kubernetes / kubernetes

Production-Grade Container Scheduling and Management
https://kubernetes.io
Apache License 2.0

Built-in user-facing clusterroles (admin, edit, etc.) missing rules for controller revisions #70697

Closed andor44 closed 5 years ago

andor44 commented 5 years ago

What happened: User has role binding to clusterroles/admin in the namespace.

$ kubectl rollout undo statefulset foo
error: unable to find history controlled by StatefulSet foo: controllerrevisions.apps is forbidden: User "bar" cannot list controllerrevisions.apps in the namespace "baz"

What you expected to happen: To roll back successfully.

How to reproduce it (as minimally and precisely as possible): A 1.10 cluster (haven't tested 1.11 but I suspect it's the same) and a 1.12 kubectl

Anything else we need to know?: It seems that the built-in admin and edit clusterroles don't cover controllerrevisions.apps, which is needed in >=1.12 for kubectl to interact with revision history?

Environment:

/kind bug /sig auth /sig cli /sig apps

liggitt commented 5 years ago

opened https://github.com/kubernetes/kubernetes/pull/70699 and picks to 1.10, 1.11, 1.12
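
The denial reported in this issue follows from RBAC being additive and matched per resource: rights on `statefulsets` grant nothing on `controllerrevisions`. The Go sketch below is an added example, not code from the issue or from the Kubernetes code base; it is a simplified rule matcher (no subresources or resourceNames), and `roleBefore` and `revisionRead` are constructed, hypothetical rule sets rather than the real contents of the built-in roles.

```go
package main

import "fmt"

// PolicyRule mirrors the apiGroups/resources/verbs fields of an RBAC rule.
type PolicyRule struct {
	APIGroups, Resources, Verbs []string
}

// has reports whether list contains want or the "*" wildcard.
func has(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// Allowed reports whether any single rule grants verb on resource in group.
// RBAC is purely additive: a request that no rule matches is denied.
func Allowed(rules []PolicyRule, verb, group, resource string) bool {
	for _, r := range rules {
		if has(r.Verbs, verb) && has(r.APIGroups, group) && has(r.Resources, resource) {
			return true
		}
	}
	return false
}

// Constructed rule set: full access to "apps" workloads, nothing on controllerrevisions.
var roleBefore = []PolicyRule{{
	APIGroups: []string{"apps"},
	Resources: []string{"statefulsets", "daemonsets", "deployments"},
	Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
}}

// Hypothetical supplementary rule: read-only access to revision history.
var revisionRead = PolicyRule{[]string{"apps"}, []string{"controllerrevisions"}, []string{"get", "list", "watch"}}

// RoleAfter returns a copy of roleBefore with the read-only rule appended.
func RoleAfter() []PolicyRule {
	return append(append([]PolicyRule{}, roleBefore...), revisionRead)
}

func main() {
	fmt.Println("before:", Allowed(roleBefore, "list", "apps", "controllerrevisions"))
	fmt.Println("after: ", Allowed(RoleAfter(), "list", "apps", "controllerrevisions"))
}
```

On a live cluster the same question can be asked of the API server with `kubectl auth can-i list controllerrevisions.apps --as bar -n baz`, using the user and namespace from the error message.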