Reconcile roles

[deads2k]

Fixes #3802.

This adds oadm policy reconcile-cluster-roles. This command ensures that every recommended bootstrap cluster role exists with the correct ruleset. You can pass an -o yaml|json to output what would be changed instead of actually making the changes. That list can then be passed to oc replace --force to make the changes.

[liggitt]

For use during a rolling update, we'd also need an additive-only mode. I'd envision the flow as

reconcile-cluster-roles --add-only
# do the master upgrades
reconcile-cluster-roles

[deads2k]

For use during a rolling update, we'd also need an additive-only mode. I'd envision the flow as

That requires a covers evaluation, so it won't actually share code with this command. To illustrate: v1 grants get on foo. v2 grants get on bar. The --add-only grants get on foo and bar. I'd like to push that to another issue.

[liggitt]

Follow up is ok, but I think we need both before the upgrade scenario is complete

[deads2k]

Follow up is ok, but I think we need both before the upgrade scenario is complete

It's not a stop-ship problem for 3.0.1 because our changes were strictly additive.

[deads2k]

@smarterclayton This is for a p1 issue (default policy changed between levels). Who can review?

[smarterclayton]

Make the default a dry run, and add --confirm

[deads2k]

Make the default a dry run, and add --confirm

done.

[smarterclayton]

LGTM [merge]

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin/3723/) (Image: devenv-fedora_2048)

[openshift-bot]

[Test]ing while waiting on the merge queue

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin/3723/)

[openshift-bot]

Evaluated for origin up to a7b0509