From c4e63cb77787bba92a9ee911b10af2f9075c6e34 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Wed, 13 Dec 2017 21:56:18 -0500
Subject: [PATCH] gce: split legacy kubelet node role binding and bootstrapper role binding
---
 .../kubelet-binding.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/cluster/addons/rbac/legacy-kubelet-user-disable/kubelet-binding.yaml b/cluster/addons/rbac/legacy-kubelet-user-disable/kubelet-binding.yaml
index 1d1832763b409..4cd7174eafc82 100644
--- a/cluster/addons/rbac/legacy-kubelet-user-disable/kubelet-binding.yaml
+++ b/cluster/addons/rbac/legacy-kubelet-user-disable/kubelet-binding.yaml
@@ -7,6 +7,20 @@ metadata:
 labels:
 kubernetes.io/cluster-service: "true"
 addonmanager.kubernetes.io/mode: EnsureExists
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:node
+subjects: []
+---
+# This is required so that new clusters still have bootstrap permissions
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kubelet-bootstrap
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
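Review bot: The two bindings use different addon-manager modes and nothing in the file explains why. The existing binding keeps `EnsureExists` while gaining `subjects: []`, so the empty subject list only applies where the object is first created; a cluster that already has this binding keeps whatever subjects it currently grants. The new `kubelet-bootstrap` binding is `Reconcile`, so an operator who edits or removes its subject to tighten access will see the addon manager put it back. If both are intended, record that in the file, e.g. `# EnsureExists: new clusters get no subjects; existing clusters keep theirs until an operator clears them` above the first `roleRef:` and `# Reconcile: addon manager restores this binding if it is edited` next to the new comment. The `kubelet-bootstrap` roleRef name and its subjects lie outside the hunk, so the role and identity it actually grants should be confirmed there.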