This job view page is being replaced by Spyglass soon. Check out the new job view.
PRzshihang: move BoundServiceAccountTokenVolume to beta
ResultFAILURE
Tests 4 failed / 1912 succeeded
Started2020-10-17 01:06
Elapsed34m6s
Revisione2694ec09abf530783151c39bb56cc6697e64888
Refs 95667

Test Failures


//plugin/pkg/auth/authorizer/rbac/bootstrappolicy/go_default_test:run_1_of_2 0.00s

bazel test //plugin/pkg/auth/authorizer/rbac/bootstrappolicy/go_default_test:run_1_of_2
exec ${PAGER:-/usr/bin/less} "$0" || exit 1
Executing tests from //plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_test
-----------------------------------------------------------------------------
--- FAIL: TestBootstrapControllerRoles (0.13s)
    policy_test.go:246: Bootstrap policy data does not match the test fixture in testdata/controller-roles.yaml
    policy_test.go:257: Diff between bootstrap data and fixture data in testdata/controller-roles.yaml:
        -------------
        apiVersion: v1
        items:
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:attachdetach-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            - persistentvolumes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - nodes/status
            verbs:
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
          - apiGroups:
            - storage.k8s.io
            resources:
            - volumeattachments
            verbs:
            - create
            - delete
            - get
            - list
            - watch
          - apiGroups:
            - storage.k8s.io
            resources:
            - csidrivers
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - storage.k8s.io
            resources:
            - csinodes
            verbs:
            - get
            - list
            - watch
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:certificate-controller
          rules:
          - apiGroups:
            - certificates.k8s.io
            resources:
            - certificatesigningrequests
            verbs:
            - delete
            - get
            - list
            - watch
          - apiGroups:
            - certificates.k8s.io
            resources:
            - certificatesigningrequests/approval
            - certificatesigningrequests/status
            verbs:
            - update
          - apiGroups:
            - certificates.k8s.io
            resourceNames:
            - kubernetes.io/kube-apiserver-client-kubelet
            resources:
            - signers
            verbs:
            - approve
          - apiGroups:
            - certificates.k8s.io
            resourceNames:
            - kubernetes.io/kube-apiserver-client
            - kubernetes.io/kube-apiserver-client-kubelet
            - kubernetes.io/kubelet-serving
            - kubernetes.io/legacy-unknown
            resources:
            - signers
            verbs:
            - sign
          - apiGroups:
            - authorization.k8s.io
            resources:
            - subjectaccessreviews
            verbs:
            - create
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:clusterrole-aggregation-controller
          rules:
          - apiGroups:
            - rbac.authorization.k8s.io
            resources:
            - clusterroles
            verbs:
            - escalate
            - get
            - list
            - patch
            - update
            - watch
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:cronjob-controller
          rules:
          - apiGroups:
            - batch
            resources:
            - cronjobs
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - batch
            resources:
            - jobs
            verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - batch
            resources:
            - cronjobs/status
            verbs:
            - update
          - apiGroups:
            - batch
            resources:
            - cronjobs/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - delete
            - list
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:daemon-set-controller
          rules:
          - apiGroups:
            - apps
            - extensions
            resources:
            - daemonsets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - apps
            - extensions
            resources:
            - daemonsets/status
            verbs:
            - update
          - apiGroups:
            - apps
            - extensions
            resources:
            - daemonsets/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - list
            - patch
            - watch
          - apiGroups:
            - ""
            resources:
            - pods/binding
            verbs:
            - create
          - apiGroups:
            - apps
            resources:
            - controllerrevisions
            verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:deployment-controller
          rules:
          - apiGroups:
            - apps
            - extensions
            resources:
            - deployments
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - apps
            - extensions
            resources:
            - deployments/status
            verbs:
            - update
          - apiGroups:
            - apps
            - extensions
            resources:
            - deployments/finalizers
            verbs:
            - update
          - apiGroups:
            - apps
            - extensions
            resources:
            - replicasets
            verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:disruption-controller
          rules:
          - apiGroups:
            - apps
            - extensions
            resources:
            - deployments
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - apps
            - extensions
            resources:
            - replicasets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - replicationcontrollers
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - policy
            resources:
            - poddisruptionbudgets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - apps
            resources:
            - statefulsets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - policy
            resources:
            - poddisruptionbudgets/status
            verbs:
            - update
          - apiGroups:
            - '*'
            resources:
            - '*/scale'
            verbs:
            - get
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpoint-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - pods
            - services
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - endpoints
            verbs:
            - create
            - delete
            - get
            - list
            - update
          - apiGroups:
            - ""
            resources:
            - endpoints/restricted
            verbs:
            - create
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpointslice-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            - pods
            - services
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - services/finalizers
            verbs:
            - update
          - apiGroups:
            - discovery.k8s.io
            resources:
            - endpointslices
            verbs:
            - create
            - delete
            - get
            - list
            - update
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpointslicemirroring-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - endpoints
            - services
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - services/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - endpoints/finalizers
            verbs:
            - update
          - apiGroups:
            - discovery.k8s.io
            resources:
            - endpointslices
            verbs:
            - create
            - delete
            - get
            - list
            - update
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:expand-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - persistentvolumes
            verbs:
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims/status
            verbs:
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - storage.k8s.io
            resources:
            - storageclasses
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - endpoints
            - services
            verbs:
            - get
          - apiGroups:
            - ""
            resources:
            - secrets
            verbs:
            - get
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:generic-garbage-collector
          rules:
          - apiGroups:
            - '*'
            resources:
            - '*'
            verbs:
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:horizontal-pod-autoscaler
          rules:
          - apiGroups:
            - autoscaling
            resources:
            - horizontalpodautoscalers
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - autoscaling
            resources:
            - horizontalpodautoscalers/status
            verbs:
            - update
          - apiGroups:
            - '*'
            resources:
            - '*/scale'
            verbs:
            - get
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - list
          - apiGroups:
            - ""
            resourceNames:
            - 'http:heapster:'
            - 'https:heapster:'
            resources:
            - services/proxy
            verbs:
            - get
          - apiGroups:
            - metrics.k8s.io
            resources:
            - pods
            verbs:
            - list
          - apiGroups:
            - custom.metrics.k8s.io
            resources:
            - '*'
            verbs:
            - get
            - list
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:job-controller
          rules:
          - apiGroups:
            - batch
            resources:
            - jobs
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - batch
            resources:
            - jobs/status
            verbs:
            - update
          - apiGroups:
            - batch
            resources:
            - jobs/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - list
            - patch
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:namespace-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - namespaces
            verbs:
            - delete
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - namespaces/finalize
            - namespaces/status
            verbs:
            - update
          - apiGroups:
            - '*'
            resources:
            - '*'
            verbs:
            - delete
            - deletecollection
            - get
            - list
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:node-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - delete
            - get
            - list
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - nodes/status
            verbs:
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - pods/status
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - delete
            - list
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:persistent-volume-binder
          rules:
          - apiGroups:
            - ""
            resources:
            - persistentvolumes
            verbs:
            - create
            - delete
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - persistentvolumes/status
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims/status
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - get
            - list
            - watch
          - apiGroups:
            - storage.k8s.io
            resources:
            - storageclasses
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - endpoints
            verbs:
            - create
            - delete
            - get
            - update
          - apiGroups:
            - ""
            resources:
            - services
            verbs:
            - create
            - delete
            - get
          - apiGroups:
            - ""
            resources:
            - secrets
            verbs:
            - get
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - get
            - list
          - apiGroups:
            - ""
            resources:
            - events
            verbs:
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pod-garbage-collector
          rules:
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - delete
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - get
            - list
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pv-protection-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - persistentvolumes
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pvc-protection-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:replicaset-controller
          rules:
          - apiGroups:
            - apps
            - extensions
            resources:
            - replicasets
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - apps
            - extensions
            resources:
            - replicasets/status
            verbs:
            - update
          - apiGroups:
            - apps
            - extensions
            resources:
            - replicasets/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - list
            - patch
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:replication-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - replicationcontrollers
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - replicationcontrollers/status
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - replicationcontrollers/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - list
            - patch
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:resourcequota-controller
          rules:
          - apiGroups:
            - '*'
            resources:
            - '*'
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - resourcequotas/status
            verbs:
            - update
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ro
        
        A: ot-ca-cert-publisher
          rules:
          - apiGroups:
            - ""
            resources:
            - configmaps
            verbs:
            - create
            - update
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:route-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - nodes/status
            verbs:
            - patch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-account-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - serviceaccounts
            verbs:
            - create
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - services
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - services/status
            verbs:
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:statefulset-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - list
            - watch
          - apiGroups:
            - apps
            resources:
            - statefulsets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - apps
            resources:
            - statefulsets/status
            verbs:
            - update
          - apiGroups:
            - apps
            resources:
            - statefulsets/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - get
            - patch
            - update
          - apiGroups:
            - apps
            resources:
            - controllerrevisions
            verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            verbs:
            - create
            - get
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ttl-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        kind: List
        metadata: {}
        
        
        B: ute-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - nodes/status
            verbs:
            - patch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-account-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - serviceaccounts
            verbs:
            - create
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - services
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - services/status
            verbs:
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:statefulset-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - list
            - watch
          - apiGroups:
            - apps
            resources:
            - statefulsets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - apps
            resources:
            - statefulsets/status
            verbs:
            - update
          - apiGroups:
            - apps
            resources:
            - statefulsets/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - get
            - patch
            - update
          - apiGroups:
            - apps
            resources:
            - controllerrevisions
            verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            verbs:
            - create
            - get
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ttl-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        kind: List
        metadata: {}
        
        
    policy_test.go:258: If the change is expected, re-run with UPDATE_BOOTSTRAP_POLICY_FIXTURE_DATA=true to update the fixtures
--- FAIL: TestBootstrapControllerRoleBindings (0.08s)
    policy_test.go:246: Bootstrap policy data does not match the test fixture in testdata/controller-role-bindings.yaml
    policy_test.go:257: Diff between bootstrap data and fixture data in testdata/controller-role-bindings.yaml:
        -------------
        apiVersion: v1
        items:
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:attachdetach-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:attachdetach-controller
          subjects:
          - kind: ServiceAccount
            name: attachdetach-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:certificate-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:certificate-controller
          subjects:
          - kind: ServiceAccount
            name: certificate-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:clusterrole-aggregation-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:clusterrole-aggregation-controller
          subjects:
          - kind: ServiceAccount
            name: clusterrole-aggregation-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:cronjob-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:cronjob-controller
          subjects:
          - kind: ServiceAccount
            name: cronjob-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:daemon-set-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:daemon-set-controller
          subjects:
          - kind: ServiceAccount
            name: daemon-set-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:deployment-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:deployment-controller
          subjects:
          - kind: ServiceAccount
            name: deployment-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:disruption-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:disruption-controller
          subjects:
          - kind: ServiceAccount
            name: disruption-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpoint-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:endpoint-controller
          subjects:
          - kind: ServiceAccount
            name: endpoint-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpointslice-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:endpointslice-controller
          subjects:
          - kind: ServiceAccount
            name: endpointslice-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpointslicemirroring-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:endpointslicemirroring-controller
          subjects:
          - kind: ServiceAccount
            name: endpointslicemirroring-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:expand-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:expand-controller
          subjects:
          - kind: ServiceAccount
            name: expand-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:generic-garbage-collector
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:generic-garbage-collector
          subjects:
          - kind: ServiceAccount
            name: generic-garbage-collector
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:horizontal-pod-autoscaler
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:horizontal-pod-autoscaler
          subjects:
          - kind: ServiceAccount
            name: horizontal-pod-autoscaler
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:job-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:job-controller
          subjects:
          - kind: ServiceAccount
            name: job-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:namespace-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:namespace-controller
          subjects:
          - kind: ServiceAccount
            name: namespace-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:node-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:node-controller
          subjects:
          - kind: ServiceAccount
            name: node-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:persistent-volume-binder
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:persistent-volume-binder
          subjects:
          - kind: ServiceAccount
            name: persistent-volume-binder
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pod-garbage-collector
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:pod-garbage-collector
          subjects:
          - kind: ServiceAccount
            name: pod-garbage-collector
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pv-protection-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:pv-protection-controller
          subjects:
          - kind: ServiceAccount
            name: pv-protection-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pvc-protection-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:pvc-protection-controller
          subjects:
          - kind: ServiceAccount
            name: pvc-protection-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:replicaset-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:replicaset-controller
          subjects:
          - kind: ServiceAccount
            name: replicaset-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:replication-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:replication-controller
          subjects:
          - kind: ServiceAccount
            name: replication-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:resourcequota-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:resourcequota-controller
          subjects:
          - kind: ServiceAccount
            name: resourcequota-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ro
        
        A: ot-ca-cert-publisher
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:root-ca-cert-publisher
          subjects:
          - kind: ServiceAccount
            name: root-ca-cert-publisher
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:route-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:route-controller
          subjects:
          - kind: ServiceAccount
            name: route-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-account-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:service-account-controller
          subjects:
          - kind: ServiceAccount
            name: service-account-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:service-controller
          subjects:
          - kind: ServiceAccount
            name: service-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:statefulset-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:statefulset-controller
          subjects:
          - kind: ServiceAccount
            name: statefulset-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ttl-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:ttl-controller
          subjects:
          - kind: ServiceAccount
            name: ttl-controller
            namespace: kube-system
        kind: List
        metadata: {}
        
        
        B: ute-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:route-controller
          subjects:
          - kind: ServiceAccount
            name: route-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-account-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:service-account-controller
          subjects:
          - kind: ServiceAccount
            name: service-account-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:service-controller
          subjects:
          - kind: ServiceAccount
            name: service-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:statefulset-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:statefulset-controller
          subjects:
          - kind: ServiceAccount
            name: statefulset-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ttl-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:ttl-controller
          subjects:
          - kind: ServiceAccount
            name: ttl-controller
            namespace: kube-system
        kind: List
        metadata: {}
        
        
    policy_test.go:258: If the change is expected, re-run with UPDATE_BOOTSTRAP_POLICY_FIXTURE_DATA=true to update the fixtures
FAIL

				from junit_bazel.xml

Filter through log files | View test history on testgrid


//plugin/pkg/auth/authorizer/rbac/bootstrappolicy/go_default_test:run_1_of_2 0.00s

bazel test //plugin/pkg/auth/authorizer/rbac/bootstrappolicy/go_default_test:run_1_of_2
exec ${PAGER:-/usr/bin/less} "$0" || exit 1
Executing tests from //plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_test
-----------------------------------------------------------------------------
--- FAIL: TestBootstrapControllerRoles (0.13s)
    policy_test.go:246: Bootstrap policy data does not match the test fixture in testdata/controller-roles.yaml
    policy_test.go:257: Diff between bootstrap data and fixture data in testdata/controller-roles.yaml:
        -------------
        apiVersion: v1
        items:
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:attachdetach-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            - persistentvolumes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - nodes/status
            verbs:
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
          - apiGroups:
            - storage.k8s.io
            resources:
            - volumeattachments
            verbs:
            - create
            - delete
            - get
            - list
            - watch
          - apiGroups:
            - storage.k8s.io
            resources:
            - csidrivers
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - storage.k8s.io
            resources:
            - csinodes
            verbs:
            - get
            - list
            - watch
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:certificate-controller
          rules:
          - apiGroups:
            - certificates.k8s.io
            resources:
            - certificatesigningrequests
            verbs:
            - delete
            - get
            - list
            - watch
          - apiGroups:
            - certificates.k8s.io
            resources:
            - certificatesigningrequests/approval
            - certificatesigningrequests/status
            verbs:
            - update
          - apiGroups:
            - certificates.k8s.io
            resourceNames:
            - kubernetes.io/kube-apiserver-client-kubelet
            resources:
            - signers
            verbs:
            - approve
          - apiGroups:
            - certificates.k8s.io
            resourceNames:
            - kubernetes.io/kube-apiserver-client
            - kubernetes.io/kube-apiserver-client-kubelet
            - kubernetes.io/kubelet-serving
            - kubernetes.io/legacy-unknown
            resources:
            - signers
            verbs:
            - sign
          - apiGroups:
            - authorization.k8s.io
            resources:
            - subjectaccessreviews
            verbs:
            - create
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:clusterrole-aggregation-controller
          rules:
          - apiGroups:
            - rbac.authorization.k8s.io
            resources:
            - clusterroles
            verbs:
            - escalate
            - get
            - list
            - patch
            - update
            - watch
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:cronjob-controller
          rules:
          - apiGroups:
            - batch
            resources:
            - cronjobs
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - batch
            resources:
            - jobs
            verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - batch
            resources:
            - cronjobs/status
            verbs:
            - update
          - apiGroups:
            - batch
            resources:
            - cronjobs/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - delete
            - list
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:daemon-set-controller
          rules:
          - apiGroups:
            - apps
            - extensions
            resources:
            - daemonsets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - apps
            - extensions
            resources:
            - daemonsets/status
            verbs:
            - update
          - apiGroups:
            - apps
            - extensions
            resources:
            - daemonsets/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - list
            - patch
            - watch
          - apiGroups:
            - ""
            resources:
            - pods/binding
            verbs:
            - create
          - apiGroups:
            - apps
            resources:
            - controllerrevisions
            verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:deployment-controller
          rules:
          - apiGroups:
            - apps
            - extensions
            resources:
            - deployments
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - apps
            - extensions
            resources:
            - deployments/status
            verbs:
            - update
          - apiGroups:
            - apps
            - extensions
            resources:
            - deployments/finalizers
            verbs:
            - update
          - apiGroups:
            - apps
            - extensions
            resources:
            - replicasets
            verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:disruption-controller
          rules:
          - apiGroups:
            - apps
            - extensions
            resources:
            - deployments
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - apps
            - extensions
            resources:
            - replicasets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - replicationcontrollers
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - policy
            resources:
            - poddisruptionbudgets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - apps
            resources:
            - statefulsets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - policy
            resources:
            - poddisruptionbudgets/status
            verbs:
            - update
          - apiGroups:
            - '*'
            resources:
            - '*/scale'
            verbs:
            - get
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpoint-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - pods
            - services
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - endpoints
            verbs:
            - create
            - delete
            - get
            - list
            - update
          - apiGroups:
            - ""
            resources:
            - endpoints/restricted
            verbs:
            - create
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpointslice-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            - pods
            - services
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - services/finalizers
            verbs:
            - update
          - apiGroups:
            - discovery.k8s.io
            resources:
            - endpointslices
            verbs:
            - create
            - delete
            - get
            - list
            - update
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpointslicemirroring-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - endpoints
            - services
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - services/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - endpoints/finalizers
            verbs:
            - update
          - apiGroups:
            - discovery.k8s.io
            resources:
            - endpointslices
            verbs:
            - create
            - delete
            - get
            - list
            - update
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:expand-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - persistentvolumes
            verbs:
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims/status
            verbs:
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - storage.k8s.io
            resources:
            - storageclasses
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - endpoints
            - services
            verbs:
            - get
          - apiGroups:
            - ""
            resources:
            - secrets
            verbs:
            - get
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:generic-garbage-collector
          rules:
          - apiGroups:
            - '*'
            resources:
            - '*'
            verbs:
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:horizontal-pod-autoscaler
          rules:
          - apiGroups:
            - autoscaling
            resources:
            - horizontalpodautoscalers
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - autoscaling
            resources:
            - horizontalpodautoscalers/status
            verbs:
            - update
          - apiGroups:
            - '*'
            resources:
            - '*/scale'
            verbs:
            - get
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - list
          - apiGroups:
            - ""
            resourceNames:
            - 'http:heapster:'
            - 'https:heapster:'
            resources:
            - services/proxy
            verbs:
            - get
          - apiGroups:
            - metrics.k8s.io
            resources:
            - pods
            verbs:
            - list
          - apiGroups:
            - custom.metrics.k8s.io
            resources:
            - '*'
            verbs:
            - get
            - list
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:job-controller
          rules:
          - apiGroups:
            - batch
            resources:
            - jobs
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - batch
            resources:
            - jobs/status
            verbs:
            - update
          - apiGroups:
            - batch
            resources:
            - jobs/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - list
            - patch
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:namespace-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - namespaces
            verbs:
            - delete
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - namespaces/finalize
            - namespaces/status
            verbs:
            - update
          - apiGroups:
            - '*'
            resources:
            - '*'
            verbs:
            - delete
            - deletecollection
            - get
            - list
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:node-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - delete
            - get
            - list
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - nodes/status
            verbs:
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - pods/status
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - delete
            - list
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:persistent-volume-binder
          rules:
          - apiGroups:
            - ""
            resources:
            - persistentvolumes
            verbs:
            - create
            - delete
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - persistentvolumes/status
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims/status
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - get
            - list
            - watch
          - apiGroups:
            - storage.k8s.io
            resources:
            - storageclasses
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - endpoints
            verbs:
            - create
            - delete
            - get
            - update
          - apiGroups:
            - ""
            resources:
            - services
            verbs:
            - create
            - delete
            - get
          - apiGroups:
            - ""
            resources:
            - secrets
            verbs:
            - get
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - get
            - list
          - apiGroups:
            - ""
            resources:
            - events
            verbs:
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pod-garbage-collector
          rules:
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - delete
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - get
            - list
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pv-protection-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - persistentvolumes
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pvc-protection-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:replicaset-controller
          rules:
          - apiGroups:
            - apps
            - extensions
            resources:
            - replicasets
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - apps
            - extensions
            resources:
            - replicasets/status
            verbs:
            - update
          - apiGroups:
            - apps
            - extensions
            resources:
            - replicasets/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - list
            - patch
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:replication-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - replicationcontrollers
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - replicationcontrollers/status
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - replicationcontrollers/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - list
            - patch
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:resourcequota-controller
          rules:
          - apiGroups:
            - '*'
            resources:
            - '*'
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - resourcequotas/status
            verbs:
            - update
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ro
        
        A: ot-ca-cert-publisher
          rules:
          - apiGroups:
            - ""
            resources:
            - configmaps
            verbs:
            - create
            - update
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:route-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - nodes/status
            verbs:
            - patch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-account-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - serviceaccounts
            verbs:
            - create
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - services
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - services/status
            verbs:
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:statefulset-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - list
            - watch
          - apiGroups:
            - apps
            resources:
            - statefulsets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - apps
            resources:
            - statefulsets/status
            verbs:
            - update
          - apiGroups:
            - apps
            resources:
            - statefulsets/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - get
            - patch
            - update
          - apiGroups:
            - apps
            resources:
            - controllerrevisions
            verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            verbs:
            - create
            - get
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ttl-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        kind: List
        metadata: {}
        
        
        B: ute-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - nodes/status
            verbs:
            - patch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-account-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - serviceaccounts
            verbs:
            - create
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - services
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - services/status
            verbs:
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:statefulset-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - list
            - watch
          - apiGroups:
            - apps
            resources:
            - statefulsets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - apps
            resources:
            - statefulsets/status
            verbs:
            - update
          - apiGroups:
            - apps
            resources:
            - statefulsets/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - get
            - patch
            - update
          - apiGroups:
            - apps
            resources:
            - controllerrevisions
            verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            verbs:
            - create
            - get
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ttl-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        kind: List
        metadata: {}
        
        
    policy_test.go:258: If the change is expected, re-run with UPDATE_BOOTSTRAP_POLICY_FIXTURE_DATA=true to update the fixtures
--- FAIL: TestBootstrapControllerRoleBindings (0.08s)
    policy_test.go:246: Bootstrap policy data does not match the test fixture in testdata/controller-role-bindings.yaml
    policy_test.go:257: Diff between bootstrap data and fixture data in testdata/controller-role-bindings.yaml:
        -------------
        apiVersion: v1
        items:
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:attachdetach-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:attachdetach-controller
          subjects:
          - kind: ServiceAccount
            name: attachdetach-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:certificate-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:certificate-controller
          subjects:
          - kind: ServiceAccount
            name: certificate-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:clusterrole-aggregation-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:clusterrole-aggregation-controller
          subjects:
          - kind: ServiceAccount
            name: clusterrole-aggregation-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:cronjob-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:cronjob-controller
          subjects:
          - kind: ServiceAccount
            name: cronjob-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:daemon-set-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:daemon-set-controller
          subjects:
          - kind: ServiceAccount
            name: daemon-set-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:deployment-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:deployment-controller
          subjects:
          - kind: ServiceAccount
            name: deployment-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:disruption-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:disruption-controller
          subjects:
          - kind: ServiceAccount
            name: disruption-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpoint-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:endpoint-controller
          subjects:
          - kind: ServiceAccount
            name: endpoint-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpointslice-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:endpointslice-controller
          subjects:
          - kind: ServiceAccount
            name: endpointslice-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpointslicemirroring-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:endpointslicemirroring-controller
          subjects:
          - kind: ServiceAccount
            name: endpointslicemirroring-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:expand-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:expand-controller
          subjects:
          - kind: ServiceAccount
            name: expand-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:generic-garbage-collector
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:generic-garbage-collector
          subjects:
          - kind: ServiceAccount
            name: generic-garbage-collector
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:horizontal-pod-autoscaler
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:horizontal-pod-autoscaler
          subjects:
          - kind: ServiceAccount
            name: horizontal-pod-autoscaler
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:job-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:job-controller
          subjects:
          - kind: ServiceAccount
            name: job-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:namespace-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:namespace-controller
          subjects:
          - kind: ServiceAccount
            name: namespace-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:node-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:node-controller
          subjects:
          - kind: ServiceAccount
            name: node-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:persistent-volume-binder
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:persistent-volume-binder
          subjects:
          - kind: ServiceAccount
            name: persistent-volume-binder
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pod-garbage-collector
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:pod-garbage-collector
          subjects:
          - kind: ServiceAccount
            name: pod-garbage-collector
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pv-protection-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:pv-protection-controller
          subjects:
          - kind: ServiceAccount
            name: pv-protection-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pvc-protection-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:pvc-protection-controller
          subjects:
          - kind: ServiceAccount
            name: pvc-protection-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:replicaset-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:replicaset-controller
          subjects:
          - kind: ServiceAccount
            name: replicaset-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:replication-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:replication-controller
          subjects:
          - kind: ServiceAccount
            name: replication-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:resourcequota-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:resourcequota-controller
          subjects:
          - kind: ServiceAccount
            name: resourcequota-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ro
        
        A: ot-ca-cert-publisher
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:root-ca-cert-publisher
          subjects:
          - kind: ServiceAccount
            name: root-ca-cert-publisher
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:route-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:route-controller
          subjects:
          - kind: ServiceAccount
            name: route-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-account-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:service-account-controller
          subjects:
          - kind: ServiceAccount
            name: service-account-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:service-controller
          subjects:
          - kind: ServiceAccount
            name: service-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:statefulset-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:statefulset-controller
          subjects:
          - kind: ServiceAccount
            name: statefulset-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ttl-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:ttl-controller
          subjects:
          - kind: ServiceAccount
            name: ttl-controller
            namespace: kube-system
        kind: List
        metadata: {}
        
        
        B: ute-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:route-controller
          subjects:
          - kind: ServiceAccount
            name: route-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-account-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:service-account-controller
          subjects:
          - kind: ServiceAccount
            name: service-account-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:service-controller
          subjects:
          - kind: ServiceAccount
            name: service-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:statefulset-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:statefulset-controller
          subjects:
          - kind: ServiceAccount
            name: statefulset-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ttl-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:ttl-controller
          subjects:
          - kind: ServiceAccount
            name: ttl-controller
            namespace: kube-system
        kind: List
        metadata: {}
        
        
    policy_test.go:258: If the change is expected, re-run with UPDATE_BOOTSTRAP_POLICY_FIXTURE_DATA=true to update the fixtures
FAIL

				from junit_bazel.xml

Filter through log files | View test history on testgrid


//plugin/pkg/auth/authorizer/rbac/bootstrappolicy/go_default_test:run_2_of_2 0.00s

bazel test //plugin/pkg/auth/authorizer/rbac/bootstrappolicy/go_default_test:run_2_of_2
exec ${PAGER:-/usr/bin/less} "$0" || exit 1
Executing tests from //plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_test
-----------------------------------------------------------------------------
--- FAIL: TestBootstrapControllerRoles (0.14s)
    policy_test.go:246: Bootstrap policy data does not match the test fixture in testdata/controller-roles.yaml
    policy_test.go:257: Diff between bootstrap data and fixture data in testdata/controller-roles.yaml:
        -------------
        apiVersion: v1
        items:
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:attachdetach-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            - persistentvolumes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - nodes/status
            verbs:
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
          - apiGroups:
            - storage.k8s.io
            resources:
            - volumeattachments
            verbs:
            - create
            - delete
            - get
            - list
            - watch
          - apiGroups:
            - storage.k8s.io
            resources:
            - csidrivers
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - storage.k8s.io
            resources:
            - csinodes
            verbs:
            - get
            - list
            - watch
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:certificate-controller
          rules:
          - apiGroups:
            - certificates.k8s.io
            resources:
            - certificatesigningrequests
            verbs:
            - delete
            - get
            - list
            - watch
          - apiGroups:
            - certificates.k8s.io
            resources:
            - certificatesigningrequests/approval
            - certificatesigningrequests/status
            verbs:
            - update
          - apiGroups:
            - certificates.k8s.io
            resourceNames:
            - kubernetes.io/kube-apiserver-client-kubelet
            resources:
            - signers
            verbs:
            - approve
          - apiGroups:
            - certificates.k8s.io
            resourceNames:
            - kubernetes.io/kube-apiserver-client
            - kubernetes.io/kube-apiserver-client-kubelet
            - kubernetes.io/kubelet-serving
            - kubernetes.io/legacy-unknown
            resources:
            - signers
            verbs:
            - sign
          - apiGroups:
            - authorization.k8s.io
            resources:
            - subjectaccessreviews
            verbs:
            - create
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:clusterrole-aggregation-controller
          rules:
          - apiGroups:
            - rbac.authorization.k8s.io
            resources:
            - clusterroles
            verbs:
            - escalate
            - get
            - list
            - patch
            - update
            - watch
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:cronjob-controller
          rules:
          - apiGroups:
            - batch
            resources:
            - cronjobs
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - batch
            resources:
            - jobs
            verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - batch
            resources:
            - cronjobs/status
            verbs:
            - update
          - apiGroups:
            - batch
            resources:
            - cronjobs/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - delete
            - list
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:daemon-set-controller
          rules:
          - apiGroups:
            - apps
            - extensions
            resources:
            - daemonsets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - apps
            - extensions
            resources:
            - daemonsets/status
            verbs:
            - update
          - apiGroups:
            - apps
            - extensions
            resources:
            - daemonsets/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - list
            - patch
            - watch
          - apiGroups:
            - ""
            resources:
            - pods/binding
            verbs:
            - create
          - apiGroups:
            - apps
            resources:
            - controllerrevisions
            verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:deployment-controller
          rules:
          - apiGroups:
            - apps
            - extensions
            resources:
            - deployments
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - apps
            - extensions
            resources:
            - deployments/status
            verbs:
            - update
          - apiGroups:
            - apps
            - extensions
            resources:
            - deployments/finalizers
            verbs:
            - update
          - apiGroups:
            - apps
            - extensions
            resources:
            - replicasets
            verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:disruption-controller
          rules:
          - apiGroups:
            - apps
            - extensions
            resources:
            - deployments
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - apps
            - extensions
            resources:
            - replicasets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - replicationcontrollers
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - policy
            resources:
            - poddisruptionbudgets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - apps
            resources:
            - statefulsets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - policy
            resources:
            - poddisruptionbudgets/status
            verbs:
            - update
          - apiGroups:
            - '*'
            resources:
            - '*/scale'
            verbs:
            - get
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpoint-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - pods
            - services
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - endpoints
            verbs:
            - create
            - delete
            - get
            - list
            - update
          - apiGroups:
            - ""
            resources:
            - endpoints/restricted
            verbs:
            - create
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpointslice-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            - pods
            - services
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - services/finalizers
            verbs:
            - update
          - apiGroups:
            - discovery.k8s.io
            resources:
            - endpointslices
            verbs:
            - create
            - delete
            - get
            - list
            - update
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpointslicemirroring-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - endpoints
            - services
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - services/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - endpoints/finalizers
            verbs:
            - update
          - apiGroups:
            - discovery.k8s.io
            resources:
            - endpointslices
            verbs:
            - create
            - delete
            - get
            - list
            - update
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:expand-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - persistentvolumes
            verbs:
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims/status
            verbs:
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - storage.k8s.io
            resources:
            - storageclasses
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - endpoints
            - services
            verbs:
            - get
          - apiGroups:
            - ""
            resources:
            - secrets
            verbs:
            - get
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:generic-garbage-collector
          rules:
          - apiGroups:
            - '*'
            resources:
            - '*'
            verbs:
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:horizontal-pod-autoscaler
          rules:
          - apiGroups:
            - autoscaling
            resources:
            - horizontalpodautoscalers
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - autoscaling
            resources:
            - horizontalpodautoscalers/status
            verbs:
            - update
          - apiGroups:
            - '*'
            resources:
            - '*/scale'
            verbs:
            - get
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - list
          - apiGroups:
            - ""
            resourceNames:
            - 'http:heapster:'
            - 'https:heapster:'
            resources:
            - services/proxy
            verbs:
            - get
          - apiGroups:
            - metrics.k8s.io
            resources:
            - pods
            verbs:
            - list
          - apiGroups:
            - custom.metrics.k8s.io
            resources:
            - '*'
            verbs:
            - get
            - list
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:job-controller
          rules:
          - apiGroups:
            - batch
            resources:
            - jobs
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - batch
            resources:
            - jobs/status
            verbs:
            - update
          - apiGroups:
            - batch
            resources:
            - jobs/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - list
            - patch
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:namespace-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - namespaces
            verbs:
            - delete
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - namespaces/finalize
            - namespaces/status
            verbs:
            - update
          - apiGroups:
            - '*'
            resources:
            - '*'
            verbs:
            - delete
            - deletecollection
            - get
            - list
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:node-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - delete
            - get
            - list
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - nodes/status
            verbs:
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - pods/status
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - delete
            - list
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:persistent-volume-binder
          rules:
          - apiGroups:
            - ""
            resources:
            - persistentvolumes
            verbs:
            - create
            - delete
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - persistentvolumes/status
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims/status
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - get
            - list
            - watch
          - apiGroups:
            - storage.k8s.io
            resources:
            - storageclasses
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - endpoints
            verbs:
            - create
            - delete
            - get
            - update
          - apiGroups:
            - ""
            resources:
            - services
            verbs:
            - create
            - delete
            - get
          - apiGroups:
            - ""
            resources:
            - secrets
            verbs:
            - get
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - get
            - list
          - apiGroups:
            - ""
            resources:
            - events
            verbs:
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pod-garbage-collector
          rules:
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - delete
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - get
            - list
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pv-protection-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - persistentvolumes
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pvc-protection-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:replicaset-controller
          rules:
          - apiGroups:
            - apps
            - extensions
            resources:
            - replicasets
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - apps
            - extensions
            resources:
            - replicasets/status
            verbs:
            - update
          - apiGroups:
            - apps
            - extensions
            resources:
            - replicasets/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - list
            - patch
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:replication-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - replicationcontrollers
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - replicationcontrollers/status
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - replicationcontrollers/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - list
            - patch
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:resourcequota-controller
          rules:
          - apiGroups:
            - '*'
            resources:
            - '*'
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - resourcequotas/status
            verbs:
            - update
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ro
        
        A: ot-ca-cert-publisher
          rules:
          - apiGroups:
            - ""
            resources:
            - configmaps
            verbs:
            - create
            - update
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:route-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - nodes/status
            verbs:
            - patch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-account-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - serviceaccounts
            verbs:
            - create
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - services
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - services/status
            verbs:
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:statefulset-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - list
            - watch
          - apiGroups:
            - apps
            resources:
            - statefulsets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - apps
            resources:
            - statefulsets/status
            verbs:
            - update
          - apiGroups:
            - apps
            resources:
            - statefulsets/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - get
            - patch
            - update
          - apiGroups:
            - apps
            resources:
            - controllerrevisions
            verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            verbs:
            - create
            - get
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ttl-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        kind: List
        metadata: {}
        
        
        B: ute-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - nodes/status
            verbs:
            - patch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-account-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - serviceaccounts
            verbs:
            - create
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - services
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - services/status
            verbs:
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:statefulset-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - list
            - watch
          - apiGroups:
            - apps
            resources:
            - statefulsets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - apps
            resources:
            - statefulsets/status
            verbs:
            - update
          - apiGroups:
            - apps
            resources:
            - statefulsets/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - get
            - patch
            - update
          - apiGroups:
            - apps
            resources:
            - controllerrevisions
            verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            verbs:
            - create
            - get
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ttl-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        kind: List
        metadata: {}
        
        
    policy_test.go:258: If the change is expected, re-run with UPDATE_BOOTSTRAP_POLICY_FIXTURE_DATA=true to update the fixtures
--- FAIL: TestBootstrapControllerRoleBindings (0.09s)
    policy_test.go:246: Bootstrap policy data does not match the test fixture in testdata/controller-role-bindings.yaml
    policy_test.go:257: Diff between bootstrap data and fixture data in testdata/controller-role-bindings.yaml:
        -------------
        apiVersion: v1
        items:
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:attachdetach-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:attachdetach-controller
          subjects:
          - kind: ServiceAccount
            name: attachdetach-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:certificate-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:certificate-controller
          subjects:
          - kind: ServiceAccount
            name: certificate-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:clusterrole-aggregation-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:clusterrole-aggregation-controller
          subjects:
          - kind: ServiceAccount
            name: clusterrole-aggregation-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:cronjob-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:cronjob-controller
          subjects:
          - kind: ServiceAccount
            name: cronjob-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:daemon-set-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:daemon-set-controller
          subjects:
          - kind: ServiceAccount
            name: daemon-set-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:deployment-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:deployment-controller
          subjects:
          - kind: ServiceAccount
            name: deployment-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:disruption-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:disruption-controller
          subjects:
          - kind: ServiceAccount
            name: disruption-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpoint-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:endpoint-controller
          subjects:
          - kind: ServiceAccount
            name: endpoint-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpointslice-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:endpointslice-controller
          subjects:
          - kind: ServiceAccount
            name: endpointslice-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpointslicemirroring-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:endpointslicemirroring-controller
          subjects:
          - kind: ServiceAccount
            name: endpointslicemirroring-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:expand-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:expand-controller
          subjects:
          - kind: ServiceAccount
            name: expand-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:generic-garbage-collector
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:generic-garbage-collector
          subjects:
          - kind: ServiceAccount
            name: generic-garbage-collector
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:horizontal-pod-autoscaler
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:horizontal-pod-autoscaler
          subjects:
          - kind: ServiceAccount
            name: horizontal-pod-autoscaler
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:job-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:job-controller
          subjects:
          - kind: ServiceAccount
            name: job-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:namespace-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:namespace-controller
          subjects:
          - kind: ServiceAccount
            name: namespace-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:node-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:node-controller
          subjects:
          - kind: ServiceAccount
            name: node-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:persistent-volume-binder
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:persistent-volume-binder
          subjects:
          - kind: ServiceAccount
            name: persistent-volume-binder
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pod-garbage-collector
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:pod-garbage-collector
          subjects:
          - kind: ServiceAccount
            name: pod-garbage-collector
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pv-protection-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:pv-protection-controller
          subjects:
          - kind: ServiceAccount
            name: pv-protection-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pvc-protection-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:pvc-protection-controller
          subjects:
          - kind: ServiceAccount
            name: pvc-protection-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:replicaset-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:replicaset-controller
          subjects:
          - kind: ServiceAccount
            name: replicaset-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:replication-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:replication-controller
          subjects:
          - kind: ServiceAccount
            name: replication-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:resourcequota-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:resourcequota-controller
          subjects:
          - kind: ServiceAccount
            name: resourcequota-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ro
        
        A: ot-ca-cert-publisher
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:root-ca-cert-publisher
          subjects:
          - kind: ServiceAccount
            name: root-ca-cert-publisher
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:route-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:route-controller
          subjects:
          - kind: ServiceAccount
            name: route-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-account-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:service-account-controller
          subjects:
          - kind: ServiceAccount
            name: service-account-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:service-controller
          subjects:
          - kind: ServiceAccount
            name: service-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:statefulset-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:statefulset-controller
          subjects:
          - kind: ServiceAccount
            name: statefulset-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ttl-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:ttl-controller
          subjects:
          - kind: ServiceAccount
            name: ttl-controller
            namespace: kube-system
        kind: List
        metadata: {}
        
        
        B: ute-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:route-controller
          subjects:
          - kind: ServiceAccount
            name: route-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-account-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:service-account-controller
          subjects:
          - kind: ServiceAccount
            name: service-account-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:service-controller
          subjects:
          - kind: ServiceAccount
            name: service-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:statefulset-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:statefulset-controller
          subjects:
          - kind: ServiceAccount
            name: statefulset-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ttl-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:ttl-controller
          subjects:
          - kind: ServiceAccount
            name: ttl-controller
            namespace: kube-system
        kind: List
        metadata: {}
        
        
    policy_test.go:258: If the change is expected, re-run with UPDATE_BOOTSTRAP_POLICY_FIXTURE_DATA=true to update the fixtures
FAIL

				from junit_bazel.xml

Filter through log files | View test history on testgrid


//plugin/pkg/auth/authorizer/rbac/bootstrappolicy/go_default_test:run_2_of_2 0.00s

bazel test //plugin/pkg/auth/authorizer/rbac/bootstrappolicy/go_default_test:run_2_of_2
exec ${PAGER:-/usr/bin/less} "$0" || exit 1
Executing tests from //plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_test
-----------------------------------------------------------------------------
--- FAIL: TestBootstrapControllerRoles (0.14s)
    policy_test.go:246: Bootstrap policy data does not match the test fixture in testdata/controller-roles.yaml
    policy_test.go:257: Diff between bootstrap data and fixture data in testdata/controller-roles.yaml:
        -------------
        apiVersion: v1
        items:
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:attachdetach-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            - persistentvolumes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - nodes/status
            verbs:
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
          - apiGroups:
            - storage.k8s.io
            resources:
            - volumeattachments
            verbs:
            - create
            - delete
            - get
            - list
            - watch
          - apiGroups:
            - storage.k8s.io
            resources:
            - csidrivers
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - storage.k8s.io
            resources:
            - csinodes
            verbs:
            - get
            - list
            - watch
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:certificate-controller
          rules:
          - apiGroups:
            - certificates.k8s.io
            resources:
            - certificatesigningrequests
            verbs:
            - delete
            - get
            - list
            - watch
          - apiGroups:
            - certificates.k8s.io
            resources:
            - certificatesigningrequests/approval
            - certificatesigningrequests/status
            verbs:
            - update
          - apiGroups:
            - certificates.k8s.io
            resourceNames:
            - kubernetes.io/kube-apiserver-client-kubelet
            resources:
            - signers
            verbs:
            - approve
          - apiGroups:
            - certificates.k8s.io
            resourceNames:
            - kubernetes.io/kube-apiserver-client
            - kubernetes.io/kube-apiserver-client-kubelet
            - kubernetes.io/kubelet-serving
            - kubernetes.io/legacy-unknown
            resources:
            - signers
            verbs:
            - sign
          - apiGroups:
            - authorization.k8s.io
            resources:
            - subjectaccessreviews
            verbs:
            - create
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:clusterrole-aggregation-controller
          rules:
          - apiGroups:
            - rbac.authorization.k8s.io
            resources:
            - clusterroles
            verbs:
            - escalate
            - get
            - list
            - patch
            - update
            - watch
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:cronjob-controller
          rules:
          - apiGroups:
            - batch
            resources:
            - cronjobs
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - batch
            resources:
            - jobs
            verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - batch
            resources:
            - cronjobs/status
            verbs:
            - update
          - apiGroups:
            - batch
            resources:
            - cronjobs/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - delete
            - list
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:daemon-set-controller
          rules:
          - apiGroups:
            - apps
            - extensions
            resources:
            - daemonsets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - apps
            - extensions
            resources:
            - daemonsets/status
            verbs:
            - update
          - apiGroups:
            - apps
            - extensions
            resources:
            - daemonsets/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - list
            - patch
            - watch
          - apiGroups:
            - ""
            resources:
            - pods/binding
            verbs:
            - create
          - apiGroups:
            - apps
            resources:
            - controllerrevisions
            verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:deployment-controller
          rules:
          - apiGroups:
            - apps
            - extensions
            resources:
            - deployments
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - apps
            - extensions
            resources:
            - deployments/status
            verbs:
            - update
          - apiGroups:
            - apps
            - extensions
            resources:
            - deployments/finalizers
            verbs:
            - update
          - apiGroups:
            - apps
            - extensions
            resources:
            - replicasets
            verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:disruption-controller
          rules:
          - apiGroups:
            - apps
            - extensions
            resources:
            - deployments
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - apps
            - extensions
            resources:
            - replicasets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - replicationcontrollers
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - policy
            resources:
            - poddisruptionbudgets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - apps
            resources:
            - statefulsets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - policy
            resources:
            - poddisruptionbudgets/status
            verbs:
            - update
          - apiGroups:
            - '*'
            resources:
            - '*/scale'
            verbs:
            - get
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpoint-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - pods
            - services
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - endpoints
            verbs:
            - create
            - delete
            - get
            - list
            - update
          - apiGroups:
            - ""
            resources:
            - endpoints/restricted
            verbs:
            - create
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpointslice-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            - pods
            - services
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - services/finalizers
            verbs:
            - update
          - apiGroups:
            - discovery.k8s.io
            resources:
            - endpointslices
            verbs:
            - create
            - delete
            - get
            - list
            - update
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpointslicemirroring-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - endpoints
            - services
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - services/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - endpoints/finalizers
            verbs:
            - update
          - apiGroups:
            - discovery.k8s.io
            resources:
            - endpointslices
            verbs:
            - create
            - delete
            - get
            - list
            - update
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:expand-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - persistentvolumes
            verbs:
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims/status
            verbs:
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - storage.k8s.io
            resources:
            - storageclasses
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - endpoints
            - services
            verbs:
            - get
          - apiGroups:
            - ""
            resources:
            - secrets
            verbs:
            - get
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:generic-garbage-collector
          rules:
          - apiGroups:
            - '*'
            resources:
            - '*'
            verbs:
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:horizontal-pod-autoscaler
          rules:
          - apiGroups:
            - autoscaling
            resources:
            - horizontalpodautoscalers
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - autoscaling
            resources:
            - horizontalpodautoscalers/status
            verbs:
            - update
          - apiGroups:
            - '*'
            resources:
            - '*/scale'
            verbs:
            - get
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - list
          - apiGroups:
            - ""
            resourceNames:
            - 'http:heapster:'
            - 'https:heapster:'
            resources:
            - services/proxy
            verbs:
            - get
          - apiGroups:
            - metrics.k8s.io
            resources:
            - pods
            verbs:
            - list
          - apiGroups:
            - custom.metrics.k8s.io
            resources:
            - '*'
            verbs:
            - get
            - list
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:job-controller
          rules:
          - apiGroups:
            - batch
            resources:
            - jobs
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - batch
            resources:
            - jobs/status
            verbs:
            - update
          - apiGroups:
            - batch
            resources:
            - jobs/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - list
            - patch
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:namespace-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - namespaces
            verbs:
            - delete
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - namespaces/finalize
            - namespaces/status
            verbs:
            - update
          - apiGroups:
            - '*'
            resources:
            - '*'
            verbs:
            - delete
            - deletecollection
            - get
            - list
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:node-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - delete
            - get
            - list
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - nodes/status
            verbs:
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - pods/status
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - delete
            - list
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:persistent-volume-binder
          rules:
          - apiGroups:
            - ""
            resources:
            - persistentvolumes
            verbs:
            - create
            - delete
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - persistentvolumes/status
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims/status
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - get
            - list
            - watch
          - apiGroups:
            - storage.k8s.io
            resources:
            - storageclasses
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - endpoints
            verbs:
            - create
            - delete
            - get
            - update
          - apiGroups:
            - ""
            resources:
            - services
            verbs:
            - create
            - delete
            - get
          - apiGroups:
            - ""
            resources:
            - secrets
            verbs:
            - get
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - get
            - list
          - apiGroups:
            - ""
            resources:
            - events
            verbs:
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pod-garbage-collector
          rules:
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - delete
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - get
            - list
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pv-protection-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - persistentvolumes
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pvc-protection-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:replicaset-controller
          rules:
          - apiGroups:
            - apps
            - extensions
            resources:
            - replicasets
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - apps
            - extensions
            resources:
            - replicasets/status
            verbs:
            - update
          - apiGroups:
            - apps
            - extensions
            resources:
            - replicasets/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - list
            - patch
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:replication-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - replicationcontrollers
            verbs:
            - get
            - list
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - replicationcontrollers/status
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - replicationcontrollers/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - list
            - patch
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:resourcequota-controller
          rules:
          - apiGroups:
            - '*'
            resources:
            - '*'
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - resourcequotas/status
            verbs:
            - update
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ro
        
        A: ot-ca-cert-publisher
          rules:
          - apiGroups:
            - ""
            resources:
            - configmaps
            verbs:
            - create
            - update
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:route-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - nodes/status
            verbs:
            - patch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-account-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - serviceaccounts
            verbs:
            - create
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - services
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - services/status
            verbs:
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:statefulset-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - list
            - watch
          - apiGroups:
            - apps
            resources:
            - statefulsets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - apps
            resources:
            - statefulsets/status
            verbs:
            - update
          - apiGroups:
            - apps
            resources:
            - statefulsets/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - get
            - patch
            - update
          - apiGroups:
            - apps
            resources:
            - controllerrevisions
            verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            verbs:
            - create
            - get
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ttl-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        kind: List
        metadata: {}
        
        
        B: ute-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - nodes/status
            verbs:
            - patch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-account-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - serviceaccounts
            verbs:
            - create
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - services
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - ""
            resources:
            - services/status
            verbs:
            - patch
            - update
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:statefulset-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - list
            - watch
          - apiGroups:
            - apps
            resources:
            - statefulsets
            verbs:
            - get
            - list
            - watch
          - apiGroups:
            - apps
            resources:
            - statefulsets/status
            verbs:
            - update
          - apiGroups:
            - apps
            resources:
            - statefulsets/finalizers
            verbs:
            - update
          - apiGroups:
            - ""
            resources:
            - pods
            verbs:
            - create
            - delete
            - get
            - patch
            - update
          - apiGroups:
            - apps
            resources:
            - controllerrevisions
            verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            resources:
            - persistentvolumeclaims
            verbs:
            - create
            - get
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ttl-controller
          rules:
          - apiGroups:
            - ""
            resources:
            - nodes
            verbs:
            - list
            - patch
            - update
            - watch
          - apiGroups:
            - ""
            - events.k8s.io
            resources:
            - events
            verbs:
            - create
            - patch
            - update
        kind: List
        metadata: {}
        
        
    policy_test.go:258: If the change is expected, re-run with UPDATE_BOOTSTRAP_POLICY_FIXTURE_DATA=true to update the fixtures
--- FAIL: TestBootstrapControllerRoleBindings (0.09s)
    policy_test.go:246: Bootstrap policy data does not match the test fixture in testdata/controller-role-bindings.yaml
    policy_test.go:257: Diff between bootstrap data and fixture data in testdata/controller-role-bindings.yaml:
        -------------
        apiVersion: v1
        items:
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:attachdetach-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:attachdetach-controller
          subjects:
          - kind: ServiceAccount
            name: attachdetach-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:certificate-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:certificate-controller
          subjects:
          - kind: ServiceAccount
            name: certificate-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:clusterrole-aggregation-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:clusterrole-aggregation-controller
          subjects:
          - kind: ServiceAccount
            name: clusterrole-aggregation-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:cronjob-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:cronjob-controller
          subjects:
          - kind: ServiceAccount
            name: cronjob-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:daemon-set-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:daemon-set-controller
          subjects:
          - kind: ServiceAccount
            name: daemon-set-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:deployment-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:deployment-controller
          subjects:
          - kind: ServiceAccount
            name: deployment-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:disruption-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:disruption-controller
          subjects:
          - kind: ServiceAccount
            name: disruption-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpoint-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:endpoint-controller
          subjects:
          - kind: ServiceAccount
            name: endpoint-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpointslice-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:endpointslice-controller
          subjects:
          - kind: ServiceAccount
            name: endpointslice-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:endpointslicemirroring-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:endpointslicemirroring-controller
          subjects:
          - kind: ServiceAccount
            name: endpointslicemirroring-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:expand-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:expand-controller
          subjects:
          - kind: ServiceAccount
            name: expand-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:generic-garbage-collector
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:generic-garbage-collector
          subjects:
          - kind: ServiceAccount
            name: generic-garbage-collector
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:horizontal-pod-autoscaler
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:horizontal-pod-autoscaler
          subjects:
          - kind: ServiceAccount
            name: horizontal-pod-autoscaler
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:job-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:job-controller
          subjects:
          - kind: ServiceAccount
            name: job-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:namespace-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:namespace-controller
          subjects:
          - kind: ServiceAccount
            name: namespace-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:node-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:node-controller
          subjects:
          - kind: ServiceAccount
            name: node-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:persistent-volume-binder
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:persistent-volume-binder
          subjects:
          - kind: ServiceAccount
            name: persistent-volume-binder
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pod-garbage-collector
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:pod-garbage-collector
          subjects:
          - kind: ServiceAccount
            name: pod-garbage-collector
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pv-protection-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:pv-protection-controller
          subjects:
          - kind: ServiceAccount
            name: pv-protection-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:pvc-protection-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:pvc-protection-controller
          subjects:
          - kind: ServiceAccount
            name: pvc-protection-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:replicaset-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:replicaset-controller
          subjects:
          - kind: ServiceAccount
            name: replicaset-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:replication-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:replication-controller
          subjects:
          - kind: ServiceAccount
            name: replication-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:resourcequota-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:resourcequota-controller
          subjects:
          - kind: ServiceAccount
            name: resourcequota-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ro
        
        A: ot-ca-cert-publisher
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:root-ca-cert-publisher
          subjects:
          - kind: ServiceAccount
            name: root-ca-cert-publisher
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:route-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:route-controller
          subjects:
          - kind: ServiceAccount
            name: route-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-account-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:service-account-controller
          subjects:
          - kind: ServiceAccount
            name: service-account-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:service-controller
          subjects:
          - kind: ServiceAccount
            name: service-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:statefulset-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:statefulset-controller
          subjects:
          - kind: ServiceAccount
            name: statefulset-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ttl-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:ttl-controller
          subjects:
          - kind: ServiceAccount
            name: ttl-controller
            namespace: kube-system
        kind: List
        metadata: {}
        
        
        B: ute-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:route-controller
          subjects:
          - kind: ServiceAccount
            name: route-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-account-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:service-account-controller
          subjects:
          - kind: ServiceAccount
            name: service-account-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:service-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:service-controller
          subjects:
          - kind: ServiceAccount
            name: service-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:statefulset-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:statefulset-controller
          subjects:
          - kind: ServiceAccount
            name: statefulset-controller
            namespace: kube-system
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            annotations:
              rbac.authorization.kubernetes.io/autoupdate: "true"
            creationTimestamp: null
            labels:
              kubernetes.io/bootstrapping: rbac-defaults
            name: system:controller:ttl-controller
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: system:controller:ttl-controller
          subjects:
          - kind: ServiceAccount
            name: ttl-controller
            namespace: kube-system
        kind: List
        metadata: {}
        
        
    policy_test.go:258: If the change is expected, re-run with UPDATE_BOOTSTRAP_POLICY_FIXTURE_DATA=true to update the fixtures
FAIL

				from junit_bazel.xml

Filter through log files | View test history on testgrid


Show 1912 Passed Tests