Even with `--force-namespace-isolation`, nginx-ingress-controller still queries for it's own namespace, so give it access to querying namespaces within it's namespace in the nginx-ingress-role.
Using gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.7
the nginx-controller needs to handle leader-election via configmaps.
To perform the leader-election the nginx-controller needs to have the
appropiate RBAC permissions.
Previously to this fix, the following errors occured:
- cannot get configmaps in the namespace "NAMESPACE_PLACEHOLDER". (get configmaps ingress-controller-leader-nginx)
- initially creating leader election record: User "system:serviceaccount:NAMESPACE_PLACEHOLDER" cannot create configmaps in the namespace "NAMESPACE_PLACEHOLDER". (post configmaps)
fix ingress rbac roles
There was 2 things that the current IC (0.9 beta7) needs.
The ClusterRole was missing `get nodes`:
```
RBAC DENY: user "system:serviceaccount:kube-system:nginx-ingress-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "get" resource "nodes" named "xxx" cluster-wide
```
The Role was missing `update configmaps`:
```RBAC DENY: user "system:serviceaccount:kube-system:nginx-ingress-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "update" resource "configmaps" named "ingress-controller-leader-nginx" in namespace "kube-system"```
removed update configmap because of #798
rebased on master, moved get nodes to own rule
added get nodes to cluster permissions
