vendor/k8s.io/kubernetes/pkg/kubectl/cmd/create/create_role.go - cloudstack-kubernetes-provider - Git at Google

 /*
 Copyright 2017 The Kubernetes Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */

 package create

 import (
 	"fmt"
 	"strings"

 	"github.com/spf13/cobra"

 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 	clientgorbacv1 "k8s.io/client-go/kubernetes/typed/rbac/v1"
 	cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
 	"k8s.io/kubernetes/pkg/kubectl/scheme"
 	"k8s.io/kubernetes/pkg/kubectl/util/i18n"
 	"k8s.io/kubernetes/pkg/kubectl/util/templates"
 )

 var (
 	roleLong = templates.LongDesc(i18n.T(`
 		Create a role with single rule.`))

 	roleExample = templates.Examples(i18n.T(`
 		# Create a Role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
 		kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods

 		# Create a Role named "pod-reader" with ResourceName specified
 		kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod

 		# Create a Role named "foo" with API Group specified
 		kubectl create role foo --verb=get,list,watch --resource=rs.extensions

 		# Create a Role named "foo" with SubResource specified
 		kubectl create role foo --verb=get,list,watch --resource=pods,pods/status`))

 	// Valid resource verb list for validation.
 	validResourceVerbs = []string{"*", "get", "delete", "list", "create", "update", "patch", "watch", "proxy", "deletecollection", "use", "bind", "escalate", "impersonate"}

 	// Specialized verbs and GroupResources
 	specialVerbs = map[string][]schema.GroupResource{
 		"use": {
 			{
 				Group:    "extensions",
 				Resource: "podsecuritypolicies",
 			},
 		},
 		"bind": {
 			{
 				Group:    "rbac.authorization.k8s.io",
 				Resource: "roles",
 			},
 			{
 				Group:    "rbac.authorization.k8s.io",
 				Resource: "clusterroles",
 			},
 		},
 		"escalate": {
 			{
 				Group:    "rbac.authorization.k8s.io",
 				Resource: "roles",
 			},
 			{
 				Group:    "rbac.authorization.k8s.io",
 				Resource: "clusterroles",
 			},
 		},
 		"impersonate": {
 			{
 				Group:    "",
 				Resource: "users",
 			},
 			{
 				Group:    "",
 				Resource: "serviceaccounts",
 			},
 			{
 				Group:    "",
 				Resource: "groups",
 			},
 			{
 				Group:    "authentication.k8s.io",
 				Resource: "userextras",
 			},
 		},
 	}
 )

 type ResourceOptions struct {
 	Group       string
 	Resource    string
 	SubResource string
 }

 type CreateRoleOptions struct {
 	PrintFlags *genericclioptions.PrintFlags

 	Name          string
 	Verbs         []string
 	Resources     []ResourceOptions
 	ResourceNames []string

 	DryRun       bool
 	OutputFormat string
 	Namespace    string
 	Client       clientgorbacv1.RbacV1Interface
 	Mapper       meta.RESTMapper
 	PrintObj     func(obj runtime.Object) error

 	genericclioptions.IOStreams
 }

 func NewCreateRoleOptions(ioStreams genericclioptions.IOStreams) *CreateRoleOptions {
 	return &CreateRoleOptions{
 		PrintFlags: genericclioptions.NewPrintFlags("created").WithTypeSetter(scheme.Scheme),

 		IOStreams: ioStreams,
 	}
 }

 // Role is a command to ease creating Roles.
 func NewCmdCreateRole(f cmdutil.Factory, ioStreams genericclioptions.IOStreams) *cobra.Command {
 	o := NewCreateRoleOptions(ioStreams)

 	cmd := &cobra.Command{
 		Use:                   "role NAME --verb=verb --resource=resource.group/subresource [--resource-name=resourcename] [--dry-run]",
 		DisableFlagsInUseLine: true,
 		Short:                 roleLong,
 		Long:                  roleLong,
 		Example:               roleExample,
 		Run: func(cmd *cobra.Command, args []string) {
 			cmdutil.CheckErr(o.Complete(f, cmd, args))
 			cmdutil.CheckErr(o.Validate())
 			cmdutil.CheckErr(o.RunCreateRole())
 		},
 	}

 	o.PrintFlags.AddFlags(cmd)

 	cmdutil.AddApplyAnnotationFlags(cmd)
 	cmdutil.AddValidateFlags(cmd)
 	cmdutil.AddDryRunFlag(cmd)
 	cmd.Flags().StringSliceVar(&o.Verbs, "verb", o.Verbs, "Verb that applies to the resources contained in the rule")
 	cmd.Flags().StringSlice("resource", []string{}, "Resource that the rule applies to")
 	cmd.Flags().StringArrayVar(&o.ResourceNames, "resource-name", o.ResourceNames, "Resource in the white list that the rule applies to, repeat this flag for multiple items")

 	return cmd
 }

 func (o *CreateRoleOptions) Complete(f cmdutil.Factory, cmd *cobra.Command, args []string) error {
 	name, err := NameFromCommandArgs(cmd, args)
 	if err != nil {
 		return err
 	}
 	o.Name = name

 	// Remove duplicate verbs.
 	verbs := []string{}
 	for _, v := range o.Verbs {
 		// VerbAll respresents all kinds of verbs.
 		if v == "*" {
 			verbs = []string{"*"}
 			break
 		}
 		if !arrayContains(verbs, v) {
 			verbs = append(verbs, v)
 		}
 	}
 	o.Verbs = verbs

 	// Support resource.group pattern. If no API Group specified, use "" as core API Group.
 	// e.g. --resource=pods,deployments.extensions
 	resources := cmdutil.GetFlagStringSlice(cmd, "resource")
 	for _, r := range resources {
 		sections := strings.SplitN(r, "/", 2)

 		resource := &ResourceOptions{}
 		if len(sections) == 2 {
 			resource.SubResource = sections[1]
 		}

 		parts := strings.SplitN(sections[0], ".", 2)
 		if len(parts) == 2 {
 			resource.Group = parts[1]
 		}
 		resource.Resource = parts[0]

 		if resource.Resource == "*" && len(parts) == 1 && len(sections) == 1 {
 			o.Resources = []ResourceOptions{*resource}
 			break
 		}

 		o.Resources = append(o.Resources, *resource)
 	}

 	// Remove duplicate resource names.
 	resourceNames := []string{}
 	for _, n := range o.ResourceNames {
 		if !arrayContains(resourceNames, n) {
 			resourceNames = append(resourceNames, n)
 		}
 	}
 	o.ResourceNames = resourceNames

 	// Complete other options for Run.
 	o.Mapper, err = f.ToRESTMapper()
 	if err != nil {
 		return err
 	}

 	o.DryRun = cmdutil.GetDryRunFlag(cmd)
 	o.OutputFormat = cmdutil.GetFlagString(cmd, "output")

 	if o.DryRun {
 		o.PrintFlags.Complete("%s (dry run)")
 	}
 	printer, err := o.PrintFlags.ToPrinter()
 	if err != nil {
 		return err
 	}
 	o.PrintObj = func(obj runtime.Object) error {
 		return printer.PrintObj(obj, o.Out)
 	}

 	o.Namespace, _, err = f.ToRawKubeConfigLoader().Namespace()
 	if err != nil {
 		return err
 	}

 	clientset, err := f.KubernetesClientSet()
 	if err != nil {
 		return err
 	}
 	o.Client = clientset.RbacV1()

 	return nil
 }

 func (o *CreateRoleOptions) Validate() error {
 	if o.Name == "" {
 		return fmt.Errorf("name must be specified")
 	}

 	// validate verbs.
 	if len(o.Verbs) == 0 {
 		return fmt.Errorf("at least one verb must be specified")
 	}

 	for _, v := range o.Verbs {
 		if !arrayContains(validResourceVerbs, v) {
 			return fmt.Errorf("invalid verb: '%s'", v)
 		}
 	}

 	// validate resources.
 	if len(o.Resources) == 0 {
 		return fmt.Errorf("at least one resource must be specified")
 	}

 	return o.validateResource()
 }

 func (o *CreateRoleOptions) validateResource() error {
 	for _, r := range o.Resources {
 		if len(r.Resource) == 0 {
 			return fmt.Errorf("resource must be specified if apiGroup/subresource specified")
 		}
 		if r.Resource == "*" {
 			return nil
 		}

 		resource := schema.GroupVersionResource{Resource: r.Resource, Group: r.Group}
 		groupVersionResource, err := o.Mapper.ResourceFor(schema.GroupVersionResource{Resource: r.Resource, Group: r.Group})
 		if err == nil {
 			resource = groupVersionResource
 		}

 		for _, v := range o.Verbs {
 			if groupResources, ok := specialVerbs[v]; ok {
 				match := false
 				for _, extra := range groupResources {
 					if resource.Resource == extra.Resource && resource.Group == extra.Group {
 						match = true
 						err = nil
 						break
 					}
 				}
 				if !match {
 					return fmt.Errorf("can not perform '%s' on '%s' in group '%s'", v, resource.Resource, resource.Group)
 				}
 			}
 		}

 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }

 func (o *CreateRoleOptions) RunCreateRole() error {
 	role := &rbacv1.Role{
 		// this is ok because we know exactly how we want to be serialized
 		TypeMeta: metav1.TypeMeta{APIVersion: rbacv1.SchemeGroupVersion.String(), Kind: "Role"},
 	}
 	role.Name = o.Name
 	rules, err := generateResourcePolicyRules(o.Mapper, o.Verbs, o.Resources, o.ResourceNames, []string{})
 	if err != nil {
 		return err
 	}
 	role.Rules = rules

 	// Create role.
 	if !o.DryRun {
 		role, err = o.Client.Roles(o.Namespace).Create(role)
 		if err != nil {
 			return err
 		}
 	}

 	return o.PrintObj(role)
 }

 func arrayContains(s []string, e string) bool {
 	for _, a := range s {
 		if a == e {
 			return true
 		}
 	}
 	return false
 }

 func generateResourcePolicyRules(mapper meta.RESTMapper, verbs []string, resources []ResourceOptions, resourceNames []string, nonResourceURLs []string) ([]rbacv1.PolicyRule, error) {
 	// groupResourceMapping is a apigroup-resource map. The key of this map is api group, while the value
 	// is a string array of resources under this api group.
 	// E.g.  groupResourceMapping = {"extensions": ["replicasets", "deployments"], "batch":["jobs"]}
 	groupResourceMapping := map[string][]string{}

 	// This loop does the following work:
 	// 1. Constructs groupResourceMapping based on input resources.
 	// 2. Prevents pointing to non-existent resources.
 	// 3. Transfers resource short name to long name. E.g. rs.extensions is transferred to replicasets.extensions
 	for _, r := range resources {
 		resource := schema.GroupVersionResource{Resource: r.Resource, Group: r.Group}
 		groupVersionResource, err := mapper.ResourceFor(schema.GroupVersionResource{Resource: r.Resource, Group: r.Group})
 		if err == nil {
 			resource = groupVersionResource
 		}

 		if len(r.SubResource) > 0 {
 			resource.Resource = resource.Resource + "/" + r.SubResource
 		}
 		if !arrayContains(groupResourceMapping[resource.Group], resource.Resource) {
 			groupResourceMapping[resource.Group] = append(groupResourceMapping[resource.Group], resource.Resource)
 		}
 	}

 	// Create separate rule for each of the api group.
 	rules := []rbacv1.PolicyRule{}
 	for _, g := range sets.StringKeySet(groupResourceMapping).List() {
 		rule := rbacv1.PolicyRule{}
 		rule.Verbs = verbs
 		rule.Resources = groupResourceMapping[g]
 		rule.APIGroups = []string{g}
 		rule.ResourceNames = resourceNames
 		rules = append(rules, rule)
 	}

 	if len(nonResourceURLs) > 0 {
 		rule := rbacv1.PolicyRule{}
 		rule.Verbs = verbs
 		rule.NonResourceURLs = nonResourceURLs
 		rules = append(rules, rule)
 	}

 	return rules, nil
 }
	/*
	Copyright 2017 The Kubernetes Authors.

	Licensed under the Apache License, Version 2.0 (the "License");
	you may not use this file except in compliance with the License.
	You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	*/

	package create

	import (
	"fmt"
	"strings"

	"github.com/spf13/cobra"

	rbacv1 "k8s.io/api/rbac/v1"
	"k8s.io/apimachinery/pkg/api/meta"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/apimachinery/pkg/runtime/schema"
	"k8s.io/apimachinery/pkg/util/sets"
	"k8s.io/cli-runtime/pkg/genericclioptions"
	clientgorbacv1 "k8s.io/client-go/kubernetes/typed/rbac/v1"
	cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
	"k8s.io/kubernetes/pkg/kubectl/scheme"
	"k8s.io/kubernetes/pkg/kubectl/util/i18n"
	"k8s.io/kubernetes/pkg/kubectl/util/templates"
	)

	var (
	roleLong = templates.LongDesc(i18n.T(`
	Create a role with single rule.`))

	roleExample = templates.Examples(i18n.T(`
	# Create a Role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
	kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods

	# Create a Role named "pod-reader" with ResourceName specified
	kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod

	# Create a Role named "foo" with API Group specified
	kubectl create role foo --verb=get,list,watch --resource=rs.extensions

	# Create a Role named "foo" with SubResource specified
	kubectl create role foo --verb=get,list,watch --resource=pods,pods/status`))

	// Valid resource verb list for validation.
	validResourceVerbs = []string{"*", "get", "delete", "list", "create", "update", "patch", "watch", "proxy", "deletecollection", "use", "bind", "escalate", "impersonate"}

	// Specialized verbs and GroupResources
	specialVerbs = map[string][]schema.GroupResource{
	"use": {
	{
	Group: "extensions",
	Resource: "podsecuritypolicies",
	},
	},
	"bind": {
	{
	Group: "rbac.authorization.k8s.io",
	Resource: "roles",
	},
	{
	Group: "rbac.authorization.k8s.io",
	Resource: "clusterroles",
	},
	},
	"escalate": {
	{
	Group: "rbac.authorization.k8s.io",
	Resource: "roles",
	},
	{
	Group: "rbac.authorization.k8s.io",
	Resource: "clusterroles",
	},
	},
	"impersonate": {
	{
	Group: "",
	Resource: "users",
	},
	{
	Group: "",
	Resource: "serviceaccounts",
	},
	{
	Group: "",
	Resource: "groups",
	},
	{
	Group: "authentication.k8s.io",
	Resource: "userextras",
	},
	},
	}
	)

	type ResourceOptions struct {
	Group string
	Resource string
	SubResource string
	}

	type CreateRoleOptions struct {
	PrintFlags *genericclioptions.PrintFlags

	Name string
	Verbs []string
	Resources []ResourceOptions
	ResourceNames []string

	DryRun bool
	OutputFormat string
	Namespace string
	Client clientgorbacv1.RbacV1Interface
	Mapper meta.RESTMapper
	PrintObj func(obj runtime.Object) error

	genericclioptions.IOStreams
	}

	func NewCreateRoleOptions(ioStreams genericclioptions.IOStreams) *CreateRoleOptions {
	return &CreateRoleOptions{
	PrintFlags: genericclioptions.NewPrintFlags("created").WithTypeSetter(scheme.Scheme),

	IOStreams: ioStreams,
	}
	}

	// Role is a command to ease creating Roles.
	func NewCmdCreateRole(f cmdutil.Factory, ioStreams genericclioptions.IOStreams) *cobra.Command {
	o := NewCreateRoleOptions(ioStreams)

	cmd := &cobra.Command{
	Use: "role NAME --verb=verb --resource=resource.group/subresource [--resource-name=resourcename] [--dry-run]",
	DisableFlagsInUseLine: true,
	Short: roleLong,
	Long: roleLong,
	Example: roleExample,
	Run: func(cmd *cobra.Command, args []string) {
	cmdutil.CheckErr(o.Complete(f, cmd, args))
	cmdutil.CheckErr(o.Validate())
	cmdutil.CheckErr(o.RunCreateRole())
	},
	}

	o.PrintFlags.AddFlags(cmd)

	cmdutil.AddApplyAnnotationFlags(cmd)
	cmdutil.AddValidateFlags(cmd)
	cmdutil.AddDryRunFlag(cmd)
	cmd.Flags().StringSliceVar(&o.Verbs, "verb", o.Verbs, "Verb that applies to the resources contained in the rule")
	cmd.Flags().StringSlice("resource", []string{}, "Resource that the rule applies to")
	cmd.Flags().StringArrayVar(&o.ResourceNames, "resource-name", o.ResourceNames, "Resource in the white list that the rule applies to, repeat this flag for multiple items")

	return cmd
	}

	func (o CreateRoleOptions) Complete(f cmdutil.Factory, cmd cobra.Command, args []string) error {
	name, err := NameFromCommandArgs(cmd, args)
	if err != nil {
	return err
	}
	o.Name = name

	// Remove duplicate verbs.
	verbs := []string{}
	for _, v := range o.Verbs {
	// VerbAll respresents all kinds of verbs.
	if v == "*" {
	verbs = []string{"*"}
	break
	}
	if !arrayContains(verbs, v) {
	verbs = append(verbs, v)
	}
	}
	o.Verbs = verbs

	// Support resource.group pattern. If no API Group specified, use "" as core API Group.
	// e.g. --resource=pods,deployments.extensions
	resources := cmdutil.GetFlagStringSlice(cmd, "resource")
	for _, r := range resources {
	sections := strings.SplitN(r, "/", 2)

	resource := &ResourceOptions{}
	if len(sections) == 2 {
	resource.SubResource = sections[1]
	}

	parts := strings.SplitN(sections[0], ".", 2)
	if len(parts) == 2 {
	resource.Group = parts[1]
	}
	resource.Resource = parts[0]

	if resource.Resource == "*" && len(parts) == 1 && len(sections) == 1 {
	o.Resources = []ResourceOptions{*resource}
	break
	}

	o.Resources = append(o.Resources, *resource)
	}

	// Remove duplicate resource names.
	resourceNames := []string{}
	for _, n := range o.ResourceNames {
	if !arrayContains(resourceNames, n) {
	resourceNames = append(resourceNames, n)
	}
	}
	o.ResourceNames = resourceNames

	// Complete other options for Run.
	o.Mapper, err = f.ToRESTMapper()
	if err != nil {
	return err
	}

	o.DryRun = cmdutil.GetDryRunFlag(cmd)
	o.OutputFormat = cmdutil.GetFlagString(cmd, "output")

	if o.DryRun {
	o.PrintFlags.Complete("%s (dry run)")
	}
	printer, err := o.PrintFlags.ToPrinter()
	if err != nil {
	return err
	}
	o.PrintObj = func(obj runtime.Object) error {
	return printer.PrintObj(obj, o.Out)
	}

	o.Namespace, _, err = f.ToRawKubeConfigLoader().Namespace()
	if err != nil {
	return err
	}

	clientset, err := f.KubernetesClientSet()
	if err != nil {
	return err
	}
	o.Client = clientset.RbacV1()

	return nil
	}

	func (o *CreateRoleOptions) Validate() error {
	if o.Name == "" {
	return fmt.Errorf("name must be specified")
	}

	// validate verbs.
	if len(o.Verbs) == 0 {
	return fmt.Errorf("at least one verb must be specified")
	}

	for _, v := range o.Verbs {
	if !arrayContains(validResourceVerbs, v) {
	return fmt.Errorf("invalid verb: '%s'", v)
	}
	}

	// validate resources.
	if len(o.Resources) == 0 {
	return fmt.Errorf("at least one resource must be specified")
	}

	return o.validateResource()
	}

	func (o *CreateRoleOptions) validateResource() error {
	for _, r := range o.Resources {
	if len(r.Resource) == 0 {
	return fmt.Errorf("resource must be specified if apiGroup/subresource specified")
	}
	if r.Resource == "*" {
	return nil
	}

	resource := schema.GroupVersionResource{Resource: r.Resource, Group: r.Group}
	groupVersionResource, err := o.Mapper.ResourceFor(schema.GroupVersionResource{Resource: r.Resource, Group: r.Group})
	if err == nil {
	resource = groupVersionResource
	}

	for _, v := range o.Verbs {
	if groupResources, ok := specialVerbs[v]; ok {
	match := false
	for _, extra := range groupResources {
	if resource.Resource == extra.Resource && resource.Group == extra.Group {
	match = true
	err = nil
	break
	}
	}
	if !match {
	return fmt.Errorf("can not perform '%s' on '%s' in group '%s'", v, resource.Resource, resource.Group)
	}
	}
	}

	if err != nil {
	return err
	}
	}
	return nil
	}

	func (o *CreateRoleOptions) RunCreateRole() error {
	role := &rbacv1.Role{
	// this is ok because we know exactly how we want to be serialized
	TypeMeta: metav1.TypeMeta{APIVersion: rbacv1.SchemeGroupVersion.String(), Kind: "Role"},
	}
	role.Name = o.Name
	rules, err := generateResourcePolicyRules(o.Mapper, o.Verbs, o.Resources, o.ResourceNames, []string{})
	if err != nil {
	return err
	}
	role.Rules = rules

	// Create role.
	if !o.DryRun {
	role, err = o.Client.Roles(o.Namespace).Create(role)
	if err != nil {
	return err
	}
	}

	return o.PrintObj(role)
	}

	func arrayContains(s []string, e string) bool {
	for _, a := range s {
	if a == e {
	return true
	}
	}
	return false
	}

	func generateResourcePolicyRules(mapper meta.RESTMapper, verbs []string, resources []ResourceOptions, resourceNames []string, nonResourceURLs []string) ([]rbacv1.PolicyRule, error) {
	// groupResourceMapping is a apigroup-resource map. The key of this map is api group, while the value
	// is a string array of resources under this api group.
	// E.g. groupResourceMapping = {"extensions": ["replicasets", "deployments"], "batch":["jobs"]}
	groupResourceMapping := map[string][]string{}

	// This loop does the following work:
	// 1. Constructs groupResourceMapping based on input resources.
	// 2. Prevents pointing to non-existent resources.
	// 3. Transfers resource short name to long name. E.g. rs.extensions is transferred to replicasets.extensions
	for _, r := range resources {
	resource := schema.GroupVersionResource{Resource: r.Resource, Group: r.Group}
	groupVersionResource, err := mapper.ResourceFor(schema.GroupVersionResource{Resource: r.Resource, Group: r.Group})
	if err == nil {
	resource = groupVersionResource
	}

	if len(r.SubResource) > 0 {
	resource.Resource = resource.Resource + "/" + r.SubResource
	}
	if !arrayContains(groupResourceMapping[resource.Group], resource.Resource) {
	groupResourceMapping[resource.Group] = append(groupResourceMapping[resource.Group], resource.Resource)
	}
	}

	// Create separate rule for each of the api group.
	rules := []rbacv1.PolicyRule{}
	for _, g := range sets.StringKeySet(groupResourceMapping).List() {
	rule := rbacv1.PolicyRule{}
	rule.Verbs = verbs
	rule.Resources = groupResourceMapping[g]
	rule.APIGroups = []string{g}
	rule.ResourceNames = resourceNames
	rules = append(rules, rule)
	}

	if len(nonResourceURLs) > 0 {
	rule := rbacv1.PolicyRule{}
	rule.Verbs = verbs
	rule.NonResourceURLs = nonResourceURLs
	rules = append(rules, rule)
	}

	return rules, nil
	}