// Covers determines whether or not the ownerRules cover the servantRules in terms of allowed actions.
// It returns whether or not the ownerRules cover and a list of the rules that the ownerRules do not cover.
//
// Both arguments are plain []rbacv1.PolicyRule slices: the signature carries no namespace, subject,
// or binding information, so any scoping has to be resolved by the caller before the slices are built.
//
// NOTE(review): the body is elided in this listing. If the boolean gates a permission-granting
// decision, callers should fail closed on false and report the uncovered rules — confirm at call sites.
func Covers(ownerRules, servantRules []rbacv1.PolicyRule) (bool, []rbacv1.PolicyRule) { … }

// BreakdownRule takes a rule and builds an equivalent list of rules that each have at most one verb, one
// resource, and one resource name.
//
// NOTE(review): PolicyRule also carries APIGroups and NonResourceURLs, which this comment does not
// mention; how they are expanded is not visible here — confirm against the elided body.
func BreakdownRule(rule rbacv1.PolicyRule) []rbacv1.PolicyRule { … }

// has presumably reports whether ele is present in set (body elided — confirm).
func has(set []string, ele string) bool { … }

// hasAll presumably reports whether every element of contains is matched by set (body elided — confirm).
// NOTE(review): whether a wildcard entry in set is honoured here is not visible in this listing.
func hasAll(set, contains []string) bool { … }

// resourceCoversAll presumably reports whether setResources covers every entry of coversResources
// (body elided — confirm).
// NOTE(review): wildcard and subresource matching should agree with the authorizer's own matching,
// otherwise a rule can be judged covered here yet grant more at request time — verify.
func resourceCoversAll(setResources, coversResources []string) bool { … }

// nonResourceURLsCoversAll presumably reports whether every path in covers is covered by some path
// in set (body elided — confirm).
func nonResourceURLsCoversAll(set, covers []string) bool { … }

// nonResourceURLCovers presumably reports whether ownerPath covers subPath (body elided — confirm).
// NOTE(review): the pattern or prefix semantics applied to ownerPath are not visible in this listing.
func nonResourceURLCovers(ownerPath, subPath string) bool { … }

// ruleCovers determines whether the ownerRule (which may have multiple verbs, resources, and resourceNames) covers
// the subrule (which may only contain at most one verb, resource, and resourceName).
//
// NOTE(review): the single-verb/resource/resourceName precondition on subRule is stated only in this
// comment and is not expressed by the signature; presumably callers pass BreakdownRule output — confirm.
func ruleCovers(ownerRule, subRule rbacv1.PolicyRule) bool { … }