update bootstrappolicy/dead addDeadClusterRole to include systemOnly annotation

Roles that have been replaced by kube controller roles should receive
the systemOnly annotation to ensure they are not visible to typical
end users (such as those who would use the web console).

- updates bootstrappolicy/dead addDeadClusterRole
- updates bootstrappolicy/web_console_role_test TestSystemOnlyRoles
	- still skips controller roles (maintenance simplicity), but will throw an error if the annotation is missing

Author: benjaminapetersen

pkg/cmd/server/bootstrappolicy/dead.go

@@ -21,7 +21,13 @@ func addDeadClusterRole(name string) {
 
 	deadClusterRoles = append(deadClusterRoles,
 		authorizationapi.ClusterRole{
-			ObjectMeta: metav1.ObjectMeta{Name: name},
+			ObjectMeta: metav1.ObjectMeta{
+				Name: name,
+				Annotations: map[string]string{
+					// typical users should not see dead cluster roles
+					roleSystemOnly: roleIsSystemOnly,
+				},
+			},
 		},
 	)
 }

pkg/cmd/server/bootstrappolicy/web_console_role_test.go

@@ -62,9 +62,12 @@ func TestSystemOnlyRoles(t *testing.T) {
 
 	for _, role := range GetBootstrapClusterRoles() {
 		if isControllerRole(&role) {
-			continue // assume all controller roles can be ignored
+			if !isSystemOnlyRole(&role) {
+				t.Errorf("Controller role %q is missing the system only annotation", role.Name)
+			}
+			continue // assume all controller roles can be ignored even though we require the annotation
 		}
-		if isSystemOnlyRole(role) {
+		if isSystemOnlyRole(&role) {
 			hide.Insert(role.Name)
 		} else {
 			show.Insert(role.Name)
@@ -86,7 +89,7 @@ func TestSystemOnlyRoles(t *testing.T) {
 
 // this logic must stay in sync w/the web console for this test to be valid/valuable
 // it is the same logic that is run on the membership page
-func isSystemOnlyRole(role authorizationapi.ClusterRole) bool {
+func isSystemOnlyRole(role *authorizationapi.ClusterRole) bool {
 	return role.Annotations[roleSystemOnly] == roleIsSystemOnly
 }