Fresh dep ensure

vendor/k8s.io/kubernetes/pkg/kubeapiserver/BUILD

@@ -13,11 +13,24 @@ go_library(
     ],
     importpath = "k8s.io/kubernetes/pkg/kubeapiserver",
     deps = [
-        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/server/resourceconfig:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/server/storage:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/storage/storagebackend:go_default_library",
+        "//pkg/api/legacyscheme:go_default_library",
+        "//pkg/apis/admissionregistration:go_default_library",
+        "//pkg/apis/apps:go_default_library",
+        "//pkg/apis/batch:go_default_library",
+        "//pkg/apis/core:go_default_library",
+        "//pkg/apis/events:go_default_library",
+        "//pkg/apis/extensions:go_default_library",
+        "//pkg/apis/networking:go_default_library",
+        "//pkg/apis/policy:go_default_library",
+        "//pkg/apis/storage:go_default_library",
+        "//pkg/kubeapiserver/options:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/server/resourceconfig:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/server/storage:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/storage/storagebackend:go_default_library",
     ],
 )
 

vendor/k8s.io/kubernetes/pkg/kubeapiserver/OWNERS

@@ -8,3 +8,6 @@ reviewers:
 - lavalamp
 - liggitt
 - sttts
+labels:
+- sig/api-machinery
+- area/apiserver

vendor/k8s.io/kubernetes/pkg/kubeapiserver/admission/BUILD

@@ -1,32 +1,37 @@
-package(default_visibility = ["//visibility:public"])
+load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
 
-load(
-    "@io_bazel_rules_go//go:def.bzl",
-    "go_library",
-    "go_test",
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "config.go",
+        "initializer.go",
+    ],
+    importpath = "k8s.io/kubernetes/pkg/kubeapiserver/admission",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//pkg/client/clientset_generated/internalclientset:go_default_library",
+        "//pkg/quota/v1:go_default_library",
+        "//pkg/quota/v1/install:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/api/meta:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/admission:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/initializer:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/util/webhook:go_default_library",
+        "//staging/src/k8s.io/client-go/discovery/cached:go_default_library",
+        "//staging/src/k8s.io/client-go/informers:go_default_library",
+        "//staging/src/k8s.io/client-go/rest:go_default_library",
+        "//staging/src/k8s.io/client-go/restmapper:go_default_library",
+        "//vendor/k8s.io/klog:go_default_library",
+    ],
 )
 
 go_test(
     name = "go_default_test",
     srcs = ["initializer_test.go"],
     embed = [":go_default_library"],
-    deps = ["//vendor/k8s.io/apiserver/pkg/admission:go_default_library"],
-)
-
-go_library(
-    name = "go_default_library",
-    srcs = ["initializer.go"],
-    importpath = "k8s.io/kubernetes/pkg/kubeapiserver/admission",
-    deps = [
-        "//pkg/client/clientset_generated/internalclientset:go_default_library",
-        "//pkg/client/informers/informers_generated/internalversion:go_default_library",
-        "//pkg/quota:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/api/meta:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
-        "//vendor/k8s.io/client-go/kubernetes:go_default_library",
-    ],
+    deps = ["//staging/src/k8s.io/apiserver/pkg/admission:go_default_library"],
 )
 
 filegroup(
@@ -43,4 +48,5 @@ filegroup(
         "//pkg/kubeapiserver/admission/util:all-srcs",
     ],
     tags = ["automanaged"],
+    visibility = ["//visibility:public"],
 )

vendor/k8s.io/kubernetes/pkg/kubeapiserver/admission/config.go

@@ -0,0 +1,80 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package admission
+
+import (
+	"io/ioutil"
+	"net/http"
+	"time"
+
+	"k8s.io/klog"
+
+	utilwait "k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/apiserver/pkg/admission"
+	webhookinit "k8s.io/apiserver/pkg/admission/plugin/webhook/initializer"
+	"k8s.io/apiserver/pkg/server"
+	genericapiserver "k8s.io/apiserver/pkg/server"
+	"k8s.io/apiserver/pkg/util/webhook"
+	cacheddiscovery "k8s.io/client-go/discovery/cached"
+	externalinformers "k8s.io/client-go/informers"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/restmapper"
+	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
+	quotainstall "k8s.io/kubernetes/pkg/quota/v1/install"
+)
+
+// Config holds the configuration needed to for initialize the admission plugins
+type Config struct {
+	CloudConfigFile      string
+	LoopbackClientConfig *rest.Config
+	ExternalInformers    externalinformers.SharedInformerFactory
+}
+
+// New sets up the plugins and admission start hooks needed for admission
+func (c *Config) New(proxyTransport *http.Transport, serviceResolver webhook.ServiceResolver) ([]admission.PluginInitializer, server.PostStartHookFunc, error) {
+	webhookAuthResolverWrapper := webhook.NewDefaultAuthenticationInfoResolverWrapper(proxyTransport, c.LoopbackClientConfig)
+	webhookPluginInitializer := webhookinit.NewPluginInitializer(webhookAuthResolverWrapper, serviceResolver)
+
+	var cloudConfig []byte
+	if c.CloudConfigFile != "" {
+		var err error
+		cloudConfig, err = ioutil.ReadFile(c.CloudConfigFile)
+		if err != nil {
+			klog.Fatalf("Error reading from cloud configuration file %s: %#v", c.CloudConfigFile, err)
+		}
+	}
+	internalClient, err := internalclientset.NewForConfig(c.LoopbackClientConfig)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	discoveryClient := cacheddiscovery.NewMemCacheClient(internalClient.Discovery())
+	discoveryRESTMapper := restmapper.NewDeferredDiscoveryRESTMapper(discoveryClient)
+	kubePluginInitializer := NewPluginInitializer(
+		cloudConfig,
+		discoveryRESTMapper,
+		quotainstall.NewQuotaConfigurationForAdmission(),
+	)
+
+	admissionPostStartHook := func(context genericapiserver.PostStartHookContext) error {
+		discoveryRESTMapper.Reset()
+		go utilwait.Until(discoveryRESTMapper.Reset, 30*time.Second, context.StopCh)
+		return nil
+	}
+
+	return []admission.PluginInitializer{webhookPluginInitializer, kubePluginInitializer}, admissionPostStartHook, nil
+}

vendor/k8s.io/kubernetes/pkg/kubeapiserver/admission/initializer.go

@@ -19,28 +19,13 @@ package admission
 import (
 	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apiserver/pkg/admission"
-	webhookconfig "k8s.io/apiserver/pkg/admission/plugin/webhook/config"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
-	clientset "k8s.io/client-go/kubernetes"
-	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
-	informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
-	"k8s.io/kubernetes/pkg/quota"
+	"k8s.io/apiserver/pkg/util/webhook"
+	quota "k8s.io/kubernetes/pkg/quota/v1"
 )
 
 // TODO add a `WantsToRun` which takes a stopCh.  Might make it generic.
 
-// WantsInternalKubeClientSet defines a function which sets ClientSet for admission plugins that need it
-type WantsInternalKubeClientSet interface {
-	SetInternalKubeClientSet(internalclientset.Interface)
-	admission.InitializationValidator
-}
-
-// WantsInternalKubeInformerFactory defines a function which sets InformerFactory for admission plugins that need it
-type WantsInternalKubeInformerFactory interface {
-	SetInternalKubeInformerFactory(informers.SharedInformerFactory)
-	admission.InitializationValidator
-}
-
 // WantsCloudConfig defines a function which sets CloudConfig for admission plugins that need it.
 type WantsCloudConfig interface {
 	SetCloudConfig([]byte)
@@ -59,15 +44,12 @@ type WantsQuotaConfiguration interface {
 
 // PluginInitializer is used for initialization of the Kubernetes specific admission plugins.
 type PluginInitializer struct {
-	internalClient                    internalclientset.Interface
-	externalClient                    clientset.Interface
-	informers                         informers.SharedInformerFactory
 	authorizer                        authorizer.Authorizer
 	cloudConfig                       []byte
 	restMapper                        meta.RESTMapper
 	quotaConfiguration                quota.Configuration
-	serviceResolver                   webhookconfig.ServiceResolver
-	authenticationInfoResolverWrapper webhookconfig.AuthenticationInfoResolverWrapper
+	serviceResolver                   webhook.ServiceResolver
+	authenticationInfoResolverWrapper webhook.AuthenticationInfoResolverWrapper
 }
 
 var _ admission.PluginInitializer = &PluginInitializer{}
@@ -76,15 +58,11 @@ var _ admission.PluginInitializer = &PluginInitializer{}
 // TODO: switch these parameters to use the builder pattern or just make them
 // all public, this construction method is pointless boilerplate.
 func NewPluginInitializer(
-	internalClient internalclientset.Interface,
-	sharedInformers informers.SharedInformerFactory,
 	cloudConfig []byte,
 	restMapper meta.RESTMapper,
 	quotaConfiguration quota.Configuration,
 ) *PluginInitializer {
 	return &PluginInitializer{
-		internalClient:     internalClient,
-		informers:          sharedInformers,
 		cloudConfig:        cloudConfig,
 		restMapper:         restMapper,
 		quotaConfiguration: quotaConfiguration,
@@ -94,14 +72,6 @@ func NewPluginInitializer(
 // Initialize checks the initialization interfaces implemented by each plugin
 // and provide the appropriate initialization data
 func (i *PluginInitializer) Initialize(plugin admission.Interface) {
-	if wants, ok := plugin.(WantsInternalKubeClientSet); ok {
-		wants.SetInternalKubeClientSet(i.internalClient)
-	}
-
-	if wants, ok := plugin.(WantsInternalKubeInformerFactory); ok {
-		wants.SetInternalKubeInformerFactory(i.informers)
-	}
-
 	if wants, ok := plugin.(WantsCloudConfig); ok {
 		wants.SetCloudConfig(i.cloudConfig)
 	}

vendor/k8s.io/kubernetes/pkg/kubeapiserver/admission/initializer_test.go

@@ -33,13 +33,13 @@ type WantsCloudConfigAdmissionPlugin struct {
 	cloudConfig []byte
 }
 
-func (self *WantsCloudConfigAdmissionPlugin) SetCloudConfig(cloudConfig []byte) {
-	self.cloudConfig = cloudConfig
+func (p *WantsCloudConfigAdmissionPlugin) SetCloudConfig(cloudConfig []byte) {
+	p.cloudConfig = cloudConfig
 }
 
 func TestCloudConfigAdmissionPlugin(t *testing.T) {
 	cloudConfig := []byte("cloud-configuration")
-	initializer := NewPluginInitializer(nil, nil, cloudConfig, nil, nil)
+	initializer := NewPluginInitializer(cloudConfig, nil, nil)
 	wantsCloudConfigAdmission := &WantsCloudConfigAdmissionPlugin{}
 	initializer.Initialize(wantsCloudConfigAdmission)
 

vendor/k8s.io/kubernetes/pkg/kubeapiserver/admission/util/BUILD

@@ -10,9 +10,9 @@ go_library(
     srcs = ["initializer.go"],
     importpath = "k8s.io/kubernetes/pkg/kubeapiserver/admission/util",
     deps = [
-        "//vendor/k8s.io/apimachinery/pkg/api/meta:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/util/initialization:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/api/meta:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/initialization:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/admission:go_default_library",
     ],
 )
 

vendor/k8s.io/kubernetes/pkg/kubeapiserver/authenticator/BUILD

@@ -12,26 +12,26 @@ go_library(
     deps = [
         "//pkg/features:go_default_library",
         "//pkg/serviceaccount:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authentication/group:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authentication/request/bearertoken:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authentication/request/union:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authentication/request/websocket:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authentication/request/x509:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authentication/token/cache:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authentication/token/tokenfile:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authentication/token/union:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
+        "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile:go_default_library",
+        "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth:go_default_library",
+        "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc:go_default_library",
+        "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook:go_default_library",
+        "//staging/src/k8s.io/client-go/plugin/pkg/client/auth:go_default_library",
+        "//staging/src/k8s.io/client-go/util/cert:go_default_library",
         "//vendor/github.com/go-openapi/spec:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/authentication/authenticatorfactory:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/authentication/group:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/authentication/request/anonymous:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/authentication/request/bearertoken:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/authentication/request/headerrequest:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/authentication/request/union:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/authentication/request/websocket:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/authentication/request/x509:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/authentication/token/cache:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/authentication/token/tokenfile:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/authentication/token/union:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
-        "//vendor/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile:go_default_library",
-        "//vendor/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth:go_default_library",
-        "//vendor/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc:go_default_library",
-        "//vendor/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook:go_default_library",
-        "//vendor/k8s.io/client-go/plugin/pkg/client/auth:go_default_library",
-        "//vendor/k8s.io/client-go/util/cert:go_default_library",
     ],
 )
 

vendor/k8s.io/kubernetes/pkg/kubeapiserver/authenticator/OWNERS

@@ -0,0 +1,7 @@
+approvers:
+- sig-auth-authenticators-approvers
+reviewers:
+- sig-auth-authenticators-reviewers
+labels:
+- sig/auth
+

vendor/k8s.io/kubernetes/pkg/kubeapiserver/authenticator/config.go

@@ -38,14 +38,15 @@ import (
 	"k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth"
 	"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
 	"k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
+	// Initialize all known client auth plugins.
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	certutil "k8s.io/client-go/util/cert"
 	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/serviceaccount"
-
-	_ "k8s.io/client-go/plugin/pkg/client/auth"
 )
 
-type AuthenticatorConfig struct {
+// Config contains the data on how to authenticate a request to the Kube API Server
+type Config struct {
 	Anonymous                   bool
 	BasicAuthFile               string
 	BootstrapToken              bool
@@ -63,7 +64,7 @@ type AuthenticatorConfig struct {
 	ServiceAccountKeyFiles      []string
 	ServiceAccountLookup        bool
 	ServiceAccountIssuer        string
-	ServiceAccountAPIAudiences  []string
+	APIAudiences                authenticator.Audiences
 	WebhookTokenAuthnConfigFile string
 	WebhookTokenAuthnCacheTTL   time.Duration
 
@@ -79,7 +80,7 @@ type AuthenticatorConfig struct {
 
 // New returns an authenticator.Request or an error that supports the standard
 // Kubernetes authentication mechanisms.
-func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDefinitions, error) {
+func (config Config) New() (authenticator.Request, *spec.SecurityDefinitions, error) {
 	var authenticators []authenticator.Request
 	var tokenAuthenticators []authenticator.Token
 	securityDefinitions := spec.SecurityDefinitions{}
@@ -97,7 +98,7 @@ func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDe
 		if err != nil {
 			return nil, nil, err
 		}
-		authenticators = append(authenticators, requestHeaderAuthenticator)
+		authenticators = append(authenticators, authenticator.WrapAudienceAgnosticRequest(config.APIAudiences, requestHeaderAuthenticator))
 	}
 
 	// basic auth
@@ -106,7 +107,7 @@ func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDe
 		if err != nil {
 			return nil, nil, err
 		}
-		authenticators = append(authenticators, basicAuth)
+		authenticators = append(authenticators, authenticator.WrapAudienceAgnosticRequest(config.APIAudiences, basicAuth))
 
 		securityDefinitions["HTTPBasic"] = &spec.SecurityScheme{
 			SecuritySchemeProps: spec.SecuritySchemeProps{
@@ -131,17 +132,17 @@ func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDe
 		if err != nil {
 			return nil, nil, err
 		}
-		tokenAuthenticators = append(tokenAuthenticators, tokenAuth)
+		tokenAuthenticators = append(tokenAuthenticators, authenticator.WrapAudienceAgnosticToken(config.APIAudiences, tokenAuth))
 	}
 	if len(config.ServiceAccountKeyFiles) > 0 {
-		serviceAccountAuth, err := newLegacyServiceAccountAuthenticator(config.ServiceAccountKeyFiles, config.ServiceAccountLookup, config.ServiceAccountTokenGetter)
+		serviceAccountAuth, err := newLegacyServiceAccountAuthenticator(config.ServiceAccountKeyFiles, config.ServiceAccountLookup, config.APIAudiences, config.ServiceAccountTokenGetter)
 		if err != nil {
 			return nil, nil, err
 		}
 		tokenAuthenticators = append(tokenAuthenticators, serviceAccountAuth)
 	}
 	if utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) && config.ServiceAccountIssuer != "" {
-		serviceAccountAuth, err := newServiceAccountAuthenticator(config.ServiceAccountIssuer, config.ServiceAccountAPIAudiences, config.ServiceAccountKeyFiles, config.ServiceAccountTokenGetter)
+		serviceAccountAuth, err := newServiceAccountAuthenticator(config.ServiceAccountIssuer, config.ServiceAccountKeyFiles, config.APIAudiences, config.ServiceAccountTokenGetter)
 		if err != nil {
 			return nil, nil, err
 		}
@@ -150,7 +151,7 @@ func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDe
 	if config.BootstrapToken {
 		if config.BootstrapTokenAuthenticator != nil {
 			// TODO: This can sometimes be nil because of
-			tokenAuthenticators = append(tokenAuthenticators, config.BootstrapTokenAuthenticator)
+			tokenAuthenticators = append(tokenAuthenticators, authenticator.WrapAudienceAgnosticToken(config.APIAudiences, config.BootstrapTokenAuthenticator))
 		}
 	}
 	// NOTE(ericchiang): Keep the OpenID Connect after Service Accounts.
@@ -160,14 +161,25 @@ func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDe
 	// simply returns an error, the OpenID Connect plugin may query the provider to
 	// update the keys, causing performance hits.
 	if len(config.OIDCIssuerURL) > 0 && len(config.OIDCClientID) > 0 {
-		oidcAuth, err := newAuthenticatorFromOIDCIssuerURL(config.OIDCIssuerURL, config.OIDCClientID, config.OIDCCAFile, config.OIDCUsernameClaim, config.OIDCUsernamePrefix, config.OIDCGroupsClaim, config.OIDCGroupsPrefix, config.OIDCSigningAlgs, config.OIDCRequiredClaims)
+		oidcAuth, err := newAuthenticatorFromOIDCIssuerURL(oidc.Options{
+			IssuerURL:            config.OIDCIssuerURL,
+			ClientID:             config.OIDCClientID,
+			APIAudiences:         config.APIAudiences,
+			CAFile:               config.OIDCCAFile,
+			UsernameClaim:        config.OIDCUsernameClaim,
+			UsernamePrefix:       config.OIDCUsernamePrefix,
+			GroupsClaim:          config.OIDCGroupsClaim,
+			GroupsPrefix:         config.OIDCGroupsPrefix,
+			SupportedSigningAlgs: config.OIDCSigningAlgs,
+			RequiredClaims:       config.OIDCRequiredClaims,
+		})
 		if err != nil {
 			return nil, nil, err
 		}
 		tokenAuthenticators = append(tokenAuthenticators, oidcAuth)
 	}
 	if len(config.WebhookTokenAuthnConfigFile) > 0 {
-		webhookTokenAuth, err := newWebhookTokenAuthenticator(config.WebhookTokenAuthnConfigFile, config.WebhookTokenAuthnCacheTTL)
+		webhookTokenAuth, err := newWebhookTokenAuthenticator(config.WebhookTokenAuthnConfigFile, config.WebhookTokenAuthnCacheTTL, config.APIAudiences)
 		if err != nil {
 			return nil, nil, err
 		}
@@ -179,7 +191,7 @@ func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDe
 		tokenAuth := tokenunion.New(tokenAuthenticators...)
 		// Optionally cache authentication results
 		if config.TokenSuccessCacheTTL > 0 || config.TokenFailureCacheTTL > 0 {
-			tokenAuth = tokencache.New(tokenAuth, config.TokenSuccessCacheTTL, config.TokenFailureCacheTTL)
+			tokenAuth = tokencache.New(tokenAuth, true, config.TokenSuccessCacheTTL, config.TokenFailureCacheTTL)
 		}
 		authenticators = append(authenticators, bearertoken.New(tokenAuth), websocket.NewProtocolAuthenticator(tokenAuth))
 		securityDefinitions["BearerToken"] = &spec.SecurityScheme{
@@ -239,33 +251,23 @@ func newAuthenticatorFromTokenFile(tokenAuthFile string) (authenticator.Token, e
 }
 
 // newAuthenticatorFromOIDCIssuerURL returns an authenticator.Token or an error.
-func newAuthenticatorFromOIDCIssuerURL(issuerURL, clientID, caFile, usernameClaim, usernamePrefix, groupsClaim, groupsPrefix string, signingAlgs []string, requiredClaims map[string]string) (authenticator.Token, error) {
+func newAuthenticatorFromOIDCIssuerURL(opts oidc.Options) (authenticator.Token, error) {
 	const noUsernamePrefix = "-"
 
-	if usernamePrefix == "" && usernameClaim != "email" {
+	if opts.UsernamePrefix == "" && opts.UsernameClaim != "email" {
 		// Old behavior. If a usernamePrefix isn't provided, prefix all claims other than "email"
 		// with the issuerURL.
 		//
 		// See https://github.com/kubernetes/kubernetes/issues/31380
-		usernamePrefix = issuerURL + "#"
+		opts.UsernamePrefix = opts.IssuerURL + "#"
 	}
 
-	if usernamePrefix == noUsernamePrefix {
+	if opts.UsernamePrefix == noUsernamePrefix {
 		// Special value indicating usernames shouldn't be prefixed.
-		usernamePrefix = ""
+		opts.UsernamePrefix = ""
 	}
 
-	tokenAuthenticator, err := oidc.New(oidc.Options{
-		IssuerURL:            issuerURL,
-		ClientID:             clientID,
-		CAFile:               caFile,
-		UsernameClaim:        usernameClaim,
-		UsernamePrefix:       usernamePrefix,
-		GroupsClaim:          groupsClaim,
-		GroupsPrefix:         groupsPrefix,
-		SupportedSigningAlgs: signingAlgs,
-		RequiredClaims:       requiredClaims,
-	})
+	tokenAuthenticator, err := oidc.New(opts)
 	if err != nil {
 		return nil, err
 	}
@@ -274,7 +276,7 @@ func newAuthenticatorFromOIDCIssuerURL(issuerURL, clientID, caFile, usernameClai
 }
 
 // newLegacyServiceAccountAuthenticator returns an authenticator.Token or an error
-func newLegacyServiceAccountAuthenticator(keyfiles []string, lookup bool, serviceAccountGetter serviceaccount.ServiceAccountTokenGetter) (authenticator.Token, error) {
+func newLegacyServiceAccountAuthenticator(keyfiles []string, lookup bool, apiAudiences authenticator.Audiences, serviceAccountGetter serviceaccount.ServiceAccountTokenGetter) (authenticator.Token, error) {
 	allPublicKeys := []interface{}{}
 	for _, keyfile := range keyfiles {
 		publicKeys, err := certutil.PublicKeysFromFile(keyfile)
@@ -284,12 +286,12 @@ func newLegacyServiceAccountAuthenticator(keyfiles []string, lookup bool, servic
 		allPublicKeys = append(allPublicKeys, publicKeys...)
 	}
 
-	tokenAuthenticator := serviceaccount.JWTTokenAuthenticator(serviceaccount.LegacyIssuer, allPublicKeys, serviceaccount.NewLegacyValidator(lookup, serviceAccountGetter))
+	tokenAuthenticator := serviceaccount.JWTTokenAuthenticator(serviceaccount.LegacyIssuer, allPublicKeys, apiAudiences, serviceaccount.NewLegacyValidator(lookup, serviceAccountGetter))
 	return tokenAuthenticator, nil
 }
 
 // newServiceAccountAuthenticator returns an authenticator.Token or an error
-func newServiceAccountAuthenticator(iss string, audiences []string, keyfiles []string, serviceAccountGetter serviceaccount.ServiceAccountTokenGetter) (authenticator.Token, error) {
+func newServiceAccountAuthenticator(iss string, keyfiles []string, apiAudiences authenticator.Audiences, serviceAccountGetter serviceaccount.ServiceAccountTokenGetter) (authenticator.Token, error) {
 	allPublicKeys := []interface{}{}
 	for _, keyfile := range keyfiles {
 		publicKeys, err := certutil.PublicKeysFromFile(keyfile)
@@ -299,7 +301,7 @@ func newServiceAccountAuthenticator(iss string, audiences []string, keyfiles []s
 		allPublicKeys = append(allPublicKeys, publicKeys...)
 	}
 
-	tokenAuthenticator := serviceaccount.JWTTokenAuthenticator(iss, allPublicKeys, serviceaccount.NewValidator(audiences, serviceAccountGetter))
+	tokenAuthenticator := serviceaccount.JWTTokenAuthenticator(iss, allPublicKeys, apiAudiences, serviceaccount.NewValidator(serviceAccountGetter))
 	return tokenAuthenticator, nil
 }
 
@@ -316,11 +318,11 @@ func newAuthenticatorFromClientCAFile(clientCAFile string) (authenticator.Reques
 	return x509.New(opts, x509.CommonNameUserConversion), nil
 }
 
-func newWebhookTokenAuthenticator(webhookConfigFile string, ttl time.Duration) (authenticator.Token, error) {
-	webhookTokenAuthenticator, err := webhook.New(webhookConfigFile, ttl)
+func newWebhookTokenAuthenticator(webhookConfigFile string, ttl time.Duration, implicitAuds authenticator.Audiences) (authenticator.Token, error) {
+	webhookTokenAuthenticator, err := webhook.New(webhookConfigFile, implicitAuds)
 	if err != nil {
 		return nil, err
 	}
 
-	return webhookTokenAuthenticator, nil
+	return tokencache.New(webhookTokenAuthenticator, false, ttl, ttl), nil
 }

vendor/k8s.io/kubernetes/pkg/kubeapiserver/authorizer/BUILD

@@ -12,16 +12,15 @@ go_library(
     deps = [
         "//pkg/auth/authorizer/abac:go_default_library",
         "//pkg/auth/nodeidentifier:go_default_library",
-        "//pkg/client/informers/informers_generated/internalversion:go_default_library",
         "//pkg/kubeapiserver/authorizer/modes:go_default_library",
         "//plugin/pkg/auth/authorizer/node:go_default_library",
         "//plugin/pkg/auth/authorizer/rbac:go_default_library",
         "//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/authorization/authorizerfactory:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/authorization/union:go_default_library",
-        "//vendor/k8s.io/apiserver/plugin/pkg/authorizer/webhook:go_default_library",
-        "//vendor/k8s.io/client-go/informers:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authorization/union:go_default_library",
+        "//staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook:go_default_library",
+        "//staging/src/k8s.io/client-go/informers:go_default_library",
     ],
 )
 

vendor/k8s.io/kubernetes/pkg/kubeapiserver/authorizer/OWNERS

@@ -0,0 +1,7 @@
+approvers:
+- sig-auth-authorizers-approvers
+reviewers:
+- sig-auth-authorizers-reviewers
+labels:
+- sig/auth
+

vendor/k8s.io/kubernetes/pkg/kubeapiserver/authorizer/config.go

@@ -27,14 +27,14 @@ import (
 	versionedinformers "k8s.io/client-go/informers"
 	"k8s.io/kubernetes/pkg/auth/authorizer/abac"
 	"k8s.io/kubernetes/pkg/auth/nodeidentifier"
-	informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
 	"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/node"
 	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
 	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy"
 )
 
-type AuthorizationConfig struct {
+// Config contains the data on how to authorize a request to the Kube API Server
+type Config struct {
 	AuthorizationModes []string
 
 	// Options for ModeABAC
@@ -51,13 +51,12 @@ type AuthorizationConfig struct {
 	// TTL for caching of unauthorized responses from the webhook server.
 	WebhookCacheUnauthorizedTTL time.Duration
 
-	InformerFactory          informers.SharedInformerFactory
 	VersionedInformerFactory versionedinformers.SharedInformerFactory
 }
 
 // New returns the right sort of union of multiple authorizer.Authorizer objects
 // based on the authorizationMode or an error.
-func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleResolver, error) {
+func (config Config) New() (authorizer.Authorizer, authorizer.RuleResolver, error) {
 	if len(config.AuthorizationModes) == 0 {
 		return nil, nil, fmt.Errorf("at least one authorization mode must be passed")
 	}
@@ -74,9 +73,9 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR
 			graph := node.NewGraph()
 			node.AddGraphEventHandlers(
 				graph,
-				config.InformerFactory.Core().InternalVersion().Nodes(),
-				config.InformerFactory.Core().InternalVersion().Pods(),
-				config.InformerFactory.Core().InternalVersion().PersistentVolumes(),
+				config.VersionedInformerFactory.Core().V1().Nodes(),
+				config.VersionedInformerFactory.Core().V1().Pods(),
+				config.VersionedInformerFactory.Core().V1().PersistentVolumes(),
 				config.VersionedInformerFactory.Storage().V1beta1().VolumeAttachments(),
 			)
 			nodeAuthorizer := node.NewAuthorizer(graph, nodeidentifier.NewDefaultNodeIdentifier(), bootstrappolicy.NodeRules())

vendor/k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes/BUILD

@@ -16,7 +16,7 @@ go_library(
     name = "go_default_library",
     srcs = ["modes.go"],
     importpath = "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes",
-    deps = ["//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library"],
+    deps = ["//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library"],
 )
 
 filegroup(

vendor/k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes/modes.go

@@ -19,14 +19,21 @@ package modes
 import "k8s.io/apimachinery/pkg/util/sets"
 
 const (
+	// ModeAlwaysAllow is the mode to set all requests as authorized
 	ModeAlwaysAllow string = "AlwaysAllow"
-	ModeAlwaysDeny  string = "AlwaysDeny"
-	ModeABAC        string = "ABAC"
-	ModeWebhook     string = "Webhook"
-	ModeRBAC        string = "RBAC"
-	ModeNode        string = "Node"
+	// ModeAlwaysDeny is the mode to set no requests as authorized
+	ModeAlwaysDeny string = "AlwaysDeny"
+	// ModeABAC is the mode to use Attribute Based Access Control to authorize
+	ModeABAC string = "ABAC"
+	// ModeWebhook is the mode to make an external webhook call to authorize
+	ModeWebhook string = "Webhook"
+	// ModeRBAC is the mode to use Role Based Access Control to authorize
+	ModeRBAC string = "RBAC"
+	// ModeNode is an authorization mode that authorizes API requests made by kubelets.
+	ModeNode string = "Node"
 )
 
+// AuthorizationModeChoices is the list of supported authorization modes
 var AuthorizationModeChoices = []string{ModeAlwaysAllow, ModeAlwaysDeny, ModeABAC, ModeWebhook, ModeRBAC, ModeNode}
 
 // IsValidAuthorizationMode returns true if the given authorization mode is a valid one for the apiserver

vendor/k8s.io/kubernetes/pkg/kubeapiserver/default_storage_factory_builder.go

@@ -17,11 +17,27 @@ limitations under the License.
 package kubeapiserver
 
 import (
+	"strings"
+
+	"fmt"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	serveroptions "k8s.io/apiserver/pkg/server/options"
+	"k8s.io/apiserver/pkg/server/options/encryptionconfig"
 	"k8s.io/apiserver/pkg/server/resourceconfig"
 	serverstorage "k8s.io/apiserver/pkg/server/storage"
 	"k8s.io/apiserver/pkg/storage/storagebackend"
+	"k8s.io/kubernetes/pkg/api/legacyscheme"
+	"k8s.io/kubernetes/pkg/apis/admissionregistration"
+	"k8s.io/kubernetes/pkg/apis/apps"
+	"k8s.io/kubernetes/pkg/apis/batch"
+	api "k8s.io/kubernetes/pkg/apis/core"
+	"k8s.io/kubernetes/pkg/apis/events"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+	"k8s.io/kubernetes/pkg/apis/networking"
+	"k8s.io/kubernetes/pkg/apis/policy"
+	apisstorage "k8s.io/kubernetes/pkg/apis/storage"
+	kubeapiserveroptions "k8s.io/kubernetes/pkg/kubeapiserver/options"
 )
 
 // SpecialDefaultResourcePrefixes are prefixes compiled into Kubernetes.
@@ -35,18 +51,84 @@ var SpecialDefaultResourcePrefixes = map[schema.GroupResource]string{
 	{Group: "policy", Resource: "podsecuritypolicies"}:     "podsecuritypolicy",
 }
 
-// NewStorageFactory builds the DefaultStorageFactory.
-// Merges defaultResourceEncoding with the user specified overrides.
-func NewStorageFactory(
-	storageConfig storagebackend.Config,
-	defaultMediaType string,
-	serializer runtime.StorageSerializer,
-	defaultResourceEncoding *serverstorage.DefaultResourceEncodingConfig,
-	storageEncodingOverrides map[string]schema.GroupVersion,
-	resourceEncodingOverrides []schema.GroupVersionResource,
-	apiResourceConfig *serverstorage.ResourceConfig,
-) (*serverstorage.DefaultStorageFactory, error) {
-	resourceEncodingConfig := resourceconfig.MergeGroupEncodingConfigs(defaultResourceEncoding, storageEncodingOverrides)
-	resourceEncodingConfig = resourceconfig.MergeResourceEncodingConfigs(resourceEncodingConfig, resourceEncodingOverrides)
-	return serverstorage.NewDefaultStorageFactory(storageConfig, defaultMediaType, serializer, resourceEncodingConfig, apiResourceConfig, SpecialDefaultResourcePrefixes), nil
+func NewStorageFactoryConfig() *StorageFactoryConfig {
+	return &StorageFactoryConfig{
+		Serializer:              legacyscheme.Codecs,
+		DefaultResourceEncoding: serverstorage.NewDefaultResourceEncodingConfig(legacyscheme.Scheme),
+		ResourceEncodingOverrides: []schema.GroupVersionResource{
+			batch.Resource("cronjobs").WithVersion("v1beta1"),
+			apisstorage.Resource("volumeattachments").WithVersion("v1beta1"),
+			admissionregistration.Resource("initializerconfigurations").WithVersion("v1alpha1"),
+		},
+	}
+}
+
+type StorageFactoryConfig struct {
+	StorageConfig                    storagebackend.Config
+	ApiResourceConfig                *serverstorage.ResourceConfig
+	DefaultResourceEncoding          *serverstorage.DefaultResourceEncodingConfig
+	DefaultStorageMediaType          string
+	Serializer                       runtime.StorageSerializer
+	StorageEncodingOverrides         map[string]schema.GroupVersion
+	ResourceEncodingOverrides        []schema.GroupVersionResource
+	EtcdServersOverrides             []string
+	EncryptionProviderConfigFilepath string
+}
+
+func (c *StorageFactoryConfig) Complete(etcdOptions *serveroptions.EtcdOptions, serializationOptions *kubeapiserveroptions.StorageSerializationOptions) (*completedStorageFactoryConfig, error) {
+	storageGroupsToEncodingVersion, err := serializationOptions.StorageGroupsToEncodingVersion()
+	if err != nil {
+		return nil, fmt.Errorf("error generating storage version map: %s", err)
+	}
+	c.StorageEncodingOverrides = storageGroupsToEncodingVersion
+	c.StorageConfig = etcdOptions.StorageConfig
+	c.DefaultStorageMediaType = etcdOptions.DefaultStorageMediaType
+	c.EtcdServersOverrides = etcdOptions.EtcdServersOverrides
+	c.EncryptionProviderConfigFilepath = etcdOptions.EncryptionProviderConfigFilepath
+	return &completedStorageFactoryConfig{c}, nil
+}
+
+type completedStorageFactoryConfig struct {
+	*StorageFactoryConfig
+}
+
+func (c *completedStorageFactoryConfig) New() (*serverstorage.DefaultStorageFactory, error) {
+	resourceEncodingConfig := resourceconfig.MergeGroupEncodingConfigs(c.DefaultResourceEncoding, c.StorageEncodingOverrides)
+	resourceEncodingConfig = resourceconfig.MergeResourceEncodingConfigs(resourceEncodingConfig, c.ResourceEncodingOverrides)
+	storageFactory := serverstorage.NewDefaultStorageFactory(
+		c.StorageConfig,
+		c.DefaultStorageMediaType,
+		c.Serializer,
+		resourceEncodingConfig,
+		c.ApiResourceConfig,
+		SpecialDefaultResourcePrefixes)
+
+	storageFactory.AddCohabitatingResources(networking.Resource("networkpolicies"), extensions.Resource("networkpolicies"))
+	storageFactory.AddCohabitatingResources(apps.Resource("deployments"), extensions.Resource("deployments"))
+	storageFactory.AddCohabitatingResources(apps.Resource("daemonsets"), extensions.Resource("daemonsets"))
+	storageFactory.AddCohabitatingResources(apps.Resource("replicasets"), extensions.Resource("replicasets"))
+	storageFactory.AddCohabitatingResources(api.Resource("events"), events.Resource("events"))
+	storageFactory.AddCohabitatingResources(policy.Resource("podsecuritypolicies"), extensions.Resource("podsecuritypolicies"))
+
+	for _, override := range c.EtcdServersOverrides {
+		tokens := strings.Split(override, "#")
+		apiresource := strings.Split(tokens[0], "/")
+
+		group := apiresource[0]
+		resource := apiresource[1]
+		groupResource := schema.GroupResource{Group: group, Resource: resource}
+
+		servers := strings.Split(tokens[1], ";")
+		storageFactory.SetEtcdLocation(groupResource, servers)
+	}
+	if len(c.EncryptionProviderConfigFilepath) != 0 {
+		transformerOverrides, err := encryptionconfig.GetTransformerOverrides(c.EncryptionProviderConfigFilepath)
+		if err != nil {
+			return nil, err
+		}
+		for groupResource, transformer := range transformerOverrides {
+			storageFactory.SetTransformer(groupResource, transformer)
+		}
+	}
+	return storageFactory, nil
 }

vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/BUILD

@@ -21,13 +21,11 @@ go_library(
     importpath = "k8s.io/kubernetes/pkg/kubeapiserver/options",
     deps = [
         "//pkg/api/legacyscheme:go_default_library",
-        "//pkg/client/informers/informers_generated/internalversion:go_default_library",
         "//pkg/cloudprovider/providers:go_default_library",
         "//pkg/features:go_default_library",
         "//pkg/kubeapiserver/authenticator:go_default_library",
         "//pkg/kubeapiserver/authorizer:go_default_library",
         "//pkg/kubeapiserver/authorizer/modes:go_default_library",
-        "//pkg/kubeapiserver/server:go_default_library",
         "//plugin/pkg/admission/admit:go_default_library",
         "//plugin/pkg/admission/alwayspullimages:go_default_library",
         "//plugin/pkg/admission/antiaffinity:go_default_library",
@@ -54,24 +52,24 @@ go_library(
         "//plugin/pkg/admission/storage/persistentvolume/resize:go_default_library",
         "//plugin/pkg/admission/storage/storageclass/setdefault:go_default_library",
         "//plugin/pkg/admission/storage/storageobjectinuseprotection:go_default_library",
-        "//vendor/github.com/golang/glog:go_default_library",
-        "//vendor/github.com/pborman/uuid:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/admission:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/admission/plugin/initialization:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/validating:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/util/flag:go_default_library",
+        "//staging/src/k8s.io/client-go/informers:go_default_library",
+        "//staging/src/k8s.io/client-go/rest:go_default_library",
         "//vendor/github.com/spf13/pflag:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/util/net:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/admission/plugin/initialization:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/validating:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/server:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/server/options:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/util/flag:go_default_library",
-        "//vendor/k8s.io/client-go/informers:go_default_library",
-        "//vendor/k8s.io/client-go/rest:go_default_library",
+        "//vendor/k8s.io/klog:go_default_library",
     ],
 )
 
@@ -92,12 +90,18 @@ go_test(
     name = "go_default_test",
     srcs = [
         "admission_test.go",
+        "authentication_test.go",
         "authorization_test.go",
         "storage_versions_test.go",
     ],
     embed = [":go_default_library"],
     deps = [
+        "//pkg/kubeapiserver/authenticator:go_default_library",
         "//pkg/kubeapiserver/authorizer/modes:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
     ],
 )

vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authentication.go

@@ -17,23 +17,28 @@ limitations under the License.
 package options
 
 import (
+	"errors"
 	"fmt"
 	"net/url"
 	"strings"
 	"time"
 
-	"github.com/golang/glog"
 	"github.com/spf13/pflag"
+	"k8s.io/klog"
 
 	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apiserver/pkg/authentication/authenticator"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/apiserver/pkg/util/flag"
-	"k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
+	"k8s.io/kubernetes/pkg/features"
+	kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
 	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 )
 
 type BuiltInAuthenticationOptions struct {
+	APIAudiences    []string
 	Anonymous       *AnonymousAuthenticationOptions
 	BootstrapToken  *BootstrapTokenAuthenticationOptions
 	ClientCert      *genericoptions.ClientCertAuthenticationOptions
@@ -73,10 +78,10 @@ type PasswordFileAuthenticationOptions struct {
 }
 
 type ServiceAccountAuthenticationOptions struct {
-	KeyFiles     []string
-	Lookup       bool
-	Issuer       string
-	APIAudiences []string
+	KeyFiles      []string
+	Lookup        bool
+	Issuer        string
+	MaxExpiration time.Duration
 }
 
 type TokenFileAuthenticationOptions struct {
@@ -168,11 +173,29 @@ func (s *BuiltInAuthenticationOptions) Validate() []error {
 			allErrors = append(allErrors, fmt.Errorf("service-account-issuer contained a ':' but was not a valid URL: %v", err))
 		}
 	}
+	if s.ServiceAccounts != nil && utilfeature.DefaultFeatureGate.Enabled(features.BoundServiceAccountTokenVolume) {
+		if !utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) || !utilfeature.DefaultFeatureGate.Enabled(features.TokenRequestProjection) {
+			allErrors = append(allErrors, errors.New("If the BoundServiceAccountTokenVolume feature is enabled,"+
+				" the TokenRequest and TokenRequestProjection features must also be enabled"))
+		}
+		if len(s.ServiceAccounts.Issuer) == 0 {
+			allErrors = append(allErrors, errors.New("service-account-issuer is a required flag when BoundServiceAccountTokenVolume is enabled"))
+		}
+		if len(s.ServiceAccounts.KeyFiles) == 0 {
+			allErrors = append(allErrors, errors.New("service-account-key-file is a required flag when BoundServiceAccountTokenVolume is enabled"))
+		}
+	}
 
 	return allErrors
 }
 
 func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
+	fs.StringSliceVar(&s.APIAudiences, "api-audiences", s.APIAudiences, ""+
+		"Identifiers of the API. The service account token authenticator will validate that "+
+		"tokens used against the API are bound to at least one of these audiences. If the "+
+		"--service-account-issuer flag is configured and this flag is not, this field "+
+		"defaults to a single element list containing the issuer URL .")
+
 	if s.Anonymous != nil {
 		fs.BoolVar(&s.Anonymous.Allow, "anonymous-auth", s.Anonymous.Allow, ""+
 			"Enables anonymous requests to the secure port of the API server. "+
@@ -257,9 +280,15 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 			"Identifier of the service account token issuer. The issuer will assert this identifier "+
 			"in \"iss\" claim of issued tokens. This value is a string or URI.")
 
-		fs.StringSliceVar(&s.ServiceAccounts.APIAudiences, "service-account-api-audiences", s.ServiceAccounts.APIAudiences, ""+
+		// Deprecated in 1.13
+		fs.StringSliceVar(&s.APIAudiences, "service-account-api-audiences", s.APIAudiences, ""+
 			"Identifiers of the API. The service account token authenticator will validate that "+
 			"tokens used against the API are bound to at least one of these audiences.")
+		fs.MarkDeprecated("service-account-api-audiences", "Use --api-audiences")
+
+		fs.DurationVar(&s.ServiceAccounts.MaxExpiration, "service-account-max-token-expiration", s.ServiceAccounts.MaxExpiration, ""+
+			"The maximum validity duration of a token created by the service account token issuer. If an otherwise valid "+
+			"TokenRequest with a validity duration larger than this value is requested, a token will be issued with a validity duration of this value.")
 	}
 
 	if s.TokenFile != nil {
@@ -278,8 +307,8 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 	}
 }
 
-func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.AuthenticatorConfig {
-	ret := authenticator.AuthenticatorConfig{
+func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() kubeauthenticator.Config {
+	ret := kubeauthenticator.Config{
 		TokenSuccessCacheTTL: s.TokenSuccessCacheTTL,
 		TokenFailureCacheTTL: s.TokenFailureCacheTTL,
 	}
@@ -316,11 +345,14 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.Au
 		ret.RequestHeaderConfig = s.RequestHeader.ToAuthenticationRequestHeaderConfig()
 	}
 
+	ret.APIAudiences = s.APIAudiences
 	if s.ServiceAccounts != nil {
+		if s.ServiceAccounts.Issuer != "" && len(s.APIAudiences) == 0 {
+			ret.APIAudiences = authenticator.Audiences{s.ServiceAccounts.Issuer}
+		}
 		ret.ServiceAccountKeyFiles = s.ServiceAccounts.KeyFiles
-		ret.ServiceAccountLookup = s.ServiceAccounts.Lookup
 		ret.ServiceAccountIssuer = s.ServiceAccounts.Issuer
-		ret.ServiceAccountAPIAudiences = s.ServiceAccounts.APIAudiences
+		ret.ServiceAccountLookup = s.ServiceAccounts.Lookup
 	}
 
 	if s.TokenFile != nil {
@@ -333,10 +365,10 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.Au
 
 		if len(s.WebHook.ConfigFile) > 0 && s.WebHook.CacheTTL > 0 {
 			if s.TokenSuccessCacheTTL > 0 && s.WebHook.CacheTTL < s.TokenSuccessCacheTTL {
-				glog.Warningf("the webhook cache ttl of %s is shorter than the overall cache ttl of %s for successful token authentication attempts.", s.WebHook.CacheTTL, s.TokenSuccessCacheTTL)
+				klog.Warningf("the webhook cache ttl of %s is shorter than the overall cache ttl of %s for successful token authentication attempts.", s.WebHook.CacheTTL, s.TokenSuccessCacheTTL)
 			}
 			if s.TokenFailureCacheTTL > 0 && s.WebHook.CacheTTL < s.TokenFailureCacheTTL {
-				glog.Warningf("the webhook cache ttl of %s is shorter than the overall cache ttl of %s for failed token authentication attempts.", s.WebHook.CacheTTL, s.TokenFailureCacheTTL)
+				klog.Warningf("the webhook cache ttl of %s is shorter than the overall cache ttl of %s for failed token authentication attempts.", s.WebHook.CacheTTL, s.TokenFailureCacheTTL)
 			}
 		}
 	}
@@ -363,6 +395,11 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
 
 	c.Authentication.SupportsBasicAuth = o.PasswordFile != nil && len(o.PasswordFile.BasicAuthFile) > 0
 
+	c.Authentication.APIAudiences = o.APIAudiences
+	if o.ServiceAccounts != nil && o.ServiceAccounts.Issuer != "" && len(o.APIAudiences) == 0 {
+		c.Authentication.APIAudiences = authenticator.Audiences{o.ServiceAccounts.Issuer}
+	}
+
 	return nil
 }
 
@@ -375,7 +412,7 @@ func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltIn
 	// authorization ModeAlwaysAllow cannot be combined with AnonymousAuth.
 	// in such a case the AnonymousAuth is stomped to false and you get a message
 	if o.Anonymous.Allow && sets.NewString(authorization.Modes...).Has(authzmodes.ModeAlwaysAllow) {
-		glog.Warningf("AnonymousAuth is not allowed with the AlwaysAllow authorizer. Resetting AnonymousAuth to false. You should use a different authorizer")
+		klog.Warningf("AnonymousAuth is not allowed with the AlwaysAllow authorizer. Resetting AnonymousAuth to false. You should use a different authorizer")
 		o.Anonymous.Allow = false
 	}
 }

vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authentication_test.go

@@ -0,0 +1,174 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"reflect"
+	"strings"
+	"testing"
+	"time"
+
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apiserver/pkg/authentication/authenticator"
+	"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
+	apiserveroptions "k8s.io/apiserver/pkg/server/options"
+	kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
+)
+
+func TestAuthenticationValidate(t *testing.T) {
+	testCases := []struct {
+		name      string
+		testOIDC  *OIDCAuthenticationOptions
+		testSA    *ServiceAccountAuthenticationOptions
+		expectErr string
+	}{
+		{
+			name: "test when OIDC and ServiceAccounts are nil",
+		},
+		{
+			name: "test when OIDC and ServiceAccounts are valid",
+			testOIDC: &OIDCAuthenticationOptions{
+				UsernameClaim: "sub",
+				SigningAlgs:   []string{"RS256"},
+				IssuerURL:     "testIssuerURL",
+			},
+			testSA: &ServiceAccountAuthenticationOptions{
+				Issuer: "http://foo.bar.com",
+			},
+		},
+		{
+			name: "test when OIDC is invalid",
+			testOIDC: &OIDCAuthenticationOptions{
+				UsernameClaim: "sub",
+				SigningAlgs:   []string{"RS256"},
+				IssuerURL:     "testIssuerURL",
+			},
+			testSA: &ServiceAccountAuthenticationOptions{
+				Issuer: "http://foo.bar.com",
+			},
+			expectErr: "oidc-issuer-url and oidc-client-id should be specified together",
+		},
+		{
+			name: "test when ServiceAccount is invalid",
+			testOIDC: &OIDCAuthenticationOptions{
+				UsernameClaim: "sub",
+				SigningAlgs:   []string{"RS256"},
+				IssuerURL:     "testIssuerURL",
+				ClientID:      "testClientID",
+			},
+			testSA: &ServiceAccountAuthenticationOptions{
+				Issuer: "http://[::1]:namedport",
+			},
+			expectErr: "service-account-issuer contained a ':' but was not a valid URL",
+		},
+	}
+
+	for _, testcase := range testCases {
+		t.Run(testcase.name, func(t *testing.T) {
+			options := NewBuiltInAuthenticationOptions()
+			options.OIDC = testcase.testOIDC
+			options.ServiceAccounts = testcase.testSA
+
+			errs := options.Validate()
+			if len(errs) > 0 && !strings.Contains(utilerrors.NewAggregate(errs).Error(), testcase.expectErr) {
+				t.Errorf("Got err: %v, Expected err: %s", errs, testcase.expectErr)
+			}
+
+			if len(errs) == 0 && len(testcase.expectErr) != 0 {
+				t.Errorf("Got err nil, Expected err: %s", testcase.expectErr)
+			}
+		})
+	}
+}
+
+func TestToAuthenticationConfig(t *testing.T) {
+	testOptions := &BuiltInAuthenticationOptions{
+		Anonymous: &AnonymousAuthenticationOptions{
+			Allow: false,
+		},
+		ClientCert: &apiserveroptions.ClientCertAuthenticationOptions{
+			ClientCA: "/client-ca",
+		},
+		WebHook: &WebHookAuthenticationOptions{
+			CacheTTL:   180000000000,
+			ConfigFile: "/token-webhook-config",
+		},
+		BootstrapToken: &BootstrapTokenAuthenticationOptions{
+			Enable: false,
+		},
+		OIDC: &OIDCAuthenticationOptions{
+			CAFile:        "/testCAFile",
+			UsernameClaim: "sub",
+			SigningAlgs:   []string{"RS256"},
+			IssuerURL:     "testIssuerURL",
+			ClientID:      "testClientID",
+		},
+		PasswordFile: &PasswordFileAuthenticationOptions{
+			BasicAuthFile: "/testBasicAuthFile",
+		},
+		RequestHeader: &apiserveroptions.RequestHeaderAuthenticationOptions{
+			UsernameHeaders:     []string{"x-remote-user"},
+			GroupHeaders:        []string{"x-remote-group"},
+			ExtraHeaderPrefixes: []string{"x-remote-extra-"},
+			ClientCAFile:        "/testClientCAFile",
+			AllowedNames:        []string{"kube-aggregator"},
+		},
+		ServiceAccounts: &ServiceAccountAuthenticationOptions{
+			Lookup: true,
+			Issuer: "http://foo.bar.com",
+		},
+		TokenFile: &TokenFileAuthenticationOptions{
+			TokenFile: "/testTokenFile",
+		},
+		TokenSuccessCacheTTL: 10 * time.Second,
+		TokenFailureCacheTTL: 0,
+	}
+
+	expectConfig := kubeauthenticator.Config{
+		APIAudiences:                authenticator.Audiences{"http://foo.bar.com"},
+		Anonymous:                   false,
+		BasicAuthFile:               "/testBasicAuthFile",
+		BootstrapToken:              false,
+		ClientCAFile:                "/client-ca",
+		TokenAuthFile:               "/testTokenFile",
+		OIDCIssuerURL:               "testIssuerURL",
+		OIDCClientID:                "testClientID",
+		OIDCCAFile:                  "/testCAFile",
+		OIDCUsernameClaim:           "sub",
+		OIDCSigningAlgs:             []string{"RS256"},
+		ServiceAccountLookup:        true,
+		ServiceAccountIssuer:        "http://foo.bar.com",
+		WebhookTokenAuthnConfigFile: "/token-webhook-config",
+		WebhookTokenAuthnCacheTTL:   180000000000,
+
+		TokenSuccessCacheTTL: 10 * time.Second,
+		TokenFailureCacheTTL: 0,
+
+		RequestHeaderConfig: &authenticatorfactory.RequestHeaderConfig{
+			UsernameHeaders:     []string{"x-remote-user"},
+			GroupHeaders:        []string{"x-remote-group"},
+			ExtraHeaderPrefixes: []string{"x-remote-extra-"},
+			ClientCA:            "/testClientCAFile",
+			AllowedClientNames:  []string{"kube-aggregator"},
+		},
+	}
+
+	resultConfig := testOptions.ToAuthenticationConfig()
+	if !reflect.DeepEqual(resultConfig, expectConfig) {
+		t.Errorf("Got AuthenticationConfig:\n\t%v\nExpected AuthenticationConfig:\n\t%v", resultConfig, expectConfig)
+	}
+}

vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authorization.go

@@ -25,7 +25,6 @@ import (
 
 	"k8s.io/apimachinery/pkg/util/sets"
 	versionedinformers "k8s.io/client-go/informers"
-	informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
 	"k8s.io/kubernetes/pkg/kubeapiserver/authorizer"
 	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 )
@@ -40,7 +39,7 @@ type BuiltInAuthorizationOptions struct {
 
 func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions {
 	return &BuiltInAuthorizationOptions{
-		Modes: []string{authzmodes.ModeAlwaysAllow},
+		Modes:                       []string{authzmodes.ModeAlwaysAllow},
 		WebhookCacheAuthorizedTTL:   5 * time.Minute,
 		WebhookCacheUnauthorizedTTL: 30 * time.Second,
 	}
@@ -110,14 +109,13 @@ func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
 		"The duration to cache 'unauthorized' responses from the webhook authorizer.")
 }
 
-func (s *BuiltInAuthorizationOptions) ToAuthorizationConfig(informerFactory informers.SharedInformerFactory, versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.AuthorizationConfig {
-	return authorizer.AuthorizationConfig{
+func (s *BuiltInAuthorizationOptions) ToAuthorizationConfig(versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.Config {
+	return authorizer.Config{
 		AuthorizationModes:          s.Modes,
 		PolicyFile:                  s.PolicyFile,
 		WebhookConfigFile:           s.WebhookConfigFile,
 		WebhookCacheAuthorizedTTL:   s.WebhookCacheAuthorizedTTL,
 		WebhookCacheUnauthorizedTTL: s.WebhookCacheUnauthorizedTTL,
-		InformerFactory:             informerFactory,
 		VersionedInformerFactory:    versionedInformerFactory,
 	}
 }

vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/serving.go

@@ -20,41 +20,47 @@ package options
 import (
 	"fmt"
 	"net"
-	"strconv"
-
-	"github.com/pborman/uuid"
-	"github.com/spf13/pflag"
 
 	utilnet "k8s.io/apimachinery/pkg/util/net"
-	"k8s.io/apiserver/pkg/server"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
-	kubeserver "k8s.io/kubernetes/pkg/kubeapiserver/server"
 )
 
 // NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by
 // "normal" API servers running on the platform
 func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback {
-	return genericoptions.WithLoopback(&genericoptions.SecureServingOptions{
+	o := genericoptions.SecureServingOptions{
 		BindAddress: net.ParseIP("0.0.0.0"),
 		BindPort:    6443,
+		Required:    true,
 		ServerCert: genericoptions.GeneratableKeyCert{
 			PairName:      "apiserver",
 			CertDirectory: "/var/run/kubernetes",
 		},
-	})
+	}
+	return o.WithLoopback()
+}
+
+// NewInsecureServingOptions gives default values for the kube-apiserver.
+// TODO: switch insecure serving off by default
+func NewInsecureServingOptions() *genericoptions.DeprecatedInsecureServingOptionsWithLoopback {
+	o := genericoptions.DeprecatedInsecureServingOptions{
+		BindAddress: net.ParseIP("127.0.0.1"),
+		BindPort:    8080,
+	}
+	return o.WithLoopback()
 }
 
 // DefaultAdvertiseAddress sets the field AdvertiseAddress if
 // unset. The field will be set based on the SecureServingOptions. If
 // the SecureServingOptions is not present, DefaultExternalAddress
 // will fall back to the insecure ServingOptions.
-func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *InsecureServingOptions) error {
+func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *genericoptions.DeprecatedInsecureServingOptions) error {
 	if insecure == nil {
 		return nil
 	}
 
 	if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() {
-		hostIP, err := insecure.DefaultExternalAddress()
+		hostIP, err := utilnet.ChooseBindAddress(insecure.BindAddress)
 		if err != nil {
 			return fmt.Errorf("unable to find suitable network address.error='%v'. "+
 				"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this", err)
@@ -64,76 +70,3 @@ func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *Insec
 
 	return nil
 }
-
-// InsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
-// No one should be using these anymore.
-type InsecureServingOptions struct {
-	BindAddress net.IP
-	BindPort    int
-}
-
-// NewInsecureServingOptions is for creating an unauthenticated, unauthorized, insecure port.
-// No one should be using these anymore.
-func NewInsecureServingOptions() *InsecureServingOptions {
-	return &InsecureServingOptions{
-		BindAddress: net.ParseIP("127.0.0.1"),
-		BindPort:    8080,
-	}
-}
-
-func (s InsecureServingOptions) Validate() []error {
-	errors := []error{}
-
-	if s.BindPort < 0 || s.BindPort > 65535 {
-		errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off insecure (HTTP) port", s.BindPort))
-	}
-
-	return errors
-}
-
-func (s *InsecureServingOptions) DefaultExternalAddress() (net.IP, error) {
-	return utilnet.ChooseBindAddress(s.BindAddress)
-}
-
-func (s *InsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
-	fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
-		"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
-	fs.MarkDeprecated("insecure-bind-address", "This flag will be removed in a future version.")
-	fs.Lookup("insecure-bind-address").Hidden = false
-
-	fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
-		"The port on which to serve unsecured, unauthenticated access. It is assumed "+
-		"that firewall rules are set up such that this port is not reachable from outside of "+
-		"the cluster and that port 443 on the cluster's public address is proxied to this "+
-		"port. This is performed by nginx in the default setup. Set to zero to disable.")
-	fs.MarkDeprecated("insecure-port", "This flag will be removed in a future version.")
-	fs.Lookup("insecure-port").Hidden = false
-}
-
-// TODO: remove it until kops stop using `--address`
-func (s *InsecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
-	fs.IPVar(&s.BindAddress, "address", s.BindAddress,
-		"DEPRECATED: see --insecure-bind-address instead.")
-	fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
-
-	fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --insecure-port instead.")
-	fs.MarkDeprecated("port", "see --insecure-port instead.")
-}
-
-func (s *InsecureServingOptions) ApplyTo(c *server.Config) (*kubeserver.InsecureServingInfo, error) {
-	if s.BindPort <= 0 {
-		return nil, nil
-	}
-
-	ret := &kubeserver.InsecureServingInfo{
-		BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
-	}
-
-	var err error
-	privilegedLoopbackToken := uuid.NewRandom().String()
-	if c.LoopbackClientConfig, err = ret.NewLoopbackClientConfig(privilegedLoopbackToken); err != nil {
-		return nil, err
-	}
-
-	return ret, nil
-}

vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/storage_versions.go

@@ -17,14 +17,12 @@ limitations under the License.
 package options
 
 import (
+	"sort"
 	"strings"
 
+	"github.com/spf13/pflag"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
-
-	"sort"
-
-	"github.com/spf13/pflag"
 )
 
 const (
@@ -105,6 +103,11 @@ func (s *StorageSerializationOptions) AddFlags(fs *pflag.FlagSet) {
 		"You only need to pass the groups you wish to change from the defaults. "+
 		"It defaults to a list of preferred versions of all known groups.")
 
+	fs.MarkDeprecated("storage-versions", ""+
+		"Please omit this flag to ensure the default storage versions are used ."+
+		"Otherwise the cluster is not safe to upgrade to a version newer than 1.12. "+
+		"This flag will be removed in 1.13.")
+
 }
 
 // ToPreferredVersionString returns the preferred versions of all registered

vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/storage_versions_test.go

@@ -25,13 +25,11 @@ import (
 
 func TestGenerateStorageVersionMap(t *testing.T) {
 	testCases := []struct {
-		legacyVersion   string
 		storageVersions string
 		defaultVersions string
 		expectedMap     map[string]schema.GroupVersion
 	}{
 		{
-			legacyVersion:   "v1",
 			storageVersions: "v1,extensions/v1beta1",
 			expectedMap: map[string]schema.GroupVersion{
 				"":           {Version: "v1"},
@@ -39,7 +37,6 @@ func TestGenerateStorageVersionMap(t *testing.T) {
 			},
 		},
 		{
-			legacyVersion:   "",
 			storageVersions: "extensions/v1beta1,v1",
 			expectedMap: map[string]schema.GroupVersion{
 				"":           {Version: "v1"},
@@ -47,7 +44,6 @@ func TestGenerateStorageVersionMap(t *testing.T) {
 			},
 		},
 		{
-			legacyVersion:   "",
 			storageVersions: "autoscaling=extensions/v1beta1,v1",
 			defaultVersions: "extensions/v1beta1,v1,autoscaling/v1",
 			expectedMap: map[string]schema.GroupVersion{
@@ -57,7 +53,6 @@ func TestGenerateStorageVersionMap(t *testing.T) {
 			},
 		},
 		{
-			legacyVersion:   "",
 			storageVersions: "",
 			expectedMap:     map[string]schema.GroupVersion{},
 		},

vendor/k8s.io/kubernetes/pkg/kubeapiserver/server/BUILD

@@ -10,15 +10,9 @@ go_library(
     srcs = ["insecure_handler.go"],
     importpath = "k8s.io/kubernetes/pkg/kubeapiserver/server",
     deps = [
-        "//vendor/github.com/golang/glog:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/endpoints/filters:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/features:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/server:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/server/filters:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/server/options:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
-        "//vendor/k8s.io/client-go/rest:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/endpoints/filters:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/server/filters:go_default_library",
     ],
 )
 

vendor/k8s.io/kubernetes/pkg/kubeapiserver/server/insecure_handler.go

@@ -17,34 +17,22 @@ limitations under the License.
 package server
 
 import (
-	"net"
 	"net/http"
-	"time"
 
-	"github.com/golang/glog"
-
-	"k8s.io/apiserver/pkg/authentication/user"
 	genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
-	"k8s.io/apiserver/pkg/features"
 	"k8s.io/apiserver/pkg/server"
 	genericfilters "k8s.io/apiserver/pkg/server/filters"
-	"k8s.io/apiserver/pkg/server/options"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	"k8s.io/client-go/rest"
 )
 
-// InsecureServingInfo is required to serve http.  HTTP does NOT include authentication or authorization.
+// DeprecatedInsecureServingInfo is required to serve http.  HTTP does NOT include authentication or authorization.
 // You shouldn't be using this.  It makes sig-auth sad.
-// InsecureServingInfo *ServingInfo
+// DeprecatedInsecureServingInfo *ServingInfo
 
+// BuildInsecureHandlerChain sets up the server to listen to http. Should be removed.
 func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.Handler {
 	handler := apiHandler
-	if utilfeature.DefaultFeatureGate.Enabled(features.AdvancedAuditing) {
-		handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc)
-	} else {
-		handler = genericapifilters.WithLegacyAudit(handler, c.LegacyAuditWriter)
-	}
-	handler = genericapifilters.WithAuthentication(handler, insecureSuperuser{}, nil)
+	handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc)
+	handler = genericapifilters.WithAuthentication(handler, server.InsecureSuperuser{}, nil, nil)
 	handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true")
 	handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.LongRunningFunc, c.RequestTimeout)
 	handler = genericfilters.WithMaxInFlightLimit(handler, c.MaxRequestsInFlight, c.MaxMutatingRequestsInFlight, c.LongRunningFunc)
@@ -54,85 +42,3 @@ func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.H
 
 	return handler
 }
-
-type InsecureServingInfo struct {
-	// BindAddress is the ip:port to serve on
-	BindAddress string
-	// BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
-	// "tcp4", and "tcp6".
-	BindNetwork string
-}
-
-func (s *InsecureServingInfo) NewLoopbackClientConfig(token string) (*rest.Config, error) {
-	if s == nil {
-		return nil, nil
-	}
-
-	host, port, err := server.LoopbackHostPort(s.BindAddress)
-	if err != nil {
-		return nil, err
-	}
-
-	return &rest.Config{
-		Host: "http://" + net.JoinHostPort(host, port),
-		// Increase QPS limits. The client is currently passed to all admission plugins,
-		// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
-		// for more details. Once #22422 is fixed, we may want to remove it.
-		QPS:   50,
-		Burst: 100,
-	}, nil
-}
-
-// NonBlockingRun spawns the insecure http server. An error is
-// returned if the ports cannot be listened on.
-func NonBlockingRun(insecureServingInfo *InsecureServingInfo, insecureHandler http.Handler, shutDownTimeout time.Duration, stopCh <-chan struct{}) error {
-	// Use an internal stop channel to allow cleanup of the listeners on error.
-	internalStopCh := make(chan struct{})
-
-	if insecureServingInfo != nil && insecureHandler != nil {
-		if err := serveInsecurely(insecureServingInfo, insecureHandler, shutDownTimeout, internalStopCh); err != nil {
-			close(internalStopCh)
-			return err
-		}
-	}
-
-	// Now that the listener has bound successfully, it is the
-	// responsibility of the caller to close the provided channel to
-	// ensure cleanup.
-	go func() {
-		<-stopCh
-		close(internalStopCh)
-	}()
-
-	return nil
-}
-
-// serveInsecurely run the insecure http server. It fails only if the initial listen
-// call fails. The actual server loop (stoppable by closing stopCh) runs in a go
-// routine, i.e. serveInsecurely does not block.
-func serveInsecurely(insecureServingInfo *InsecureServingInfo, insecureHandler http.Handler, shutDownTimeout time.Duration, stopCh <-chan struct{}) error {
-	insecureServer := &http.Server{
-		Addr:           insecureServingInfo.BindAddress,
-		Handler:        insecureHandler,
-		MaxHeaderBytes: 1 << 20,
-	}
-	glog.Infof("Serving insecurely on %s", insecureServingInfo.BindAddress)
-	ln, _, err := options.CreateListener(insecureServingInfo.BindNetwork, insecureServingInfo.BindAddress)
-	if err != nil {
-		return err
-	}
-	err = server.RunServer(insecureServer, ln, shutDownTimeout, stopCh)
-	return err
-}
-
-// insecureSuperuser implements authenticator.Request to always return a superuser.
-// This is functionally equivalent to skipping authentication and authorization,
-// but allows apiserver code to stop special-casing a nil user to skip authorization checks.
-type insecureSuperuser struct{}
-
-func (insecureSuperuser) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
-	return &user.DefaultInfo{
-		Name:   "system:unsecured",
-		Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
-	}, true, nil
-}