@@ -170,7 +170,7 @@ func (o *ReconcileClusterRoleBindingsOptions) ChangedClusterRoleBindings() ([]*a

 		actualClusterRoleBinding, err := o.RoleBindingClient.Get(expectedClusterRoleBinding.Name)

 		if kapierrors.IsNotFound(err) {

 			// Remove excluded subjects from the new role binding

-			expectedClusterRoleBinding.Subjects, _ = diff(expectedClusterRoleBinding.Subjects, o.ExcludeSubjects)

+			expectedClusterRoleBinding.Subjects, _ = Diff(expectedClusterRoleBinding.Subjects, o.ExcludeSubjects)

 			changedRoleBindings = append(changedRoleBindings, expectedClusterRoleBinding)

 			continue

 		}

@@ -249,11 +249,11 @@ func computeUpdatedBinding(expected authorizationapi.ClusterRoleBinding, actual

 	}

 	// compute the list of subjects we should not add roles for (existing subjects in the exclude list should be preserved)

-	doNotAddSubjects, _ := diff(excludeSubjects, actual.Subjects)

+	doNotAddSubjects, _ := Diff(excludeSubjects, actual.Subjects)

 	// remove any excluded subjects that do not exist from our expected subject list (so we don't add them)

-	expectedSubjects, _ := diff(expected.Subjects, doNotAddSubjects)

+	expectedSubjects, _ := Diff(expected.Subjects, doNotAddSubjects)

-	missingSubjects, extraSubjects := diff(expectedSubjects, actual.Subjects)

+	missingSubjects, extraSubjects := Diff(expectedSubjects, actual.Subjects)

 	// Always add missing expected subjects

 	if len(missingSubjects) > 0 {

 		needsUpdating = true

@@ -284,11 +284,11 @@ func contains(list []kapi.ObjectReference, item kapi.ObjectReference) bool {

 	return false

 }

-// diff returns lists containing the items unique to each provided list:

+// Diff returns lists containing the items unique to each provided list:

 //   list1Only = list1 - list2

 //   list2Only = list2 - list1

 // if both returned lists are empty, the provided lists are equal

-func diff(list1 []kapi.ObjectReference, list2 []kapi.ObjectReference) (list1Only []kapi.ObjectReference, list2Only []kapi.ObjectReference) {

+func Diff(list1 []kapi.ObjectReference, list2 []kapi.ObjectReference) (list1Only []kapi.ObjectReference, list2Only []kapi.ObjectReference) {

 	for _, list1Item := range list1 {

 		if !contains(list2, list1Item) {

 			if !contains(list1Only, list1Item) {

@@ -20,7 +20,7 @@ import (

 var (

 	// availableClusterDiagnostics contains the names of cluster diagnostics that can be executed

 	// during a single run of diagnostics. Add more diagnostics to the list as they are defined.

-	availableClusterDiagnostics = sets.NewString(clustdiags.NodeDefinitionsName, clustdiags.ClusterRegistryName, clustdiags.ClusterRouterName, clustdiags.ClusterRolesName)

+	availableClusterDiagnostics = sets.NewString(clustdiags.NodeDefinitionsName, clustdiags.ClusterRegistryName, clustdiags.ClusterRouterName, clustdiags.ClusterRolesName, clustdiags.ClusterRoleBindingsName)

 )

 // buildClusterDiagnostics builds cluster Diagnostic objects if a cluster-admin client can be extracted from the rawConfig passed in.

@@ -53,6 +53,8 @@ func (o DiagnosticsOptions) buildClusterDiagnostics(rawConfig *clientcmdapi.Conf

 			diagnostics = append(diagnostics, &clustdiags.ClusterRouter{KubeClient: kclusterClient, OsClient: clusterClient})

 		case clustdiags.ClusterRolesName:

 			diagnostics = append(diagnostics, &clustdiags.ClusterRoles{ClusterRolesClient: clusterClient, SARClient: clusterClient})

+		case clustdiags.ClusterRoleBindingsName:

+			diagnostics = append(diagnostics, &clustdiags.ClusterRoleBindings{ClusterRoleBindingsClient: clusterClient, SARClient: clusterClient})

 		default:

 			return nil, false, fmt.Errorf("unknown diagnostic: %v", diagnosticName)

new file mode 100644

@@ -0,0 +1,99 @@

+package cluster

+

+import (

+	"fmt"

+	"io/ioutil"

+

+	kerrs "k8s.io/kubernetes/pkg/api/errors"

+

+	authorizationapi "github.com/openshift/origin/pkg/authorization/api"

+	osclient "github.com/openshift/origin/pkg/client"

+	policycmd "github.com/openshift/origin/pkg/cmd/admin/policy"

+	"github.com/openshift/origin/pkg/diagnostics/types"

+)

+

+// ClusterRoleBindings is a Diagnostic to check that the default cluster role bindings match expectations

+type ClusterRoleBindings struct {

+	ClusterRoleBindingsClient osclient.ClusterRoleBindingsInterface

+	SARClient                 osclient.SubjectAccessReviews

+}

+

+const (

+	ClusterRoleBindingsName = "ClusterRoleBindings"

+)

+

+func (d *ClusterRoleBindings) Name() string {

+	return ClusterRoleBindingsName

+}

+

+func (d *ClusterRoleBindings) Description() string {

+	return "Check that the ClusterRoleBindings are up-to-date"

+}

+

+func (d *ClusterRoleBindings) CanRun() (bool, error) {

+	if d.ClusterRoleBindingsClient == nil {

+		return false, fmt.Errorf("must have client.ClusterRoleBindingsInterface")

+	}

+	if d.SARClient == nil {

+		return false, fmt.Errorf("must have client.SubjectAccessReviews")

+	}

+

+	return userCan(d.SARClient, authorizationapi.AuthorizationAttributes{

+		Verb:     "list",

+		Resource: "clusterrolebindings",

+	})

+}

+

+func (d *ClusterRoleBindings) Check() types.DiagnosticResult {

+	r := types.NewDiagnosticResult(ClusterRoleBindingsName)

+

+	reconcileOptions := &policycmd.ReconcileClusterRoleBindingsOptions{

+		Confirmed:         false,

+		Union:             false,

+		Out:               ioutil.Discard,

+		RoleBindingClient: d.ClusterRoleBindingsClient.ClusterRoleBindings(),

+	}

+

+	changedClusterRoleBindings, err := reconcileOptions.ChangedClusterRoleBindings()

+	if err != nil {

+		r.Error("CRBD1000", err, fmt.Sprintf("Error inspecting ClusterRoleBindings: %v", err))

+	}

+

+	// success

+	if len(changedClusterRoleBindings) == 0 {

+		return r

+	}

+

+	for _, changedClusterRoleBinding := range changedClusterRoleBindings {

+		actualClusterRole, err := d.ClusterRoleBindingsClient.ClusterRoleBindings().Get(changedClusterRoleBinding.Name)

+		if kerrs.IsNotFound(err) {

+			r.Error("CRBD1001", nil, fmt.Sprintf("clusterrolebinding/%s is missing.\n\nUse the `oadm policy reconcile-cluster-role-bindings` command to create the role binding.", changedClusterRoleBinding.Name))

+			continue

+		}

+		if err != nil {

+			r.Error("CRBD1002", err, fmt.Sprintf("Unable to get clusterrolebinding/%s: %v", changedClusterRoleBinding.Name, err))

+		}

+

+		missingSubjects, extraSubjects := policycmd.Diff(changedClusterRoleBinding.Subjects, actualClusterRole.Subjects)

+		switch {

+		case len(missingSubjects) > 0:

+			// Only a warning, because they can remove things like self-provisioner role from system:unauthenticated, and it's not an error

+			r.Warn("CRBD1003", nil, fmt.Sprintf("clusterrolebinding/%s is missing expected subjects.\n\nUse the `oadm policy reconcile-cluster-role bindings` command to update the role binding to include expected subjects.", changedClusterRoleBinding.Name))

+		case len(extraSubjects) > 0:

+			// Only info, because it is normal to use policy to grant cluster roles to users

+			r.Info("CRBD1004", fmt.Sprintf("clusterrolebinding/%s has more subjects than expected.\n\nUse the `oadm policy reconcile-cluster-role bindings` command to update the role binding to remove extra subjects.", changedClusterRoleBinding.Name))

+		}

+

+		for _, missingSubject := range missingSubjects {

+			r.Info("CRBD1005", fmt.Sprintf("clusterrolebinding/%s is missing subject %v.", changedClusterRoleBinding.Name, missingSubject))

+		}

+

+		for _, extraSubject := range extraSubjects {

+			r.Info("CRBD1006", fmt.Sprintf("clusterrolebinding/%s has extra subject %v.", changedClusterRoleBinding.Name, extraSubject))

+		}

+

+		r.Debug("CRBD1007", fmt.Sprintf("clusterrolebinding/%s is now %v.", changedClusterRoleBinding.Name, changedClusterRoleBinding))

+	}

+

+	return r

+}