diff --git a/pkg/cmd/server/bootstrappolicy/constants.go b/pkg/cmd/server/bootstrappolicy/constants.go
index a21557ae1cad..9e4926d4a747 100644
--- a/pkg/cmd/server/bootstrappolicy/constants.go
+++ b/pkg/cmd/server/bootstrappolicy/constants.go
@@ -84,6 +84,7 @@ const (
 MasterRoleName = "system:master"
 NodeRoleName = "system:node"
 NodeProxierRoleName = "system:node-proxier"
+ SDNIntegratedRouterRole = "system:sdn-integrated-router"
 SDNReaderRoleName = "system:sdn-reader"
 SDNManagerRoleName = "system:sdn-manager"
 OAuthTokenDeleterRoleName = "system:oauth-token-deleter"
diff --git a/pkg/cmd/server/bootstrappolicy/policy.go b/pkg/cmd/server/bootstrappolicy/policy.go
index 94203377043b..309038e05965 100644
--- a/pkg/cmd/server/bootstrappolicy/policy.go
+++ b/pkg/cmd/server/bootstrappolicy/policy.go
@@ -546,6 +546,14 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
 authorizationapi.NewRule("update").Groups(routeGroup).Resources("routes/status").RuleOrDie(),
 },
 },
+ {
+ ObjectMeta: kapi.ObjectMeta{
+ Name: SDNIntegratedRouterRole,
+ },
+ Rules: []authorizationapi.PolicyRule{
+ authorizationapi.NewRule("list", "watch").Groups(kapiGroup).Resources("nodes").RuleOrDie(),
+ },
+ },
 {
 ObjectMeta: kapi.ObjectMeta{
 Name: RegistryRoleName,
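Review bot: The added constant `SDNIntegratedRouterRole` in constants.go drops the `RoleName` suffix that every neighbouring constant in this block carries (`NodeProxierRoleName`, `SDNReaderRoleName`, `SDNManagerRoleName`), so it reads like a role object rather than a name string. I would rename it to `SDNIntegratedRouterRoleName = "system:sdn-integrated-router"` and change the reference in policy.go to `Name: SDNIntegratedRouterRoleName,` in the same commit. The const block starts and ends outside the hunk, so any other exceptions to the convention are not visible here.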
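Review bot: The new cluster role added to GetBootstrapClusterRoles in policy.go has no comment saying which component is meant to hold it or why it needs node access, and no binding is visible in this diff, so a reader cannot tell from here who ends up with the permission. `list`/`watch` on `nodes` is cluster-wide read access to every node object, which is a reasonable minimum for the purpose the name suggests but should be stated as deliberate so that later edits do not widen it without review. I would put a comment above the entry, for example `// Read-only node access for routers integrated with the SDN; keep to list/watch on nodes only.`, and note in the commit description where the role is expected to be bound. The enclosing function starts and ends outside the hunk.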