From 18a909edf88145ad98a78a1b5743f510ae579f4f Mon Sep 17 00:00:00 2001
From: deads2k
Date: Thu, 17 Nov 2016 14:42:21 -0500
Subject: [PATCH] auth delegation role

---
 .../pkg/auth/authorizer/rbac/bootstrappolicy/policy.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 01fa5e5789a..259a32bd986 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -194,6 +194,15 @@ func ClusterRoles() []rbac.ClusterRole {
 rbac.NewRule("list", "watch").Groups(legacyGroup).Resources("services", "endpoints").RuleOrDie(),
 },
 },
+ {
+ // a role to use for allowing authentication and authorization delegation
+ ObjectMeta: api.ObjectMeta{Name: "system:auth-delegator"},
+ Rules: []rbac.PolicyRule{
+ // These creates are non-mutating
+ rbac.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(),
+ rbac.NewRule("create").Groups(authorizationGroup).Resources("subjectaccessreviews").RuleOrDie(),
+ },
+ },
 }
 }
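Review bot: The `// These creates are non-mutating` comment on the two new rules understates what a binding to `system:auth-delegator` hands out: by the semantics of those APIs, a TokenReview create returns the identity (user, UID, groups) behind whatever bearer token the caller submits, and a SubjectAccessReview create answers whether an arbitrary subject may perform an arbitrary action, so a holder can resolve captured tokens and enumerate other subjects' effective permissions even though cluster state is never changed. That makes the audience for this role a security decision worth recording next to the role itself rather than leaving "non-mutating" as the only hint. I would widen the role comment to something like `// a role to use for allowing authentication and authorization delegation; TokenReview exposes the identity behind any presented token and SubjectAccessReview exposes any subject's permissions, so bind only to trusted API-server-like components (extension apiservers, authenticating proxies)`. `ClusterRoles()` begins before this hunk, so I could not check whether a neighbouring role already carries a comparable warning to keep the wording consistent with.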