Merge pull request #95761 from ingvagabund/move-rbac-under-component-helpers

Move pkg/registry/rbac code imported by kubectl under component helpers

hack/.golint_failures

@@ -150,7 +150,6 @@ pkg/registry/policy/rest
 pkg/registry/rbac/clusterrole/policybased
 pkg/registry/rbac/clusterrolebinding
 pkg/registry/rbac/clusterrolebinding/policybased
-pkg/registry/rbac/reconciliation
 pkg/registry/rbac/rest
 pkg/registry/rbac/role/policybased
 pkg/registry/rbac/rolebinding
@@ -408,6 +407,8 @@ staging/src/k8s.io/component-base/cli/flag
 staging/src/k8s.io/component-base/config/v1alpha1
 staging/src/k8s.io/component-base/featuregate
 staging/src/k8s.io/component-base/version/verflag
+staging/src/k8s.io/component-helpers/auth/rbac/reconciliation
+staging/src/k8s.io/component-helpers/auth/rbac/validation
 staging/src/k8s.io/controller-manager/config/v1alpha1
 staging/src/k8s.io/controller-manager/pkg/features
 staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1

pkg/kubectl/.import-restrictions

@@ -63,6 +63,4 @@ rules:
       - k8s.io/kubernetes/pkg/apis/storage/v1beta1
       - k8s.io/kubernetes/pkg/features
       - k8s.io/kubernetes/pkg/kubectl
-      - k8s.io/kubernetes/pkg/registry/rbac/reconciliation
-      - k8s.io/kubernetes/pkg/registry/rbac/validation
       - k8s.io/kubernetes/pkg/util/parsers

pkg/kubectl/cmd/auth/BUILD

@@ -16,7 +16,6 @@ go_library(
         "//build/visible_to:pkg_kubectl_cmd_auth_CONSUMERS",
     ],
     deps = [
-        "//pkg/registry/rbac/reconciliation:go_default_library",
         "//staging/src/k8s.io/api/authorization/v1:go_default_library",
         "//staging/src/k8s.io/api/rbac/v1:go_default_library",
         "//staging/src/k8s.io/api/rbac/v1alpha1:go_default_library",
@@ -34,6 +33,7 @@ go_library(
         "//staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1:go_default_library",
         "//staging/src/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
         "//staging/src/k8s.io/client-go/kubernetes/typed/rbac/v1:go_default_library",
+        "//staging/src/k8s.io/component-helpers/auth/rbac/reconciliation:go_default_library",
         "//staging/src/k8s.io/kubectl/pkg/cmd/util:go_default_library",
         "//staging/src/k8s.io/kubectl/pkg/describe:go_default_library",
         "//staging/src/k8s.io/kubectl/pkg/scheme:go_default_library",

pkg/kubectl/cmd/auth/reconcile.go

@@ -32,10 +32,10 @@ import (
 	"k8s.io/cli-runtime/pkg/resource"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 	rbacv1client "k8s.io/client-go/kubernetes/typed/rbac/v1"
+	"k8s.io/component-helpers/auth/rbac/reconciliation"
 	cmdutil "k8s.io/kubectl/pkg/cmd/util"
 	"k8s.io/kubectl/pkg/scheme"
 	"k8s.io/kubectl/pkg/util/templates"
-	"k8s.io/kubernetes/pkg/registry/rbac/reconciliation"
 )
 
 // ReconcileOptions is the start of the data required to perform the operation.  As new fields are added, add them here instead of

pkg/registry/rbac/BUILD

@@ -39,7 +39,6 @@ filegroup(
         ":package-srcs",
         "//pkg/registry/rbac/clusterrole:all-srcs",
         "//pkg/registry/rbac/clusterrolebinding:all-srcs",
-        "//pkg/registry/rbac/reconciliation:all-srcs",
         "//pkg/registry/rbac/rest:all-srcs",
         "//pkg/registry/rbac/role:all-srcs",
         "//pkg/registry/rbac/rolebinding:all-srcs",

pkg/registry/rbac/rest/BUILD

@@ -18,7 +18,6 @@ go_library(
         "//pkg/registry/rbac/clusterrolebinding:go_default_library",
         "//pkg/registry/rbac/clusterrolebinding/policybased:go_default_library",
         "//pkg/registry/rbac/clusterrolebinding/storage:go_default_library",
-        "//pkg/registry/rbac/reconciliation:go_default_library",
         "//pkg/registry/rbac/role:go_default_library",
         "//pkg/registry/rbac/role/policybased:go_default_library",
         "//pkg/registry/rbac/role/storage:go_default_library",
@@ -43,6 +42,7 @@ go_library(
         "//staging/src/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
         "//staging/src/k8s.io/client-go/kubernetes/typed/rbac/v1:go_default_library",
         "//staging/src/k8s.io/client-go/util/retry:go_default_library",
+        "//staging/src/k8s.io/component-helpers/auth/rbac/reconciliation:go_default_library",
         "//vendor/k8s.io/klog/v2:go_default_library",
     ],
 )

pkg/registry/rbac/rest/storage_rbac.go

@@ -39,6 +39,7 @@ import (
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 	rbacv1client "k8s.io/client-go/kubernetes/typed/rbac/v1"
 	"k8s.io/client-go/util/retry"
+	"k8s.io/component-helpers/auth/rbac/reconciliation"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	"k8s.io/kubernetes/pkg/apis/rbac"
 	"k8s.io/kubernetes/pkg/registry/rbac/clusterrole"
@@ -47,7 +48,6 @@ import (
 	"k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding"
 	clusterrolebindingpolicybased "k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/policybased"
 	clusterrolebindingstore "k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/storage"
-	"k8s.io/kubernetes/pkg/registry/rbac/reconciliation"
 	"k8s.io/kubernetes/pkg/registry/rbac/role"
 	rolepolicybased "k8s.io/kubernetes/pkg/registry/rbac/role/policybased"
 	rolestore "k8s.io/kubernetes/pkg/registry/rbac/role/storage"

pkg/registry/rbac/validation/BUILD

@@ -10,7 +10,6 @@ go_test(
     name = "go_default_test",
     srcs = [
         "policy_compact_test.go",
-        "policy_comparator_test.go",
         "rule_test.go",
     ],
     embed = [":go_default_library"],
@@ -20,6 +19,7 @@ go_test(
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
+        "//staging/src/k8s.io/component-helpers/auth/rbac/validation:go_default_library",
     ],
 )
 
@@ -28,7 +28,6 @@ go_library(
     srcs = [
         "internal_version_adapter.go",
         "policy_compact.go",
-        "policy_comparator.go",
         "rule.go",
     ],
     importpath = "k8s.io/kubernetes/pkg/registry/rbac/validation",
@@ -41,6 +40,7 @@ go_library(
         "//staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
+        "//staging/src/k8s.io/component-helpers/auth/rbac/validation:go_default_library",
         "//vendor/k8s.io/klog/v2:go_default_library",
     ],
 )

pkg/registry/rbac/validation/policy_compact_test.go

@@ -22,6 +22,7 @@ import (
 	"testing"
 
 	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/component-helpers/auth/rbac/validation"
 	rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
 )
 
@@ -126,11 +127,11 @@ func TestCompactRules(t *testing.T) {
 			t.Errorf("%s: CompactRules mutated rules. Expected\n%#v\ngot\n%#v", k, originalRules, rules)
 			continue
 		}
-		if covers, missing := Covers(compacted, rules); !covers {
+		if covers, missing := validation.Covers(compacted, rules); !covers {
 			t.Errorf("%s: compacted rules did not cover original rules. missing: %#v", k, missing)
 			continue
 		}
-		if covers, missing := Covers(rules, compacted); !covers {
+		if covers, missing := validation.Covers(rules, compacted); !covers {
 			t.Errorf("%s: original rules did not cover compacted rules. missing: %#v", k, missing)
 			continue
 		}

pkg/registry/rbac/validation/rule.go

@@ -30,6 +30,7 @@ import (
 	"k8s.io/apiserver/pkg/authentication/serviceaccount"
 	"k8s.io/apiserver/pkg/authentication/user"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/component-helpers/auth/rbac/validation"
 	rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
 )
 
@@ -65,7 +66,7 @@ func ConfirmNoEscalation(ctx context.Context, ruleResolver AuthorizationRuleReso
 		ruleResolutionErrors = append(ruleResolutionErrors, err)
 	}
 
-	ownerRightsCover, missingRights := Covers(ownerRules, rules)
+	ownerRightsCover, missingRights := validation.Covers(ownerRules, rules)
 	if !ownerRightsCover {
 		compactMissingRights := missingRights
 		if compact, err := CompactRules(missingRights); err == nil {
@@ -268,6 +269,15 @@ func appliesTo(user user.Info, bindingSubjects []rbacv1.Subject, namespace strin
 	return 0, false
 }
 
+func has(set []string, ele string) bool {
+	for _, s := range set {
+		if s == ele {
+			return true
+		}
+	}
+	return false
+}
+
 func appliesToUser(user user.Info, subject rbacv1.Subject, namespace string) bool {
 	switch subject.Kind {
 	case rbacv1.UserKind:

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD

@@ -43,13 +43,13 @@ go_test(
         "//pkg/apis/core/install:go_default_library",
         "//pkg/apis/rbac/install:go_default_library",
         "//pkg/apis/rbac/v1:go_default_library",
-        "//pkg/registry/rbac/validation:go_default_library",
         "//staging/src/k8s.io/api/core/v1:go_default_library",
         "//staging/src/k8s.io/api/rbac/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/api/meta:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
+        "//staging/src/k8s.io/component-helpers/auth/rbac/validation:go_default_library",
         "//vendor/sigs.k8s.io/yaml:go_default_library",
     ],
 )

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go

@@ -25,18 +25,18 @@ import (
 
 	"sigs.k8s.io/yaml"
 
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/diff"
 	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/component-helpers/auth/rbac/validation"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	_ "k8s.io/kubernetes/pkg/apis/core/install"
 	_ "k8s.io/kubernetes/pkg/apis/rbac/install"
 	rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
-	rbacregistryvalidation "k8s.io/kubernetes/pkg/registry/rbac/validation"
 	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy"
 )
 
@@ -100,7 +100,7 @@ func TestEditViewRelationship(t *testing.T) {
 
 	// confirm that the view role doesn't already have extra powers
 	for _, rule := range viewEscalatingNamespaceResources {
-		if covers, _ := rbacregistryvalidation.Covers(semanticRoles.view.Rules, []rbacv1.PolicyRule{rule}); covers {
+		if covers, _ := validation.Covers(semanticRoles.view.Rules, []rbacv1.PolicyRule{rule}); covers {
 			t.Errorf("view has extra powers: %#v", rule)
 		}
 	}
@@ -108,7 +108,7 @@ func TestEditViewRelationship(t *testing.T) {
 
 	// confirm that the view role doesn't have ungettable resources
 	for _, rule := range ungettableResources {
-		if covers, _ := rbacregistryvalidation.Covers(semanticRoles.view.Rules, []rbacv1.PolicyRule{rule}); covers {
+		if covers, _ := validation.Covers(semanticRoles.view.Rules, []rbacv1.PolicyRule{rule}); covers {
 			t.Errorf("view has ungettable resource: %#v", rule)
 		}
 	}

staging/publishing/import-restrictions.yaml

@@ -256,5 +256,6 @@
   - k8s.io/api
   - k8s.io/apimachinery
   - k8s.io/client-go
+  - k8s.io/component-helpers
   - k8s.io/klog
   - k8s.io/utils

staging/src/k8s.io/component-helpers/BUILD

@@ -9,6 +9,8 @@ filegroup(
     name = "all-srcs",
     srcs = [
         ":package-srcs",
+        "//staging/src/k8s.io/component-helpers/auth/rbac/reconciliation:all-srcs",
+        "//staging/src/k8s.io/component-helpers/auth/rbac/validation:all-srcs",
         "//staging/src/k8s.io/component-helpers/lease:all-srcs",
         "//staging/src/k8s.io/component-helpers/scheduling/corev1:all-srcs",
     ],

staging/src/k8s.io/component-helpers/auth/OWNERS

@@ -0,0 +1,8 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+- sig-auth-api-approvers
+reviewers:
+- sig-auth-api-reviewers
+labels:
+- sig/auth

staging/src/k8s.io/component-helpers/auth/rbac/reconciliation/BUILD

@@ -14,8 +14,8 @@ go_test(
     ],
     embed = [":go_default_library"],
     deps = [
-        "//pkg/apis/core/helper:go_default_library",
         "//staging/src/k8s.io/api/rbac/v1:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
     ],
@@ -33,9 +33,9 @@ go_library(
         "rolebinding_interfaces.go",
         "zz_generated.deepcopy.go",
     ],
-    importpath = "k8s.io/kubernetes/pkg/registry/rbac/reconciliation",
+    importmap = "k8s.io/kubernetes/vendor/k8s.io/component-helpers/auth/rbac/reconciliation",
+    importpath = "k8s.io/component-helpers/auth/rbac/reconciliation",
     deps = [
-        "//pkg/registry/rbac/validation:go_default_library",
         "//staging/src/k8s.io/api/core/v1:go_default_library",
         "//staging/src/k8s.io/api/rbac/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
@@ -46,6 +46,7 @@ go_library(
         "//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
         "//staging/src/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
         "//staging/src/k8s.io/client-go/kubernetes/typed/rbac/v1:go_default_library",
+        "//staging/src/k8s.io/component-helpers/auth/rbac/validation:go_default_library",
     ],
 )
 

staging/src/k8s.io/component-helpers/auth/rbac/reconciliation/clusterrole_interfaces.go

@@ -18,6 +18,7 @@ package reconciliation
 
 import (
 	"context"
+
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -25,7 +26,7 @@ import (
 )
 
 // +k8s:deepcopy-gen=true
-// +k8s:deepcopy-gen:interfaces=k8s.io/kubernetes/pkg/registry/rbac/reconciliation.RuleOwner
+// +k8s:deepcopy-gen:interfaces=k8s.io/component-helpers/auth/rbac/reconciliation.RuleOwner
 // +k8s:deepcopy-gen:nonpointer-interfaces=true
 type ClusterRoleRuleOwner struct {
 	ClusterRole *rbacv1.ClusterRole

staging/src/k8s.io/component-helpers/auth/rbac/reconciliation/clusterrolebinding_interfaces.go

@@ -18,6 +18,7 @@ package reconciliation
 
 import (
 	"context"
+
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -26,7 +27,7 @@ import (
 )
 
 // +k8s:deepcopy-gen=true
-// +k8s:deepcopy-gen:interfaces=k8s.io/kubernetes/pkg/registry/rbac/reconciliation.RoleBinding
+// +k8s:deepcopy-gen:interfaces=k8s.io/component-helpers/auth/rbac/reconciliation.RoleBinding
 // +k8s:deepcopy-gen:nonpointer-interfaces=true
 type ClusterRoleBindingAdapter struct {
 	ClusterRoleBinding *rbacv1.ClusterRoleBinding

staging/src/k8s.io/component-helpers/auth/rbac/reconciliation/reconcile_role.go

@@ -25,7 +25,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/kubernetes/pkg/registry/rbac/validation"
+	"k8s.io/component-helpers/auth/rbac/validation"
 )
 
 type ReconcileOperation string

staging/src/k8s.io/component-helpers/auth/rbac/reconciliation/reconcile_role_test.go

@@ -20,9 +20,9 @@ import (
 	"testing"
 
 	rbacv1 "k8s.io/api/rbac/v1"
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/diff"
-	"k8s.io/kubernetes/pkg/apis/core/helper"
 )
 
 func role(rules []rbacv1.PolicyRule, labels map[string]string, annotations map[string]string) *rbacv1.ClusterRole {
@@ -272,7 +272,7 @@ func TestComputeReconciledRoleRules(t *testing.T) {
 			t.Errorf("%s: Expected\n\t%v\ngot\n\t%v", k, tc.expectedReconciliationNeeded, reconciliationNeeded)
 			continue
 		}
-		if reconciliationNeeded && !helper.Semantic.DeepEqual(result.Role.(ClusterRoleRuleOwner).ClusterRole, tc.expectedReconciledRole) {
+		if reconciliationNeeded && !apiequality.Semantic.DeepEqual(result.Role.(ClusterRoleRuleOwner).ClusterRole, tc.expectedReconciledRole) {
 			t.Errorf("%s: Expected\n\t%#v\ngot\n\t%#v", k, tc.expectedReconciledRole, result.Role)
 		}
 	}
@@ -391,7 +391,7 @@ func TestComputeReconciledRoleAggregationRules(t *testing.T) {
 			t.Errorf("%s: Expected\n\t%v\ngot\n\t%v", k, tc.expectedReconciliationNeeded, reconciliationNeeded)
 			continue
 		}
-		if reconciliationNeeded && !helper.Semantic.DeepEqual(result.Role.(ClusterRoleRuleOwner).ClusterRole, tc.expectedReconciledRole) {
+		if reconciliationNeeded && !apiequality.Semantic.DeepEqual(result.Role.(ClusterRoleRuleOwner).ClusterRole, tc.expectedReconciledRole) {
 			t.Errorf("%s: %v", k, diff.ObjectDiff(tc.expectedReconciledRole, result.Role.(ClusterRoleRuleOwner).ClusterRole))
 		}
 	}

staging/src/k8s.io/component-helpers/auth/rbac/reconciliation/reconcile_rolebindings_test.go

@@ -20,7 +20,7 @@ import (
 	"testing"
 
 	rbacv1 "k8s.io/api/rbac/v1"
-	"k8s.io/kubernetes/pkg/apis/core/helper"
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
 )
 
 func binding(roleRef rbacv1.RoleRef, subjects []rbacv1.Subject) *rbacv1.ClusterRoleBinding {
@@ -81,10 +81,10 @@ func TestDiffObjectReferenceLists(t *testing.T) {
 
 	for k, tc := range tests {
 		onlyA, onlyB := diffSubjectLists(tc.A, tc.B)
-		if !helper.Semantic.DeepEqual(onlyA, tc.ExpectedOnlyA) {
+		if !apiequality.Semantic.DeepEqual(onlyA, tc.ExpectedOnlyA) {
 			t.Errorf("%s: Expected %#v, got %#v", k, tc.ExpectedOnlyA, onlyA)
 		}
-		if !helper.Semantic.DeepEqual(onlyB, tc.ExpectedOnlyB) {
+		if !apiequality.Semantic.DeepEqual(onlyB, tc.ExpectedOnlyB) {
 			t.Errorf("%s: Expected %#v, got %#v", k, tc.ExpectedOnlyB, onlyB)
 		}
 	}
@@ -174,7 +174,7 @@ func TestComputeUpdate(t *testing.T) {
 			t.Errorf("%s: Expected\n\t%v\ngot\n\t%v (%v)", k, tc.ExpectedUpdateNeeded, updateNeeded, result.Operation)
 			continue
 		}
-		if updateNeeded && !helper.Semantic.DeepEqual(updatedBinding, tc.ExpectedUpdatedBinding) {
+		if updateNeeded && !apiequality.Semantic.DeepEqual(updatedBinding, tc.ExpectedUpdatedBinding) {
 			t.Errorf("%s: Expected\n\t%v %v\ngot\n\t%v %v", k, tc.ExpectedUpdatedBinding.RoleRef, tc.ExpectedUpdatedBinding.Subjects, updatedBinding.RoleRef, updatedBinding.Subjects)
 		}
 	}

staging/src/k8s.io/component-helpers/auth/rbac/reconciliation/role_interfaces.go

@@ -18,6 +18,7 @@ package reconciliation
 
 import (
 	"context"
+
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -26,7 +27,7 @@ import (
 )
 
 // +k8s:deepcopy-gen=true
-// +k8s:deepcopy-gen:interfaces=k8s.io/kubernetes/pkg/registry/rbac/reconciliation.RuleOwner
+// +k8s:deepcopy-gen:interfaces=k8s.io/component-helpers/auth/rbac/reconciliation.RuleOwner
 // +k8s:deepcopy-gen:nonpointer-interfaces=true
 type RoleRuleOwner struct {
 	Role *rbacv1.Role

staging/src/k8s.io/component-helpers/auth/rbac/reconciliation/rolebinding_interfaces.go

@@ -18,6 +18,7 @@ package reconciliation
 
 import (
 	"context"
+
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -27,7 +28,7 @@ import (
 )
 
 // +k8s:deepcopy-gen=true
-// +k8s:deepcopy-gen:interfaces=k8s.io/kubernetes/pkg/registry/rbac/reconciliation.RoleBinding
+// +k8s:deepcopy-gen:interfaces=k8s.io/component-helpers/auth/rbac/reconciliation.RoleBinding
 // +k8s:deepcopy-gen:nonpointer-interfaces=true
 type RoleBindingAdapter struct {
 	RoleBinding *rbacv1.RoleBinding

staging/src/k8s.io/component-helpers/auth/rbac/validation/BUILD

@@ -0,0 +1,31 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["policy_comparator.go"],
+    importmap = "k8s.io/kubernetes/vendor/k8s.io/component-helpers/auth/rbac/validation",
+    importpath = "k8s.io/component-helpers/auth/rbac/validation",
+    visibility = ["//visibility:public"],
+    deps = ["//staging/src/k8s.io/api/rbac/v1:go_default_library"],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["policy_comparator_test.go"],
+    embed = [":go_default_library"],
+    deps = ["//staging/src/k8s.io/api/rbac/v1:go_default_library"],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)

vendor/modules.txt

@@ -2194,6 +2194,8 @@ k8s.io/component-base/version/verflag
 # k8s.io/component-helpers v0.0.0 => ./staging/src/k8s.io/component-helpers
 ## explicit
 # k8s.io/component-helpers => ./staging/src/k8s.io/component-helpers
+k8s.io/component-helpers/auth/rbac/reconciliation
+k8s.io/component-helpers/auth/rbac/validation
 k8s.io/component-helpers/lease
 k8s.io/component-helpers/scheduling/corev1
 # k8s.io/controller-manager v0.0.0 => ./staging/src/k8s.io/controller-manager