vendor files

vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/BUILD

@@ -0,0 +1,60 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "api_enablement.go",
+        "authentication.go",
+        "authorization.go",
+        "cloudprovider.go",
+        "options.go",
+        "serving.go",
+        "storage_versions.go",
+    ],
+    importpath = "k8s.io/kubernetes/pkg/kubeapiserver/options",
+    deps = [
+        "//pkg/api/legacyscheme:go_default_library",
+        "//pkg/client/informers/informers_generated/internalversion:go_default_library",
+        "//pkg/cloudprovider:go_default_library",
+        "//pkg/kubeapiserver/authenticator:go_default_library",
+        "//pkg/kubeapiserver/authorizer:go_default_library",
+        "//pkg/kubeapiserver/authorizer/modes:go_default_library",
+        "//pkg/kubeapiserver/server:go_default_library",
+        "//vendor/github.com/golang/glog:go_default_library",
+        "//vendor/github.com/pborman/uuid:go_default_library",
+        "//vendor/github.com/spf13/pflag:go_default_library",
+        "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/net:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/server:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/server/options:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/util/flag:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["storage_versions_test.go"],
+    importpath = "k8s.io/kubernetes/pkg/kubeapiserver/options",
+    library = ":go_default_library",
+    deps = ["//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library"],
+)

vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/api_enablement.go

@@ -0,0 +1,44 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"github.com/spf13/pflag"
+
+	utilflag "k8s.io/apiserver/pkg/util/flag"
+)
+
+// APIEnablementOptions contains the options for which resources to turn on and off.
+// Given small aggregated API servers, this option isn't required for "normal" API servers
+type APIEnablementOptions struct {
+	RuntimeConfig utilflag.ConfigurationMap
+}
+
+func NewAPIEnablementOptions() *APIEnablementOptions {
+	return &APIEnablementOptions{
+		RuntimeConfig: make(utilflag.ConfigurationMap),
+	}
+}
+
+// AddFlags adds flags for a specific APIServer to the specified FlagSet
+func (s *APIEnablementOptions) AddFlags(fs *pflag.FlagSet) {
+	fs.Var(&s.RuntimeConfig, "runtime-config", ""+
+		"A set of key=value pairs that describe runtime configuration that may be passed "+
+		"to apiserver. apis/<groupVersion> key can be used to turn on/off specific api versions. "+
+		"apis/<groupVersion>/<resource> can be used to turn on/off specific resources. api/all and "+
+		"api/legacy are special keys to control all and legacy api versions respectively.")
+}

vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authentication.go

@@ -0,0 +1,382 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/golang/glog"
+	"github.com/spf13/pflag"
+
+	genericapiserver "k8s.io/apiserver/pkg/server"
+	genericoptions "k8s.io/apiserver/pkg/server/options"
+	"k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
+	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
+)
+
+type BuiltInAuthenticationOptions struct {
+	Anonymous       *AnonymousAuthenticationOptions
+	BootstrapToken  *BootstrapTokenAuthenticationOptions
+	ClientCert      *genericoptions.ClientCertAuthenticationOptions
+	Keystone        *KeystoneAuthenticationOptions
+	OIDC            *OIDCAuthenticationOptions
+	PasswordFile    *PasswordFileAuthenticationOptions
+	RequestHeader   *genericoptions.RequestHeaderAuthenticationOptions
+	ServiceAccounts *ServiceAccountAuthenticationOptions
+	TokenFile       *TokenFileAuthenticationOptions
+	WebHook         *WebHookAuthenticationOptions
+
+	TokenSuccessCacheTTL time.Duration
+	TokenFailureCacheTTL time.Duration
+}
+
+type AnonymousAuthenticationOptions struct {
+	Allow bool
+}
+
+type BootstrapTokenAuthenticationOptions struct {
+	Enable bool
+}
+
+type KeystoneAuthenticationOptions struct {
+	URL    string
+	CAFile string
+}
+
+type OIDCAuthenticationOptions struct {
+	CAFile         string
+	ClientID       string
+	IssuerURL      string
+	UsernameClaim  string
+	UsernamePrefix string
+	GroupsClaim    string
+	GroupsPrefix   string
+}
+
+type PasswordFileAuthenticationOptions struct {
+	BasicAuthFile string
+}
+
+type ServiceAccountAuthenticationOptions struct {
+	KeyFiles []string
+	Lookup   bool
+}
+
+type TokenFileAuthenticationOptions struct {
+	TokenFile string
+}
+
+type WebHookAuthenticationOptions struct {
+	ConfigFile string
+	CacheTTL   time.Duration
+}
+
+func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions {
+	return &BuiltInAuthenticationOptions{
+		TokenSuccessCacheTTL: 10 * time.Second,
+		TokenFailureCacheTTL: 0 * time.Second,
+	}
+}
+
+func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions {
+	return s.
+		WithAnonymous().
+		WithBootstrapToken().
+		WithClientCert().
+		WithKeystone().
+		WithOIDC().
+		WithPasswordFile().
+		WithRequestHeader().
+		WithServiceAccounts().
+		WithTokenFile().
+		WithWebHook()
+}
+
+func (s *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions {
+	s.Anonymous = &AnonymousAuthenticationOptions{Allow: true}
+	return s
+}
+
+func (s *BuiltInAuthenticationOptions) WithBootstrapToken() *BuiltInAuthenticationOptions {
+	s.BootstrapToken = &BootstrapTokenAuthenticationOptions{}
+	return s
+}
+
+func (s *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions {
+	s.ClientCert = &genericoptions.ClientCertAuthenticationOptions{}
+	return s
+}
+
+func (s *BuiltInAuthenticationOptions) WithKeystone() *BuiltInAuthenticationOptions {
+	s.Keystone = &KeystoneAuthenticationOptions{}
+	return s
+}
+
+func (s *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions {
+	s.OIDC = &OIDCAuthenticationOptions{}
+	return s
+}
+
+func (s *BuiltInAuthenticationOptions) WithPasswordFile() *BuiltInAuthenticationOptions {
+	s.PasswordFile = &PasswordFileAuthenticationOptions{}
+	return s
+}
+
+func (s *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions {
+	s.RequestHeader = &genericoptions.RequestHeaderAuthenticationOptions{}
+	return s
+}
+
+func (s *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions {
+	s.ServiceAccounts = &ServiceAccountAuthenticationOptions{Lookup: true}
+	return s
+}
+
+func (s *BuiltInAuthenticationOptions) WithTokenFile() *BuiltInAuthenticationOptions {
+	s.TokenFile = &TokenFileAuthenticationOptions{}
+	return s
+}
+
+func (s *BuiltInAuthenticationOptions) WithWebHook() *BuiltInAuthenticationOptions {
+	s.WebHook = &WebHookAuthenticationOptions{
+		CacheTTL: 2 * time.Minute,
+	}
+	return s
+}
+
+// Validate checks invalid config combination
+func (s *BuiltInAuthenticationOptions) Validate() []error {
+	allErrors := []error{}
+
+	if s.OIDC != nil && (len(s.OIDC.IssuerURL) > 0) != (len(s.OIDC.ClientID) > 0) {
+		allErrors = append(allErrors, fmt.Errorf("oidc-issuer-url and oidc-client-id should be specified together"))
+	}
+
+	return allErrors
+}
+
+func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
+	if s.Anonymous != nil {
+		fs.BoolVar(&s.Anonymous.Allow, "anonymous-auth", s.Anonymous.Allow, ""+
+			"Enables anonymous requests to the secure port of the API server. "+
+			"Requests that are not rejected by another authentication method are treated as anonymous requests. "+
+			"Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated.")
+	}
+
+	if s.BootstrapToken != nil {
+		fs.BoolVar(&s.BootstrapToken.Enable, "enable-bootstrap-token-auth", s.BootstrapToken.Enable, ""+
+			"Enable to allow secrets of type 'bootstrap.kubernetes.io/token' in the 'kube-system' "+
+			"namespace to be used for TLS bootstrapping authentication.")
+	}
+
+	if s.ClientCert != nil {
+		s.ClientCert.AddFlags(fs)
+	}
+
+	if s.Keystone != nil {
+		fs.StringVar(&s.Keystone.URL, "experimental-keystone-url", s.Keystone.URL,
+			"If passed, activates the keystone authentication plugin.")
+
+		fs.StringVar(&s.Keystone.CAFile, "experimental-keystone-ca-file", s.Keystone.CAFile, ""+
+			"If set, the Keystone server's certificate will be verified by one of the authorities "+
+			"in the experimental-keystone-ca-file, otherwise the host's root CA set will be used.")
+	}
+
+	if s.OIDC != nil {
+		fs.StringVar(&s.OIDC.IssuerURL, "oidc-issuer-url", s.OIDC.IssuerURL, ""+
+			"The URL of the OpenID issuer, only HTTPS scheme will be accepted. "+
+			"If set, it will be used to verify the OIDC JSON Web Token (JWT).")
+
+		fs.StringVar(&s.OIDC.ClientID, "oidc-client-id", s.OIDC.ClientID,
+			"The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.")
+
+		fs.StringVar(&s.OIDC.CAFile, "oidc-ca-file", s.OIDC.CAFile, ""+
+			"If set, the OpenID server's certificate will be verified by one of the authorities "+
+			"in the oidc-ca-file, otherwise the host's root CA set will be used.")
+
+		fs.StringVar(&s.OIDC.UsernameClaim, "oidc-username-claim", "sub", ""+
+			"The OpenID claim to use as the user name. Note that claims other than the default ('sub') "+
+			"is not guaranteed to be unique and immutable. This flag is experimental, please see "+
+			"the authentication documentation for further details.")
+
+		fs.StringVar(&s.OIDC.UsernamePrefix, "oidc-username-prefix", "", ""+
+			"If provided, all usernames will be prefixed with this value. If not provided, "+
+			"username claims other than 'email' are prefixed by the issuer URL to avoid "+
+			"clashes. To skip any prefixing, provide the value '-'.")
+
+		fs.StringVar(&s.OIDC.GroupsClaim, "oidc-groups-claim", "", ""+
+			"If provided, the name of a custom OpenID Connect claim for specifying user groups. "+
+			"The claim value is expected to be a string or array of strings. This flag is experimental, "+
+			"please see the authentication documentation for further details.")
+
+		fs.StringVar(&s.OIDC.GroupsPrefix, "oidc-groups-prefix", "", ""+
+			"If provided, all groups will be prefixed with this value to prevent conflicts with "+
+			"other authentication strategies.")
+
+	}
+
+	if s.PasswordFile != nil {
+		fs.StringVar(&s.PasswordFile.BasicAuthFile, "basic-auth-file", s.PasswordFile.BasicAuthFile, ""+
+			"If set, the file that will be used to admit requests to the secure port of the API server "+
+			"via http basic authentication.")
+	}
+
+	if s.RequestHeader != nil {
+		s.RequestHeader.AddFlags(fs)
+	}
+
+	if s.ServiceAccounts != nil {
+		fs.StringArrayVar(&s.ServiceAccounts.KeyFiles, "service-account-key-file", s.ServiceAccounts.KeyFiles, ""+
+			"File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify "+
+			"ServiceAccount tokens. If unspecified, --tls-private-key-file is used. "+
+			"The specified file can contain multiple keys, and the flag can be specified multiple times with different files.")
+
+		fs.BoolVar(&s.ServiceAccounts.Lookup, "service-account-lookup", s.ServiceAccounts.Lookup,
+			"If true, validate ServiceAccount tokens exist in etcd as part of authentication.")
+	}
+
+	if s.TokenFile != nil {
+		fs.StringVar(&s.TokenFile.TokenFile, "token-auth-file", s.TokenFile.TokenFile, ""+
+			"If set, the file that will be used to secure the secure port of the API server "+
+			"via token authentication.")
+	}
+
+	if s.WebHook != nil {
+		fs.StringVar(&s.WebHook.ConfigFile, "authentication-token-webhook-config-file", s.WebHook.ConfigFile, ""+
+			"File with webhook configuration for token authentication in kubeconfig format. "+
+			"The API server will query the remote service to determine authentication for bearer tokens.")
+
+		fs.DurationVar(&s.WebHook.CacheTTL, "authentication-token-webhook-cache-ttl", s.WebHook.CacheTTL,
+			"The duration to cache responses from the webhook token authenticator.")
+	}
+}
+
+func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.AuthenticatorConfig {
+	ret := authenticator.AuthenticatorConfig{
+		TokenSuccessCacheTTL: s.TokenSuccessCacheTTL,
+		TokenFailureCacheTTL: s.TokenFailureCacheTTL,
+	}
+
+	if s.Anonymous != nil {
+		ret.Anonymous = s.Anonymous.Allow
+	}
+
+	if s.BootstrapToken != nil {
+		ret.BootstrapToken = s.BootstrapToken.Enable
+	}
+
+	if s.ClientCert != nil {
+		ret.ClientCAFile = s.ClientCert.ClientCA
+	}
+
+	if s.Keystone != nil {
+		ret.KeystoneURL = s.Keystone.URL
+		ret.KeystoneCAFile = s.Keystone.CAFile
+	}
+
+	if s.OIDC != nil {
+		ret.OIDCCAFile = s.OIDC.CAFile
+		ret.OIDCClientID = s.OIDC.ClientID
+		ret.OIDCGroupsClaim = s.OIDC.GroupsClaim
+		ret.OIDCGroupsPrefix = s.OIDC.GroupsPrefix
+		ret.OIDCIssuerURL = s.OIDC.IssuerURL
+		ret.OIDCUsernameClaim = s.OIDC.UsernameClaim
+		ret.OIDCUsernamePrefix = s.OIDC.UsernamePrefix
+	}
+
+	if s.PasswordFile != nil {
+		ret.BasicAuthFile = s.PasswordFile.BasicAuthFile
+	}
+
+	if s.RequestHeader != nil {
+		ret.RequestHeaderConfig = s.RequestHeader.ToAuthenticationRequestHeaderConfig()
+	}
+
+	if s.ServiceAccounts != nil {
+		ret.ServiceAccountKeyFiles = s.ServiceAccounts.KeyFiles
+		ret.ServiceAccountLookup = s.ServiceAccounts.Lookup
+	}
+
+	if s.TokenFile != nil {
+		ret.TokenAuthFile = s.TokenFile.TokenFile
+	}
+
+	if s.WebHook != nil {
+		ret.WebhookTokenAuthnConfigFile = s.WebHook.ConfigFile
+		ret.WebhookTokenAuthnCacheTTL = s.WebHook.CacheTTL
+
+		if len(s.WebHook.ConfigFile) > 0 && s.WebHook.CacheTTL > 0 {
+			if s.TokenSuccessCacheTTL > 0 && s.WebHook.CacheTTL < s.TokenSuccessCacheTTL {
+				glog.Warningf("the webhook cache ttl of %s is shorter than the overall cache ttl of %s for successful token authentication attempts.", s.WebHook.CacheTTL, s.TokenSuccessCacheTTL)
+			}
+			if s.TokenFailureCacheTTL > 0 && s.WebHook.CacheTTL < s.TokenFailureCacheTTL {
+				glog.Warningf("the webhook cache ttl of %s is shorter than the overall cache ttl of %s for failed token authentication attempts.", s.WebHook.CacheTTL, s.TokenFailureCacheTTL)
+			}
+		}
+	}
+
+	return ret
+}
+
+func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error {
+	if o == nil {
+		return nil
+	}
+
+	var err error
+	if o.ClientCert != nil {
+		c, err = c.ApplyClientCert(o.ClientCert.ClientCA)
+		if err != nil {
+			return fmt.Errorf("unable to load client CA file: %v", err)
+		}
+	}
+	if o.RequestHeader != nil {
+		c, err = c.ApplyClientCert(o.RequestHeader.ClientCAFile)
+		if err != nil {
+			return fmt.Errorf("unable to load client CA file: %v", err)
+		}
+	}
+
+	c.SupportsBasicAuth = o.PasswordFile != nil && len(o.PasswordFile.BasicAuthFile) > 0
+
+	return nil
+}
+
+// ApplyAuthorization will conditionally modify the authentication options based on the authorization options
+func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions) {
+	if o == nil || authorization == nil || o.Anonymous == nil {
+		return
+	}
+
+	// authorization ModeAlwaysAllow cannot be combined with AnonymousAuth.
+	// in such a case the AnonymousAuth is stomped to false and you get a message
+	if o.Anonymous.Allow {
+		found := false
+		for _, mode := range strings.Split(authorization.Mode, ",") {
+			if mode == authzmodes.ModeAlwaysAllow {
+				found = true
+				break
+			}
+		}
+		if found {
+			glog.Warningf("AnonymousAuth is not allowed with the AllowAll authorizer.  Resetting AnonymousAuth to false. You should use a different authorizer")
+			o.Anonymous.Allow = false
+		}
+	}
+}

vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authorization.go

@@ -0,0 +1,95 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"strings"
+	"time"
+
+	"github.com/spf13/pflag"
+
+	informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
+	"k8s.io/kubernetes/pkg/kubeapiserver/authorizer"
+	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
+)
+
+type BuiltInAuthorizationOptions struct {
+	Mode                        string
+	PolicyFile                  string
+	WebhookConfigFile           string
+	WebhookCacheAuthorizedTTL   time.Duration
+	WebhookCacheUnauthorizedTTL time.Duration
+}
+
+func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions {
+	return &BuiltInAuthorizationOptions{
+		Mode: authzmodes.ModeAlwaysAllow,
+		WebhookCacheAuthorizedTTL:   5 * time.Minute,
+		WebhookCacheUnauthorizedTTL: 30 * time.Second,
+	}
+}
+
+func (s *BuiltInAuthorizationOptions) Validate() []error {
+	allErrors := []error{}
+	return allErrors
+}
+
+func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
+	fs.StringVar(&s.Mode, "authorization-mode", s.Mode, ""+
+		"Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: "+
+		strings.Join(authzmodes.AuthorizationModeChoices, ",")+".")
+
+	fs.StringVar(&s.PolicyFile, "authorization-policy-file", s.PolicyFile, ""+
+		"File with authorization policy in csv format, used with --authorization-mode=ABAC, on the secure port.")
+
+	fs.StringVar(&s.WebhookConfigFile, "authorization-webhook-config-file", s.WebhookConfigFile, ""+
+		"File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. "+
+		"The API server will query the remote service to determine access on the API server's secure port.")
+
+	fs.DurationVar(&s.WebhookCacheAuthorizedTTL, "authorization-webhook-cache-authorized-ttl",
+		s.WebhookCacheAuthorizedTTL,
+		"The duration to cache 'authorized' responses from the webhook authorizer.")
+
+	fs.DurationVar(&s.WebhookCacheUnauthorizedTTL,
+		"authorization-webhook-cache-unauthorized-ttl", s.WebhookCacheUnauthorizedTTL,
+		"The duration to cache 'unauthorized' responses from the webhook authorizer.")
+
+	fs.String("authorization-rbac-super-user", "", ""+
+		"If specified, a username which avoids RBAC authorization checks and role binding "+
+		"privilege escalation checks, to be used with --authorization-mode=RBAC.")
+	fs.MarkDeprecated("authorization-rbac-super-user", "Removed during alpha to beta.  The 'system:masters' group has privileged access.")
+
+}
+
+func (s *BuiltInAuthorizationOptions) Modes() []string {
+	modes := []string{}
+	if len(s.Mode) > 0 {
+		modes = strings.Split(s.Mode, ",")
+	}
+	return modes
+}
+
+func (s *BuiltInAuthorizationOptions) ToAuthorizationConfig(informerFactory informers.SharedInformerFactory) authorizer.AuthorizationConfig {
+	return authorizer.AuthorizationConfig{
+		AuthorizationModes:          s.Modes(),
+		PolicyFile:                  s.PolicyFile,
+		WebhookConfigFile:           s.WebhookConfigFile,
+		WebhookCacheAuthorizedTTL:   s.WebhookCacheAuthorizedTTL,
+		WebhookCacheUnauthorizedTTL: s.WebhookCacheUnauthorizedTTL,
+		InformerFactory:             informerFactory,
+	}
+}

vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/cloudprovider.go

@@ -0,0 +1,92 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/golang/glog"
+	"github.com/spf13/pflag"
+
+	"k8s.io/api/core/v1"
+	genericoptions "k8s.io/apiserver/pkg/server/options"
+	"k8s.io/kubernetes/pkg/cloudprovider"
+)
+
+type CloudProviderOptions struct {
+	CloudConfigFile string
+	CloudProvider   string
+}
+
+func NewCloudProviderOptions() *CloudProviderOptions {
+	return &CloudProviderOptions{}
+}
+
+func (s *CloudProviderOptions) Validate() []error {
+	allErrors := []error{}
+	return allErrors
+}
+
+func (s *CloudProviderOptions) AddFlags(fs *pflag.FlagSet) {
+	fs.StringVar(&s.CloudProvider, "cloud-provider", s.CloudProvider,
+		"The provider for cloud services. Empty string for no provider.")
+
+	fs.StringVar(&s.CloudConfigFile, "cloud-config", s.CloudConfigFile,
+		"The path to the cloud provider configuration file. Empty string for no configuration file.")
+}
+
+func (s *CloudProviderOptions) DefaultExternalHost(genericoptions *genericoptions.ServerRunOptions) error {
+	if len(genericoptions.ExternalHost) != 0 {
+		return nil
+	}
+
+	if cloudprovider.IsCloudProvider(s.CloudProvider) {
+		glog.Info("--external-hostname was not specified. Trying to get it from the cloud provider.")
+
+		cloud, err := cloudprovider.InitCloudProvider(s.CloudProvider, s.CloudConfigFile)
+		if err != nil {
+			return fmt.Errorf("%q cloud provider could not be initialized: %v", s.CloudProvider, err)
+		}
+		instances, supported := cloud.Instances()
+		if !supported {
+			return fmt.Errorf("%q cloud provider has no instances", s.CloudProvider)
+		}
+		hostname, err := os.Hostname()
+		if err != nil {
+			return fmt.Errorf("failed to get hostname: %v", err)
+		}
+		nodeName, err := instances.CurrentNodeName(hostname)
+		if err != nil {
+			return fmt.Errorf("failed to get NodeName from %q cloud provider: %v", s.CloudProvider, err)
+		}
+		addrs, err := instances.NodeAddresses(nodeName)
+		if err != nil {
+			return fmt.Errorf("failed to get external host address from %q cloud provider: %v", s.CloudProvider, err)
+		} else {
+			for _, addr := range addrs {
+				if addr.Type == v1.NodeExternalIP {
+					genericoptions.ExternalHost = addr.Address
+					glog.Warning("[Deprecated] Getting host address using cloud provider is " +
+						"now deprecated. Please use --external-hostname explicitly")
+				}
+			}
+		}
+	}
+
+	return nil
+}

vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/options.go

@@ -0,0 +1,24 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	utilnet "k8s.io/apimachinery/pkg/util/net"
+)
+
+// DefaultServiceNodePortRange is the default port range for NodePort services.
+var DefaultServiceNodePortRange = utilnet.PortRange{Base: 30000, Size: 2768}

vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/serving.go

@@ -0,0 +1,134 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package options contains flags and options for initializing an apiserver
+package options
+
+import (
+	"fmt"
+	"net"
+	"strconv"
+
+	"github.com/pborman/uuid"
+	"github.com/spf13/pflag"
+
+	utilnet "k8s.io/apimachinery/pkg/util/net"
+	"k8s.io/apiserver/pkg/server"
+	genericoptions "k8s.io/apiserver/pkg/server/options"
+	kubeserver "k8s.io/kubernetes/pkg/kubeapiserver/server"
+)
+
+// NewSecureServingOptions gives default values for the kube-apiserver and federation-apiserver which are not the options wanted by
+// "normal" API servers running on the platform
+func NewSecureServingOptions() *genericoptions.SecureServingOptions {
+	return &genericoptions.SecureServingOptions{
+		BindAddress: net.ParseIP("0.0.0.0"),
+		BindPort:    6443,
+		ServerCert: genericoptions.GeneratableKeyCert{
+			PairName:      "apiserver",
+			CertDirectory: "/var/run/kubernetes",
+		},
+	}
+}
+
+// DefaultAdvertiseAddress sets the field AdvertiseAddress if
+// unset. The field will be set based on the SecureServingOptions. If
+// the SecureServingOptions is not present, DefaultExternalAddress
+// will fall back to the insecure ServingOptions.
+func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *InsecureServingOptions) error {
+	if insecure == nil {
+		return nil
+	}
+
+	if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() {
+		hostIP, err := insecure.DefaultExternalAddress()
+		if err != nil {
+			return fmt.Errorf("Unable to find suitable network address.error='%v'. "+
+				"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.", err)
+		}
+		s.AdvertiseAddress = hostIP
+	}
+
+	return nil
+}
+
+// InsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
+// No one should be using these anymore.
+type InsecureServingOptions struct {
+	BindAddress net.IP
+	BindPort    int
+}
+
+// NewInsecureServingOptions is for creating an unauthenticated, unauthorized, insecure port.
+// No one should be using these anymore.
+func NewInsecureServingOptions() *InsecureServingOptions {
+	return &InsecureServingOptions{
+		BindAddress: net.ParseIP("127.0.0.1"),
+		BindPort:    8080,
+	}
+}
+
+func (s InsecureServingOptions) Validate(portArg string) []error {
+	errors := []error{}
+
+	if s.BindPort < 0 || s.BindPort > 65535 {
+		errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", s.BindPort))
+	}
+
+	return errors
+}
+
+func (s *InsecureServingOptions) DefaultExternalAddress() (net.IP, error) {
+	return utilnet.ChooseBindAddress(s.BindAddress)
+}
+
+func (s *InsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
+	fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
+		"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all interfaces).")
+
+	fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
+		"The port on which to serve unsecured, unauthenticated access. It is assumed "+
+		"that firewall rules are set up such that this port is not reachable from outside of "+
+		"the cluster and that port 443 on the cluster's public address is proxied to this "+
+		"port. This is performed by nginx in the default setup.")
+}
+
+func (s *InsecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
+	fs.IPVar(&s.BindAddress, "address", s.BindAddress,
+		"DEPRECATED: see --insecure-bind-address instead.")
+	fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
+
+	fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --insecure-port instead.")
+	fs.MarkDeprecated("port", "see --insecure-port instead.")
+}
+
+func (s *InsecureServingOptions) ApplyTo(c *server.Config) (*kubeserver.InsecureServingInfo, error) {
+	if s.BindPort <= 0 {
+		return nil, nil
+	}
+
+	ret := &kubeserver.InsecureServingInfo{
+		BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
+	}
+
+	var err error
+	privilegedLoopbackToken := uuid.NewRandom().String()
+	if c.LoopbackClientConfig, err = ret.NewLoopbackClientConfig(privilegedLoopbackToken); err != nil {
+		return nil, err
+	}
+
+	return ret, nil
+}

vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/storage_versions.go

@@ -0,0 +1,114 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"strings"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/kubernetes/pkg/api/legacyscheme"
+
+	"github.com/spf13/pflag"
+)
+
+const (
+	DefaultEtcdPathPrefix = "/registry"
+)
+
+// StorageSerializationOptions contains the options for encoding resources.
+type StorageSerializationOptions struct {
+	StorageVersions string
+	// The default values for StorageVersions. StorageVersions overrides
+	// these; you can change this if you want to change the defaults (e.g.,
+	// for testing). This is not actually exposed as a flag.
+	DefaultStorageVersions string
+}
+
+func NewStorageSerializationOptions() *StorageSerializationOptions {
+	return &StorageSerializationOptions{
+		DefaultStorageVersions: legacyscheme.Registry.AllPreferredGroupVersions(),
+		StorageVersions:        legacyscheme.Registry.AllPreferredGroupVersions(),
+	}
+}
+
+// StorageGroupsToEncodingVersion returns a map from group name to group version,
+// computed from s.StorageVersions flag.
+func (s *StorageSerializationOptions) StorageGroupsToEncodingVersion() (map[string]schema.GroupVersion, error) {
+	storageVersionMap := map[string]schema.GroupVersion{}
+
+	// First, get the defaults.
+	if err := mergeGroupVersionIntoMap(s.DefaultStorageVersions, storageVersionMap); err != nil {
+		return nil, err
+	}
+	// Override any defaults with the user settings.
+	if err := mergeGroupVersionIntoMap(s.StorageVersions, storageVersionMap); err != nil {
+		return nil, err
+	}
+
+	return storageVersionMap, nil
+}
+
+// dest must be a map of group to groupVersion.
+func mergeGroupVersionIntoMap(gvList string, dest map[string]schema.GroupVersion) error {
+	for _, gvString := range strings.Split(gvList, ",") {
+		if gvString == "" {
+			continue
+		}
+		// We accept two formats. "group/version" OR
+		// "group=group/version". The latter is used when types
+		// move between groups.
+		if !strings.Contains(gvString, "=") {
+			gv, err := schema.ParseGroupVersion(gvString)
+			if err != nil {
+				return err
+			}
+			dest[gv.Group] = gv
+
+		} else {
+			parts := strings.SplitN(gvString, "=", 2)
+			gv, err := schema.ParseGroupVersion(parts[1])
+			if err != nil {
+				return err
+			}
+			dest[parts[0]] = gv
+		}
+	}
+
+	return nil
+}
+
+// AddFlags adds flags for a specific APIServer to the specified FlagSet
+func (s *StorageSerializationOptions) AddFlags(fs *pflag.FlagSet) {
+	// Note: the weird ""+ in below lines seems to be the only way to get gofmt to
+	// arrange these text blocks sensibly. Grrr.
+
+	deprecatedStorageVersion := ""
+	fs.StringVar(&deprecatedStorageVersion, "storage-version", deprecatedStorageVersion,
+		"DEPRECATED: the version to store the legacy v1 resources with. Defaults to server preferred.")
+	fs.MarkDeprecated("storage-version", "--storage-version is deprecated and will be removed when the v1 API "+
+		"is retired. Setting this has no effect. See --storage-versions instead.")
+
+	fs.StringVar(&s.StorageVersions, "storage-versions", s.StorageVersions, ""+
+		"The per-group version to store resources in. "+
+		"Specified in the format \"group1/version1,group2/version2,...\". "+
+		"In the case where objects are moved from one group to the other, "+
+		"you may specify the format \"group1=group2/v1beta1,group3/v1beta1,...\". "+
+		"You only need to pass the groups you wish to change from the defaults. "+
+		"It defaults to a list of preferred versions of all registered groups, "+
+		"which is derived from the KUBE_API_VERSIONS environment variable.")
+
+}

vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/storage_versions_test.go

@@ -0,0 +1,78 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"reflect"
+	"testing"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+func TestGenerateStorageVersionMap(t *testing.T) {
+	testCases := []struct {
+		legacyVersion   string
+		storageVersions string
+		defaultVersions string
+		expectedMap     map[string]schema.GroupVersion
+	}{
+		{
+			legacyVersion:   "v1",
+			storageVersions: "v1,extensions/v1beta1",
+			expectedMap: map[string]schema.GroupVersion{
+				"":           {Version: "v1"},
+				"extensions": {Group: "extensions", Version: "v1beta1"},
+			},
+		},
+		{
+			legacyVersion:   "",
+			storageVersions: "extensions/v1beta1,v1",
+			expectedMap: map[string]schema.GroupVersion{
+				"":           {Version: "v1"},
+				"extensions": {Group: "extensions", Version: "v1beta1"},
+			},
+		},
+		{
+			legacyVersion:   "",
+			storageVersions: "autoscaling=extensions/v1beta1,v1",
+			defaultVersions: "extensions/v1beta1,v1,autoscaling/v1",
+			expectedMap: map[string]schema.GroupVersion{
+				"":            {Version: "v1"},
+				"autoscaling": {Group: "extensions", Version: "v1beta1"},
+				"extensions":  {Group: "extensions", Version: "v1beta1"},
+			},
+		},
+		{
+			legacyVersion:   "",
+			storageVersions: "",
+			expectedMap:     map[string]schema.GroupVersion{},
+		},
+	}
+	for i, test := range testCases {
+		s := &StorageSerializationOptions{
+			StorageVersions:        test.storageVersions,
+			DefaultStorageVersions: test.defaultVersions,
+		}
+		output, err := s.StorageGroupsToEncodingVersion()
+		if err != nil {
+			t.Errorf("%v: unexpected error: %v", i, err)
+		}
+		if !reflect.DeepEqual(test.expectedMap, output) {
+			t.Errorf("%v: unexpected error. expect: %v, got: %v", i, test.expectedMap, output)
+		}
+	}
+}