TL;DR: If you have an existing dev cluster and policy in etcd, run these commands after updating to master:
oadm policy reconcile-cluster-roles --confirm
oadm policy reconcile-cluster-role-bindings --confirm
Authentication/authorization to the Kubelet API in OpenShift has changed with https://github.com/openshift/origin/pull/4873
Previously, a client certificate gained you full access to the Kubelet API. Now, the same authn/authz chain used in the master API applies to the Kubelet API. This means that OAuth and service account tokens can now be used to authenticate Kubelet API calls. It also requires running the above commands when upgrading to make sure the newly defined roles and default permissions are in place.