Allow injection of policy in RBAC post start hook

This change allows the RBAC PostStartHook logic to be reused with
different policy data when bootstrapping the cluster.  Thus any
changes to the bootstrap logic are separated from the policy data.

Signed-off-by: Monis Khan <mkhan@redhat.com>

pkg/registry/rbac/rest/storage_rbac.go

@@ -134,10 +134,24 @@ func (p RESTStorageProvider) storage(version schema.GroupVersion, apiResourceCon
 }
 
 func (p RESTStorageProvider) PostStartHook() (string, genericapiserver.PostStartHookFunc, error) {
-	return PostStartHookName, PostStartHook, nil
+	policy := &PolicyData{
+		ClusterRoles:        append(bootstrappolicy.ClusterRoles(), bootstrappolicy.ControllerRoles()...),
+		ClusterRoleBindings: append(bootstrappolicy.ClusterRoleBindings(), bootstrappolicy.ControllerRoleBindings()...),
+		Roles:               bootstrappolicy.NamespaceRoles(),
+		RoleBindings:        bootstrappolicy.NamespaceRoleBindings(),
+	}
+	return PostStartHookName, policy.EnsureRBACPolicy(), nil
 }
 
-func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
+type PolicyData struct {
+	ClusterRoles        []rbac.ClusterRole
+	ClusterRoleBindings []rbac.ClusterRoleBinding
+	Roles               map[string][]rbac.Role
+	RoleBindings        map[string][]rbac.RoleBinding
+}
+
+func (p *PolicyData) EnsureRBACPolicy() genericapiserver.PostStartHookFunc {
+	return func(hookContext genericapiserver.PostStartHookContext) error {
 		// intializing roles is really important.  On some e2e runs, we've seen cases where etcd is down when the server
 		// starts, the roles don't initialize, and nothing works.
 		err := wait.Poll(1*time.Second, 30*time.Second, func() (done bool, err error) {
@@ -164,7 +178,7 @@ func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
 			}
 
 			// ensure bootstrap roles are created or reconciled
-		for _, clusterRole := range append(bootstrappolicy.ClusterRoles(), bootstrappolicy.ControllerRoles()...) {
+			for _, clusterRole := range p.ClusterRoles {
 				opts := reconciliation.ReconcileRoleOptions{
 					Role:    reconciliation.ClusterRoleRuleOwner{ClusterRole: &clusterRole},
 					Client:  reconciliation.ClusterRoleModifier{Client: clientset.ClusterRoles()},
@@ -192,7 +206,7 @@ func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
 			}
 
 			// ensure bootstrap rolebindings are created or reconciled
-		for _, clusterRoleBinding := range append(bootstrappolicy.ClusterRoleBindings(), bootstrappolicy.ControllerRoleBindings()...) {
+			for _, clusterRoleBinding := range p.ClusterRoleBindings {
 				opts := reconciliation.ReconcileRoleBindingOptions{
 					RoleBinding: reconciliation.ClusterRoleBindingAdapter{ClusterRoleBinding: &clusterRoleBinding},
 					Client:      reconciliation.ClusterRoleBindingClientAdapter{Client: clientset.ClusterRoleBindings()},
@@ -222,7 +236,7 @@ func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
 			}
 
 			// ensure bootstrap namespaced roles are created or reconciled
-		for namespace, roles := range bootstrappolicy.NamespaceRoles() {
+			for namespace, roles := range p.Roles {
 				for _, role := range roles {
 					opts := reconciliation.ReconcileRoleOptions{
 						Role:    reconciliation.RoleRuleOwner{Role: &role},
@@ -252,7 +266,7 @@ func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
 			}
 
 			// ensure bootstrap namespaced rolebindings are created or reconciled
-		for namespace, roleBindings := range bootstrappolicy.NamespaceRoleBindings() {
+			for namespace, roleBindings := range p.RoleBindings {
 				for _, roleBinding := range roleBindings {
 					opts := reconciliation.ReconcileRoleBindingOptions{
 						RoleBinding: reconciliation.RoleBindingAdapter{RoleBinding: &roleBinding},
@@ -291,6 +305,7 @@ func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
 		}
 
 		return nil
+	}
 }
 
 func (p RESTStorageProvider) GroupName() string {