vendor update for CSI 0.3.0

2025-06-14 02:43:36 +00:00 · 2018-07-18 16:47:22 +02:00
parent 6f484f92fc
commit 8ea659f0d5
6810 changed files with 438061 additions and 193861 deletions
--- a/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/BUILD
+++ b/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/BUILD
@ -23,6 +23,7 @@ go_library(
        "//pkg/api/legacyscheme:go_default_library",
        "//pkg/client/informers/informers_generated/internalversion:go_default_library",
        "//pkg/cloudprovider/providers:go_default_library",
+        "//pkg/features:go_default_library",
        "//pkg/kubeapiserver/authenticator:go_default_library",
        "//pkg/kubeapiserver/authorizer:go_default_library",
        "//pkg/kubeapiserver/authorizer/modes:go_default_library",
@ -37,13 +38,10 @@ go_library(
        "//plugin/pkg/admission/extendedresourcetoleration:go_default_library",
        "//plugin/pkg/admission/gc:go_default_library",
        "//plugin/pkg/admission/imagepolicy:go_default_library",
-        "//plugin/pkg/admission/initialresources:go_default_library",
        "//plugin/pkg/admission/limitranger:go_default_library",
        "//plugin/pkg/admission/namespace/autoprovision:go_default_library",
        "//plugin/pkg/admission/namespace/exists:go_default_library",
        "//plugin/pkg/admission/noderestriction:go_default_library",
-        "//plugin/pkg/admission/persistentvolume/label:go_default_library",
-        "//plugin/pkg/admission/persistentvolume/resize:go_default_library",
        "//plugin/pkg/admission/podnodeselector:go_default_library",
        "//plugin/pkg/admission/podpreset:go_default_library",
        "//plugin/pkg/admission/podtolerationrestriction:go_default_library",
@ -52,6 +50,8 @@ go_library(
        "//plugin/pkg/admission/security/podsecuritypolicy:go_default_library",
        "//plugin/pkg/admission/securitycontext/scdeny:go_default_library",
        "//plugin/pkg/admission/serviceaccount:go_default_library",
+        "//plugin/pkg/admission/storage/persistentvolume/label:go_default_library",
+        "//plugin/pkg/admission/storage/persistentvolume/resize:go_default_library",
        "//plugin/pkg/admission/storage/storageclass/setdefault:go_default_library",
        "//plugin/pkg/admission/storage/storageobjectinuseprotection:go_default_library",
        "//vendor/github.com/golang/glog:go_default_library",
@ -68,6 +68,8 @@ go_library(
        "//vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/validating:go_default_library",
        "//vendor/k8s.io/apiserver/pkg/server:go_default_library",
        "//vendor/k8s.io/apiserver/pkg/server/options:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/util/flag:go_default_library",
        "//vendor/k8s.io/client-go/informers:go_default_library",
        "//vendor/k8s.io/client-go/rest:go_default_library",
    ],
@ -90,8 +92,12 @@ go_test(
    name = "go_default_test",
    srcs = [
        "admission_test.go",
+        "authorization_test.go",
        "storage_versions_test.go",
    ],
    embed = [":go_default_library"],
-    deps = ["//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library"],
+    deps = [
+        "//pkg/kubeapiserver/authorizer/modes:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+    ],
 )
--- a/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/admission.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/admission.go
@ -73,6 +73,7 @@ func (a *AdmissionOptions) AddFlags(fs *pflag.FlagSet) {
 		"The order of plugins in which they are passed to this flag does not matter. "+
 		"Comma-delimited list of: "+strings.Join(a.GenericAdmission.Plugins.Registered(), ", ")+".")
 	fs.MarkDeprecated("admission-control", "Use --enable-admission-plugins or --disable-admission-plugins instead. Will be removed in a future version.")
+	fs.Lookup("admission-control").Hidden = false

 	a.GenericAdmission.AddFlags(fs)
 }
--- a/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authentication.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authentication.go
@ -25,8 +25,10 @@ import (
 	"github.com/golang/glog"
 	"github.com/spf13/pflag"

+	"k8s.io/apimachinery/pkg/util/sets"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
+	"k8s.io/apiserver/pkg/util/flag"
 	"k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
 	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 )
@ -63,6 +65,7 @@ type OIDCAuthenticationOptions struct {
 	GroupsClaim    string
 	GroupsPrefix   string
 	SigningAlgs    []string
+	RequiredClaims map[string]string
 }

 type PasswordFileAuthenticationOptions struct {
@ -222,6 +225,11 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 			"Comma-separated list of allowed JOSE asymmetric signing algorithms. JWTs with a "+
 			"'alg' header value not in this list will be rejected. "+
 			"Values are defined by RFC 7518 https://tools.ietf.org/html/rfc7518#section-3.1.")
+
+		fs.Var(flag.NewMapStringStringNoSplit(&s.OIDC.RequiredClaims), "oidc-required-claim", ""+
+			"A key=value pair that describes a required claim in the ID Token. "+
+			"If set, the claim is verified to be present in the ID Token with a matching value. "+
+			"Repeat this flag to specify multiple claims.")
 	}

 	if s.PasswordFile != nil {
@ -297,6 +305,7 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.Au
 		ret.OIDCUsernameClaim = s.OIDC.UsernameClaim
 		ret.OIDCUsernamePrefix = s.OIDC.UsernamePrefix
 		ret.OIDCSigningAlgs = s.OIDC.SigningAlgs
+		ret.OIDCRequiredClaims = s.OIDC.RequiredClaims
 	}

 	if s.PasswordFile != nil {
@ -365,17 +374,8 @@ func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltIn

 	// authorization ModeAlwaysAllow cannot be combined with AnonymousAuth.
 	// in such a case the AnonymousAuth is stomped to false and you get a message
-	if o.Anonymous.Allow {
-		found := false
-		for _, mode := range strings.Split(authorization.Mode, ",") {
-			if mode == authzmodes.ModeAlwaysAllow {
-				found = true
-				break
-			}
-		}
-		if found {
-			glog.Warningf("AnonymousAuth is not allowed with the AllowAll authorizer.  Resetting AnonymousAuth to false. You should use a different authorizer")
-			o.Anonymous.Allow = false
-		}
+	if o.Anonymous.Allow && sets.NewString(authorization.Modes...).Has(authzmodes.ModeAlwaysAllow) {
+		glog.Warningf("AnonymousAuth is not allowed with the AlwaysAllow authorizer. Resetting AnonymousAuth to false. You should use a different authorizer")
+		o.Anonymous.Allow = false
 	}
 }
--- a/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authorization.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authorization.go
@ -17,11 +17,13 @@ limitations under the License.
 package options

 import (
+	"fmt"
 	"strings"
 	"time"

 	"github.com/spf13/pflag"

+	"k8s.io/apimachinery/pkg/util/sets"
 	versionedinformers "k8s.io/client-go/informers"
 	informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
 	"k8s.io/kubernetes/pkg/kubeapiserver/authorizer"
@ -29,7 +31,7 @@ import (
 )

 type BuiltInAuthorizationOptions struct {
-	Mode                        string
+	Modes                       []string
 	PolicyFile                  string
 	WebhookConfigFile           string
 	WebhookCacheAuthorizedTTL   time.Duration
@ -38,19 +40,57 @@ type BuiltInAuthorizationOptions struct {

 func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions {
 	return &BuiltInAuthorizationOptions{
-		Mode: authzmodes.ModeAlwaysAllow,
+		Modes: []string{authzmodes.ModeAlwaysAllow},
 		WebhookCacheAuthorizedTTL:   5 * time.Minute,
 		WebhookCacheUnauthorizedTTL: 30 * time.Second,
 	}
 }

 func (s *BuiltInAuthorizationOptions) Validate() []error {
+	if s == nil {
+		return nil
+	}
 	allErrors := []error{}
+
+	if len(s.Modes) == 0 {
+		allErrors = append(allErrors, fmt.Errorf("at least one authorization-mode must be passed"))
+	}
+
+	allowedModes := sets.NewString(authzmodes.AuthorizationModeChoices...)
+	modes := sets.NewString(s.Modes...)
+	for _, mode := range s.Modes {
+		if !allowedModes.Has(mode) {
+			allErrors = append(allErrors, fmt.Errorf("authorization-mode %q is not a valid mode", mode))
+		}
+		if mode == authzmodes.ModeABAC {
+			if s.PolicyFile == "" {
+				allErrors = append(allErrors, fmt.Errorf("authorization-mode ABAC's authorization policy file not passed"))
+			}
+		}
+		if mode == authzmodes.ModeWebhook {
+			if s.WebhookConfigFile == "" {
+				allErrors = append(allErrors, fmt.Errorf("authorization-mode Webhook's authorization config file not passed"))
+			}
+		}
+	}
+
+	if s.PolicyFile != "" && !modes.Has(authzmodes.ModeABAC) {
+		allErrors = append(allErrors, fmt.Errorf("cannot specify --authorization-policy-file without mode ABAC"))
+	}
+
+	if s.WebhookConfigFile != "" && !modes.Has(authzmodes.ModeWebhook) {
+		allErrors = append(allErrors, fmt.Errorf("cannot specify --authorization-webhook-config-file without mode Webhook"))
+	}
+
+	if len(s.Modes) != len(modes.List()) {
+		allErrors = append(allErrors, fmt.Errorf("authorization-mode %q has mode specified more than once", s.Modes))
+	}
+
 	return allErrors
 }

 func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
-	fs.StringVar(&s.Mode, "authorization-mode", s.Mode, ""+
+	fs.StringSliceVar(&s.Modes, "authorization-mode", s.Modes, ""+
 		"Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: "+
 		strings.Join(authzmodes.AuthorizationModeChoices, ",")+".")

@ -68,25 +108,11 @@ func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.DurationVar(&s.WebhookCacheUnauthorizedTTL,
 		"authorization-webhook-cache-unauthorized-ttl", s.WebhookCacheUnauthorizedTTL,
 		"The duration to cache 'unauthorized' responses from the webhook authorizer.")
-
-	fs.String("authorization-rbac-super-user", "", ""+
-		"If specified, a username which avoids RBAC authorization checks and role binding "+
-		"privilege escalation checks, to be used with --authorization-mode=RBAC.")
-	fs.MarkDeprecated("authorization-rbac-super-user", "Removed during alpha to beta.  The 'system:masters' group has privileged access.")
-
-}
-
-func (s *BuiltInAuthorizationOptions) Modes() []string {
-	modes := []string{}
-	if len(s.Mode) > 0 {
-		modes = strings.Split(s.Mode, ",")
-	}
-	return modes
 }

 func (s *BuiltInAuthorizationOptions) ToAuthorizationConfig(informerFactory informers.SharedInformerFactory, versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.AuthorizationConfig {
 	return authorizer.AuthorizationConfig{
-		AuthorizationModes:          s.Modes(),
+		AuthorizationModes:          s.Modes,
 		PolicyFile:                  s.PolicyFile,
 		WebhookConfigFile:           s.WebhookConfigFile,
 		WebhookCacheAuthorizedTTL:   s.WebhookCacheAuthorizedTTL,
--- a/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authorization_test.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authorization_test.go
@ -0,0 +1,104 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"testing"
+
+	"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
+)
+
+func TestAuthzValidate(t *testing.T) {
+	examplePolicyFile := "../../auth/authorizer/abac/example_policy_file.jsonl"
+
+	testCases := []struct {
+		name              string
+		modes             []string
+		policyFile        string
+		webhookConfigFile string
+		expectErr         bool
+	}{
+		{
+			name:      "Unknown modes should return errors",
+			modes:     []string{"DoesNotExist"},
+			expectErr: true,
+		},
+		{
+			name:      "At least one authorizationMode is necessary",
+			modes:     []string{},
+			expectErr: true,
+		},
+		{
+			name:      "ModeAlwaysAllow and ModeAlwaysDeny should return without authorizationPolicyFile",
+			modes:     []string{modes.ModeAlwaysAllow, modes.ModeAlwaysDeny},
+			expectErr: false,
+		},
+		{
+			name:      "ModeABAC requires a policy file",
+			modes:     []string{modes.ModeAlwaysAllow, modes.ModeAlwaysDeny, modes.ModeABAC},
+			expectErr: true,
+		},
+		{
+			name:              "Authorization Policy file cannot be used without ModeABAC",
+			modes:             []string{modes.ModeAlwaysAllow, modes.ModeAlwaysDeny},
+			policyFile:        examplePolicyFile,
+			webhookConfigFile: "",
+			expectErr:         true,
+		},
+		{
+			name:              "ModeABAC should not error if a valid policy path is provided",
+			modes:             []string{modes.ModeAlwaysAllow, modes.ModeAlwaysDeny, modes.ModeABAC},
+			policyFile:        examplePolicyFile,
+			webhookConfigFile: "",
+			expectErr:         false,
+		},
+		{
+			name:      "ModeWebhook requires a config file",
+			modes:     []string{modes.ModeWebhook},
+			expectErr: true,
+		},
+		{
+			name:              "Cannot provide webhook config file without ModeWebhook",
+			modes:             []string{modes.ModeAlwaysAllow},
+			webhookConfigFile: "authz_webhook_config.yaml",
+			expectErr:         true,
+		},
+		{
+			name:              "ModeWebhook should not error if a valid config file is provided",
+			modes:             []string{modes.ModeWebhook},
+			webhookConfigFile: "authz_webhook_config.yaml",
+			expectErr:         false,
+		},
+	}
+
+	for _, testcase := range testCases {
+		t.Run(testcase.name, func(t *testing.T) {
+			options := NewBuiltInAuthorizationOptions()
+			options.Modes = testcase.modes
+			options.WebhookConfigFile = testcase.webhookConfigFile
+			options.PolicyFile = testcase.policyFile
+
+			errs := options.Validate()
+			if len(errs) > 0 && !testcase.expectErr {
+				t.Errorf("got unexpected err %v", errs)
+			}
+			if testcase.expectErr && len(errs) == 0 {
+				t.Errorf("should return an error")
+			}
+		})
+	}
+}
--- a/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/plugins.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/plugins.go
@ -34,13 +34,10 @@ import (
 	"k8s.io/kubernetes/plugin/pkg/admission/extendedresourcetoleration"
 	"k8s.io/kubernetes/plugin/pkg/admission/gc"
 	"k8s.io/kubernetes/plugin/pkg/admission/imagepolicy"
-	"k8s.io/kubernetes/plugin/pkg/admission/initialresources"
 	"k8s.io/kubernetes/plugin/pkg/admission/limitranger"
 	"k8s.io/kubernetes/plugin/pkg/admission/namespace/autoprovision"
 	"k8s.io/kubernetes/plugin/pkg/admission/namespace/exists"
 	"k8s.io/kubernetes/plugin/pkg/admission/noderestriction"
-	"k8s.io/kubernetes/plugin/pkg/admission/persistentvolume/label"
-	"k8s.io/kubernetes/plugin/pkg/admission/persistentvolume/resize"
 	"k8s.io/kubernetes/plugin/pkg/admission/podnodeselector"
 	"k8s.io/kubernetes/plugin/pkg/admission/podpreset"
 	"k8s.io/kubernetes/plugin/pkg/admission/podtolerationrestriction"
@ -49,6 +46,8 @@ import (
 	"k8s.io/kubernetes/plugin/pkg/admission/security/podsecuritypolicy"
 	"k8s.io/kubernetes/plugin/pkg/admission/securitycontext/scdeny"
 	"k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
+	"k8s.io/kubernetes/plugin/pkg/admission/storage/persistentvolume/label"
+	"k8s.io/kubernetes/plugin/pkg/admission/storage/persistentvolume/resize"
 	"k8s.io/kubernetes/plugin/pkg/admission/storage/storageclass/setdefault"
 	"k8s.io/kubernetes/plugin/pkg/admission/storage/storageobjectinuseprotection"

@ -58,6 +57,8 @@ import (
 	"k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle"
 	mutatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/mutating"
 	validatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/validating"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/kubernetes/pkg/features"
 )

 // AllOrderedPlugins is the list of all the plugins in order.
@ -68,7 +69,6 @@ var AllOrderedPlugins = []string{
 	exists.PluginName,                       // NamespaceExists
 	scdeny.PluginName,                       // SecurityContextDeny
 	antiaffinity.PluginName,                 // LimitPodHardAntiAffinityTopology
-	initialresources.PluginName,             // InitialResources
 	podpreset.PluginName,                    // PodPreset
 	limitranger.PluginName,                  // LimitRanger
 	serviceaccount.PluginName,               // ServiceAccount
@ -109,7 +109,6 @@ func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
 	extendedresourcetoleration.Register(plugins)
 	gc.Register(plugins)
 	imagepolicy.Register(plugins)
-	initialresources.Register(plugins)
 	limitranger.Register(plugins)
 	autoprovision.Register(plugins)
 	exists.Register(plugins)
@ -134,13 +133,17 @@ func DefaultOffAdmissionPlugins() sets.String {
 		lifecycle.PluginName,                //NamespaceLifecycle
 		limitranger.PluginName,              //LimitRanger
 		serviceaccount.PluginName,           //ServiceAccount
-		label.PluginName,                    //PersistentVolumeLabel
 		setdefault.PluginName,               //DefaultStorageClass
+		resize.PluginName,                   //PersistentVolumeClaimResize
 		defaulttolerationseconds.PluginName, //DefaultTolerationSeconds
 		mutatingwebhook.PluginName,          //MutatingAdmissionWebhook
 		validatingwebhook.PluginName,        //ValidatingAdmissionWebhook
 		resourcequota.PluginName,            //ResourceQuota
 	)

+	if utilfeature.DefaultFeatureGate.Enabled(features.PodPriority) {
+		defaultOnPlugins.Insert(podpriority.PluginName) //PodPriority
+	}
+
 	return sets.NewString(AllOrderedPlugins...).Difference(defaultOnPlugins)
 }
--- a/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/serving.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/serving.go
@ -81,7 +81,7 @@ func NewInsecureServingOptions() *InsecureServingOptions {
 	}
 }

-func (s InsecureServingOptions) Validate(portArg string) []error {
+func (s InsecureServingOptions) Validate() []error {
 	errors := []error{}

 	if s.BindPort < 0 || s.BindPort > 65535 {
@ -99,6 +99,7 @@ func (s *InsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
 		"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
 	fs.MarkDeprecated("insecure-bind-address", "This flag will be removed in a future version.")
+	fs.Lookup("insecure-bind-address").Hidden = false

 	fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
 		"The port on which to serve unsecured, unauthenticated access. It is assumed "+
@ -106,6 +107,7 @@ func (s *InsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
 		"the cluster and that port 443 on the cluster's public address is proxied to this "+
 		"port. This is performed by nginx in the default setup. Set to zero to disable.")
 	fs.MarkDeprecated("insecure-port", "This flag will be removed in a future version.")
+	fs.Lookup("insecure-port").Hidden = false
 }

 // TODO: remove it until kops stop using `--address`
--- a/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/storage_versions.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/storage_versions.go
@ -22,6 +22,8 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"

+	"sort"
+
 	"github.com/spf13/pflag"
 )

@ -40,8 +42,8 @@ type StorageSerializationOptions struct {

 func NewStorageSerializationOptions() *StorageSerializationOptions {
 	return &StorageSerializationOptions{
-		DefaultStorageVersions: legacyscheme.Registry.AllPreferredGroupVersions(),
-		StorageVersions:        legacyscheme.Registry.AllPreferredGroupVersions(),
+		DefaultStorageVersions: ToPreferredVersionString(legacyscheme.Scheme.PreferredVersionAllGroups()),
+		StorageVersions:        ToPreferredVersionString(legacyscheme.Scheme.PreferredVersionAllGroups()),
 	}
 }

@ -95,20 +97,25 @@ func mergeGroupVersionIntoMap(gvList string, dest map[string]schema.GroupVersion
 func (s *StorageSerializationOptions) AddFlags(fs *pflag.FlagSet) {
 	// Note: the weird ""+ in below lines seems to be the only way to get gofmt to
 	// arrange these text blocks sensibly. Grrr.
-
-	deprecatedStorageVersion := ""
-	fs.StringVar(&deprecatedStorageVersion, "storage-version", deprecatedStorageVersion,
-		"DEPRECATED: the version to store the legacy v1 resources with. Defaults to server preferred.")
-	fs.MarkDeprecated("storage-version", "--storage-version is deprecated and will be removed when the v1 API "+
-		"is retired. Setting this has no effect. See --storage-versions instead.")
-
 	fs.StringVar(&s.StorageVersions, "storage-versions", s.StorageVersions, ""+
 		"The per-group version to store resources in. "+
 		"Specified in the format \"group1/version1,group2/version2,...\". "+
 		"In the case where objects are moved from one group to the other, "+
 		"you may specify the format \"group1=group2/v1beta1,group3/v1beta1,...\". "+
 		"You only need to pass the groups you wish to change from the defaults. "+
-		"It defaults to a list of preferred versions of all registered groups, "+
-		"which is derived from the KUBE_API_VERSIONS environment variable.")
+		"It defaults to a list of preferred versions of all known groups.")

 }
+
+// ToPreferredVersionString returns the preferred versions of all registered
+// groups in the form of "group1/version1,group2/version2,...".  This is compatible
+// with the flag format
+func ToPreferredVersionString(versions []schema.GroupVersion) string {
+	var defaults []string
+	for _, version := range versions {
+		defaults = append(defaults, version.String())
+	}
+	// sorting provides stable output for help.
+	sort.Strings(defaults)
+	return strings.Join(defaults, ",")
+}