@@ -9,6 +9,7 @@ const (

 	NodeMetricsResource = "nodes/metrics"

 	NodeStatsResource   = "nodes/stats"

+	NodeSpecResource    = "nodes/spec"

 	NodeLogResource     = "nodes/log"

 	RestrictedEndpointsResource = "endpoints/restricted"

@@ -154,7 +154,7 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {

 					"selfsubjectrulesreviews", "subjectaccessreviews").RuleOrDie(),

 				authorizationapi.NewRule("create").Groups("authentication.k8s.io").Resources("tokenreviews").RuleOrDie(),

 				// Allow read access to node metrics

-				authorizationapi.NewRule("get").Groups(kapiGroup).Resources(authorizationapi.NodeMetricsResource).RuleOrDie(),

+				authorizationapi.NewRule("get").Groups(kapiGroup).Resources(authorizationapi.NodeMetricsResource, authorizationapi.NodeSpecResource).RuleOrDie(),

 				// Allow read access to stats

 				// Node stats requests are submitted as POSTs.  These creates are non-mutating

 				authorizationapi.NewRule("get", "create").Groups(kapiGroup).Resources(authorizationapi.NodeStatsResource).RuleOrDie(),

@@ -547,7 +547,7 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {

 				authorizationapi.NewRule(read...).Groups(kapiGroup).Resources("nodes").RuleOrDie(),

 				// Allow all API calls to the nodes

 				authorizationapi.NewRule("proxy").Groups(kapiGroup).Resources("nodes").RuleOrDie(),

-				authorizationapi.NewRule("*").Groups(kapiGroup).Resources("nodes/proxy", authorizationapi.NodeMetricsResource, authorizationapi.NodeStatsResource, authorizationapi.NodeLogResource).RuleOrDie(),

+				authorizationapi.NewRule("*").Groups(kapiGroup).Resources("nodes/proxy", authorizationapi.NodeMetricsResource, authorizationapi.NodeSpecResource, authorizationapi.NodeStatsResource, authorizationapi.NodeLogResource).RuleOrDie(),

 			},

 		},

 		{

@@ -558,7 +558,7 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {

 				// Allow read-only access to the API objects

 				authorizationapi.NewRule(read...).Groups(kapiGroup).Resources("nodes").RuleOrDie(),

 				// Allow read access to node metrics

-				authorizationapi.NewRule("get").Groups(kapiGroup).Resources(authorizationapi.NodeMetricsResource).RuleOrDie(),

+				authorizationapi.NewRule("get").Groups(kapiGroup).Resources(authorizationapi.NodeMetricsResource, authorizationapi.NodeSpecResource).RuleOrDie(),

 				// Allow read access to stats

 				// Node stats requests are submitted as POSTs.  These creates are non-mutating

 				authorizationapi.NewRule("get", "create").Groups(kapiGroup).Resources(authorizationapi.NodeStatsResource).RuleOrDie(),

@@ -125,6 +125,9 @@ func (n NodeAuthorizerAttributesGetter) GetRequestAttributes(u user.Info, r *htt

 	// Override verb/resource for specific paths

 	// Updates to these rules require updating NodeAdminRole and NodeReaderRole in bootstrap policy

 	switch {

+	case isSubpath(r, "/spec"):

+		attrs.Verb = apiVerb

+		attrs.Resource = authorizationapi.NodeSpecResource

 	case isSubpath(r, "/stats"):

 		attrs.Verb = apiVerb

 		attrs.Resource = authorizationapi.NodeStatsResource

@@ -294,6 +294,7 @@ items:

     attributeRestrictions: null

     resources:

     - nodes/metrics

+    - nodes/spec

     verbs:

     - get

   - apiGroups:

@@ -1801,6 +1802,7 @@ items:

     - nodes/log

     - nodes/metrics

     - nodes/proxy

+    - nodes/spec

     - nodes/stats

     verbs:

     - '*'

@@ -1824,6 +1826,7 @@ items:

     attributeRestrictions: null

     resources:

     - nodes/metrics

+    - nodes/spec

     verbs:

     - get

   - apiGroups: