Got the feeling from kubectl get clusterrole ...

that having access control rules, in particular cluster scoped, lying around without knowing where they come from will be unmaintainable over time. Labels show up nicely in describe.
Yolean · solsson · Aug 5, 2017 · Aug 5, 2017 · Aug 5, 2017 · Aug 5, 2017
commit 35974266ae938856f3a254b12308b1a99e67e5e7
diff --git a/rbac-namespace-default/events-watcher.yml b/rbac-namespace-default/events-watcher.yml
@@ -4,6 +4,8 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: events-watcher
+  labels:
+    origin: github.com_Yolean_kubernetes-kafka
 rules:
 - apiGroups:
   - ""
@@ -16,6 +18,8 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: kafka-events-watcher
+  labels:
+    origin: github.com_Yolean_kubernetes-kafka
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/rbac-namespace-default/node-reader.yml b/rbac-namespace-default/node-reader.yml
@@ -4,6 +4,8 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: node-reader
+  labels:
+    origin: github.com_Yolean_kubernetes-kafka
 rules:
 - apiGroups:
   - ""
@@ -16,6 +18,8 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: kafka-node-reader
+  labels:
+    origin: github.com_Yolean_kubernetes-kafka
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole