Replace godep with dep

vendor/k8s.io/kubernetes/test/e2e/auth/BUILD

@@ -0,0 +1,52 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "audit.go",
+        "certificates.go",
+        "framework.go",
+        "node_authz.go",
+        "service_accounts.go",
+    ],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/util/version:go_default_library",
+        "//plugin/pkg/admission/serviceaccount:go_default_library",
+        "//test/e2e/framework:go_default_library",
+        "//test/utils/image:go_default_library",
+        "//vendor/github.com/onsi/ginkgo:go_default_library",
+        "//vendor/github.com/onsi/gomega:go_default_library",
+        "//vendor/k8s.io/api/certificates/v1beta1:go_default_library",
+        "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/uuid:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/apis/audit/v1beta1:go_default_library",
+        "//vendor/k8s.io/client-go/kubernetes:go_default_library",
+        "//vendor/k8s.io/client-go/kubernetes/typed/certificates/v1beta1:go_default_library",
+        "//vendor/k8s.io/client-go/rest:go_default_library",
+        "//vendor/k8s.io/client-go/util/cert:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/test/e2e/auth/OWNERS

@@ -0,0 +1,14 @@
+reviewers:
+  - liggitt
+  - mikedanese
+  - smarterclayton
+  - sttts
+  - tallclair
+  - ericchiang
+approvers:
+  - liggitt
+  - mikedanese
+  - smarterclayton
+  - sttts
+  - tallclair
+  - ericchiang

vendor/k8s.io/kubernetes/test/e2e/auth/audit.go

@@ -0,0 +1,179 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"bufio"
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	apiv1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apiserver/pkg/apis/audit/v1beta1"
+	"k8s.io/kubernetes/test/e2e/framework"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = SIGDescribe("Advanced Audit [Feature:Audit]", func() {
+	f := framework.NewDefaultFramework("audit")
+
+	It("should audit API calls", func() {
+		namespace := f.Namespace.Name
+
+		// Create & Delete pod
+		pod := &apiv1.Pod{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "audit-pod",
+			},
+			Spec: apiv1.PodSpec{
+				Containers: []apiv1.Container{{
+					Name:  "pause",
+					Image: framework.GetPauseImageName(f.ClientSet),
+				}},
+			},
+		}
+		f.PodClient().CreateSync(pod)
+		f.PodClient().DeleteSync(pod.Name, &metav1.DeleteOptions{}, framework.DefaultPodDeletionTimeout)
+
+		// Create, Read, Delete secret
+		secret := &apiv1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "audit-secret",
+			},
+			Data: map[string][]byte{
+				"top-secret": []byte("foo-bar"),
+			},
+		}
+		_, err := f.ClientSet.Core().Secrets(f.Namespace.Name).Create(secret)
+		framework.ExpectNoError(err, "failed to create audit-secret")
+		_, err = f.ClientSet.Core().Secrets(f.Namespace.Name).Get(secret.Name, metav1.GetOptions{})
+		framework.ExpectNoError(err, "failed to get audit-secret")
+		err = f.ClientSet.Core().Secrets(f.Namespace.Name).Delete(secret.Name, &metav1.DeleteOptions{})
+		framework.ExpectNoError(err, "failed to delete audit-secret")
+
+		expectedEvents := []auditEvent{{
+			method:    "create",
+			namespace: namespace,
+			uri:       fmt.Sprintf("/api/v1/namespaces/%s/pods", namespace),
+			response:  "201",
+		}, {
+			method:    "delete",
+			namespace: namespace,
+			uri:       fmt.Sprintf("/api/v1/namespaces/%s/pods/%s", namespace, pod.Name),
+			response:  "200",
+		}, {
+			method:    "create",
+			namespace: namespace,
+			uri:       fmt.Sprintf("/api/v1/namespaces/%s/secrets", namespace),
+			response:  "201",
+		}, {
+			method:    "get",
+			namespace: namespace,
+			uri:       fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s", namespace, secret.Name),
+			response:  "200",
+		}, {
+			method:    "delete",
+			namespace: namespace,
+			uri:       fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s", namespace, secret.Name),
+			response:  "200",
+		}}
+		expectAuditLines(f, expectedEvents)
+	})
+})
+
+type auditEvent struct {
+	method, namespace, uri, response string
+}
+
+// Search the audit log for the expected audit lines.
+func expectAuditLines(f *framework.Framework, expected []auditEvent) {
+	expectations := map[auditEvent]bool{}
+	for _, event := range expected {
+		expectations[event] = false
+	}
+
+	// Fetch the log stream.
+	stream, err := f.ClientSet.Core().RESTClient().Get().AbsPath("/logs/kube-apiserver-audit.log").Stream()
+	framework.ExpectNoError(err, "could not read audit log")
+	defer stream.Close()
+
+	scanner := bufio.NewScanner(stream)
+	for scanner.Scan() {
+		line := scanner.Text()
+		event, err := parseAuditLine(line)
+		framework.ExpectNoError(err)
+
+		// If the event was expected, mark it as found.
+		if _, found := expectations[event]; found {
+			expectations[event] = true
+		}
+	}
+	framework.ExpectNoError(scanner.Err(), "error reading audit log")
+
+	for event, found := range expectations {
+		Expect(found).To(BeTrue(), "Event %#v not found!", event)
+	}
+}
+
+func parseAuditLine(line string) (auditEvent, error) {
+	var e v1beta1.Event
+	if err := json.Unmarshal([]byte(line), &e); err == nil {
+		event := auditEvent{
+			method: e.Verb,
+			uri:    e.RequestURI,
+		}
+		if e.ObjectRef != nil {
+			event.namespace = e.ObjectRef.Namespace
+		}
+		if e.ResponseStatus != nil {
+			event.response = fmt.Sprintf("%d", e.ResponseStatus.Code)
+		}
+		return event, nil
+	}
+
+	fields := strings.Fields(line)
+	if len(fields) < 3 {
+		return auditEvent{}, fmt.Errorf("could not parse audit line: %s", line)
+	}
+	// Ignore first field (timestamp)
+	if fields[1] != "AUDIT:" {
+		return auditEvent{}, fmt.Errorf("unexpected audit line format: %s", line)
+	}
+	fields = fields[2:]
+	event := auditEvent{}
+	for _, f := range fields {
+		parts := strings.SplitN(f, "=", 2)
+		if len(parts) != 2 {
+			return auditEvent{}, fmt.Errorf("could not parse audit line (part: %q): %s", f, line)
+		}
+		value := strings.Trim(parts[1], "\"")
+		switch parts[0] {
+		case "method":
+			event.method = value
+		case "namespace":
+			event.namespace = value
+		case "uri":
+			event.uri = value
+		case "response":
+			event.response = value
+		}
+	}
+	return event, nil
+}

vendor/k8s.io/kubernetes/test/e2e/auth/certificates.go

@@ -0,0 +1,121 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"time"
+
+	"k8s.io/api/certificates/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
+	v1beta1client "k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
+	"k8s.io/client-go/util/cert"
+	"k8s.io/kubernetes/test/e2e/framework"
+
+	. "github.com/onsi/ginkgo"
+)
+
+var _ = SIGDescribe("Certificates API", func() {
+	f := framework.NewDefaultFramework("certificates")
+
+	It("should support building a client with a CSR", func() {
+		const commonName = "tester-csr"
+
+		pk, err := cert.NewPrivateKey()
+		framework.ExpectNoError(err)
+
+		pkder := x509.MarshalPKCS1PrivateKey(pk)
+		pkpem := pem.EncodeToMemory(&pem.Block{
+			Type:  "RSA PRIVATE KEY",
+			Bytes: pkder,
+		})
+
+		csrb, err := cert.MakeCSR(pk, &pkix.Name{CommonName: commonName, Organization: []string{"system:masters"}}, nil, nil)
+		framework.ExpectNoError(err)
+
+		csr := &v1beta1.CertificateSigningRequest{
+			ObjectMeta: metav1.ObjectMeta{
+				GenerateName: commonName + "-",
+			},
+			Spec: v1beta1.CertificateSigningRequestSpec{
+				Request: csrb,
+				Usages: []v1beta1.KeyUsage{
+					v1beta1.UsageSigning,
+					v1beta1.UsageKeyEncipherment,
+					v1beta1.UsageClientAuth,
+				},
+			},
+		}
+		csrs := f.ClientSet.CertificatesV1beta1().CertificateSigningRequests()
+
+		framework.Logf("creating CSR")
+		csr, err = csrs.Create(csr)
+		framework.ExpectNoError(err)
+
+		csrName := csr.Name
+
+		framework.Logf("approving CSR")
+		framework.ExpectNoError(wait.Poll(5*time.Second, time.Minute, func() (bool, error) {
+			csr.Status.Conditions = []v1beta1.CertificateSigningRequestCondition{
+				{
+					Type:    v1beta1.CertificateApproved,
+					Reason:  "E2E",
+					Message: "Set from an e2e test",
+				},
+			}
+			csr, err = csrs.UpdateApproval(csr)
+			if err != nil {
+				csr, _ = csrs.Get(csrName, metav1.GetOptions{})
+				framework.Logf("err updating approval: %v", err)
+				return false, nil
+			}
+			return true, nil
+		}))
+
+		framework.Logf("waiting for CSR to be signed")
+		framework.ExpectNoError(wait.Poll(5*time.Second, time.Minute, func() (bool, error) {
+			csr, _ = csrs.Get(csrName, metav1.GetOptions{})
+			if err != nil {
+				return false, err
+			}
+			if len(csr.Status.Certificate) == 0 {
+				framework.Logf("csr not signed yet")
+				return false, nil
+			}
+			return true, nil
+		}))
+
+		framework.Logf("testing the client")
+		rcfg, err := framework.LoadConfig()
+		framework.ExpectNoError(err)
+
+		rcfg.TLSClientConfig.CertData = csr.Status.Certificate
+		rcfg.TLSClientConfig.KeyData = pkpem
+		rcfg.TLSClientConfig.CertFile = ""
+		rcfg.BearerToken = ""
+		rcfg.AuthProvider = nil
+		rcfg.Username = ""
+		rcfg.Password = ""
+
+		newClient, err := v1beta1client.NewForConfig(rcfg)
+		framework.ExpectNoError(err)
+		framework.ExpectNoError(newClient.CertificateSigningRequests().Delete(csrName, nil))
+	})
+})

vendor/k8s.io/kubernetes/test/e2e/auth/framework.go

@@ -0,0 +1,23 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import "github.com/onsi/ginkgo"
+
+func SIGDescribe(text string, body func()) bool {
+	return ginkgo.Describe("[sig-auth] "+text, body)
+}

vendor/k8s.io/kubernetes/test/e2e/auth/node_authz.go

@@ -0,0 +1,159 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"fmt"
+	"time"
+
+	"k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
+	clientset "k8s.io/client-go/kubernetes"
+	restclient "k8s.io/client-go/rest"
+	"k8s.io/kubernetes/test/e2e/framework"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+const (
+	NodesGroup     = "system:nodes"
+	NodeNamePrefix = "system:node:"
+)
+
+var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
+
+	f := framework.NewDefaultFramework("node-authz")
+	// client that will impersonate a node
+	var c clientset.Interface
+	var ns string
+	var asUser string
+	var defaultSaSecret string
+	var nodeName string
+	BeforeEach(func() {
+		ns = f.Namespace.Name
+
+		nodeList, err := f.ClientSet.CoreV1().Nodes().List(metav1.ListOptions{})
+		Expect(err).NotTo(HaveOccurred())
+		Expect(len(nodeList.Items)).NotTo(Equal(0))
+		nodeName = nodeList.Items[0].Name
+		asUser = NodeNamePrefix + nodeName
+		sa, err := f.ClientSet.CoreV1().ServiceAccounts(ns).Get("default", metav1.GetOptions{})
+		Expect(len(sa.Secrets)).NotTo(Equal(0))
+		Expect(err).NotTo(HaveOccurred())
+		defaultSaSecret = sa.Secrets[0].Name
+		By("Creating a kubernetes client that impersonates a node")
+		config, err := framework.LoadConfig()
+		Expect(err).NotTo(HaveOccurred())
+		config.Impersonate = restclient.ImpersonationConfig{
+			UserName: asUser,
+			Groups:   []string{NodesGroup},
+		}
+		c, err = clientset.NewForConfig(config)
+		Expect(err).NotTo(HaveOccurred())
+
+	})
+	It("Getting a non-existent secret should exit with the Forbidden error, not a NotFound error", func() {
+		_, err := c.CoreV1().Secrets(ns).Get("foo", metav1.GetOptions{})
+		Expect(apierrors.IsForbidden(err)).Should(Equal(true))
+	})
+
+	It("Getting an existent secret should exit with the Forbidden error", func() {
+		_, err := c.CoreV1().Secrets(ns).Get(defaultSaSecret, metav1.GetOptions{})
+		Expect(apierrors.IsForbidden(err)).Should(Equal(true))
+	})
+
+	It("Getting a secret for a workload the node has access to should succeed", func() {
+		By("Create a secret for testing")
+		secret := &v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: ns,
+				Name:      "node-auth-secret",
+			},
+			Data: map[string][]byte{
+				"data": []byte("keep it secret"),
+			},
+		}
+		_, err := f.ClientSet.CoreV1().Secrets(ns).Create(secret)
+		Expect(err).NotTo(HaveOccurred())
+
+		By("Node should not get the secret")
+		_, err = c.CoreV1().Secrets(ns).Get(secret.Name, metav1.GetOptions{})
+		Expect(apierrors.IsForbidden(err)).Should(Equal(true))
+
+		By("Create a pod that use the secret")
+		pod := &v1.Pod{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "pause",
+			},
+			Spec: v1.PodSpec{
+				Containers: []v1.Container{
+					{
+						Name:  "pause",
+						Image: framework.GetPauseImageName(f.ClientSet),
+					},
+				},
+				NodeName: nodeName,
+				Volumes: []v1.Volume{
+					{
+						Name: "node-auth-secret",
+						VolumeSource: v1.VolumeSource{
+							Secret: &v1.SecretVolumeSource{
+								SecretName: secret.Name,
+							},
+						},
+					},
+				},
+			},
+		}
+
+		_, err = f.ClientSet.CoreV1().Pods(ns).Create(pod)
+		Expect(err).NotTo(HaveOccurred())
+
+		By("The node should able to access the secret")
+		err = wait.Poll(framework.Poll, 1*time.Minute, func() (bool, error) {
+			_, err = c.CoreV1().Secrets(ns).Get(secret.Name, metav1.GetOptions{})
+			if err != nil {
+				framework.Logf("Failed to get secret %v, err: %v", secret.Name, err)
+				return false, nil
+			}
+			return true, nil
+		})
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	It("A node shouldn't be able to create an other node", func() {
+		node := &v1.Node{
+			ObjectMeta: metav1.ObjectMeta{Name: "foo"},
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "Node",
+				APIVersion: "v1",
+			},
+		}
+		By(fmt.Sprintf("Create node foo by user: %v", asUser))
+		_, err := c.CoreV1().Nodes().Create(node)
+		Expect(apierrors.IsForbidden(err)).Should(Equal(true))
+	})
+
+	It("A node shouldn't be able to delete an other node", func() {
+		By(fmt.Sprintf("Create node foo by user: %v", asUser))
+		err := c.CoreV1().Nodes().Delete("foo", &metav1.DeleteOptions{})
+		Expect(apierrors.IsForbidden(err)).Should(Equal(true))
+	})
+})

vendor/k8s.io/kubernetes/test/e2e/auth/service_accounts.go

@@ -0,0 +1,388 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"fmt"
+	"time"
+
+	"k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/uuid"
+	"k8s.io/apimachinery/pkg/util/wait"
+	utilversion "k8s.io/kubernetes/pkg/util/version"
+	"k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
+	"k8s.io/kubernetes/test/e2e/framework"
+	imageutils "k8s.io/kubernetes/test/utils/image"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var mountImage = imageutils.GetE2EImage(imageutils.Mounttest)
+
+var serviceAccountTokenNamespaceVersion = utilversion.MustParseSemantic("v1.2.0")
+
+var serviceAccountTokenAutomountVersion = utilversion.MustParseSemantic("v1.6.0-alpha.2")
+
+var _ = SIGDescribe("ServiceAccounts", func() {
+	f := framework.NewDefaultFramework("svcaccounts")
+
+	It("should ensure a single API token exists", func() {
+		// wait for the service account to reference a single secret
+		var secrets []v1.ObjectReference
+		framework.ExpectNoError(wait.Poll(time.Millisecond*500, time.Second*10, func() (bool, error) {
+			By("waiting for a single token reference")
+			sa, err := f.ClientSet.Core().ServiceAccounts(f.Namespace.Name).Get("default", metav1.GetOptions{})
+			if apierrors.IsNotFound(err) {
+				framework.Logf("default service account was not found")
+				return false, nil
+			}
+			if err != nil {
+				framework.Logf("error getting default service account: %v", err)
+				return false, err
+			}
+			switch len(sa.Secrets) {
+			case 0:
+				framework.Logf("default service account has no secret references")
+				return false, nil
+			case 1:
+				framework.Logf("default service account has a single secret reference")
+				secrets = sa.Secrets
+				return true, nil
+			default:
+				return false, fmt.Errorf("default service account has too many secret references: %#v", sa.Secrets)
+			}
+		}))
+
+		// make sure the reference doesn't flutter
+		{
+			By("ensuring the single token reference persists")
+			time.Sleep(2 * time.Second)
+			sa, err := f.ClientSet.Core().ServiceAccounts(f.Namespace.Name).Get("default", metav1.GetOptions{})
+			framework.ExpectNoError(err)
+			Expect(sa.Secrets).To(Equal(secrets))
+		}
+
+		// delete the referenced secret
+		By("deleting the service account token")
+		framework.ExpectNoError(f.ClientSet.Core().Secrets(f.Namespace.Name).Delete(secrets[0].Name, nil))
+
+		// wait for the referenced secret to be removed, and another one autocreated
+		framework.ExpectNoError(wait.Poll(time.Millisecond*500, framework.ServiceAccountProvisionTimeout, func() (bool, error) {
+			By("waiting for a new token reference")
+			sa, err := f.ClientSet.Core().ServiceAccounts(f.Namespace.Name).Get("default", metav1.GetOptions{})
+			if err != nil {
+				framework.Logf("error getting default service account: %v", err)
+				return false, err
+			}
+			switch len(sa.Secrets) {
+			case 0:
+				framework.Logf("default service account has no secret references")
+				return false, nil
+			case 1:
+				if sa.Secrets[0] == secrets[0] {
+					framework.Logf("default service account still has the deleted secret reference")
+					return false, nil
+				}
+				framework.Logf("default service account has a new single secret reference")
+				secrets = sa.Secrets
+				return true, nil
+			default:
+				return false, fmt.Errorf("default service account has too many secret references: %#v", sa.Secrets)
+			}
+		}))
+
+		// make sure the reference doesn't flutter
+		{
+			By("ensuring the single token reference persists")
+			time.Sleep(2 * time.Second)
+			sa, err := f.ClientSet.Core().ServiceAccounts(f.Namespace.Name).Get("default", metav1.GetOptions{})
+			framework.ExpectNoError(err)
+			Expect(sa.Secrets).To(Equal(secrets))
+		}
+
+		// delete the reference from the service account
+		By("deleting the reference to the service account token")
+		{
+			sa, err := f.ClientSet.Core().ServiceAccounts(f.Namespace.Name).Get("default", metav1.GetOptions{})
+			framework.ExpectNoError(err)
+			sa.Secrets = nil
+			_, updateErr := f.ClientSet.Core().ServiceAccounts(f.Namespace.Name).Update(sa)
+			framework.ExpectNoError(updateErr)
+		}
+
+		// wait for another one to be autocreated
+		framework.ExpectNoError(wait.Poll(time.Millisecond*500, framework.ServiceAccountProvisionTimeout, func() (bool, error) {
+			By("waiting for a new token to be created and added")
+			sa, err := f.ClientSet.Core().ServiceAccounts(f.Namespace.Name).Get("default", metav1.GetOptions{})
+			if err != nil {
+				framework.Logf("error getting default service account: %v", err)
+				return false, err
+			}
+			switch len(sa.Secrets) {
+			case 0:
+				framework.Logf("default service account has no secret references")
+				return false, nil
+			case 1:
+				framework.Logf("default service account has a new single secret reference")
+				secrets = sa.Secrets
+				return true, nil
+			default:
+				return false, fmt.Errorf("default service account has too many secret references: %#v", sa.Secrets)
+			}
+		}))
+
+		// make sure the reference doesn't flutter
+		{
+			By("ensuring the single token reference persists")
+			time.Sleep(2 * time.Second)
+			sa, err := f.ClientSet.Core().ServiceAccounts(f.Namespace.Name).Get("default", metav1.GetOptions{})
+			framework.ExpectNoError(err)
+			Expect(sa.Secrets).To(Equal(secrets))
+		}
+	})
+
+	It("should mount an API token into pods [Conformance]", func() {
+		var tokenContent string
+		var rootCAContent string
+
+		// Standard get, update retry loop
+		framework.ExpectNoError(wait.Poll(time.Millisecond*500, framework.ServiceAccountProvisionTimeout, func() (bool, error) {
+			By("getting the auto-created API token")
+			sa, err := f.ClientSet.Core().ServiceAccounts(f.Namespace.Name).Get("default", metav1.GetOptions{})
+			if apierrors.IsNotFound(err) {
+				framework.Logf("default service account was not found")
+				return false, nil
+			}
+			if err != nil {
+				framework.Logf("error getting default service account: %v", err)
+				return false, err
+			}
+			if len(sa.Secrets) == 0 {
+				framework.Logf("default service account has no secret references")
+				return false, nil
+			}
+			for _, secretRef := range sa.Secrets {
+				secret, err := f.ClientSet.Core().Secrets(f.Namespace.Name).Get(secretRef.Name, metav1.GetOptions{})
+				if err != nil {
+					framework.Logf("Error getting secret %s: %v", secretRef.Name, err)
+					continue
+				}
+				if secret.Type == v1.SecretTypeServiceAccountToken {
+					tokenContent = string(secret.Data[v1.ServiceAccountTokenKey])
+					rootCAContent = string(secret.Data[v1.ServiceAccountRootCAKey])
+					return true, nil
+				}
+			}
+
+			framework.Logf("default service account has no secret references to valid service account tokens")
+			return false, nil
+		}))
+
+		pod := &v1.Pod{
+			ObjectMeta: metav1.ObjectMeta{
+				GenerateName: "pod-service-account-" + string(uuid.NewUUID()) + "-",
+			},
+			Spec: v1.PodSpec{
+				Containers: []v1.Container{
+					{
+						Name:  "token-test",
+						Image: mountImage,
+						Args: []string{
+							fmt.Sprintf("--file_content=%s/%s", serviceaccount.DefaultAPITokenMountPath, v1.ServiceAccountTokenKey),
+						},
+					},
+					{
+						Name:  "root-ca-test",
+						Image: mountImage,
+						Args: []string{
+							fmt.Sprintf("--file_content=%s/%s", serviceaccount.DefaultAPITokenMountPath, v1.ServiceAccountRootCAKey),
+						},
+					},
+				},
+				RestartPolicy: v1.RestartPolicyNever,
+			},
+		}
+
+		supportsTokenNamespace, _ := framework.ServerVersionGTE(serviceAccountTokenNamespaceVersion, f.ClientSet.Discovery())
+		if supportsTokenNamespace {
+			pod.Spec.Containers = append(pod.Spec.Containers, v1.Container{
+				Name:  "namespace-test",
+				Image: mountImage,
+				Args: []string{
+					fmt.Sprintf("--file_content=%s/%s", serviceaccount.DefaultAPITokenMountPath, v1.ServiceAccountNamespaceKey),
+				},
+			})
+		}
+
+		f.TestContainerOutput("consume service account token", pod, 0, []string{
+			fmt.Sprintf(`content of file "%s/%s": %s`, serviceaccount.DefaultAPITokenMountPath, v1.ServiceAccountTokenKey, tokenContent),
+		})
+		f.TestContainerOutput("consume service account root CA", pod, 1, []string{
+			fmt.Sprintf(`content of file "%s/%s": %s`, serviceaccount.DefaultAPITokenMountPath, v1.ServiceAccountRootCAKey, rootCAContent),
+		})
+
+		if supportsTokenNamespace {
+			f.TestContainerOutput("consume service account namespace", pod, 2, []string{
+				fmt.Sprintf(`content of file "%s/%s": %s`, serviceaccount.DefaultAPITokenMountPath, v1.ServiceAccountNamespaceKey, f.Namespace.Name),
+			})
+		}
+	})
+
+	It("should allow opting out of API token automount [Conformance]", func() {
+		framework.SkipUnlessServerVersionGTE(serviceAccountTokenAutomountVersion, f.ClientSet.Discovery())
+
+		var err error
+		trueValue := true
+		falseValue := false
+		mountSA := &v1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "mount"}, AutomountServiceAccountToken: &trueValue}
+		nomountSA := &v1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "nomount"}, AutomountServiceAccountToken: &falseValue}
+		mountSA, err = f.ClientSet.Core().ServiceAccounts(f.Namespace.Name).Create(mountSA)
+		framework.ExpectNoError(err)
+		nomountSA, err = f.ClientSet.Core().ServiceAccounts(f.Namespace.Name).Create(nomountSA)
+		framework.ExpectNoError(err)
+
+		// Standard get, update retry loop
+		framework.ExpectNoError(wait.Poll(time.Millisecond*500, framework.ServiceAccountProvisionTimeout, func() (bool, error) {
+			By("getting the auto-created API token")
+			sa, err := f.ClientSet.Core().ServiceAccounts(f.Namespace.Name).Get(mountSA.Name, metav1.GetOptions{})
+			if apierrors.IsNotFound(err) {
+				framework.Logf("mount service account was not found")
+				return false, nil
+			}
+			if err != nil {
+				framework.Logf("error getting mount service account: %v", err)
+				return false, err
+			}
+			if len(sa.Secrets) == 0 {
+				framework.Logf("mount service account has no secret references")
+				return false, nil
+			}
+			for _, secretRef := range sa.Secrets {
+				secret, err := f.ClientSet.Core().Secrets(f.Namespace.Name).Get(secretRef.Name, metav1.GetOptions{})
+				if err != nil {
+					framework.Logf("Error getting secret %s: %v", secretRef.Name, err)
+					continue
+				}
+				if secret.Type == v1.SecretTypeServiceAccountToken {
+					return true, nil
+				}
+			}
+
+			framework.Logf("default service account has no secret references to valid service account tokens")
+			return false, nil
+		}))
+
+		testcases := []struct {
+			PodName            string
+			ServiceAccountName string
+			AutomountPodSpec   *bool
+			ExpectTokenVolume  bool
+		}{
+			{
+				PodName:            "pod-service-account-defaultsa",
+				ServiceAccountName: "default",
+				AutomountPodSpec:   nil,
+				ExpectTokenVolume:  true, // default is true
+			},
+			{
+				PodName:            "pod-service-account-mountsa",
+				ServiceAccountName: mountSA.Name,
+				AutomountPodSpec:   nil,
+				ExpectTokenVolume:  true,
+			},
+			{
+				PodName:            "pod-service-account-nomountsa",
+				ServiceAccountName: nomountSA.Name,
+				AutomountPodSpec:   nil,
+				ExpectTokenVolume:  false,
+			},
+
+			// Make sure pod spec trumps when opting in
+			{
+				PodName:            "pod-service-account-defaultsa-mountspec",
+				ServiceAccountName: "default",
+				AutomountPodSpec:   &trueValue,
+				ExpectTokenVolume:  true,
+			},
+			{
+				PodName:            "pod-service-account-mountsa-mountspec",
+				ServiceAccountName: mountSA.Name,
+				AutomountPodSpec:   &trueValue,
+				ExpectTokenVolume:  true,
+			},
+			{
+				PodName:            "pod-service-account-nomountsa-mountspec",
+				ServiceAccountName: nomountSA.Name,
+				AutomountPodSpec:   &trueValue,
+				ExpectTokenVolume:  true, // pod spec trumps
+			},
+
+			// Make sure pod spec trumps when opting out
+			{
+				PodName:            "pod-service-account-defaultsa-nomountspec",
+				ServiceAccountName: "default",
+				AutomountPodSpec:   &falseValue,
+				ExpectTokenVolume:  false, // pod spec trumps
+			},
+			{
+				PodName:            "pod-service-account-mountsa-nomountspec",
+				ServiceAccountName: mountSA.Name,
+				AutomountPodSpec:   &falseValue,
+				ExpectTokenVolume:  false, // pod spec trumps
+			},
+			{
+				PodName:            "pod-service-account-nomountsa-nomountspec",
+				ServiceAccountName: nomountSA.Name,
+				AutomountPodSpec:   &falseValue,
+				ExpectTokenVolume:  false, // pod spec trumps
+			},
+		}
+
+		for _, tc := range testcases {
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{Name: tc.PodName},
+				Spec: v1.PodSpec{
+					Containers:                   []v1.Container{{Name: "token-test", Image: mountImage}},
+					RestartPolicy:                v1.RestartPolicyNever,
+					ServiceAccountName:           tc.ServiceAccountName,
+					AutomountServiceAccountToken: tc.AutomountPodSpec,
+				},
+			}
+			createdPod, err := f.ClientSet.Core().Pods(f.Namespace.Name).Create(pod)
+			framework.ExpectNoError(err)
+			framework.Logf("created pod %s", tc.PodName)
+
+			hasServiceAccountTokenVolume := false
+			for _, c := range createdPod.Spec.Containers {
+				for _, vm := range c.VolumeMounts {
+					if vm.MountPath == serviceaccount.DefaultAPITokenMountPath {
+						hasServiceAccountTokenVolume = true
+					}
+				}
+			}
+
+			if hasServiceAccountTokenVolume != tc.ExpectTokenVolume {
+				framework.Failf("%s: expected volume=%v, got %v (%#v)", tc.PodName, tc.ExpectTokenVolume, hasServiceAccountTokenVolume, createdPod)
+			} else {
+				framework.Logf("pod %s service account token volume mount: %v", tc.PodName, hasServiceAccountTokenVolume)
+			}
+		}
+	})
+})