Merge pull request #51011 from xilabao/rbac-v1-in-yaml

Automatic merge from submit-queue (batch tested with PRs 50489, 51070, 51011, 51022, 51141)

update to rbac v1 in yaml file

**What this PR does / why we need it**:
ref to https://github.com/kubernetes/kubernetes/pull/49642
ref https://github.com/kubernetes/features/issues/2

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**:
cc @liggitt 

**Release note**:

```release-note
NONE
```

cluster/addons/cluster-monitoring/heapster-rbac.yaml

@@ -1,4 +1,4 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: heapster-binding
@@ -16,7 +16,7 @@ subjects:
 ---
 # Heapster's pod_nanny monitors the heapster deployment & its pod(s), and scales
 # the resources of the deployment if necessary.
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: system:pod-nanny
@@ -39,7 +39,7 @@ rules:
   - get
   - update
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: heapster-binding

cluster/addons/dns-horizontal-autoscaler/dns-horizontal-autoscaler-rbac.yaml

@@ -21,7 +21,7 @@ metadata:
     addonmanager.kubernetes.io/mode: Reconcile
 ---
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: system:kube-dns-autoscaler
   labels:
@@ -43,7 +43,7 @@ rules:
     verbs: ["get", "create"]
 ---
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: system:kube-dns-autoscaler
   labels:

cluster/addons/fluentd-elasticsearch/es-statefulset.yaml

@@ -10,7 +10,7 @@ metadata:
     addonmanager.kubernetes.io/mode: Reconcile
 ---
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: elasticsearch-logging
   labels:
@@ -28,7 +28,7 @@ rules:
   - "get"
 ---
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   namespace: kube-system
   name: elasticsearch-logging

cluster/addons/fluentd-elasticsearch/fluentd-es-ds.yaml

@@ -9,7 +9,7 @@ metadata:
     addonmanager.kubernetes.io/mode: Reconcile
 ---
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: fluentd-es
   labels:
@@ -28,7 +28,7 @@ rules:
   - "list"
 ---
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: fluentd-es
   labels:

cluster/addons/fluentd-gcp/event-exporter.yaml

@@ -8,7 +8,7 @@ metadata:
     kubernetes.io/cluster-service: "true"
     addonmanager.kubernetes.io/mode: Reconcile
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: event-exporter-rb

cluster/addons/node-problem-detector/npd.yaml

@@ -7,7 +7,7 @@ metadata:
     kubernetes.io/cluster-service: "true"
     addonmanager.kubernetes.io/mode: Reconcile
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: npd-binding

cluster/addons/node-problem-detector/standalone/npd-binding.yaml

@@ -1,4 +1,4 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: npd-binding

cluster/addons/rbac/kube-apiserver-kubelet-api-admin-binding.yaml

@@ -1,5 +1,5 @@
 # This binding gives the kube-apiserver user full access to the kubelet API
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: kube-apiserver-kubelet-api-admin

cluster/addons/rbac/kubelet-api-admin-role.yaml

@@ -1,5 +1,5 @@
 # This role allows full access to the kubelet API
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: kubelet-api-admin

cluster/addons/rbac/kubelet-binding.yaml

@@ -2,7 +2,7 @@
 # identify the system:nodes group.  They use the kubelet identity
 # TODO: remove this once new nodes are granted individual identities and the
 # NodeAuthorizer is enabled.
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: kubelet-cluster-admin

cluster/addons/rbac/kubelet-certificate-management.yaml

@@ -1,4 +1,4 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: gce:beta:kubelet-certificate-bootstrap
@@ -14,7 +14,7 @@ subjects:
   kind: User
   name: kubelet
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: gce:beta:kubelet-certificate-rotation
@@ -30,7 +30,7 @@ subjects:
   kind: Group
   name: system:nodes
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: gce:beta:kubelet-certificate-bootstrap
@@ -45,7 +45,7 @@ rules:
   verbs:
   - "create"
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: gce:beta:kubelet-certificate-rotation

examples/podsecuritypolicy/rbac/bindings.yaml

@@ -1,6 +1,6 @@
 # privilegedPSP gives the privilegedPSP role
 # to the group privileged.
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
     name: privileged-psp-users
@@ -15,7 +15,7 @@ roleRef:
 ---
 # restrictedPSP grants the restrictedPSP role to
 # the groups restricted and privileged.
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
     name: restricted-psp-users
@@ -33,7 +33,7 @@ roleRef:
 ---
 # edit grants edit role to the groups
 # restricted and privileged.
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
     name: edit

examples/podsecuritypolicy/rbac/roles.yaml

@@ -1,6 +1,6 @@
 # restrictedPSP grants access to use
 # the restricted PSP.
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: restricted-psp-user
@@ -16,7 +16,7 @@ rules:
 ---
 # privilegedPSP grants access to use the privileged
 # PSP.
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: privileged-psp-user

test/kubemark/resources/manifests/addons/kubemark-rbac-bindings/heapster-binding.yaml

@@ -1,5 +1,5 @@
 # This is the role binding for the kubemark heapster.
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: heapster-view-binding

test/kubemark/resources/manifests/addons/kubemark-rbac-bindings/kubecfg-binding.yaml

@@ -2,7 +2,7 @@
 # used for listing hollow-nodes in start-kubemark.sh and
 # send resource creation requests, etc in run-e2e-tests.sh.
 # Also useful if you manually want to use local kubectl.
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: kubecfg-cluster-admin

test/kubemark/resources/manifests/addons/kubemark-rbac-bindings/kubelet-binding.yaml

@@ -2,7 +2,7 @@
 #
 # TODO: give each kubelet a credential in the system:nodes group with username system:node:<nodeName>,
 # to exercise the Node authorizer and admission, then remove this binding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: kubelet-node

test/kubemark/resources/manifests/addons/kubemark-rbac-bindings/npd-binding.yaml

@@ -1,5 +1,5 @@
 # This is the role binding for the node-problem-detector.
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: node-problem-detector-binding