diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json
index 10347bc4981..4b2c5579626 100644
--- a/api/openapi-spec/swagger.json
+++ b/api/openapi-spec/swagger.json
@@ -82147,7 +82147,6 @@
"io.k8s.api.rbac.v1.ClusterRoleBinding": {
"description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.",
"required": [
- "subjects",
"roleRef"
],
"properties": {
@@ -82331,7 +82330,6 @@
"io.k8s.api.rbac.v1.RoleBinding": {
"description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.",
"required": [
- "subjects",
"roleRef"
],
"properties": {
@@ -82535,7 +82533,6 @@
"io.k8s.api.rbac.v1alpha1.ClusterRoleBinding": {
"description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.",
"required": [
- "subjects",
"roleRef"
],
"properties": {
@@ -82719,7 +82716,6 @@
"io.k8s.api.rbac.v1alpha1.RoleBinding": {
"description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.",
"required": [
- "subjects",
"roleRef"
],
"properties": {
@@ -82923,7 +82919,6 @@
"io.k8s.api.rbac.v1beta1.ClusterRoleBinding": {
"description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.",
"required": [
- "subjects",
"roleRef"
],
"properties": {
@@ -83107,7 +83102,6 @@
"io.k8s.api.rbac.v1beta1.RoleBinding": {
"description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.",
"required": [
- "subjects",
"roleRef"
],
"properties": {
diff --git a/api/swagger-spec/rbac.authorization.k8s.io_v1.json b/api/swagger-spec/rbac.authorization.k8s.io_v1.json
index b5fdb605d3d..e1f93d1e8a9 100644
--- a/api/swagger-spec/rbac.authorization.k8s.io_v1.json
+++ b/api/swagger-spec/rbac.authorization.k8s.io_v1.json
@@ -3351,7 +3351,6 @@
"id": "v1.ClusterRoleBinding",
"description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.",
"required": [
- "subjects",
"roleRef"
],
"properties": {
@@ -3927,7 +3926,6 @@
"id": "v1.RoleBinding",
"description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.",
"required": [
- "subjects",
"roleRef"
],
"properties": {
diff --git a/api/swagger-spec/rbac.authorization.k8s.io_v1alpha1.json b/api/swagger-spec/rbac.authorization.k8s.io_v1alpha1.json
index bae9fa9faa2..73a4ab4f5a2 100644
--- a/api/swagger-spec/rbac.authorization.k8s.io_v1alpha1.json
+++ b/api/swagger-spec/rbac.authorization.k8s.io_v1alpha1.json
@@ -3351,7 +3351,6 @@
"id": "v1alpha1.ClusterRoleBinding",
"description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.",
"required": [
- "subjects",
"roleRef"
],
"properties": {
@@ -3927,7 +3926,6 @@
"id": "v1alpha1.RoleBinding",
"description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.",
"required": [
- "subjects",
"roleRef"
],
"properties": {
diff --git a/api/swagger-spec/rbac.authorization.k8s.io_v1beta1.json b/api/swagger-spec/rbac.authorization.k8s.io_v1beta1.json
index c51d9e77c10..eb3bd1d1dad 100644
--- a/api/swagger-spec/rbac.authorization.k8s.io_v1beta1.json
+++ b/api/swagger-spec/rbac.authorization.k8s.io_v1beta1.json
@@ -3351,7 +3351,6 @@
"id": "v1beta1.ClusterRoleBinding",
"description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.",
"required": [
- "subjects",
"roleRef"
],
"properties": {
@@ -3927,7 +3926,6 @@
"id": "v1beta1.RoleBinding",
"description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.",
"required": [
- "subjects",
"roleRef"
],
"properties": {
diff --git a/docs/api-reference/rbac.authorization.k8s.io/v1/definitions.html b/docs/api-reference/rbac.authorization.k8s.io/v1/definitions.html
index 2972fea36b8..204669f59a6 100755
--- a/docs/api-reference/rbac.authorization.k8s.io/v1/definitions.html
+++ b/docs/api-reference/rbac.authorization.k8s.io/v1/definitions.html
@@ -502,7 +502,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
subjects |
Subjects holds references to the objects the role applies to. |
-true |
+false |
v1.Subject array |
|
@@ -1443,7 +1443,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
subjects |
Subjects holds references to the objects the role applies to. |
-true |
+false |
v1.Subject array |
|
diff --git a/docs/api-reference/rbac.authorization.k8s.io/v1alpha1/definitions.html b/docs/api-reference/rbac.authorization.k8s.io/v1alpha1/definitions.html
index 9a95c068557..8605a9c9537 100755
--- a/docs/api-reference/rbac.authorization.k8s.io/v1alpha1/definitions.html
+++ b/docs/api-reference/rbac.authorization.k8s.io/v1alpha1/definitions.html
@@ -924,7 +924,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
subjects |
Subjects holds references to the objects the role applies to. |
-true |
+false |
v1alpha1.Subject array |
|
@@ -1791,7 +1791,7 @@ When an object is created, the system will populate this list with the current s
subjects |
Subjects holds references to the objects the role applies to. |
-true |
+false |
v1alpha1.Subject array |
|
diff --git a/docs/api-reference/rbac.authorization.k8s.io/v1beta1/definitions.html b/docs/api-reference/rbac.authorization.k8s.io/v1beta1/definitions.html
index 86664748e15..5007ef02fc6 100755
--- a/docs/api-reference/rbac.authorization.k8s.io/v1beta1/definitions.html
+++ b/docs/api-reference/rbac.authorization.k8s.io/v1beta1/definitions.html
@@ -1196,7 +1196,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
subjects |
Subjects holds references to the objects the role applies to. |
-true |
+false |
v1beta1.Subject array |
|
@@ -1930,7 +1930,7 @@ Examples:
subjects |
Subjects holds references to the objects the role applies to. |
-true |
+false |
v1beta1.Subject array |
|
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
index 55a88317272..ab116df5fe1 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
@@ -138,7 +138,6 @@ items:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:node
- subjects: null
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
diff --git a/staging/src/k8s.io/api/rbac/v1/generated.proto b/staging/src/k8s.io/api/rbac/v1/generated.proto
index 35acc643412..78aca15bce7 100644
--- a/staging/src/k8s.io/api/rbac/v1/generated.proto
+++ b/staging/src/k8s.io/api/rbac/v1/generated.proto
@@ -62,6 +62,7 @@ message ClusterRoleBinding {
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
// Subjects holds references to the objects the role applies to.
+ // +optional
repeated Subject subjects = 2;
// RoleRef can only reference a ClusterRole in the global namespace.
@@ -134,6 +135,7 @@ message RoleBinding {
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
// Subjects holds references to the objects the role applies to.
+ // +optional
repeated Subject subjects = 2;
// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
diff --git a/staging/src/k8s.io/api/rbac/v1/types.go b/staging/src/k8s.io/api/rbac/v1/types.go
index 91990548bc4..17163cbb269 100644
--- a/staging/src/k8s.io/api/rbac/v1/types.go
+++ b/staging/src/k8s.io/api/rbac/v1/types.go
@@ -124,7 +124,8 @@ type RoleBinding struct {
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// Subjects holds references to the objects the role applies to.
- Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"`
+ // +optional
+ Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`
// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
// If the RoleRef cannot be resolved, the Authorizer must return an error.
@@ -199,7 +200,8 @@ type ClusterRoleBinding struct {
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// Subjects holds references to the objects the role applies to.
- Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"`
+ // +optional
+ Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`
// RoleRef can only reference a ClusterRole in the global namespace.
// If the RoleRef cannot be resolved, the Authorizer must return an error.
diff --git a/staging/src/k8s.io/api/rbac/v1alpha1/generated.proto b/staging/src/k8s.io/api/rbac/v1alpha1/generated.proto
index 4a1835d9b5c..d7b29486361 100644
--- a/staging/src/k8s.io/api/rbac/v1alpha1/generated.proto
+++ b/staging/src/k8s.io/api/rbac/v1alpha1/generated.proto
@@ -61,6 +61,7 @@ message ClusterRoleBinding {
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
// Subjects holds references to the objects the role applies to.
+ // +optional
repeated Subject subjects = 2;
// RoleRef can only reference a ClusterRole in the global namespace.
@@ -134,6 +135,7 @@ message RoleBinding {
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
// Subjects holds references to the objects the role applies to.
+ // +optional
repeated Subject subjects = 2;
// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
diff --git a/staging/src/k8s.io/api/rbac/v1alpha1/types.go b/staging/src/k8s.io/api/rbac/v1alpha1/types.go
index 843d998ec9e..398d6a169cb 100644
--- a/staging/src/k8s.io/api/rbac/v1alpha1/types.go
+++ b/staging/src/k8s.io/api/rbac/v1alpha1/types.go
@@ -126,7 +126,8 @@ type RoleBinding struct {
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// Subjects holds references to the objects the role applies to.
- Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"`
+ // +optional
+ Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`
// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
// If the RoleRef cannot be resolved, the Authorizer must return an error.
@@ -201,7 +202,8 @@ type ClusterRoleBinding struct {
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// Subjects holds references to the objects the role applies to.
- Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"`
+ // +optional
+ Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`
// RoleRef can only reference a ClusterRole in the global namespace.
// If the RoleRef cannot be resolved, the Authorizer must return an error.
diff --git a/staging/src/k8s.io/api/rbac/v1beta1/generated.proto b/staging/src/k8s.io/api/rbac/v1beta1/generated.proto
index 2a893060c3c..494aff8b393 100644
--- a/staging/src/k8s.io/api/rbac/v1beta1/generated.proto
+++ b/staging/src/k8s.io/api/rbac/v1beta1/generated.proto
@@ -62,6 +62,7 @@ message ClusterRoleBinding {
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
// Subjects holds references to the objects the role applies to.
+ // +optional
repeated Subject subjects = 2;
// RoleRef can only reference a ClusterRole in the global namespace.
@@ -135,6 +136,7 @@ message RoleBinding {
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
// Subjects holds references to the objects the role applies to.
+ // +optional
repeated Subject subjects = 2;
// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
diff --git a/staging/src/k8s.io/api/rbac/v1beta1/types.go b/staging/src/k8s.io/api/rbac/v1beta1/types.go
index 091fc1dc95f..857b67a6f84 100644
--- a/staging/src/k8s.io/api/rbac/v1beta1/types.go
+++ b/staging/src/k8s.io/api/rbac/v1beta1/types.go
@@ -125,7 +125,8 @@ type RoleBinding struct {
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// Subjects holds references to the objects the role applies to.
- Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"`
+ // +optional
+ Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`
// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
// If the RoleRef cannot be resolved, the Authorizer must return an error.
@@ -199,7 +200,8 @@ type ClusterRoleBinding struct {
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// Subjects holds references to the objects the role applies to.
- Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"`
+ // +optional
+ Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`
// RoleRef can only reference a ClusterRole in the global namespace.
// If the RoleRef cannot be resolved, the Authorizer must return an error.