Bumping k8s dependencies to 1.13

vendor/k8s.io/kubernetes/pkg/registry/rbac/validation/rule.go

@@ -20,15 +20,17 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"strings"
 
 	"github.com/golang/glog"
 
 	rbacv1 "k8s.io/api/rbac/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apiserver/pkg/authentication/serviceaccount"
 	"k8s.io/apiserver/pkg/authentication/user"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
 )
 
 type AuthorizationRuleResolver interface {
@@ -65,7 +67,22 @@ func ConfirmNoEscalation(ctx context.Context, ruleResolver AuthorizationRuleReso
 
 	ownerRightsCover, missingRights := Covers(ownerRules, rules)
 	if !ownerRightsCover {
-		return apierrors.NewUnauthorized(fmt.Sprintf("attempt to grant extra privileges: %v user=%v ownerrules=%v ruleResolutionErrors=%v", missingRights, user, ownerRules, ruleResolutionErrors))
+		compactMissingRights := missingRights
+		if compact, err := CompactRules(missingRights); err == nil {
+			compactMissingRights = compact
+		}
+
+		missingDescriptions := sets.NewString()
+		for _, missing := range compactMissingRights {
+			missingDescriptions.Insert(rbacv1helpers.CompactString(missing))
+		}
+
+		msg := fmt.Sprintf("user %q (groups=%q) is attempting to grant RBAC permissions not currently held:\n%s", user.GetName(), user.GetGroups(), strings.Join(missingDescriptions.List(), "\n"))
+		if len(ruleResolutionErrors) > 0 {
+			msg = msg + fmt.Sprintf("; resolution errors: %v", ruleResolutionErrors)
+		}
+
+		return errors.New(msg)
 	}
 	return nil
 }