Merge pull request #65070 from davidz627/fix/externalProvisionerClusterRole

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Added PV GET api rule to external-provisioner

Adds the PV GET API rule to the system:external-provisioner cluster role. It is required because the provisioner does a GET here:
https://github.com/kubernetes-incubator/external-storage/blob/master/lib/controller/controller.go#L1121

Fixes #65058

/sig storage
/kind bug
/priority critical-urgent
/cc @msau42 @sbezverk 

```release-note
NONE
```

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go

@@ -466,7 +466,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
 			// a role for the csi external provisioner
 			ObjectMeta: metav1.ObjectMeta{Name: "system:csi-external-provisioner"},
 			Rules: []rbacv1.PolicyRule{
-				rbacv1helpers.NewRule("create", "delete", "list", "watch").Groups(legacyGroup).Resources("persistentvolumes").RuleOrDie(),
+				rbacv1helpers.NewRule("create", "delete", "get", "list", "watch").Groups(legacyGroup).Resources("persistentvolumes").RuleOrDie(),
 				rbacv1helpers.NewRule("get", "list", "watch", "update", "patch").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie(),
 				rbacv1helpers.NewRule("list", "watch").Groups(storageGroup).Resources("storageclasses").RuleOrDie(),
 				rbacv1helpers.NewRule("get", "list", "watch", "create", "update", "patch").Groups(legacyGroup).Resources("events").RuleOrDie(),

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml

@@ -688,6 +688,7 @@ items:
     verbs:
     - create
     - delete
+    - get
     - list
     - watch
   - apiGroups: