validate nonResourceURL in create clusterrole

pkg/kubectl/cmd/create_clusterrole.go

@@ -19,6 +19,7 @@ package cmd
 import (
 	"fmt"
 	"io"
+	"strings"
 
 	"github.com/spf13/cobra"
 
@@ -133,6 +134,20 @@ func (c *CreateClusterRoleOptions) Validate() error {
 				return fmt.Errorf("invalid verb: '%s' for nonResourceURL", v)
 			}
 		}
+
+		for _, nonResourceURL := range c.NonResourceURLs {
+			if nonResourceURL == "*" {
+				continue
+			}
+
+			if nonResourceURL == "" || !strings.HasPrefix(nonResourceURL, "/") {
+				return fmt.Errorf("nonResourceURL should start with /")
+			}
+
+			if strings.ContainsRune(nonResourceURL[:len(nonResourceURL)-1], '*') {
+				return fmt.Errorf("nonResourceURL only supports wildcard matches when '*' is at the end")
+			}
+		}
 	}
 
 	return nil