Merge pull request #41184 from liggitt/subject-apigroup

Automatic merge from submit-queue (batch tested with PRs 41357, 41178, 41280, 41184, 41278)

Switch RBAC subject apiVersion to apiGroup in v1beta1

When referencing a subject from an RBAC role binding, the API group and kind of the subject are needed to fully qualify the reference.

The version is not, and adds complexity around re-writing the reference when returning the binding from different versions of the API, and when reconciling subjects.

This PR:
* v1beta1: change the subject `apiVersion` field to `apiGroup` (to match roleRef)
* v1alpha1: convert apiVersion to apiGroup for backwards compatibility
* all versions: add defaulting for the three allowed subject kinds
* all versions: add validation to the field so we can count on the data in etcd being good until we decide to relax the apiGroup restriction

```release-note
RBAC `v1beta1` RoleBinding/ClusterRoleBinding subjects changed `apiVersion` to `apiGroup` to fully-qualify a subject. ServiceAccount subjects default to an apiGroup of `""`, User and Group subjects default to an apiGroup of `"rbac.authorization.k8s.io"`.
```

@deads2k @kubernetes/sig-auth-api-reviews @kubernetes/sig-auth-pr-reviews
Kubernetes Submit Queue
2017-02-13 21:07:10 -08:00
committed by GitHub
36 changed files with 356 additions and 173 deletions


@@ -42731,7 +42731,7 @@
],
"properties": {
"apiVersion": {
"description": "APIVersion holds the API group and version of the referenced object.",
"description": "APIVersion holds the API group and version of the referenced subject. Defaults to \"v1\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io/v1alpha1\" for User and Group subjects.",
"type": "string"
},
"kind": {
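Review bot: the new `apiVersion` description documents a versioned default (`rbac.authorization.k8s.io/v1alpha1`) for User and Group subjects, while the commit message says the version is not needed to qualify a subject. Consider adding a sentence that only the group part is used to identify the subject, so a reader does not assume that a different version string for the same group refers to a different subject.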
@@ -43102,8 +43102,8 @@
"name"
],
"properties": {
"apiVersion": {
"description": "APIVersion holds the API group and version of the referenced object.",
"apiGroup": {
"description": "APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects.",
"type": "string"
},
"kind": {
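Review bot: in the `apiGroup` description, the ServiceAccount default of `""` is given without saying that the empty string means the core API group, which is easy to misread as "unset". Suggest wording such as `Defaults to "" (the core API group) for ServiceAccount subjects`, and, since the commit message says validation was added for this field, a short statement of which values are accepted for each kind.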


@@ -2924,7 +2924,7 @@
},
"apiVersion": {
"type": "string",
"description": "APIVersion holds the API group and version of the referenced object."
"description": "APIVersion holds the API group and version of the referenced subject. Defaults to \"v1\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io/v1alpha1\" for User and Group subjects."
},
"name": {
"type": "string",
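Review bot: the `apiVersion` description lists defaults for ServiceAccount, User and Group only and does not say what happens when the value is set to something other than those defaults. The commit message mentions new validation on this field, so the description should state what is rejected; otherwise consumers of this schema learn about the restriction only from an API error.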


@@ -2922,9 +2922,9 @@
"type": "string",
"description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error."
},
"apiVersion": {
"apiGroup": {
"type": "string",
"description": "APIVersion holds the API group and version of the referenced object."
"description": "APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects."
},
"name": {
"type": "string",
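Review bot: the unchanged `kind` description just above the renamed field says the values "defined by this API group" are User, Group and ServiceAccount, but the new `apiGroup` description gives ServiceAccount a default group of `""`, not `rbac.authorization.k8s.io`. The two descriptions now read as inconsistent; rewording `kind` to say these are the kinds the field accepts would fix that, and the same line has a typo worth correcting while this block is being touched ("does not recognized" should be "does not recognize").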