diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json index 10347bc4981..4b2c5579626 100644 --- a/api/openapi-spec/swagger.json +++ b/api/openapi-spec/swagger.json @@ -82147,7 +82147,6 @@ "io.k8s.api.rbac.v1.ClusterRoleBinding": { "description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.", "required": [ - "subjects", "roleRef" ], "properties": { @@ -82331,7 +82330,6 @@ "io.k8s.api.rbac.v1.RoleBinding": { "description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.", "required": [ - "subjects", "roleRef" ], "properties": { @@ -82535,7 +82533,6 @@ "io.k8s.api.rbac.v1alpha1.ClusterRoleBinding": { "description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.", "required": [ - "subjects", "roleRef" ], "properties": { @@ -82719,7 +82716,6 @@ "io.k8s.api.rbac.v1alpha1.RoleBinding": { "description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.", "required": [ - "subjects", "roleRef" ], "properties": { @@ -82923,7 +82919,6 @@ "io.k8s.api.rbac.v1beta1.ClusterRoleBinding": { "description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.", "required": [ - "subjects", "roleRef" ], "properties": { 
@@ -83107,7 +83102,6 @@ "io.k8s.api.rbac.v1beta1.RoleBinding": { "description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.", "required": [ - "subjects", "roleRef" ], "properties": { diff --git a/api/swagger-spec/rbac.authorization.k8s.io_v1.json b/api/swagger-spec/rbac.authorization.k8s.io_v1.json index b5fdb605d3d..e1f93d1e8a9 100644 --- a/api/swagger-spec/rbac.authorization.k8s.io_v1.json +++ b/api/swagger-spec/rbac.authorization.k8s.io_v1.json @@ -3351,7 +3351,6 @@ "id": "v1.ClusterRoleBinding", "description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.", "required": [ - "subjects", "roleRef" ], "properties": { @@ -3927,7 +3926,6 @@ "id": "v1.RoleBinding", "description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.", "required": [ - "subjects", "roleRef" ], "properties": { diff --git a/api/swagger-spec/rbac.authorization.k8s.io_v1alpha1.json b/api/swagger-spec/rbac.authorization.k8s.io_v1alpha1.json index bae9fa9faa2..73a4ab4f5a2 100644 --- a/api/swagger-spec/rbac.authorization.k8s.io_v1alpha1.json +++ b/api/swagger-spec/rbac.authorization.k8s.io_v1alpha1.json 
@@ -3351,7 +3351,6 @@ "id": "v1alpha1.ClusterRoleBinding", "description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.", "required": [ - "subjects", "roleRef" ], "properties": { @@ -3927,7 +3926,6 @@ "id": "v1alpha1.RoleBinding", "description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.", "required": [ - "subjects", "roleRef" ], "properties": { diff --git a/api/swagger-spec/rbac.authorization.k8s.io_v1beta1.json b/api/swagger-spec/rbac.authorization.k8s.io_v1beta1.json index c51d9e77c10..eb3bd1d1dad 100644 --- a/api/swagger-spec/rbac.authorization.k8s.io_v1beta1.json +++ b/api/swagger-spec/rbac.authorization.k8s.io_v1beta1.json @@ -3351,7 +3351,6 @@ "id": "v1beta1.ClusterRoleBinding", "description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.", "required": [ - "subjects", "roleRef" ], "properties": { @@ -3927,7 +3926,6 @@ "id": "v1beta1.RoleBinding", "description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.", "required": [ - "subjects", "roleRef" ], "properties": { diff --git a/docs/api-reference/rbac.authorization.k8s.io/v1/definitions.html b/docs/api-reference/rbac.authorization.k8s.io/v1/definitions.html index 2972fea36b8..204669f59a6 100755 
--- a/docs/api-reference/rbac.authorization.k8s.io/v1/definitions.html +++ b/docs/api-reference/rbac.authorization.k8s.io/v1/definitions.html @@ -502,7 +502,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }

subjects

Subjects holds references to the objects the role applies to.

-

true

+

false

v1.Subject array

@@ -1443,7 +1443,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }

subjects

Subjects holds references to the objects the role applies to.

-

true

+

false

v1.Subject array

diff --git a/docs/api-reference/rbac.authorization.k8s.io/v1alpha1/definitions.html b/docs/api-reference/rbac.authorization.k8s.io/v1alpha1/definitions.html index 9a95c068557..8605a9c9537 100755 --- a/docs/api-reference/rbac.authorization.k8s.io/v1alpha1/definitions.html +++ b/docs/api-reference/rbac.authorization.k8s.io/v1alpha1/definitions.html @@ -924,7 +924,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }

subjects

Subjects holds references to the objects the role applies to.

-

true

+

false

v1alpha1.Subject array

@@ -1791,7 +1791,7 @@ When an object is created, the system will populate this list with the current s

subjects

Subjects holds references to the objects the role applies to.

-

true

+

false

v1alpha1.Subject array

diff --git a/docs/api-reference/rbac.authorization.k8s.io/v1beta1/definitions.html b/docs/api-reference/rbac.authorization.k8s.io/v1beta1/definitions.html index 86664748e15..5007ef02fc6 100755 --- a/docs/api-reference/rbac.authorization.k8s.io/v1beta1/definitions.html +++ b/docs/api-reference/rbac.authorization.k8s.io/v1beta1/definitions.html @@ -1196,7 +1196,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }

subjects

Subjects holds references to the objects the role applies to.

-

true

+

false

v1beta1.Subject array

@@ -1930,7 +1930,7 @@ Examples:

subjects

Subjects holds references to the objects the role applies to.

-

true

+

false

v1beta1.Subject array

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
index 55a88317272..ab116df5fe1 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
@@ -138,7 +138,6 @@ items: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:node - subjects: null - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata:
diff --git a/staging/src/k8s.io/api/rbac/v1/generated.proto b/staging/src/k8s.io/api/rbac/v1/generated.proto
index 35acc643412..78aca15bce7 100644
--- a/staging/src/k8s.io/api/rbac/v1/generated.proto
+++ b/staging/src/k8s.io/api/rbac/v1/generated.proto
@@ -62,6 +62,7 @@ message ClusterRoleBinding { optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; // Subjects holds references to the objects the role applies to. + // +optional repeated Subject subjects = 2; // RoleRef can only reference a ClusterRole in the global namespace.
@@ -134,6 +135,7 @@ message RoleBinding { optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; // Subjects holds references to the objects the role applies to. + // +optional repeated Subject subjects = 2; // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
diff --git a/staging/src/k8s.io/api/rbac/v1/types.go b/staging/src/k8s.io/api/rbac/v1/types.go
index 91990548bc4..17163cbb269 100644
--- a/staging/src/k8s.io/api/rbac/v1/types.go
+++ b/staging/src/k8s.io/api/rbac/v1/types.go
@@ -124,7 +124,8 @@ type RoleBinding struct {
  metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
 
  // Subjects holds references to the objects the role applies to.
- Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"`
+ // +optional
+ Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`
 
  // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
  // If the RoleRef cannot be resolved, the Authorizer must return an error.
@@ -199,7 +200,8 @@ type ClusterRoleBinding struct {
  metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
 
  // Subjects holds references to the objects the role applies to.
- Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"`
+ // +optional
+ Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`
 
  // RoleRef can only reference a ClusterRole in the global namespace.
  // If the RoleRef cannot be resolved, the Authorizer must return an error.
diff --git a/staging/src/k8s.io/api/rbac/v1alpha1/generated.proto b/staging/src/k8s.io/api/rbac/v1alpha1/generated.proto
index 4a1835d9b5c..d7b29486361 100644
--- a/staging/src/k8s.io/api/rbac/v1alpha1/generated.proto
+++ b/staging/src/k8s.io/api/rbac/v1alpha1/generated.proto
@@ -61,6 +61,7 @@ message ClusterRoleBinding { optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; // Subjects holds references to the objects the role applies to. + // +optional repeated Subject subjects = 2; // RoleRef can only reference a ClusterRole in the global namespace.
@@ -134,6 +135,7 @@ message RoleBinding { optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; // Subjects holds references to the objects the role applies to. + // +optional repeated Subject subjects = 2; // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
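Review bot: The `Subjects` comment in the v1 `RoleBinding` hunk does not say what a binding with no subjects means now that the field is `+optional` and `omitempty`, and for an authorization type a reader should not have to guess whether absent means nobody or everybody. I would add `// An empty or omitted list means the role is granted to no one.` above `// +optional`, assuming that is how the authorizer treats it, which this diff does not show; the same applies to the `ClusterRoleBinding` hunk in this file and to both hunks in the v1alpha1 and v1beta1 `types.go`. Separately, `omitempty` makes nil and empty slices serialize the same way, so a client that builds a request body by marshaling this struct with `Subjects` cleared sends no `subjects` key at all; in a merge patch that would leave the existing subjects in place, so a round-trip test for a binding whose subjects are removed is worth adding. Both struct definitions start and end outside the hunks.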
diff --git a/staging/src/k8s.io/api/rbac/v1alpha1/types.go b/staging/src/k8s.io/api/rbac/v1alpha1/types.go
index 843d998ec9e..398d6a169cb 100644
--- a/staging/src/k8s.io/api/rbac/v1alpha1/types.go
+++ b/staging/src/k8s.io/api/rbac/v1alpha1/types.go
@@ -126,7 +126,8 @@ type RoleBinding struct {
  metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
 
  // Subjects holds references to the objects the role applies to.
- Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"`
+ // +optional
+ Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`
 
  // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
  // If the RoleRef cannot be resolved, the Authorizer must return an error.
@@ -201,7 +202,8 @@ type ClusterRoleBinding struct {
  metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
 
  // Subjects holds references to the objects the role applies to.
- Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"`
+ // +optional
+ Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`
 
  // RoleRef can only reference a ClusterRole in the global namespace.
  // If the RoleRef cannot be resolved, the Authorizer must return an error.
diff --git a/staging/src/k8s.io/api/rbac/v1beta1/generated.proto b/staging/src/k8s.io/api/rbac/v1beta1/generated.proto
index 2a893060c3c..494aff8b393 100644
--- a/staging/src/k8s.io/api/rbac/v1beta1/generated.proto
+++ b/staging/src/k8s.io/api/rbac/v1beta1/generated.proto
@@ -62,6 +62,7 @@ message ClusterRoleBinding { optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; // Subjects holds references to the objects the role applies to. + // +optional repeated Subject subjects = 2; // RoleRef can only reference a ClusterRole in the global namespace.
@@ -135,6 +136,7 @@ message RoleBinding { optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; // Subjects holds references to the objects the role applies to. + // +optional repeated Subject subjects = 2; // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
diff --git a/staging/src/k8s.io/api/rbac/v1beta1/types.go b/staging/src/k8s.io/api/rbac/v1beta1/types.go
index 091fc1dc95f..857b67a6f84 100644
--- a/staging/src/k8s.io/api/rbac/v1beta1/types.go
+++ b/staging/src/k8s.io/api/rbac/v1beta1/types.go
@@ -125,7 +125,8 @@ type RoleBinding struct {
  metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
 
  // Subjects holds references to the objects the role applies to.
- Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"`
+ // +optional
+ Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`
 
  // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
  // If the RoleRef cannot be resolved, the Authorizer must return an error.
@@ -199,7 +200,8 @@ type ClusterRoleBinding struct {
  metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
 
  // Subjects holds references to the objects the role applies to.
- Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"`
+ // +optional
+ Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`
 
  // RoleRef can only reference a ClusterRole in the global namespace.
  // If the RoleRef cannot be resolved, the Authorizer must return an error.