From 9f3b97572a90b42db4333e2a897f18a5c794e04a Mon Sep 17 00:00:00 2001
From: Matt Rogers
Date: Wed, 30 May 2018 22:55:32 -0400
Subject: [PATCH] Add more kubectl auth reconcile flags

Adds --remove-extra-permissions and --remove-extra-subjects

Signed-off-by: Matt Rogers
---
 pkg/kubectl/cmd/auth/reconcile.go | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/pkg/kubectl/cmd/auth/reconcile.go b/pkg/kubectl/cmd/auth/reconcile.go
index 3346812deef52..a58c67e7bb2c9 100644
--- a/pkg/kubectl/cmd/auth/reconcile.go
+++ b/pkg/kubectl/cmd/auth/reconcile.go
@@ -37,9 +37,11 @@ import (
 // ReconcileOptions is the start of the data required to perform the operation. As new fields are added, add them here instead of
 // referencing the cmd.Flags()
 type ReconcileOptions struct {
- PrintFlags *genericclioptions.PrintFlags
- FilenameOptions *resource.FilenameOptions
- DryRun bool
+ PrintFlags *genericclioptions.PrintFlags
+ FilenameOptions *resource.FilenameOptions
+ DryRun bool
+ RemoveExtraPermissions bool
+ RemoveExtraSubjects bool

 Visitor resource.Visitor
 RBACClient rbacv1client.RbacV1Interface
@@ -89,6 +91,8 @@ func NewCmdReconcile(f cmdutil.Factory, streams genericclioptions.IOStreams) *co

 cmdutil.AddFilenameOptionFlags(cmd, o.FilenameOptions, "identifying the resource to reconcile.")
 cmd.Flags().BoolVar(&o.DryRun, "dry-run", o.DryRun, "If true, display results but do not submit changes")
+ cmd.Flags().BoolVar(&o.RemoveExtraPermissions, "remove-extra-permissions", o.RemoveExtraPermissions, "If true, removes extra permissions added to roles")
+ cmd.Flags().BoolVar(&o.RemoveExtraSubjects, "remove-extra-subjects", o.RemoveExtraSubjects, "If true, removes extra subjects added to rolebindings")
 cmd.MarkFlagRequired("filename")

 return cmd
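Review bot: The help strings for the two new flags in NewCmdReconcile do not say what "extra" is measured against, nor that the operation deletes live RBAC state. Further down in this patch both values are passed to the reconciliation options next to `Confirm: !o.DryRun`, so a run without `--dry-run` appears to submit the removal directly; an operator who points the command at a partial manifest could strip rules or subjects that other components depend on. I would make the text explicit, assuming "extra" means absent from the file given with `--filename`: `"If true, removes rules from existing roles that are not in the input file; preview with --dry-run"` and `"If true, removes subjects from existing rolebindings that are not in the input file; preview with --dry-run"`. NewCmdReconcile starts and ends outside this hunk, so the command's long description and examples are not visible here and may need the same sentence.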
@@ -174,7 +178,7 @@ func (o *ReconcileOptions) RunReconcile() error {
 case *rbacv1.Role:
 reconcileOptions := reconciliation.ReconcileRoleOptions{
 Confirm: !o.DryRun,
- RemoveExtraPermissions: false,
+ RemoveExtraPermissions: o.RemoveExtraPermissions,
 Role: reconciliation.RoleRuleOwner{Role: t},
 Client: reconciliation.RoleModifier{
 NamespaceClient: o.NamespaceClient.Namespaces(),
@@ -190,7 +194,7 @@ func (o *ReconcileOptions) RunReconcile() error {
 case *rbacv1.ClusterRole:
 reconcileOptions := reconciliation.ReconcileRoleOptions{
 Confirm: !o.DryRun,
- RemoveExtraPermissions: false,
+ RemoveExtraPermissions: o.RemoveExtraPermissions,
 Role: reconciliation.ClusterRoleRuleOwner{ClusterRole: t},
 Client: reconciliation.ClusterRoleModifier{
 Client: o.RBACClient.ClusterRoles(),
@@ -205,7 +209,7 @@ func (o *ReconcileOptions) RunReconcile() error {
 case *rbacv1.RoleBinding:
 reconcileOptions := reconciliation.ReconcileRoleBindingOptions{
 Confirm: !o.DryRun,
- RemoveExtraSubjects: false,
+ RemoveExtraSubjects: o.RemoveExtraSubjects,
 RoleBinding: reconciliation.RoleBindingAdapter{RoleBinding: t},
 Client: reconciliation.RoleBindingClientAdapter{
 Client: o.RBACClient,
@@ -221,7 +225,7 @@ func (o *ReconcileOptions) RunReconcile() error {
 case *rbacv1.ClusterRoleBinding:
 reconcileOptions := reconciliation.ReconcileRoleBindingOptions{
 Confirm: !o.DryRun,
- RemoveExtraSubjects: false,
+ RemoveExtraSubjects: o.RemoveExtraSubjects,
 RoleBinding: reconciliation.ClusterRoleBindingAdapter{ClusterRoleBinding: t},
 Client: reconciliation.ClusterRoleBindingClientAdapter{
 Client: o.RBACClient.ClusterRoleBindings(),
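Review bot: All four cases in RunReconcile (this hunk and the ones at -190, -205 and -221) now forward a user-controlled removal option, but the diffstat shows only reconcile.go changed, so no test pins that each flag reaches the matching options struct. The four literals are nearly identical and easy to cross-wire, and a slip would either silently delete RBAC rules or subjects or silently leave them in place when the operator asked for cleanup. A table-driven test that sets each flag and checks the resulting ReconcileRoleOptions / ReconcileRoleBindingOptions would cover it, and a one-line comment above each assignment would help the next reader, for example `// Destructive when Confirm is true: presumably drops rules/subjects on the live object that the input object lacks.` RunReconcile starts and ends outside these hunks, so whether the printed result reports what was removed cannot be checked from here.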