Merge pull request #64541 from mrogers950/additive-flag

Automatic merge from submit-queue (batch tested with PRs 63580, 63744, 64541, 64502, 64100). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Add more kubectl auth reconcile flags

```release-note
The --remove-extra-subjects and --remove-extra-permissions flags have been enabled for kubectl auth reconcile
```
/assign @deads2k 
cc @enj @juanvallejo

pkg/kubectl/cmd/auth/reconcile.go

@@ -37,9 +37,11 @@ import (
 // ReconcileOptions is the start of the data required to perform the operation.  As new fields are added, add them here instead of
 // referencing the cmd.Flags()
 type ReconcileOptions struct {
-	PrintFlags      *genericclioptions.PrintFlags
-	FilenameOptions *resource.FilenameOptions
-	DryRun          bool
+	PrintFlags             *genericclioptions.PrintFlags
+	FilenameOptions        *resource.FilenameOptions
+	DryRun                 bool
+	RemoveExtraPermissions bool
+	RemoveExtraSubjects    bool
 
 	Visitor         resource.Visitor
 	RBACClient      rbacv1client.RbacV1Interface
@@ -89,6 +91,8 @@ func NewCmdReconcile(f cmdutil.Factory, streams genericclioptions.IOStreams) *co
 
 	cmdutil.AddFilenameOptionFlags(cmd, o.FilenameOptions, "identifying the resource to reconcile.")
 	cmd.Flags().BoolVar(&o.DryRun, "dry-run", o.DryRun, "If true, display results but do not submit changes")
+	cmd.Flags().BoolVar(&o.RemoveExtraPermissions, "remove-extra-permissions", o.RemoveExtraPermissions, "If true, removes extra permissions added to roles")
+	cmd.Flags().BoolVar(&o.RemoveExtraSubjects, "remove-extra-subjects", o.RemoveExtraSubjects, "If true, removes extra subjects added to rolebindings")
 	cmd.MarkFlagRequired("filename")
 
 	return cmd
@@ -174,7 +178,7 @@ func (o *ReconcileOptions) RunReconcile() error {
 		case *rbacv1.Role:
 			reconcileOptions := reconciliation.ReconcileRoleOptions{
 				Confirm:                !o.DryRun,
-				RemoveExtraPermissions: false,
+				RemoveExtraPermissions: o.RemoveExtraPermissions,
 				Role: reconciliation.RoleRuleOwner{Role: t},
 				Client: reconciliation.RoleModifier{
 					NamespaceClient: o.NamespaceClient.Namespaces(),
@@ -190,7 +194,7 @@ func (o *ReconcileOptions) RunReconcile() error {
 		case *rbacv1.ClusterRole:
 			reconcileOptions := reconciliation.ReconcileRoleOptions{
 				Confirm:                !o.DryRun,
-				RemoveExtraPermissions: false,
+				RemoveExtraPermissions: o.RemoveExtraPermissions,
 				Role: reconciliation.ClusterRoleRuleOwner{ClusterRole: t},
 				Client: reconciliation.ClusterRoleModifier{
 					Client: o.RBACClient.ClusterRoles(),
@@ -205,7 +209,7 @@ func (o *ReconcileOptions) RunReconcile() error {
 		case *rbacv1.RoleBinding:
 			reconcileOptions := reconciliation.ReconcileRoleBindingOptions{
 				Confirm:             !o.DryRun,
-				RemoveExtraSubjects: false,
+				RemoveExtraSubjects: o.RemoveExtraSubjects,
 				RoleBinding:         reconciliation.RoleBindingAdapter{RoleBinding: t},
 				Client: reconciliation.RoleBindingClientAdapter{
 					Client:          o.RBACClient,
@@ -221,7 +225,7 @@ func (o *ReconcileOptions) RunReconcile() error {
 		case *rbacv1.ClusterRoleBinding:
 			reconcileOptions := reconciliation.ReconcileRoleBindingOptions{
 				Confirm:             !o.DryRun,
-				RemoveExtraSubjects: false,
+				RemoveExtraSubjects: o.RemoveExtraSubjects,
 				RoleBinding:         reconciliation.ClusterRoleBindingAdapter{ClusterRoleBinding: t},
 				Client: reconciliation.ClusterRoleBindingClientAdapter{
 					Client: o.RBACClient.ClusterRoleBindings(),