Merge pull request #784 from diegs/checkpointer-e2e

e2e: make checkpointer tests more robust.

Author: dghubble

cmd/checkpoint/README.md

@@ -88,14 +88,15 @@ Once it reaches the API server and finds out that it's no longer being scheduled
 ### RBAC Requirements
 
 By default, the pod checkpoint runs with service account credentials, checkpointing its own
-service account secret for reboots. That service account must be bound to a ClusterRole that
-lets the pod checkpoint watch for Pods with the checkpoint annotation, then save ConfigMaps and
-Secrets referenced by those Pods.
+service account secret for reboots. That service account must be bound to a Role that lets the
+pod checkpoint watch for Pods with the checkpoint annotation, then save ConfigMaps and Secrets
+referenced by those Pods.
 
 ```yaml
-kind: ClusterRole
+kind: Role
 metadata:
   name: pod-checkpointer
+  namespace: kube-system
 rules:
 - apiGroups: [""] # "" indicates the core API group
   resources: ["pods"]
@@ -104,6 +105,3 @@ rules:
   resources: ["secrets", "configmaps"]
   verbs: ["get"]
 ```
-
-Currently the pod checkpoint watches all pods in all namespaces, and requires a ClusterRole and
-ClusterRoleBinding. In the future the pod checkpoint may be restricted to `kube-system`.