@@ -170,7 +170,7 @@ func (o *ReconcileClusterRoleBindingsOptions) ChangedClusterRoleBindings() ([]*a

 		actualClusterRoleBinding, err := o.RoleBindingClient.Get(expectedClusterRoleBinding.Name)

 		if kapierrors.IsNotFound(err) {

 			// Remove excluded subjects from the new role binding

-			expectedClusterRoleBinding.Subjects, _ = Diff(expectedClusterRoleBinding.Subjects, o.ExcludeSubjects)

+			expectedClusterRoleBinding.Subjects, _ = DiffObjectReferenceLists(expectedClusterRoleBinding.Subjects, o.ExcludeSubjects)

 			changedRoleBindings = append(changedRoleBindings, expectedClusterRoleBinding)

 			continue

 		}

@@ -249,11 +249,11 @@ func computeUpdatedBinding(expected authorizationapi.ClusterRoleBinding, actual

 	}

 	// compute the list of subjects we should not add roles for (existing subjects in the exclude list should be preserved)

-	doNotAddSubjects, _ := Diff(excludeSubjects, actual.Subjects)

+	doNotAddSubjects, _ := DiffObjectReferenceLists(excludeSubjects, actual.Subjects)

 	// remove any excluded subjects that do not exist from our expected subject list (so we don't add them)

-	expectedSubjects, _ := Diff(expected.Subjects, doNotAddSubjects)

+	expectedSubjects, _ := DiffObjectReferenceLists(expected.Subjects, doNotAddSubjects)

-	missingSubjects, extraSubjects := Diff(expectedSubjects, actual.Subjects)

+	missingSubjects, extraSubjects := DiffObjectReferenceLists(expectedSubjects, actual.Subjects)

 	// Always add missing expected subjects

 	if len(missingSubjects) > 0 {

 		needsUpdating = true

@@ -284,11 +284,11 @@ func contains(list []kapi.ObjectReference, item kapi.ObjectReference) bool {

 	return false

 }

-// Diff returns lists containing the items unique to each provided list:

+// DiffObjectReferenceLists returns lists containing the items unique to each provided list:

 //   list1Only = list1 - list2

 //   list2Only = list2 - list1

 // if both returned lists are empty, the provided lists are equal

-func Diff(list1 []kapi.ObjectReference, list2 []kapi.ObjectReference) (list1Only []kapi.ObjectReference, list2Only []kapi.ObjectReference) {

+func DiffObjectReferenceLists(list1 []kapi.ObjectReference, list2 []kapi.ObjectReference) (list1Only []kapi.ObjectReference, list2Only []kapi.ObjectReference) {

 	for _, list1Item := range list1 {

 		if !contains(list2, list1Item) {

 			if !contains(list1Only, list1Item) {

@@ -24,7 +24,7 @@ func refs(names ...string) []kapi.ObjectReference {

 	return r

 }

-func TestDiff(t *testing.T) {

+func TestDiffObjectReferenceLists(t *testing.T) {

 	tests := map[string]struct {

 		A             []kapi.ObjectReference

 		B             []kapi.ObjectReference

@@ -61,7 +61,7 @@ func TestDiff(t *testing.T) {

 	}

 	for k, tc := range tests {

-		onlyA, onlyB := diff(tc.A, tc.B)

+		onlyA, onlyB := DiffObjectReferenceLists(tc.A, tc.B)

 		if !kapi.Semantic.DeepEqual(onlyA, tc.ExpectedOnlyA) {

 			t.Errorf("%s: Expected %#v, got %#v", k, tc.ExpectedOnlyA, onlyA)

 		}

@@ -27,7 +27,7 @@ func (d *ClusterRoleBindings) Name() string {

 }

 func (d *ClusterRoleBindings) Description() string {

-	return "Check that the ClusterRoleBindings are up-to-date"

+	return "Check that the default ClusterRoleBindings are present and contain the expected subjects"

 }

 func (d *ClusterRoleBindings) CanRun() (bool, error) {

@@ -57,6 +57,7 @@ func (d *ClusterRoleBindings) Check() types.DiagnosticResult {

 	changedClusterRoleBindings, err := reconcileOptions.ChangedClusterRoleBindings()

 	if err != nil {

 		r.Error("CRBD1000", err, fmt.Sprintf("Error inspecting ClusterRoleBindings: %v", err))

+		return r

 	}

 	// success

@@ -74,14 +75,14 @@ func (d *ClusterRoleBindings) Check() types.DiagnosticResult {

 			r.Error("CRBD1002", err, fmt.Sprintf("Unable to get clusterrolebinding/%s: %v", changedClusterRoleBinding.Name, err))

 		}

-		missingSubjects, extraSubjects := policycmd.Diff(changedClusterRoleBinding.Subjects, actualClusterRole.Subjects)

+		missingSubjects, extraSubjects := policycmd.DiffObjectReferenceLists(changedClusterRoleBinding.Subjects, actualClusterRole.Subjects)

 		switch {

 		case len(missingSubjects) > 0:

 			// Only a warning, because they can remove things like self-provisioner role from system:unauthenticated, and it's not an error

-			r.Warn("CRBD1003", nil, fmt.Sprintf("clusterrolebinding/%s is missing expected subjects.\n\nUse the `oadm policy reconcile-cluster-role bindings` command to update the role binding to include expected subjects.", changedClusterRoleBinding.Name))

+			r.Warn("CRBD1003", nil, fmt.Sprintf("clusterrolebinding/%s is missing expected subjects.\n\nUse the `oadm policy reconcile-cluster-role-bindings` command to update the role binding to include expected subjects.", changedClusterRoleBinding.Name))

 		case len(extraSubjects) > 0:

 			// Only info, because it is normal to use policy to grant cluster roles to users

-			r.Info("CRBD1004", fmt.Sprintf("clusterrolebinding/%s has more subjects than expected.\n\nUse the `oadm policy reconcile-cluster-role bindings` command to update the role binding to remove extra subjects.", changedClusterRoleBinding.Name))

+			r.Info("CRBD1004", fmt.Sprintf("clusterrolebinding/%s has more subjects than expected.\n\nUse the `oadm policy reconcile-cluster-role-bindings` command to update the role binding to remove extra subjects.", changedClusterRoleBinding.Name))

 		}

 		for _, missingSubject := range missingSubjects {

@@ -28,7 +28,7 @@ func (d *ClusterRoles) Name() string {

 }

 func (d *ClusterRoles) Description() string {

-	return "Check that the ClusterRoles are up-to-date"

+	return "Check that the default ClusterRoles are present and contain the expected permissions"

 }

 func (d *ClusterRoles) CanRun() (bool, error) {

@@ -58,6 +58,7 @@ func (d *ClusterRoles) Check() types.DiagnosticResult {

 	changedClusterRoles, err := reconcileOptions.ChangedClusterRoles()

 	if err != nil {

 		r.Error("CRD1000", err, fmt.Sprintf("Error inspecting ClusterRoles: %v", err))

+		return r

 	}

 	// success

@@ -277,8 +277,9 @@ wait_for_url "${API_SCHEME}://${API_HOST}:${API_PORT}/healthz" "apiserver: " 0.2

 wait_for_url "${API_SCHEME}://${API_HOST}:${API_PORT}/healthz/ready" "apiserver(ready): " 0.25 80

 wait_for_url "${API_SCHEME}://${API_HOST}:${API_PORT}/api/v1beta3/nodes/${KUBELET_HOST}" "apiserver(nodes): " 0.25 80

-# COMPATIBILITY update the cluster roles so that new images can be used.

+# COMPATIBILITY update the cluster roles and role bindings so that new images can be used.

 oadm policy reconcile-cluster-roles --confirm

+oadm policy reconcile-cluster-role-bindings --confirm

 # COMPATIBILITY create a service account for the router

 echo '{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"router"}}' | oc create -f -

 # COMPATIBILITY add the router SA to the privileged SCC so that it can be use to create the router