Merge pull request #24900 from ericchiang/rbac_types

Automatic merge from submit-queue

pkg/apis/rbac: Add Openshift authorization API types

This PR updates #23396 by adding the Openshift RBAC types to a new API group.

Changes from Openshift:

* Omission of [ResourceGroups](4589987883/pkg/authorization/api/types.go (L32-L104)) as most of these were Openshift specific. Would like to add the concept back in for a later release of the API.
* Omission of IsPersonalSubjectAccessReview as its implementation relied on Openshift capability.
* Omission of SubjectAccessReview and ResourceAccessReview types. These are defined in `authorization.k8s.io`

~~API group is named `rbac.authorization.openshift.com` as we omitted the AccessReview stuff and that seemed to be the lest controversial based on conversations in #23396. Would be happy to change it if there's a dislike for the name.~~ Edit: API groups is named `rbac`, sorry misread the original thread.

As discussed in #18762, creating a new API group is kind difficult right now and the documentation is very out of date. Got a little help from @soltysh but I'm sure I'm missing some things. Also still need to add validation and a RESTStorage registry interface. Hence "WIP".

Any initial comments welcome.

cc @erictune @deads2k @sym3tri @philips

cmd/libs/go2idl/conversion-gen/main.go

@@ -54,6 +54,8 @@ func main() {
 		"k8s.io/kubernetes/pkg/apis/extensions/v1beta1",
 		"k8s.io/kubernetes/pkg/apis/metrics",
 		"k8s.io/kubernetes/pkg/apis/metrics/v1alpha1",
+		"k8s.io/kubernetes/pkg/apis/rbac",
+		"k8s.io/kubernetes/pkg/apis/rbac/v1alpha1",
 		"k8s.io/kubernetes/federation/apis/federation",
 		"k8s.io/kubernetes/federation/apis/federation/v1alpha1",
 		"k8s.io/kubernetes/pkg/conversion",

cmd/libs/go2idl/deepcopy-gen/main.go

@@ -54,6 +54,8 @@ func main() {
 		"k8s.io/kubernetes/pkg/apis/extensions/v1beta1",
 		"k8s.io/kubernetes/pkg/apis/metrics",
 		"k8s.io/kubernetes/pkg/apis/metrics/v1alpha1",
+		"k8s.io/kubernetes/pkg/apis/rbac",
+		"k8s.io/kubernetes/pkg/apis/rbac/v1alpha1",
 		"k8s.io/kubernetes/federation/apis/federation",
 		"k8s.io/kubernetes/federation/apis/federation/v1alpha1",
 	}

cmd/libs/go2idl/go-to-protobuf/protobuf/cmd.go

@@ -72,6 +72,7 @@ func New() *Generator {
 			`k8s.io/kubernetes/pkg/apis/batch/v1`,
 			`k8s.io/kubernetes/pkg/apis/batch/v2alpha1`,
 			`k8s.io/kubernetes/pkg/apis/apps/v1alpha1`,
+			`k8s.io/kubernetes/pkg/apis/rbac/v1alpha1`,
 			`k8s.io/kubernetes/federation/apis/federation/v1alpha1`,
 		}, ","),
 		DropEmbeddedFields: "k8s.io/kubernetes/pkg/api/unversioned.TypeMeta",

hack/update-generated-swagger-docs.sh

@@ -57,7 +57,7 @@ EOF
   mv "$TMPFILE" "pkg/$(kube::util::group-version-to-pkg-path "${group_version}")/types_swagger_doc_generated.go"
 }
 
-GROUP_VERSIONS=(unversioned v1 authorization/v1beta1 autoscaling/v1 batch/v1 batch/v2alpha1 extensions/v1beta1 apps/v1alpha1)
+GROUP_VERSIONS=(unversioned v1 authorization/v1beta1 autoscaling/v1 batch/v1 batch/v2alpha1 extensions/v1beta1 apps/v1alpha1 rbac/v1alpha1)
 # To avoid compile errors, remove the currently existing files.
 for group_version in "${GROUP_VERSIONS[@]}"; do
   rm -f "pkg/$(kube::util::group-version-to-pkg-path "${group_version}")/types_swagger_doc_generated.go"

pkg/apis/rbac/deep_copy_generated.go

@@ -0,0 +1,274 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package rbac
+
+import (
+	api "k8s.io/kubernetes/pkg/api"
+	unversioned "k8s.io/kubernetes/pkg/api/unversioned"
+	conversion "k8s.io/kubernetes/pkg/conversion"
+	runtime "k8s.io/kubernetes/pkg/runtime"
+)
+
+func init() {
+	if err := api.Scheme.AddGeneratedDeepCopyFuncs(
+		DeepCopy_rbac_ClusterRole,
+		DeepCopy_rbac_ClusterRoleBinding,
+		DeepCopy_rbac_ClusterRoleBindingList,
+		DeepCopy_rbac_ClusterRoleList,
+		DeepCopy_rbac_PolicyRule,
+		DeepCopy_rbac_Role,
+		DeepCopy_rbac_RoleBinding,
+		DeepCopy_rbac_RoleBindingList,
+		DeepCopy_rbac_RoleList,
+		DeepCopy_rbac_Subject,
+	); err != nil {
+		// if one of the deep copy functions is malformed, detect it immediately.
+		panic(err)
+	}
+}
+
+func DeepCopy_rbac_ClusterRole(in ClusterRole, out *ClusterRole, c *conversion.Cloner) error {
+	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
+		return err
+	}
+	if err := api.DeepCopy_api_ObjectMeta(in.ObjectMeta, &out.ObjectMeta, c); err != nil {
+		return err
+	}
+	if in.Rules != nil {
+		in, out := in.Rules, &out.Rules
+		*out = make([]PolicyRule, len(in))
+		for i := range in {
+			if err := DeepCopy_rbac_PolicyRule(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Rules = nil
+	}
+	return nil
+}
+
+func DeepCopy_rbac_ClusterRoleBinding(in ClusterRoleBinding, out *ClusterRoleBinding, c *conversion.Cloner) error {
+	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
+		return err
+	}
+	if err := api.DeepCopy_api_ObjectMeta(in.ObjectMeta, &out.ObjectMeta, c); err != nil {
+		return err
+	}
+	if in.Subjects != nil {
+		in, out := in.Subjects, &out.Subjects
+		*out = make([]Subject, len(in))
+		for i := range in {
+			if err := DeepCopy_rbac_Subject(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Subjects = nil
+	}
+	if err := api.DeepCopy_api_ObjectReference(in.RoleRef, &out.RoleRef, c); err != nil {
+		return err
+	}
+	return nil
+}
+
+func DeepCopy_rbac_ClusterRoleBindingList(in ClusterRoleBindingList, out *ClusterRoleBindingList, c *conversion.Cloner) error {
+	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
+		return err
+	}
+	if err := unversioned.DeepCopy_unversioned_ListMeta(in.ListMeta, &out.ListMeta, c); err != nil {
+		return err
+	}
+	if in.Items != nil {
+		in, out := in.Items, &out.Items
+		*out = make([]ClusterRoleBinding, len(in))
+		for i := range in {
+			if err := DeepCopy_rbac_ClusterRoleBinding(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Items = nil
+	}
+	return nil
+}
+
+func DeepCopy_rbac_ClusterRoleList(in ClusterRoleList, out *ClusterRoleList, c *conversion.Cloner) error {
+	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
+		return err
+	}
+	if err := unversioned.DeepCopy_unversioned_ListMeta(in.ListMeta, &out.ListMeta, c); err != nil {
+		return err
+	}
+	if in.Items != nil {
+		in, out := in.Items, &out.Items
+		*out = make([]ClusterRole, len(in))
+		for i := range in {
+			if err := DeepCopy_rbac_ClusterRole(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Items = nil
+	}
+	return nil
+}
+
+func DeepCopy_rbac_PolicyRule(in PolicyRule, out *PolicyRule, c *conversion.Cloner) error {
+	if in.Verbs != nil {
+		in, out := in.Verbs, &out.Verbs
+		*out = make([]string, len(in))
+		copy(*out, in)
+	} else {
+		out.Verbs = nil
+	}
+	if in.AttributeRestrictions == nil {
+		out.AttributeRestrictions = nil
+	} else if newVal, err := c.DeepCopy(in.AttributeRestrictions); err != nil {
+		return err
+	} else {
+		out.AttributeRestrictions = newVal.(runtime.Object)
+	}
+	if in.APIGroups != nil {
+		in, out := in.APIGroups, &out.APIGroups
+		*out = make([]string, len(in))
+		copy(*out, in)
+	} else {
+		out.APIGroups = nil
+	}
+	if in.Resources != nil {
+		in, out := in.Resources, &out.Resources
+		*out = make([]string, len(in))
+		copy(*out, in)
+	} else {
+		out.Resources = nil
+	}
+	if in.ResourceNames != nil {
+		in, out := in.ResourceNames, &out.ResourceNames
+		*out = make([]string, len(in))
+		copy(*out, in)
+	} else {
+		out.ResourceNames = nil
+	}
+	if in.NonResourceURLs != nil {
+		in, out := in.NonResourceURLs, &out.NonResourceURLs
+		*out = make([]string, len(in))
+		copy(*out, in)
+	} else {
+		out.NonResourceURLs = nil
+	}
+	return nil
+}
+
+func DeepCopy_rbac_Role(in Role, out *Role, c *conversion.Cloner) error {
+	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
+		return err
+	}
+	if err := api.DeepCopy_api_ObjectMeta(in.ObjectMeta, &out.ObjectMeta, c); err != nil {
+		return err
+	}
+	if in.Rules != nil {
+		in, out := in.Rules, &out.Rules
+		*out = make([]PolicyRule, len(in))
+		for i := range in {
+			if err := DeepCopy_rbac_PolicyRule(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Rules = nil
+	}
+	return nil
+}
+
+func DeepCopy_rbac_RoleBinding(in RoleBinding, out *RoleBinding, c *conversion.Cloner) error {
+	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
+		return err
+	}
+	if err := api.DeepCopy_api_ObjectMeta(in.ObjectMeta, &out.ObjectMeta, c); err != nil {
+		return err
+	}
+	if in.Subjects != nil {
+		in, out := in.Subjects, &out.Subjects
+		*out = make([]Subject, len(in))
+		for i := range in {
+			if err := DeepCopy_rbac_Subject(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Subjects = nil
+	}
+	if err := api.DeepCopy_api_ObjectReference(in.RoleRef, &out.RoleRef, c); err != nil {
+		return err
+	}
+	return nil
+}
+
+func DeepCopy_rbac_RoleBindingList(in RoleBindingList, out *RoleBindingList, c *conversion.Cloner) error {
+	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
+		return err
+	}
+	if err := unversioned.DeepCopy_unversioned_ListMeta(in.ListMeta, &out.ListMeta, c); err != nil {
+		return err
+	}
+	if in.Items != nil {
+		in, out := in.Items, &out.Items
+		*out = make([]RoleBinding, len(in))
+		for i := range in {
+			if err := DeepCopy_rbac_RoleBinding(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Items = nil
+	}
+	return nil
+}
+
+func DeepCopy_rbac_RoleList(in RoleList, out *RoleList, c *conversion.Cloner) error {
+	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
+		return err
+	}
+	if err := unversioned.DeepCopy_unversioned_ListMeta(in.ListMeta, &out.ListMeta, c); err != nil {
+		return err
+	}
+	if in.Items != nil {
+		in, out := in.Items, &out.Items
+		*out = make([]Role, len(in))
+		for i := range in {
+			if err := DeepCopy_rbac_Role(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Items = nil
+	}
+	return nil
+}
+
+func DeepCopy_rbac_Subject(in Subject, out *Subject, c *conversion.Cloner) error {
+	out.Kind = in.Kind
+	out.APIVersion = in.APIVersion
+	out.Name = in.Name
+	out.Namespace = in.Namespace
+	return nil
+}

pkg/apis/rbac/install/install.go

@@ -0,0 +1,130 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package install installs the batch API group, making it available as
+// an option to all of the API encoding/decoding machinery.
+package install
+
+import (
+	"fmt"
+
+	"github.com/golang/glog"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/meta"
+	"k8s.io/kubernetes/pkg/api/unversioned"
+	"k8s.io/kubernetes/pkg/apimachinery"
+	"k8s.io/kubernetes/pkg/apimachinery/registered"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/apis/rbac/v1alpha1"
+	"k8s.io/kubernetes/pkg/runtime"
+	"k8s.io/kubernetes/pkg/util/sets"
+)
+
+const importPrefix = "k8s.io/kubernetes/pkg/apis/rbac"
+
+var accessor = meta.NewAccessor()
+
+// availableVersions lists all known external versions for this group from most preferred to least preferred
+var availableVersions = []unversioned.GroupVersion{v1alpha1.SchemeGroupVersion}
+
+func init() {
+	registered.RegisterVersions(availableVersions)
+	externalVersions := []unversioned.GroupVersion{}
+	for _, v := range availableVersions {
+		if registered.IsAllowedVersion(v) {
+			externalVersions = append(externalVersions, v)
+		}
+	}
+	if len(externalVersions) == 0 {
+		glog.V(4).Infof("No version is registered for group %v", rbac.GroupName)
+		return
+	}
+
+	if err := registered.EnableVersions(externalVersions...); err != nil {
+		glog.V(4).Infof("%v", err)
+		return
+	}
+	if err := enableVersions(externalVersions); err != nil {
+		glog.V(4).Infof("%v", err)
+		return
+	}
+}
+
+// TODO: enableVersions should be centralized rather than spread in each API
+// group.
+// We can combine registered.RegisterVersions, registered.EnableVersions and
+// registered.RegisterGroup once we have moved enableVersions there.
+func enableVersions(externalVersions []unversioned.GroupVersion) error {
+	addVersionsToScheme(externalVersions...)
+	preferredExternalVersion := externalVersions[0]
+
+	groupMeta := apimachinery.GroupMeta{
+		GroupVersion:  preferredExternalVersion,
+		GroupVersions: externalVersions,
+		RESTMapper:    newRESTMapper(externalVersions),
+		SelfLinker:    runtime.SelfLinker(accessor),
+		InterfacesFor: interfacesFor,
+	}
+
+	if err := registered.RegisterGroup(groupMeta); err != nil {
+		return err
+	}
+	api.RegisterRESTMapper(groupMeta.RESTMapper)
+	return nil
+}
+
+func newRESTMapper(externalVersions []unversioned.GroupVersion) meta.RESTMapper {
+	rootScoped := sets.NewString(
+		"ClusterRole",
+		"ClusterRoleBinding",
+	)
+
+	ignoredKinds := sets.NewString()
+
+	return api.NewDefaultRESTMapper(externalVersions, interfacesFor, importPrefix, ignoredKinds, rootScoped)
+}
+
+// interfacesFor returns the default Codec and ResourceVersioner for a given version
+// string, or an error if the version is not known.
+func interfacesFor(version unversioned.GroupVersion) (*meta.VersionInterfaces, error) {
+	switch version {
+	case v1alpha1.SchemeGroupVersion:
+		return &meta.VersionInterfaces{
+			ObjectConvertor:  api.Scheme,
+			MetadataAccessor: accessor,
+		}, nil
+	default:
+		g, _ := registered.Group(rbac.GroupName)
+		return nil, fmt.Errorf("unsupported storage version: %s (valid: %v)", version, g.GroupVersions)
+	}
+}
+
+func addVersionsToScheme(externalVersions ...unversioned.GroupVersion) {
+	// add the internal version to Scheme
+	rbac.AddToScheme(api.Scheme)
+	// add the enabled external versions to Scheme
+	for _, v := range externalVersions {
+		if !registered.IsEnabledVersion(v) {
+			glog.Errorf("Version %s is not enabled, so it will not be added to the Scheme.", v)
+			continue
+		}
+		switch v {
+		case v1alpha1.SchemeGroupVersion:
+			v1alpha1.AddToScheme(api.Scheme)
+		}
+	}
+}

pkg/apis/rbac/register.go

@@ -0,0 +1,69 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rbac
+
+import (
+	"k8s.io/kubernetes/pkg/api/unversioned"
+	"k8s.io/kubernetes/pkg/runtime"
+	"k8s.io/kubernetes/pkg/watch/versioned"
+)
+
+const GroupName = "rbac.authorization.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = unversioned.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind
+func Kind(kind string) unversioned.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns back a Group qualified GroupResource
+func Resource(resource string) unversioned.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+func AddToScheme(scheme *runtime.Scheme) {
+	// Add the API to Scheme.
+	addKnownTypes(scheme)
+}
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Role{},
+		&RoleBinding{},
+		&RoleBindingList{},
+		&RoleList{},
+
+		&ClusterRole{},
+		&ClusterRoleBinding{},
+		&ClusterRoleBindingList{},
+		&ClusterRoleList{},
+	)
+	versioned.AddToGroupVersion(scheme, SchemeGroupVersion)
+}
+
+func (obj *ClusterRole) GetObjectKind() unversioned.ObjectKind            { return &obj.TypeMeta }
+func (obj *ClusterRoleBinding) GetObjectKind() unversioned.ObjectKind     { return &obj.TypeMeta }
+func (obj *ClusterRoleBindingList) GetObjectKind() unversioned.ObjectKind { return &obj.TypeMeta }
+func (obj *ClusterRoleList) GetObjectKind() unversioned.ObjectKind        { return &obj.TypeMeta }
+
+func (obj *Role) GetObjectKind() unversioned.ObjectKind            { return &obj.TypeMeta }
+func (obj *RoleBinding) GetObjectKind() unversioned.ObjectKind     { return &obj.TypeMeta }
+func (obj *RoleBindingList) GetObjectKind() unversioned.ObjectKind { return &obj.TypeMeta }
+func (obj *RoleList) GetObjectKind() unversioned.ObjectKind        { return &obj.TypeMeta }

pkg/apis/rbac/types.go

@@ -0,0 +1,166 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rbac
+
+import (
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/unversioned"
+	"k8s.io/kubernetes/pkg/runtime"
+)
+
+// Authorization is calculated against
+// 1. evaluation of ClusterRoleBindings - short circuit on match
+// 2. evaluation of RoleBindings in the namespace requested - short circuit on match
+// 3. deny by default
+
+const (
+	APIGroupAll    = "*"
+	ResourceAll    = "*"
+	VerbAll        = "*"
+	NonResourceAll = "*"
+
+	GroupKind          = "Group"
+	ServiceAccountKind = "ServiceAccount"
+	UserKind           = "User"
+)
+
+// PolicyRule holds information that describes a policy rule, but does not contain information
+// about who the rule applies to or which namespace the rule applies to.
+type PolicyRule struct {
+	// Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.
+	Verbs []string
+	// AttributeRestrictions will vary depending on what the Authorizer/AuthorizationAttributeBuilder pair supports.
+	// If the Authorizer does not recognize how to handle the AttributeRestrictions, the Authorizer should report an error.
+	AttributeRestrictions runtime.Object
+	// APIGroups is the name of the APIGroup that contains the resources.
+	// If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
+	APIGroups []string
+	// Resources is a list of resources this rule applies to.  ResourceAll represents all resources.
+	Resources []string
+	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+	ResourceNames []string
+	// NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
+	// If an action is not a resource API request, then the URL is split on '/' and is checked against the NonResourceURLs to look for a match.
+	// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+	NonResourceURLs []string
+}
+
+// Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
+// or a value for non-objects such as user and group names.
+type Subject struct {
+	// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+	// If the Authorizer does not recognized the kind value, the Authorizer should report an error.
+	Kind string
+	// APIVersion holds the API group and version of the referenced object. For non-object references such as "Group" and "User" this is
+	// expected to be API version of this API group. For example "rbac.authorization.k8s.io/v1alpha1".
+	APIVersion string
+	// Name of the object being referenced.
+	Name string
+	// Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+	// the Authorizer should report an error.
+	Namespace string
+}
+
+// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
+type Role struct {
+	unversioned.TypeMeta
+	// Standard object's metadata.
+	api.ObjectMeta
+
+	// Rules holds all the PolicyRules for this Role
+	Rules []PolicyRule
+}
+
+// RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace.
+// It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given
+// namespace only have effect in that namespace.
+type RoleBinding struct {
+	unversioned.TypeMeta
+	api.ObjectMeta
+
+	// Subjects holds references to the objects the role applies to.
+	Subjects []Subject
+
+	// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	RoleRef api.ObjectReference
+}
+
+// RoleBindingList is a collection of RoleBindings
+type RoleBindingList struct {
+	unversioned.TypeMeta
+	// Standard object's metadata.
+	unversioned.ListMeta
+
+	// Items is a list of roleBindings
+	Items []RoleBinding
+}
+
+// RoleList is a collection of Roles
+type RoleList struct {
+	unversioned.TypeMeta
+	// Standard object's metadata.
+	unversioned.ListMeta
+
+	// Items is a list of roles
+	Items []Role
+}
+
+// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
+type ClusterRole struct {
+	unversioned.TypeMeta
+	// Standard object's metadata.
+	api.ObjectMeta
+
+	// Rules holds all the PolicyRules for this ClusterRole
+	Rules []PolicyRule
+}
+
+// ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace,
+// and adds who information via Subject.
+type ClusterRoleBinding struct {
+	unversioned.TypeMeta
+	// Standard object's metadata.
+	api.ObjectMeta
+
+	// Subjects holds references to the objects the role applies to.
+	Subjects []Subject
+
+	// RoleRef can only reference a ClusterRole in the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	RoleRef api.ObjectReference
+}
+
+// ClusterRoleBindingList is a collection of ClusterRoleBindings
+type ClusterRoleBindingList struct {
+	unversioned.TypeMeta
+	// Standard object's metadata.
+	unversioned.ListMeta
+
+	// Items is a list of ClusterRoleBindings
+	Items []ClusterRoleBinding
+}
+
+// ClusterRoleList is a collection of ClusterRoles
+type ClusterRoleList struct {
+	unversioned.TypeMeta
+	// Standard object's metadata.
+	unversioned.ListMeta
+
+	// Items is a list of ClusterRoles
+	Items []ClusterRole
+}

pkg/apis/rbac/v1alpha1/conversion_generated.go

@@ -0,0 +1,596 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by conversion-gen. Do not edit it manually!
+
+package v1alpha1
+
+import (
+	api "k8s.io/kubernetes/pkg/api"
+	rbac "k8s.io/kubernetes/pkg/apis/rbac"
+	conversion "k8s.io/kubernetes/pkg/conversion"
+	runtime "k8s.io/kubernetes/pkg/runtime"
+)
+
+func init() {
+	if err := api.Scheme.AddGeneratedConversionFuncs(
+		Convert_v1alpha1_ClusterRole_To_rbac_ClusterRole,
+		Convert_rbac_ClusterRole_To_v1alpha1_ClusterRole,
+		Convert_v1alpha1_ClusterRoleBinding_To_rbac_ClusterRoleBinding,
+		Convert_rbac_ClusterRoleBinding_To_v1alpha1_ClusterRoleBinding,
+		Convert_v1alpha1_ClusterRoleBindingList_To_rbac_ClusterRoleBindingList,
+		Convert_rbac_ClusterRoleBindingList_To_v1alpha1_ClusterRoleBindingList,
+		Convert_v1alpha1_ClusterRoleList_To_rbac_ClusterRoleList,
+		Convert_rbac_ClusterRoleList_To_v1alpha1_ClusterRoleList,
+		Convert_v1alpha1_PolicyRule_To_rbac_PolicyRule,
+		Convert_rbac_PolicyRule_To_v1alpha1_PolicyRule,
+		Convert_v1alpha1_Role_To_rbac_Role,
+		Convert_rbac_Role_To_v1alpha1_Role,
+		Convert_v1alpha1_RoleBinding_To_rbac_RoleBinding,
+		Convert_rbac_RoleBinding_To_v1alpha1_RoleBinding,
+		Convert_v1alpha1_RoleBindingList_To_rbac_RoleBindingList,
+		Convert_rbac_RoleBindingList_To_v1alpha1_RoleBindingList,
+		Convert_v1alpha1_RoleList_To_rbac_RoleList,
+		Convert_rbac_RoleList_To_v1alpha1_RoleList,
+		Convert_v1alpha1_Subject_To_rbac_Subject,
+		Convert_rbac_Subject_To_v1alpha1_Subject,
+	); err != nil {
+		// if one of the conversion functions is malformed, detect it immediately.
+		panic(err)
+	}
+}
+
+func autoConvert_v1alpha1_ClusterRole_To_rbac_ClusterRole(in *ClusterRole, out *rbac.ClusterRole, s conversion.Scope) error {
+	if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
+		return err
+	}
+	// TODO: Inefficient conversion - can we improve it?
+	if err := s.Convert(&in.ObjectMeta, &out.ObjectMeta, 0); err != nil {
+		return err
+	}
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]rbac.PolicyRule, len(*in))
+		for i := range *in {
+			if err := Convert_v1alpha1_PolicyRule_To_rbac_PolicyRule(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Rules = nil
+	}
+	return nil
+}
+
+func Convert_v1alpha1_ClusterRole_To_rbac_ClusterRole(in *ClusterRole, out *rbac.ClusterRole, s conversion.Scope) error {
+	return autoConvert_v1alpha1_ClusterRole_To_rbac_ClusterRole(in, out, s)
+}
+
+func autoConvert_rbac_ClusterRole_To_v1alpha1_ClusterRole(in *rbac.ClusterRole, out *ClusterRole, s conversion.Scope) error {
+	if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
+		return err
+	}
+	// TODO: Inefficient conversion - can we improve it?
+	if err := s.Convert(&in.ObjectMeta, &out.ObjectMeta, 0); err != nil {
+		return err
+	}
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]PolicyRule, len(*in))
+		for i := range *in {
+			if err := Convert_rbac_PolicyRule_To_v1alpha1_PolicyRule(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Rules = nil
+	}
+	return nil
+}
+
+func Convert_rbac_ClusterRole_To_v1alpha1_ClusterRole(in *rbac.ClusterRole, out *ClusterRole, s conversion.Scope) error {
+	return autoConvert_rbac_ClusterRole_To_v1alpha1_ClusterRole(in, out, s)
+}
+
+func autoConvert_v1alpha1_ClusterRoleBinding_To_rbac_ClusterRoleBinding(in *ClusterRoleBinding, out *rbac.ClusterRoleBinding, s conversion.Scope) error {
+	if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
+		return err
+	}
+	// TODO: Inefficient conversion - can we improve it?
+	if err := s.Convert(&in.ObjectMeta, &out.ObjectMeta, 0); err != nil {
+		return err
+	}
+	if in.Subjects != nil {
+		in, out := &in.Subjects, &out.Subjects
+		*out = make([]rbac.Subject, len(*in))
+		for i := range *in {
+			if err := Convert_v1alpha1_Subject_To_rbac_Subject(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Subjects = nil
+	}
+	// TODO: Inefficient conversion - can we improve it?
+	if err := s.Convert(&in.RoleRef, &out.RoleRef, 0); err != nil {
+		return err
+	}
+	return nil
+}
+
+func Convert_v1alpha1_ClusterRoleBinding_To_rbac_ClusterRoleBinding(in *ClusterRoleBinding, out *rbac.ClusterRoleBinding, s conversion.Scope) error {
+	return autoConvert_v1alpha1_ClusterRoleBinding_To_rbac_ClusterRoleBinding(in, out, s)
+}
+
+func autoConvert_rbac_ClusterRoleBinding_To_v1alpha1_ClusterRoleBinding(in *rbac.ClusterRoleBinding, out *ClusterRoleBinding, s conversion.Scope) error {
+	if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
+		return err
+	}
+	// TODO: Inefficient conversion - can we improve it?
+	if err := s.Convert(&in.ObjectMeta, &out.ObjectMeta, 0); err != nil {
+		return err
+	}
+	if in.Subjects != nil {
+		in, out := &in.Subjects, &out.Subjects
+		*out = make([]Subject, len(*in))
+		for i := range *in {
+			if err := Convert_rbac_Subject_To_v1alpha1_Subject(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Subjects = nil
+	}
+	// TODO: Inefficient conversion - can we improve it?
+	if err := s.Convert(&in.RoleRef, &out.RoleRef, 0); err != nil {
+		return err
+	}
+	return nil
+}
+
+func Convert_rbac_ClusterRoleBinding_To_v1alpha1_ClusterRoleBinding(in *rbac.ClusterRoleBinding, out *ClusterRoleBinding, s conversion.Scope) error {
+	return autoConvert_rbac_ClusterRoleBinding_To_v1alpha1_ClusterRoleBinding(in, out, s)
+}
+
+func autoConvert_v1alpha1_ClusterRoleBindingList_To_rbac_ClusterRoleBindingList(in *ClusterRoleBindingList, out *rbac.ClusterRoleBindingList, s conversion.Scope) error {
+	if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
+		return err
+	}
+	if err := api.Convert_unversioned_ListMeta_To_unversioned_ListMeta(&in.ListMeta, &out.ListMeta, s); err != nil {
+		return err
+	}
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]rbac.ClusterRoleBinding, len(*in))
+		for i := range *in {
+			if err := Convert_v1alpha1_ClusterRoleBinding_To_rbac_ClusterRoleBinding(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Items = nil
+	}
+	return nil
+}
+
+func Convert_v1alpha1_ClusterRoleBindingList_To_rbac_ClusterRoleBindingList(in *ClusterRoleBindingList, out *rbac.ClusterRoleBindingList, s conversion.Scope) error {
+	return autoConvert_v1alpha1_ClusterRoleBindingList_To_rbac_ClusterRoleBindingList(in, out, s)
+}
+
+func autoConvert_rbac_ClusterRoleBindingList_To_v1alpha1_ClusterRoleBindingList(in *rbac.ClusterRoleBindingList, out *ClusterRoleBindingList, s conversion.Scope) error {
+	if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
+		return err
+	}
+	if err := api.Convert_unversioned_ListMeta_To_unversioned_ListMeta(&in.ListMeta, &out.ListMeta, s); err != nil {
+		return err
+	}
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ClusterRoleBinding, len(*in))
+		for i := range *in {
+			if err := Convert_rbac_ClusterRoleBinding_To_v1alpha1_ClusterRoleBinding(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Items = nil
+	}
+	return nil
+}
+
+func Convert_rbac_ClusterRoleBindingList_To_v1alpha1_ClusterRoleBindingList(in *rbac.ClusterRoleBindingList, out *ClusterRoleBindingList, s conversion.Scope) error {
+	return autoConvert_rbac_ClusterRoleBindingList_To_v1alpha1_ClusterRoleBindingList(in, out, s)
+}
+
+func autoConvert_v1alpha1_ClusterRoleList_To_rbac_ClusterRoleList(in *ClusterRoleList, out *rbac.ClusterRoleList, s conversion.Scope) error {
+	if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
+		return err
+	}
+	if err := api.Convert_unversioned_ListMeta_To_unversioned_ListMeta(&in.ListMeta, &out.ListMeta, s); err != nil {
+		return err
+	}
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]rbac.ClusterRole, len(*in))
+		for i := range *in {
+			if err := Convert_v1alpha1_ClusterRole_To_rbac_ClusterRole(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Items = nil
+	}
+	return nil
+}
+
+func Convert_v1alpha1_ClusterRoleList_To_rbac_ClusterRoleList(in *ClusterRoleList, out *rbac.ClusterRoleList, s conversion.Scope) error {
+	return autoConvert_v1alpha1_ClusterRoleList_To_rbac_ClusterRoleList(in, out, s)
+}
+
+func autoConvert_rbac_ClusterRoleList_To_v1alpha1_ClusterRoleList(in *rbac.ClusterRoleList, out *ClusterRoleList, s conversion.Scope) error {
+	if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
+		return err
+	}
+	if err := api.Convert_unversioned_ListMeta_To_unversioned_ListMeta(&in.ListMeta, &out.ListMeta, s); err != nil {
+		return err
+	}
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ClusterRole, len(*in))
+		for i := range *in {
+			if err := Convert_rbac_ClusterRole_To_v1alpha1_ClusterRole(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Items = nil
+	}
+	return nil
+}
+
+func Convert_rbac_ClusterRoleList_To_v1alpha1_ClusterRoleList(in *rbac.ClusterRoleList, out *ClusterRoleList, s conversion.Scope) error {
+	return autoConvert_rbac_ClusterRoleList_To_v1alpha1_ClusterRoleList(in, out, s)
+}
+
+func autoConvert_v1alpha1_PolicyRule_To_rbac_PolicyRule(in *PolicyRule, out *rbac.PolicyRule, s conversion.Scope) error {
+	if in.Verbs != nil {
+		in, out := &in.Verbs, &out.Verbs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	} else {
+		out.Verbs = nil
+	}
+	if err := runtime.Convert_runtime_RawExtension_To_runtime_Object(&in.AttributeRestrictions, &out.AttributeRestrictions, s); err != nil {
+		return err
+	}
+	if in.APIGroups != nil {
+		in, out := &in.APIGroups, &out.APIGroups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	} else {
+		out.APIGroups = nil
+	}
+	if in.Resources != nil {
+		in, out := &in.Resources, &out.Resources
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	} else {
+		out.Resources = nil
+	}
+	if in.ResourceNames != nil {
+		in, out := &in.ResourceNames, &out.ResourceNames
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	} else {
+		out.ResourceNames = nil
+	}
+	if in.NonResourceURLs != nil {
+		in, out := &in.NonResourceURLs, &out.NonResourceURLs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	} else {
+		out.NonResourceURLs = nil
+	}
+	return nil
+}
+
+func Convert_v1alpha1_PolicyRule_To_rbac_PolicyRule(in *PolicyRule, out *rbac.PolicyRule, s conversion.Scope) error {
+	return autoConvert_v1alpha1_PolicyRule_To_rbac_PolicyRule(in, out, s)
+}
+
+func autoConvert_rbac_PolicyRule_To_v1alpha1_PolicyRule(in *rbac.PolicyRule, out *PolicyRule, s conversion.Scope) error {
+	if in.Verbs != nil {
+		in, out := &in.Verbs, &out.Verbs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	} else {
+		out.Verbs = nil
+	}
+	if err := runtime.Convert_runtime_Object_To_runtime_RawExtension(&in.AttributeRestrictions, &out.AttributeRestrictions, s); err != nil {
+		return err
+	}
+	if in.APIGroups != nil {
+		in, out := &in.APIGroups, &out.APIGroups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	} else {
+		out.APIGroups = nil
+	}
+	if in.Resources != nil {
+		in, out := &in.Resources, &out.Resources
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	} else {
+		out.Resources = nil
+	}
+	if in.ResourceNames != nil {
+		in, out := &in.ResourceNames, &out.ResourceNames
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	} else {
+		out.ResourceNames = nil
+	}
+	if in.NonResourceURLs != nil {
+		in, out := &in.NonResourceURLs, &out.NonResourceURLs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	} else {
+		out.NonResourceURLs = nil
+	}
+	return nil
+}
+
+func Convert_rbac_PolicyRule_To_v1alpha1_PolicyRule(in *rbac.PolicyRule, out *PolicyRule, s conversion.Scope) error {
+	return autoConvert_rbac_PolicyRule_To_v1alpha1_PolicyRule(in, out, s)
+}
+
+func autoConvert_v1alpha1_Role_To_rbac_Role(in *Role, out *rbac.Role, s conversion.Scope) error {
+	if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
+		return err
+	}
+	// TODO: Inefficient conversion - can we improve it?
+	if err := s.Convert(&in.ObjectMeta, &out.ObjectMeta, 0); err != nil {
+		return err
+	}
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]rbac.PolicyRule, len(*in))
+		for i := range *in {
+			if err := Convert_v1alpha1_PolicyRule_To_rbac_PolicyRule(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Rules = nil
+	}
+	return nil
+}
+
+func Convert_v1alpha1_Role_To_rbac_Role(in *Role, out *rbac.Role, s conversion.Scope) error {
+	return autoConvert_v1alpha1_Role_To_rbac_Role(in, out, s)
+}
+
+func autoConvert_rbac_Role_To_v1alpha1_Role(in *rbac.Role, out *Role, s conversion.Scope) error {
+	if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
+		return err
+	}
+	// TODO: Inefficient conversion - can we improve it?
+	if err := s.Convert(&in.ObjectMeta, &out.ObjectMeta, 0); err != nil {
+		return err
+	}
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]PolicyRule, len(*in))
+		for i := range *in {
+			if err := Convert_rbac_PolicyRule_To_v1alpha1_PolicyRule(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Rules = nil
+	}
+	return nil
+}
+
+func Convert_rbac_Role_To_v1alpha1_Role(in *rbac.Role, out *Role, s conversion.Scope) error {
+	return autoConvert_rbac_Role_To_v1alpha1_Role(in, out, s)
+}
+
+func autoConvert_v1alpha1_RoleBinding_To_rbac_RoleBinding(in *RoleBinding, out *rbac.RoleBinding, s conversion.Scope) error {
+	if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
+		return err
+	}
+	// TODO: Inefficient conversion - can we improve it?
+	if err := s.Convert(&in.ObjectMeta, &out.ObjectMeta, 0); err != nil {
+		return err
+	}
+	if in.Subjects != nil {
+		in, out := &in.Subjects, &out.Subjects
+		*out = make([]rbac.Subject, len(*in))
+		for i := range *in {
+			if err := Convert_v1alpha1_Subject_To_rbac_Subject(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Subjects = nil
+	}
+	// TODO: Inefficient conversion - can we improve it?
+	if err := s.Convert(&in.RoleRef, &out.RoleRef, 0); err != nil {
+		return err
+	}
+	return nil
+}
+
+func Convert_v1alpha1_RoleBinding_To_rbac_RoleBinding(in *RoleBinding, out *rbac.RoleBinding, s conversion.Scope) error {
+	return autoConvert_v1alpha1_RoleBinding_To_rbac_RoleBinding(in, out, s)
+}
+
+func autoConvert_rbac_RoleBinding_To_v1alpha1_RoleBinding(in *rbac.RoleBinding, out *RoleBinding, s conversion.Scope) error {
+	if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
+		return err
+	}
+	// TODO: Inefficient conversion - can we improve it?
+	if err := s.Convert(&in.ObjectMeta, &out.ObjectMeta, 0); err != nil {
+		return err
+	}
+	if in.Subjects != nil {
+		in, out := &in.Subjects, &out.Subjects
+		*out = make([]Subject, len(*in))
+		for i := range *in {
+			if err := Convert_rbac_Subject_To_v1alpha1_Subject(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Subjects = nil
+	}
+	// TODO: Inefficient conversion - can we improve it?
+	if err := s.Convert(&in.RoleRef, &out.RoleRef, 0); err != nil {
+		return err
+	}
+	return nil
+}
+
+func Convert_rbac_RoleBinding_To_v1alpha1_RoleBinding(in *rbac.RoleBinding, out *RoleBinding, s conversion.Scope) error {
+	return autoConvert_rbac_RoleBinding_To_v1alpha1_RoleBinding(in, out, s)
+}
+
+func autoConvert_v1alpha1_RoleBindingList_To_rbac_RoleBindingList(in *RoleBindingList, out *rbac.RoleBindingList, s conversion.Scope) error {
+	if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
+		return err
+	}
+	if err := api.Convert_unversioned_ListMeta_To_unversioned_ListMeta(&in.ListMeta, &out.ListMeta, s); err != nil {
+		return err
+	}
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]rbac.RoleBinding, len(*in))
+		for i := range *in {
+			if err := Convert_v1alpha1_RoleBinding_To_rbac_RoleBinding(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Items = nil
+	}
+	return nil
+}
+
+func Convert_v1alpha1_RoleBindingList_To_rbac_RoleBindingList(in *RoleBindingList, out *rbac.RoleBindingList, s conversion.Scope) error {
+	return autoConvert_v1alpha1_RoleBindingList_To_rbac_RoleBindingList(in, out, s)
+}
+
+func autoConvert_rbac_RoleBindingList_To_v1alpha1_RoleBindingList(in *rbac.RoleBindingList, out *RoleBindingList, s conversion.Scope) error {
+	if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
+		return err
+	}
+	if err := api.Convert_unversioned_ListMeta_To_unversioned_ListMeta(&in.ListMeta, &out.ListMeta, s); err != nil {
+		return err
+	}
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]RoleBinding, len(*in))
+		for i := range *in {
+			if err := Convert_rbac_RoleBinding_To_v1alpha1_RoleBinding(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Items = nil
+	}
+	return nil
+}
+
+func Convert_rbac_RoleBindingList_To_v1alpha1_RoleBindingList(in *rbac.RoleBindingList, out *RoleBindingList, s conversion.Scope) error {
+	return autoConvert_rbac_RoleBindingList_To_v1alpha1_RoleBindingList(in, out, s)
+}
+
+func autoConvert_v1alpha1_RoleList_To_rbac_RoleList(in *RoleList, out *rbac.RoleList, s conversion.Scope) error {
+	if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
+		return err
+	}
+	if err := api.Convert_unversioned_ListMeta_To_unversioned_ListMeta(&in.ListMeta, &out.ListMeta, s); err != nil {
+		return err
+	}
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]rbac.Role, len(*in))
+		for i := range *in {
+			if err := Convert_v1alpha1_Role_To_rbac_Role(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Items = nil
+	}
+	return nil
+}
+
+func Convert_v1alpha1_RoleList_To_rbac_RoleList(in *RoleList, out *rbac.RoleList, s conversion.Scope) error {
+	return autoConvert_v1alpha1_RoleList_To_rbac_RoleList(in, out, s)
+}
+
+func autoConvert_rbac_RoleList_To_v1alpha1_RoleList(in *rbac.RoleList, out *RoleList, s conversion.Scope) error {
+	if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
+		return err
+	}
+	if err := api.Convert_unversioned_ListMeta_To_unversioned_ListMeta(&in.ListMeta, &out.ListMeta, s); err != nil {
+		return err
+	}
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Role, len(*in))
+		for i := range *in {
+			if err := Convert_rbac_Role_To_v1alpha1_Role(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Items = nil
+	}
+	return nil
+}
+
+func Convert_rbac_RoleList_To_v1alpha1_RoleList(in *rbac.RoleList, out *RoleList, s conversion.Scope) error {
+	return autoConvert_rbac_RoleList_To_v1alpha1_RoleList(in, out, s)
+}
+
+func autoConvert_v1alpha1_Subject_To_rbac_Subject(in *Subject, out *rbac.Subject, s conversion.Scope) error {
+	out.Kind = in.Kind
+	out.APIVersion = in.APIVersion
+	out.Name = in.Name
+	out.Namespace = in.Namespace
+	return nil
+}
+
+func Convert_v1alpha1_Subject_To_rbac_Subject(in *Subject, out *rbac.Subject, s conversion.Scope) error {
+	return autoConvert_v1alpha1_Subject_To_rbac_Subject(in, out, s)
+}
+
+func autoConvert_rbac_Subject_To_v1alpha1_Subject(in *rbac.Subject, out *Subject, s conversion.Scope) error {
+	out.Kind = in.Kind
+	out.APIVersion = in.APIVersion
+	out.Name = in.Name
+	out.Namespace = in.Namespace
+	return nil
+}
+
+func Convert_rbac_Subject_To_v1alpha1_Subject(in *rbac.Subject, out *Subject, s conversion.Scope) error {
+	return autoConvert_rbac_Subject_To_v1alpha1_Subject(in, out, s)
+}

pkg/apis/rbac/v1alpha1/deep_copy_generated.go

@@ -0,0 +1,271 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1alpha1
+
+import (
+	api "k8s.io/kubernetes/pkg/api"
+	unversioned "k8s.io/kubernetes/pkg/api/unversioned"
+	v1 "k8s.io/kubernetes/pkg/api/v1"
+	conversion "k8s.io/kubernetes/pkg/conversion"
+	runtime "k8s.io/kubernetes/pkg/runtime"
+)
+
+func init() {
+	if err := api.Scheme.AddGeneratedDeepCopyFuncs(
+		DeepCopy_v1alpha1_ClusterRole,
+		DeepCopy_v1alpha1_ClusterRoleBinding,
+		DeepCopy_v1alpha1_ClusterRoleBindingList,
+		DeepCopy_v1alpha1_ClusterRoleList,
+		DeepCopy_v1alpha1_PolicyRule,
+		DeepCopy_v1alpha1_Role,
+		DeepCopy_v1alpha1_RoleBinding,
+		DeepCopy_v1alpha1_RoleBindingList,
+		DeepCopy_v1alpha1_RoleList,
+		DeepCopy_v1alpha1_Subject,
+	); err != nil {
+		// if one of the deep copy functions is malformed, detect it immediately.
+		panic(err)
+	}
+}
+
+func DeepCopy_v1alpha1_ClusterRole(in ClusterRole, out *ClusterRole, c *conversion.Cloner) error {
+	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
+		return err
+	}
+	if err := v1.DeepCopy_v1_ObjectMeta(in.ObjectMeta, &out.ObjectMeta, c); err != nil {
+		return err
+	}
+	if in.Rules != nil {
+		in, out := in.Rules, &out.Rules
+		*out = make([]PolicyRule, len(in))
+		for i := range in {
+			if err := DeepCopy_v1alpha1_PolicyRule(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Rules = nil
+	}
+	return nil
+}
+
+func DeepCopy_v1alpha1_ClusterRoleBinding(in ClusterRoleBinding, out *ClusterRoleBinding, c *conversion.Cloner) error {
+	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
+		return err
+	}
+	if err := v1.DeepCopy_v1_ObjectMeta(in.ObjectMeta, &out.ObjectMeta, c); err != nil {
+		return err
+	}
+	if in.Subjects != nil {
+		in, out := in.Subjects, &out.Subjects
+		*out = make([]Subject, len(in))
+		for i := range in {
+			if err := DeepCopy_v1alpha1_Subject(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Subjects = nil
+	}
+	if err := v1.DeepCopy_v1_ObjectReference(in.RoleRef, &out.RoleRef, c); err != nil {
+		return err
+	}
+	return nil
+}
+
+func DeepCopy_v1alpha1_ClusterRoleBindingList(in ClusterRoleBindingList, out *ClusterRoleBindingList, c *conversion.Cloner) error {
+	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
+		return err
+	}
+	if err := unversioned.DeepCopy_unversioned_ListMeta(in.ListMeta, &out.ListMeta, c); err != nil {
+		return err
+	}
+	if in.Items != nil {
+		in, out := in.Items, &out.Items
+		*out = make([]ClusterRoleBinding, len(in))
+		for i := range in {
+			if err := DeepCopy_v1alpha1_ClusterRoleBinding(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Items = nil
+	}
+	return nil
+}
+
+func DeepCopy_v1alpha1_ClusterRoleList(in ClusterRoleList, out *ClusterRoleList, c *conversion.Cloner) error {
+	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
+		return err
+	}
+	if err := unversioned.DeepCopy_unversioned_ListMeta(in.ListMeta, &out.ListMeta, c); err != nil {
+		return err
+	}
+	if in.Items != nil {
+		in, out := in.Items, &out.Items
+		*out = make([]ClusterRole, len(in))
+		for i := range in {
+			if err := DeepCopy_v1alpha1_ClusterRole(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Items = nil
+	}
+	return nil
+}
+
+func DeepCopy_v1alpha1_PolicyRule(in PolicyRule, out *PolicyRule, c *conversion.Cloner) error {
+	if in.Verbs != nil {
+		in, out := in.Verbs, &out.Verbs
+		*out = make([]string, len(in))
+		copy(*out, in)
+	} else {
+		out.Verbs = nil
+	}
+	if err := runtime.DeepCopy_runtime_RawExtension(in.AttributeRestrictions, &out.AttributeRestrictions, c); err != nil {
+		return err
+	}
+	if in.APIGroups != nil {
+		in, out := in.APIGroups, &out.APIGroups
+		*out = make([]string, len(in))
+		copy(*out, in)
+	} else {
+		out.APIGroups = nil
+	}
+	if in.Resources != nil {
+		in, out := in.Resources, &out.Resources
+		*out = make([]string, len(in))
+		copy(*out, in)
+	} else {
+		out.Resources = nil
+	}
+	if in.ResourceNames != nil {
+		in, out := in.ResourceNames, &out.ResourceNames
+		*out = make([]string, len(in))
+		copy(*out, in)
+	} else {
+		out.ResourceNames = nil
+	}
+	if in.NonResourceURLs != nil {
+		in, out := in.NonResourceURLs, &out.NonResourceURLs
+		*out = make([]string, len(in))
+		copy(*out, in)
+	} else {
+		out.NonResourceURLs = nil
+	}
+	return nil
+}
+
+func DeepCopy_v1alpha1_Role(in Role, out *Role, c *conversion.Cloner) error {
+	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
+		return err
+	}
+	if err := v1.DeepCopy_v1_ObjectMeta(in.ObjectMeta, &out.ObjectMeta, c); err != nil {
+		return err
+	}
+	if in.Rules != nil {
+		in, out := in.Rules, &out.Rules
+		*out = make([]PolicyRule, len(in))
+		for i := range in {
+			if err := DeepCopy_v1alpha1_PolicyRule(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Rules = nil
+	}
+	return nil
+}
+
+func DeepCopy_v1alpha1_RoleBinding(in RoleBinding, out *RoleBinding, c *conversion.Cloner) error {
+	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
+		return err
+	}
+	if err := v1.DeepCopy_v1_ObjectMeta(in.ObjectMeta, &out.ObjectMeta, c); err != nil {
+		return err
+	}
+	if in.Subjects != nil {
+		in, out := in.Subjects, &out.Subjects
+		*out = make([]Subject, len(in))
+		for i := range in {
+			if err := DeepCopy_v1alpha1_Subject(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Subjects = nil
+	}
+	if err := v1.DeepCopy_v1_ObjectReference(in.RoleRef, &out.RoleRef, c); err != nil {
+		return err
+	}
+	return nil
+}
+
+func DeepCopy_v1alpha1_RoleBindingList(in RoleBindingList, out *RoleBindingList, c *conversion.Cloner) error {
+	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
+		return err
+	}
+	if err := unversioned.DeepCopy_unversioned_ListMeta(in.ListMeta, &out.ListMeta, c); err != nil {
+		return err
+	}
+	if in.Items != nil {
+		in, out := in.Items, &out.Items
+		*out = make([]RoleBinding, len(in))
+		for i := range in {
+			if err := DeepCopy_v1alpha1_RoleBinding(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Items = nil
+	}
+	return nil
+}
+
+func DeepCopy_v1alpha1_RoleList(in RoleList, out *RoleList, c *conversion.Cloner) error {
+	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
+		return err
+	}
+	if err := unversioned.DeepCopy_unversioned_ListMeta(in.ListMeta, &out.ListMeta, c); err != nil {
+		return err
+	}
+	if in.Items != nil {
+		in, out := in.Items, &out.Items
+		*out = make([]Role, len(in))
+		for i := range in {
+			if err := DeepCopy_v1alpha1_Role(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Items = nil
+	}
+	return nil
+}
+
+func DeepCopy_v1alpha1_Subject(in Subject, out *Subject, c *conversion.Cloner) error {
+	out.Kind = in.Kind
+	out.APIVersion = in.APIVersion
+	out.Name = in.Name
+	out.Namespace = in.Namespace
+	return nil
+}

pkg/apis/rbac/v1alpha1/doc.go

@@ -0,0 +1,18 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +genconversion=true
+package v1alpha1

pkg/apis/rbac/v1alpha1/generated.proto

@@ -0,0 +1,160 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.kubernetes.pkg.apis.rbac.v1alpha1;
+
+import "k8s.io/kubernetes/pkg/api/resource/generated.proto";
+import "k8s.io/kubernetes/pkg/api/unversioned/generated.proto";
+import "k8s.io/kubernetes/pkg/api/v1/generated.proto";
+import "k8s.io/kubernetes/pkg/runtime/generated.proto";
+import "k8s.io/kubernetes/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1alpha1";
+
+// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
+message ClusterRole {
+  // Standard object's metadata.
+  optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;
+
+  // Rules holds all the PolicyRules for this ClusterRole
+  repeated PolicyRule rules = 2;
+}
+
+// ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace,
+// and adds who information via Subject.
+message ClusterRoleBinding {
+  // Standard object's metadata.
+  optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;
+
+  // Subjects holds references to the objects the role applies to.
+  repeated Subject subject = 2;
+
+  // RoleRef can only reference a ClusterRole in the global namespace.
+  // If the RoleRef cannot be resolved, the Authorizer must return an error.
+  optional k8s.io.kubernetes.pkg.api.v1.ObjectReference roleRef = 3;
+}
+
+// ClusterRoleBindingList is a collection of ClusterRoleBindings
+message ClusterRoleBindingList {
+  // Standard object's metadata.
+  optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;
+
+  // Items is a list of ClusterRoleBindings
+  repeated ClusterRoleBinding items = 2;
+}
+
+// ClusterRoleList is a collection of ClusterRoles
+message ClusterRoleList {
+  // Standard object's metadata.
+  optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;
+
+  // Items is a list of ClusterRoles
+  repeated ClusterRole items = 2;
+}
+
+// PolicyRule holds information that describes a policy rule, but does not contain information
+// about who the rule applies to or which namespace the rule applies to.
+message PolicyRule {
+  // Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.
+  repeated string verbs = 1;
+
+  // AttributeRestrictions will vary depending on what the Authorizer/AuthorizationAttributeBuilder pair supports.
+  // If the Authorizer does not recognize how to handle the AttributeRestrictions, the Authorizer should report an error.
+  optional k8s.io.kubernetes.pkg.runtime.RawExtension attributeRestrictions = 2;
+
+  // APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+  // the enumerated resources in any API group will be allowed.
+  repeated string apiGroups = 3;
+
+  // Resources is a list of resources this rule applies to.  ResourceAll represents all resources.
+  repeated string resources = 4;
+
+  // ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+  repeated string resourceNames = 5;
+
+  // NonResourceURLsSlice is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
+  // This name is intentionally different than the internal type so that the DefaultConvert works nicely and because the ordering may be different.
+  // Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+  repeated string nonResourceURLs = 6;
+}
+
+// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
+message Role {
+  // Standard object's metadata.
+  optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;
+
+  // Rules holds all the PolicyRules for this Role
+  repeated PolicyRule rules = 2;
+}
+
+// RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace.
+// It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given
+// namespace only have effect in that namespace.
+message RoleBinding {
+  // Standard object's metadata.
+  optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;
+
+  // Subjects holds references to the objects the role applies to.
+  repeated Subject subject = 2;
+
+  // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
+  // If the RoleRef cannot be resolved, the Authorizer must return an error.
+  optional k8s.io.kubernetes.pkg.api.v1.ObjectReference roleRef = 3;
+}
+
+// RoleBindingList is a collection of RoleBindings
+message RoleBindingList {
+  // Standard object's metadata.
+  optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;
+
+  // Items is a list of RoleBindings
+  repeated RoleBinding items = 2;
+}
+
+// RoleList is a collection of Roles
+message RoleList {
+  // Standard object's metadata.
+  optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;
+
+  // Items is a list of Roles
+  repeated Role items = 2;
+}
+
+// Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
+// or a value for non-objects such as user and group names.
+message Subject {
+  // Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+  // If the Authorizer does not recognized the kind value, the Authorizer should report an error.
+  optional string kind = 1;
+
+  // APIVersion holds the API group and version of the referenced object. For non-object references such as "Group" and "User" this is
+  // expected to be API version of this API group. For example "rbac.authorization.k8s.io/v1alpha1".
+  optional string apiVersion = 2;
+
+  // Name of the object being referenced.
+  optional string name = 3;
+
+  // Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+  // the Authorizer should report an error.
+  optional string namespace = 4;
+}
+

pkg/apis/rbac/v1alpha1/register.go

@@ -0,0 +1,57 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"k8s.io/kubernetes/pkg/api/unversioned"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/runtime"
+	"k8s.io/kubernetes/pkg/watch/versioned"
+)
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = unversioned.GroupVersion{Group: rbac.GroupName, Version: "v1alpha"}
+
+func AddToScheme(scheme *runtime.Scheme) {
+	addKnownTypes(scheme)
+}
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Role{},
+		&RoleBinding{},
+		&RoleBindingList{},
+		&RoleList{},
+
+		&ClusterRole{},
+		&ClusterRoleBinding{},
+		&ClusterRoleBindingList{},
+		&ClusterRoleList{},
+	)
+	versioned.AddToGroupVersion(scheme, SchemeGroupVersion)
+}
+
+func (obj *ClusterRole) GetObjectKind() unversioned.ObjectKind            { return &obj.TypeMeta }
+func (obj *ClusterRoleBinding) GetObjectKind() unversioned.ObjectKind     { return &obj.TypeMeta }
+func (obj *ClusterRoleBindingList) GetObjectKind() unversioned.ObjectKind { return &obj.TypeMeta }
+func (obj *ClusterRoleList) GetObjectKind() unversioned.ObjectKind        { return &obj.TypeMeta }
+
+func (obj *Role) GetObjectKind() unversioned.ObjectKind            { return &obj.TypeMeta }
+func (obj *RoleBinding) GetObjectKind() unversioned.ObjectKind     { return &obj.TypeMeta }
+func (obj *RoleBindingList) GetObjectKind() unversioned.ObjectKind { return &obj.TypeMeta }
+func (obj *RoleList) GetObjectKind() unversioned.ObjectKind        { return &obj.TypeMeta }

pkg/apis/rbac/v1alpha1/types.go

@@ -0,0 +1,156 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"k8s.io/kubernetes/pkg/api/unversioned"
+	"k8s.io/kubernetes/pkg/api/v1"
+	"k8s.io/kubernetes/pkg/runtime"
+)
+
+// Authorization is calculated against
+// 1. evaluation of ClusterRoleBindings - short circuit on match
+// 2. evaluation of RoleBindings in the namespace requested - short circuit on match
+// 3. deny by default
+
+// PolicyRule holds information that describes a policy rule, but does not contain information
+// about who the rule applies to or which namespace the rule applies to.
+type PolicyRule struct {
+	// Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.
+	Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
+	// AttributeRestrictions will vary depending on what the Authorizer/AuthorizationAttributeBuilder pair supports.
+	// If the Authorizer does not recognize how to handle the AttributeRestrictions, the Authorizer should report an error.
+	AttributeRestrictions runtime.RawExtension `json:"attributeRestrictions,omitempty" protobuf:"bytes,2,opt,name=attributeRestrictions"`
+	// APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+	// the enumerated resources in any API group will be allowed.
+	APIGroups []string `json:"apiGroups" protobuf:"bytes,3,rep,name=apiGroups"`
+	// Resources is a list of resources this rule applies to.  ResourceAll represents all resources.
+	Resources []string `json:"resources" protobuf:"bytes,4,rep,name=resources"`
+	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+	ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,5,rep,name=resourceNames"`
+	// NonResourceURLsSlice is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
+	// This name is intentionally different than the internal type so that the DefaultConvert works nicely and because the ordering may be different.
+	// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+	NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,6,rep,name=nonResourceURLs"`
+}
+
+// Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
+// or a value for non-objects such as user and group names.
+type Subject struct {
+	// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+	// If the Authorizer does not recognized the kind value, the Authorizer should report an error.
+	Kind string `json:"kind" protobuf:"bytes,1,opt,name=kind"`
+	// APIVersion holds the API group and version of the referenced object. For non-object references such as "Group" and "User" this is
+	// expected to be API version of this API group. For example "rbac.authorization.k8s.io/v1alpha1".
+	APIVersion string `json:"apiVersion" protobuf:"bytes,2,opt.name=apiVersion"`
+	// Name of the object being referenced.
+	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
+	// Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+	// the Authorizer should report an error.
+	Namespace string `json:"namespace,omitempty" protobuf:"bytes,4,opt,name=namespace"`
+}
+
+// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
+type Role struct {
+	unversioned.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	v1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Rules holds all the PolicyRules for this Role
+	Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
+}
+
+// RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace.
+// It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given
+// namespace only have effect in that namespace.
+type RoleBinding struct {
+	unversioned.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	v1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Subjects holds references to the objects the role applies to.
+	Subjects []Subject `json:"subject" protobuf:"bytes,2,rep,name=subjects"`
+
+	// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	RoleRef v1.ObjectReference `json:"roleRef" protobuf:"bytes,3,opt,name=roleRef"`
+}
+
+// RoleBindingList is a collection of RoleBindings
+type RoleBindingList struct {
+	unversioned.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	unversioned.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of RoleBindings
+	Items []RoleBinding `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// RoleList is a collection of Roles
+type RoleList struct {
+	unversioned.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	unversioned.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of Roles
+	Items []Role `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
+type ClusterRole struct {
+	unversioned.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	v1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Rules holds all the PolicyRules for this ClusterRole
+	Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
+}
+
+// ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace,
+// and adds who information via Subject.
+type ClusterRoleBinding struct {
+	unversioned.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	v1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Subjects holds references to the objects the role applies to.
+	Subjects []Subject `json:"subject" protobuf:"bytes,2,rep,name=subjects"`
+
+	// RoleRef can only reference a ClusterRole in the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	RoleRef v1.ObjectReference `json:"roleRef" protobuf:"bytes,3,opt,name=roleRef"`
+}
+
+// ClusterRoleBindingList is a collection of ClusterRoleBindings
+type ClusterRoleBindingList struct {
+	unversioned.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	unversioned.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of ClusterRoleBindings
+	Items []ClusterRoleBinding `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// ClusterRoleList is a collection of ClusterRoles
+type ClusterRoleList struct {
+	unversioned.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	unversioned.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of ClusterRoles
+	Items []ClusterRole `json:"items" protobuf:"bytes,2,rep,name=items"`
+}

pkg/apis/rbac/v1alpha1/types_swagger_doc_generated.go

@@ -0,0 +1,138 @@
+/*
+Copyright 2015 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_ClusterRole = map[string]string{
+	"":         "ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.",
+	"metadata": "Standard object's metadata.",
+	"rules":    "Rules holds all the PolicyRules for this ClusterRole",
+}
+
+func (ClusterRole) SwaggerDoc() map[string]string {
+	return map_ClusterRole
+}
+
+var map_ClusterRoleBinding = map[string]string{
+	"":         "ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace, and adds who information via Subject.",
+	"metadata": "Standard object's metadata.",
+	"subject":  "Subjects holds references to the objects the role applies to.",
+	"roleRef":  "RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error.",
+}
+
+func (ClusterRoleBinding) SwaggerDoc() map[string]string {
+	return map_ClusterRoleBinding
+}
+
+var map_ClusterRoleBindingList = map[string]string{
+	"":         "ClusterRoleBindingList is a collection of ClusterRoleBindings",
+	"metadata": "Standard object's metadata.",
+	"items":    "Items is a list of ClusterRoleBindings",
+}
+
+func (ClusterRoleBindingList) SwaggerDoc() map[string]string {
+	return map_ClusterRoleBindingList
+}
+
+var map_ClusterRoleList = map[string]string{
+	"":         "ClusterRoleList is a collection of ClusterRoles",
+	"metadata": "Standard object's metadata.",
+	"items":    "Items is a list of ClusterRoles",
+}
+
+func (ClusterRoleList) SwaggerDoc() map[string]string {
+	return map_ClusterRoleList
+}
+
+var map_PolicyRule = map[string]string{
+	"":                      "PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.",
+	"verbs":                 "Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.",
+	"attributeRestrictions": "AttributeRestrictions will vary depending on what the Authorizer/AuthorizationAttributeBuilder pair supports. If the Authorizer does not recognize how to handle the AttributeRestrictions, the Authorizer should report an error.",
+	"apiGroups":             "APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.",
+	"resources":             "Resources is a list of resources this rule applies to.  ResourceAll represents all resources.",
+	"resourceNames":         "ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.",
+	"nonResourceURLs":       "NonResourceURLsSlice is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path This name is intentionally different than the internal type so that the DefaultConvert works nicely and because the ordering may be different. Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.",
+}
+
+func (PolicyRule) SwaggerDoc() map[string]string {
+	return map_PolicyRule
+}
+
+var map_Role = map[string]string{
+	"":         "Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.",
+	"metadata": "Standard object's metadata.",
+	"rules":    "Rules holds all the PolicyRules for this Role",
+}
+
+func (Role) SwaggerDoc() map[string]string {
+	return map_Role
+}
+
+var map_RoleBinding = map[string]string{
+	"":         "RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given namespace only have effect in that namespace.",
+	"metadata": "Standard object's metadata.",
+	"subject":  "Subjects holds references to the objects the role applies to.",
+	"roleRef":  "RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error.",
+}
+
+func (RoleBinding) SwaggerDoc() map[string]string {
+	return map_RoleBinding
+}
+
+var map_RoleBindingList = map[string]string{
+	"":         "RoleBindingList is a collection of RoleBindings",
+	"metadata": "Standard object's metadata.",
+	"items":    "Items is a list of RoleBindings",
+}
+
+func (RoleBindingList) SwaggerDoc() map[string]string {
+	return map_RoleBindingList
+}
+
+var map_RoleList = map[string]string{
+	"":         "RoleList is a collection of Roles",
+	"metadata": "Standard object's metadata.",
+	"items":    "Items is a list of Roles",
+}
+
+func (RoleList) SwaggerDoc() map[string]string {
+	return map_RoleList
+}
+
+var map_Subject = map[string]string{
+	"":           "Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference, or a value for non-objects such as user and group names.",
+	"kind":       "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.",
+	"apiVersion": "APIVersion holds the API group and version of the referenced object. For non-object references such as \"Group\" and \"User\" this is expected to be API version of this API group. For example \"rbac.authorization.k8s.io/v1alpha1\".",
+	"name":       "Name of the object being referenced.",
+	"namespace":  "Namespace of the referenced object.  If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.",
+}
+
+func (Subject) SwaggerDoc() map[string]string {
+	return map_Subject
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE

pkg/apis/rbac/validation/cast.go

@@ -0,0 +1,107 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validation
+
+import "k8s.io/kubernetes/pkg/apis/rbac"
+
+// Casting utilities to and from "Cluster" level equivalents.
+
+func toClusterRole(in *rbac.Role) *rbac.ClusterRole {
+	if in == nil {
+		return nil
+	}
+
+	ret := &rbac.ClusterRole{}
+	ret.ObjectMeta = in.ObjectMeta
+	ret.Rules = in.Rules
+
+	return ret
+}
+
+func toClusterRoleList(in *rbac.RoleList) *rbac.ClusterRoleList {
+	ret := &rbac.ClusterRoleList{}
+	for _, curr := range in.Items {
+		ret.Items = append(ret.Items, *toClusterRole(&curr))
+	}
+
+	return ret
+}
+
+func toClusterRoleBinding(in *rbac.RoleBinding) *rbac.ClusterRoleBinding {
+	if in == nil {
+		return nil
+	}
+
+	ret := &rbac.ClusterRoleBinding{}
+	ret.ObjectMeta = in.ObjectMeta
+	ret.Subjects = in.Subjects
+	ret.RoleRef = in.RoleRef
+
+	return ret
+}
+
+func toClusterRoleBindingList(in *rbac.RoleBindingList) *rbac.ClusterRoleBindingList {
+	ret := &rbac.ClusterRoleBindingList{}
+	for _, curr := range in.Items {
+		ret.Items = append(ret.Items, *toClusterRoleBinding(&curr))
+	}
+
+	return ret
+}
+
+func toRole(in *rbac.ClusterRole) *rbac.Role {
+	if in == nil {
+		return nil
+	}
+
+	ret := &rbac.Role{}
+	ret.ObjectMeta = in.ObjectMeta
+	ret.Rules = in.Rules
+
+	return ret
+}
+
+func toRoleList(in *rbac.ClusterRoleList) *rbac.RoleList {
+	ret := &rbac.RoleList{}
+	for _, curr := range in.Items {
+		ret.Items = append(ret.Items, *toRole(&curr))
+	}
+
+	return ret
+}
+
+func toRoleBinding(in *rbac.ClusterRoleBinding) *rbac.RoleBinding {
+	if in == nil {
+		return nil
+	}
+
+	ret := &rbac.RoleBinding{}
+	ret.ObjectMeta = in.ObjectMeta
+	ret.Subjects = in.Subjects
+	ret.RoleRef = in.RoleRef
+
+	return ret
+}
+
+func toRoleBindingList(in *rbac.ClusterRoleBindingList) *rbac.RoleBindingList {
+	ret := &rbac.RoleBindingList{}
+	for _, curr := range in.Items {
+		ret.Items = append(ret.Items, *toRoleBinding(&curr))
+	}
+
+	return ret
+}

pkg/apis/rbac/validation/validation.go

@@ -0,0 +1,157 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validation
+
+import (
+	"k8s.io/kubernetes/pkg/api/validation"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/util/validation/field"
+)
+
+// Minimal validation of names for roles and bindings. Identical to the validation for Openshift. See:
+// * https://github.com/kubernetes/kubernetes/blob/60db50/pkg/api/validation/name.go
+// * https://github.com/openshift/origin/blob/388478/pkg/api/helpers.go
+func minimalNameRequirements(name string, prefix bool) (bool, string) {
+	return validation.IsValidPathSegmentName(name)
+}
+
+func ValidateLocalRole(policy *rbac.Role) field.ErrorList {
+	return ValidateRole(policy, true)
+}
+
+func ValidateLocalRoleUpdate(policy *rbac.Role, oldRole *rbac.Role) field.ErrorList {
+	return ValidateRoleUpdate(policy, oldRole, true)
+}
+
+func ValidateClusterRole(policy *rbac.ClusterRole) field.ErrorList {
+	return ValidateRole(toRole(policy), false)
+}
+
+func ValidateClusterRoleUpdate(policy *rbac.ClusterRole, oldRole *rbac.ClusterRole) field.ErrorList {
+	return ValidateRoleUpdate(toRole(policy), toRole(oldRole), false)
+}
+
+func ValidateRole(role *rbac.Role, isNamespaced bool) field.ErrorList {
+	return validateRole(role, isNamespaced, nil)
+}
+
+func validateRole(role *rbac.Role, isNamespaced bool, fldPath *field.Path) field.ErrorList {
+	return validation.ValidateObjectMeta(&role.ObjectMeta, isNamespaced, minimalNameRequirements, fldPath.Child("metadata"))
+}
+
+func ValidateRoleUpdate(role *rbac.Role, oldRole *rbac.Role, isNamespaced bool) field.ErrorList {
+	allErrs := ValidateRole(role, isNamespaced)
+	allErrs = append(allErrs, validation.ValidateObjectMetaUpdate(&role.ObjectMeta, &oldRole.ObjectMeta, field.NewPath("metadata"))...)
+
+	return allErrs
+}
+
+func ValidateLocalRoleBinding(policy *rbac.RoleBinding) field.ErrorList {
+	return ValidateRoleBinding(policy, true)
+}
+
+func ValidateLocalRoleBindingUpdate(policy *rbac.RoleBinding, oldRoleBinding *rbac.RoleBinding) field.ErrorList {
+	return ValidateRoleBindingUpdate(policy, oldRoleBinding, true)
+}
+
+func ValidateClusterRoleBinding(policy *rbac.ClusterRoleBinding) field.ErrorList {
+	return ValidateRoleBinding(toRoleBinding(policy), false)
+}
+
+func ValidateClusterRoleBindingUpdate(policy *rbac.ClusterRoleBinding, oldRoleBinding *rbac.ClusterRoleBinding) field.ErrorList {
+	return ValidateRoleBindingUpdate(toRoleBinding(policy), toRoleBinding(oldRoleBinding), false)
+}
+
+func ValidateRoleBinding(roleBinding *rbac.RoleBinding, isNamespaced bool) field.ErrorList {
+	return validateRoleBinding(roleBinding, isNamespaced, nil)
+}
+
+func validateRoleBinding(roleBinding *rbac.RoleBinding, isNamespaced bool, fldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+	allErrs = append(allErrs, validation.ValidateObjectMeta(&roleBinding.ObjectMeta, isNamespaced, minimalNameRequirements, fldPath.Child("metadata"))...)
+
+	// roleRef namespace is empty when referring to global policy.
+	if len(roleBinding.RoleRef.Namespace) > 0 {
+		if ok, reason := validation.ValidateNamespaceName(roleBinding.RoleRef.Namespace, false); !ok {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("roleRef", "namespace"), roleBinding.RoleRef.Namespace, reason))
+		}
+	}
+
+	if len(roleBinding.RoleRef.Name) == 0 {
+		allErrs = append(allErrs, field.Required(fldPath.Child("roleRef", "name"), ""))
+	} else {
+		if valid, err := minimalNameRequirements(roleBinding.RoleRef.Name, false); !valid {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("roleRef", "name"), roleBinding.RoleRef.Name, err))
+		}
+	}
+
+	subjectsPath := field.NewPath("subjects")
+	for i, subject := range roleBinding.Subjects {
+		allErrs = append(allErrs, validateRoleBindingSubject(subject, isNamespaced, subjectsPath.Index(i))...)
+	}
+
+	return allErrs
+}
+
+func validateRoleBindingSubject(subject rbac.Subject, isNamespaced bool, fldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	if len(subject.Name) == 0 {
+		allErrs = append(allErrs, field.Required(fldPath.Child("name"), ""))
+	}
+	if len(subject.APIVersion) != 0 {
+		allErrs = append(allErrs, field.Forbidden(fldPath.Child("apiVersion"), subject.APIVersion))
+	}
+
+	switch subject.Kind {
+	case rbac.ServiceAccountKind:
+		if valid, reason := validation.ValidateServiceAccountName(subject.Name, false); len(subject.Name) > 0 && !valid {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), subject.Name, reason))
+		}
+		if !isNamespaced && len(subject.Namespace) == 0 {
+			allErrs = append(allErrs, field.Required(fldPath.Child("namespace"), ""))
+		}
+
+	case rbac.UserKind:
+		// TODO(ericchiang): What other restrictions on user name are there?
+		if len(subject.Name) == 0 {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), subject.Name, "user name cannot be empty"))
+		}
+
+	case rbac.GroupKind:
+		// TODO(ericchiang): What other restrictions on group name are there?
+		if len(subject.Name) == 0 {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), subject.Name, "group name cannot be empty"))
+		}
+
+	default:
+		allErrs = append(allErrs, field.NotSupported(fldPath.Child("kind"), subject.Kind, []string{rbac.ServiceAccountKind, rbac.UserKind, rbac.GroupKind}))
+	}
+
+	return allErrs
+}
+
+func ValidateRoleBindingUpdate(roleBinding *rbac.RoleBinding, oldRoleBinding *rbac.RoleBinding, isNamespaced bool) field.ErrorList {
+	allErrs := ValidateRoleBinding(roleBinding, isNamespaced)
+	allErrs = append(allErrs, validation.ValidateObjectMetaUpdate(&roleBinding.ObjectMeta, &oldRoleBinding.ObjectMeta, field.NewPath("metadata"))...)
+
+	if oldRoleBinding.RoleRef != roleBinding.RoleRef {
+		allErrs = append(allErrs, field.Invalid(field.NewPath("roleRef"), roleBinding.RoleRef, "cannot change roleRef"))
+	}
+
+	return allErrs
+}

pkg/apis/rbac/validation/validation_test.go

@@ -0,0 +1,230 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validation
+
+import (
+	"testing"
+
+	api "k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/util/validation/field"
+)
+
+func TestValidateRoleBinding(t *testing.T) {
+	errs := ValidateRoleBinding(
+		&rbac.RoleBinding{
+			ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master"},
+			RoleRef:    api.ObjectReference{Namespace: "master", Name: "valid"},
+			Subjects: []rbac.Subject{
+				{Name: "validsaname", Kind: rbac.ServiceAccountKind},
+				{Name: "valid@username", Kind: rbac.UserKind},
+				{Name: "valid@groupname", Kind: rbac.GroupKind},
+			},
+		},
+		true,
+	)
+	if len(errs) != 0 {
+		t.Errorf("expected success: %v", errs)
+	}
+
+	errorCases := map[string]struct {
+		A rbac.RoleBinding
+		T field.ErrorType
+		F string
+	}{
+		"zero-length namespace": {
+			A: rbac.RoleBinding{
+				ObjectMeta: api.ObjectMeta{Name: "default"},
+				RoleRef:    api.ObjectReference{Namespace: "master", Name: "valid"},
+			},
+			T: field.ErrorTypeRequired,
+			F: "metadata.namespace",
+		},
+		"zero-length name": {
+			A: rbac.RoleBinding{
+				ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault},
+				RoleRef:    api.ObjectReference{Namespace: "master", Name: "valid"},
+			},
+			T: field.ErrorTypeRequired,
+			F: "metadata.name",
+		},
+		"invalid ref": {
+			A: rbac.RoleBinding{
+				ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "name"},
+				RoleRef:    api.ObjectReference{Namespace: "-192083", Name: "valid"},
+			},
+			T: field.ErrorTypeInvalid,
+			F: "roleRef.namespace",
+		},
+		"bad role": {
+			A: rbac.RoleBinding{
+				ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "default"},
+				RoleRef:    api.ObjectReference{Namespace: "default"},
+			},
+			T: field.ErrorTypeRequired,
+			F: "roleRef.name",
+		},
+		"bad subject kind": {
+			A: rbac.RoleBinding{
+				ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master"},
+				RoleRef:    api.ObjectReference{Namespace: "master", Name: "valid"},
+				Subjects:   []rbac.Subject{{Name: "subject"}},
+			},
+			T: field.ErrorTypeNotSupported,
+			F: "subjects[0].kind",
+		},
+		"bad subject name": {
+			A: rbac.RoleBinding{
+				ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master"},
+				RoleRef:    api.ObjectReference{Namespace: "master", Name: "valid"},
+				Subjects:   []rbac.Subject{{Name: "subject:bad", Kind: rbac.ServiceAccountKind}},
+			},
+			T: field.ErrorTypeInvalid,
+			F: "subjects[0].name",
+		},
+		"forbidden fields": {
+			A: rbac.RoleBinding{
+				ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master"},
+				RoleRef:    api.ObjectReference{Namespace: "master", Name: "valid"},
+				Subjects:   []rbac.Subject{{Name: "subject", Kind: rbac.ServiceAccountKind, APIVersion: "foo"}},
+			},
+			T: field.ErrorTypeForbidden,
+			F: "subjects[0].apiVersion",
+		},
+		"missing subject name": {
+			A: rbac.RoleBinding{
+				ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master"},
+				RoleRef:    api.ObjectReference{Namespace: "master", Name: "valid"},
+				Subjects:   []rbac.Subject{{Kind: rbac.ServiceAccountKind}},
+			},
+			T: field.ErrorTypeRequired,
+			F: "subjects[0].name",
+		},
+	}
+	for k, v := range errorCases {
+		errs := ValidateRoleBinding(&v.A, true)
+		if len(errs) == 0 {
+			t.Errorf("expected failure %s for %v", k, v.A)
+			continue
+		}
+		for i := range errs {
+			if errs[i].Type != v.T {
+				t.Errorf("%s: expected errors to have type %s: %v", k, v.T, errs[i])
+			}
+			if errs[i].Field != v.F {
+				t.Errorf("%s: expected errors to have field %s: %v", k, v.F, errs[i])
+			}
+		}
+	}
+}
+
+func TestValidateRoleBindingUpdate(t *testing.T) {
+	old := &rbac.RoleBinding{
+		ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master", ResourceVersion: "1"},
+		RoleRef:    api.ObjectReference{Namespace: "master", Name: "valid"},
+	}
+
+	errs := ValidateRoleBindingUpdate(
+		&rbac.RoleBinding{
+			ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master", ResourceVersion: "1"},
+			RoleRef:    api.ObjectReference{Namespace: "master", Name: "valid"},
+		},
+		old,
+		true,
+	)
+	if len(errs) != 0 {
+		t.Errorf("expected success: %v", errs)
+	}
+
+	errorCases := map[string]struct {
+		A rbac.RoleBinding
+		T field.ErrorType
+		F string
+	}{
+		"changedRef": {
+			A: rbac.RoleBinding{
+				ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master", ResourceVersion: "1"},
+				RoleRef:    api.ObjectReference{Namespace: "master", Name: "changed"},
+			},
+			T: field.ErrorTypeInvalid,
+			F: "roleRef",
+		},
+	}
+	for k, v := range errorCases {
+		errs := ValidateRoleBindingUpdate(&v.A, old, true)
+		if len(errs) == 0 {
+			t.Errorf("expected failure %s for %v", k, v.A)
+			continue
+		}
+		for i := range errs {
+			if errs[i].Type != v.T {
+				t.Errorf("%s: expected errors to have type %s: %v", k, v.T, errs[i])
+			}
+			if errs[i].Field != v.F {
+				t.Errorf("%s: expected errors to have field %s: %v", k, v.F, errs[i])
+			}
+		}
+	}
+}
+
+func TestValidateRole(t *testing.T) {
+	errs := ValidateRole(
+		&rbac.Role{
+			ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master"},
+		},
+		true,
+	)
+	if len(errs) != 0 {
+		t.Errorf("expected success: %v", errs)
+	}
+
+	errorCases := map[string]struct {
+		A rbac.Role
+		T field.ErrorType
+		F string
+	}{
+		"zero-length namespace": {
+			A: rbac.Role{
+				ObjectMeta: api.ObjectMeta{Name: "default"},
+			},
+			T: field.ErrorTypeRequired,
+			F: "metadata.namespace",
+		},
+		"zero-length name": {
+			A: rbac.Role{
+				ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault},
+			},
+			T: field.ErrorTypeRequired,
+			F: "metadata.name",
+		},
+	}
+	for k, v := range errorCases {
+		errs := ValidateRole(&v.A, true)
+		if len(errs) == 0 {
+			t.Errorf("expected failure %s for %v", k, v.A)
+			continue
+		}
+		for i := range errs {
+			if errs[i].Type != v.T {
+				t.Errorf("%s: expected errors to have type %s: %v", k, v.T, errs[i])
+			}
+			if errs[i].Field != v.F {
+				t.Errorf("%s: expected errors to have field %s: %v", k, v.F, errs[i])
+			}
+		}
+	}
+}