This repository has been archived by the owner on Dec 12, 2020. It is now read-only.

pods fail to start in a fresh aks cluster #8

Open
paulgrav opened this issue Mar 9, 2019 · 0 comments

paulgrav commented Mar 9, 2019

Steps to reproduce

  1. Provision an aks cluster: az aks create --name testregwrite -g testregwrite
  2. Grab creds: az aks get-credentials -g testregwrite --name testregwrite
  3. Create a service account for tiller:
     kubectl create serviceaccount --namespace kube-system tiller
     kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
  4. Install helm: helm init --service-account tiller
  5. Install registry rewriter:
     helm install -n registry-writer --namespace kube-system \
       --set containerRegistryUrl=<url> \
       --set caBundle=<caBundle> \
       --set webhookImage=lawrencegripper/imagenamemutatingcontroller:30 \
       --set imagePullSecretName=cluster-local-image-secret \
       https://github.com/lawrencegripper/MutatingAdmissionsController/releases/download/v0.1.1/registry-rewriter-0.1.0.tgz

Actual results:

kubectl logs registry-writer-registry-rewriter-bqng5 -n kube-system

creating certs in tmpdir /tmp/tmp.Mw4KoGqRGu 
Generating RSA private key, 2048 bit long modulus
...................................+++
................+++
e is 65537 (0x10001)
Error from server (Forbidden): error when creating "STDIN": certificatesigningrequests.certificates.k8s.io is forbidden: User "system:serviceaccount:kube-system:default" cannot create certificatesigningrequests.certificates.k8s.io at the cluster scope

Notes:

I can work around this issue by granting kube-system:default cluster-admin but I’m guessing this isn’t good practice. E.g., kubectl create clusterrolebinding add-on-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default
The software works fine if I helm install after the above.

Is the fix to update the deployment.yaml to allow a service-account to be specified? Then is there a particular clusterrole that we can use besides cluster-admin?
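The least-privilege alternative the question above asks about, as an added example that is not code from the MutatingAdmissionsController project or its chart: a dedicated ServiceAccount bound to a ClusterRole that covers only CertificateSigningRequests, the resource the Forbidden error names. The names registry-rewriter and registry-rewriter-csr are assumptions, as is the approval rule (needed only if the chart's cert-bootstrap script approves its own CSR); the webhook Deployment's pod spec would need serviceAccountName: registry-rewriter to use it.

```shell
#!/bin/sh
# Added example, not from the MutatingAdmissionsController project: a dedicated
# ServiceAccount limited to CertificateSigningRequests instead of cluster-admin.
# Names (registry-rewriter, registry-rewriter-csr) are assumptions.
rbac_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: registry-rewriter
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: registry-rewriter-csr
rules:
  # CSRs are cluster-scoped, hence a ClusterRole rather than a Role.
  # "create" is the verb that failed in the issue; the others let the
  # bootstrap script poll for and clean up its own request.
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests"]
    verbs: ["create", "get", "list", "watch", "delete"]
  # Assumption: the script also approves its own CSR (kubectl certificate
  # approve updates the approval subresource). Remove if a human approves.
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests/approval"]
    verbs: ["update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: registry-rewriter-csr
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: registry-rewriter-csr
subjects:
  - kind: ServiceAccount
    name: registry-rewriter
    namespace: kube-system
EOF
}
# Sanity check before applying: the manifest must never bind cluster-admin.
grants_cluster_admin() { rbac_manifest | grep -q 'name: cluster-admin'; }
```

Apply with rbac_manifest | kubectl apply -f - and confirm the grant with kubectl auth can-i create certificatesigningrequests --as=system:serviceaccount:kube-system:registry-rewriter; on Kubernetes 1.18 and later, approving a CSR additionally needs the approve verb on the signers resource.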
