@@ -389,6 +389,34 @@ _oadm_policy_reconcile-cluster-roles()

     must_have_one_noun=()

 }

+_oadm_policy_reconcile-cluster-role-bindings()

+{

+    last_command="oadm_policy_reconcile-cluster-role-bindings"

+    commands=()

+

+    flags=()

+    two_word_flags=()

+    flags_with_completion=()

+    flags_completion=()

+

+    flags+=("--additive-only")

+    flags+=("--confirm")

+    flags+=("--exclude-groups=")

+    flags+=("--exclude-users=")

+    flags+=("--no-headers")

+    flags+=("--output=")

+    two_word_flags+=("-o")

+    flags+=("--output-version=")

+    flags+=("--show-all")

+    flags+=("-a")

+    flags+=("--sort-by=")

+    flags+=("--template=")

+    two_word_flags+=("-t")

+

+    must_have_one_flag=()

+    must_have_one_noun=()

+}

+

 _oadm_policy()

 {

     last_command="oadm_policy"

@@ -405,6 +433,7 @@ _oadm_policy()

     commands+=("add-cluster-role-to-group")

     commands+=("remove-cluster-role-from-group")

     commands+=("reconcile-cluster-roles")

+    commands+=("reconcile-cluster-role-bindings")

     flags=()

     two_word_flags=()

@@ -819,6 +819,34 @@ _openshift_admin_policy_reconcile-cluster-roles()

     must_have_one_noun=()

 }

+_openshift_admin_policy_reconcile-cluster-role-bindings()

+{

+    last_command="openshift_admin_policy_reconcile-cluster-role-bindings"

+    commands=()

+

+    flags=()

+    two_word_flags=()

+    flags_with_completion=()

+    flags_completion=()

+

+    flags+=("--additive-only")

+    flags+=("--confirm")

+    flags+=("--exclude-groups=")

+    flags+=("--exclude-users=")

+    flags+=("--no-headers")

+    flags+=("--output=")

+    two_word_flags+=("-o")

+    flags+=("--output-version=")

+    flags+=("--show-all")

+    flags+=("-a")

+    flags+=("--sort-by=")

+    flags+=("--template=")

+    two_word_flags+=("-t")

+

+    must_have_one_flag=()

+    must_have_one_noun=()

+}

+

 _openshift_admin_policy()

 {

     last_command="openshift_admin_policy"

@@ -835,6 +863,7 @@ _openshift_admin_policy()

     commands+=("add-cluster-role-to-group")

     commands+=("remove-cluster-role-from-group")

     commands+=("reconcile-cluster-roles")

+    commands+=("reconcile-cluster-role-bindings")

     flags=()

     two_word_flags=()

@@ -201,6 +201,31 @@ Manage nodes - list pods, evacuate, or mark ready

 ====

+== oadm policy reconcile-cluster-role-bindings

+Replace cluster role bindings to match the recommended bootstrap policy

+

+====

+

+[options="nowrap"]

+----

+  # Display the cluster role bindings that would be modified

+  $ openshift admin policy reconcile-cluster-role-bindings

+

+  # Display the cluster role bindings that would be modified, removing any extra subjects

+  $ openshift admin policy reconcile-cluster-role-bindings --additive-only=false

+

+  # Update cluster role bindings that don't match the current defaults

+  $ openshift admin policy reconcile-cluster-role-bindings --confirm

+

+  # Update cluster role bindings that don't match the current defaults, avoid adding roles to the system:authenticated group

+  $ openshift admin policy reconcile-cluster-role-bindings --confirm --exclude-groups=system:authenticated

+

+  # Update cluster role bindings that don't match the current defaults, removing any extra subjects from the binding

+  $ openshift admin policy reconcile-cluster-role-bindings --confirm --additive-only=false

+----

+====

+

+

 == oadm policy reconcile-cluster-roles

 Replace cluster roles to match the recommended bootstrap policy

@@ -45,6 +45,7 @@ func NewCmdPolicy(name, fullName string, f *clientcmd.Factory, out io.Writer) *c

 	cmds.AddCommand(NewCmdAddClusterRoleToGroup(AddClusterRoleToGroupRecommendedName, fullName+" "+AddClusterRoleToGroupRecommendedName, f, out))

 	cmds.AddCommand(NewCmdRemoveClusterRoleFromGroup(RemoveClusterRoleFromGroupRecommendedName, fullName+" "+RemoveClusterRoleFromGroupRecommendedName, f, out))

 	cmds.AddCommand(NewCmdReconcileClusterRoles(ReconcileClusterRolesRecommendedName, fullName+" "+ReconcileClusterRolesRecommendedName, f, out))

+	cmds.AddCommand(NewCmdReconcileClusterRoleBindings(ReconcileClusterRoleBindingsRecommendedName, fullName+" "+ReconcileClusterRoleBindingsRecommendedName, f, out))

 	return cmds

 }

new file mode 100644

@@ -0,0 +1,307 @@

+package policy

+

+import (

+	"errors"

+	"fmt"

+	"io"

+

+	"github.com/spf13/cobra"

+

+	kapi "k8s.io/kubernetes/pkg/api"

+	kapierrors "k8s.io/kubernetes/pkg/api/errors"

+	kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"

+	"k8s.io/kubernetes/pkg/util"

+

+	authorizationapi "github.com/openshift/origin/pkg/authorization/api"

+	"github.com/openshift/origin/pkg/client"

+	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"

+	"github.com/openshift/origin/pkg/cmd/util/clientcmd"

+	uservalidation "github.com/openshift/origin/pkg/user/api/validation"

+)

+

+// ReconcileClusterRoleBindingsRecommendedName is the recommended command name

+const ReconcileClusterRoleBindingsRecommendedName = "reconcile-cluster-role-bindings"

+

+type ReconcileClusterRoleBindingsOptions struct {

+	Confirmed bool

+	Union     bool

+

+	ExcludeSubjects []kapi.ObjectReference

+

+	Out    io.Writer

+	Output string

+

+	RoleBindingClient client.ClusterRoleBindingInterface

+}

+

+const (

+	reconcileBindingsLong = `

+Replace cluster role bindings to match the recommended bootstrap policy

+

+This command will inspect the cluster role bindings against the recommended bootstrap policy.

+Any cluster role binding that does not match will be replaced by the recommended bootstrap role binding.

+This command will not remove any additional cluster role bindings.

+

+You can see which recommended cluster role bindings have changed by choosing an output type.`

+

+	reconcileBindingsExample = `  # Display the cluster role bindings that would be modified

+  $ %[1]s

+

+  # Display the cluster role bindings that would be modified, removing any extra subjects

+  $ %[1]s --additive-only=false

+

+  # Update cluster role bindings that don't match the current defaults

+  $ %[1]s --confirm

+

+  # Update cluster role bindings that don't match the current defaults, avoid adding roles to the system:authenticated group

+  $ %[1]s --confirm --exclude-groups=system:authenticated

+

+  # Update cluster role bindings that don't match the current defaults, removing any extra subjects from the binding

+  $ %[1]s --confirm --additive-only=false`

+)

+

+// NewCmdReconcileClusterRoleBindings implements the OpenShift cli reconcile-cluster-role-bindings command

+func NewCmdReconcileClusterRoleBindings(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command {

+	o := &ReconcileClusterRoleBindingsOptions{

+		Out:   out,

+		Union: true,

+	}

+

+	excludeUsers := util.StringList{}

+	excludeGroups := util.StringList{}

+

+	cmd := &cobra.Command{

+		Use:     name,

+		Short:   "Replace cluster role bindings to match the recommended bootstrap policy",

+		Long:    reconcileBindingsLong,

+		Example: fmt.Sprintf(reconcileBindingsExample, fullName),

+		Run: func(cmd *cobra.Command, args []string) {

+			if err := o.Complete(cmd, f, args, excludeUsers, excludeGroups); err != nil {

+				kcmdutil.CheckErr(err)

+			}

+

+			if err := o.Validate(); err != nil {

+				kcmdutil.CheckErr(kcmdutil.UsageError(cmd, err.Error()))

+			}

+

+			if err := o.RunReconcileClusterRoleBindings(cmd, f); err != nil {

+				kcmdutil.CheckErr(err)

+			}

+		},

+	}

+

+	cmd.Flags().BoolVar(&o.Confirmed, "confirm", o.Confirmed, "Specify that cluster role bindings should be modified. Defaults to false, displaying what would be replaced but not actually replacing anything.")

+	cmd.Flags().BoolVar(&o.Union, "additive-only", o.Union, "Preserves extra subjects in cluster role bindings.")

+	cmd.Flags().Var(&excludeUsers, "exclude-users", "Do not add cluster role bindings for these user names.")

+	cmd.Flags().Var(&excludeGroups, "exclude-groups", "Do not add cluster role bindings for these group names.")

+	kcmdutil.AddPrinterFlags(cmd)

+	cmd.Flags().Lookup("output").DefValue = "yaml"

+	cmd.Flags().Lookup("output").Value.Set("yaml")

+

+	return cmd

+}

+

+func (o *ReconcileClusterRoleBindingsOptions) Complete(cmd *cobra.Command, f *clientcmd.Factory, args []string, excludeUsers, excludeGroups util.StringList) error {

+	if len(args) != 0 {

+		return kcmdutil.UsageError(cmd, "no arguments are allowed")

+	}

+

+	oclient, _, err := f.Clients()

+	if err != nil {

+		return err

+	}

+	o.RoleBindingClient = oclient.ClusterRoleBindings()

+

+	o.Output = kcmdutil.GetFlagString(cmd, "output")

+

+	o.ExcludeSubjects = authorizationapi.BuildSubjects(excludeUsers, excludeGroups, uservalidation.ValidateUserName, uservalidation.ValidateGroupName)

+

+	return nil

+}

+

+func (o *ReconcileClusterRoleBindingsOptions) Validate() error {

+	if o.RoleBindingClient == nil {

+		return errors.New("a role binding client is required")

+	}

+	if o.Output != "yaml" && o.Output != "json" && o.Output != "" {

+		return fmt.Errorf("unknown output specified: %s", o.Output)

+	}

+	return nil

+}

+

+// ReconcileClusterRoleBindingsOptions contains all the necessary functionality for the OpenShift cli reconcile-cluster-role-bindings command

+func (o *ReconcileClusterRoleBindingsOptions) RunReconcileClusterRoleBindings(cmd *cobra.Command, f *clientcmd.Factory) error {

+	changedClusterRoleBindings, err := o.ChangedClusterRoleBindings()

+	if err != nil {

+		return err

+	}

+

+	if len(changedClusterRoleBindings) == 0 {

+		return nil

+	}

+

+	if (len(o.Output) != 0) && !o.Confirmed {

+		list := &kapi.List{}

+		for _, item := range changedClusterRoleBindings {

+			list.Items = append(list.Items, item)

+		}

+

+		if err := f.Factory.PrintObject(cmd, list, o.Out); err != nil {

+			return err

+		}

+	}

+

+	if o.Confirmed {

+		return o.ReplaceChangedRoleBindings(changedClusterRoleBindings)

+	}

+

+	return nil

+}

+

+// ChangedClusterRoleBindings returns the role bindings that must be created and/or updated to

+// match the recommended bootstrap policy

+func (o *ReconcileClusterRoleBindingsOptions) ChangedClusterRoleBindings() ([]*authorizationapi.ClusterRoleBinding, error) {

+	changedRoleBindings := []*authorizationapi.ClusterRoleBinding{}

+

+	bootstrapClusterRoleBindings := bootstrappolicy.GetBootstrapClusterRoleBindings()

+	for i := range bootstrapClusterRoleBindings {

+		expectedClusterRoleBinding := &bootstrapClusterRoleBindings[i]

+

+		actualClusterRoleBinding, err := o.RoleBindingClient.Get(expectedClusterRoleBinding.Name)

+		if kapierrors.IsNotFound(err) {

+			// Remove excluded subjects from the new role binding

+			expectedClusterRoleBinding.Subjects, _ = diff(expectedClusterRoleBinding.Subjects, o.ExcludeSubjects)

+			changedRoleBindings = append(changedRoleBindings, expectedClusterRoleBinding)

+			continue

+		}

+		if err != nil {

+			return nil, err

+		}

+

+		// Copy any existing labels/annotations, so the displayed update is correct

+		// This assumes bootstrap role bindings will not set any labels/annotations

+		// These aren't actually used during update; the latest labels/annotations are pulled from the existing object again

+		expectedClusterRoleBinding.Labels = actualClusterRoleBinding.Labels

+		expectedClusterRoleBinding.Annotations = actualClusterRoleBinding.Annotations

+

+		if updatedClusterRoleBinding, needsUpdating := computeUpdatedBinding(*expectedClusterRoleBinding, *actualClusterRoleBinding, o.ExcludeSubjects, o.Union); needsUpdating {

+			changedRoleBindings = append(changedRoleBindings, updatedClusterRoleBinding)

+		}

+	}

+

+	return changedRoleBindings, nil

+}

+

+// ReplaceChangedRoleBindings will reconcile all the changed system role bindings back to the recommended bootstrap policy

+func (o *ReconcileClusterRoleBindingsOptions) ReplaceChangedRoleBindings(changedRoleBindings []*authorizationapi.ClusterRoleBinding) error {

+	for i := range changedRoleBindings {

+		roleBinding, err := o.RoleBindingClient.Get(changedRoleBindings[i].Name)

+		if err != nil && !kapierrors.IsNotFound(err) {

+			return err

+		}

+

+		if kapierrors.IsNotFound(err) {

+			createdRoleBinding, err := o.RoleBindingClient.Create(changedRoleBindings[i])

+			if err != nil {

+				return err

+			}

+

+			fmt.Fprintf(o.Out, "clusterrolebinding/%s\n", createdRoleBinding.Name)

+			continue

+		}

+

+		// RoleRef is immutable, to reset this, we have to delete/recreate

+		if !kapi.Semantic.DeepEqual(roleBinding.RoleRef, changedRoleBindings[i].RoleRef) {

+			roleBinding.RoleRef = changedRoleBindings[i].RoleRef

+			roleBinding.Subjects = changedRoleBindings[i].Subjects

+

+			// TODO: for extra credit, determine whether the right to delete/create this rolebinding for the current user came from this rolebinding before deleting it

+			err := o.RoleBindingClient.Delete(roleBinding.Name)

+			if err != nil {

+				return err

+			}

+			createdRoleBinding, err := o.RoleBindingClient.Create(changedRoleBindings[i])

+			if err != nil {

+				return err

+			}

+			fmt.Fprintf(o.Out, "clusterrolebinding/%s\n", createdRoleBinding.Name)

+			continue

+		}

+

+		roleBinding.Subjects = changedRoleBindings[i].Subjects

+		updatedRoleBinding, err := o.RoleBindingClient.Update(roleBinding)

+		if err != nil {

+			return err

+		}

+

+		fmt.Fprintf(o.Out, "clusterrolebinding/%s\n", updatedRoleBinding.Name)

+	}

+

+	return nil

+}

+

+func computeUpdatedBinding(expected authorizationapi.ClusterRoleBinding, actual authorizationapi.ClusterRoleBinding, excludeSubjects []kapi.ObjectReference, union bool) (*authorizationapi.ClusterRoleBinding, bool) {

+	needsUpdating := false

+

+	// Always reset the roleref if it is different

+	if !kapi.Semantic.DeepEqual(expected.RoleRef, actual.RoleRef) {

+		needsUpdating = true

+	}

+

+	// compute the list of subjects we should not add roles for (existing subjects in the exclude list should be preserved)

+	doNotAddSubjects, _ := diff(excludeSubjects, actual.Subjects)

+	// remove any excluded subjects that do not exist from our expected subject list (so we don't add them)

+	expectedSubjects, _ := diff(expected.Subjects, doNotAddSubjects)

+

+	missingSubjects, extraSubjects := diff(expectedSubjects, actual.Subjects)

+	// Always add missing expected subjects

+	if len(missingSubjects) > 0 {

+		needsUpdating = true

+	}

+	// extra subjects only require a change if we're not unioning

+	if len(extraSubjects) > 0 && !union {

+		needsUpdating = true

+	}

+

+	if !needsUpdating {

+		return nil, false

+	}

+

+	updated := expected

+	updated.Subjects = expectedSubjects

+	if union {

+		updated.Subjects = append(updated.Subjects, extraSubjects...)

+	}

+	return &updated, true

+}

+

+func contains(list []kapi.ObjectReference, item kapi.ObjectReference) bool {

+	for _, listItem := range list {

+		if kapi.Semantic.DeepEqual(listItem, item) {

+			return true

+		}

+	}

+	return false

+}

+

+// diff returns lists containing the items unique to each provided list:

+//   list1Only = list1 - list2

+//   list2Only = list2 - list1

+// if both returned lists are empty, the provided lists are equal

+func diff(list1 []kapi.ObjectReference, list2 []kapi.ObjectReference) (list1Only []kapi.ObjectReference, list2Only []kapi.ObjectReference) {

+	for _, list1Item := range list1 {

+		if !contains(list2, list1Item) {

+			if !contains(list1Only, list1Item) {

+				list1Only = append(list1Only, list1Item)

+			}

+		}

+	}

+	for _, list2Item := range list2 {

+		if !contains(list1, list2Item) {

+			if !contains(list2Only, list2Item) {

+				list2Only = append(list2Only, list2Item)

+			}

+		}

+	}

+	return

+}

new file mode 100644

@@ -0,0 +1,191 @@

+package policy

+

+import (

+	"testing"

+

+	kapi "k8s.io/kubernetes/pkg/api"

+

+	authorizationapi "github.com/openshift/origin/pkg/authorization/api"

+)

+

+func binding(roleRef kapi.ObjectReference, subjects []kapi.ObjectReference) *authorizationapi.ClusterRoleBinding {

+	return &authorizationapi.ClusterRoleBinding{RoleRef: roleRef, Subjects: subjects}

+}

+

+func ref(name string) kapi.ObjectReference {

+	return kapi.ObjectReference{Name: name}

+}

+

+func refs(names ...string) []kapi.ObjectReference {

+	r := []kapi.ObjectReference{}

+	for _, name := range names {

+		r = append(r, ref(name))

+	}

+	return r

+}

+

+func TestDiff(t *testing.T) {

+	tests := map[string]struct {

+		A             []kapi.ObjectReference

+		B             []kapi.ObjectReference

+		ExpectedOnlyA []kapi.ObjectReference

+		ExpectedOnlyB []kapi.ObjectReference

+	}{

+		"empty": {},

+

+		"matching, order-independent": {

+			A: refs("foo", "bar"),

+			B: refs("bar", "foo"),

+		},

+

+		"partial match": {

+			A:             refs("foo", "bar"),

+			B:             refs("foo", "baz"),

+			ExpectedOnlyA: refs("bar"),

+			ExpectedOnlyB: refs("baz"),

+		},

+

+		"missing": {

+			A:             refs("foo"),

+			B:             refs("bar"),

+			ExpectedOnlyA: refs("foo"),

+			ExpectedOnlyB: refs("bar"),

+		},

+

+		"remove duplicates": {

+			A:             refs("foo", "foo"),

+			B:             refs("bar", "bar"),

+			ExpectedOnlyA: refs("foo"),

+			ExpectedOnlyB: refs("bar"),

+		},

+	}

+

+	for k, tc := range tests {

+		onlyA, onlyB := diff(tc.A, tc.B)

+		if !kapi.Semantic.DeepEqual(onlyA, tc.ExpectedOnlyA) {

+			t.Errorf("%s: Expected %#v, got %#v", k, tc.ExpectedOnlyA, onlyA)

+		}

+		if !kapi.Semantic.DeepEqual(onlyB, tc.ExpectedOnlyB) {

+			t.Errorf("%s: Expected %#v, got %#v", k, tc.ExpectedOnlyB, onlyB)

+		}

+	}

+}

+

+func TestComputeUpdate(t *testing.T) {

+	tests := map[string]struct {

+		ExpectedBinding *authorizationapi.ClusterRoleBinding

+		ActualBinding   *authorizationapi.ClusterRoleBinding

+		ExcludeSubjects []kapi.ObjectReference

+		Union           bool

+

+		ExpectedUpdatedBinding *authorizationapi.ClusterRoleBinding

+		ExpectedUpdateNeeded   bool

+	}{

+		"match without union": {

+			ExpectedBinding: binding(ref("role"), refs("a")),

+			ActualBinding:   binding(ref("role"), refs("a")),

+			Union:           false,

+

+			ExpectedUpdatedBinding: nil,

+			ExpectedUpdateNeeded:   false,

+		},

+		"match with union": {

+			ExpectedBinding: binding(ref("role"), refs("a")),

+			ActualBinding:   binding(ref("role"), refs("a")),

+			Union:           true,

+

+			ExpectedUpdatedBinding: nil,

+			ExpectedUpdateNeeded:   false,

+		},

+

+		"different roleref with identical subjects": {

+			ExpectedBinding: binding(ref("role"), refs("a")),

+			ActualBinding:   binding(ref("differentRole"), refs("a")),

+			Union:           true,

+

+			ExpectedUpdatedBinding: binding(ref("role"), refs("a")),

+			ExpectedUpdateNeeded:   true,

+		},

+

+		"extra subjects without union": {

+			ExpectedBinding: binding(ref("role"), refs("a")),

+			ActualBinding:   binding(ref("role"), refs("a", "b")),

+			Union:           false,

+

+			ExpectedUpdatedBinding: binding(ref("role"), refs("a")),

+			ExpectedUpdateNeeded:   true,

+		},

+		"extra subjects with union": {

+			ExpectedBinding: binding(ref("role"), refs("a")),

+			ActualBinding:   binding(ref("role"), refs("a", "b")),

+			Union:           true,

+

+			ExpectedUpdatedBinding: nil,

+			ExpectedUpdateNeeded:   false,

+		},

+

+		"missing subjects without union": {

+			ExpectedBinding: binding(ref("role"), refs("a", "c")),

+			ActualBinding:   binding(ref("role"), refs("a", "b")),

+			Union:           false,

+

+			ExpectedUpdatedBinding: binding(ref("role"), refs("a", "c")),

+			ExpectedUpdateNeeded:   true,

+		},

+		"missing subjects with union": {

+			ExpectedBinding: binding(ref("role"), refs("a", "c")),

+			ActualBinding:   binding(ref("role"), refs("a", "b")),

+			Union:           true,

+

+			ExpectedUpdatedBinding: binding(ref("role"), refs("a", "c", "b")),

+			ExpectedUpdateNeeded:   true,

+		},

+

+		"do not add should make update unnecessary": {

+			ExpectedBinding: binding(ref("role"), refs("a", "b")),

+			ActualBinding:   binding(ref("role"), refs("a")),

+			ExcludeSubjects: refs("b"),

+			Union:           false,

+

+			ExpectedUpdatedBinding: nil,

+			ExpectedUpdateNeeded:   false,

+		},

+		"do not add should not add": {

+			ExpectedBinding: binding(ref("role"), refs("a", "b", "c")),

+			ActualBinding:   binding(ref("role"), refs("a")),

+			ExcludeSubjects: refs("c"),

+			Union:           false,

+

+			ExpectedUpdatedBinding: binding(ref("role"), refs("a", "b")),

+			ExpectedUpdateNeeded:   true,

+		},

+		"do not add should not remove": {

+			ExpectedBinding: binding(ref("role"), refs("a", "b")),

+			ActualBinding:   binding(ref("role"), refs("a", "b", "c")),

+			ExcludeSubjects: refs("b"),

+			Union:           false,

+

+			ExpectedUpdatedBinding: binding(ref("role"), refs("a", "b")),

+			ExpectedUpdateNeeded:   true,

+		},

+		"do not add complex": {

+			ExpectedBinding: binding(ref("role"), refs("matching1", "matching2", "missing1", "missing2")),

+			ActualBinding:   binding(ref("role"), refs("matching1", "matching2", "extra1", "extra2")),

+			ExcludeSubjects: refs("matching1", "missing1", "extra1"),

+			Union:           false,

+

+			ExpectedUpdatedBinding: binding(ref("role"), refs("matching1", "matching2", "missing2")),

+			ExpectedUpdateNeeded:   true,

+		},

+	}

+

+	for k, tc := range tests {

+		updatedBinding, updateNeeded := computeUpdatedBinding(*tc.ExpectedBinding, *tc.ActualBinding, tc.ExcludeSubjects, tc.Union)

+		if updateNeeded != tc.ExpectedUpdateNeeded {

+			t.Errorf("%s: Expected\n\t%v\ngot\n\t%v", k, tc.ExpectedUpdateNeeded, updateNeeded)

+		}

+		if !kapi.Semantic.DeepEqual(updatedBinding, tc.ExpectedUpdatedBinding) {

+			t.Errorf("%s: Expected\n\t%v %v\ngot\n\t%v %v", k, tc.ExpectedUpdatedBinding.RoleRef, tc.ExpectedUpdatedBinding.Subjects, updatedBinding.RoleRef, updatedBinding.Subjects)

+		}

+	}

+}

@@ -157,6 +157,12 @@ func (o *ReconcileClusterRolesOptions) ChangedClusterRoles() ([]*authorizationap

 			return nil, err

 		}

+		// Copy any existing labels/annotations, so the displayed update is correct

+		// This assumes bootstrap roles will not set any labels/annotations

+		// These aren't actually used during update; the latest labels/annotations are pulled from the existing object again

+		expectedClusterRole.Labels = actualClusterRole.Labels

+		expectedClusterRole.Annotations = actualClusterRole.Annotations

+

 		if !kapi.Semantic.DeepEqual(expectedClusterRole.Rules, actualClusterRole.Rules) {

 			if o.Union {

 				_, missingRules := rulevalidation.Covers(expectedClusterRole.Rules, actualClusterRole.Rules)

@@ -13,7 +13,8 @@ os::log::install_errexit

   set +e

   oc delete project/example project/ui-test-project project/recreated-project

   oc delete sa/router -n default

-  oadm policy reconcile-cluster-roles

+  oadm policy reconcile-cluster-roles --confirm

+  oadm policy reconcile-cluster-role-bindings --confirm

 ) 2>/dev/null 1>&2

 defaultimage="openshift/origin-\${component}:latest"

@@ -75,6 +76,7 @@ oadm policy add-cluster-role-to-group cluster-admin system:unauthenticated

 oadm policy remove-cluster-role-from-group cluster-admin system:unauthenticated

 oadm policy add-cluster-role-to-user cluster-admin system:no-user

 oadm policy remove-cluster-role-from-user cluster-admin system:no-user

+

 oc delete clusterrole/cluster-status

 [ ! "$(oc get clusterrole/cluster-status)" ]

 oadm policy reconcile-cluster-roles

@@ -82,10 +84,40 @@ oadm policy reconcile-cluster-roles

 oadm policy reconcile-cluster-roles --confirm

 oc get clusterrole/cluster-status

 oc replace --force -f ./test/fixtures/basic-user.json

+# display shows customized labels/annotations

+[ "$(oadm policy reconcile-cluster-roles | grep custom-label)" ]

+[ "$(oadm policy reconcile-cluster-roles | grep custom-annotation)" ]

 oadm policy reconcile-cluster-roles --additive-only --confirm

+# reconcile preserves added rules, labels, and annotations

+[ "$(oc get clusterroles/basic-user -o json | grep custom-label)" ]

+[ "$(oc get clusterroles/basic-user -o json | grep custom-annotation)" ]

 [ "$(oc get clusterroles/basic-user -o json | grep groups)" ]

 oadm policy reconcile-cluster-roles --confirm

 [ ! "$(oc get clusterroles/basic-user -o json | grep groups)" ]

+

+# Ensure a removed binding gets re-added

+oc delete clusterrolebinding/cluster-status-binding

+[ ! "$(oc get clusterrolebinding/cluster-status-binding)" ]

+oadm policy reconcile-cluster-role-bindings

+[ ! "$(oc get clusterrolebinding/cluster-status-binding)" ]

+oadm policy reconcile-cluster-role-bindings --confirm

+oc get clusterrolebinding/cluster-status-binding

+# Customize a binding

+oc replace --force -f ./test/fixtures/basic-users-binding.json

+# display shows customized labels/annotations

+[ "$(oadm policy reconcile-cluster-role-bindings | grep custom-label)" ]

+[ "$(oadm policy reconcile-cluster-role-bindings | grep custom-annotation)" ]

+oadm policy reconcile-cluster-role-bindings --confirm

+# Ensure a customized binding's subjects, labels, annotations are retained by default

+[ "$(oc get clusterrolebindings/basic-users -o json | grep custom-label)" ]

+[ "$(oc get clusterrolebindings/basic-users -o json | grep custom-annotation)" ]

+[ "$(oc get clusterrolebindings/basic-users -o json | grep custom-user)" ]

+# Ensure a customized binding's roleref is corrected

+[ ! "$(oc get clusterrolebindings/basic-users -o json | grep cluster-status)" ]

+# Ensure --additive-only=false removes customized users from the binding

+oadm policy reconcile-cluster-role-bindings --additive-only=false --confirm

+[ ! "$(oc get clusterrolebindings/basic-users -o json | grep custom-user)" ]

+

 echo "admin-policy: ok"

 # Test the commands the UI projects page tells users to run

@@ -6,7 +6,13 @@

         "selfLink": "/osapi/v1beta3/clusterroles/basic-user",

         "uid": "86a5ce7c-3f44-11e5-a9a6-080027c5bfa9",

         "resourceVersion": "18",

-        "creationTimestamp": "2015-08-10T09:45:25Z"

+        "creationTimestamp": "2015-08-10T09:45:25Z",

+        "labels": {

+        	"custom-label":"value"

+        },

+        "annotations": {

+        	"custom-annotation":"value"

+        }

     },

     "rules": [

         {

new file mode 100644

@@ -0,0 +1,30 @@

+{

+    "kind": "ClusterRoleBinding",

+    "apiVersion": "v1",

+    "metadata": {

+        "name": "basic-users",

+        "selfLink": "/oapi/v1/clusterrolebindings/basic-users",

+        "uid": "8dcfc4cd-6917-11e5-8b72-3c970e4b7ffe",

+        "resourceVersion": "42",

+        "creationTimestamp": "2015-10-02T15:09:18Z",

+        "labels": {

+        	"custom-label":"value"

+        },

+        "annotations": {

+        	"custom-annotation":"value"

+        }

+    },

+    "subjects": [

+        {

+            "kind": "SystemGroup",

+            "name": "system:authenticated"

+        },

+        {

+            "kind": "User",

+            "name": "custom-user"

+        }

+    ],

+    "roleRef": {

+        "name": "cluster-status"

+    }

+}