From 87ff84a7b0d7e6ab927880576b7703516881fbbf Mon Sep 17 00:00:00 2001
From: deads2k
Date: Thu, 22 Sep 2016 14:59:52 -0400
Subject: [PATCH] add system:discovery role

---
 plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 2540d3b59f5..592b5f8668f 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -32,11 +32,19 @@ var (
 func ClusterRoles() []rbac.ClusterRole {
 return []rbac.ClusterRole{
 {
+ // a "root" role which can do absolutely anything
 ObjectMeta: api.ObjectMeta{Name: "cluster-admin"},
 Rules: []rbac.PolicyRule{
 rbac.NewRule("*").Groups("*").Resources("*").RuleOrDie(),
 rbac.NewRule("*").URLs("*").RuleOrDie(),
 },
 },
+ {
+ // a role which provides just enough power to discovery API versions for negotiation
+ ObjectMeta: api.ObjectMeta{Name: "system:discovery"},
+ Rules: []rbac.PolicyRule{
+ rbac.NewRule("get").URLs("/version", "/api", "/api/*", "/apis", "/apis/*").RuleOrDie(),
+ },
+ },
 }
 }
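Review bot: The new `system:discovery` rule uses trailing wildcards (`/api/*`, `/apis/*`), and nothing in the hunk records that they are meant to cover only non-resource discovery paths. Whether a resource path under `/api/` or `/apis/` can ever be evaluated against a URL rule depends on request classification done outside this file, so that assumption should be written down and pinned by a test. I would extend the role comment to something like `// grants get on discovery endpoints only; relies on resource paths under /api and /apis being authorized as resource requests, never as URL rules`. The existing comment also has a typo: "to discovery API versions" should read "to discover API versions". The hunk defines the role but no binding, so which subjects receive it (and can therefore read `/version`) is decided elsewhere and is worth reviewing together with this change.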