Update go dependencies

vendor/k8s.io/apiserver/pkg/authentication/authenticator/interfaces.go

@@ -1,68 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package authenticator
-
-import (
-	"net/http"
-
-	"k8s.io/apiserver/pkg/authentication/user"
-)
-
-// Token checks a string value against a backing authentication store and returns
-// information about the current user and true if successful, false if not successful,
-// or an error if the token could not be checked.
-type Token interface {
-	AuthenticateToken(token string) (user.Info, bool, error)
-}
-
-// Request attempts to extract authentication information from a request and returns
-// information about the current user and true if successful, false if not successful,
-// or an error if the request could not be checked.
-type Request interface {
-	AuthenticateRequest(req *http.Request) (user.Info, bool, error)
-}
-
-// Password checks a username and password against a backing authentication store and
-// returns information about the user and true if successful, false if not successful,
-// or an error if the username and password could not be checked
-type Password interface {
-	AuthenticatePassword(user, password string) (user.Info, bool, error)
-}
-
-// TokenFunc is a function that implements the Token interface.
-type TokenFunc func(token string) (user.Info, bool, error)
-
-// AuthenticateToken implements authenticator.Token.
-func (f TokenFunc) AuthenticateToken(token string) (user.Info, bool, error) {
-	return f(token)
-}
-
-// RequestFunc is a function that implements the Request interface.
-type RequestFunc func(req *http.Request) (user.Info, bool, error)
-
-// AuthenticateRequest implements authenticator.Request.
-func (f RequestFunc) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
-	return f(req)
-}
-
-// PasswordFunc is a function that implements the Password interface.
-type PasswordFunc func(user, password string) (user.Info, bool, error)
-
-// AuthenticatePassword implements authenticator.Password.
-func (f PasswordFunc) AuthenticatePassword(user, password string) (user.Info, bool, error) {
-	return f(user, password)
-}

vendor/k8s.io/apiserver/pkg/authentication/serviceaccount/util.go

@@ -1,73 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package serviceaccount
-
-import (
-	"fmt"
-	"strings"
-
-	apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation"
-)
-
-const (
-	ServiceAccountUsernamePrefix    = "system:serviceaccount:"
-	ServiceAccountUsernameSeparator = ":"
-	ServiceAccountGroupPrefix       = "system:serviceaccounts:"
-	AllServiceAccountsGroup         = "system:serviceaccounts"
-)
-
-// MakeUsername generates a username from the given namespace and ServiceAccount name.
-// The resulting username can be passed to SplitUsername to extract the original namespace and ServiceAccount name.
-func MakeUsername(namespace, name string) string {
-	return ServiceAccountUsernamePrefix + namespace + ServiceAccountUsernameSeparator + name
-}
-
-var invalidUsernameErr = fmt.Errorf("Username must be in the form %s", MakeUsername("namespace", "name"))
-
-// SplitUsername returns the namespace and ServiceAccount name embedded in the given username,
-// or an error if the username is not a valid name produced by MakeUsername
-func SplitUsername(username string) (string, string, error) {
-	if !strings.HasPrefix(username, ServiceAccountUsernamePrefix) {
-		return "", "", invalidUsernameErr
-	}
-	trimmed := strings.TrimPrefix(username, ServiceAccountUsernamePrefix)
-	parts := strings.Split(trimmed, ServiceAccountUsernameSeparator)
-	if len(parts) != 2 {
-		return "", "", invalidUsernameErr
-	}
-	namespace, name := parts[0], parts[1]
-	if len(apimachineryvalidation.ValidateNamespaceName(namespace, false)) != 0 {
-		return "", "", invalidUsernameErr
-	}
-	if len(apimachineryvalidation.ValidateServiceAccountName(name, false)) != 0 {
-		return "", "", invalidUsernameErr
-	}
-	return namespace, name, nil
-}
-
-// MakeGroupNames generates service account group names for the given namespace
-func MakeGroupNames(namespace string) []string {
-	return []string{
-		AllServiceAccountsGroup,
-		MakeNamespaceGroupName(namespace),
-	}
-}
-
-// MakeNamespaceGroupName returns the name of the group all service accounts in the namespace are included in
-func MakeNamespaceGroupName(namespace string) string {
-	return ServiceAccountGroupPrefix + namespace
-}

vendor/k8s.io/apiserver/pkg/authentication/user/doc.go

@@ -1,19 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package user contains utilities for dealing with simple user exchange in the auth
-// packages. The user.Info interface defines an interface for exchanging that info.
-package user

vendor/k8s.io/apiserver/pkg/authentication/user/user.go

@@ -1,83 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package user
-
-// Info describes a user that has been authenticated to the system.
-type Info interface {
-	// GetName returns the name that uniquely identifies this user among all
-	// other active users.
-	GetName() string
-	// GetUID returns a unique value for a particular user that will change
-	// if the user is removed from the system and another user is added with
-	// the same name.
-	GetUID() string
-	// GetGroups returns the names of the groups the user is a member of
-	GetGroups() []string
-
-	// GetExtra can contain any additional information that the authenticator
-	// thought was interesting.  One example would be scopes on a token.
-	// Keys in this map should be namespaced to the authenticator or
-	// authenticator/authorizer pair making use of them.
-	// For instance: "example.org/foo" instead of "foo"
-	// This is a map[string][]string because it needs to be serializeable into
-	// a SubjectAccessReviewSpec.authorization.k8s.io for proper authorization
-	// delegation flows
-	// In order to faithfully round-trip through an impersonation flow, these keys
-	// MUST be lowercase.
-	GetExtra() map[string][]string
-}
-
-// DefaultInfo provides a simple user information exchange object
-// for components that implement the UserInfo interface.
-type DefaultInfo struct {
-	Name   string
-	UID    string
-	Groups []string
-	Extra  map[string][]string
-}
-
-func (i *DefaultInfo) GetName() string {
-	return i.Name
-}
-
-func (i *DefaultInfo) GetUID() string {
-	return i.UID
-}
-
-func (i *DefaultInfo) GetGroups() []string {
-	return i.Groups
-}
-
-func (i *DefaultInfo) GetExtra() map[string][]string {
-	return i.Extra
-}
-
-// well-known user and group names
-const (
-	SystemPrivilegedGroup = "system:masters"
-	NodesGroup            = "system:nodes"
-	AllUnauthenticated    = "system:unauthenticated"
-	AllAuthenticated      = "system:authenticated"
-
-	Anonymous     = "system:anonymous"
-	APIServerUser = "system:apiserver"
-
-	// core kubernetes process identities
-	KubeProxy             = "system:kube-proxy"
-	KubeControllerManager = "system:kube-controller-manager"
-	KubeScheduler         = "system:kube-scheduler"
-)

vendor/k8s.io/apiserver/pkg/features/OWNERS

@@ -1,2 +0,0 @@
-approvers:
-- feature-approvers

vendor/k8s.io/apiserver/pkg/features/kube_features.go

@@ -1,91 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package features
-
-import (
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
-)
-
-const (
-	// Every feature gate should add method here following this template:
-	//
-	// // owner: @username
-	// // alpha: v1.4
-	// MyFeature() bool
-
-	// owner: @tallclair
-	// alpha: v1.5
-	//
-	// StreamingProxyRedirects controls whether the apiserver should intercept (and follow)
-	// redirects from the backend (Kubelet) for streaming requests (exec/attach/port-forward).
-	StreamingProxyRedirects utilfeature.Feature = "StreamingProxyRedirects"
-
-	// owner: @tallclair
-	// alpha: v1.7
-	// beta: v1.8
-	// GA: v1.12
-	//
-	// AdvancedAuditing enables a much more general API auditing pipeline, which includes support for
-	// pluggable output backends and an audit policy specifying how different requests should be
-	// audited.
-	AdvancedAuditing utilfeature.Feature = "AdvancedAuditing"
-
-	// owner: @ilackams
-	// alpha: v1.7
-	//
-	// Enables compression of REST responses (GET and LIST only)
-	APIResponseCompression utilfeature.Feature = "APIResponseCompression"
-
-	// owner: @smarterclayton
-	// alpha: v1.7
-	//
-	// Allow asynchronous coordination of object creation.
-	// Auto-enabled by the Initializers admission plugin.
-	Initializers utilfeature.Feature = "Initializers"
-
-	// owner: @smarterclayton
-	// alpha: v1.8
-	// beta: v1.9
-	//
-	// Allow API clients to retrieve resource lists in chunks rather than
-	// all at once.
-	APIListChunking utilfeature.Feature = "APIListChunking"
-
-	// owner: @apelisse
-	// alpha: v1.12
-	//
-	// Allow requests to be processed but not stored, so that
-	// validation, merging, mutation can be tested without
-	// committing.
-	DryRun utilfeature.Feature = "DryRun"
-)
-
-func init() {
-	utilfeature.DefaultFeatureGate.Add(defaultKubernetesFeatureGates)
-}
-
-// defaultKubernetesFeatureGates consists of all known Kubernetes-specific feature keys.
-// To add a new feature, define a key for it above and add it here. The features will be
-// available throughout Kubernetes binaries.
-var defaultKubernetesFeatureGates = map[utilfeature.Feature]utilfeature.FeatureSpec{
-	StreamingProxyRedirects: {Default: true, PreRelease: utilfeature.Beta},
-	AdvancedAuditing:        {Default: true, PreRelease: utilfeature.GA},
-	APIResponseCompression:  {Default: false, PreRelease: utilfeature.Alpha},
-	Initializers:            {Default: false, PreRelease: utilfeature.Alpha},
-	APIListChunking:         {Default: true, PreRelease: utilfeature.Beta},
-	DryRun:                  {Default: false, PreRelease: utilfeature.Alpha},
-}

vendor/k8s.io/apiserver/pkg/server/config.go

@@ -30,8 +30,8 @@ import (
 
 	"github.com/emicklei/go-restful-swagger12"
 	"github.com/go-openapi/spec"
-	"github.com/golang/glog"
 	"github.com/pborman/uuid"
+	"k8s.io/klog"
 
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
@@ -227,6 +227,9 @@ type SecureServingInfo struct {
 }
 
 type AuthenticationInfo struct {
+	// APIAudiences is a list of identifier that the API identifies as. This is
+	// used by some authenticators to validate audience bound credentials.
+	APIAudiences authenticator.Audiences
 	// Authenticator determines which subject is making the request
 	Authenticator authenticator.Request
 	// SupportsBasicAuth indicates that's at least one Authenticator supports basic auth
@@ -355,11 +358,11 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo
 	// if there is no port, and we listen on one securely, use that one
 	if _, _, err := net.SplitHostPort(c.ExternalAddress); err != nil {
 		if c.SecureServing == nil {
-			glog.Fatalf("cannot derive external address port without listening on a secure port.")
+			klog.Fatalf("cannot derive external address port without listening on a secure port.")
 		}
 		_, port, err := c.SecureServing.HostPort()
 		if err != nil {
-			glog.Fatalf("cannot derive external address from the secure port: %v", err)
+			klog.Fatalf("cannot derive external address from the secure port: %v", err)
 		}
 		c.ExternalAddress = net.JoinHostPort(c.ExternalAddress, strconv.Itoa(port))
 	}
@@ -534,7 +537,7 @@ func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler {
 	handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc)
 	failedHandler := genericapifilters.Unauthorized(c.Serializer, c.Authentication.SupportsBasicAuth)
 	failedHandler = genericapifilters.WithFailedAuthenticationAudit(failedHandler, c.AuditBackend, c.AuditPolicyChecker)
-	handler = genericapifilters.WithAuthentication(handler, c.Authentication.Authenticator, failedHandler)
+	handler = genericapifilters.WithAuthentication(handler, c.Authentication.Authenticator, failedHandler, c.Authentication.APIAudiences)
 	handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true")
 	handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.LongRunningFunc, c.RequestTimeout)
 	handler = genericfilters.WithWaitGroup(handler, c.LongRunningFunc, c.HandlerChainWaitGroup)

vendor/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go

@@ -21,8 +21,9 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/golang/glog"
+	"k8s.io/klog"
 
+	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/client-go/rest"
 )
@@ -45,9 +46,9 @@ func (s *DeprecatedInsecureServingInfo) Serve(handler http.Handler, shutdownTime
 	}
 
 	if len(s.Name) > 0 {
-		glog.Infof("Serving %s insecurely on %s", s.Name, s.Listener.Addr())
+		klog.Infof("Serving %s insecurely on %s", s.Name, s.Listener.Addr())
 	} else {
-		glog.Infof("Serving insecurely on %s", s.Listener.Addr())
+		klog.Infof("Serving insecurely on %s", s.Listener.Addr())
 	}
 	return RunServer(insecureServer, s.Listener, shutdownTimeout, stopCh)
 }
@@ -77,9 +78,13 @@ func (s *DeprecatedInsecureServingInfo) NewLoopbackClientConfig() (*rest.Config,
 // but allows apiserver code to stop special-casing a nil user to skip authorization checks.
 type InsecureSuperuser struct{}
 
-func (InsecureSuperuser) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
-	return &user.DefaultInfo{
-		Name:   "system:unsecured",
-		Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
+func (InsecureSuperuser) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
+	auds, _ := authenticator.AudiencesFrom(req.Context())
+	return &authenticator.Response{
+		User: &user.DefaultInfo{
+			Name:   "system:unsecured",
+			Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
+		},
+		Audiences: auds,
 	}, true, nil
 }

vendor/k8s.io/apiserver/pkg/server/genericapiserver.go

@@ -19,13 +19,14 @@ package server
 import (
 	"fmt"
 	"net/http"
+	gpath "path"
 	"strings"
 	"sync"
 	"time"
 
 	systemd "github.com/coreos/go-systemd/daemon"
 	"github.com/emicklei/go-restful-swagger12"
-	"github.com/golang/glog"
+	"k8s.io/klog"
 
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -42,8 +43,12 @@ import (
 	"k8s.io/apiserver/pkg/registry/rest"
 	"k8s.io/apiserver/pkg/server/healthz"
 	"k8s.io/apiserver/pkg/server/routes"
+	utilopenapi "k8s.io/apiserver/pkg/util/openapi"
 	restclient "k8s.io/client-go/rest"
+	openapibuilder "k8s.io/kube-openapi/pkg/builder"
 	openapicommon "k8s.io/kube-openapi/pkg/common"
+	openapiutil "k8s.io/kube-openapi/pkg/util"
+	openapiproto "k8s.io/kube-openapi/pkg/util/proto"
 )
 
 // Info about an API group.
@@ -312,7 +317,7 @@ func (s preparedGenericAPIServer) NonBlockingRun(stopCh <-chan struct{}) error {
 	s.RunPostStartHooks(stopCh)
 
 	if _, err := systemd.SdNotify(true, "READY=1\n"); err != nil {
-		glog.Errorf("Unable to send systemd daemon successful start message: %v\n", err)
+		klog.Errorf("Unable to send systemd daemon successful start message: %v\n", err)
 	}
 
 	return nil
@@ -320,9 +325,13 @@ func (s preparedGenericAPIServer) NonBlockingRun(stopCh <-chan struct{}) error {
 
 // installAPIResources is a private method for installing the REST storage backing each api groupversionresource
 func (s *GenericAPIServer) installAPIResources(apiPrefix string, apiGroupInfo *APIGroupInfo) error {
+	openAPIGroupModels, err := s.getOpenAPIModelsForGroup(apiPrefix, apiGroupInfo)
+	if err != nil {
+		return fmt.Errorf("unable to get openapi models for group %v: %v", apiPrefix, err)
+	}
 	for _, groupVersion := range apiGroupInfo.PrioritizedVersions {
 		if len(apiGroupInfo.VersionedResourcesStorageMap[groupVersion.Version]) == 0 {
-			glog.Warningf("Skipping API %v because it has no resources.", groupVersion)
+			klog.Warningf("Skipping API %v because it has no resources.", groupVersion)
 			continue
 		}
 
@@ -330,6 +339,7 @@ func (s *GenericAPIServer) installAPIResources(apiPrefix string, apiGroupInfo *A
 		if apiGroupInfo.OptionsExternalVersion != nil {
 			apiGroupVersion.OptionsExternalVersion = apiGroupInfo.OptionsExternalVersion
 		}
+		apiGroupVersion.OpenAPIModels = openAPIGroupModels
 
 		if err := apiGroupVersion.InstallREST(s.Handler.GoRestfulContainer); err != nil {
 			return fmt.Errorf("unable to setup API %v: %v", apiGroupInfo, err)
@@ -427,7 +437,6 @@ func (s *GenericAPIServer) newAPIGroupVersion(apiGroupInfo *APIGroupInfo, groupV
 		Admit:                        s.admissionControl,
 		MinRequestTimeout:            s.minRequestTimeout,
 		EnableAPIResponseCompression: s.enableAPIResponseCompression,
-		OpenAPIConfig:                s.openAPIConfig,
 		Authorizer:                   s.Authorizer,
 	}
 }
@@ -445,3 +454,37 @@ func NewDefaultAPIGroupInfo(group string, scheme *runtime.Scheme, parameterCodec
 		NegotiatedSerializer:   codecs,
 	}
 }
+
+// getOpenAPIModelsForGroup is a private method for getting the OpenAPI Schemas for each  api group
+func (s *GenericAPIServer) getOpenAPIModelsForGroup(apiPrefix string, apiGroupInfo *APIGroupInfo) (openapiproto.Models, error) {
+	if s.openAPIConfig == nil {
+		return nil, nil
+	}
+	pathsToIgnore := openapiutil.NewTrie(s.openAPIConfig.IgnorePrefixes)
+	// Get the canonical names of every resource we need to build in this api group
+	resourceNames := make([]string, 0)
+	for _, groupVersion := range apiGroupInfo.PrioritizedVersions {
+		for resource, storage := range apiGroupInfo.VersionedResourcesStorageMap[groupVersion.Version] {
+			path := gpath.Join(apiPrefix, groupVersion.Group, groupVersion.Version, resource)
+			if !pathsToIgnore.HasPrefix(path) {
+				kind, err := genericapi.GetResourceKind(groupVersion, storage, apiGroupInfo.Scheme)
+				if err != nil {
+					return nil, err
+				}
+				sampleObject, err := apiGroupInfo.Scheme.New(kind)
+				if err != nil {
+					return nil, err
+				}
+				name := openapiutil.GetCanonicalTypeName(sampleObject)
+				resourceNames = append(resourceNames, name)
+			}
+		}
+	}
+
+	// Build the openapi definitions for those resources and convert it to proto models
+	openAPISpec, err := openapibuilder.BuildOpenAPIDefinitionsForResources(s.openAPIConfig, resourceNames...)
+	if err != nil {
+		return nil, err
+	}
+	return utilopenapi.ToProtoModels(openAPISpec)
+}

vendor/k8s.io/apiserver/pkg/server/handler.go

@@ -25,7 +25,7 @@ import (
 	"strings"
 
 	"github.com/emicklei/go-restful"
-	"github.com/golang/glog"
+	"k8s.io/klog"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -130,7 +130,7 @@ func (d director) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 			// normally these are passed to the nonGoRestfulMux, but if discovery is enabled, it will go directly.
 			// We can't rely on a prefix match since /apis matches everything (see the big comment on Director above)
 			if path == "/apis" || path == "/apis/" {
-				glog.V(5).Infof("%v: %v %q satisfied by gorestful with webservice %v", d.name, req.Method, path, ws.RootPath())
+				klog.V(5).Infof("%v: %v %q satisfied by gorestful with webservice %v", d.name, req.Method, path, ws.RootPath())
 				// don't use servemux here because gorestful servemuxes get messed up when removing webservices
 				// TODO fix gorestful, remove TPRs, or stop using gorestful
 				d.goRestfulContainer.Dispatch(w, req)
@@ -140,7 +140,7 @@ func (d director) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		case strings.HasPrefix(path, ws.RootPath()):
 			// ensure an exact match or a path boundary match
 			if len(path) == len(ws.RootPath()) || path[len(ws.RootPath())] == '/' {
-				glog.V(5).Infof("%v: %v %q satisfied by gorestful with webservice %v", d.name, req.Method, path, ws.RootPath())
+				klog.V(5).Infof("%v: %v %q satisfied by gorestful with webservice %v", d.name, req.Method, path, ws.RootPath())
 				// don't use servemux here because gorestful servemuxes get messed up when removing webservices
 				// TODO fix gorestful, remove TPRs, or stop using gorestful
 				d.goRestfulContainer.Dispatch(w, req)
@@ -150,7 +150,7 @@ func (d director) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	}
 
 	// if we didn't find a match, then we just skip gorestful altogether
-	glog.V(5).Infof("%v: %v %q satisfied by nonGoRestful", d.name, req.Method, path)
+	klog.V(5).Infof("%v: %v %q satisfied by nonGoRestful", d.name, req.Method, path)
 	d.nonGoRestfulMux.ServeHTTP(w, req)
 }
 
@@ -165,7 +165,7 @@ func logStackOnRecover(s runtime.NegotiatedSerializer, panicReason interface{},
 		}
 		buffer.WriteString(fmt.Sprintf("    %s:%d\r\n", file, line))
 	}
-	glog.Errorln(buffer.String())
+	klog.Errorln(buffer.String())
 
 	headers := http.Header{}
 	if ct := w.Header().Get("Content-Type"); len(ct) > 0 {

vendor/k8s.io/apiserver/pkg/server/healthz/healthz.go

@@ -25,8 +25,9 @@ import (
 	"sync/atomic"
 	"time"
 
-	"github.com/golang/glog"
+	"k8s.io/klog"
 
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
 )
 
@@ -76,7 +77,7 @@ func (l *log) Check(_ *http.Request) error {
 	l.startOnce.Do(func() {
 		l.lastVerified.Store(time.Now())
 		go wait.Forever(func() {
-			glog.Flush()
+			klog.Flush()
 			l.lastVerified.Store(time.Now())
 		}, time.Minute)
 	})
@@ -108,11 +109,11 @@ func InstallHandler(mux mux, checks ...HealthzChecker) {
 // result in a panic.
 func InstallPathHandler(mux mux, path string, checks ...HealthzChecker) {
 	if len(checks) == 0 {
-		glog.V(5).Info("No default health checks specified. Installing the ping handler.")
+		klog.V(5).Info("No default health checks specified. Installing the ping handler.")
 		checks = []HealthzChecker{PingHealthz}
 	}
 
-	glog.V(5).Info("Installing healthz checkers:", strings.Join(checkerNames(checks...), ", "))
+	klog.V(5).Info("Installing healthz checkers:", formatQuoted(checkerNames(checks...)...))
 
 	mux.Handle(path, handleRootHealthz(checks...))
 	for _, check := range checks {
@@ -141,22 +142,43 @@ func (c *healthzCheck) Check(r *http.Request) error {
 	return c.check(r)
 }
 
+// getExcludedChecks extracts the health check names to be excluded from the query param
+func getExcludedChecks(r *http.Request) sets.String {
+	checks, found := r.URL.Query()["exclude"]
+	if found {
+		return sets.NewString(checks...)
+	}
+	return sets.NewString()
+}
+
 // handleRootHealthz returns an http.HandlerFunc that serves the provided checks.
 func handleRootHealthz(checks ...HealthzChecker) http.HandlerFunc {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		failed := false
+		excluded := getExcludedChecks(r)
 		var verboseOut bytes.Buffer
 		for _, check := range checks {
+			// no-op the check if we've specified we want to exclude the check
+			if excluded.Has(check.Name()) {
+				excluded.Delete(check.Name())
+				fmt.Fprintf(&verboseOut, "[+]%v excluded: ok\n", check.Name())
+				continue
+			}
 			if err := check.Check(r); err != nil {
 				// don't include the error since this endpoint is public.  If someone wants more detail
 				// they should have explicit permission to the detailed checks.
-				glog.V(6).Infof("healthz check %v failed: %v", check.Name(), err)
+				klog.V(6).Infof("healthz check %v failed: %v", check.Name(), err)
 				fmt.Fprintf(&verboseOut, "[-]%v failed: reason withheld\n", check.Name())
 				failed = true
 			} else {
 				fmt.Fprintf(&verboseOut, "[+]%v ok\n", check.Name())
 			}
 		}
+		if excluded.Len() > 0 {
+			fmt.Fprintf(&verboseOut, "warn: some health checks cannot be excluded: no matches for %v\n", formatQuoted(excluded.List()...))
+			klog.Warningf("cannot exclude some health checks, no health checks are installed matching %v",
+				formatQuoted(excluded.List()...))
+		}
 		// always be verbose on failure
 		if failed {
 			http.Error(w, fmt.Sprintf("%vhealthz check failed", verboseOut.String()), http.StatusInternalServerError)
@@ -187,14 +209,20 @@ func adaptCheckToHandler(c func(r *http.Request) error) http.HandlerFunc {
 
 // checkerNames returns the names of the checks in the same order as passed in.
 func checkerNames(checks ...HealthzChecker) []string {
-	if len(checks) > 0 {
-		// accumulate the names of checks for printing them out.
-		checkerNames := make([]string, 0, len(checks))
-		for _, check := range checks {
-			// quote the Name so we can disambiguate
-			checkerNames = append(checkerNames, fmt.Sprintf("%q", check.Name()))
-		}
-		return checkerNames
+	// accumulate the names of checks for printing them out.
+	checkerNames := make([]string, 0, len(checks))
+	for _, check := range checks {
+		checkerNames = append(checkerNames, check.Name())
 	}
-	return nil
+	return checkerNames
+}
+
+// formatQuoted returns a formatted string of the health check names,
+// preserving the order passed in.
+func formatQuoted(names ...string) string {
+	quoted := make([]string, 0, len(names))
+	for _, name := range names {
+		quoted = append(quoted, fmt.Sprintf("%q", name))
+	}
+	return strings.Join(quoted, ",")
 }

vendor/k8s.io/apiserver/pkg/server/hooks.go

@@ -21,7 +21,7 @@ import (
 	"fmt"
 	"net/http"
 
-	"github.com/golang/glog"
+	"k8s.io/klog"
 
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -101,7 +101,7 @@ func (s *GenericAPIServer) AddPostStartHook(name string, hook PostStartHookFunc)
 // AddPostStartHookOrDie allows you to add a PostStartHook, but dies on failure
 func (s *GenericAPIServer) AddPostStartHookOrDie(name string, hook PostStartHookFunc) {
 	if err := s.AddPostStartHook(name, hook); err != nil {
-		glog.Fatalf("Error registering PostStartHook %q: %v", name, err)
+		klog.Fatalf("Error registering PostStartHook %q: %v", name, err)
 	}
 }
 
@@ -132,7 +132,7 @@ func (s *GenericAPIServer) AddPreShutdownHook(name string, hook PreShutdownHookF
 // AddPreShutdownHookOrDie allows you to add a PostStartHook, but dies on failure
 func (s *GenericAPIServer) AddPreShutdownHookOrDie(name string, hook PreShutdownHookFunc) {
 	if err := s.AddPreShutdownHook(name, hook); err != nil {
-		glog.Fatalf("Error registering PreShutdownHook %q: %v", name, err)
+		klog.Fatalf("Error registering PreShutdownHook %q: %v", name, err)
 	}
 }
 
@@ -185,7 +185,7 @@ func runPostStartHook(name string, entry postStartHookEntry, context PostStartHo
 	}()
 	// if the hook intentionally wants to kill server, let it.
 	if err != nil {
-		glog.Fatalf("PostStartHook %q failed: %v", name, err)
+		klog.Fatalf("PostStartHook %q failed: %v", name, err)
 	}
 	close(entry.done)
 }

vendor/k8s.io/apiserver/pkg/server/secure_serving.go

@@ -26,8 +26,8 @@ import (
 	"strings"
 	"time"
 
-	"github.com/golang/glog"
 	"golang.org/x/net/http2"
+	"k8s.io/klog"
 
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/validation"
@@ -113,7 +113,7 @@ func (s *SecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Dur
 		return fmt.Errorf("error configuring http2: %v", err)
 	}
 
-	glog.Infof("Serving securely on %s", secureServer.Addr)
+	klog.Infof("Serving securely on %s", secureServer.Addr)
 	return RunServer(secureServer, s.Listener, shutdownTimeout, stopCh)
 }
 
@@ -153,7 +153,7 @@ func RunServer(
 		msg := fmt.Sprintf("Stopped listening on %s", ln.Addr().String())
 		select {
 		case <-stopCh:
-			glog.Info(msg)
+			klog.Info(msg)
 		default:
 			panic(fmt.Sprintf("%s due to error: %v", msg, err))
 		}

vendor/k8s.io/apiserver/pkg/server/signal.go

@@ -26,7 +26,7 @@ var onlyOneSignalHandler = make(chan struct{})
 // SetupSignalHandler registered for SIGTERM and SIGINT. A stop channel is returned
 // which is closed on one of these signals. If a second signal is caught, the program
 // is terminated with exit code 1.
-func SetupSignalHandler() (stopCh <-chan struct{}) {
+func SetupSignalHandler() <-chan struct{} {
 	close(onlyOneSignalHandler) // panics when called twice
 
 	stop := make(chan struct{})

vendor/k8s.io/apiserver/pkg/util/feature/feature_gate.go

@@ -1,323 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package feature
-
-import (
-	"fmt"
-	"sort"
-	"strconv"
-	"strings"
-	"sync"
-	"sync/atomic"
-
-	"github.com/golang/glog"
-	"github.com/spf13/pflag"
-)
-
-type Feature string
-
-const (
-	flagName = "feature-gates"
-
-	// allAlphaGate is a global toggle for alpha features. Per-feature key
-	// values override the default set by allAlphaGate. Examples:
-	//   AllAlpha=false,NewFeature=true  will result in newFeature=true
-	//   AllAlpha=true,NewFeature=false  will result in newFeature=false
-	allAlphaGate Feature = "AllAlpha"
-)
-
-var (
-	// The generic features.
-	defaultFeatures = map[Feature]FeatureSpec{
-		allAlphaGate: {Default: false, PreRelease: Alpha},
-	}
-
-	// Special handling for a few gates.
-	specialFeatures = map[Feature]func(known map[Feature]FeatureSpec, enabled map[Feature]bool, val bool){
-		allAlphaGate: setUnsetAlphaGates,
-	}
-
-	// DefaultFeatureGate is a shared global FeatureGate.
-	DefaultFeatureGate FeatureGate = NewFeatureGate()
-)
-
-type FeatureSpec struct {
-	Default    bool
-	PreRelease prerelease
-}
-
-type prerelease string
-
-const (
-	// Values for PreRelease.
-	Alpha = prerelease("ALPHA")
-	Beta  = prerelease("BETA")
-	GA    = prerelease("")
-
-	// Deprecated
-	Deprecated = prerelease("DEPRECATED")
-)
-
-// FeatureGate parses and stores flag gates for known features from
-// a string like feature1=true,feature2=false,...
-type FeatureGate interface {
-	// AddFlag adds a flag for setting global feature gates to the specified FlagSet.
-	AddFlag(fs *pflag.FlagSet)
-	// Set parses and stores flag gates for known features
-	// from a string like feature1=true,feature2=false,...
-	Set(value string) error
-	// SetFromMap stores flag gates for known features from a map[string]bool or returns an error
-	SetFromMap(m map[string]bool) error
-	// Enabled returns true if the key is enabled.
-	Enabled(key Feature) bool
-	// Add adds features to the featureGate.
-	Add(features map[Feature]FeatureSpec) error
-	// KnownFeatures returns a slice of strings describing the FeatureGate's known features.
-	KnownFeatures() []string
-	// DeepCopy returns a deep copy of the FeatureGate object, such that gates can be
-	// set on the copy without mutating the original. This is useful for validating
-	// config against potential feature gate changes before committing those changes.
-	DeepCopy() FeatureGate
-}
-
-// featureGate implements FeatureGate as well as pflag.Value for flag parsing.
-type featureGate struct {
-	special map[Feature]func(map[Feature]FeatureSpec, map[Feature]bool, bool)
-
-	// lock guards writes to known, enabled, and reads/writes of closed
-	lock sync.Mutex
-	// known holds a map[Feature]FeatureSpec
-	known *atomic.Value
-	// enabled holds a map[Feature]bool
-	enabled *atomic.Value
-	// closed is set to true when AddFlag is called, and prevents subsequent calls to Add
-	closed bool
-}
-
-func setUnsetAlphaGates(known map[Feature]FeatureSpec, enabled map[Feature]bool, val bool) {
-	for k, v := range known {
-		if v.PreRelease == Alpha {
-			if _, found := enabled[k]; !found {
-				enabled[k] = val
-			}
-		}
-	}
-}
-
-// Set, String, and Type implement pflag.Value
-var _ pflag.Value = &featureGate{}
-
-func NewFeatureGate() *featureGate {
-	known := map[Feature]FeatureSpec{}
-	for k, v := range defaultFeatures {
-		known[k] = v
-	}
-
-	knownValue := &atomic.Value{}
-	knownValue.Store(known)
-
-	enabled := map[Feature]bool{}
-	enabledValue := &atomic.Value{}
-	enabledValue.Store(enabled)
-
-	f := &featureGate{
-		known:   knownValue,
-		special: specialFeatures,
-		enabled: enabledValue,
-	}
-	return f
-}
-
-// Set parses a string of the form "key1=value1,key2=value2,..." into a
-// map[string]bool of known keys or returns an error.
-func (f *featureGate) Set(value string) error {
-	m := make(map[string]bool)
-	for _, s := range strings.Split(value, ",") {
-		if len(s) == 0 {
-			continue
-		}
-		arr := strings.SplitN(s, "=", 2)
-		k := strings.TrimSpace(arr[0])
-		if len(arr) != 2 {
-			return fmt.Errorf("missing bool value for %s", k)
-		}
-		v := strings.TrimSpace(arr[1])
-		boolValue, err := strconv.ParseBool(v)
-		if err != nil {
-			return fmt.Errorf("invalid value of %s=%s, err: %v", k, v, err)
-		}
-		m[k] = boolValue
-	}
-	return f.SetFromMap(m)
-}
-
-// SetFromMap stores flag gates for known features from a map[string]bool or returns an error
-func (f *featureGate) SetFromMap(m map[string]bool) error {
-	f.lock.Lock()
-	defer f.lock.Unlock()
-
-	// Copy existing state
-	known := map[Feature]FeatureSpec{}
-	for k, v := range f.known.Load().(map[Feature]FeatureSpec) {
-		known[k] = v
-	}
-	enabled := map[Feature]bool{}
-	for k, v := range f.enabled.Load().(map[Feature]bool) {
-		enabled[k] = v
-	}
-
-	for k, v := range m {
-		k := Feature(k)
-		featureSpec, ok := known[k]
-		if !ok {
-			return fmt.Errorf("unrecognized feature gate: %s", k)
-		}
-		enabled[k] = v
-		// Handle "special" features like "all alpha gates"
-		if fn, found := f.special[k]; found {
-			fn(known, enabled, v)
-		}
-
-		if featureSpec.PreRelease == Deprecated {
-			glog.Warningf("Setting deprecated feature gate %s=%t. It will be removed in a future release.", k, v)
-		} else if featureSpec.PreRelease == GA {
-			glog.Warningf("Setting GA feature gate %s=%t. It will be removed in a future release.", k, v)
-		}
-	}
-
-	// Persist changes
-	f.known.Store(known)
-	f.enabled.Store(enabled)
-
-	glog.V(1).Infof("feature gates: %v", f.enabled)
-	return nil
-}
-
-// String returns a string containing all enabled feature gates, formatted as "key1=value1,key2=value2,...".
-func (f *featureGate) String() string {
-	pairs := []string{}
-	for k, v := range f.enabled.Load().(map[Feature]bool) {
-		pairs = append(pairs, fmt.Sprintf("%s=%t", k, v))
-	}
-	sort.Strings(pairs)
-	return strings.Join(pairs, ",")
-}
-
-func (f *featureGate) Type() string {
-	return "mapStringBool"
-}
-
-// Add adds features to the featureGate.
-func (f *featureGate) Add(features map[Feature]FeatureSpec) error {
-	f.lock.Lock()
-	defer f.lock.Unlock()
-
-	if f.closed {
-		return fmt.Errorf("cannot add a feature gate after adding it to the flag set")
-	}
-
-	// Copy existing state
-	known := map[Feature]FeatureSpec{}
-	for k, v := range f.known.Load().(map[Feature]FeatureSpec) {
-		known[k] = v
-	}
-
-	for name, spec := range features {
-		if existingSpec, found := known[name]; found {
-			if existingSpec == spec {
-				continue
-			}
-			return fmt.Errorf("feature gate %q with different spec already exists: %v", name, existingSpec)
-		}
-
-		known[name] = spec
-	}
-
-	// Persist updated state
-	f.known.Store(known)
-
-	return nil
-}
-
-// Enabled returns true if the key is enabled.
-func (f *featureGate) Enabled(key Feature) bool {
-	if v, ok := f.enabled.Load().(map[Feature]bool)[key]; ok {
-		return v
-	}
-	return f.known.Load().(map[Feature]FeatureSpec)[key].Default
-}
-
-// AddFlag adds a flag for setting global feature gates to the specified FlagSet.
-func (f *featureGate) AddFlag(fs *pflag.FlagSet) {
-	f.lock.Lock()
-	// TODO(mtaufen): Shouldn't we just close it on the first Set/SetFromMap instead?
-	// Not all components expose a feature gates flag using this AddFlag method, and
-	// in the future, all components will completely stop exposing a feature gates flag,
-	// in favor of componentconfig.
-	f.closed = true
-	f.lock.Unlock()
-
-	known := f.KnownFeatures()
-	fs.Var(f, flagName, ""+
-		"A set of key=value pairs that describe feature gates for alpha/experimental features. "+
-		"Options are:\n"+strings.Join(known, "\n"))
-}
-
-// KnownFeatures returns a slice of strings describing the FeatureGate's known features.
-// Deprecated and GA features are hidden from the list.
-func (f *featureGate) KnownFeatures() []string {
-	var known []string
-	for k, v := range f.known.Load().(map[Feature]FeatureSpec) {
-		if v.PreRelease == GA || v.PreRelease == Deprecated {
-			continue
-		}
-		known = append(known, fmt.Sprintf("%s=true|false (%s - default=%t)", k, v.PreRelease, v.Default))
-	}
-	sort.Strings(known)
-	return known
-}
-
-// DeepCopy returns a deep copy of the FeatureGate object, such that gates can be
-// set on the copy without mutating the original. This is useful for validating
-// config against potential feature gate changes before committing those changes.
-func (f *featureGate) DeepCopy() FeatureGate {
-	// Copy existing state.
-	known := map[Feature]FeatureSpec{}
-	for k, v := range f.known.Load().(map[Feature]FeatureSpec) {
-		known[k] = v
-	}
-	enabled := map[Feature]bool{}
-	for k, v := range f.enabled.Load().(map[Feature]bool) {
-		enabled[k] = v
-	}
-
-	// Store copied state in new atomics.
-	knownValue := &atomic.Value{}
-	knownValue.Store(known)
-	enabledValue := &atomic.Value{}
-	enabledValue.Store(enabled)
-
-	// Construct a new featureGate around the copied state.
-	// Note that specialFeatures is treated as immutable by convention,
-	// and we maintain the value of f.closed across the copy.
-	return &featureGate{
-		special: specialFeatures,
-		known:   knownValue,
-		enabled: enabledValue,
-		closed:  f.closed,
-	}
-}

vendor/k8s.io/apiserver/pkg/util/logs/logs.go

@@ -22,9 +22,9 @@ import (
 	"log"
 	"time"
 
-	"github.com/golang/glog"
 	"github.com/spf13/pflag"
 	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/klog"
 )
 
 const logFlushFreqFlagName = "log-flush-frequency"
@@ -33,6 +33,7 @@ var logFlushFreq = pflag.Duration(logFlushFreqFlagName, 5*time.Second, "Maximum
 
 // TODO(thockin): This is temporary until we agree on log dirs and put those into each cmd.
 func init() {
+	klog.InitFlags(flag.CommandLine)
 	flag.Set("logtostderr", "true")
 }
 
@@ -42,38 +43,38 @@ func AddFlags(fs *pflag.FlagSet) {
 	fs.AddFlag(pflag.Lookup(logFlushFreqFlagName))
 }
 
-// GlogWriter serves as a bridge between the standard log package and the glog package.
-type GlogWriter struct{}
+// KlogWriter serves as a bridge between the standard log package and the glog package.
+type KlogWriter struct{}
 
 // Write implements the io.Writer interface.
-func (writer GlogWriter) Write(data []byte) (n int, err error) {
-	glog.InfoDepth(1, string(data))
+func (writer KlogWriter) Write(data []byte) (n int, err error) {
+	klog.InfoDepth(1, string(data))
 	return len(data), nil
 }
 
 // InitLogs initializes logs the way we want for kubernetes.
 func InitLogs() {
-	log.SetOutput(GlogWriter{})
+	log.SetOutput(KlogWriter{})
 	log.SetFlags(0)
 	// The default glog flush interval is 5 seconds.
-	go wait.Forever(glog.Flush, *logFlushFreq)
+	go wait.Forever(klog.Flush, *logFlushFreq)
 }
 
 // FlushLogs flushes logs immediately.
 func FlushLogs() {
-	glog.Flush()
+	klog.Flush()
 }
 
-// NewLogger creates a new log.Logger which sends logs to glog.Info.
+// NewLogger creates a new log.Logger which sends logs to klog.Info.
 func NewLogger(prefix string) *log.Logger {
-	return log.New(GlogWriter{}, prefix, 0)
+	return log.New(KlogWriter{}, prefix, 0)
 }
 
 // GlogSetter is a setter to set glog level.
 func GlogSetter(val string) (string, error) {
-	var level glog.Level
+	var level klog.Level
 	if err := level.Set(val); err != nil {
-		return "", fmt.Errorf("failed set glog.logging.verbosity %s: %v", val, err)
+		return "", fmt.Errorf("failed set klog.logging.verbosity %s: %v", val, err)
 	}
-	return fmt.Sprintf("successfully set glog.logging.verbosity to %s", val), nil
+	return fmt.Sprintf("successfully set klog.logging.verbosity to %s", val), nil
 }