diff --git a/pkg/authorization/registry/etcd/etcd.go b/pkg/authorization/registry/etcd/etcd.go
index 934ebea62e66..620201d50136 100644
--- a/pkg/authorization/registry/etcd/etcd.go
+++ b/pkg/authorization/registry/etcd/etcd.go
@@ -11,6 +11,7 @@ import (
 	etcdgeneric "github.com/GoogleCloudPlatform/kubernetes/pkg/registry/generic/etcd"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/runtime"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/tools"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/watch"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
 )
@@ -103,6 +104,10 @@ func (r *Etcd) DeletePolicy(ctx kapi.Context, name string) error {
 	return r.policyRegistry.Delete(ctx, name)
 }
 
+func (r *Etcd) WatchPolicies(ctx kapi.Context, label, field klabels.Selector, resourceVersion string) (watch.Interface, error) {
+	return r.policyRegistry.Watch(ctx, &generic.SelectionPredicate{label, field, getAttrs}, resourceVersion)
+}
+
 func makePolicyBindingListKey(ctx kapi.Context) string {
 	return kubeetcd.MakeEtcdListKey(ctx, PolicyBindingPath)
 }
@@ -148,3 +153,7 @@ func (r *Etcd) UpdatePolicyBinding(ctx kapi.Context, newPolicyBinding *authoriza
 func (r *Etcd) DeletePolicyBinding(ctx kapi.Context, name string) error {
 	return r.policyBindingRegistry.Delete(ctx, name)
 }
+
+func (r *Etcd) WatchPolicyBindings(ctx kapi.Context, label, field klabels.Selector, resourceVersion string) (watch.Interface, error) {
+	return r.policyBindingRegistry.Watch(ctx, &generic.SelectionPredicate{label, field, getAttrs}, resourceVersion)
+}
diff --git a/pkg/authorization/registry/policy/registry.go b/pkg/authorization/registry/policy/registry.go
index 0b3a8665acae..5ccc3a300d01 100644
--- a/pkg/authorization/registry/policy/registry.go
+++ b/pkg/authorization/registry/policy/registry.go
@@ -3,6 +3,7 @@ package policy
 import (
 	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"
 	klabels "github.com/GoogleCloudPlatform/kubernetes/pkg/labels"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/watch"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
 )
@@ -19,4 +20,6 @@ type Registry interface {
 	UpdatePolicy(ctx kapi.Context, policy *authorizationapi.Policy) error
 	// DeletePolicy deletes a policy.
 	DeletePolicy(ctx kapi.Context, id string) error
+	// WatchPolicyBindings watches policyBindings.
+	WatchPolicies(ctx kapi.Context, label, field klabels.Selector, resourceVersion string) (watch.Interface, error)
 }
diff --git a/pkg/authorization/registry/policy/rest.go b/pkg/authorization/registry/policy/rest.go
index eeafcdf7107e..64a6735edad5 100644
--- a/pkg/authorization/registry/policy/rest.go
+++ b/pkg/authorization/registry/policy/rest.go
@@ -5,6 +5,7 @@ import (
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/apiserver"
 	klabels "github.com/GoogleCloudPlatform/kubernetes/pkg/labels"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/runtime"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/watch"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
 )
@@ -52,3 +53,8 @@ func (r *REST) Delete(ctx kapi.Context, id string) (<-chan apiserver.RESTResult,
 		return &kapi.Status{Status: kapi.StatusSuccess}, r.registry.DeletePolicy(ctx, id)
 	}), nil
 }
+
+// Watch begins watching for new, changed, or deleted PolicyBindings.
+func (r *REST) Watch(ctx kapi.Context, label, field klabels.Selector, resourceVersion string) (watch.Interface, error) {
+	return r.registry.WatchPolicies(ctx, label, field, resourceVersion)
+}
diff --git a/pkg/authorization/registry/policybinding/registry.go b/pkg/authorization/registry/policybinding/registry.go
index dbcf57302126..d38b69c391db 100644
--- a/pkg/authorization/registry/policybinding/registry.go
+++ b/pkg/authorization/registry/policybinding/registry.go
@@ -3,6 +3,7 @@ package policybinding
 import (
 	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"
 	klabels "github.com/GoogleCloudPlatform/kubernetes/pkg/labels"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/watch"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
 )
@@ -19,4 +20,6 @@ type Registry interface {
 	UpdatePolicyBinding(ctx kapi.Context, policyBinding *authorizationapi.PolicyBinding) error
 	// DeletePolicyBinding deletes a policyBinding.
 	DeletePolicyBinding(ctx kapi.Context, id string) error
+	// WatchPolicyBindings watches policyBindings.
+	WatchPolicyBindings(ctx kapi.Context, label, field klabels.Selector, resourceVersion string) (watch.Interface, error)
 }
diff --git a/pkg/authorization/registry/policybinding/rest.go b/pkg/authorization/registry/policybinding/rest.go
index 6757daca092c..3acd436b0404 100644
--- a/pkg/authorization/registry/policybinding/rest.go
+++ b/pkg/authorization/registry/policybinding/rest.go
@@ -9,6 +9,7 @@ import (
 	klabels "github.com/GoogleCloudPlatform/kubernetes/pkg/labels"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/runtime"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/util"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/watch"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
 	"github.com/openshift/origin/pkg/authorization/api/validation"
@@ -84,6 +85,11 @@ func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (<-chan apiserver.RE
 	}), nil
 }
 
+// Watch begins watching for new, changed, or deleted PolicyBindings.
+func (r *REST) Watch(ctx kapi.Context, label, field klabels.Selector, resourceVersion string) (watch.Interface, error) {
+	return r.registry.WatchPolicyBindings(ctx, label, field, resourceVersion)
+}
+
 func NewEmptyPolicyBinding(namespace, policyNamespace string) *authorizationapi.PolicyBinding {
 	policyBinding := &authorizationapi.PolicyBinding{}
 	policyBinding.Name = policyNamespace
diff --git a/pkg/authorization/registry/test/policy.go b/pkg/authorization/registry/test/policy.go
index f43165a4ce46..b8b472092135 100644
--- a/pkg/authorization/registry/test/policy.go
+++ b/pkg/authorization/registry/test/policy.go
@@ -6,6 +6,7 @@ import (
 
 	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"
 	klabels "github.com/GoogleCloudPlatform/kubernetes/pkg/labels"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/watch"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
 )
@@ -76,3 +77,7 @@ func (r *PolicyRegistry) DeletePolicy(ctx kapi.Context, id string) error {
 	r.DeletedPolicyName = id
 	return r.Err
 }
+
+func (r *PolicyRegistry) WatchPolicies(ctx kapi.Context, label, field klabels.Selector, resourceVersion string) (watch.Interface, error) {
+	return nil, r.Err
+}
diff --git a/pkg/authorization/registry/test/policybinding.go b/pkg/authorization/registry/test/policybinding.go
index f1b89daa53e3..88b542c63e35 100644
--- a/pkg/authorization/registry/test/policybinding.go
+++ b/pkg/authorization/registry/test/policybinding.go
@@ -6,6 +6,7 @@ import (
 
 	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"
 	klabels "github.com/GoogleCloudPlatform/kubernetes/pkg/labels"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/watch"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
 )
@@ -79,3 +80,7 @@ func (r *PolicyBindingRegistry) DeletePolicyBinding(ctx kapi.Context, id string)
 	r.DeletedPolicyBindingName = id
 	return r.Err
 }
+
+func (r *PolicyBindingRegistry) WatchPolicyBindings(ctx kapi.Context, label, field klabels.Selector, resourceVersion string) (watch.Interface, error) {
+	return nil, r.Err
+}
diff --git a/pkg/client/fake_policies.go b/pkg/client/fake_policies.go
index 2cdc0e416dbf..082516c750fd 100644
--- a/pkg/client/fake_policies.go
+++ b/pkg/client/fake_policies.go
@@ -2,6 +2,7 @@ package client
 
 import (
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/labels"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/watch"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
 )
@@ -24,3 +25,8 @@ func (c *FakePolicies) Delete(name string) error {
 	c.Fake.Actions = append(c.Fake.Actions, FakeAction{Action: "delete-policy", Value: name})
 	return nil
 }
+
+func (c *FakePolicies) Watch(label, field labels.Selector, resourceVersion string) (watch.Interface, error) {
+	c.Fake.Actions = append(c.Fake.Actions, FakeAction{Action: "watch-policy"})
+	return nil, nil
+}
diff --git a/pkg/client/fake_policybindings.go b/pkg/client/fake_policybindings.go
index c41bcfc41c24..4eed75e50664 100644
--- a/pkg/client/fake_policybindings.go
+++ b/pkg/client/fake_policybindings.go
@@ -2,6 +2,7 @@ package client
 
 import (
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/labels"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/watch"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
 )
@@ -29,3 +30,8 @@ func (c *FakePolicyBindings) Delete(name string) error {
 	c.Fake.Actions = append(c.Fake.Actions, FakeAction{Action: "delete-policyBinding", Value: name})
 	return nil
 }
+
+func (c *FakePolicyBindings) Watch(label, field labels.Selector, resourceVersion string) (watch.Interface, error) {
+	c.Fake.Actions = append(c.Fake.Actions, FakeAction{Action: "watch-policyBinding"})
+	return nil, nil
+}
diff --git a/pkg/client/policies.go b/pkg/client/policies.go
index e3230af7334e..cae998686e5d 100644
--- a/pkg/client/policies.go
+++ b/pkg/client/policies.go
@@ -2,6 +2,7 @@ package client
 
 import (
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/labels"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/watch"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
 )
@@ -16,6 +17,7 @@ type PolicyInterface interface {
 	List(label, field labels.Selector) (*authorizationapi.PolicyList, error)
 	Get(name string) (*authorizationapi.Policy, error)
 	Delete(name string) error
+	Watch(label, field labels.Selector, resourceVersion string) (watch.Interface, error)
 }
 
 // policies implements PoliciesNamespacer interface
@@ -51,3 +53,8 @@ func (c *policies) Delete(name string) (err error) {
 	err = c.r.Delete().Namespace(c.ns).Resource("policies").Name(name).Do().Error()
 	return
 }
+
+// Watch returns a watch.Interface that watches the requested policies
+func (c *policies) Watch(label, field labels.Selector, resourceVersion string) (watch.Interface, error) {
+	return c.r.Get().Prefix("watch").Namespace(c.ns).Resource("policies").Param("resourceVersion", resourceVersion).SelectorParam("labels", label).SelectorParam("fields", field).Watch()
+}
diff --git a/pkg/client/policybindings.go b/pkg/client/policybindings.go
index 883611dc94f2..1b9a573ba69d 100644
--- a/pkg/client/policybindings.go
+++ b/pkg/client/policybindings.go
@@ -2,6 +2,7 @@ package client
 
 import (
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/labels"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/watch"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
 )
@@ -17,6 +18,7 @@ type PolicyBindingInterface interface {
 	Get(name string) (*authorizationapi.PolicyBinding, error)
 	Create(policyBinding *authorizationapi.PolicyBinding) (*authorizationapi.PolicyBinding, error)
 	Delete(name string) error
+	Watch(label, field labels.Selector, resourceVersion string) (watch.Interface, error)
 }
 
 // policyBindings implements PolicyBindingsNamespacer interface
@@ -59,3 +61,8 @@ func (c *policyBindings) Delete(name string) (err error) {
 	err = c.r.Delete().Namespace(c.ns).Resource("policyBindings").Name(name).Do().Error()
 	return
 }
+
+// Watch returns a watch.Interface that watches the requested policyBindings
+func (c *policyBindings) Watch(label, field labels.Selector, resourceVersion string) (watch.Interface, error) {
+	return c.r.Get().Prefix("watch").Namespace(c.ns).Resource("policyBindings").Param("resourceVersion", resourceVersion).SelectorParam("labels", label).SelectorParam("fields", field).Watch()
+}