to be added to the manifest file of the Daemon.
 
 ### Graduation Criteria