Add --rolebinding-name to policy commands

Add the --rolebinding-name option to the rolebinding and
clusterrolebinding add commands for specifying the name of the rolebinding
to modify.

Fixes #13035

Author: Matt Rogers

Diff for: pkg/cmd/admin/policy/modify_roles.go

@@ -41,6 +41,7 @@ var (
 type RoleModificationOptions struct {
 	RoleNamespace       string
 	RoleName            string
+	RoleBindingName     string
 	RoleBindingAccessor RoleBindingAccessor
 
 	Targets  []string
@@ -71,6 +72,7 @@ func NewCmdAddRoleToGroup(name, fullName string, f *clientcmd.Factory, out io.Wr
 		},
 	}
 
+	cmd.Flags().StringVar(&options.RoleBindingName, "rolebinding-name", "", "Name of the rolebinding to modify or create. If left empty, appends to the first rolebinding found for the given role")
 	cmd.Flags().StringVar(&options.RoleNamespace, "role-namespace", "", "namespace where the role is located: empty means a role defined in cluster policy")
 
 	return cmd
@@ -99,6 +101,7 @@ func NewCmdAddRoleToUser(name, fullName string, f *clientcmd.Factory, out io.Wri
 		},
 	}
 
+	cmd.Flags().StringVar(&options.RoleBindingName, "rolebinding-name", "", "Name of the rolebinding to modify or create. If left empty, appends to the first rolebinding found for the given role")
 	cmd.Flags().StringVar(&options.RoleNamespace, "role-namespace", "", "namespace where the role is located: empty means a role defined in cluster policy")
 	cmd.Flags().StringSliceVarP(&saNames, "serviceaccount", "z", saNames, "service account in the current namespace to use as a user")
 
@@ -180,6 +183,7 @@ func NewCmdAddClusterRoleToGroup(name, fullName string, f *clientcmd.Factory, ou
 		},
 	}
 
+	cmd.Flags().StringVar(&options.RoleBindingName, "rolebinding-name", "", "Name of the rolebinding to modify or create. If left empty, appends to the first rolebinding found for the given role")
 	return cmd
 }
 
@@ -205,6 +209,7 @@ func NewCmdAddClusterRoleToUser(name, fullName string, f *clientcmd.Factory, out
 		},
 	}
 
+	cmd.Flags().StringVar(&options.RoleBindingName, "rolebinding-name", "", "Name of the rolebinding to modify or create. If left empty, appends to the first rolebinding found for the given role")
 	cmd.Flags().StringSliceVarP(&saNames, "serviceaccount", "z", saNames, "service account in the current namespace to use as a user")
 
 	return cmd
@@ -267,6 +272,7 @@ func (o *RoleModificationOptions) CompleteUserWithSA(f *clientcmd.Factory, args
 	}
 
 	o.RoleName = args[0]
+
 	if len(args) > 1 {
 		o.Users = append(o.Users, args[1:]...)
 	}
@@ -332,23 +338,43 @@ func (o *RoleModificationOptions) Complete(f *clientcmd.Factory, args []string,
 }
 
 func (o *RoleModificationOptions) AddRole() error {
-	roleBindings, err := o.RoleBindingAccessor.GetExistingRoleBindingsForRole(o.RoleNamespace, o.RoleName)
-	if err != nil {
-		return err
-	}
-	roleBindingNames, err := o.RoleBindingAccessor.GetExistingRoleBindingNames()
-	if err != nil {
-		return err
-	}
-
 	var roleBinding *authorizationapi.RoleBinding
-	isUpdate := true
-	if len(roleBindings) == 0 {
-		roleBinding = &authorizationapi.RoleBinding{}
-		isUpdate = false
+	var err error
+	isUpdate := false
+	if len(o.RoleBindingName) > 0 {
+		// Look for an existing rolebinding by name.
+		roleBinding, err = o.RoleBindingAccessor.GetRoleBinding(o.RoleBindingName)
+		if err != nil && !kapierrors.IsNotFound(err) {
+			return err
+		}
+		if !kapierrors.IsNotFound(err) && roleBinding != nil {
+			if roleBinding.RoleRef.Name != o.RoleName || roleBinding.RoleRef.Namespace != o.RoleNamespace {
+				return fmt.Errorf("rolebinding %s found for role %s, not %s", roleBinding.Name, roleBinding.RoleRef.Name, o.RoleName)
+			}
+			isUpdate = true
+		} else {
+			roleBinding = &authorizationapi.RoleBinding{}
+			roleBinding.Name = o.RoleBindingName
+		}
 	} else {
-		// only need to add the user or group to a single roleBinding on the role.  Just choose the first one
-		roleBinding = roleBindings[0]
+		// Look for existing bindings by role.
+		roleBindings, err := o.RoleBindingAccessor.GetExistingRoleBindingsForRole(o.RoleNamespace, o.RoleName)
+		if err != nil {
+			return err
+		}
+
+		if len(roleBindings) > 0 {
+			// only need to add the user or group to a single roleBinding on the role.  Just choose the first one
+			roleBinding = roleBindings[0]
+			isUpdate = true
+		} else {
+			roleBinding = &authorizationapi.RoleBinding{}
+			roleBindingNames, err := o.RoleBindingAccessor.GetExistingRoleBindingNames()
+			if err != nil {
+				return err
+			}
+			roleBinding.Name = getUniqueName(o.RoleName, roleBindingNames)
+		}
 	}
 
 	roleBinding.RoleRef.Namespace = o.RoleNamespace
@@ -373,7 +399,6 @@ subjectCheck:
 	if isUpdate {
 		err = o.RoleBindingAccessor.UpdateRoleBinding(roleBinding)
 	} else {
-		roleBinding.Name = getUniqueName(o.RoleName, roleBindingNames)
 		err = o.RoleBindingAccessor.CreateRoleBinding(roleBinding)
 		// If the rolebinding was created in the meantime, rerun
 		if kapierrors.IsAlreadyExists(err) {