Currently, while defining ACLs for master or agents, there is a boolean field permissive that can be set on the global level that applies to all acls.
It defines the behavior when no ACL matches to the request made. If set to true (which is the default) it will allow by default all non-matching requests, if set to false it will reject all non-matching requests.
We should consider supporting a local permissive field specific to each ACL which would override the global permissive field if the local permissive field is set.
The use case is that if support for a new ACL is added to master or agent, and a cluster uses the global permissive field set to false, that would imply that the authorization for the newly added ACL shall fail unless the operator adds the corresponding entry for the newly added ACL, which leads to a upgrade issue.
If we have both the global as well as local permissive bit, then the global permissive bit can be set to true, whereas the local permissive bit can be set to true or false based on the use case. With this approach, it would not be mandatory to add an entry for the new ACL entry unless the operator chooses to do so.
That obviously also leads to the fact that maybe we should not have the global permissive bit in the first place.