kubernetes · k8s-github-robot · Feb 14, 2017 · Feb 10, 2017 · Feb 13, 2017
diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json
@@ -42724,7 +42724,7 @@
     ],
     "properties": {
      "apiVersion": {
-      "description": "APIVersion holds the API group and version of the referenced object.",
+      "description": "APIVersion holds the API group and version of the referenced subject. Defaults to \"v1\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io/v1alpha1\" for User and Group subjects.",
       "type": "string"
      },
      "kind": {
@@ -43095,8 +43095,8 @@
      "name"
     ],
     "properties": {
-     "apiVersion": {
-      "description": "APIVersion holds the API group and version of the referenced object.",
+     "apiGroup": {
+      "description": "APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects.",
       "type": "string"
      },
      "kind": {

diff --git a/api/swagger-spec/rbac.authorization.k8s.io_v1alpha1.json b/api/swagger-spec/rbac.authorization.k8s.io_v1alpha1.json
@@ -2924,7 +2924,7 @@
      },
      "apiVersion": {
       "type": "string",
-      "description": "APIVersion holds the API group and version of the referenced object."
+      "description": "APIVersion holds the API group and version of the referenced subject. Defaults to \"v1\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io/v1alpha1\" for User and Group subjects."
      },
      "name": {
       "type": "string",

diff --git a/api/swagger-spec/rbac.authorization.k8s.io_v1beta1.json b/api/swagger-spec/rbac.authorization.k8s.io_v1beta1.json
@@ -2922,9 +2922,9 @@
       "type": "string",
       "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error."
      },
-     "apiVersion": {
+     "apiGroup": {
       "type": "string",
-      "description": "APIVersion holds the API group and version of the referenced object."
+      "description": "APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects."
      },
      "name": {
       "type": "string",

diff --git a/cluster/addons/rbac/apiserver-node-proxy-binding.yaml b/cluster/addons/rbac/apiserver-node-proxy-binding.yaml
@@ -9,6 +9,6 @@ roleRef:
   kind: ClusterRole
   name: node-proxy
 subjects:
-- apiVersion: rbac/v1beta1
+- apiGroup: rbac.authorization.k8s.io
   kind: User
   name: kube-apiserver
diff --git a/docs/api-reference/rbac.authorization.k8s.io/v1alpha1/definitions.html b/docs/api-reference/rbac.authorization.k8s.io/v1alpha1/definitions.html
@@ -802,7 +802,7 @@ <h3 id="_v1alpha1_subject">v1alpha1.Subject</h3>
 </tr>
 <tr>
 <td class="tableblock halign-left valign-top"><p class="tableblock">apiVersion</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">APIVersion holds the API group and version of the referenced object.</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">APIVersion holds the API group and version of the referenced subject. Defaults to "v1" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io/v1alpha1" for User and Group subjects.</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
 <td class="tableblock halign-left valign-top"></td>
@@ -1737,7 +1737,7 @@ <h3 id="_any">any</h3>
 </div>
 <div id="footer">
 <div id="footer-text">
-Last updated 2017-01-25 20:39:16 UTC
+Last updated 2017-02-13 18:31:15 UTC
 </div>
 </div>
 </body>

diff --git a/docs/api-reference/rbac.authorization.k8s.io/v1beta1/definitions.html b/docs/api-reference/rbac.authorization.k8s.io/v1beta1/definitions.html
@@ -1302,8 +1302,8 @@ <h3 id="_v1beta1_subject">v1beta1.Subject</h3>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
-<td class="tableblock halign-left valign-top"><p class="tableblock">apiVersion</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">APIVersion holds the API group and version of the referenced object.</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">apiGroup</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
 <td class="tableblock halign-left valign-top"></td>
@@ -1737,7 +1737,7 @@ <h3 id="_any">any</h3>
 </div>
 <div id="footer">
 <div id="footer-text">
-Last updated 2017-01-25 20:39:12 UTC
+Last updated 2017-02-13 18:31:09 UTC
 </div>
 </div>
 </body>

diff --git a/federation/pkg/kubefed/init/init_test.go b/federation/pkg/kubefed/init/init_test.go
@@ -718,10 +718,10 @@ func fakeInitHostFactory(apiserverServiceType v1.ServiceType, federationName, na
 		},
 		Subjects: []rbacv1beta1.Subject{
 			{
-				Kind:       "ServiceAccount",
-				APIVersion: "",
-				Name:       "federation-controller-manager",
-				Namespace:  "federation-system",
+				Kind:      "ServiceAccount",
+				APIGroup:  "",
+				Name:      "federation-controller-manager",
+				Namespace: "federation-system",
 			},
 		},
 		RoleRef: rbacv1beta1.RoleRef{

diff --git a/pkg/api/testing/fuzzer.go b/pkg/api/testing/fuzzer.go
@@ -590,6 +590,23 @@ func rbacFuncs(t apitesting.TestingCommon) []interface{} {
 				r.APIGroup = rbac.GroupName
 			}
 		},
+		func(r *rbac.Subject, c fuzz.Continue) {
+			switch c.Int31n(3) {
+			case 0:
+				r.Kind = rbac.ServiceAccountKind
+				r.APIGroup = ""
+				c.FuzzNoCustom(&r.Name)
+				c.FuzzNoCustom(&r.Namespace)
+			case 1:
+				r.Kind = rbac.UserKind
+				r.APIGroup = rbac.GroupName
+				c.FuzzNoCustom(&r.Name)
+			case 2:
+				r.Kind = rbac.GroupKind
+				r.APIGroup = rbac.GroupName
+				c.FuzzNoCustom(&r.Name)
+			}
+		},
 	}
 }
 

diff --git a/pkg/apis/rbac/helpers.go b/pkg/apis/rbac/helpers.go
@@ -220,14 +220,14 @@ func NewClusterBinding(clusterRoleName string) *ClusterRoleBindingBuilder {
 
 func (r *ClusterRoleBindingBuilder) Groups(groups ...string) *ClusterRoleBindingBuilder {
 	for _, group := range groups {
-		r.ClusterRoleBinding.Subjects = append(r.ClusterRoleBinding.Subjects, Subject{Kind: GroupKind, Name: group})
+		r.ClusterRoleBinding.Subjects = append(r.ClusterRoleBinding.Subjects, Subject{Kind: GroupKind, APIGroup: GroupName, Name: group})
 	}
 	return r
 }
 
 func (r *ClusterRoleBindingBuilder) Users(users ...string) *ClusterRoleBindingBuilder {
 	for _, user := range users {
-		r.ClusterRoleBinding.Subjects = append(r.ClusterRoleBinding.Subjects, Subject{Kind: UserKind, Name: user})
+		r.ClusterRoleBinding.Subjects = append(r.ClusterRoleBinding.Subjects, Subject{Kind: UserKind, APIGroup: GroupName, Name: user})
 	}
 	return r
 }

diff --git a/pkg/apis/rbac/types.go b/pkg/apis/rbac/types.go
@@ -63,9 +63,10 @@ type Subject struct {
 	// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
 	// If the Authorizer does not recognized the kind value, the Authorizer should report an error.
 	Kind string
-	// APIVersion holds the API group and version of the referenced object. For non-object references such as "Group" and "User" this is
-	// expected to be API version of this API group. For example, "rbac/v1alpha1".
-	APIVersion string
+	// APIGroup holds the API group of the referenced subject.
+	// Defaults to "" for ServiceAccount subjects.
+	// Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
+	APIGroup string
 	// Name of the object being referenced.
 	Name string
 	// Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty

diff --git a/pkg/apis/rbac/v1alpha1/conversion.go b/pkg/apis/rbac/v1alpha1/conversion.go
@@ -18,6 +18,7 @@ package v1alpha1
 
 import (
 	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	api "k8s.io/kubernetes/pkg/apis/rbac"
 )
 
@@ -30,13 +31,51 @@ func Convert_v1alpha1_Subject_To_rbac_Subject(in *Subject, out *api.Subject, s c
 		return err
 	}
 
+	// specifically set the APIGroup for the three subjects recognized in v1alpha1
+	switch {
+	case in.Kind == ServiceAccountKind:
+		out.APIGroup = ""
+	case in.Kind == UserKind:
+		out.APIGroup = GroupName
+	case in.Kind == GroupKind:
+		out.APIGroup = GroupName
+	default:
+		// For unrecognized kinds, use the group portion of the APIVersion if we can get it
+		if gv, err := schema.ParseGroupVersion(in.APIVersion); err == nil {
+			out.APIGroup = gv.Group
+		}
+	}
+
 	// User * in v1alpha1 will only match all authenticated users
 	// This is only for compatibility with old RBAC bindings
 	// Special treatment for * should not be included in v1beta1
-	if out.Kind == UserKind && out.Name == "*" {
+	if out.Kind == UserKind && out.APIGroup == GroupName && out.Name == "*" {
 		out.Kind = GroupKind
 		out.Name = allAuthenticated
 	}
 
 	return nil
 }
+
+func Convert_rbac_Subject_To_v1alpha1_Subject(in *api.Subject, out *Subject, s conversion.Scope) error {
+	if err := autoConvert_rbac_Subject_To_v1alpha1_Subject(in, out, s); err != nil {
+		return err
+	}
+
+	switch {
+	case in.Kind == ServiceAccountKind && in.APIGroup == "":
+		// Make service accounts v1
+		out.APIVersion = "v1"
+	case in.Kind == UserKind && in.APIGroup == GroupName:
+		// users in the rbac API group get v1alpha
+		out.APIVersion = SchemeGroupVersion.String()
+	case in.Kind == GroupKind && in.APIGroup == GroupName:
+		// groups in the rbac API group get v1alpha
+		out.APIVersion = SchemeGroupVersion.String()
+	default:
+		// otherwise, they get an unspecified version of a group
+		out.APIVersion = schema.GroupVersion{Group: in.APIGroup}.String()
+	}
+
+	return nil
+}
diff --git a/pkg/apis/rbac/v1alpha1/conversion_test.go b/pkg/apis/rbac/v1alpha1/conversion_test.go
@@ -34,21 +34,63 @@ func TestConversion(t *testing.T) {
 		"specific user": {
 			old: &v1alpha1.RoleBinding{
 				RoleRef:  v1alpha1.RoleRef{Name: "foo", APIGroup: v1alpha1.GroupName},
-				Subjects: []v1alpha1.Subject{{Kind: "User", Name: "bob"}},
+				Subjects: []v1alpha1.Subject{{Kind: "User", APIVersion: v1alpha1.SchemeGroupVersion.String(), Name: "bob"}},
 			},
 			expected: &rbacapi.RoleBinding{
 				RoleRef:  rbacapi.RoleRef{Name: "foo", APIGroup: v1alpha1.GroupName},
-				Subjects: []rbacapi.Subject{{Kind: "User", Name: "bob"}},
+				Subjects: []rbacapi.Subject{{Kind: "User", APIGroup: v1alpha1.GroupName, Name: "bob"}},
 			},
 		},
 		"wildcard user matches authenticated": {
 			old: &v1alpha1.RoleBinding{
 				RoleRef:  v1alpha1.RoleRef{Name: "foo", APIGroup: v1alpha1.GroupName},
-				Subjects: []v1alpha1.Subject{{Kind: "User", Name: "*"}},
+				Subjects: []v1alpha1.Subject{{Kind: "User", APIVersion: v1alpha1.SchemeGroupVersion.String(), Name: "*"}},
 			},
 			expected: &rbacapi.RoleBinding{
 				RoleRef:  rbacapi.RoleRef{Name: "foo", APIGroup: v1alpha1.GroupName},
-				Subjects: []rbacapi.Subject{{Kind: "Group", Name: "system:authenticated"}},
+				Subjects: []rbacapi.Subject{{Kind: "Group", APIGroup: v1alpha1.GroupName, Name: "system:authenticated"}},
+			},
+		},
+		"missing api group gets defaulted": {
+			old: &v1alpha1.RoleBinding{
+				RoleRef: v1alpha1.RoleRef{Name: "foo", APIGroup: v1alpha1.GroupName},
+				Subjects: []v1alpha1.Subject{
+					{Kind: "User", Name: "myuser"},
+					{Kind: "Group", Name: "mygroup"},
+					{Kind: "ServiceAccount", Name: "mysa", Namespace: "myns"},
+				},
+			},
+			expected: &rbacapi.RoleBinding{
+				RoleRef: rbacapi.RoleRef{Name: "foo", APIGroup: v1alpha1.GroupName},
+				Subjects: []rbacapi.Subject{
+					{Kind: "User", APIGroup: v1alpha1.GroupName, Name: "myuser"},
+					{Kind: "Group", APIGroup: v1alpha1.GroupName, Name: "mygroup"},
+					{Kind: "ServiceAccount", APIGroup: "", Name: "mysa", Namespace: "myns"},
+				},
+			},
+		},
+		"bad api group gets defaulted": {
+			old: &v1alpha1.RoleBinding{
+				RoleRef: v1alpha1.RoleRef{Name: "foo", APIGroup: v1alpha1.GroupName},
+				Subjects: []v1alpha1.Subject{
+					{Kind: "User", APIVersion: "rbac", Name: "myuser"},
+					{Kind: "Group", APIVersion: "rbac", Name: "mygroup"},
+					{Kind: "ServiceAccount", APIVersion: "rbac", Name: "mysa", Namespace: "myns"},
+					{Kind: "User", APIVersion: "rbac/v8", Name: "myuser"},
+					{Kind: "Group", APIVersion: "rbac/v8", Name: "mygroup"},
+					{Kind: "ServiceAccount", APIVersion: "rbac/v8", Name: "mysa", Namespace: "myns"},
+				},
+			},
+			expected: &rbacapi.RoleBinding{
+				RoleRef: rbacapi.RoleRef{Name: "foo", APIGroup: v1alpha1.GroupName},
+				Subjects: []rbacapi.Subject{
+					{Kind: "User", APIGroup: v1alpha1.GroupName, Name: "myuser"},
+					{Kind: "Group", APIGroup: v1alpha1.GroupName, Name: "mygroup"},
+					{Kind: "ServiceAccount", APIGroup: "", Name: "mysa", Namespace: "myns"},
+					{Kind: "User", APIGroup: v1alpha1.GroupName, Name: "myuser"},
+					{Kind: "Group", APIGroup: v1alpha1.GroupName, Name: "mygroup"},
+					{Kind: "ServiceAccount", APIGroup: "", Name: "mysa", Namespace: "myns"},
+				},
 			},
 		},
 	}

diff --git a/pkg/apis/rbac/v1alpha1/defaults.go b/pkg/apis/rbac/v1alpha1/defaults.go
@@ -25,6 +25,7 @@ func addDefaultingFuncs(scheme *runtime.Scheme) error {
 	return scheme.AddDefaultingFuncs(
 		SetDefaults_ClusterRoleBinding,
 		SetDefaults_RoleBinding,
+		SetDefaults_Subject,
 	)
 }
 
@@ -38,3 +39,15 @@ func SetDefaults_RoleBinding(obj *RoleBinding) {
 		obj.RoleRef.APIGroup = GroupName
 	}
 }
+func SetDefaults_Subject(obj *Subject) {
+	if len(obj.APIVersion) == 0 {
+		switch obj.Kind {
+		case ServiceAccountKind:
+			obj.APIVersion = "v1"
+		case UserKind:
+			obj.APIVersion = SchemeGroupVersion.String()
+		case GroupKind:
+			obj.APIVersion = SchemeGroupVersion.String()
+		}
+	}
+}
diff --git a/pkg/apis/rbac/v1alpha1/generated.proto b/pkg/apis/rbac/v1alpha1/generated.proto
diff --git a/pkg/apis/rbac/v1alpha1/types.go b/pkg/apis/rbac/v1alpha1/types.go
@@ -72,7 +72,10 @@ type Subject struct {
 	// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
 	// If the Authorizer does not recognized the kind value, the Authorizer should report an error.
 	Kind string `json:"kind" protobuf:"bytes,1,opt,name=kind"`
-	// APIVersion holds the API group and version of the referenced object.
+	// APIVersion holds the API group and version of the referenced subject.
+	// Defaults to "v1" for ServiceAccount subjects.
+	// Defaults to "rbac.authorization.k8s.io/v1alpha1" for User and Group subjects.
+	// +k8s:conversion-gen=false
 	// +optional
 	APIVersion string `json:"apiVersion,omitempty" protobuf:"bytes,2,opt.name=apiVersion"`
 	// Name of the object being referenced.

diff --git a/pkg/apis/rbac/v1alpha1/types_swagger_doc_generated.go b/pkg/apis/rbac/v1alpha1/types_swagger_doc_generated.go
@@ -136,7 +136,7 @@ func (RoleRef) SwaggerDoc() map[string]string {
 var map_Subject = map[string]string{
 	"":           "Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference, or a value for non-objects such as user and group names.",
 	"kind":       "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.",
-	"apiVersion": "APIVersion holds the API group and version of the referenced object.",
+	"apiVersion": "APIVersion holds the API group and version of the referenced subject. Defaults to \"v1\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io/v1alpha1\" for User and Group subjects.",
 	"name":       "Name of the object being referenced.",
 	"namespace":  "Namespace of the referenced object.  If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.",
 }

diff --git a/pkg/apis/rbac/v1alpha1/zz_generated.conversion.go b/pkg/apis/rbac/v1alpha1/zz_generated.conversion.go
@@ -410,20 +410,16 @@ func Convert_rbac_RoleRef_To_v1alpha1_RoleRef(in *rbac.RoleRef, out *RoleRef, s
 
 func autoConvert_v1alpha1_Subject_To_rbac_Subject(in *Subject, out *rbac.Subject, s conversion.Scope) error {
 	out.Kind = in.Kind
-	out.APIVersion = in.APIVersion
+	// INFO: in.APIVersion opted out of conversion generation
 	out.Name = in.Name
 	out.Namespace = in.Namespace
 	return nil
 }
 
 func autoConvert_rbac_Subject_To_v1alpha1_Subject(in *rbac.Subject, out *Subject, s conversion.Scope) error {
 	out.Kind = in.Kind
-	out.APIVersion = in.APIVersion
+	// WARNING: in.APIGroup requires manual conversion: does not exist in peer-type
 	out.Name = in.Name
 	out.Namespace = in.Namespace
 	return nil
 }
-
-func Convert_rbac_Subject_To_v1alpha1_Subject(in *rbac.Subject, out *Subject, s conversion.Scope) error {
-	return autoConvert_rbac_Subject_To_v1alpha1_Subject(in, out, s)
-}
diff --git a/pkg/apis/rbac/v1alpha1/zz_generated.defaults.go b/pkg/apis/rbac/v1alpha1/zz_generated.defaults.go
@@ -37,6 +37,10 @@ func RegisterDefaults(scheme *runtime.Scheme) error {
 
 func SetObjectDefaults_ClusterRoleBinding(in *ClusterRoleBinding) {
 	SetDefaults_ClusterRoleBinding(in)
+	for i := range in.Subjects {
+		a := &in.Subjects[i]
+		SetDefaults_Subject(a)
+	}
 }
 
 func SetObjectDefaults_ClusterRoleBindingList(in *ClusterRoleBindingList) {
@@ -48,6 +52,10 @@ func SetObjectDefaults_ClusterRoleBindingList(in *ClusterRoleBindingList) {
 
 func SetObjectDefaults_RoleBinding(in *RoleBinding) {
 	SetDefaults_RoleBinding(in)
+	for i := range in.Subjects {
+		a := &in.Subjects[i]
+		SetDefaults_Subject(a)
+	}
 }
 
 func SetObjectDefaults_RoleBindingList(in *RoleBindingList) {