add namespaced role bindings

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go

@@ -28,6 +28,9 @@ import (
 var (
 	// namespaceRoles is a map of namespace to slice of roles to create
 	namespaceRoles = map[string][]rbac.Role{}
+
+	// namespaceRoleBindings is a map of namespace to slice of roleBindings to create
+	namespaceRoleBindings = map[string][]rbac.RoleBinding{}
 )
 
 func addNamespaceRole(namespace string, role rbac.Role) {
@@ -48,6 +51,24 @@ func addNamespaceRole(namespace string, role rbac.Role) {
 	namespaceRoles[namespace] = existingRoles
 }
 
+func addNamespaceRoleBinding(namespace string, roleBinding rbac.RoleBinding) {
+	if !strings.HasPrefix(namespace, "kube-") {
+		glog.Fatalf(`roles can only be bootstrapped into reserved namespaces starting with "kube-", not %q`, namespace)
+	}
+
+	existingRoleBindings := namespaceRoleBindings[namespace]
+	for _, existingRoleBinding := range existingRoleBindings {
+		if roleBinding.Name == existingRoleBinding.Name {
+			glog.Fatalf("rolebinding %q was already registered in %q", roleBinding.Name, namespace)
+		}
+	}
+
+	roleBinding.Namespace = namespace
+	addDefaultMetadata(&roleBinding)
+	existingRoleBindings = append(existingRoleBindings, roleBinding)
+	namespaceRoleBindings[namespace] = existingRoleBindings
+}
+
 func init() {
 	addNamespaceRole(metav1.NamespaceSystem, rbac.Role{
 		// role for finding authentication config info for starting a server
@@ -63,3 +84,8 @@ func init() {
 func NamespaceRoles() map[string][]rbac.Role {
 	return namespaceRoles
 }
+
+// NamespaceRoleBindings returns a map of namespace to slice of roles to create
+func NamespaceRoleBindings() map[string][]rbac.RoleBinding {
+	return namespaceRoleBindings
+}

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go

@@ -173,6 +173,28 @@ func TestBootstrapNamespaceRoles(t *testing.T) {
 	testObjects(t, list, "namespace-roles.yaml")
 }
 
+func TestBootstrapNamespaceRoleBindings(t *testing.T) {
+	list := &api.List{}
+	names := sets.NewString()
+	roleBindings := map[string]runtime.Object{}
+
+	namespaceRoleBindings := bootstrappolicy.NamespaceRoleBindings()
+	for _, namespace := range sets.StringKeySet(namespaceRoleBindings).List() {
+		bootstrapRoleBindings := namespaceRoleBindings[namespace]
+		for i := range bootstrapRoleBindings {
+			roleBinding := bootstrapRoleBindings[i]
+			names.Insert(roleBinding.Name)
+			roleBindings[roleBinding.Name] = &roleBinding
+		}
+
+		for _, name := range names.List() {
+			list.Items = append(list.Items, roleBindings[name])
+		}
+	}
+
+	testObjects(t, list, "namespace-role-bindings.yaml")
+}
+
 func TestBootstrapClusterRoles(t *testing.T) {
 	list := &api.List{}
 	names := sets.NewString()

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-role-bindings.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+items: null
+kind: List
+metadata: {}