APIResourcesToExpandedRules converts an APIResourceList into a list of PolicyRules with all verbs allowed.

ApplyDenyRulesToExpandedRuleset takes in an expanded ruleset (see func `ExpandPolicyRules`) and removes anything matching the deny rules.

BuildPolicyRules takes an inherited role, an allow list, and a deny list; and processes everything into a list of policy rules.

CreateOrUpdateClusterRole ensures that a clusterrole exists in the specified state in the cluster, whether it has to be created or updated to ensure that.

CreateOrUpdateRole ensures that a role exists in the specified state in the cluster, whether it has to be created or updated to ensure that.

DiscoverClusterResources returns a list of all known resources and groups known to this API server.

EnumeratePolicyRules takes a list of rules with wildcards and returns a list of policy rules with resources explicitly enumerated.

ExpandPolicyRules ensures that multiple resources with the same verbs are not grouped together in the same rule definition (makes it easier to edit individual verbs later).

GetCacheInstance returns or instantiates a ResourceCache.

MergeExpandedPolicyRules takes two expanded rulesets (see func `ExpandPolicyRules`) and returns one merged expanded ruleset.

StripNonResourceURLs takes a list of PolicyRules that may specify NonResourceURLs and returns the same list without any NonResourceURLs.

ResourceCache holds information about the kube cluster state and its policies so that it doesn't need to be queried for every reconciliation.