Split the API error in two

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>

staging/src/k8s.io/kubectl/pkg/cmd/auth/whoami.go

@@ -139,20 +139,29 @@ func NewCmdWhoAmI(restClientGetter genericclioptions.RESTClientGetter, streams g
 	return cmd
 }
 
-var notEnabledErr = fmt.Errorf(
+var (
-	"the selfsubjectreviews API is not enabled in the cluster or you do not have permission to call\n" +
+	notEnabledErr = fmt.Errorf(
+		"the selfsubjectreviews API is not enabled in the cluster\n" +
 			"enable APISelfSubjectReview feature gate and authentication.k8s.io/v1alpha1 API")
 
+	forbiddenErr = fmt.Errorf(
+		"the selfsubjectreviews API is not enabled in the cluster or you do not have permission to call it")
+)
+
 // Run prints all user attributes.
 func (o WhoAmIOptions) Run() error {
 	sar := &authenticationv1alpha1.SelfSubjectReview{}
 	response, err := o.authClient.SelfSubjectReviews().Create(context.TODO(), sar, metav1.CreateOptions{})
 	if err != nil {
-		if errors.IsForbidden(err) || errors.IsNotFound(err) {
+		switch {
+		case errors.IsForbidden(err):
+			return forbiddenErr
+		case errors.IsNotFound(err):
 			return notEnabledErr
-		}
+		default:
 			return err
 		}
+	}
 	return o.resourcePrinterFunc(response, o.Out)
 }
 

staging/src/k8s.io/kubectl/pkg/cmd/auth/whoami_test.go

@@ -107,7 +107,7 @@ func TestWhoAmIRun(t *testing.T) {
 			serverErr: errors.NewForbidden(
 				corev1.Resource("selfsubjectreviews"), "foo", fmt.Errorf("error"),
 			),
-			expectedError:       notEnabledErr,
+			expectedError:       forbiddenErr,
 			expectedBodyStrings: []string{},
 		},
 		{