Description of problem:
OCP 3.11 documentation says: "To add or update custom roles and permissions, it is strongly recommended to use 'oc auth reconcile' command".
To update custom roles it is absolutely logical to use the 'oc auth reconcile' command, since it appends new verbs to the custom role instead of deleting the old verbs and adding new ones.
I don't think the same command should be our recommendation for creating a custom role, because if a custom role with the same name as the new role is already present in the environment, the command will simply update that role. The cluster admin would not be notified that a custom role with the same name already exists in the environment, which in turn might grant extended permissions to the users/SAs bound to that custom role.
Version-Release number of selected component (if applicable):
- OpenShift Container Platform 3.11
Steps to Reproduce:
1. Create a custom role using the 'oc auth reconcile' command.
2. Create another custom role with the same name but a different definition from the first one, again using 'oc auth reconcile'.
3. Observe that the 'oc auth reconcile' command creates the custom role if no custom role with the same name exists; otherwise it updates the existing role.
- The 'oc auth reconcile' command does not notify the user that a custom role with the same name already exists.
- It should notify the cluster admin.
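As an added example (not part of this report or of the OpenShift documentation), the following wrapper script shows the check a cluster admin would want before creating a role with 'oc auth reconcile': it looks up the role named in the manifest first and refuses to reconcile if one with that name already exists, so creation cannot silently become an update. The line-based manifest parsing, the sample role 'custom-pod-reader' in namespace 'my-project', and the OC override variable are assumptions made for illustration only.

```shell
#!/bin/sh
# Added example (not from the original report or the OpenShift docs):
# a wrapper that refuses to run 'oc auth reconcile' when the role named in
# the manifest already exists, so that creating a role can never silently
# turn into an update of an existing role with the same name.
#
# Assumptions (hypothetical, for illustration): the manifest holds exactly one
# Role or ClusterRole with unquoted 'kind', 'metadata.name' and, for a Role,
# 'metadata.namespace'; 'oc' is on PATH. OC may be overridden to test offline.

OC=${OC:-oc}

# manifest_field KEY FILE: first value of 'KEY:' found in FILE (any indentation).
manifest_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1
}

# role_exists KIND NAME [NAMESPACE]: 0 if the object is already in the cluster.
role_exists() {
    if [ -n "$3" ]; then
        "$OC" get "$1" "$2" -n "$3" >/dev/null 2>&1
    else
        "$OC" get "$1" "$2" >/dev/null 2>&1
    fi
}

# safe_reconcile FILE: warns and returns 2 instead of reconciling when the
# role already exists; otherwise runs 'oc auth reconcile -f FILE'.
safe_reconcile() {
    file=$1
    kind=$(manifest_field kind "$file")
    name=$(manifest_field name "$file")
    ns=$(manifest_field namespace "$file")
    case "$kind" in
        Role|ClusterRole) ;;
        *) echo "safe_reconcile: unsupported or missing kind '$kind' in $file" >&2; return 1 ;;
    esac
    if role_exists "$kind" "$name" "$ns"; then
        echo "safe_reconcile: $kind '$name'${ns:+ in namespace $ns} already exists;" >&2
        echo "  review it with: $OC get $kind $name${ns:+ -n $ns} -o yaml" >&2
        echo "  then run '$OC auth reconcile -f $file' only if you mean to update it" >&2
        return 2
    fi
    "$OC" auth reconcile -f "$file"
}

# write_sample_role FILE: writes a constructed Role manifest (sample data only).
write_sample_role() {
    cat >"$1" <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: custom-pod-reader
  namespace: my-project
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
EOF
}
```

Source the file and call safe_reconcile with the manifest path; an exit status of 2 means a role with that name already exists and 'oc auth reconcile' was deliberately not run, which is exactly the notification the report asks for.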
Section Number and Name:
Describe the issue:
Suggestions for improvement:
- To update custom roles and permissions, it is strongly recommended to use the following command:
# oc auth reconcile -f FILE