Merge pull request #64541 from mrogers950/additive-flag

Automatic merge from submit-queue (batch tested with PRs 63580, 63744, 64541, 64502, 64100). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Add more kubectl auth reconcile flags ```release-note The --remove-extra-subjects and --remove-extra-permissions flags have been enabled for kubectl auth reconcile ``` /assign @deads2k cc @enj @juanvallejo
2018-06-20 01:27:36 -07:00 · 2018-06-20 01:27:36 -07:00 · 5e31112d69
parent 65819a8f92 9f3b97572a
commit 5e31112d69
1 changed files with 11 additions and 7 deletions
--- a/pkg/kubectl/cmd/auth/reconcile.go
+++ b/pkg/kubectl/cmd/auth/reconcile.go
@ -40,6 +40,8 @@ type ReconcileOptions struct {
 	PrintFlags             *genericclioptions.PrintFlags
 	FilenameOptions        *resource.FilenameOptions
 	DryRun                 bool
+	RemoveExtraPermissions bool
+	RemoveExtraSubjects    bool

 	Visitor         resource.Visitor
 	RBACClient      rbacv1client.RbacV1Interface
@ -89,6 +91,8 @@ func NewCmdReconcile(f cmdutil.Factory, streams genericclioptions.IOStreams) *co

 	cmdutil.AddFilenameOptionFlags(cmd, o.FilenameOptions, "identifying the resource to reconcile.")
 	cmd.Flags().BoolVar(&o.DryRun, "dry-run", o.DryRun, "If true, display results but do not submit changes")
+	cmd.Flags().BoolVar(&o.RemoveExtraPermissions, "remove-extra-permissions", o.RemoveExtraPermissions, "If true, removes extra permissions added to roles")
+	cmd.Flags().BoolVar(&o.RemoveExtraSubjects, "remove-extra-subjects", o.RemoveExtraSubjects, "If true, removes extra subjects added to rolebindings")
 	cmd.MarkFlagRequired("filename")

 	return cmd
@ -174,7 +178,7 @@ func (o *ReconcileOptions) RunReconcile() error {
 		case *rbacv1.Role:
 			reconcileOptions := reconciliation.ReconcileRoleOptions{
 				Confirm:                !o.DryRun,
-				RemoveExtraPermissions: false,
+				RemoveExtraPermissions: o.RemoveExtraPermissions,
 				Role: reconciliation.RoleRuleOwner{Role: t},
 				Client: reconciliation.RoleModifier{
 					NamespaceClient: o.NamespaceClient.Namespaces(),
@ -190,7 +194,7 @@ func (o *ReconcileOptions) RunReconcile() error {
 		case *rbacv1.ClusterRole:
 			reconcileOptions := reconciliation.ReconcileRoleOptions{
 				Confirm:                !o.DryRun,
-				RemoveExtraPermissions: false,
+				RemoveExtraPermissions: o.RemoveExtraPermissions,
 				Role: reconciliation.ClusterRoleRuleOwner{ClusterRole: t},
 				Client: reconciliation.ClusterRoleModifier{
 					Client: o.RBACClient.ClusterRoles(),
@ -205,7 +209,7 @@ func (o *ReconcileOptions) RunReconcile() error {
 		case *rbacv1.RoleBinding:
 			reconcileOptions := reconciliation.ReconcileRoleBindingOptions{
 				Confirm:             !o.DryRun,
-				RemoveExtraSubjects: false,
+				RemoveExtraSubjects: o.RemoveExtraSubjects,
 				RoleBinding:         reconciliation.RoleBindingAdapter{RoleBinding: t},
 				Client: reconciliation.RoleBindingClientAdapter{
 					Client:          o.RBACClient,
@ -221,7 +225,7 @@ func (o *ReconcileOptions) RunReconcile() error {
 		case *rbacv1.ClusterRoleBinding:
 			reconcileOptions := reconciliation.ReconcileRoleBindingOptions{
 				Confirm:             !o.DryRun,
-				RemoveExtraSubjects: false,
+				RemoveExtraSubjects: o.RemoveExtraSubjects,
 				RoleBinding:         reconciliation.ClusterRoleBindingAdapter{ClusterRoleBinding: t},
 				Client: reconciliation.ClusterRoleBindingClientAdapter{
 					Client: o.RBACClient.ClusterRoleBindings(),