@@ -96,26 +96,34 @@ message ClusterRole {

 }

 // ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference any ClusterRole in the same namespace or in the global namespace.

-// It adds who information via Users and Groups and namespace information by which namespace it exists in.  ClusterRoleBindings in a given

-// namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).

+// It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in.

+// ClusterRoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).

 message ClusterRoleBinding {

   // Standard object's metadata.

   optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;

-  // UserNames holds all the usernames directly bound to the role

+  // UserNames holds all the usernames directly bound to the role.

+  // This field should only be specified when supporting legacy clients and servers.

+  // See Subjects for further details.

   // +k8s:conversion-gen=false

   optional OptionalNames userNames = 2;

-  // GroupNames holds all the groups directly bound to the role

+  // GroupNames holds all the groups directly bound to the role.

+  // This field should only be specified when supporting legacy clients and servers.

+  // See Subjects for further details.

   // +k8s:conversion-gen=false

   optional OptionalNames groupNames = 3;

-  // Subjects hold object references to authorize with this rule

+  // Subjects hold object references to authorize with this rule.

+  // This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers.

+  // Thus newer clients that do not need to support backwards compatibility should send

+  // only fully qualified Subjects and should omit the UserNames and GroupNames fields.

+  // Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames.

   repeated k8s.io.kubernetes.pkg.api.v1.ObjectReference subjects = 4;

-  // RoleRef can only reference the current namespace and the global namespace

+  // RoleRef can only reference the current namespace and the global namespace.

   // If the ClusterRoleRef cannot be resolved, the Authorizer must return an error.

-  // Since Policy is a singleton, this is sufficient knowledge to locate a role

+  // Since Policy is a singleton, this is sufficient knowledge to locate a role.

   optional k8s.io.kubernetes.pkg.api.v1.ObjectReference roleRef = 5;

 }

@@ -328,26 +336,34 @@ message Role {

 }

 // RoleBinding references a Role, but not contain it.  It can reference any Role in the same namespace or in the global namespace.

-// It adds who information via Users and Groups and namespace information by which namespace it exists in.  RoleBindings in a given

-// namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).

+// It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in.

+// RoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).

 message RoleBinding {

   // Standard object's metadata.

   optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;

-  // UserNames holds all the usernames directly bound to the role

+  // UserNames holds all the usernames directly bound to the role.

+  // This field should only be specified when supporting legacy clients and servers.

+  // See Subjects for further details.

   // +k8s:conversion-gen=false

   optional OptionalNames userNames = 2;

-  // GroupNames holds all the groups directly bound to the role

+  // GroupNames holds all the groups directly bound to the role.

+  // This field should only be specified when supporting legacy clients and servers.

+  // See Subjects for further details.

   // +k8s:conversion-gen=false

   optional OptionalNames groupNames = 3;

-  // Subjects hold object references to authorize with this rule

+  // Subjects hold object references to authorize with this rule.

+  // This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers.

+  // Thus newer clients that do not need to support backwards compatibility should send

+  // only fully qualified Subjects and should omit the UserNames and GroupNames fields.

+  // Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames.

   repeated k8s.io.kubernetes.pkg.api.v1.ObjectReference subjects = 4;

-  // RoleRef can only reference the current namespace and the global namespace

+  // RoleRef can only reference the current namespace and the global namespace.

   // If the RoleRef cannot be resolved, the Authorizer must return an error.

-  // Since Policy is a singleton, this is sufficient knowledge to locate a role

+  // Since Policy is a singleton, this is sufficient knowledge to locate a role.

   optional k8s.io.kubernetes.pkg.api.v1.ObjectReference roleRef = 5;

 }

@@ -22891,7 +22891,7 @@

    },

    "v1.ClusterRoleBinding": {

     "id": "v1.ClusterRoleBinding",

-    "description": "ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference any ClusterRole in the same namespace or in the global namespace. It adds who information via Users and Groups and namespace information by which namespace it exists in.  ClusterRoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).",

+    "description": "ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference any ClusterRole in the same namespace or in the global namespace. It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in. ClusterRoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).",

     "required": [

      "userNames",

      "groupNames",

@@ -22916,25 +22916,25 @@

       "items": {

        "type": "string"

       },

-      "description": "UserNames holds all the usernames directly bound to the role"

+      "description": "UserNames holds all the usernames directly bound to the role. This field should only be specified when supporting legacy clients and servers. See Subjects for further details."

      },

      "groupNames": {

       "type": "array",

       "items": {

        "type": "string"

       },

-      "description": "GroupNames holds all the groups directly bound to the role"

+      "description": "GroupNames holds all the groups directly bound to the role. This field should only be specified when supporting legacy clients and servers. See Subjects for further details."

      },

      "subjects": {

       "type": "array",

       "items": {

        "$ref": "v1.ObjectReference"

       },

-      "description": "Subjects hold object references to authorize with this rule"

+      "description": "Subjects hold object references to authorize with this rule. This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers. Thus newer clients that do not need to support backwards compatibility should send only fully qualified Subjects and should omit the UserNames and GroupNames fields. Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames."

      },

      "roleRef": {

       "$ref": "v1.ObjectReference",

-      "description": "RoleRef can only reference the current namespace and the global namespace If the ClusterRoleRef cannot be resolved, the Authorizer must return an error. Since Policy is a singleton, this is sufficient knowledge to locate a role"

+      "description": "RoleRef can only reference the current namespace and the global namespace. If the ClusterRoleRef cannot be resolved, the Authorizer must return an error. Since Policy is a singleton, this is sufficient knowledge to locate a role."

      }

     }

    },

@@ -26982,7 +26982,7 @@

    },

    "v1.RoleBinding": {

     "id": "v1.RoleBinding",

-    "description": "RoleBinding references a Role, but not contain it.  It can reference any Role in the same namespace or in the global namespace. It adds who information via Users and Groups and namespace information by which namespace it exists in.  RoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).",

+    "description": "RoleBinding references a Role, but not contain it.  It can reference any Role in the same namespace or in the global namespace. It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).",

     "required": [

      "userNames",

      "groupNames",

@@ -27007,25 +27007,25 @@

       "items": {

        "type": "string"

       },

-      "description": "UserNames holds all the usernames directly bound to the role"

+      "description": "UserNames holds all the usernames directly bound to the role. This field should only be specified when supporting legacy clients and servers. See Subjects for further details."

      },

      "groupNames": {

       "type": "array",

       "items": {

        "type": "string"

       },

-      "description": "GroupNames holds all the groups directly bound to the role"

+      "description": "GroupNames holds all the groups directly bound to the role. This field should only be specified when supporting legacy clients and servers. See Subjects for further details."

      },

      "subjects": {

       "type": "array",

       "items": {

        "$ref": "v1.ObjectReference"

       },

-      "description": "Subjects hold object references to authorize with this rule"

+      "description": "Subjects hold object references to authorize with this rule. This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers. Thus newer clients that do not need to support backwards compatibility should send only fully qualified Subjects and should omit the UserNames and GroupNames fields. Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames."

      },

      "roleRef": {

       "$ref": "v1.ObjectReference",

-      "description": "RoleRef can only reference the current namespace and the global namespace If the RoleRef cannot be resolved, the Authorizer must return an error. Since Policy is a singleton, this is sufficient knowledge to locate a role"

+      "description": "RoleRef can only reference the current namespace and the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. Since Policy is a singleton, this is sufficient knowledge to locate a role."

      }

     }

    },

@@ -45447,7 +45447,7 @@

     }

    },

    "v1.ClusterRoleBinding": {

-    "description": "ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference any ClusterRole in the same namespace or in the global namespace. It adds who information via Users and Groups and namespace information by which namespace it exists in.  ClusterRoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).",

+    "description": "ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference any ClusterRole in the same namespace or in the global namespace. It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in. ClusterRoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).",

     "required": [

      "userNames",

      "groupNames",

@@ -45460,7 +45460,7 @@

       "type": "string"

      },

      "groupNames": {

-      "description": "GroupNames holds all the groups directly bound to the role",

+      "description": "GroupNames holds all the groups directly bound to the role. This field should only be specified when supporting legacy clients and servers. See Subjects for further details.",

       "type": "array",

       "items": {

        "type": "string"

@@ -45477,14 +45477,14 @@

       "$ref": "#/definitions/v1.ObjectReference"

      },

      "subjects": {

-      "description": "Subjects hold object references to authorize with this rule",

+      "description": "Subjects hold object references to authorize with this rule. This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers. Thus newer clients that do not need to support backwards compatibility should send only fully qualified Subjects and should omit the UserNames and GroupNames fields. Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames.",

       "type": "array",

       "items": {

        "$ref": "#/definitions/v1.ObjectReference"

       }

      },

      "userNames": {

-      "description": "UserNames holds all the usernames directly bound to the role",

+      "description": "UserNames holds all the usernames directly bound to the role. This field should only be specified when supporting legacy clients and servers. See Subjects for further details.",

       "type": "array",

       "items": {

        "type": "string"

@@ -51067,7 +51067,7 @@

     }

    },

    "v1.RoleBinding": {

-    "description": "RoleBinding references a Role, but not contain it.  It can reference any Role in the same namespace or in the global namespace. It adds who information via Users and Groups and namespace information by which namespace it exists in.  RoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).",

+    "description": "RoleBinding references a Role, but not contain it.  It can reference any Role in the same namespace or in the global namespace. It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).",

     "required": [

      "userNames",

      "groupNames",

@@ -51080,7 +51080,7 @@

       "type": "string"

      },

      "groupNames": {

-      "description": "GroupNames holds all the groups directly bound to the role",

+      "description": "GroupNames holds all the groups directly bound to the role. This field should only be specified when supporting legacy clients and servers. See Subjects for further details.",

       "type": "array",

       "items": {

        "type": "string"

@@ -51097,14 +51097,14 @@

       "$ref": "#/definitions/v1.ObjectReference"

      },

      "subjects": {

-      "description": "Subjects hold object references to authorize with this rule",

+      "description": "Subjects hold object references to authorize with this rule. This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers. Thus newer clients that do not need to support backwards compatibility should send only fully qualified Subjects and should omit the UserNames and GroupNames fields. Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames.",

       "type": "array",

       "items": {

        "$ref": "#/definitions/v1.ObjectReference"

       }

      },

      "userNames": {

-      "description": "UserNames holds all the usernames directly bound to the role",

+      "description": "UserNames holds all the usernames directly bound to the role. This field should only be specified when supporting legacy clients and servers. See Subjects for further details.",

       "type": "array",

       "items": {

        "type": "string"

@@ -96,26 +96,34 @@ message ClusterRole {

 }

 // ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference any ClusterRole in the same namespace or in the global namespace.

-// It adds who information via Users and Groups and namespace information by which namespace it exists in.  ClusterRoleBindings in a given

-// namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).

+// It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in.

+// ClusterRoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).

 message ClusterRoleBinding {

   // Standard object's metadata.

   optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;

-  // UserNames holds all the usernames directly bound to the role

+  // UserNames holds all the usernames directly bound to the role.

+  // This field should only be specified when supporting legacy clients and servers.

+  // See Subjects for further details.

   // +k8s:conversion-gen=false

   optional OptionalNames userNames = 2;

-  // GroupNames holds all the groups directly bound to the role

+  // GroupNames holds all the groups directly bound to the role.

+  // This field should only be specified when supporting legacy clients and servers.

+  // See Subjects for further details.

   // +k8s:conversion-gen=false

   optional OptionalNames groupNames = 3;

-  // Subjects hold object references to authorize with this rule

+  // Subjects hold object references to authorize with this rule.

+  // This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers.

+  // Thus newer clients that do not need to support backwards compatibility should send

+  // only fully qualified Subjects and should omit the UserNames and GroupNames fields.

+  // Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames.

   repeated k8s.io.kubernetes.pkg.api.v1.ObjectReference subjects = 4;

-  // RoleRef can only reference the current namespace and the global namespace

+  // RoleRef can only reference the current namespace and the global namespace.

   // If the ClusterRoleRef cannot be resolved, the Authorizer must return an error.

-  // Since Policy is a singleton, this is sufficient knowledge to locate a role

+  // Since Policy is a singleton, this is sufficient knowledge to locate a role.

   optional k8s.io.kubernetes.pkg.api.v1.ObjectReference roleRef = 5;

 }

@@ -328,26 +336,34 @@ message Role {

 }

 // RoleBinding references a Role, but not contain it.  It can reference any Role in the same namespace or in the global namespace.

-// It adds who information via Users and Groups and namespace information by which namespace it exists in.  RoleBindings in a given

-// namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).

+// It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in.

+// RoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).

 message RoleBinding {

   // Standard object's metadata.

   optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;

-  // UserNames holds all the usernames directly bound to the role

+  // UserNames holds all the usernames directly bound to the role.

+  // This field should only be specified when supporting legacy clients and servers.

+  // See Subjects for further details.

   // +k8s:conversion-gen=false

   optional OptionalNames userNames = 2;

-  // GroupNames holds all the groups directly bound to the role

+  // GroupNames holds all the groups directly bound to the role.

+  // This field should only be specified when supporting legacy clients and servers.

+  // See Subjects for further details.

   // +k8s:conversion-gen=false

   optional OptionalNames groupNames = 3;

-  // Subjects hold object references to authorize with this rule

+  // Subjects hold object references to authorize with this rule.

+  // This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers.

+  // Thus newer clients that do not need to support backwards compatibility should send

+  // only fully qualified Subjects and should omit the UserNames and GroupNames fields.

+  // Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames.

   repeated k8s.io.kubernetes.pkg.api.v1.ObjectReference subjects = 4;

-  // RoleRef can only reference the current namespace and the global namespace

+  // RoleRef can only reference the current namespace and the global namespace.

   // If the RoleRef cannot be resolved, the Authorizer must return an error.

-  // Since Policy is a singleton, this is sufficient knowledge to locate a role

+  // Since Policy is a singleton, this is sufficient knowledge to locate a role.

   optional k8s.io.kubernetes.pkg.api.v1.ObjectReference roleRef = 5;

 }

@@ -74,12 +74,12 @@ func (ClusterRole) SwaggerDoc() map[string]string {

 }

 var map_ClusterRoleBinding = map[string]string{

-	"":           "ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference any ClusterRole in the same namespace or in the global namespace. It adds who information via Users and Groups and namespace information by which namespace it exists in.  ClusterRoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).",

+	"":           "ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference any ClusterRole in the same namespace or in the global namespace. It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in. ClusterRoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).",

 	"metadata":   "Standard object's metadata.",

-	"userNames":  "UserNames holds all the usernames directly bound to the role",

-	"groupNames": "GroupNames holds all the groups directly bound to the role",

-	"subjects":   "Subjects hold object references to authorize with this rule",

-	"roleRef":    "RoleRef can only reference the current namespace and the global namespace If the ClusterRoleRef cannot be resolved, the Authorizer must return an error. Since Policy is a singleton, this is sufficient knowledge to locate a role",

+	"userNames":  "UserNames holds all the usernames directly bound to the role. This field should only be specified when supporting legacy clients and servers. See Subjects for further details.",

+	"groupNames": "GroupNames holds all the groups directly bound to the role. This field should only be specified when supporting legacy clients and servers. See Subjects for further details.",

+	"subjects":   "Subjects hold object references to authorize with this rule. This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers. Thus newer clients that do not need to support backwards compatibility should send only fully qualified Subjects and should omit the UserNames and GroupNames fields. Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames.",

+	"roleRef":    "RoleRef can only reference the current namespace and the global namespace. If the ClusterRoleRef cannot be resolved, the Authorizer must return an error. Since Policy is a singleton, this is sufficient knowledge to locate a role.",

 }

 func (ClusterRoleBinding) SwaggerDoc() map[string]string {

@@ -261,12 +261,12 @@ func (Role) SwaggerDoc() map[string]string {

 }

 var map_RoleBinding = map[string]string{

-	"":           "RoleBinding references a Role, but not contain it.  It can reference any Role in the same namespace or in the global namespace. It adds who information via Users and Groups and namespace information by which namespace it exists in.  RoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).",

+	"":           "RoleBinding references a Role, but not contain it.  It can reference any Role in the same namespace or in the global namespace. It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).",

 	"metadata":   "Standard object's metadata.",

-	"userNames":  "UserNames holds all the usernames directly bound to the role",

-	"groupNames": "GroupNames holds all the groups directly bound to the role",

-	"subjects":   "Subjects hold object references to authorize with this rule",

-	"roleRef":    "RoleRef can only reference the current namespace and the global namespace If the RoleRef cannot be resolved, the Authorizer must return an error. Since Policy is a singleton, this is sufficient knowledge to locate a role",

+	"userNames":  "UserNames holds all the usernames directly bound to the role. This field should only be specified when supporting legacy clients and servers. See Subjects for further details.",

+	"groupNames": "GroupNames holds all the groups directly bound to the role. This field should only be specified when supporting legacy clients and servers. See Subjects for further details.",

+	"subjects":   "Subjects hold object references to authorize with this rule. This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers. Thus newer clients that do not need to support backwards compatibility should send only fully qualified Subjects and should omit the UserNames and GroupNames fields. Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames.",

+	"roleRef":    "RoleRef can only reference the current namespace and the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. Since Policy is a singleton, this is sufficient knowledge to locate a role.",

 }

 func (RoleBinding) SwaggerDoc() map[string]string {

@@ -61,25 +61,33 @@ func (t OptionalNames) String() string {

 }

 // RoleBinding references a Role, but not contain it.  It can reference any Role in the same namespace or in the global namespace.

-// It adds who information via Users and Groups and namespace information by which namespace it exists in.  RoleBindings in a given

-// namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).

+// It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in.

+// RoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).

 type RoleBinding struct {

 	unversioned.TypeMeta `json:",inline"`

 	// Standard object's metadata.

 	kapi.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

-	// UserNames holds all the usernames directly bound to the role

+	// UserNames holds all the usernames directly bound to the role.

+	// This field should only be specified when supporting legacy clients and servers.

+	// See Subjects for further details.

 	// +k8s:conversion-gen=false

 	UserNames OptionalNames `json:"userNames" protobuf:"bytes,2,rep,name=userNames"`

-	// GroupNames holds all the groups directly bound to the role

+	// GroupNames holds all the groups directly bound to the role.

+	// This field should only be specified when supporting legacy clients and servers.

+	// See Subjects for further details.

 	// +k8s:conversion-gen=false

 	GroupNames OptionalNames `json:"groupNames" protobuf:"bytes,3,rep,name=groupNames"`

-	// Subjects hold object references to authorize with this rule

+	// Subjects hold object references to authorize with this rule.

+	// This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers.

+	// Thus newer clients that do not need to support backwards compatibility should send

+	// only fully qualified Subjects and should omit the UserNames and GroupNames fields.

+	// Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames.

 	Subjects []kapi.ObjectReference `json:"subjects" protobuf:"bytes,4,rep,name=subjects"`

-	// RoleRef can only reference the current namespace and the global namespace

+	// RoleRef can only reference the current namespace and the global namespace.

 	// If the RoleRef cannot be resolved, the Authorizer must return an error.

-	// Since Policy is a singleton, this is sufficient knowledge to locate a role

+	// Since Policy is a singleton, this is sufficient knowledge to locate a role.

 	RoleRef kapi.ObjectReference `json:"roleRef" protobuf:"bytes,5,opt,name=roleRef"`

 }

@@ -349,25 +357,33 @@ type ClusterRole struct {

 }

 // ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference any ClusterRole in the same namespace or in the global namespace.

-// It adds who information via Users and Groups and namespace information by which namespace it exists in.  ClusterRoleBindings in a given

-// namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).

+// It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in.

+// ClusterRoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).

 type ClusterRoleBinding struct {

 	unversioned.TypeMeta `json:",inline"`

 	// Standard object's metadata.

 	kapi.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

-	// UserNames holds all the usernames directly bound to the role

+	// UserNames holds all the usernames directly bound to the role.

+	// This field should only be specified when supporting legacy clients and servers.

+	// See Subjects for further details.

 	// +k8s:conversion-gen=false

 	UserNames OptionalNames `json:"userNames" protobuf:"bytes,2,rep,name=userNames"`

-	// GroupNames holds all the groups directly bound to the role

+	// GroupNames holds all the groups directly bound to the role.

+	// This field should only be specified when supporting legacy clients and servers.

+	// See Subjects for further details.

 	// +k8s:conversion-gen=false

 	GroupNames OptionalNames `json:"groupNames" protobuf:"bytes,3,rep,name=groupNames"`

-	// Subjects hold object references to authorize with this rule

+	// Subjects hold object references to authorize with this rule.

+	// This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers.

+	// Thus newer clients that do not need to support backwards compatibility should send

+	// only fully qualified Subjects and should omit the UserNames and GroupNames fields.

+	// Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames.

 	Subjects []kapi.ObjectReference `json:"subjects" protobuf:"bytes,4,rep,name=subjects"`

-	// RoleRef can only reference the current namespace and the global namespace

+	// RoleRef can only reference the current namespace and the global namespace.

 	// If the ClusterRoleRef cannot be resolved, the Authorizer must return an error.

-	// Since Policy is a singleton, this is sufficient knowledge to locate a role

+	// Since Policy is a singleton, this is sufficient knowledge to locate a role.

 	RoleRef kapi.ObjectReference `json:"roleRef" protobuf:"bytes,5,opt,name=roleRef"`

 }