vendored changes

2026-04-07 10:17:51 +00:00 · 2020-02-12 17:56:04 +02:00 · 2020-02-12 17:56:04 +02:00 · 128f9a29f5
commit 128f9a29f5
parent d091fff18b
522 changed files with 29974 additions and 25705 deletions
--- a/vendor/k8s.io/apiserver/pkg/endpoints/discovery/group.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/discovery/group.go
@ -69,5 +69,5 @@ func (s *APIGroupHandler) handle(req *restful.Request, resp *restful.Response) {
 }

 func (s *APIGroupHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
-	responsewriters.WriteObjectNegotiated(s.serializer, schema.GroupVersion{}, w, req, http.StatusOK, &s.group)
+	responsewriters.WriteObjectNegotiated(s.serializer, negotiation.DefaultEndpointRestrictions, schema.GroupVersion{}, w, req, http.StatusOK, &s.group)
 }
--- a/vendor/k8s.io/apiserver/pkg/endpoints/discovery/legacy.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/discovery/legacy.go
@ -72,5 +72,5 @@ func (s *legacyRootAPIHandler) handle(req *restful.Request, resp *restful.Respon
 		Versions:                   []string{"v1"},
 	}

-	responsewriters.WriteObjectNegotiated(s.serializer, schema.GroupVersion{}, resp.ResponseWriter, req.Request, http.StatusOK, apiVersions)
+	responsewriters.WriteObjectNegotiated(s.serializer, negotiation.DefaultEndpointRestrictions, schema.GroupVersion{}, resp.ResponseWriter, req.Request, http.StatusOK, apiVersions)
 }
--- a/vendor/k8s.io/apiserver/pkg/endpoints/discovery/root.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/discovery/root.go
@ -111,7 +111,7 @@ func (s *rootAPIsHandler) ServeHTTP(resp http.ResponseWriter, req *http.Request)
 		groups[i].ServerAddressByClientCIDRs = serverCIDR
 	}

-	responsewriters.WriteObjectNegotiated(s.serializer, schema.GroupVersion{}, resp, req, http.StatusOK, &metav1.APIGroupList{Groups: groups})
+	responsewriters.WriteObjectNegotiated(s.serializer, negotiation.DefaultEndpointRestrictions, schema.GroupVersion{}, resp, req, http.StatusOK, &metav1.APIGroupList{Groups: groups})
 }

 func (s *rootAPIsHandler) restfulHandle(req *restful.Request, resp *restful.Response) {
--- a/vendor/k8s.io/apiserver/pkg/endpoints/discovery/version.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/discovery/version.go
@ -78,6 +78,6 @@ func (s *APIVersionHandler) handle(req *restful.Request, resp *restful.Response)
 }

 func (s *APIVersionHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
-	responsewriters.WriteObjectNegotiated(s.serializer, schema.GroupVersion{}, w, req, http.StatusOK,
+	responsewriters.WriteObjectNegotiated(s.serializer, negotiation.DefaultEndpointRestrictions, schema.GroupVersion{}, w, req, http.StatusOK,
 		&metav1.APIResourceList{GroupVersion: s.groupVersion.String(), APIResources: s.apiResourceLister.ListAPIResources()})
 }
--- a/vendor/k8s.io/apiserver/pkg/endpoints/groupversion.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/groupversion.go
@ -72,6 +72,8 @@ type APIGroupVersion struct {
 	Linker          runtime.SelfLinker
 	UnsafeConvertor runtime.ObjectConvertor

+	EquivalentResourceRegistry runtime.EquivalentResourceRegistry
+
 	// Authorizer determines whether a user is allowed to make a certain request. The Handler does a preliminary
 	// authorization check using the request URI but it may be necessary to make additional checks, such as in
 	// the create-on-update case
--- a/vendor/k8s.io/apiserver/pkg/endpoints/handlers/create.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/handlers/create.go
@ -43,7 +43,7 @@ import (
 	utiltrace "k8s.io/utils/trace"
 )

-func createHandler(r rest.NamedCreater, scope RequestScope, admit admission.Interface, includeName bool) http.HandlerFunc {
+func createHandler(r rest.NamedCreater, scope *RequestScope, admit admission.Interface, includeName bool) http.HandlerFunc {
 	return func(w http.ResponseWriter, req *http.Request) {
 		// For performance tracking purposes.
 		trace := utiltrace.New("Create " + req.URL.Path)
@ -73,7 +73,7 @@ func createHandler(r rest.NamedCreater, scope RequestScope, admit admission.Inte

 		ctx := req.Context()
 		ctx = request.WithNamespace(ctx, namespace)
-		outputMediaType, _, err := negotiation.NegotiateOutputMediaType(req, scope.Serializer, &scope)
+		outputMediaType, _, err := negotiation.NegotiateOutputMediaType(req, scope.Serializer, scope)
 		if err != nil {
 			scope.err(err, w, req)
 			return
@ -106,6 +106,7 @@ func createHandler(r rest.NamedCreater, scope RequestScope, admit admission.Inte
 			scope.err(err, w, req)
 			return
 		}
+		options.TypeMeta.SetGroupVersionKind(metav1.SchemeGroupVersion.WithKind("CreateOptions"))

 		defaultGVK := scope.Kind
 		original := r.New()
@ -128,9 +129,9 @@ func createHandler(r rest.NamedCreater, scope RequestScope, admit admission.Inte
 		audit.LogRequestObject(ae, obj, scope.Resource, scope.Subresource, scope.Serializer)

 		userInfo, _ := request.UserFrom(ctx)
-		admissionAttributes := admission.NewAttributesRecord(obj, nil, scope.Kind, namespace, name, scope.Resource, scope.Subresource, admission.Create, dryrun.IsDryRun(options.DryRun), userInfo)
+		admissionAttributes := admission.NewAttributesRecord(obj, nil, scope.Kind, namespace, name, scope.Resource, scope.Subresource, admission.Create, options, dryrun.IsDryRun(options.DryRun), userInfo)
 		if mutatingAdmission, ok := admit.(admission.MutationInterface); ok && mutatingAdmission.Handles(admission.Create) {
-			err = mutatingAdmission.Admit(admissionAttributes, &scope)
+			err = mutatingAdmission.Admit(admissionAttributes, scope)
 			if err != nil {
 				scope.err(err, w, req)
 				return
@ -157,7 +158,7 @@ func createHandler(r rest.NamedCreater, scope RequestScope, admit admission.Inte
 				ctx,
 				name,
 				obj,
-				rest.AdmissionToValidateObjectFunc(admit, admissionAttributes, &scope),
+				rest.AdmissionToValidateObjectFunc(admit, admissionAttributes, scope),
 				options,
 			)
 		})
@ -173,18 +174,17 @@ func createHandler(r rest.NamedCreater, scope RequestScope, admit admission.Inte
 			status.Code = int32(code)
 		}

-		scope.Trace = trace
-		transformResponseObject(ctx, scope, req, w, code, outputMediaType, result)
+		transformResponseObject(ctx, scope, trace, req, w, code, outputMediaType, result)
 	}
 }

 // CreateNamedResource returns a function that will handle a resource creation with name.
-func CreateNamedResource(r rest.NamedCreater, scope RequestScope, admission admission.Interface) http.HandlerFunc {
+func CreateNamedResource(r rest.NamedCreater, scope *RequestScope, admission admission.Interface) http.HandlerFunc {
 	return createHandler(r, scope, admission, true)
 }

 // CreateResource returns a function that will handle a resource creation.
-func CreateResource(r rest.Creater, scope RequestScope, admission admission.Interface) http.HandlerFunc {
+func CreateResource(r rest.Creater, scope *RequestScope, admission admission.Interface) http.HandlerFunc {
 	return createHandler(&namedCreaterAdapter{r}, scope, admission, false)
 }

--- a/vendor/k8s.io/apiserver/pkg/endpoints/handlers/delete.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/handlers/delete.go
@ -40,7 +40,7 @@ import (

 // DeleteResource returns a function that will handle a resource deletion
 // TODO admission here becomes solely validating admission
-func DeleteResource(r rest.GracefulDeleter, allowsOptions bool, scope RequestScope, admit admission.Interface) http.HandlerFunc {
+func DeleteResource(r rest.GracefulDeleter, allowsOptions bool, scope *RequestScope, admit admission.Interface) http.HandlerFunc {
 	return func(w http.ResponseWriter, req *http.Request) {
 		// For performance tracking purposes.
 		trace := utiltrace.New("Delete " + req.URL.Path)
@ -64,7 +64,7 @@ func DeleteResource(r rest.GracefulDeleter, allowsOptions bool, scope RequestSco
 		ae := request.AuditEventFrom(ctx)
 		admit = admission.WithAudit(admit, ae)

-		outputMediaType, _, err := negotiation.NegotiateOutputMediaType(req, scope.Serializer, &scope)
+		outputMediaType, _, err := negotiation.NegotiateOutputMediaType(req, scope.Serializer, scope)
 		if err != nil {
 			scope.err(err, w, req)
 			return
@ -113,29 +113,14 @@ func DeleteResource(r rest.GracefulDeleter, allowsOptions bool, scope RequestSco
 			scope.err(err, w, req)
 			return
 		}
-
-		trace.Step("About to check admission control")
-		if admit != nil && admit.Handles(admission.Delete) {
-			userInfo, _ := request.UserFrom(ctx)
-			attrs := admission.NewAttributesRecord(nil, nil, scope.Kind, namespace, name, scope.Resource, scope.Subresource, admission.Delete, dryrun.IsDryRun(options.DryRun), userInfo)
-			if mutatingAdmission, ok := admit.(admission.MutationInterface); ok {
-				if err := mutatingAdmission.Admit(attrs, &scope); err != nil {
-					scope.err(err, w, req)
-					return
-				}
-			}
-			if validatingAdmission, ok := admit.(admission.ValidationInterface); ok {
-				if err := validatingAdmission.Validate(attrs, &scope); err != nil {
-					scope.err(err, w, req)
-					return
-				}
-			}
-		}
+		options.TypeMeta.SetGroupVersionKind(metav1.SchemeGroupVersion.WithKind("DeleteOptions"))

 		trace.Step("About to delete object from database")
 		wasDeleted := true
+		userInfo, _ := request.UserFrom(ctx)
+		staticAdmissionAttrs := admission.NewAttributesRecord(nil, nil, scope.Kind, namespace, name, scope.Resource, scope.Subresource, admission.Delete, options, dryrun.IsDryRun(options.DryRun), userInfo)
 		result, err := finishRequest(timeout, func() (runtime.Object, error) {
-			obj, deleted, err := r.Delete(ctx, name, options)
+			obj, deleted, err := r.Delete(ctx, name, rest.AdmissionToValidateObjectDeleteFunc(admit, staticAdmissionAttrs, scope), options)
 			wasDeleted = deleted
 			return obj, err
 		})
@ -168,13 +153,12 @@ func DeleteResource(r rest.GracefulDeleter, allowsOptions bool, scope RequestSco
 			}
 		}

-		scope.Trace = trace
-		transformResponseObject(ctx, scope, req, w, status, outputMediaType, result)
+		transformResponseObject(ctx, scope, trace, req, w, status, outputMediaType, result)
 	}
 }

 // DeleteCollection returns a function that will handle a collection deletion
-func DeleteCollection(r rest.CollectionDeleter, checkBody bool, scope RequestScope, admit admission.Interface) http.HandlerFunc {
+func DeleteCollection(r rest.CollectionDeleter, checkBody bool, scope *RequestScope, admit admission.Interface) http.HandlerFunc {
 	return func(w http.ResponseWriter, req *http.Request) {
 		trace := utiltrace.New("Delete " + req.URL.Path)
 		defer trace.LogIfLong(500 * time.Millisecond)
@ -197,7 +181,7 @@ func DeleteCollection(r rest.CollectionDeleter, checkBody bool, scope RequestSco
 		ctx = request.WithNamespace(ctx, namespace)
 		ae := request.AuditEventFrom(ctx)

-		outputMediaType, _, err := negotiation.NegotiateOutputMediaType(req, scope.Serializer, &scope)
+		outputMediaType, _, err := negotiation.NegotiateOutputMediaType(req, scope.Serializer, scope)
 		if err != nil {
 			scope.err(err, w, req)
 			return
@ -237,6 +221,8 @@ func DeleteCollection(r rest.CollectionDeleter, checkBody bool, scope RequestSco
 					scope.err(err, w, req)
 					return
 				}
+				// For backwards compatibility, we need to allow existing clients to submit per group DeleteOptions
+				// It is also allowed to pass a body with meta.k8s.io/v1.DeleteOptions
 				defaultGVK := scope.Kind.GroupVersion().WithKind("DeleteOptions")
 				obj, _, err := scope.Serializer.DecoderToVersion(s.Serializer, defaultGVK.GroupVersion()).Decode(body, &defaultGVK, options)
 				if err != nil {
@ -263,30 +249,13 @@ func DeleteCollection(r rest.CollectionDeleter, checkBody bool, scope RequestSco
 			scope.err(err, w, req)
 			return
 		}
+		options.TypeMeta.SetGroupVersionKind(metav1.SchemeGroupVersion.WithKind("DeleteOptions"))

 		admit = admission.WithAudit(admit, ae)
-		if admit != nil && admit.Handles(admission.Delete) {
-			userInfo, _ := request.UserFrom(ctx)
-			attrs := admission.NewAttributesRecord(nil, nil, scope.Kind, namespace, "", scope.Resource, scope.Subresource, admission.Delete, dryrun.IsDryRun(options.DryRun), userInfo)
-			if mutatingAdmission, ok := admit.(admission.MutationInterface); ok {
-				err = mutatingAdmission.Admit(attrs, &scope)
-				if err != nil {
-					scope.err(err, w, req)
-					return
-				}
-			}
-
-			if validatingAdmission, ok := admit.(admission.ValidationInterface); ok {
-				err = validatingAdmission.Validate(attrs, &scope)
-				if err != nil {
-					scope.err(err, w, req)
-					return
-				}
-			}
-		}
-
+		userInfo, _ := request.UserFrom(ctx)
+		staticAdmissionAttrs := admission.NewAttributesRecord(nil, nil, scope.Kind, namespace, "", scope.Resource, scope.Subresource, admission.Delete, options, dryrun.IsDryRun(options.DryRun), userInfo)
 		result, err := finishRequest(timeout, func() (runtime.Object, error) {
-			return r.DeleteCollection(ctx, options, &listOptions)
+			return r.DeleteCollection(ctx, rest.AdmissionToValidateObjectDeleteFunc(admit, staticAdmissionAttrs, scope), options, &listOptions)
 		})
 		if err != nil {
 			scope.err(err, w, req)
@ -305,7 +274,6 @@ func DeleteCollection(r rest.CollectionDeleter, checkBody bool, scope RequestSco
 			}
 		}

-		scope.Trace = trace
-		transformResponseObject(ctx, scope, req, w, http.StatusOK, outputMediaType, result)
+		transformResponseObject(ctx, scope, trace, req, w, http.StatusOK, outputMediaType, result)
 	}
 }
--- a/vendor/k8s.io/apiserver/pkg/endpoints/handlers/fieldmanager/fieldmanager.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/handlers/fieldmanager/fieldmanager.go
@ -27,6 +27,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apiserver/pkg/endpoints/handlers/fieldmanager/internal"
+	"k8s.io/klog"
 	openapiproto "k8s.io/kube-openapi/pkg/util/proto"
 	"sigs.k8s.io/structured-merge-diff/fieldpath"
 	"sigs.k8s.io/structured-merge-diff/merge"
@ -115,11 +116,15 @@ func (f *FieldManager) Update(liveObj, newObj runtime.Object, manager string) (r
 	internal.RemoveObjectManagedFields(newObjVersioned)
 	newObjTyped, err := f.typeConverter.ObjectToTyped(newObjVersioned)
 	if err != nil {
-		return nil, fmt.Errorf("failed to create typed new object: %v", err)
+		// Return newObj and just by-pass fields update. This really shouldn't happen.
+		klog.Errorf("[SHOULD NOT HAPPEN] failed to create typed new object: %v", err)
+		return newObj, nil
 	}
 	liveObjTyped, err := f.typeConverter.ObjectToTyped(liveObjVersioned)
 	if err != nil {
-		return nil, fmt.Errorf("failed to create typed live object: %v", err)
+		// Return newObj and just by-pass fields update. This really shouldn't happen.
+		klog.Errorf("[SHOULD NOT HAPPEN] failed to create typed live object: %v", err)
+		return newObj, nil
 	}
 	apiVersion := fieldpath.APIVersion(f.groupVersion.String())
 	manager, err = f.buildManagerInfo(manager, metav1.ManagedFieldsOperationUpdate)
@ -156,7 +161,7 @@ func (f *FieldManager) Apply(liveObj runtime.Object, patch []byte, fieldManager
 	patchObj := &unstructured.Unstructured{Object: map[string]interface{}{}}

 	if err := yaml.Unmarshal(patch, &patchObj.Object); err != nil {
-		return nil, fmt.Errorf("error decoding YAML: %v", err)
+		return nil, errors.NewBadRequest(fmt.Sprintf("error decoding YAML: %v", err))
 	}
 	if patchObj.GetAPIVersion() != f.groupVersion.String() {
 		return nil,
--- a/vendor/k8s.io/apiserver/pkg/endpoints/handlers/fieldmanager/internal/typeconverter.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/handlers/fieldmanager/internal/typeconverter.go
@ -21,6 +21,7 @@ import (

 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/kube-openapi/pkg/util/proto"
 	"sigs.k8s.io/structured-merge-diff/typed"
 	"sigs.k8s.io/structured-merge-diff/value"
@ -93,7 +94,7 @@ func (c *typeConverter) ObjectToTyped(obj runtime.Object) (typed.TypedValue, err
 	gvk := obj.GetObjectKind().GroupVersionKind()
 	t := c.parser.Type(gvk)
 	if t == nil {
-		return nil, fmt.Errorf("no corresponding type for %v", gvk)
+		return nil, newNoCorrespondingTypeError(gvk)
 	}
 	return t.FromUnstructured(u)
 }
@ -108,7 +109,7 @@ func (c *typeConverter) YAMLToTyped(from []byte) (typed.TypedValue, error) {
 	gvk := unstructured.GetObjectKind().GroupVersionKind()
 	t := c.parser.Type(gvk)
 	if t == nil {
-		return nil, fmt.Errorf("no corresponding type for %v", gvk)
+		return nil, newNoCorrespondingTypeError(gvk)
 	}
 	return t.FromYAML(typed.YAMLObject(string(from)))
 }
@ -125,3 +126,23 @@ func valueToObject(value *value.Value) (runtime.Object, error) {
 	}
 	return &unstructured.Unstructured{Object: u}, nil
 }
+
+type noCorrespondingTypeErr struct {
+	gvk schema.GroupVersionKind
+}
+
+func newNoCorrespondingTypeError(gvk schema.GroupVersionKind) error {
+	return &noCorrespondingTypeErr{gvk: gvk}
+}
+
+func (k *noCorrespondingTypeErr) Error() string {
+	return fmt.Sprintf("no corresponding type for %v", k.gvk)
+}
+
+func isNoCorrespondingTypeError(err error) bool {
+	if err == nil {
+		return false
+	}
+	_, ok := err.(*noCorrespondingTypeErr)
+	return ok
+}
--- a/vendor/k8s.io/apiserver/pkg/endpoints/handlers/fieldmanager/internal/versionconverter.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/handlers/fieldmanager/internal/versionconverter.go
@ -97,5 +97,5 @@ func (v *versionConverter) Convert(object typed.TypedValue, version fieldpath.AP

 // IsMissingVersionError
 func (v *versionConverter) IsMissingVersionError(err error) bool {
-	return runtime.IsNotRegisteredError(err)
+	return runtime.IsNotRegisteredError(err) || isNoCorrespondingTypeError(err)
 }
--- a/vendor/k8s.io/apiserver/pkg/endpoints/handlers/get.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/handlers/get.go
@ -46,7 +46,7 @@ type getterFunc func(ctx context.Context, name string, req *http.Request, trace

 // getResourceHandler is an HTTP handler function for get requests. It delegates to the
 // passed-in getterFunc to perform the actual get.
-func getResourceHandler(scope RequestScope, getter getterFunc) http.HandlerFunc {
+func getResourceHandler(scope *RequestScope, getter getterFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, req *http.Request) {
 		trace := utiltrace.New("Get " + req.URL.Path)
 		defer trace.LogIfLong(500 * time.Millisecond)
@ -59,7 +59,7 @@ func getResourceHandler(scope RequestScope, getter getterFunc) http.HandlerFunc
 		ctx := req.Context()
 		ctx = request.WithNamespace(ctx, namespace)

-		outputMediaType, _, err := negotiation.NegotiateOutputMediaType(req, scope.Serializer, &scope)
+		outputMediaType, _, err := negotiation.NegotiateOutputMediaType(req, scope.Serializer, scope)
 		if err != nil {
 			scope.err(err, w, req)
 			return
@ -72,14 +72,13 @@ func getResourceHandler(scope RequestScope, getter getterFunc) http.HandlerFunc
 		}

 		trace.Step("About to write a response")
-		scope.Trace = trace
-		transformResponseObject(ctx, scope, req, w, http.StatusOK, outputMediaType, result)
+		transformResponseObject(ctx, scope, trace, req, w, http.StatusOK, outputMediaType, result)
 		trace.Step("Transformed response object")
 	}
 }

 // GetResource returns a function that handles retrieving a single resource from a rest.Storage object.
-func GetResource(r rest.Getter, e rest.Exporter, scope RequestScope) http.HandlerFunc {
+func GetResource(r rest.Getter, e rest.Exporter, scope *RequestScope) http.HandlerFunc {
 	return getResourceHandler(scope,
 		func(ctx context.Context, name string, req *http.Request, trace *utiltrace.Trace) (runtime.Object, error) {
 			// check for export
@ -109,7 +108,7 @@ func GetResource(r rest.Getter, e rest.Exporter, scope RequestScope) http.Handle
 }

 // GetResourceWithOptions returns a function that handles retrieving a single resource from a rest.Storage object.
-func GetResourceWithOptions(r rest.GetterWithOptions, scope RequestScope, isSubresource bool) http.HandlerFunc {
+func GetResourceWithOptions(r rest.GetterWithOptions, scope *RequestScope, isSubresource bool) http.HandlerFunc {
 	return getResourceHandler(scope,
 		func(ctx context.Context, name string, req *http.Request, trace *utiltrace.Trace) (runtime.Object, error) {
 			opts, subpath, subpathKey := r.NewGetOptions()
@ -126,7 +125,7 @@ func GetResourceWithOptions(r rest.GetterWithOptions, scope RequestScope, isSubr
 }

 // getRequestOptions parses out options and can include path information.  The path information shouldn't include the subresource.
-func getRequestOptions(req *http.Request, scope RequestScope, into runtime.Object, subpath bool, subpathKey string, isSubresource bool) error {
+func getRequestOptions(req *http.Request, scope *RequestScope, into runtime.Object, subpath bool, subpathKey string, isSubresource bool) error {
 	if into == nil {
 		return nil
 	}
@ -163,7 +162,7 @@ func getRequestOptions(req *http.Request, scope RequestScope, into runtime.Objec
 	return scope.ParameterCodec.DecodeParameters(query, scope.Kind.GroupVersion(), into)
 }

-func ListResource(r rest.Lister, rw rest.Watcher, scope RequestScope, forceWatch bool, minRequestTimeout time.Duration) http.HandlerFunc {
+func ListResource(r rest.Lister, rw rest.Watcher, scope *RequestScope, forceWatch bool, minRequestTimeout time.Duration) http.HandlerFunc {
 	return func(w http.ResponseWriter, req *http.Request) {
 		// For performance tracking purposes.
 		trace := utiltrace.New("List " + req.URL.Path)
@ -185,7 +184,7 @@ func ListResource(r rest.Lister, rw rest.Watcher, scope RequestScope, forceWatch
 		ctx := req.Context()
 		ctx = request.WithNamespace(ctx, namespace)

-		outputMediaType, _, err := negotiation.NegotiateOutputMediaType(req, scope.Serializer, &scope)
+		outputMediaType, _, err := negotiation.NegotiateOutputMediaType(req, scope.Serializer, scope)
 		if err != nil {
 			scope.err(err, w, req)
 			return
@ -249,7 +248,8 @@ func ListResource(r rest.Lister, rw rest.Watcher, scope RequestScope, forceWatch
 				timeout = time.Duration(float64(minRequestTimeout) * (rand.Float64() + 1.0))
 			}
 			klog.V(3).Infof("Starting watch for %s, rv=%s labels=%s fields=%s timeout=%s", req.URL.Path, opts.ResourceVersion, opts.LabelSelector, opts.FieldSelector, timeout)
-
+			ctx, cancel := context.WithTimeout(ctx, timeout)
+			defer cancel()
 			watcher, err := rw.Watch(ctx, &opts)
 			if err != nil {
 				scope.err(err, w, req)
@ -257,7 +257,7 @@ func ListResource(r rest.Lister, rw rest.Watcher, scope RequestScope, forceWatch
 			}
 			requestInfo, _ := request.RequestInfoFrom(ctx)
 			metrics.RecordLongRunning(req, requestInfo, metrics.APIServerComponent, func() {
-				serveWatch(watcher, scope, req, w, timeout)
+				serveWatch(watcher, scope, outputMediaType, req, w, timeout)
 			})
 			return
 		}
@ -272,8 +272,7 @@ func ListResource(r rest.Lister, rw rest.Watcher, scope RequestScope, forceWatch
 		}
 		trace.Step("Listing from storage done")

-		scope.Trace = trace
-		transformResponseObject(ctx, scope, req, w, http.StatusOK, outputMediaType, result)
+		transformResponseObject(ctx, scope, trace, req, w, http.StatusOK, outputMediaType, result)
 		trace.Step(fmt.Sprintf("Writing http response done (%d items)", meta.LenList(result)))
 	}
 }
--- a/vendor/k8s.io/apiserver/pkg/endpoints/handlers/namer.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/handlers/namer.go
@ -20,6 +20,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"strings"

 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
@ -86,6 +87,21 @@ func (n ContextBasedNaming) Name(req *http.Request) (namespace, name string, err
 	return ns, requestInfo.Name, nil
 }

+// fastURLPathEncode encodes the provided path as a URL path
+func fastURLPathEncode(path string) string {
+	for _, r := range []byte(path) {
+		switch {
+		case r >= '-' && r <= '9', r >= 'A' && r <= 'Z', r >= 'a' && r <= 'z':
+			// characters within this range do not require escaping
+		default:
+			var u url.URL
+			u.Path = path
+			return u.EscapedPath()
+		}
+	}
+	return path
+}
+
 func (n ContextBasedNaming) GenerateLink(requestInfo *request.RequestInfo, obj runtime.Object) (uri string, err error) {
 	namespace, name, err := n.ObjectName(obj)
 	if err == errEmptyName && len(requestInfo.Name) > 0 {
@ -101,19 +117,23 @@ func (n ContextBasedNaming) GenerateLink(requestInfo *request.RequestInfo, obj r
 		return n.SelfLinkPathPrefix + url.QueryEscape(name) + n.SelfLinkPathSuffix, nil
 	}

-	return n.SelfLinkPathPrefix +
-			url.QueryEscape(namespace) +
-			"/" + url.QueryEscape(requestInfo.Resource) + "/" +
-			url.QueryEscape(name) +
-			n.SelfLinkPathSuffix,
-		nil
+	builder := strings.Builder{}
+	builder.Grow(len(n.SelfLinkPathPrefix) + len(namespace) + len(requestInfo.Resource) + len(name) + len(n.SelfLinkPathSuffix) + 8)
+	builder.WriteString(n.SelfLinkPathPrefix)
+	builder.WriteString(namespace)
+	builder.WriteByte('/')
+	builder.WriteString(requestInfo.Resource)
+	builder.WriteByte('/')
+	builder.WriteString(name)
+	builder.WriteString(n.SelfLinkPathSuffix)
+	return fastURLPathEncode(builder.String()), nil
 }

 func (n ContextBasedNaming) GenerateListLink(req *http.Request) (uri string, err error) {
 	if len(req.URL.RawPath) > 0 {
 		return req.URL.RawPath, nil
 	}
-	return req.URL.EscapedPath(), nil
+	return fastURLPathEncode(req.URL.Path), nil
 }

 func (n ContextBasedNaming) ObjectName(obj runtime.Object) (namespace, name string, err error) {
--- a/vendor/k8s.io/apiserver/pkg/endpoints/handlers/negotiation/errors.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/handlers/negotiation/errors.go
@ -47,6 +47,34 @@ func (e errNotAcceptable) Status() metav1.Status {
 	}
 }

+// errNotAcceptableConversion indicates Accept negotiation has failed specifically
+// for a conversion to a known type.
+type errNotAcceptableConversion struct {
+	target   string
+	accepted []string
+}
+
+// NewNotAcceptableConversionError returns an error indicating that the desired
+// API transformation to the target group version kind string is not accepted and
+// only the listed mime types are allowed. This is temporary while Table does not
+// yet support protobuf encoding.
+func NewNotAcceptableConversionError(target string, accepted []string) error {
+	return errNotAcceptableConversion{target, accepted}
+}
+
+func (e errNotAcceptableConversion) Error() string {
+	return fmt.Sprintf("only the following media types are accepted when converting to %s: %v", e.target, strings.Join(e.accepted, ", "))
+}
+
+func (e errNotAcceptableConversion) Status() metav1.Status {
+	return metav1.Status{
+		Status:  metav1.StatusFailure,
+		Code:    http.StatusNotAcceptable,
+		Reason:  metav1.StatusReasonNotAcceptable,
+		Message: e.Error(),
+	}
+}
+
 // errUnsupportedMediaType indicates Content-Type is not recognized
 type errUnsupportedMediaType struct {
 	accepted []string
--- a/vendor/k8s.io/apiserver/pkg/endpoints/handlers/negotiation/negotiate.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/handlers/negotiation/negotiate.go
@ -43,33 +43,27 @@ func MediaTypesForSerializer(ns runtime.NegotiatedSerializer) (mediaTypes, strea
 // NegotiateOutputMediaType negotiates the output structured media type and a serializer, or
 // returns an error.
 func NegotiateOutputMediaType(req *http.Request, ns runtime.NegotiatedSerializer, restrictions EndpointRestrictions) (MediaTypeOptions, runtime.SerializerInfo, error) {
-	mediaType, ok := NegotiateMediaTypeOptions(req.Header.Get("Accept"), AcceptedMediaTypesForEndpoint(ns), restrictions)
+	mediaType, ok := NegotiateMediaTypeOptions(req.Header.Get("Accept"), ns.SupportedMediaTypes(), restrictions)
 	if !ok {
 		supported, _ := MediaTypesForSerializer(ns)
 		return mediaType, runtime.SerializerInfo{}, NewNotAcceptableError(supported)
 	}
 	// TODO: move into resthandler
-	info := mediaType.Accepted.Serializer
+	info := mediaType.Accepted
 	if (mediaType.Pretty || isPrettyPrint(req)) && info.PrettySerializer != nil {
 		info.Serializer = info.PrettySerializer
 	}
 	return mediaType, info, nil
 }

-// NegotiateOutputSerializer returns a serializer for the output.
-func NegotiateOutputSerializer(req *http.Request, ns runtime.NegotiatedSerializer) (runtime.SerializerInfo, error) {
-	_, info, err := NegotiateOutputMediaType(req, ns, DefaultEndpointRestrictions)
-	return info, err
-}
-
-// NegotiateOutputStreamSerializer returns a stream serializer for the given request.
-func NegotiateOutputStreamSerializer(req *http.Request, ns runtime.NegotiatedSerializer) (runtime.SerializerInfo, error) {
-	mediaType, ok := NegotiateMediaTypeOptions(req.Header.Get("Accept"), AcceptedMediaTypesForEndpoint(ns), DefaultEndpointRestrictions)
-	if !ok || mediaType.Accepted.Serializer.StreamSerializer == nil {
+// NegotiateOutputMediaTypeStream returns a stream serializer for the given request.
+func NegotiateOutputMediaTypeStream(req *http.Request, ns runtime.NegotiatedSerializer, restrictions EndpointRestrictions) (runtime.SerializerInfo, error) {
+	mediaType, ok := NegotiateMediaTypeOptions(req.Header.Get("Accept"), ns.SupportedMediaTypes(), restrictions)
+	if !ok || mediaType.Accepted.StreamSerializer == nil {
 		_, supported := MediaTypesForSerializer(ns)
 		return runtime.SerializerInfo{}, NewNotAcceptableError(supported)
 	}
-	return mediaType.Accepted.Serializer, nil
+	return mediaType.Accepted, nil
 }

 // NegotiateInputSerializer returns the input serializer for the provided request.
@ -85,10 +79,7 @@ func NegotiateInputSerializerForMediaType(mediaType string, streaming bool, ns r
 		mediaType = mediaTypes[0].MediaType
 	}
 	if mediaType, _, err := mime.ParseMediaType(mediaType); err == nil {
-		for _, info := range mediaTypes {
-			if info.MediaType != mediaType {
-				continue
-			}
+		if info, ok := runtime.SerializerInfoForMediaType(mediaTypes, mediaType); ok {
 			return info, nil
 		}
 	}
@ -105,10 +96,13 @@ func NegotiateInputSerializerForMediaType(mediaType string, streaming bool, ns r
 func isPrettyPrint(req *http.Request) bool {
 	// DEPRECATED: should be part of the content type
 	if req.URL != nil {
-		pp := req.URL.Query().Get("pretty")
-		if len(pp) > 0 {
-			pretty, _ := strconv.ParseBool(pp)
-			return pretty
+		// avoid an allocation caused by parsing the URL query
+		if strings.Contains(req.URL.RawQuery, "pretty") {
+			pp := req.URL.Query().Get("pretty")
+			if len(pp) > 0 {
+				pretty, _ := strconv.ParseBool(pp)
+				return pretty
+			}
 		}
 	}
 	userAgent := req.UserAgent()
@ -122,9 +116,10 @@ func isPrettyPrint(req *http.Request) bool {
 // EndpointRestrictions is an interface that allows content-type negotiation
 // to verify server support for specific options
 type EndpointRestrictions interface {
-	// AllowsConversion should return true if the specified group version kind
-	// is an allowed target object.
-	AllowsConversion(schema.GroupVersionKind) bool
+	// AllowsMediaTypeTransform returns true if the endpoint allows either the requested mime type
+	// or the requested transformation. If false, the caller should ignore this mime type. If the
+	// target is nil, the client is not requesting a transformation.
+	AllowsMediaTypeTransform(mimeType, mimeSubType string, target *schema.GroupVersionKind) bool
 	// AllowsServerVersion should return true if the specified version is valid
 	// for the server group.
 	AllowsServerVersion(version string) bool
@ -139,20 +134,11 @@ var DefaultEndpointRestrictions = emptyEndpointRestrictions{}

 type emptyEndpointRestrictions struct{}

-func (emptyEndpointRestrictions) AllowsConversion(schema.GroupVersionKind) bool { return false }
-func (emptyEndpointRestrictions) AllowsServerVersion(string) bool               { return false }
-func (emptyEndpointRestrictions) AllowsStreamSchema(s string) bool              { return s == "watch" }
-
-// AcceptedMediaType contains information about a valid media type that the
-// server can serialize.
-type AcceptedMediaType struct {
-	// Type is the first part of the media type ("application")
-	Type string
-	// SubType is the second part of the media type ("json")
-	SubType string
-	// Serializer is the serialization info this object accepts
-	Serializer runtime.SerializerInfo
+func (emptyEndpointRestrictions) AllowsMediaTypeTransform(mimeType string, mimeSubType string, gvk *schema.GroupVersionKind) bool {
+	return gvk == nil
 }
+func (emptyEndpointRestrictions) AllowsServerVersion(string) bool  { return false }
+func (emptyEndpointRestrictions) AllowsStreamSchema(s string) bool { return s == "watch" }

 // MediaTypeOptions describes information for a given media type that may alter
 // the server response
@ -180,13 +166,13 @@ type MediaTypeOptions struct {
 	Unrecognized []string

 	// the accepted media type from the client
-	Accepted *AcceptedMediaType
+	Accepted runtime.SerializerInfo
 }

 // acceptMediaTypeOptions returns an options object that matches the provided media type params. If
 // it returns false, the provided options are not allowed and the media type must be skipped.  These
 // parameters are unversioned and may not be changed.
-func acceptMediaTypeOptions(params map[string]string, accepts *AcceptedMediaType, endpoint EndpointRestrictions) (MediaTypeOptions, bool) {
+func acceptMediaTypeOptions(params map[string]string, accepts *runtime.SerializerInfo, endpoint EndpointRestrictions) (MediaTypeOptions, bool) {
 	var options MediaTypeOptions

 	// extract all known parameters
@ -212,7 +198,7 @@ func acceptMediaTypeOptions(params map[string]string, accepts *AcceptedMediaType

 		// controls the streaming schema
 		case "stream":
-			if len(v) > 0 && (accepts.Serializer.StreamSerializer == nil || !endpoint.AllowsStreamSchema(v)) {
+			if len(v) > 0 && (accepts.StreamSerializer == nil || !endpoint.AllowsStreamSchema(v)) {
 				return MediaTypeOptions{}, false
 			}
 			options.Stream = v
@ -240,16 +226,16 @@ func acceptMediaTypeOptions(params map[string]string, accepts *AcceptedMediaType
 		}
 	}

-	if options.Convert != nil && !endpoint.AllowsConversion(*options.Convert) {
+	if !endpoint.AllowsMediaTypeTransform(accepts.MediaTypeType, accepts.MediaTypeSubType, options.Convert) {
 		return MediaTypeOptions{}, false
 	}

-	options.Accepted = accepts
+	options.Accepted = *accepts
 	return options, true
 }

 type candidateMediaType struct {
-	accepted *AcceptedMediaType
+	accepted *runtime.SerializerInfo
 	clauses  goautoneg.Accept
 }

@ -257,10 +243,10 @@ type candidateMediaTypeSlice []candidateMediaType

 // NegotiateMediaTypeOptions returns the most appropriate content type given the accept header and
 // a list of alternatives along with the accepted media type parameters.
-func NegotiateMediaTypeOptions(header string, accepted []AcceptedMediaType, endpoint EndpointRestrictions) (MediaTypeOptions, bool) {
+func NegotiateMediaTypeOptions(header string, accepted []runtime.SerializerInfo, endpoint EndpointRestrictions) (MediaTypeOptions, bool) {
 	if len(header) == 0 && len(accepted) > 0 {
 		return MediaTypeOptions{
-			Accepted: &accepted[0],
+			Accepted: accepted[0],
 		}, true
 	}

@ -270,8 +256,8 @@ func NegotiateMediaTypeOptions(header string, accepted []AcceptedMediaType, endp
 		for i := range accepted {
 			accepts := &accepted[i]
 			switch {
-			case clause.Type == accepts.Type && clause.SubType == accepts.SubType,
-				clause.Type == accepts.Type && clause.SubType == "*",
+			case clause.Type == accepts.MediaTypeType && clause.SubType == accepts.MediaTypeSubType,
+				clause.Type == accepts.MediaTypeType && clause.SubType == "*",
 				clause.Type == "*" && clause.SubType == "*":
 				candidates = append(candidates, candidateMediaType{accepted: accepts, clauses: clause})
 			}
@ -286,22 +272,3 @@ func NegotiateMediaTypeOptions(header string, accepted []AcceptedMediaType, endp

 	return MediaTypeOptions{}, false
 }
-
-// AcceptedMediaTypesForEndpoint returns an array of structs that are used to efficiently check which
-// allowed media types the server exposes.
-func AcceptedMediaTypesForEndpoint(ns runtime.NegotiatedSerializer) []AcceptedMediaType {
-	var acceptedMediaTypes []AcceptedMediaType
-	for _, info := range ns.SupportedMediaTypes() {
-		segments := strings.SplitN(info.MediaType, "/", 2)
-		if len(segments) == 1 {
-			segments = append(segments, "*")
-		}
-		t := AcceptedMediaType{
-			Type:       segments[0],
-			SubType:    segments[1],
-			Serializer: info,
-		}
-		acceptedMediaTypes = append(acceptedMediaTypes, t)
-	}
-	return acceptedMediaTypes
-}
--- a/vendor/k8s.io/apiserver/pkg/endpoints/handlers/patch.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/handlers/patch.go
@ -23,7 +23,7 @@ import (
 	"strings"
 	"time"

-	"github.com/evanphx/json-patch"
+	jsonpatch "github.com/evanphx/json-patch"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metainternalversion "k8s.io/apimachinery/pkg/apis/meta/internalversion"
@ -55,7 +55,7 @@ const (
 )

 // PatchResource returns a function that will handle a resource patch.
-func PatchResource(r rest.Patcher, scope RequestScope, admit admission.Interface, patchTypes []string) http.HandlerFunc {
+func PatchResource(r rest.Patcher, scope *RequestScope, admit admission.Interface, patchTypes []string) http.HandlerFunc {
 	return func(w http.ResponseWriter, req *http.Request) {
 		// For performance tracking purposes.
 		trace := utiltrace.New("Patch " + req.URL.Path)
@ -95,7 +95,7 @@ func PatchResource(r rest.Patcher, scope RequestScope, admit admission.Interface
 		ctx := req.Context()
 		ctx = request.WithNamespace(ctx, namespace)

-		outputMediaType, _, err := negotiation.NegotiateOutputMediaType(req, scope.Serializer, &scope)
+		outputMediaType, _, err := negotiation.NegotiateOutputMediaType(req, scope.Serializer, scope)
 		if err != nil {
 			scope.err(err, w, req)
 			return
@ -118,6 +118,7 @@ func PatchResource(r rest.Patcher, scope RequestScope, admit admission.Interface
 			scope.err(err, w, req)
 			return
 		}
+		options.TypeMeta.SetGroupVersionKind(metav1.SchemeGroupVersion.WithKind("PatchOptions"))

 		ae := request.AuditEventFrom(ctx)
 		admit = admission.WithAudit(admit, ae)
@ -151,6 +152,7 @@ func PatchResource(r rest.Patcher, scope RequestScope, admit admission.Interface
 			scope.Resource,
 			scope.Subresource,
 			admission.Create,
+			patchToCreateOptions(options),
 			dryrun.IsDryRun(options.DryRun),
 			userInfo)
 		staticUpdateAttributes := admission.NewAttributesRecord(
@ -162,6 +164,7 @@ func PatchResource(r rest.Patcher, scope RequestScope, admit admission.Interface
 			scope.Resource,
 			scope.Subresource,
 			admission.Update,
+			patchToUpdateOptions(options),
 			dryrun.IsDryRun(options.DryRun),
 			userInfo,
 		)
@ -191,12 +194,12 @@ func PatchResource(r rest.Patcher, scope RequestScope, admit admission.Interface
 			subresource:     scope.Subresource,
 			dryRun:          dryrun.IsDryRun(options.DryRun),

-			objectInterfaces: &scope,
+			objectInterfaces: scope,

 			hubGroupVersion: scope.HubGroupVersion,

-			createValidation: withAuthorization(rest.AdmissionToValidateObjectFunc(admit, staticCreateAttributes, &scope), scope.Authorizer, createAuthorizerAttributes),
-			updateValidation: rest.AdmissionToValidateObjectUpdateFunc(admit, staticUpdateAttributes, &scope),
+			createValidation: withAuthorization(rest.AdmissionToValidateObjectFunc(admit, staticCreateAttributes, scope), scope.Authorizer, createAuthorizerAttributes),
+			updateValidation: rest.AdmissionToValidateObjectUpdateFunc(admit, staticUpdateAttributes, scope),
 			admissionCheck:   mutatingAdmission,

 			codec: codec,
@ -235,8 +238,7 @@ func PatchResource(r rest.Patcher, scope RequestScope, admit admission.Interface
 		if wasCreated {
 			status = http.StatusCreated
 		}
-		scope.Trace = trace
-		transformResponseObject(ctx, scope, req, w, status, outputMediaType, result)
+		transformResponseObject(ctx, scope, trace, req, w, status, outputMediaType, result)
 	}
 }

@ -336,6 +338,15 @@ func (p *jsonPatcher) createNewObject() (runtime.Object, error) {
 func (p *jsonPatcher) applyJSPatch(versionedJS []byte) (patchedJS []byte, retErr error) {
 	switch p.patchType {
 	case types.JSONPatchType:
+		// sanity check potentially abusive patches
+		// TODO(liggitt): drop this once golang json parser limits stack depth (https://github.com/golang/go/issues/31789)
+		if len(p.patchBytes) > 1024*1024 {
+			v := []interface{}{}
+			if err := json.Unmarshal(p.patchBytes, v); err != nil {
+				return nil, errors.NewBadRequest(fmt.Sprintf("error decoding patch: %v", err))
+			}
+		}
+
 		patchObj, err := jsonpatch.DecodePatch(p.patchBytes)
 		if err != nil {
 			return nil, errors.NewBadRequest(err.Error())
@ -351,6 +362,15 @@ func (p *jsonPatcher) applyJSPatch(versionedJS []byte) (patchedJS []byte, retErr
 		}
 		return patchedJS, nil
 	case types.MergePatchType:
+		// sanity check potentially abusive patches
+		// TODO(liggitt): drop this once golang json parser limits stack depth (https://github.com/golang/go/issues/31789)
+		if len(p.patchBytes) > 1024*1024 {
+			v := map[string]interface{}{}
+			if err := json.Unmarshal(p.patchBytes, v); err != nil {
+				return nil, errors.NewBadRequest(fmt.Sprintf("error decoding patch: %v", err))
+			}
+		}
+
 		return jsonpatch.MergePatch(versionedJS, p.patchBytes)
 	default:
 		// only here as a safety net - go-restful filters content-type
@ -490,9 +510,9 @@ func (p *patcher) applyPatch(_ context.Context, _, currentObject runtime.Object)
 	return objToUpdate, nil
 }

-func (p *patcher) admissionAttributes(ctx context.Context, updatedObject runtime.Object, currentObject runtime.Object, operation admission.Operation) admission.Attributes {
+func (p *patcher) admissionAttributes(ctx context.Context, updatedObject runtime.Object, currentObject runtime.Object, operation admission.Operation, operationOptions runtime.Object) admission.Attributes {
 	userInfo, _ := request.UserFrom(ctx)
-	return admission.NewAttributesRecord(updatedObject, currentObject, p.kind, p.namespace, p.name, p.resource, p.subresource, operation, p.dryRun, userInfo)
+	return admission.NewAttributesRecord(updatedObject, currentObject, p.kind, p.namespace, p.name, p.resource, p.subresource, operation, operationOptions, p.dryRun, userInfo)
 }

 // applyAdmission is called every time GuaranteedUpdate asks for the updated object,
@ -501,23 +521,26 @@ func (p *patcher) admissionAttributes(ctx context.Context, updatedObject runtime
 func (p *patcher) applyAdmission(ctx context.Context, patchedObject runtime.Object, currentObject runtime.Object) (runtime.Object, error) {
 	p.trace.Step("About to check admission control")
 	var operation admission.Operation
+	var options runtime.Object
 	if hasUID, err := hasUID(currentObject); err != nil {
 		return nil, err
 	} else if !hasUID {
 		operation = admission.Create
 		currentObject = nil
+		options = patchToCreateOptions(p.options)
 	} else {
 		operation = admission.Update
+		options = patchToUpdateOptions(p.options)
 	}
 	if p.admissionCheck != nil && p.admissionCheck.Handles(operation) {
-		attributes := p.admissionAttributes(ctx, patchedObject, currentObject, operation)
+		attributes := p.admissionAttributes(ctx, patchedObject, currentObject, operation, options)
 		return patchedObject, p.admissionCheck.Admit(attributes, p.objectInterfaces)
 	}
 	return patchedObject, nil
 }

 // patchResource divides PatchResource for easier unit testing
-func (p *patcher) patchResource(ctx context.Context, scope RequestScope) (runtime.Object, bool, error) {
+func (p *patcher) patchResource(ctx context.Context, scope *RequestScope) (runtime.Object, bool, error) {
 	p.namespace = request.NamespaceValue(ctx)
 	switch p.patchType {
 	case types.JSONPatchType, types.MergePatchType:
@ -552,11 +575,8 @@ func (p *patcher) patchResource(ctx context.Context, scope RequestScope) (runtim
 	wasCreated := false
 	p.updatedObjectInfo = rest.DefaultUpdatedObjectInfo(nil, p.applyPatch, p.applyAdmission)
 	result, err := finishRequest(p.timeout, func() (runtime.Object, error) {
-		// TODO: Pass in UpdateOptions to override UpdateStrategy.AllowUpdateOnCreate
-		options, err := patchToUpdateOptions(p.options)
-		if err != nil {
-			return nil, err
-		}
+		// Pass in UpdateOptions to override UpdateStrategy.AllowUpdateOnCreate
+		options := patchToUpdateOptions(p.options)
 		updateObject, created, updateErr := p.restPatcher.Update(ctx, p.name, p.updatedObjectInfo, p.createValidation, p.updateValidation, p.forceAllowCreate, options)
 		wasCreated = created
 		return updateObject, updateErr
@ -601,12 +621,28 @@ func interpretStrategicMergePatchError(err error) error {
 	}
 }

-func patchToUpdateOptions(po *metav1.PatchOptions) (*metav1.UpdateOptions, error) {
-	b, err := json.Marshal(po)
-	if err != nil {
-		return nil, err
+// patchToUpdateOptions creates an UpdateOptions with the same field values as the provided PatchOptions.
+func patchToUpdateOptions(po *metav1.PatchOptions) *metav1.UpdateOptions {
+	if po == nil {
+		return nil
 	}
-	uo := metav1.UpdateOptions{}
-	err = json.Unmarshal(b, &uo)
-	return &uo, err
+	uo := &metav1.UpdateOptions{
+		DryRun:       po.DryRun,
+		FieldManager: po.FieldManager,
+	}
+	uo.TypeMeta.SetGroupVersionKind(metav1.SchemeGroupVersion.WithKind("UpdateOptions"))
+	return uo
+}
+
+// patchToCreateOptions creates an CreateOptions with the same field values as the provided PatchOptions.
+func patchToCreateOptions(po *metav1.PatchOptions) *metav1.CreateOptions {
+	if po == nil {
+		return nil
+	}
+	co := &metav1.CreateOptions{
+		DryRun:       po.DryRun,
+		FieldManager: po.FieldManager,
+	}
+	co.TypeMeta.SetGroupVersionKind(metav1.SchemeGroupVersion.WithKind("CreateOptions"))
+	return co
 }
--- a/vendor/k8s.io/apiserver/pkg/endpoints/handlers/response.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/handlers/response.go
@ -26,86 +26,97 @@ import (
 	metainternalversion "k8s.io/apimachinery/pkg/apis/meta/internalversion"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	metav1beta1 "k8s.io/apimachinery/pkg/apis/meta/v1beta1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1beta1/validation"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apiserver/pkg/endpoints/handlers/negotiation"
 	"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
+	utiltrace "k8s.io/utils/trace"
 )

+// transformObject takes the object as returned by storage and ensures it is in
+// the client's desired form, as well as ensuring any API level fields like self-link
+// are properly set.
+func transformObject(ctx context.Context, obj runtime.Object, opts interface{}, mediaType negotiation.MediaTypeOptions, scope *RequestScope, req *http.Request) (runtime.Object, error) {
+	if _, ok := obj.(*metav1.Status); ok {
+		return obj, nil
+	}
+	if err := setObjectSelfLink(ctx, obj, req, scope.Namer); err != nil {
+		return nil, err
+	}
+
+	switch target := mediaType.Convert; {
+	case target == nil:
+		return obj, nil
+
+	case target.Kind == "PartialObjectMetadata":
+		return asPartialObjectMetadata(obj, target.GroupVersion())
+
+	case target.Kind == "PartialObjectMetadataList":
+		return asPartialObjectMetadataList(obj, target.GroupVersion())
+
+	case target.Kind == "Table":
+		options, ok := opts.(*metav1beta1.TableOptions)
+		if !ok {
+			return nil, fmt.Errorf("unexpected TableOptions, got %T", opts)
+		}
+		return asTable(ctx, obj, options, scope, target.GroupVersion())
+
+	default:
+		accepted, _ := negotiation.MediaTypesForSerializer(metainternalversion.Codecs)
+		err := negotiation.NewNotAcceptableError(accepted)
+		return nil, err
+	}
+}
+
+// optionsForTransform will load and validate any additional query parameter options for
+// a conversion or return an error.
+func optionsForTransform(mediaType negotiation.MediaTypeOptions, req *http.Request) (interface{}, error) {
+	switch target := mediaType.Convert; {
+	case target == nil:
+	case target.Kind == "Table" && (target.GroupVersion() == metav1beta1.SchemeGroupVersion || target.GroupVersion() == metav1.SchemeGroupVersion):
+		opts := &metav1beta1.TableOptions{}
+		if err := metav1beta1.ParameterCodec.DecodeParameters(req.URL.Query(), metav1beta1.SchemeGroupVersion, opts); err != nil {
+			return nil, err
+		}
+		switch errs := validation.ValidateTableOptions(opts); len(errs) {
+		case 0:
+			return opts, nil
+		case 1:
+			return nil, errors.NewBadRequest(fmt.Sprintf("Unable to convert to Table as requested: %v", errs[0].Error()))
+		default:
+			return nil, errors.NewBadRequest(fmt.Sprintf("Unable to convert to Table as requested: %v", errs))
+		}
+	}
+	return nil, nil
+}
+
+// targetEncodingForTransform returns the appropriate serializer for the input media type
+func targetEncodingForTransform(scope *RequestScope, mediaType negotiation.MediaTypeOptions, req *http.Request) (schema.GroupVersionKind, runtime.NegotiatedSerializer, bool) {
+	switch target := mediaType.Convert; {
+	case target == nil:
+	case (target.Kind == "PartialObjectMetadata" || target.Kind == "PartialObjectMetadataList" || target.Kind == "Table") &&
+		(target.GroupVersion() == metav1beta1.SchemeGroupVersion || target.GroupVersion() == metav1.SchemeGroupVersion):
+		return *target, metainternalversion.Codecs, true
+	}
+	return scope.Kind, scope.Serializer, false
+}
+
 // transformResponseObject takes an object loaded from storage and performs any necessary transformations.
 // Will write the complete response object.
-func transformResponseObject(ctx context.Context, scope RequestScope, req *http.Request, w http.ResponseWriter, statusCode int, mediaType negotiation.MediaTypeOptions, result runtime.Object) {
-	// status objects are ignored for transformation
-	if _, ok := result.(*metav1.Status); ok {
-		responsewriters.WriteObject(statusCode, scope.Kind.GroupVersion(), scope.Serializer, result, w, req)
-		return
-	}
-
-	// ensure the self link and empty list array are set
-	if err := setObjectSelfLink(ctx, result, req, scope.Namer); err != nil {
+func transformResponseObject(ctx context.Context, scope *RequestScope, trace *utiltrace.Trace, req *http.Request, w http.ResponseWriter, statusCode int, mediaType negotiation.MediaTypeOptions, result runtime.Object) {
+	options, err := optionsForTransform(mediaType, req)
+	if err != nil {
 		scope.err(err, w, req)
 		return
 	}
-
-	trace := scope.Trace
-
-	// If conversion was allowed by the scope, perform it before writing the response
-	switch target := mediaType.Convert; {
-
-	case target == nil:
-		trace.Step("Writing response")
-		responsewriters.WriteObject(statusCode, scope.Kind.GroupVersion(), scope.Serializer, result, w, req)
-
-	case target.Kind == "PartialObjectMetadata" && target.GroupVersion() == metav1beta1.SchemeGroupVersion:
-		partial, err := asV1Beta1PartialObjectMetadata(result)
-		if err != nil {
-			scope.err(err, w, req)
-			return
-		}
-
-		if err := writeMetaInternalVersion(partial, statusCode, w, req, &scope, target.GroupVersion()); err != nil {
-			scope.err(err, w, req)
-			return
-		}
-
-	case target.Kind == "PartialObjectMetadataList" && target.GroupVersion() == metav1beta1.SchemeGroupVersion:
-		trace.Step("Processing list items")
-		partial, err := asV1Beta1PartialObjectMetadataList(result)
-		if err != nil {
-			scope.err(err, w, req)
-			return
-		}
-
-		if err := writeMetaInternalVersion(partial, statusCode, w, req, &scope, target.GroupVersion()); err != nil {
-			scope.err(err, w, req)
-			return
-		}
-
-	case target.Kind == "Table" && target.GroupVersion() == metav1beta1.SchemeGroupVersion:
-		opts := &metav1beta1.TableOptions{}
-		trace.Step("Decoding parameters")
-		if err := metav1beta1.ParameterCodec.DecodeParameters(req.URL.Query(), metav1beta1.SchemeGroupVersion, opts); err != nil {
-			scope.err(err, w, req)
-			return
-		}
-
-		table, err := asV1Beta1Table(ctx, result, opts, scope)
-		if err != nil {
-			scope.err(err, w, req)
-			return
-		}
-
-		if err := writeMetaInternalVersion(table, statusCode, w, req, &scope, target.GroupVersion()); err != nil {
-			scope.err(err, w, req)
-			return
-		}
-
-	default:
-		// this block should only be hit if scope AllowsConversion is incorrect
-		accepted, _ := negotiation.MediaTypesForSerializer(metainternalversion.Codecs)
-		err := negotiation.NewNotAcceptableError(accepted)
+	obj, err := transformObject(ctx, result, options, mediaType, scope, req)
+	if err != nil {
 		scope.err(err, w, req)
+		return
 	}
+	kind, serializer, _ := targetEncodingForTransform(scope, mediaType, req)
+	responsewriters.WriteObjectNegotiated(serializer, scope, kind.GroupVersion(), w, req, statusCode, obj)
 }

 // errNotAcceptable indicates Accept negotiation has failed
@ -130,38 +141,41 @@ func (e errNotAcceptable) Status() metav1.Status {
 	}
 }

-func asV1Beta1Table(ctx context.Context, result runtime.Object, opts *metav1beta1.TableOptions, scope RequestScope) (runtime.Object, error) {
-	trace := scope.Trace
+func asTable(ctx context.Context, result runtime.Object, opts *metav1beta1.TableOptions, scope *RequestScope, groupVersion schema.GroupVersion) (runtime.Object, error) {
+	switch groupVersion {
+	case metav1beta1.SchemeGroupVersion, metav1.SchemeGroupVersion:
+	default:
+		return nil, newNotAcceptableError(fmt.Sprintf("no Table exists in group version %s", groupVersion))
+	}

-	trace.Step("Converting to table")
-	table, err := scope.TableConvertor.ConvertToTable(ctx, result, opts)
+	obj, err := scope.TableConvertor.ConvertToTable(ctx, result, opts)
 	if err != nil {
 		return nil, err
 	}

-	trace.Step("Processing rows")
+	table := (*metav1.Table)(obj)
+
 	for i := range table.Rows {
 		item := &table.Rows[i]
 		switch opts.IncludeObject {
-		case metav1beta1.IncludeObject:
+		case metav1.IncludeObject:
 			item.Object.Object, err = scope.Convertor.ConvertToVersion(item.Object.Object, scope.Kind.GroupVersion())
 			if err != nil {
 				return nil, err
 			}
 		// TODO: rely on defaulting for the value here?
-		case metav1beta1.IncludeMetadata, "":
+		case metav1.IncludeMetadata, "":
 			m, err := meta.Accessor(item.Object.Object)
 			if err != nil {
 				return nil, err
 			}
 			// TODO: turn this into an internal type and do conversion in order to get object kind automatically set?
 			partial := meta.AsPartialObjectMetadata(m)
-			partial.GetObjectKind().SetGroupVersionKind(metav1beta1.SchemeGroupVersion.WithKind("PartialObjectMetadata"))
+			partial.GetObjectKind().SetGroupVersionKind(groupVersion.WithKind("PartialObjectMetadata"))
 			item.Object.Object = partial
-		case metav1beta1.IncludeNone:
+		case metav1.IncludeNone:
 			item.Object.Object = nil
 		default:
-			// TODO: move this to validation on the table options?
 			err = errors.NewBadRequest(fmt.Sprintf("unrecognized includeObject value: %q", opts.IncludeObject))
 			return nil, err
 		}
@ -170,50 +184,74 @@ func asV1Beta1Table(ctx context.Context, result runtime.Object, opts *metav1beta
 	return table, nil
 }

-func asV1Beta1PartialObjectMetadata(result runtime.Object) (runtime.Object, error) {
+func asPartialObjectMetadata(result runtime.Object, groupVersion schema.GroupVersion) (runtime.Object, error) {
 	if meta.IsListType(result) {
-		// TODO: this should be calculated earlier
 		err := newNotAcceptableError(fmt.Sprintf("you requested PartialObjectMetadata, but the requested object is a list (%T)", result))
 		return nil, err
 	}
+	switch groupVersion {
+	case metav1beta1.SchemeGroupVersion, metav1.SchemeGroupVersion:
+	default:
+		return nil, newNotAcceptableError(fmt.Sprintf("no PartialObjectMetadataList exists in group version %s", groupVersion))
+	}
 	m, err := meta.Accessor(result)
 	if err != nil {
 		return nil, err
 	}
 	partial := meta.AsPartialObjectMetadata(m)
-	partial.GetObjectKind().SetGroupVersionKind(metav1beta1.SchemeGroupVersion.WithKind("PartialObjectMetadata"))
+	partial.GetObjectKind().SetGroupVersionKind(groupVersion.WithKind("PartialObjectMetadata"))
 	return partial, nil
 }

-func asV1Beta1PartialObjectMetadataList(result runtime.Object) (runtime.Object, error) {
-	if !meta.IsListType(result) {
-		// TODO: this should be calculated earlier
+func asPartialObjectMetadataList(result runtime.Object, groupVersion schema.GroupVersion) (runtime.Object, error) {
+	li, ok := result.(metav1.ListInterface)
+	if !ok {
 		return nil, newNotAcceptableError(fmt.Sprintf("you requested PartialObjectMetadataList, but the requested object is not a list (%T)", result))
 	}
-	list := &metav1beta1.PartialObjectMetadataList{}
-	err := meta.EachListItem(result, func(obj runtime.Object) error {
-		m, err := meta.Accessor(obj)
-		if err != nil {
-			return err
-		}
-		partial := meta.AsPartialObjectMetadata(m)
-		partial.GetObjectKind().SetGroupVersionKind(metav1beta1.SchemeGroupVersion.WithKind("PartialObjectMetadata"))
-		list.Items = append(list.Items, partial)
-		return nil
-	})
-	if err != nil {
-		return nil, err
-	}
-	return list, nil
-}

-func writeMetaInternalVersion(obj runtime.Object, statusCode int, w http.ResponseWriter, req *http.Request, restrictions negotiation.EndpointRestrictions, target schema.GroupVersion) error {
-	// renegotiate under the internal version
-	_, info, err := negotiation.NegotiateOutputMediaType(req, metainternalversion.Codecs, restrictions)
-	if err != nil {
-		return err
+	gvk := groupVersion.WithKind("PartialObjectMetadata")
+	switch {
+	case groupVersion == metav1beta1.SchemeGroupVersion:
+		list := &metav1beta1.PartialObjectMetadataList{}
+		err := meta.EachListItem(result, func(obj runtime.Object) error {
+			m, err := meta.Accessor(obj)
+			if err != nil {
+				return err
+			}
+			partial := meta.AsPartialObjectMetadata(m)
+			partial.GetObjectKind().SetGroupVersionKind(gvk)
+			list.Items = append(list.Items, *partial)
+			return nil
+		})
+		if err != nil {
+			return nil, err
+		}
+		list.SelfLink = li.GetSelfLink()
+		list.ResourceVersion = li.GetResourceVersion()
+		list.Continue = li.GetContinue()
+		return list, nil
+
+	case groupVersion == metav1.SchemeGroupVersion:
+		list := &metav1.PartialObjectMetadataList{}
+		err := meta.EachListItem(result, func(obj runtime.Object) error {
+			m, err := meta.Accessor(obj)
+			if err != nil {
+				return err
+			}
+			partial := meta.AsPartialObjectMetadata(m)
+			partial.GetObjectKind().SetGroupVersionKind(gvk)
+			list.Items = append(list.Items, *partial)
+			return nil
+		})
+		if err != nil {
+			return nil, err
+		}
+		list.SelfLink = li.GetSelfLink()
+		list.ResourceVersion = li.GetResourceVersion()
+		list.Continue = li.GetContinue()
+		return list, nil
+
+	default:
+		return nil, newNotAcceptableError(fmt.Sprintf("no PartialObjectMetadataList exists in group version %s", groupVersion))
 	}
-	encoder := metainternalversion.Codecs.EncoderForVersion(info.Serializer, target)
-	responsewriters.SerializeObject(info.MediaType, encoder, w, req, statusCode, obj)
-	return nil
 }
--- a/vendor/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/writers.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/writers.go
@ -55,23 +55,6 @@ func (w httpResponseWriterWithInit) Write(b []byte) (n int, err error) {
 	return w.innerW.Write(b)
 }

-// WriteObject renders a returned runtime.Object to the response as a stream or an encoded object. If the object
-// returned by the response implements rest.ResourceStreamer that interface will be used to render the
-// response. The Accept header and current API version will be passed in, and the output will be copied
-// directly to the response body. If content type is returned it is used, otherwise the content type will
-// be "application/octet-stream". All other objects are sent to standard JSON serialization.
-func WriteObject(statusCode int, gv schema.GroupVersion, s runtime.NegotiatedSerializer, object runtime.Object, w http.ResponseWriter, req *http.Request) {
-	stream, ok := object.(rest.ResourceStreamer)
-	if ok {
-		requestInfo, _ := request.RequestInfoFrom(req.Context())
-		metrics.RecordLongRunning(req, requestInfo, metrics.APIServerComponent, func() {
-			StreamObject(statusCode, gv, s, stream, w, req)
-		})
-		return
-	}
-	WriteObjectNegotiated(s, gv, w, req, statusCode, object)
-}
-
 // StreamObject performs input stream negotiation from a ResourceStreamer and writes that to the response.
 // If the client requests a websocket upgrade, negotiate for a websocket reader protocol (because many
 // browser clients cannot easily handle binary streaming protocols).
@ -123,9 +106,17 @@ func SerializeObject(mediaType string, encoder runtime.Encoder, innerW http.Resp
 }

 // WriteObjectNegotiated renders an object in the content type negotiated by the client.
-// The context is optional and can be nil.
-func WriteObjectNegotiated(s runtime.NegotiatedSerializer, gv schema.GroupVersion, w http.ResponseWriter, req *http.Request, statusCode int, object runtime.Object) {
-	serializer, err := negotiation.NegotiateOutputSerializer(req, s)
+func WriteObjectNegotiated(s runtime.NegotiatedSerializer, restrictions negotiation.EndpointRestrictions, gv schema.GroupVersion, w http.ResponseWriter, req *http.Request, statusCode int, object runtime.Object) {
+	stream, ok := object.(rest.ResourceStreamer)
+	if ok {
+		requestInfo, _ := request.RequestInfoFrom(req.Context())
+		metrics.RecordLongRunning(req, requestInfo, metrics.APIServerComponent, func() {
+			StreamObject(statusCode, gv, s, stream, w, req)
+		})
+		return
+	}
+
+	_, serializer, err := negotiation.NegotiateOutputMediaType(req, s, restrictions)
 	if err != nil {
 		// if original statusCode was not successful we need to return the original error
 		// we cannot hide it behind negotiation problems
@ -162,7 +153,7 @@ func ErrorNegotiated(err error, s runtime.NegotiatedSerializer, gv schema.GroupV
 		return code
 	}

-	WriteObjectNegotiated(s, gv, w, req, code, status)
+	WriteObjectNegotiated(s, negotiation.DefaultEndpointRestrictions, gv, w, req, code, status)
 	return code
 }

--- a/vendor/k8s.io/apiserver/pkg/endpoints/handlers/rest.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/handlers/rest.go
@ -25,7 +25,6 @@ import (
 	"net/http"
 	"net/url"
 	goruntime "runtime"
-	"strings"
 	"time"

 	"k8s.io/apimachinery/pkg/api/errors"
@ -42,7 +41,6 @@ import (
 	"k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/registry/rest"
 	"k8s.io/klog"
-	utiltrace "k8s.io/utils/trace"
 )

 // RequestScope encapsulates common fields across all RESTful handler methods.
@ -52,13 +50,19 @@ type RequestScope struct {
 	Serializer runtime.NegotiatedSerializer
 	runtime.ParameterCodec

+	// StandardSerializers, if set, restricts which serializers can be used when
+	// we aren't transforming the output (into Table or PartialObjectMetadata).
+	// Used only by CRDs which do not yet support Protobuf.
+	StandardSerializers []runtime.SerializerInfo
+
 	Creater         runtime.ObjectCreater
 	Convertor       runtime.ObjectConvertor
 	Defaulter       runtime.ObjectDefaulter
 	Typer           runtime.ObjectTyper
 	UnsafeConvertor runtime.ObjectConvertor
 	Authorizer      authorizer.Authorizer
-	Trace           *utiltrace.Trace
+
+	EquivalentResourceMapper runtime.EquivalentResourceMapper

 	TableConvertor rest.TableConvertor
 	FieldManager   *fieldmanager.FieldManager
@ -79,12 +83,28 @@ func (scope *RequestScope) err(err error, w http.ResponseWriter, req *http.Reque
 	responsewriters.ErrorNegotiated(err, scope.Serializer, scope.Kind.GroupVersion(), w, req)
 }

-func (scope *RequestScope) AllowsConversion(gvk schema.GroupVersionKind) bool {
+func (scope *RequestScope) AllowsMediaTypeTransform(mimeType, mimeSubType string, gvk *schema.GroupVersionKind) bool {
+	// some handlers like CRDs can't serve all the mime types that PartialObjectMetadata or Table can - if
+	// gvk is nil (no conversion) allow StandardSerializers to further restrict the set of mime types.
+	if gvk == nil {
+		if len(scope.StandardSerializers) == 0 {
+			return true
+		}
+		for _, info := range scope.StandardSerializers {
+			if info.MediaTypeType == mimeType && info.MediaTypeSubType == mimeSubType {
+				return true
+			}
+		}
+		return false
+	}
+
 	// TODO: this is temporary, replace with an abstraction calculated at endpoint installation time
-	if gvk.GroupVersion() == metav1beta1.SchemeGroupVersion {
+	if gvk.GroupVersion() == metav1beta1.SchemeGroupVersion || gvk.GroupVersion() == metav1.SchemeGroupVersion {
 		switch gvk.Kind {
 		case "Table":
-			return scope.TableConvertor != nil
+			return scope.TableConvertor != nil &&
+				mimeType == "application" &&
+				(mimeSubType == "json" || mimeSubType == "yaml")
 		case "PartialObjectMetadata", "PartialObjectMetadataList":
 			// TODO: should delineate between lists and non-list endpoints
 			return true
@ -109,9 +129,12 @@ func (r *RequestScope) GetObjectCreater() runtime.ObjectCreater     { return r.C
 func (r *RequestScope) GetObjectTyper() runtime.ObjectTyper         { return r.Typer }
 func (r *RequestScope) GetObjectDefaulter() runtime.ObjectDefaulter { return r.Defaulter }
 func (r *RequestScope) GetObjectConvertor() runtime.ObjectConvertor { return r.Convertor }
+func (r *RequestScope) GetEquivalentResourceMapper() runtime.EquivalentResourceMapper {
+	return r.EquivalentResourceMapper
+}

 // ConnectResource returns a function that handles a connect request on a rest.Storage object.
-func ConnectResource(connecter rest.Connecter, scope RequestScope, admit admission.Interface, restPath string, isSubresource bool) http.HandlerFunc {
+func ConnectResource(connecter rest.Connecter, scope *RequestScope, admit admission.Interface, restPath string, isSubresource bool) http.HandlerFunc {
 	return func(w http.ResponseWriter, req *http.Request) {
 		if isDryRun(req.URL) {
 			scope.err(errors.NewBadRequest("dryRun is not supported"), w, req)
@ -138,14 +161,14 @@ func ConnectResource(connecter rest.Connecter, scope RequestScope, admit admissi
 			userInfo, _ := request.UserFrom(ctx)
 			// TODO: remove the mutating admission here as soon as we have ported all plugin that handle CONNECT
 			if mutatingAdmission, ok := admit.(admission.MutationInterface); ok {
-				err = mutatingAdmission.Admit(admission.NewAttributesRecord(opts, nil, scope.Kind, namespace, name, scope.Resource, scope.Subresource, admission.Connect, false, userInfo), &scope)
+				err = mutatingAdmission.Admit(admission.NewAttributesRecord(opts, nil, scope.Kind, namespace, name, scope.Resource, scope.Subresource, admission.Connect, nil, false, userInfo), scope)
 				if err != nil {
 					scope.err(err, w, req)
 					return
 				}
 			}
 			if validatingAdmission, ok := admit.(admission.ValidationInterface); ok {
-				err = validatingAdmission.Validate(admission.NewAttributesRecord(opts, nil, scope.Kind, namespace, name, scope.Resource, scope.Subresource, admission.Connect, false, userInfo), &scope)
+				err = validatingAdmission.Validate(admission.NewAttributesRecord(opts, nil, scope.Kind, namespace, name, scope.Resource, scope.Subresource, admission.Connect, nil, false, userInfo), scope)
 				if err != nil {
 					scope.err(err, w, req)
 					return
@ -166,13 +189,13 @@ func ConnectResource(connecter rest.Connecter, scope RequestScope, admit admissi

 // responder implements rest.Responder for assisting a connector in writing objects or errors.
 type responder struct {
-	scope RequestScope
+	scope *RequestScope
 	req   *http.Request
 	w     http.ResponseWriter
 }

 func (r *responder) Object(statusCode int, obj runtime.Object) {
-	responsewriters.WriteObject(statusCode, r.scope.Kind.GroupVersion(), r.scope.Serializer, obj, r.w, r.req)
+	responsewriters.WriteObjectNegotiated(r.scope.Serializer, r.scope, r.scope.Kind.GroupVersion(), r.w, r.req, statusCode, obj)
 }

 func (r *responder) Error(err error) {
@ -195,10 +218,12 @@ func finishRequest(timeout time.Duration, fn resultFunc) (result runtime.Object,
 		defer func() {
 			panicReason := recover()
 			if panicReason != nil {
+				// Same as stdlib http server code. Manually allocate stack
+				// trace buffer size to prevent excessively large logs
 				const size = 64 << 10
 				buf := make([]byte, size)
 				buf = buf[:goruntime.Stack(buf, false)]
-				panicReason = strings.TrimSuffix(fmt.Sprintf("%v\n%s", panicReason, string(buf)), "\n")
+				panicReason = fmt.Sprintf("%v\n%s", panicReason, buf)
 				// Propagate to parent goroutine
 				panicCh <- panicReason
 			}
@ -228,11 +253,11 @@ func finishRequest(timeout time.Duration, fn resultFunc) (result runtime.Object,
 	}
 }

-// transformDecodeError adds additional information when a decode fails.
+// transformDecodeError adds additional information into a bad-request api error when a decode fails.
 func transformDecodeError(typer runtime.ObjectTyper, baseErr error, into runtime.Object, gvk *schema.GroupVersionKind, body []byte) error {
 	objGVKs, _, err := typer.ObjectKinds(into)
 	if err != nil {
-		return err
+		return errors.NewBadRequest(err.Error())
 	}
 	objGVK := objGVKs[0]
 	if gvk != nil && len(gvk.Kind) > 0 {
@ -290,7 +315,12 @@ func checkName(obj runtime.Object, name, namespace string, namer ScopeNamer) err
 }

 // setObjectSelfLink sets the self link of an object as needed.
+// TODO: remove the need for the namer LinkSetters by requiring objects implement either Object or List
+//   interfaces
 func setObjectSelfLink(ctx context.Context, obj runtime.Object, req *http.Request, namer ScopeNamer) error {
+	// We only generate list links on objects that implement ListInterface - historically we duck typed this
+	// check via reflection, but as we move away from reflection we require that you not only carry Items but
+	// ListMeta into order to be identified as a list.
 	if !meta.IsListType(obj) {
 		requestInfo, ok := request.RequestInfoFrom(ctx)
 		if !ok {
--- a/vendor/k8s.io/apiserver/pkg/endpoints/handlers/update.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/handlers/update.go
@ -42,7 +42,7 @@ import (
 )

 // UpdateResource returns a function that will handle a resource update
-func UpdateResource(r rest.Updater, scope RequestScope, admit admission.Interface) http.HandlerFunc {
+func UpdateResource(r rest.Updater, scope *RequestScope, admit admission.Interface) http.HandlerFunc {
 	return func(w http.ResponseWriter, req *http.Request) {
 		// For performance tracking purposes.
 		trace := utiltrace.New("Update " + req.URL.Path)
@ -64,7 +64,7 @@ func UpdateResource(r rest.Updater, scope RequestScope, admit admission.Interfac
 		ctx := req.Context()
 		ctx = request.WithNamespace(ctx, namespace)

-		outputMediaType, _, err := negotiation.NegotiateOutputMediaType(req, scope.Serializer, &scope)
+		outputMediaType, _, err := negotiation.NegotiateOutputMediaType(req, scope.Serializer, scope)
 		if err != nil {
 			scope.err(err, w, req)
 			return
@ -87,6 +87,7 @@ func UpdateResource(r rest.Updater, scope RequestScope, admit admission.Interfac
 			scope.err(err, w, req)
 			return
 		}
+		options.TypeMeta.SetGroupVersionKind(metav1.SchemeGroupVersion.WithKind("UpdateOptions"))

 		s, err := negotiation.NegotiateInputSerializer(req, false, scope.Serializer)
 		if err != nil {
@ -138,11 +139,11 @@ func UpdateResource(r rest.Updater, scope RequestScope, admit admission.Interfac
 					return nil, fmt.Errorf("unexpected error when extracting UID from oldObj: %v", err.Error())
 				} else if !isNotZeroObject {
 					if mutatingAdmission.Handles(admission.Create) {
-						return newObj, mutatingAdmission.Admit(admission.NewAttributesRecord(newObj, nil, scope.Kind, namespace, name, scope.Resource, scope.Subresource, admission.Create, dryrun.IsDryRun(options.DryRun), userInfo), &scope)
+						return newObj, mutatingAdmission.Admit(admission.NewAttributesRecord(newObj, nil, scope.Kind, namespace, name, scope.Resource, scope.Subresource, admission.Create, updateToCreateOptions(options), dryrun.IsDryRun(options.DryRun), userInfo), scope)
 					}
 				} else {
 					if mutatingAdmission.Handles(admission.Update) {
-						return newObj, mutatingAdmission.Admit(admission.NewAttributesRecord(newObj, oldObj, scope.Kind, namespace, name, scope.Resource, scope.Subresource, admission.Update, dryrun.IsDryRun(options.DryRun), userInfo), &scope)
+						return newObj, mutatingAdmission.Admit(admission.NewAttributesRecord(newObj, oldObj, scope.Kind, namespace, name, scope.Resource, scope.Subresource, admission.Update, options, dryrun.IsDryRun(options.DryRun), userInfo), scope)
 					}
 				}
 				return newObj, nil
@ -172,11 +173,11 @@ func UpdateResource(r rest.Updater, scope RequestScope, admit admission.Interfac
 				rest.DefaultUpdatedObjectInfo(obj, transformers...),
 				withAuthorization(rest.AdmissionToValidateObjectFunc(
 					admit,
-					admission.NewAttributesRecord(nil, nil, scope.Kind, namespace, name, scope.Resource, scope.Subresource, admission.Create, dryrun.IsDryRun(options.DryRun), userInfo), &scope),
+					admission.NewAttributesRecord(nil, nil, scope.Kind, namespace, name, scope.Resource, scope.Subresource, admission.Create, updateToCreateOptions(options), dryrun.IsDryRun(options.DryRun), userInfo), scope),
 					scope.Authorizer, createAuthorizerAttributes),
 				rest.AdmissionToValidateObjectUpdateFunc(
 					admit,
-					admission.NewAttributesRecord(nil, nil, scope.Kind, namespace, name, scope.Resource, scope.Subresource, admission.Update, dryrun.IsDryRun(options.DryRun), userInfo), &scope),
+					admission.NewAttributesRecord(nil, nil, scope.Kind, namespace, name, scope.Resource, scope.Subresource, admission.Update, options, dryrun.IsDryRun(options.DryRun), userInfo), scope),
 				false,
 				options,
 			)
@ -194,8 +195,7 @@ func UpdateResource(r rest.Updater, scope RequestScope, admit admission.Interfac
 			status = http.StatusCreated
 		}

-		scope.Trace = trace
-		transformResponseObject(ctx, scope, req, w, status, outputMediaType, result)
+		transformResponseObject(ctx, scope, trace, req, w, status, outputMediaType, result)
 	}
 }

@ -230,3 +230,16 @@ func withAuthorization(validate rest.ValidateObjectFunc, a authorizer.Authorizer
 		return errors.NewForbidden(gr, name, err)
 	}
 }
+
+// updateToCreateOptions creates a CreateOptions with the same field values as the provided UpdateOptions.
+func updateToCreateOptions(uo *metav1.UpdateOptions) *metav1.CreateOptions {
+	if uo == nil {
+		return nil
+	}
+	co := &metav1.CreateOptions{
+		DryRun:       uo.DryRun,
+		FieldManager: uo.FieldManager,
+	}
+	co.TypeMeta.SetGroupVersionKind(metav1.SchemeGroupVersion.WithKind("CreateOptions"))
+	return co
+}
--- a/vendor/k8s.io/apiserver/pkg/endpoints/handlers/watch.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/handlers/watch.go
@ -25,13 +25,13 @@ import (

 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	metav1beta1 "k8s.io/apimachinery/pkg/apis/meta/v1beta1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer/streaming"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/apiserver/pkg/endpoints/handlers/negotiation"
 	"k8s.io/apiserver/pkg/endpoints/metrics"
-	"k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/server/httplog"
 	"k8s.io/apiserver/pkg/util/wsstream"

@ -61,42 +61,51 @@ func (w *realTimeoutFactory) TimeoutCh() (<-chan time.Time, func() bool) {
 	return t.C, t.Stop
 }

-// serveWatch handles serving requests to the server
+// serveWatch will serve a watch response.
 // TODO: the functionality in this method and in WatchServer.Serve is not cleanly decoupled.
-func serveWatch(watcher watch.Interface, scope RequestScope, req *http.Request, w http.ResponseWriter, timeout time.Duration) {
-	// negotiate for the stream serializer
-	serializer, err := negotiation.NegotiateOutputStreamSerializer(req, scope.Serializer)
+func serveWatch(watcher watch.Interface, scope *RequestScope, mediaTypeOptions negotiation.MediaTypeOptions, req *http.Request, w http.ResponseWriter, timeout time.Duration) {
+	options, err := optionsForTransform(mediaTypeOptions, req)
+	if err != nil {
+		scope.err(err, w, req)
+		return
+	}
+
+	// negotiate for the stream serializer from the scope's serializer
+	serializer, err := negotiation.NegotiateOutputMediaTypeStream(req, scope.Serializer, scope)
 	if err != nil {
 		scope.err(err, w, req)
 		return
 	}
 	framer := serializer.StreamSerializer.Framer
 	streamSerializer := serializer.StreamSerializer.Serializer
-	embedded := serializer.Serializer
+	encoder := scope.Serializer.EncoderForVersion(streamSerializer, scope.Kind.GroupVersion())
+	useTextFraming := serializer.EncodesAsText
 	if framer == nil {
 		scope.err(fmt.Errorf("no framer defined for %q available for embedded encoding", serializer.MediaType), w, req)
 		return
 	}
-	encoder := scope.Serializer.EncoderForVersion(streamSerializer, scope.Kind.GroupVersion())
-
-	useTextFraming := serializer.EncodesAsText
-
-	// find the embedded serializer matching the media type
-	embeddedEncoder := scope.Serializer.EncoderForVersion(embedded, scope.Kind.GroupVersion())
-
 	// TODO: next step, get back mediaTypeOptions from negotiate and return the exact value here
 	mediaType := serializer.MediaType
 	if mediaType != runtime.ContentTypeJSON {
 		mediaType += ";stream=watch"
 	}

-	ctx := req.Context()
-	requestInfo, ok := request.RequestInfoFrom(ctx)
-	if !ok {
-		scope.err(fmt.Errorf("missing requestInfo"), w, req)
-		return
+	// locate the appropriate embedded encoder based on the transform
+	var embeddedEncoder runtime.Encoder
+	contentKind, contentSerializer, transform := targetEncodingForTransform(scope, mediaTypeOptions, req)
+	if transform {
+		info, ok := runtime.SerializerInfoForMediaType(contentSerializer.SupportedMediaTypes(), serializer.MediaType)
+		if !ok {
+			scope.err(fmt.Errorf("no encoder for %q exists in the requested target %#v", serializer.MediaType, contentSerializer), w, req)
+			return
+		}
+		embeddedEncoder = contentSerializer.EncoderForVersion(info.Serializer, contentKind.GroupVersion())
+	} else {
+		embeddedEncoder = scope.Serializer.EncoderForVersion(serializer.Serializer, contentKind.GroupVersion())
 	}

+	ctx := req.Context()
+
 	server := &WatchServer{
 		Watching: watcher,
 		Scope:    scope,
@ -106,10 +115,20 @@ func serveWatch(watcher watch.Interface, scope RequestScope, req *http.Request,
 		Framer:          framer,
 		Encoder:         encoder,
 		EmbeddedEncoder: embeddedEncoder,
-		Fixup: func(obj runtime.Object) {
-			if err := setSelfLink(obj, requestInfo, scope.Namer); err != nil {
-				utilruntime.HandleError(fmt.Errorf("failed to set link for object %v: %v", reflect.TypeOf(obj), err))
+
+		Fixup: func(obj runtime.Object) runtime.Object {
+			result, err := transformObject(ctx, obj, options, mediaTypeOptions, scope, req)
+			if err != nil {
+				utilruntime.HandleError(fmt.Errorf("failed to transform object %v: %v", reflect.TypeOf(obj), err))
+				return obj
 			}
+			// When we are transformed to a table, use the table options as the state for whether we
+			// should print headers - on watch, we only want to print table headers on the first object
+			// and omit them on subsequent events.
+			if tableOptions, ok := options.(*metav1beta1.TableOptions); ok {
+				tableOptions.NoHeaders = true
+			}
+			return result
 		},

 		TimeoutFactory: &realTimeoutFactory{timeout},
@ -121,7 +140,7 @@ func serveWatch(watcher watch.Interface, scope RequestScope, req *http.Request,
 // WatchServer serves a watch.Interface over a websocket or vanilla HTTP.
 type WatchServer struct {
 	Watching watch.Interface
-	Scope    RequestScope
+	Scope    *RequestScope

 	// true if websocket messages should use text framing (as opposed to binary framing)
 	UseTextFraming bool
@ -133,7 +152,8 @@ type WatchServer struct {
 	Encoder runtime.Encoder
 	// used to encode the nested object in the watch stream
 	EmbeddedEncoder runtime.Encoder
-	Fixup           func(runtime.Object)
+	// used to correct the object before we send it to the serializer
+	Fixup func(runtime.Object) runtime.Object

 	TimeoutFactory TimeoutFactory
 }
@ -191,6 +211,7 @@ func (s *WatchServer) ServeHTTP(w http.ResponseWriter, req *http.Request) {

 	var unknown runtime.Unknown
 	internalEvent := &metav1.InternalEvent{}
+	outEvent := &metav1.WatchEvent{}
 	buf := &bytes.Buffer{}
 	ch := s.Watching.ResultChan()
 	for {
@ -205,8 +226,7 @@ func (s *WatchServer) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 				return
 			}

-			obj := event.Object
-			s.Fixup(obj)
+			obj := s.Fixup(event.Object)
 			if err := s.EmbeddedEncoder.Encode(obj, buf); err != nil {
 				// unexpected error
 				utilruntime.HandleError(fmt.Errorf("unable to encode watch object %T: %v", obj, err))
@ -218,10 +238,11 @@ func (s *WatchServer) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 			unknown.Raw = buf.Bytes()
 			event.Object = &unknown

+			*outEvent = metav1.WatchEvent{}
+
 			// create the external type directly and encode it.  Clients will only recognize the serialization we provide.
 			// The internal event is being reused, not reallocated so its just a few extra assignments to do it this way
 			// and we get the benefit of using conversion functions which already have to stay in sync
-			outEvent := &metav1.WatchEvent{}
 			*internalEvent = metav1.InternalEvent(event)
 			err := metav1.Convert_v1_InternalEvent_To_v1_WatchEvent(internalEvent, outEvent, nil)
 			if err != nil {
@ -272,8 +293,7 @@ func (s *WatchServer) HandleWS(ws *websocket.Conn) {
 				// End of results.
 				return
 			}
-			obj := event.Object
-			s.Fixup(obj)
+			obj := s.Fixup(event.Object)
 			if err := s.EmbeddedEncoder.Encode(obj, buf); err != nil {
 				// unexpected error
 				utilruntime.HandleError(fmt.Errorf("unable to encode watch object %T: %v", obj, err))
--- a/vendor/k8s.io/apiserver/pkg/endpoints/installer.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/installer.go
@ -512,6 +512,11 @@ func (a *APIInstaller) registerResourceHandlers(path string, storage rest.Storag
 	//
 	// test/integration/auth_test.go is currently the most comprehensive status code test

+	for _, s := range a.group.Serializer.SupportedMediaTypes() {
+		if len(s.MediaTypeSubType) == 0 || len(s.MediaTypeType) == 0 {
+			return nil, fmt.Errorf("all serializers in the group Serializer must have MediaTypeType and MediaTypeSubType set: %s", s.MediaType)
+		}
+	}
 	mediaTypes, streamMediaTypes := negotiation.MediaTypesForSerializer(a.group.Serializer)
 	allMediaTypes := append(mediaTypes, streamMediaTypes...)
 	ws.Produces(allMediaTypes...)
@ -527,6 +532,8 @@ func (a *APIInstaller) registerResourceHandlers(path string, storage rest.Storag
 		UnsafeConvertor: a.group.UnsafeConvertor,
 		Authorizer:      a.group.Authorizer,

+		EquivalentResourceMapper: a.group.EquivalentResourceRegistry,
+
 		// TODO: Check for the interface on storage
 		TableConvertor: tableProvider,

@ -801,6 +808,13 @@ func (a *APIInstaller) registerResourceHandlers(path string, storage rest.Storag
 				Produces(append(storageMeta.ProducesMIMETypes(action.Verb), mediaTypes...)...).
 				Writes(versionedStatus).
 				Returns(http.StatusOK, "OK", versionedStatus)
+			if isCollectionDeleter {
+				route.Reads(versionedDeleterObject)
+				route.ParameterNamed("body").Required(false)
+				if err := AddObjectParams(ws, route, versionedDeleteOptions); err != nil {
+					return nil, err
+				}
+			}
 			if err := AddObjectParams(ws, route, versionedListOptions); err != nil {
 				return nil, err
 			}
@ -913,6 +927,9 @@ func (a *APIInstaller) registerResourceHandlers(path string, storage rest.Storag
 		apiResource.Kind = gvk.Kind
 	}

+	// Record the existence of the GVR and the corresponding GVK
+	a.group.EquivalentResourceRegistry.RegisterKindFor(reqScope.Resource, reqScope.Subresource, fqKindToRegister)
+
 	return &apiResource, nil
 }

@ -1071,60 +1088,60 @@ func isVowel(c rune) bool {

 func restfulListResource(r rest.Lister, rw rest.Watcher, scope handlers.RequestScope, forceWatch bool, minRequestTimeout time.Duration) restful.RouteFunction {
 	return func(req *restful.Request, res *restful.Response) {
-		handlers.ListResource(r, rw, scope, forceWatch, minRequestTimeout)(res.ResponseWriter, req.Request)
+		handlers.ListResource(r, rw, &scope, forceWatch, minRequestTimeout)(res.ResponseWriter, req.Request)
 	}
 }

 func restfulCreateNamedResource(r rest.NamedCreater, scope handlers.RequestScope, admit admission.Interface) restful.RouteFunction {
 	return func(req *restful.Request, res *restful.Response) {
-		handlers.CreateNamedResource(r, scope, admit)(res.ResponseWriter, req.Request)
+		handlers.CreateNamedResource(r, &scope, admit)(res.ResponseWriter, req.Request)
 	}
 }

 func restfulCreateResource(r rest.Creater, scope handlers.RequestScope, admit admission.Interface) restful.RouteFunction {
 	return func(req *restful.Request, res *restful.Response) {
-		handlers.CreateResource(r, scope, admit)(res.ResponseWriter, req.Request)
+		handlers.CreateResource(r, &scope, admit)(res.ResponseWriter, req.Request)
 	}
 }

 func restfulDeleteResource(r rest.GracefulDeleter, allowsOptions bool, scope handlers.RequestScope, admit admission.Interface) restful.RouteFunction {
 	return func(req *restful.Request, res *restful.Response) {
-		handlers.DeleteResource(r, allowsOptions, scope, admit)(res.ResponseWriter, req.Request)
+		handlers.DeleteResource(r, allowsOptions, &scope, admit)(res.ResponseWriter, req.Request)
 	}
 }

 func restfulDeleteCollection(r rest.CollectionDeleter, checkBody bool, scope handlers.RequestScope, admit admission.Interface) restful.RouteFunction {
 	return func(req *restful.Request, res *restful.Response) {
-		handlers.DeleteCollection(r, checkBody, scope, admit)(res.ResponseWriter, req.Request)
+		handlers.DeleteCollection(r, checkBody, &scope, admit)(res.ResponseWriter, req.Request)
 	}
 }

 func restfulUpdateResource(r rest.Updater, scope handlers.RequestScope, admit admission.Interface) restful.RouteFunction {
 	return func(req *restful.Request, res *restful.Response) {
-		handlers.UpdateResource(r, scope, admit)(res.ResponseWriter, req.Request)
+		handlers.UpdateResource(r, &scope, admit)(res.ResponseWriter, req.Request)
 	}
 }

 func restfulPatchResource(r rest.Patcher, scope handlers.RequestScope, admit admission.Interface, supportedTypes []string) restful.RouteFunction {
 	return func(req *restful.Request, res *restful.Response) {
-		handlers.PatchResource(r, scope, admit, supportedTypes)(res.ResponseWriter, req.Request)
+		handlers.PatchResource(r, &scope, admit, supportedTypes)(res.ResponseWriter, req.Request)
 	}
 }

 func restfulGetResource(r rest.Getter, e rest.Exporter, scope handlers.RequestScope) restful.RouteFunction {
 	return func(req *restful.Request, res *restful.Response) {
-		handlers.GetResource(r, e, scope)(res.ResponseWriter, req.Request)
+		handlers.GetResource(r, e, &scope)(res.ResponseWriter, req.Request)
 	}
 }

 func restfulGetResourceWithOptions(r rest.GetterWithOptions, scope handlers.RequestScope, isSubresource bool) restful.RouteFunction {
 	return func(req *restful.Request, res *restful.Response) {
-		handlers.GetResourceWithOptions(r, scope, isSubresource)(res.ResponseWriter, req.Request)
+		handlers.GetResourceWithOptions(r, &scope, isSubresource)(res.ResponseWriter, req.Request)
 	}
 }

 func restfulConnectResource(connecter rest.Connecter, scope handlers.RequestScope, admit admission.Interface, restPath string, isSubresource bool) restful.RouteFunction {
 	return func(req *restful.Request, res *restful.Response) {
-		handlers.ConnectResource(connecter, scope, admit, restPath, isSubresource)(res.ResponseWriter, req.Request)
+		handlers.ConnectResource(connecter, &scope, admit, restPath, isSubresource)(res.ResponseWriter, req.Request)
 	}
 }
--- a/vendor/k8s.io/apiserver/pkg/endpoints/metrics/metrics.go
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/metrics/metrics.go
@ -20,6 +20,7 @@ import (
 	"bufio"
 	"net"
 	"net/http"
+	"net/url"
 	"regexp"
 	"strconv"
 	"strings"
@ -34,7 +35,7 @@ import (
 	"k8s.io/apiserver/pkg/features"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"

-	"github.com/emicklei/go-restful"
+	restful "github.com/emicklei/go-restful"
 	"github.com/prometheus/client_golang/prometheus"
 )

@ -234,7 +235,7 @@ func RecordLongRunning(req *http.Request, requestInfo *request.RequestInfo, comp
 // a request. verb must be uppercase to be backwards compatible with existing monitoring tooling.
 func MonitorRequest(req *http.Request, verb, group, version, resource, subresource, scope, component, contentType string, httpCode, respSize int, elapsed time.Duration) {
 	reportedVerb := cleanVerb(verb, req)
-	dryRun := cleanDryRun(req.URL.Query()["dryRun"])
+	dryRun := cleanDryRun(req.URL)
 	client := cleanUserAgent(utilnet.GetHTTPClient(req))
 	elapsedMicroseconds := float64(elapsed / time.Microsecond)
 	elapsedSeconds := elapsed.Seconds()
@ -331,12 +332,19 @@ func cleanVerb(verb string, request *http.Request) string {
 	return reportedVerb
 }

-func cleanDryRun(dryRun []string) string {
+func cleanDryRun(u *url.URL) string {
+	// avoid allocating when we don't see dryRun in the query
+	if !strings.Contains(u.RawQuery, "dryRun") {
+		return ""
+	}
+	dryRun := u.Query()["dryRun"]
 	if errs := validation.ValidateDryRun(nil, dryRun); len(errs) > 0 {
 		return "invalid"
 	}
 	// Since dryRun could be valid with any arbitrarily long length
 	// we have to dedup and sort the elements before joining them together
+	// TODO: this is a fairly large allocation for what it does, consider
+	//   a sort and dedup in a single pass
 	return strings.Join(utilsets.NewString(dryRun...).List(), ",")
 }

@ -346,7 +354,10 @@ func cleanUserAgent(ua string) string {
 		return "Browser"
 	}
 	// If an old "kubectl.exe" has passed us its full path, we discard the path portion.
-	ua = kubectlExeRegexp.ReplaceAllString(ua, "$1")
+	if kubectlExeRegexp.MatchString(ua) {
+		// avoid an allocation
+		ua = kubectlExeRegexp.ReplaceAllString(ua, "$1")
+	}
 	return ua
 }