Add ServiceAccount for svclb pods

For 1.24 and earlier, the svclb pods need a ServiceAccount so that we can allow their sysctls in PSPs

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

pkg/cloudprovider/servicelb.go

@@ -56,6 +56,10 @@ func (k *k3s) Register(ctx context.Context,
 		return err
 	}
 
+	if err := k.createServiceLBServiceAccount(ctx); err != nil {
+		return err
+	}
+
 	go wait.Until(k.runWorker, time.Second, ctx.Done())
 
 	return k.removeServiceFinalizers(ctx)
@@ -74,6 +78,20 @@ func (k *k3s) createServiceLBNamespace(ctx context.Context) error {
 	return err
 }
 
+// createServiceLBServiceAccount ensures that the ServiceAccount used by pods exists
+func (k *k3s) createServiceLBServiceAccount(ctx context.Context) error {
+	_, err := k.client.CoreV1().ServiceAccounts(k.LBNamespace).Create(ctx, &core.ServiceAccount{
+		ObjectMeta: meta.ObjectMeta{
+			Name:      "svclb",
+			Namespace: k.LBNamespace,
+		},
+	}, meta.CreateOptions{})
+	if apierrors.IsAlreadyExists(err) {
+		return nil
+	}
+	return err
+}
+
 // onChangePod handles changes to Pods.
 // If the pod has labels that tie it to a service, and the pod has an IP assigned,
 // enqueue an update to the service's status.
@@ -422,6 +440,7 @@ func (k *k3s) newDaemonSet(svc *core.Service) (*apps.DaemonSet, error) {
 					},
 				},
 				Spec: core.PodSpec{
+					ServiceAccountName:           "svclb",
 					AutomountServiceAccountToken: utilpointer.Bool(false),
 				},
 			},