Correct APIGroup for RoleBindingBuilder Subjects

This change corrects RoleBindingBuilder to use the RBAC API group
with users and groups as subjects (service accounts use the empty
string since they are in the legacy core group).  This is based on
the defaulting in pkg/apis/rbac/v1/defaults.go#SetDefaults_Subject.
This is required because the bootstrap RBAC data is built with these
helpers and does not go through defaulting, whereas the data
retrieved from the server has already gone through defaulting.  This
can lead to the reconciliation code incorrectly adding duplicate
subjects because it believes that they are missing (since the API
groups do not match).

Signed-off-by: Monis Khan <mkhan@redhat.com>

pkg/apis/rbac/helpers.go

@@ -348,7 +348,7 @@ func NewRoleBindingForClusterRole(roleName, namespace string) *RoleBindingBuilde
 // Groups adds the specified groups as the subjects of the RoleBinding.
 func (r *RoleBindingBuilder) Groups(groups ...string) *RoleBindingBuilder {
 	for _, group := range groups {
-		r.RoleBinding.Subjects = append(r.RoleBinding.Subjects, Subject{Kind: GroupKind, Name: group})
+		r.RoleBinding.Subjects = append(r.RoleBinding.Subjects, Subject{Kind: GroupKind, APIGroup: GroupName, Name: group})
 	}
 	return r
 }
@@ -356,7 +356,7 @@ func (r *RoleBindingBuilder) Groups(groups ...string) *RoleBindingBuilder {
 // Users adds the specified users as the subjects of the RoleBinding.
 func (r *RoleBindingBuilder) Users(users ...string) *RoleBindingBuilder {
 	for _, user := range users {
-		r.RoleBinding.Subjects = append(r.RoleBinding.Subjects, Subject{Kind: UserKind, Name: user})
+		r.RoleBinding.Subjects = append(r.RoleBinding.Subjects, Subject{Kind: UserKind, APIGroup: GroupName, Name: user})
 	}
 	return r
 }