Track bootstrap policy updates / migration

[liggitt]

Need to document and determine how to update bootstrap roles with new permissions per release.

Updates since 1.0.0:

Roles	Changes	PR
cluster-status	added /oapi	#3633
admin, edit	added post on pods/portforward, pods/exec	#3716

[liggitt]

@deads2k fyi

[deads2k]

@adellape We're adding a command to update the bootstrap roles as a post-update step. Final shape is tbd, but #3810 is where it lives. Do you know where we'd normally document this sort of command?

@sdodson @detiber This command has a dry-run functionality that produces empty output when no changes are needed and json or yaml output with new roles when it is needed. Can you make use of this sort of a command to help users know they might want to look at updating their policy?

[adellape]

@deads2k At first glance, I would think an initial mention / explanation of the situation & command near the end of https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#roles.

And if the use case is mostly within the context of cluster upgrades, then tasks / example usage probably should be part of the WIP upgrade docs @sdodson has started here: openshift/openshift-docs#731 (and cross-link between the Arch topic).

[deads2k]

Opened openshift/openshift-docs#792

Added a comment to openshift/openshift-docs#731.

Once #3810 merges, I think we're good.

[sdodson]

@deads2k Copied things into the upgrade doc, i'll gather some example output once your change merges and it's easy for me to gather.

[bparees]

fixed.