Move cluster roles and system namespace to new role

This should be done after kubeconfig is set for admin and
before network plugins are up.