Re-vendor

vendor/k8s.io/apiserver/pkg/apis/apiserver/install/install.go

@@ -20,8 +20,9 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apiserver/pkg/apis/apiserver"
-	"k8s.io/apiserver/pkg/apis/apiserver/v1"
+	v1 "k8s.io/apiserver/pkg/apis/apiserver/v1"
 	"k8s.io/apiserver/pkg/apis/apiserver/v1alpha1"
+	"k8s.io/apiserver/pkg/apis/apiserver/v1beta1"
 )
 
 // Install registers the API group and adds types to a scheme
@@ -32,6 +33,10 @@ func Install(scheme *runtime.Scheme) {
 	utilruntime.Must(v1alpha1.AddToScheme(scheme))
 	utilruntime.Must(scheme.SetVersionPriority(v1alpha1.SchemeGroupVersion))
 
+	// v1alpha is in the k8s.io-suffixed API group
+	utilruntime.Must(v1beta1.AddToScheme(scheme))
+	utilruntime.Must(scheme.SetVersionPriority(v1beta1.SchemeGroupVersion))
+
 	// v1 is in the config.k8s.io-suffixed API group
 	utilruntime.Must(v1.AddToScheme(scheme))
 	utilruntime.Must(scheme.SetVersionPriority(v1.SchemeGroupVersion))

vendor/k8s.io/apiserver/pkg/apis/apiserver/types.go

@@ -71,29 +71,78 @@ type EgressSelection struct {
 
 // Connection provides the configuration for a single egress selection client.
 type Connection struct {
-	// Type is the type of connection used to connect from client to konnectivity server.
-	// Currently supported values are "http-connect" and "direct".
-	Type string
+	// Protocol is the protocol used to connect from client to the konnectivity server.
+	ProxyProtocol ProtocolType
 
-	// httpConnect is the config needed to use http-connect to the konnectivity server.
+	// Transport defines the transport configurations we use to dial to the konnectivity server.
+	// This is required if ProxyProtocol is HTTPConnect or GRPC.
 	// +optional
-	HTTPConnect *HTTPConnectConfig
+	Transport *Transport
 }
 
-type HTTPConnectConfig struct {
+// ProtocolType is a set of valid values for Connection.ProtocolType
+type ProtocolType string
+
+// Valid types for ProtocolType for konnectivity server
+const (
+	// Use HTTPConnect to connect to konnectivity server
+	ProtocolHTTPConnect ProtocolType = "HTTPConnect"
+	// Use grpc to connect to konnectivity server
+	ProtocolGRPC ProtocolType = "GRPC"
+	// Connect directly (skip konnectivity server)
+	ProtocolDirect ProtocolType = "Direct"
+)
+
+// Transport defines the transport configurations we use to dial to the konnectivity server
+type Transport struct {
+	// TCP is the TCP configuration for communicating with the konnectivity server via TCP
+	// ProxyProtocol of GRPC is not supported with TCP transport at the moment
+	// Requires at least one of TCP or UDS to be set
+	// +optional
+	TCP *TCPTransport
+
+	// UDS is the UDS configuration for communicating with the konnectivity server via UDS
+	// Requires at least one of TCP or UDS to be set
+	// +optional
+	UDS *UDSTransport
+}
+
+// TCPTransport provides the information to connect to konnectivity server via TCP
+type TCPTransport struct {
 	// URL is the location of the konnectivity server to connect to.
 	// As an example it might be "https://127.0.0.1:8131"
 	URL string
 
-	// CABundle is the file location of the CA to be used to determine trust with the konnectivity server.
+	// TLSConfig is the config needed to use TLS when connecting to konnectivity server
+	// +optional
+	TLSConfig *TLSConfig
+}
+
+// UDSTransport provides the information to connect to konnectivity server via UDS
+type UDSTransport struct {
+	// UDSName is the name of the unix domain socket to connect to konnectivity server
+	// This does not use a unix:// prefix. (Eg: /etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket)
+	UDSName string
+}
+
+// TLSConfig provides the authentication information to connect to konnectivity server
+// Only used with TCPTransport
+type TLSConfig struct {
+	// caBundle is the file location of the CA to be used to determine trust with the konnectivity server.
+	// Must be absent/empty if TCPTransport.URL is prefixed with http://
+	// If absent while TCPTransport.URL is prefixed with https://, default to system trust roots.
 	// +optional
 	CABundle string
 
-	// ClientKey is the file location of the client key to be used in mtls handshakes with the konnectivity server.
+	// clientKey is the file location of the client key to authenticate with the konnectivity server
+	// Must be absent/empty if TCPTransport.URL is prefixed with http://
+	// Must be configured if TCPTransport.URL is prefixed with https://
 	// +optional
 	ClientKey string
 
-	// ClientCert is the file location of the client certificate to be used in mtls handshakes with the konnectivity server.
+	// clientCert is the file location of the client certificate to authenticate with the konnectivity server
+	// Must be absent/empty if TCPTransport.URL is prefixed with http://
+	// Must be configured if TCPTransport.URL is prefixed with https://
 	// +optional
 	ClientCert string
 }

vendor/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go

@@ -71,40 +71,78 @@ type EgressSelection struct {
 
 // Connection provides the configuration for a single egress selection client.
 type Connection struct {
-	// type is the type of connection used to connect from client to network/konnectivity server.
-	// Currently supported values are "http-connect" and "direct".
-	Type string `json:"type"`
+	// Protocol is the protocol used to connect from client to the konnectivity server.
+	ProxyProtocol ProtocolType `json:"proxyProtocol,omitempty"`
 
-	// httpConnect is the config needed to use http-connect to the konnectivity server.
-	// Absence when the type is "http-connect" will cause an error
-	// Presence when the type is "direct" will also cause an error
+	// Transport defines the transport configurations we use to dial to the konnectivity server.
+	// This is required if ProxyProtocol is HTTPConnect or GRPC.
 	// +optional
-	HTTPConnect *HTTPConnectConfig `json:"httpConnect,omitempty"`
+	Transport *Transport `json:"transport,omitempty"`
 }
 
-type HTTPConnectConfig struct {
-	// url is the location of the proxy server to connect to.
-	// As an example it might be "https://127.0.0.1:8131"
-	URL string `json:"url"`
+// ProtocolType is a set of valid values for Connection.ProtocolType
+type ProtocolType string
 
+// Valid types for ProtocolType for konnectivity server
+const (
+	// Use HTTPConnect to connect to konnectivity server
+	ProtocolHTTPConnect ProtocolType = "HTTPConnect"
+	// Use grpc to connect to konnectivity server
+	ProtocolGRPC ProtocolType = "GRPC"
+	// Connect directly (skip konnectivity server)
+	ProtocolDirect ProtocolType = "Direct"
+)
+
+// Transport defines the transport configurations we use to dial to the konnectivity server
+type Transport struct {
+	// TCP is the TCP configuration for communicating with the konnectivity server via TCP
+	// ProxyProtocol of GRPC is not supported with TCP transport at the moment
+	// Requires at least one of TCP or UDS to be set
+	// +optional
+	TCP *TCPTransport `json:"tcp,omitempty"`
+
+	// UDS is the UDS configuration for communicating with the konnectivity server via UDS
+	// Requires at least one of TCP or UDS to be set
+	// +optional
+	UDS *UDSTransport `json:"uds,omitempty"`
+}
+
+// TCPTransport provides the information to connect to konnectivity server via TCP
+type TCPTransport struct {
+	// URL is the location of the konnectivity server to connect to.
+	// As an example it might be "https://127.0.0.1:8131"
+	URL string `json:"url,omitempty"`
+
+	// TLSConfig is the config needed to use TLS when connecting to konnectivity server
+	// +optional
+	TLSConfig *TLSConfig `json:"tlsConfig,omitempty"`
+}
+
+// UDSTransport provides the information to connect to konnectivity server via UDS
+type UDSTransport struct {
+	// UDSName is the name of the unix domain socket to connect to konnectivity server
+	// This does not use a unix:// prefix. (Eg: /etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket)
+	UDSName string `json:"udsName,omitempty"`
+}
+
+// TLSConfig provides the authentication information to connect to konnectivity server
+// Only used with TCPTransport
+type TLSConfig struct {
 	// caBundle is the file location of the CA to be used to determine trust with the konnectivity server.
-	// Must be absent/empty http-connect using the plain http
-	// Must be configured for http-connect using the https protocol
-	// Misconfiguration will cause an error
+	// Must be absent/empty if TCPTransport.URL is prefixed with http://
+	// If absent while TCPTransport.URL is prefixed with https://, default to system trust roots.
 	// +optional
 	CABundle string `json:"caBundle,omitempty"`
 
 	// clientKey is the file location of the client key to be used in mtls handshakes with the konnectivity server.
-	// Must be absent/empty http-connect using the plain http
-	// Must be configured for http-connect using the https protocol
-	// Misconfiguration will cause an error
+	// Must be absent/empty if TCPTransport.URL is prefixed with http://
+	// Must be configured if TCPTransport.URL is prefixed with https://
 	// +optional
 	ClientKey string `json:"clientKey,omitempty"`
 
 	// clientCert is the file location of the client certificate to be used in mtls handshakes with the konnectivity server.
-	// Must be absent/empty http-connect using the plain http
-	// Must be configured for http-connect using the https protocol
-	// Misconfiguration will cause an error
+	// Must be absent/empty if TCPTransport.URL is prefixed with http://
+	// Must be configured if TCPTransport.URL is prefixed with https://
 	// +optional
 	ClientCert string `json:"clientCert,omitempty"`
 }

vendor/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.conversion.go

@@ -85,13 +85,43 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*HTTPConnectConfig)(nil), (*apiserver.HTTPConnectConfig)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1alpha1_HTTPConnectConfig_To_apiserver_HTTPConnectConfig(a.(*HTTPConnectConfig), b.(*apiserver.HTTPConnectConfig), scope)
+	if err := s.AddGeneratedConversionFunc((*TCPTransport)(nil), (*apiserver.TCPTransport)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_TCPTransport_To_apiserver_TCPTransport(a.(*TCPTransport), b.(*apiserver.TCPTransport), scope)
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*apiserver.HTTPConnectConfig)(nil), (*HTTPConnectConfig)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_apiserver_HTTPConnectConfig_To_v1alpha1_HTTPConnectConfig(a.(*apiserver.HTTPConnectConfig), b.(*HTTPConnectConfig), scope)
+	if err := s.AddGeneratedConversionFunc((*apiserver.TCPTransport)(nil), (*TCPTransport)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_apiserver_TCPTransport_To_v1alpha1_TCPTransport(a.(*apiserver.TCPTransport), b.(*TCPTransport), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*TLSConfig)(nil), (*apiserver.TLSConfig)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_TLSConfig_To_apiserver_TLSConfig(a.(*TLSConfig), b.(*apiserver.TLSConfig), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*apiserver.TLSConfig)(nil), (*TLSConfig)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_apiserver_TLSConfig_To_v1alpha1_TLSConfig(a.(*apiserver.TLSConfig), b.(*TLSConfig), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*Transport)(nil), (*apiserver.Transport)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_Transport_To_apiserver_Transport(a.(*Transport), b.(*apiserver.Transport), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*apiserver.Transport)(nil), (*Transport)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_apiserver_Transport_To_v1alpha1_Transport(a.(*apiserver.Transport), b.(*Transport), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*UDSTransport)(nil), (*apiserver.UDSTransport)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_UDSTransport_To_apiserver_UDSTransport(a.(*UDSTransport), b.(*apiserver.UDSTransport), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*apiserver.UDSTransport)(nil), (*UDSTransport)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_apiserver_UDSTransport_To_v1alpha1_UDSTransport(a.(*apiserver.UDSTransport), b.(*UDSTransport), scope)
 	}); err != nil {
 		return err
 	}
@@ -143,8 +173,8 @@ func Convert_apiserver_AdmissionPluginConfiguration_To_v1alpha1_AdmissionPluginC
 }
 
 func autoConvert_v1alpha1_Connection_To_apiserver_Connection(in *Connection, out *apiserver.Connection, s conversion.Scope) error {
-	out.Type = in.Type
-	out.HTTPConnect = (*apiserver.HTTPConnectConfig)(unsafe.Pointer(in.HTTPConnect))
+	out.ProxyProtocol = apiserver.ProtocolType(in.ProxyProtocol)
+	out.Transport = (*apiserver.Transport)(unsafe.Pointer(in.Transport))
 	return nil
 }
 
@@ -154,8 +184,8 @@ func Convert_v1alpha1_Connection_To_apiserver_Connection(in *Connection, out *ap
 }
 
 func autoConvert_apiserver_Connection_To_v1alpha1_Connection(in *apiserver.Connection, out *Connection, s conversion.Scope) error {
-	out.Type = in.Type
-	out.HTTPConnect = (*HTTPConnectConfig)(unsafe.Pointer(in.HTTPConnect))
+	out.ProxyProtocol = ProtocolType(in.ProxyProtocol)
+	out.Transport = (*Transport)(unsafe.Pointer(in.Transport))
 	return nil
 }
 
@@ -210,28 +240,90 @@ func Convert_apiserver_EgressSelectorConfiguration_To_v1alpha1_EgressSelectorCon
 	return autoConvert_apiserver_EgressSelectorConfiguration_To_v1alpha1_EgressSelectorConfiguration(in, out, s)
 }
 
-func autoConvert_v1alpha1_HTTPConnectConfig_To_apiserver_HTTPConnectConfig(in *HTTPConnectConfig, out *apiserver.HTTPConnectConfig, s conversion.Scope) error {
+func autoConvert_v1alpha1_TCPTransport_To_apiserver_TCPTransport(in *TCPTransport, out *apiserver.TCPTransport, s conversion.Scope) error {
 	out.URL = in.URL
+	out.TLSConfig = (*apiserver.TLSConfig)(unsafe.Pointer(in.TLSConfig))
+	return nil
+}
+
+// Convert_v1alpha1_TCPTransport_To_apiserver_TCPTransport is an autogenerated conversion function.
+func Convert_v1alpha1_TCPTransport_To_apiserver_TCPTransport(in *TCPTransport, out *apiserver.TCPTransport, s conversion.Scope) error {
+	return autoConvert_v1alpha1_TCPTransport_To_apiserver_TCPTransport(in, out, s)
+}
+
+func autoConvert_apiserver_TCPTransport_To_v1alpha1_TCPTransport(in *apiserver.TCPTransport, out *TCPTransport, s conversion.Scope) error {
+	out.URL = in.URL
+	out.TLSConfig = (*TLSConfig)(unsafe.Pointer(in.TLSConfig))
+	return nil
+}
+
+// Convert_apiserver_TCPTransport_To_v1alpha1_TCPTransport is an autogenerated conversion function.
+func Convert_apiserver_TCPTransport_To_v1alpha1_TCPTransport(in *apiserver.TCPTransport, out *TCPTransport, s conversion.Scope) error {
+	return autoConvert_apiserver_TCPTransport_To_v1alpha1_TCPTransport(in, out, s)
+}
+
+func autoConvert_v1alpha1_TLSConfig_To_apiserver_TLSConfig(in *TLSConfig, out *apiserver.TLSConfig, s conversion.Scope) error {
 	out.CABundle = in.CABundle
 	out.ClientKey = in.ClientKey
 	out.ClientCert = in.ClientCert
 	return nil
 }
 
-// Convert_v1alpha1_HTTPConnectConfig_To_apiserver_HTTPConnectConfig is an autogenerated conversion function.
-func Convert_v1alpha1_HTTPConnectConfig_To_apiserver_HTTPConnectConfig(in *HTTPConnectConfig, out *apiserver.HTTPConnectConfig, s conversion.Scope) error {
-	return autoConvert_v1alpha1_HTTPConnectConfig_To_apiserver_HTTPConnectConfig(in, out, s)
+// Convert_v1alpha1_TLSConfig_To_apiserver_TLSConfig is an autogenerated conversion function.
+func Convert_v1alpha1_TLSConfig_To_apiserver_TLSConfig(in *TLSConfig, out *apiserver.TLSConfig, s conversion.Scope) error {
+	return autoConvert_v1alpha1_TLSConfig_To_apiserver_TLSConfig(in, out, s)
 }
 
-func autoConvert_apiserver_HTTPConnectConfig_To_v1alpha1_HTTPConnectConfig(in *apiserver.HTTPConnectConfig, out *HTTPConnectConfig, s conversion.Scope) error {
-	out.URL = in.URL
+func autoConvert_apiserver_TLSConfig_To_v1alpha1_TLSConfig(in *apiserver.TLSConfig, out *TLSConfig, s conversion.Scope) error {
 	out.CABundle = in.CABundle
 	out.ClientKey = in.ClientKey
 	out.ClientCert = in.ClientCert
 	return nil
 }
 
-// Convert_apiserver_HTTPConnectConfig_To_v1alpha1_HTTPConnectConfig is an autogenerated conversion function.
-func Convert_apiserver_HTTPConnectConfig_To_v1alpha1_HTTPConnectConfig(in *apiserver.HTTPConnectConfig, out *HTTPConnectConfig, s conversion.Scope) error {
-	return autoConvert_apiserver_HTTPConnectConfig_To_v1alpha1_HTTPConnectConfig(in, out, s)
+// Convert_apiserver_TLSConfig_To_v1alpha1_TLSConfig is an autogenerated conversion function.
+func Convert_apiserver_TLSConfig_To_v1alpha1_TLSConfig(in *apiserver.TLSConfig, out *TLSConfig, s conversion.Scope) error {
+	return autoConvert_apiserver_TLSConfig_To_v1alpha1_TLSConfig(in, out, s)
+}
+
+func autoConvert_v1alpha1_Transport_To_apiserver_Transport(in *Transport, out *apiserver.Transport, s conversion.Scope) error {
+	out.TCP = (*apiserver.TCPTransport)(unsafe.Pointer(in.TCP))
+	out.UDS = (*apiserver.UDSTransport)(unsafe.Pointer(in.UDS))
+	return nil
+}
+
+// Convert_v1alpha1_Transport_To_apiserver_Transport is an autogenerated conversion function.
+func Convert_v1alpha1_Transport_To_apiserver_Transport(in *Transport, out *apiserver.Transport, s conversion.Scope) error {
+	return autoConvert_v1alpha1_Transport_To_apiserver_Transport(in, out, s)
+}
+
+func autoConvert_apiserver_Transport_To_v1alpha1_Transport(in *apiserver.Transport, out *Transport, s conversion.Scope) error {
+	out.TCP = (*TCPTransport)(unsafe.Pointer(in.TCP))
+	out.UDS = (*UDSTransport)(unsafe.Pointer(in.UDS))
+	return nil
+}
+
+// Convert_apiserver_Transport_To_v1alpha1_Transport is an autogenerated conversion function.
+func Convert_apiserver_Transport_To_v1alpha1_Transport(in *apiserver.Transport, out *Transport, s conversion.Scope) error {
+	return autoConvert_apiserver_Transport_To_v1alpha1_Transport(in, out, s)
+}
+
+func autoConvert_v1alpha1_UDSTransport_To_apiserver_UDSTransport(in *UDSTransport, out *apiserver.UDSTransport, s conversion.Scope) error {
+	out.UDSName = in.UDSName
+	return nil
+}
+
+// Convert_v1alpha1_UDSTransport_To_apiserver_UDSTransport is an autogenerated conversion function.
+func Convert_v1alpha1_UDSTransport_To_apiserver_UDSTransport(in *UDSTransport, out *apiserver.UDSTransport, s conversion.Scope) error {
+	return autoConvert_v1alpha1_UDSTransport_To_apiserver_UDSTransport(in, out, s)
+}
+
+func autoConvert_apiserver_UDSTransport_To_v1alpha1_UDSTransport(in *apiserver.UDSTransport, out *UDSTransport, s conversion.Scope) error {
+	out.UDSName = in.UDSName
+	return nil
+}
+
+// Convert_apiserver_UDSTransport_To_v1alpha1_UDSTransport is an autogenerated conversion function.
+func Convert_apiserver_UDSTransport_To_v1alpha1_UDSTransport(in *apiserver.UDSTransport, out *UDSTransport, s conversion.Scope) error {
+	return autoConvert_apiserver_UDSTransport_To_v1alpha1_UDSTransport(in, out, s)
 }

vendor/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.deepcopy.go

@@ -80,10 +80,10 @@ func (in *AdmissionPluginConfiguration) DeepCopy() *AdmissionPluginConfiguration
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Connection) DeepCopyInto(out *Connection) {
 	*out = *in
-	if in.HTTPConnect != nil {
-		in, out := &in.HTTPConnect, &out.HTTPConnect
-		*out = new(HTTPConnectConfig)
-		**out = **in
+	if in.Transport != nil {
+		in, out := &in.Transport, &out.Transport
+		*out = new(Transport)
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@@ -148,17 +148,80 @@ func (in *EgressSelectorConfiguration) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *HTTPConnectConfig) DeepCopyInto(out *HTTPConnectConfig) {
+func (in *TCPTransport) DeepCopyInto(out *TCPTransport) {
+	*out = *in
+	if in.TLSConfig != nil {
+		in, out := &in.TLSConfig, &out.TLSConfig
+		*out = new(TLSConfig)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPTransport.
+func (in *TCPTransport) DeepCopy() *TCPTransport {
+	if in == nil {
+		return nil
+	}
+	out := new(TCPTransport)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TLSConfig) DeepCopyInto(out *TLSConfig) {
 	*out = *in
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPConnectConfig.
-func (in *HTTPConnectConfig) DeepCopy() *HTTPConnectConfig {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSConfig.
+func (in *TLSConfig) DeepCopy() *TLSConfig {
 	if in == nil {
 		return nil
 	}
-	out := new(HTTPConnectConfig)
+	out := new(TLSConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Transport) DeepCopyInto(out *Transport) {
+	*out = *in
+	if in.TCP != nil {
+		in, out := &in.TCP, &out.TCP
+		*out = new(TCPTransport)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.UDS != nil {
+		in, out := &in.UDS, &out.UDS
+		*out = new(UDSTransport)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Transport.
+func (in *Transport) DeepCopy() *Transport {
+	if in == nil {
+		return nil
+	}
+	out := new(Transport)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UDSTransport) DeepCopyInto(out *UDSTransport) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UDSTransport.
+func (in *UDSTransport) DeepCopy() *UDSTransport {
+	if in == nil {
+		return nil
+	}
+	out := new(UDSTransport)
 	in.DeepCopyInto(out)
 	return out
 }

vendor/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/doc.go

@@ -0,0 +1,23 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=k8s.io/apiserver/pkg/apis/apiserver
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=apiserver.k8s.io
+
+// Package v1beta1 is the v1beta1 version of the API.
+package v1beta1 // import "k8s.io/apiserver/pkg/apis/apiserver/v1beta1"

vendor/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/register.go

@@ -0,0 +1,52 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "apiserver.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes)
+}
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&EgressSelectorConfiguration{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}

vendor/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/types.go

@@ -0,0 +1,119 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// EgressSelectorConfiguration provides versioned configuration for egress selector clients.
+type EgressSelectorConfiguration struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// connectionServices contains a list of egress selection client configurations
+	EgressSelections []EgressSelection `json:"egressSelections"`
+}
+
+// EgressSelection provides the configuration for a single egress selection client.
+type EgressSelection struct {
+	// name is the name of the egress selection.
+	// Currently supported values are "Master", "Etcd" and "Cluster"
+	Name string `json:"name"`
+
+	// connection is the exact information used to configure the egress selection
+	Connection Connection `json:"connection"`
+}
+
+// Connection provides the configuration for a single egress selection client.
+type Connection struct {
+	// Protocol is the protocol used to connect from client to the konnectivity server.
+	ProxyProtocol ProtocolType `json:"proxyProtocol,omitempty"`
+
+	// Transport defines the transport configurations we use to dial to the konnectivity server.
+	// This is required if ProxyProtocol is HTTPConnect or GRPC.
+	// +optional
+	Transport *Transport `json:"transport,omitempty"`
+}
+
+// ProtocolType is a set of valid values for Connection.ProtocolType
+type ProtocolType string
+
+// Valid types for ProtocolType for konnectivity server
+const (
+	// Use HTTPConnect to connect to konnectivity server
+	ProtocolHTTPConnect ProtocolType = "HTTPConnect"
+	// Use grpc to connect to konnectivity server
+	ProtocolGRPC ProtocolType = "GRPC"
+	// Connect directly (skip konnectivity server)
+	ProtocolDirect ProtocolType = "Direct"
+)
+
+// Transport defines the transport configurations we use to dial to the konnectivity server
+type Transport struct {
+	// TCP is the TCP configuration for communicating with the konnectivity server via TCP
+	// ProxyProtocol of GRPC is not supported with TCP transport at the moment
+	// Requires at least one of TCP or UDS to be set
+	// +optional
+	TCP *TCPTransport `json:"tcp,omitempty"`
+
+	// UDS is the UDS configuration for communicating with the konnectivity server via UDS
+	// Requires at least one of TCP or UDS to be set
+	// +optional
+	UDS *UDSTransport `json:"uds,omitempty"`
+}
+
+// TCPTransport provides the information to connect to konnectivity server via TCP
+type TCPTransport struct {
+	// URL is the location of the konnectivity server to connect to.
+	// As an example it might be "https://127.0.0.1:8131"
+	URL string `json:"url,omitempty"`
+
+	// TLSConfig is the config needed to use TLS when connecting to konnectivity server
+	// +optional
+	TLSConfig *TLSConfig `json:"tlsConfig,omitempty"`
+}
+
+// UDSTransport provides the information to connect to konnectivity server via UDS
+type UDSTransport struct {
+	// UDSName is the name of the unix domain socket to connect to konnectivity server
+	// This does not use a unix:// prefix. (Eg: /etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket)
+	UDSName string `json:"udsName,omitempty"`
+}
+
+// TLSConfig provides the authentication information to connect to konnectivity server
+// Only used with TCPTransport
+type TLSConfig struct {
+	// caBundle is the file location of the CA to be used to determine trust with the konnectivity server.
+	// Must be absent/empty if TCPTransport.URL is prefixed with http://
+	// If absent while TCPTransport.URL is prefixed with https://, default to system trust roots.
+	// +optional
+	CABundle string `json:"caBundle,omitempty"`
+
+	// clientKey is the file location of the client key to be used in mtls handshakes with the konnectivity server.
+	// Must be absent/empty if TCPTransport.URL is prefixed with http://
+	// Must be configured if TCPTransport.URL is prefixed with https://
+	// +optional
+	ClientKey string `json:"clientKey,omitempty"`
+
+	// clientCert is the file location of the client certificate to be used in mtls handshakes with the konnectivity server.
+	// Must be absent/empty if TCPTransport.URL is prefixed with http://
+	// Must be configured if TCPTransport.URL is prefixed with https://
+	// +optional
+	ClientCert string `json:"clientCert,omitempty"`
+}

vendor/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/zz_generated.conversion.go

@@ -0,0 +1,265 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by conversion-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	unsafe "unsafe"
+
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	apiserver "k8s.io/apiserver/pkg/apis/apiserver"
+)
+
+func init() {
+	localSchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(s *runtime.Scheme) error {
+	if err := s.AddGeneratedConversionFunc((*Connection)(nil), (*apiserver.Connection)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_Connection_To_apiserver_Connection(a.(*Connection), b.(*apiserver.Connection), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*apiserver.Connection)(nil), (*Connection)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_apiserver_Connection_To_v1beta1_Connection(a.(*apiserver.Connection), b.(*Connection), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*EgressSelection)(nil), (*apiserver.EgressSelection)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_EgressSelection_To_apiserver_EgressSelection(a.(*EgressSelection), b.(*apiserver.EgressSelection), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*apiserver.EgressSelection)(nil), (*EgressSelection)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_apiserver_EgressSelection_To_v1beta1_EgressSelection(a.(*apiserver.EgressSelection), b.(*EgressSelection), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*EgressSelectorConfiguration)(nil), (*apiserver.EgressSelectorConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_EgressSelectorConfiguration_To_apiserver_EgressSelectorConfiguration(a.(*EgressSelectorConfiguration), b.(*apiserver.EgressSelectorConfiguration), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*apiserver.EgressSelectorConfiguration)(nil), (*EgressSelectorConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_apiserver_EgressSelectorConfiguration_To_v1beta1_EgressSelectorConfiguration(a.(*apiserver.EgressSelectorConfiguration), b.(*EgressSelectorConfiguration), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*TCPTransport)(nil), (*apiserver.TCPTransport)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_TCPTransport_To_apiserver_TCPTransport(a.(*TCPTransport), b.(*apiserver.TCPTransport), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*apiserver.TCPTransport)(nil), (*TCPTransport)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_apiserver_TCPTransport_To_v1beta1_TCPTransport(a.(*apiserver.TCPTransport), b.(*TCPTransport), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*TLSConfig)(nil), (*apiserver.TLSConfig)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_TLSConfig_To_apiserver_TLSConfig(a.(*TLSConfig), b.(*apiserver.TLSConfig), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*apiserver.TLSConfig)(nil), (*TLSConfig)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_apiserver_TLSConfig_To_v1beta1_TLSConfig(a.(*apiserver.TLSConfig), b.(*TLSConfig), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*Transport)(nil), (*apiserver.Transport)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_Transport_To_apiserver_Transport(a.(*Transport), b.(*apiserver.Transport), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*apiserver.Transport)(nil), (*Transport)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_apiserver_Transport_To_v1beta1_Transport(a.(*apiserver.Transport), b.(*Transport), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*UDSTransport)(nil), (*apiserver.UDSTransport)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_UDSTransport_To_apiserver_UDSTransport(a.(*UDSTransport), b.(*apiserver.UDSTransport), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*apiserver.UDSTransport)(nil), (*UDSTransport)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_apiserver_UDSTransport_To_v1beta1_UDSTransport(a.(*apiserver.UDSTransport), b.(*UDSTransport), scope)
+	}); err != nil {
+		return err
+	}
+	return nil
+}
+
+func autoConvert_v1beta1_Connection_To_apiserver_Connection(in *Connection, out *apiserver.Connection, s conversion.Scope) error {
+	out.ProxyProtocol = apiserver.ProtocolType(in.ProxyProtocol)
+	out.Transport = (*apiserver.Transport)(unsafe.Pointer(in.Transport))
+	return nil
+}
+
+// Convert_v1beta1_Connection_To_apiserver_Connection is an autogenerated conversion function.
+func Convert_v1beta1_Connection_To_apiserver_Connection(in *Connection, out *apiserver.Connection, s conversion.Scope) error {
+	return autoConvert_v1beta1_Connection_To_apiserver_Connection(in, out, s)
+}
+
+func autoConvert_apiserver_Connection_To_v1beta1_Connection(in *apiserver.Connection, out *Connection, s conversion.Scope) error {
+	out.ProxyProtocol = ProtocolType(in.ProxyProtocol)
+	out.Transport = (*Transport)(unsafe.Pointer(in.Transport))
+	return nil
+}
+
+// Convert_apiserver_Connection_To_v1beta1_Connection is an autogenerated conversion function.
+func Convert_apiserver_Connection_To_v1beta1_Connection(in *apiserver.Connection, out *Connection, s conversion.Scope) error {
+	return autoConvert_apiserver_Connection_To_v1beta1_Connection(in, out, s)
+}
+
+func autoConvert_v1beta1_EgressSelection_To_apiserver_EgressSelection(in *EgressSelection, out *apiserver.EgressSelection, s conversion.Scope) error {
+	out.Name = in.Name
+	if err := Convert_v1beta1_Connection_To_apiserver_Connection(&in.Connection, &out.Connection, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_v1beta1_EgressSelection_To_apiserver_EgressSelection is an autogenerated conversion function.
+func Convert_v1beta1_EgressSelection_To_apiserver_EgressSelection(in *EgressSelection, out *apiserver.EgressSelection, s conversion.Scope) error {
+	return autoConvert_v1beta1_EgressSelection_To_apiserver_EgressSelection(in, out, s)
+}
+
+func autoConvert_apiserver_EgressSelection_To_v1beta1_EgressSelection(in *apiserver.EgressSelection, out *EgressSelection, s conversion.Scope) error {
+	out.Name = in.Name
+	if err := Convert_apiserver_Connection_To_v1beta1_Connection(&in.Connection, &out.Connection, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_apiserver_EgressSelection_To_v1beta1_EgressSelection is an autogenerated conversion function.
+func Convert_apiserver_EgressSelection_To_v1beta1_EgressSelection(in *apiserver.EgressSelection, out *EgressSelection, s conversion.Scope) error {
+	return autoConvert_apiserver_EgressSelection_To_v1beta1_EgressSelection(in, out, s)
+}
+
+func autoConvert_v1beta1_EgressSelectorConfiguration_To_apiserver_EgressSelectorConfiguration(in *EgressSelectorConfiguration, out *apiserver.EgressSelectorConfiguration, s conversion.Scope) error {
+	out.EgressSelections = *(*[]apiserver.EgressSelection)(unsafe.Pointer(&in.EgressSelections))
+	return nil
+}
+
+// Convert_v1beta1_EgressSelectorConfiguration_To_apiserver_EgressSelectorConfiguration is an autogenerated conversion function.
+func Convert_v1beta1_EgressSelectorConfiguration_To_apiserver_EgressSelectorConfiguration(in *EgressSelectorConfiguration, out *apiserver.EgressSelectorConfiguration, s conversion.Scope) error {
+	return autoConvert_v1beta1_EgressSelectorConfiguration_To_apiserver_EgressSelectorConfiguration(in, out, s)
+}
+
+func autoConvert_apiserver_EgressSelectorConfiguration_To_v1beta1_EgressSelectorConfiguration(in *apiserver.EgressSelectorConfiguration, out *EgressSelectorConfiguration, s conversion.Scope) error {
+	out.EgressSelections = *(*[]EgressSelection)(unsafe.Pointer(&in.EgressSelections))
+	return nil
+}
+
+// Convert_apiserver_EgressSelectorConfiguration_To_v1beta1_EgressSelectorConfiguration is an autogenerated conversion function.
+func Convert_apiserver_EgressSelectorConfiguration_To_v1beta1_EgressSelectorConfiguration(in *apiserver.EgressSelectorConfiguration, out *EgressSelectorConfiguration, s conversion.Scope) error {
+	return autoConvert_apiserver_EgressSelectorConfiguration_To_v1beta1_EgressSelectorConfiguration(in, out, s)
+}
+
+func autoConvert_v1beta1_TCPTransport_To_apiserver_TCPTransport(in *TCPTransport, out *apiserver.TCPTransport, s conversion.Scope) error {
+	out.URL = in.URL
+	out.TLSConfig = (*apiserver.TLSConfig)(unsafe.Pointer(in.TLSConfig))
+	return nil
+}
+
+// Convert_v1beta1_TCPTransport_To_apiserver_TCPTransport is an autogenerated conversion function.
+func Convert_v1beta1_TCPTransport_To_apiserver_TCPTransport(in *TCPTransport, out *apiserver.TCPTransport, s conversion.Scope) error {
+	return autoConvert_v1beta1_TCPTransport_To_apiserver_TCPTransport(in, out, s)
+}
+
+func autoConvert_apiserver_TCPTransport_To_v1beta1_TCPTransport(in *apiserver.TCPTransport, out *TCPTransport, s conversion.Scope) error {
+	out.URL = in.URL
+	out.TLSConfig = (*TLSConfig)(unsafe.Pointer(in.TLSConfig))
+	return nil
+}
+
+// Convert_apiserver_TCPTransport_To_v1beta1_TCPTransport is an autogenerated conversion function.
+func Convert_apiserver_TCPTransport_To_v1beta1_TCPTransport(in *apiserver.TCPTransport, out *TCPTransport, s conversion.Scope) error {
+	return autoConvert_apiserver_TCPTransport_To_v1beta1_TCPTransport(in, out, s)
+}
+
+func autoConvert_v1beta1_TLSConfig_To_apiserver_TLSConfig(in *TLSConfig, out *apiserver.TLSConfig, s conversion.Scope) error {
+	out.CABundle = in.CABundle
+	out.ClientKey = in.ClientKey
+	out.ClientCert = in.ClientCert
+	return nil
+}
+
+// Convert_v1beta1_TLSConfig_To_apiserver_TLSConfig is an autogenerated conversion function.
+func Convert_v1beta1_TLSConfig_To_apiserver_TLSConfig(in *TLSConfig, out *apiserver.TLSConfig, s conversion.Scope) error {
+	return autoConvert_v1beta1_TLSConfig_To_apiserver_TLSConfig(in, out, s)
+}
+
+func autoConvert_apiserver_TLSConfig_To_v1beta1_TLSConfig(in *apiserver.TLSConfig, out *TLSConfig, s conversion.Scope) error {
+	out.CABundle = in.CABundle
+	out.ClientKey = in.ClientKey
+	out.ClientCert = in.ClientCert
+	return nil
+}
+
+// Convert_apiserver_TLSConfig_To_v1beta1_TLSConfig is an autogenerated conversion function.
+func Convert_apiserver_TLSConfig_To_v1beta1_TLSConfig(in *apiserver.TLSConfig, out *TLSConfig, s conversion.Scope) error {
+	return autoConvert_apiserver_TLSConfig_To_v1beta1_TLSConfig(in, out, s)
+}
+
+func autoConvert_v1beta1_Transport_To_apiserver_Transport(in *Transport, out *apiserver.Transport, s conversion.Scope) error {
+	out.TCP = (*apiserver.TCPTransport)(unsafe.Pointer(in.TCP))
+	out.UDS = (*apiserver.UDSTransport)(unsafe.Pointer(in.UDS))
+	return nil
+}
+
+// Convert_v1beta1_Transport_To_apiserver_Transport is an autogenerated conversion function.
+func Convert_v1beta1_Transport_To_apiserver_Transport(in *Transport, out *apiserver.Transport, s conversion.Scope) error {
+	return autoConvert_v1beta1_Transport_To_apiserver_Transport(in, out, s)
+}
+
+func autoConvert_apiserver_Transport_To_v1beta1_Transport(in *apiserver.Transport, out *Transport, s conversion.Scope) error {
+	out.TCP = (*TCPTransport)(unsafe.Pointer(in.TCP))
+	out.UDS = (*UDSTransport)(unsafe.Pointer(in.UDS))
+	return nil
+}
+
+// Convert_apiserver_Transport_To_v1beta1_Transport is an autogenerated conversion function.
+func Convert_apiserver_Transport_To_v1beta1_Transport(in *apiserver.Transport, out *Transport, s conversion.Scope) error {
+	return autoConvert_apiserver_Transport_To_v1beta1_Transport(in, out, s)
+}
+
+func autoConvert_v1beta1_UDSTransport_To_apiserver_UDSTransport(in *UDSTransport, out *apiserver.UDSTransport, s conversion.Scope) error {
+	out.UDSName = in.UDSName
+	return nil
+}
+
+// Convert_v1beta1_UDSTransport_To_apiserver_UDSTransport is an autogenerated conversion function.
+func Convert_v1beta1_UDSTransport_To_apiserver_UDSTransport(in *UDSTransport, out *apiserver.UDSTransport, s conversion.Scope) error {
+	return autoConvert_v1beta1_UDSTransport_To_apiserver_UDSTransport(in, out, s)
+}
+
+func autoConvert_apiserver_UDSTransport_To_v1beta1_UDSTransport(in *apiserver.UDSTransport, out *UDSTransport, s conversion.Scope) error {
+	out.UDSName = in.UDSName
+	return nil
+}
+
+// Convert_apiserver_UDSTransport_To_v1beta1_UDSTransport is an autogenerated conversion function.
+func Convert_apiserver_UDSTransport_To_v1beta1_UDSTransport(in *apiserver.UDSTransport, out *UDSTransport, s conversion.Scope) error {
+	return autoConvert_apiserver_UDSTransport_To_v1beta1_UDSTransport(in, out, s)
+}

vendor/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/zz_generated.deepcopy.go

@@ -0,0 +1,174 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Connection) DeepCopyInto(out *Connection) {
+	*out = *in
+	if in.Transport != nil {
+		in, out := &in.Transport, &out.Transport
+		*out = new(Transport)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Connection.
+func (in *Connection) DeepCopy() *Connection {
+	if in == nil {
+		return nil
+	}
+	out := new(Connection)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EgressSelection) DeepCopyInto(out *EgressSelection) {
+	*out = *in
+	in.Connection.DeepCopyInto(&out.Connection)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EgressSelection.
+func (in *EgressSelection) DeepCopy() *EgressSelection {
+	if in == nil {
+		return nil
+	}
+	out := new(EgressSelection)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EgressSelectorConfiguration) DeepCopyInto(out *EgressSelectorConfiguration) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.EgressSelections != nil {
+		in, out := &in.EgressSelections, &out.EgressSelections
+		*out = make([]EgressSelection, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EgressSelectorConfiguration.
+func (in *EgressSelectorConfiguration) DeepCopy() *EgressSelectorConfiguration {
+	if in == nil {
+		return nil
+	}
+	out := new(EgressSelectorConfiguration)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *EgressSelectorConfiguration) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TCPTransport) DeepCopyInto(out *TCPTransport) {
+	*out = *in
+	if in.TLSConfig != nil {
+		in, out := &in.TLSConfig, &out.TLSConfig
+		*out = new(TLSConfig)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPTransport.
+func (in *TCPTransport) DeepCopy() *TCPTransport {
+	if in == nil {
+		return nil
+	}
+	out := new(TCPTransport)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TLSConfig) DeepCopyInto(out *TLSConfig) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSConfig.
+func (in *TLSConfig) DeepCopy() *TLSConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(TLSConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Transport) DeepCopyInto(out *Transport) {
+	*out = *in
+	if in.TCP != nil {
+		in, out := &in.TCP, &out.TCP
+		*out = new(TCPTransport)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.UDS != nil {
+		in, out := &in.UDS, &out.UDS
+		*out = new(UDSTransport)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Transport.
+func (in *Transport) DeepCopy() *Transport {
+	if in == nil {
+		return nil
+	}
+	out := new(Transport)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UDSTransport) DeepCopyInto(out *UDSTransport) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UDSTransport.
+func (in *UDSTransport) DeepCopy() *UDSTransport {
+	if in == nil {
+		return nil
+	}
+	out := new(UDSTransport)
+	in.DeepCopyInto(out)
+	return out
+}

vendor/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/zz_generated.defaults.go

@@ -0,0 +1,32 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by defaulter-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+	return nil
+}

vendor/k8s.io/apiserver/pkg/apis/apiserver/zz_generated.deepcopy.go

@@ -80,10 +80,10 @@ func (in *AdmissionPluginConfiguration) DeepCopy() *AdmissionPluginConfiguration
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Connection) DeepCopyInto(out *Connection) {
 	*out = *in
-	if in.HTTPConnect != nil {
-		in, out := &in.HTTPConnect, &out.HTTPConnect
-		*out = new(HTTPConnectConfig)
-		**out = **in
+	if in.Transport != nil {
+		in, out := &in.Transport, &out.Transport
+		*out = new(Transport)
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@@ -148,17 +148,80 @@ func (in *EgressSelectorConfiguration) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *HTTPConnectConfig) DeepCopyInto(out *HTTPConnectConfig) {
+func (in *TCPTransport) DeepCopyInto(out *TCPTransport) {
+	*out = *in
+	if in.TLSConfig != nil {
+		in, out := &in.TLSConfig, &out.TLSConfig
+		*out = new(TLSConfig)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPTransport.
+func (in *TCPTransport) DeepCopy() *TCPTransport {
+	if in == nil {
+		return nil
+	}
+	out := new(TCPTransport)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TLSConfig) DeepCopyInto(out *TLSConfig) {
 	*out = *in
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPConnectConfig.
-func (in *HTTPConnectConfig) DeepCopy() *HTTPConnectConfig {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSConfig.
+func (in *TLSConfig) DeepCopy() *TLSConfig {
 	if in == nil {
 		return nil
 	}
-	out := new(HTTPConnectConfig)
+	out := new(TLSConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Transport) DeepCopyInto(out *Transport) {
+	*out = *in
+	if in.TCP != nil {
+		in, out := &in.TCP, &out.TCP
+		*out = new(TCPTransport)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.UDS != nil {
+		in, out := &in.UDS, &out.UDS
+		*out = new(UDSTransport)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Transport.
+func (in *Transport) DeepCopy() *Transport {
+	if in == nil {
+		return nil
+	}
+	out := new(Transport)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UDSTransport) DeepCopyInto(out *UDSTransport) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UDSTransport.
+func (in *UDSTransport) DeepCopy() *UDSTransport {
+	if in == nil {
+		return nil
+	}
+	out := new(UDSTransport)
 	in.DeepCopyInto(out)
 	return out
 }

vendor/k8s.io/apiserver/pkg/apis/audit/v1/generated.pb.go

@@ -47,7 +47,7 @@ var _ = math.Inf
 // is compatible with the proto package it is being compiled against.
 // A compilation error at this line likely means your copy of the
 // proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
 
 func (m *Event) Reset()      { *m = Event{} }
 func (*Event) ProtoMessage() {}
@@ -3101,6 +3101,7 @@ func (m *PolicyRule) Unmarshal(dAtA []byte) error {
 func skipGenerated(dAtA []byte) (n int, err error) {
 	l := len(dAtA)
 	iNdEx := 0
+	depth := 0
 	for iNdEx < l {
 		var wire uint64
 		for shift := uint(0); ; shift += 7 {
@@ -3132,10 +3133,8 @@ func skipGenerated(dAtA []byte) (n int, err error) {
 					break
 				}
 			}
-			return iNdEx, nil
 		case 1:
 			iNdEx += 8
-			return iNdEx, nil
 		case 2:
 			var length int
 			for shift := uint(0); ; shift += 7 {
@@ -3156,55 +3155,30 @@ func skipGenerated(dAtA []byte) (n int, err error) {
 				return 0, ErrInvalidLengthGenerated
 			}
 			iNdEx += length
-			if iNdEx < 0 {
-				return 0, ErrInvalidLengthGenerated
-			}
-			return iNdEx, nil
 		case 3:
-			for {
-				var innerWire uint64
-				var start int = iNdEx
-				for shift := uint(0); ; shift += 7 {
-					if shift >= 64 {
-						return 0, ErrIntOverflowGenerated
-					}
-					if iNdEx >= l {
-						return 0, io.ErrUnexpectedEOF
-					}
-					b := dAtA[iNdEx]
-					iNdEx++
-					innerWire |= (uint64(b) & 0x7F) << shift
-					if b < 0x80 {
-						break
-					}
-				}
-				innerWireType := int(innerWire & 0x7)
-				if innerWireType == 4 {
-					break
-				}
-				next, err := skipGenerated(dAtA[start:])
-				if err != nil {
-					return 0, err
-				}
-				iNdEx = start + next
-				if iNdEx < 0 {
-					return 0, ErrInvalidLengthGenerated
-				}
-			}
-			return iNdEx, nil
+			depth++
 		case 4:
-			return iNdEx, nil
+			if depth == 0 {
+				return 0, ErrUnexpectedEndOfGroupGenerated
+			}
+			depth--
 		case 5:
 			iNdEx += 4
-			return iNdEx, nil
 		default:
 			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
 		}
+		if iNdEx < 0 {
+			return 0, ErrInvalidLengthGenerated
+		}
+		if depth == 0 {
+			return iNdEx, nil
+		}
 	}
-	panic("unreachable")
+	return 0, io.ErrUnexpectedEOF
 }
 
 var (
-	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
-	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+	ErrInvalidLengthGenerated        = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated          = fmt.Errorf("proto: integer overflow")
+	ErrUnexpectedEndOfGroupGenerated = fmt.Errorf("proto: unexpected end of group")
 )

vendor/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.pb.go

@@ -47,7 +47,7 @@ var _ = math.Inf
 // is compatible with the proto package it is being compiled against.
 // A compilation error at this line likely means your copy of the
 // proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
 
 func (m *Event) Reset()      { *m = Event{} }
 func (*Event) ProtoMessage() {}
@@ -3158,6 +3158,7 @@ func (m *PolicyRule) Unmarshal(dAtA []byte) error {
 func skipGenerated(dAtA []byte) (n int, err error) {
 	l := len(dAtA)
 	iNdEx := 0
+	depth := 0
 	for iNdEx < l {
 		var wire uint64
 		for shift := uint(0); ; shift += 7 {
@@ -3189,10 +3190,8 @@ func skipGenerated(dAtA []byte) (n int, err error) {
 					break
 				}
 			}
-			return iNdEx, nil
 		case 1:
 			iNdEx += 8
-			return iNdEx, nil
 		case 2:
 			var length int
 			for shift := uint(0); ; shift += 7 {
@@ -3213,55 +3212,30 @@ func skipGenerated(dAtA []byte) (n int, err error) {
 				return 0, ErrInvalidLengthGenerated
 			}
 			iNdEx += length
-			if iNdEx < 0 {
-				return 0, ErrInvalidLengthGenerated
-			}
-			return iNdEx, nil
 		case 3:
-			for {
-				var innerWire uint64
-				var start int = iNdEx
-				for shift := uint(0); ; shift += 7 {
-					if shift >= 64 {
-						return 0, ErrIntOverflowGenerated
-					}
-					if iNdEx >= l {
-						return 0, io.ErrUnexpectedEOF
-					}
-					b := dAtA[iNdEx]
-					iNdEx++
-					innerWire |= (uint64(b) & 0x7F) << shift
-					if b < 0x80 {
-						break
-					}
-				}
-				innerWireType := int(innerWire & 0x7)
-				if innerWireType == 4 {
-					break
-				}
-				next, err := skipGenerated(dAtA[start:])
-				if err != nil {
-					return 0, err
-				}
-				iNdEx = start + next
-				if iNdEx < 0 {
-					return 0, ErrInvalidLengthGenerated
-				}
-			}
-			return iNdEx, nil
+			depth++
 		case 4:
-			return iNdEx, nil
+			if depth == 0 {
+				return 0, ErrUnexpectedEndOfGroupGenerated
+			}
+			depth--
 		case 5:
 			iNdEx += 4
-			return iNdEx, nil
 		default:
 			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
 		}
+		if iNdEx < 0 {
+			return 0, ErrInvalidLengthGenerated
+		}
+		if depth == 0 {
+			return iNdEx, nil
+		}
 	}
-	panic("unreachable")
+	return 0, io.ErrUnexpectedEOF
 }
 
 var (
-	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
-	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+	ErrInvalidLengthGenerated        = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated          = fmt.Errorf("proto: integer overflow")
+	ErrUnexpectedEndOfGroupGenerated = fmt.Errorf("proto: unexpected end of group")
 )

vendor/k8s.io/apiserver/pkg/apis/audit/v1beta1/generated.pb.go

@@ -47,7 +47,7 @@ var _ = math.Inf
 // is compatible with the proto package it is being compiled against.
 // A compilation error at this line likely means your copy of the
 // proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
 
 func (m *Event) Reset()      { *m = Event{} }
 func (*Event) ProtoMessage() {}
@@ -3199,6 +3199,7 @@ func (m *PolicyRule) Unmarshal(dAtA []byte) error {
 func skipGenerated(dAtA []byte) (n int, err error) {
 	l := len(dAtA)
 	iNdEx := 0
+	depth := 0
 	for iNdEx < l {
 		var wire uint64
 		for shift := uint(0); ; shift += 7 {
@@ -3230,10 +3231,8 @@ func skipGenerated(dAtA []byte) (n int, err error) {
 					break
 				}
 			}
-			return iNdEx, nil
 		case 1:
 			iNdEx += 8
-			return iNdEx, nil
 		case 2:
 			var length int
 			for shift := uint(0); ; shift += 7 {
@@ -3254,55 +3253,30 @@ func skipGenerated(dAtA []byte) (n int, err error) {
 				return 0, ErrInvalidLengthGenerated
 			}
 			iNdEx += length
-			if iNdEx < 0 {
-				return 0, ErrInvalidLengthGenerated
-			}
-			return iNdEx, nil
 		case 3:
-			for {
-				var innerWire uint64
-				var start int = iNdEx
-				for shift := uint(0); ; shift += 7 {
-					if shift >= 64 {
-						return 0, ErrIntOverflowGenerated
-					}
-					if iNdEx >= l {
-						return 0, io.ErrUnexpectedEOF
-					}
-					b := dAtA[iNdEx]
-					iNdEx++
-					innerWire |= (uint64(b) & 0x7F) << shift
-					if b < 0x80 {
-						break
-					}
-				}
-				innerWireType := int(innerWire & 0x7)
-				if innerWireType == 4 {
-					break
-				}
-				next, err := skipGenerated(dAtA[start:])
-				if err != nil {
-					return 0, err
-				}
-				iNdEx = start + next
-				if iNdEx < 0 {
-					return 0, ErrInvalidLengthGenerated
-				}
-			}
-			return iNdEx, nil
+			depth++
 		case 4:
-			return iNdEx, nil
+			if depth == 0 {
+				return 0, ErrUnexpectedEndOfGroupGenerated
+			}
+			depth--
 		case 5:
 			iNdEx += 4
-			return iNdEx, nil
 		default:
 			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
 		}
+		if iNdEx < 0 {
+			return 0, ErrInvalidLengthGenerated
+		}
+		if depth == 0 {
+			return iNdEx, nil
+		}
 	}
-	panic("unreachable")
+	return 0, io.ErrUnexpectedEOF
 }
 
 var (
-	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
-	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+	ErrInvalidLengthGenerated        = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated          = fmt.Errorf("proto: integer overflow")
+	ErrUnexpectedEndOfGroupGenerated = fmt.Errorf("proto: unexpected end of group")
 )

vendor/k8s.io/apiserver/pkg/apis/config/types.go

@@ -17,6 +17,8 @@ limitations under the License.
 package config
 
 import (
+	"fmt"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -74,6 +76,11 @@ type Key struct {
 	Secret string
 }
 
+// String implements Stringer interface in a log safe way.
+func (k Key) String() string {
+	return fmt.Sprintf("Name: %s, Secret: [REDACTED]", k.Name)
+}
+
 // IdentityConfiguration is an empty struct to allow identity transformer in provider configuration.
 type IdentityConfiguration struct{}
 
@@ -81,12 +88,13 @@ type IdentityConfiguration struct{}
 type KMSConfiguration struct {
 	// name is the name of the KMS plugin to be used.
 	Name string
-	// cacheSize is the maximum number of secrets which are cached in memory. The default value is 1000.
+	// cachesize is the maximum number of secrets which are cached in memory. The default value is 1000.
+	// Set to a negative value to disable caching.
 	// +optional
-	CacheSize int32
+	CacheSize *int32
 	// endpoint is the gRPC server listening address, for example "unix:///var/run/kms-provider.sock".
 	Endpoint string
-	// Timeout for gRPC calls to kms-plugin (ex. 5s). The default is 3 seconds.
+	// timeout for gRPC calls to kms-plugin (ex. 5s). The default is 3 seconds.
 	// +optional
 	Timeout *metav1.Duration
 }

vendor/k8s.io/apiserver/pkg/apis/config/v1/defaults.go

@@ -0,0 +1,44 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+var (
+	defaultTimeout         = &metav1.Duration{Duration: 3 * time.Second}
+	defaultCacheSize int32 = 1000
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+	return RegisterDefaults(scheme)
+}
+
+// SetDefaults_KMSConfiguration applies defaults to KMSConfiguration.
+func SetDefaults_KMSConfiguration(obj *KMSConfiguration) {
+	if obj.Timeout == nil {
+		obj.Timeout = defaultTimeout
+	}
+
+	if obj.CacheSize == nil {
+		obj.CacheSize = &defaultCacheSize
+	}
+}

vendor/k8s.io/apiserver/pkg/apis/config/v1/register.go

@@ -40,6 +40,7 @@ func init() {
 	// generated functions takes place in the generated files. The separation
 	// makes the code compile even when the generated files are missing.
 	localSchemeBuilder.Register(addKnownTypes)
+	localSchemeBuilder.Register(addDefaultingFuncs)
 }
 
 func addKnownTypes(scheme *runtime.Scheme) error {

vendor/k8s.io/apiserver/pkg/apis/config/v1/types.go

@@ -17,6 +17,8 @@ limitations under the License.
 package v1
 
 import (
+	"fmt"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -74,6 +76,11 @@ type Key struct {
 	Secret string `json:"secret"`
 }
 
+// String implements Stringer interface in a log safe way.
+func (k Key) String() string {
+	return fmt.Sprintf("Name: %s, Secret: [REDACTED]", k.Name)
+}
+
 // IdentityConfiguration is an empty struct to allow identity transformer in provider configuration.
 type IdentityConfiguration struct{}
 
@@ -81,12 +88,13 @@ type IdentityConfiguration struct{}
 type KMSConfiguration struct {
 	// name is the name of the KMS plugin to be used.
 	Name string `json:"name"`
-	// cacheSize is the maximum number of secrets which are cached in memory. The default value is 1000.
+	// cachesize is the maximum number of secrets which are cached in memory. The default value is 1000.
+	// Set to a negative value to disable caching.
 	// +optional
-	CacheSize int32 `json:"cachesize,omitempty"`
+	CacheSize *int32 `json:"cachesize,omitempty"`
 	// endpoint is the gRPC server listening address, for example "unix:///var/run/kms-provider.sock".
 	Endpoint string `json:"endpoint"`
-	// Timeout for gRPC calls to kms-plugin (ex. 5s). The default is 3 seconds.
+	// timeout for gRPC calls to kms-plugin (ex. 5s). The default is 3 seconds.
 	// +optional
 	Timeout *metav1.Duration `json:"timeout,omitempty"`
 }

vendor/k8s.io/apiserver/pkg/apis/config/v1/zz_generated.conversion.go

@@ -179,7 +179,7 @@ func Convert_config_IdentityConfiguration_To_v1_IdentityConfiguration(in *config
 
 func autoConvert_v1_KMSConfiguration_To_config_KMSConfiguration(in *KMSConfiguration, out *config.KMSConfiguration, s conversion.Scope) error {
 	out.Name = in.Name
-	out.CacheSize = in.CacheSize
+	out.CacheSize = (*int32)(unsafe.Pointer(in.CacheSize))
 	out.Endpoint = in.Endpoint
 	out.Timeout = (*metav1.Duration)(unsafe.Pointer(in.Timeout))
 	return nil
@@ -192,7 +192,7 @@ func Convert_v1_KMSConfiguration_To_config_KMSConfiguration(in *KMSConfiguration
 
 func autoConvert_config_KMSConfiguration_To_v1_KMSConfiguration(in *config.KMSConfiguration, out *KMSConfiguration, s conversion.Scope) error {
 	out.Name = in.Name
-	out.CacheSize = in.CacheSize
+	out.CacheSize = (*int32)(unsafe.Pointer(in.CacheSize))
 	out.Endpoint = in.Endpoint
 	out.Timeout = (*metav1.Duration)(unsafe.Pointer(in.Timeout))
 	return nil

vendor/k8s.io/apiserver/pkg/apis/config/v1/zz_generated.deepcopy.go

@@ -97,6 +97,11 @@ func (in *IdentityConfiguration) DeepCopy() *IdentityConfiguration {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KMSConfiguration) DeepCopyInto(out *KMSConfiguration) {
 	*out = *in
+	if in.CacheSize != nil {
+		in, out := &in.CacheSize, &out.CacheSize
+		*out = new(int32)
+		**out = **in
+	}
 	if in.Timeout != nil {
 		in, out := &in.Timeout, &out.Timeout
 		*out = new(metav1.Duration)

vendor/k8s.io/apiserver/pkg/apis/config/v1/zz_generated.defaults.go

@@ -28,5 +28,18 @@ import (
 // Public to allow building arbitrary schemes.
 // All generated defaulters are covering - they call all nested defaulters.
 func RegisterDefaults(scheme *runtime.Scheme) error {
+	scheme.AddTypeDefaultingFunc(&EncryptionConfiguration{}, func(obj interface{}) { SetObjectDefaults_EncryptionConfiguration(obj.(*EncryptionConfiguration)) })
 	return nil
 }
+
+func SetObjectDefaults_EncryptionConfiguration(in *EncryptionConfiguration) {
+	for i := range in.Resources {
+		a := &in.Resources[i]
+		for j := range a.Providers {
+			b := &a.Providers[j]
+			if b.KMS != nil {
+				SetDefaults_KMSConfiguration(b.KMS)
+			}
+		}
+	}
+}

vendor/k8s.io/apiserver/pkg/apis/config/validation/validation.go

@@ -0,0 +1,219 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package validation validates EncryptionConfiguration.
+package validation
+
+import (
+	"encoding/base64"
+	"fmt"
+	"net/url"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/apiserver/pkg/apis/config"
+)
+
+const (
+	moreThanOneElementErr    = "more than one provider specified in a single element, should split into different list elements"
+	keyLenErrFmt             = "secret is not of the expected length, got %d, expected one of %v"
+	unsupportedSchemeErrFmt  = "unsupported scheme %q for KMS provider, only unix is supported"
+	atLeastOneRequiredErrFmt = "at least one %s is required"
+	mandatoryFieldErrFmt     = "%s is a mandatory field for a %s"
+	base64EncodingErr        = "secrets must be base64 encoded"
+	zeroOrNegativeErrFmt     = "%s should be a positive value"
+	nonZeroErrFmt            = "%s should be a positive value, or negative to disable"
+	encryptionConfigNilErr   = "EncryptionConfiguration can't be nil"
+)
+
+var (
+	aesKeySizes = []int{16, 24, 32}
+	// See https://golang.org/pkg/crypto/aes/#NewCipher for details on supported key sizes for AES.
+	secretBoxKeySizes = []int{32}
+	// See https://godoc.org/golang.org/x/crypto/nacl/secretbox#Open for details on the supported key sizes for Secretbox.
+	root = field.NewPath("resources")
+)
+
+// ValidateEncryptionConfiguration validates a v1.EncryptionConfiguration.
+func ValidateEncryptionConfiguration(c *config.EncryptionConfiguration) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	if c == nil {
+		allErrs = append(allErrs, field.Required(root, "EncryptionConfiguration can't be nil"))
+		return allErrs
+	}
+
+	if len(c.Resources) == 0 {
+		allErrs = append(allErrs, field.Required(root, fmt.Sprintf(atLeastOneRequiredErrFmt, root)))
+		return allErrs
+	}
+
+	for i, conf := range c.Resources {
+		r := root.Index(i).Child("resources")
+		p := root.Index(i).Child("providers")
+
+		if len(conf.Resources) == 0 {
+			allErrs = append(allErrs, field.Required(r, fmt.Sprintf(atLeastOneRequiredErrFmt, r)))
+		}
+
+		if len(conf.Providers) == 0 {
+			allErrs = append(allErrs, field.Required(p, fmt.Sprintf(atLeastOneRequiredErrFmt, p)))
+		}
+
+		for j, provider := range conf.Providers {
+			path := p.Index(j)
+			allErrs = append(allErrs, validateSingleProvider(provider, path)...)
+
+			switch {
+			case provider.KMS != nil:
+				allErrs = append(allErrs, validateKMSConfiguration(provider.KMS, path.Child("kms"))...)
+			case provider.AESGCM != nil:
+				allErrs = append(allErrs, validateKeys(provider.AESGCM.Keys, path.Child("aesgcm").Child("keys"), aesKeySizes)...)
+			case provider.AESCBC != nil:
+				allErrs = append(allErrs, validateKeys(provider.AESCBC.Keys, path.Child("aescbc").Child("keys"), aesKeySizes)...)
+			case provider.Secretbox != nil:
+				allErrs = append(allErrs, validateKeys(provider.Secretbox.Keys, path.Child("secretbox").Child("keys"), secretBoxKeySizes)...)
+			}
+		}
+	}
+
+	return allErrs
+}
+
+func validateSingleProvider(provider config.ProviderConfiguration, filedPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+	found := 0
+
+	if provider.KMS != nil {
+		found++
+	}
+	if provider.AESGCM != nil {
+		found++
+	}
+	if provider.AESCBC != nil {
+		found++
+	}
+	if provider.Secretbox != nil {
+		found++
+	}
+	if provider.Identity != nil {
+		found++
+	}
+
+	if found == 0 {
+		return append(allErrs, field.Invalid(filedPath, provider, "provider does not contain any of the expected providers: KMS, AESGCM, AESCBC, Secretbox, Identity"))
+	}
+
+	if found > 1 {
+		return append(allErrs, field.Invalid(filedPath, provider, moreThanOneElementErr))
+	}
+
+	return allErrs
+}
+
+func validateKeys(keys []config.Key, fieldPath *field.Path, expectedLen []int) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	if len(keys) == 0 {
+		allErrs = append(allErrs, field.Required(fieldPath, fmt.Sprintf(atLeastOneRequiredErrFmt, "keys")))
+		return allErrs
+	}
+
+	for i, key := range keys {
+		allErrs = append(allErrs, validateKey(key, fieldPath.Index(i), expectedLen)...)
+	}
+
+	return allErrs
+}
+
+func validateKey(key config.Key, fieldPath *field.Path, expectedLen []int) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	if key.Name == "" {
+		allErrs = append(allErrs, field.Required(fieldPath.Child("name"), fmt.Sprintf(mandatoryFieldErrFmt, "name", "key")))
+	}
+
+	if key.Secret == "" {
+		allErrs = append(allErrs, field.Required(fieldPath.Child("secret"), fmt.Sprintf(mandatoryFieldErrFmt, "secret", "key")))
+		return allErrs
+	}
+
+	secret, err := base64.StdEncoding.DecodeString(key.Secret)
+	if err != nil {
+		allErrs = append(allErrs, field.Invalid(fieldPath.Child("secret"), "REDACTED", base64EncodingErr))
+		return allErrs
+	}
+
+	lenMatched := false
+	for _, l := range expectedLen {
+		if len(secret) == l {
+			lenMatched = true
+			break
+		}
+	}
+
+	if !lenMatched {
+		allErrs = append(allErrs, field.Invalid(fieldPath.Child("secret"), "REDACTED", fmt.Sprintf(keyLenErrFmt, len(secret), expectedLen)))
+	}
+
+	return allErrs
+}
+
+func validateKMSConfiguration(c *config.KMSConfiguration, fieldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+	if c.Name == "" {
+		allErrs = append(allErrs, field.Required(fieldPath.Child("name"), fmt.Sprintf(mandatoryFieldErrFmt, "name", "provider")))
+	}
+	allErrs = append(allErrs, validateKMSTimeout(c, fieldPath.Child("timeout"))...)
+	allErrs = append(allErrs, validateKMSEndpoint(c, fieldPath.Child("endpoint"))...)
+	allErrs = append(allErrs, validateKMSCacheSize(c, fieldPath.Child("cachesize"))...)
+	return allErrs
+}
+
+func validateKMSCacheSize(c *config.KMSConfiguration, fieldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+	if *c.CacheSize == 0 {
+		allErrs = append(allErrs, field.Invalid(fieldPath, *c.CacheSize, fmt.Sprintf(nonZeroErrFmt, "cachesize")))
+	}
+
+	return allErrs
+}
+
+func validateKMSTimeout(c *config.KMSConfiguration, fieldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+	if c.Timeout.Duration <= 0 {
+		allErrs = append(allErrs, field.Invalid(fieldPath, c.Timeout, fmt.Sprintf(zeroOrNegativeErrFmt, "timeout")))
+	}
+
+	return allErrs
+}
+
+func validateKMSEndpoint(c *config.KMSConfiguration, fieldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+	if len(c.Endpoint) == 0 {
+		return append(allErrs, field.Invalid(fieldPath, "", fmt.Sprintf(mandatoryFieldErrFmt, "endpoint", "kms")))
+	}
+
+	u, err := url.Parse(c.Endpoint)
+	if err != nil {
+		return append(allErrs, field.Invalid(fieldPath, c.Endpoint, fmt.Sprintf("invalid endpoint for kms provider, error: %v", err)))
+	}
+
+	if u.Scheme != "unix" {
+		return append(allErrs, field.Invalid(fieldPath, c.Endpoint, fmt.Sprintf(unsupportedSchemeErrFmt, u.Scheme)))
+	}
+
+	return allErrs
+}

vendor/k8s.io/apiserver/pkg/apis/config/zz_generated.deepcopy.go

@@ -97,6 +97,11 @@ func (in *IdentityConfiguration) DeepCopy() *IdentityConfiguration {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KMSConfiguration) DeepCopyInto(out *KMSConfiguration) {
 	*out = *in
+	if in.CacheSize != nil {
+		in, out := &in.CacheSize, &out.CacheSize
+		*out = new(int32)
+		**out = **in
+	}
 	if in.Timeout != nil {
 		in, out := &in.Timeout, &out.Timeout
 		*out = new(v1.Duration)

vendor/k8s.io/apiserver/pkg/apis/flowcontrol/bootstrap/default.go

@@ -0,0 +1,475 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package bootstrap
+
+import (
+	coordinationv1 "k8s.io/api/coordination/v1"
+	corev1 "k8s.io/api/core/v1"
+	flowcontrol "k8s.io/api/flowcontrol/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apiserver/pkg/authentication/serviceaccount"
+	"k8s.io/apiserver/pkg/authentication/user"
+)
+
+// The objects that define an apiserver's initial behavior.  The
+// registered defaulting procedures make no changes to these
+// particular objects (this is verified in the unit tests of the
+// internalbootstrap package; it can not be verified in this package
+// because that would require importing k8s.io/kubernetes).
+var (
+	MandatoryPriorityLevelConfigurations = []*flowcontrol.PriorityLevelConfiguration{
+		MandatoryPriorityLevelConfigurationExempt,
+		MandatoryPriorityLevelConfigurationCatchAll,
+	}
+	MandatoryFlowSchemas = []*flowcontrol.FlowSchema{
+		MandatoryFlowSchemaExempt,
+		MandatoryFlowSchemaCatchAll,
+	}
+)
+
+// The objects that define the current suggested additional configuration
+var (
+	SuggestedPriorityLevelConfigurations = []*flowcontrol.PriorityLevelConfiguration{
+		// "system" priority-level is for the system components that affects self-maintenance of the
+		// cluster and the availability of those running pods in the cluster, including kubelet and
+		// kube-proxy.
+		SuggestedPriorityLevelConfigurationSystem,
+		// "leader-election" is dedicated for controllers' leader-election, which majorly affects the
+		// availability of any controller runs in the cluster.
+		SuggestedPriorityLevelConfigurationLeaderElection,
+		// "workload-high" is used by those workloads with higher priority but their failure won't directly
+		// impact the existing running pods in the cluster, which includes kube-scheduler, and those well-known
+		// built-in workloads such as "deployments", "replicasets" and other low-level custom workload which
+		// is important for the cluster.
+		SuggestedPriorityLevelConfigurationWorkloadHigh,
+		// "workload-low" is used by those workloads with lower priority which availability only has a
+		// minor impact on the cluster.
+		SuggestedPriorityLevelConfigurationWorkloadLow,
+		// "global-default" serves the rest traffic not handled by the other suggested flow-schemas above.
+		SuggestedPriorityLevelConfigurationGlobalDefault,
+	}
+	SuggestedFlowSchemas = []*flowcontrol.FlowSchema{
+		SuggestedFlowSchemaSystemNodes,               // references "system" priority-level
+		SuggestedFlowSchemaSystemLeaderElection,      // references "leader-election" priority-level
+		SuggestedFlowSchemaWorkloadLeaderElection,    // references "leader-election" priority-level
+		SuggestedFlowSchemaKubeControllerManager,     // references "workload-high" priority-level
+		SuggestedFlowSchemaKubeScheduler,             // references "workload-high" priority-level
+		SuggestedFlowSchemaKubeSystemServiceAccounts, // references "workload-high" priority-level
+		SuggestedFlowSchemaServiceAccounts,           // references "workload-low" priority-level
+		SuggestedFlowSchemaGlobalDefault,             // references "global-default" priority-level
+	}
+)
+
+// Mandatory PriorityLevelConfiguration objects
+var (
+	MandatoryPriorityLevelConfigurationExempt = newPriorityLevelConfiguration(
+		flowcontrol.PriorityLevelConfigurationNameExempt,
+		flowcontrol.PriorityLevelConfigurationSpec{
+			Type: flowcontrol.PriorityLevelEnablementExempt,
+		},
+	)
+	MandatoryPriorityLevelConfigurationCatchAll = newPriorityLevelConfiguration(
+		"catch-all",
+		flowcontrol.PriorityLevelConfigurationSpec{
+			Type: flowcontrol.PriorityLevelEnablementLimited,
+			Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
+				AssuredConcurrencyShares: 1,
+				LimitResponse: flowcontrol.LimitResponse{
+					Type: flowcontrol.LimitResponseTypeReject,
+				},
+			},
+		})
+)
+
+// Mandatory FlowSchema objects
+var (
+	// "exempt" priority-level is used for preventing priority inversion and ensuring that sysadmin
+	// requests are always possible.
+	MandatoryFlowSchemaExempt = newFlowSchema(
+		"exempt",
+		flowcontrol.PriorityLevelConfigurationNameExempt,
+		1,  // matchingPrecedence
+		"", // distinguisherMethodType
+		flowcontrol.PolicyRulesWithSubjects{
+			Subjects: groups(user.SystemPrivilegedGroup),
+			ResourceRules: []flowcontrol.ResourcePolicyRule{
+				resourceRule(
+					[]string{flowcontrol.VerbAll},
+					[]string{flowcontrol.APIGroupAll},
+					[]string{flowcontrol.ResourceAll},
+					[]string{flowcontrol.NamespaceEvery},
+					true,
+				),
+			},
+			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
+				nonResourceRule(
+					[]string{flowcontrol.VerbAll},
+					[]string{flowcontrol.NonResourceAll},
+				),
+			},
+		},
+	)
+	// "catch-all" priority-level only gets a minimal positive share of concurrency and won't be reaching
+	// ideally unless you intentionally deleted the suggested "global-default".
+	MandatoryFlowSchemaCatchAll = newFlowSchema(
+		"catch-all",
+		"catch-all",
+		10000, // matchingPrecedence
+		flowcontrol.FlowDistinguisherMethodByUserType, // distinguisherMethodType
+		flowcontrol.PolicyRulesWithSubjects{
+			Subjects: groups(user.AllUnauthenticated, user.AllAuthenticated),
+			ResourceRules: []flowcontrol.ResourcePolicyRule{
+				resourceRule(
+					[]string{flowcontrol.VerbAll},
+					[]string{flowcontrol.APIGroupAll},
+					[]string{flowcontrol.ResourceAll},
+					[]string{flowcontrol.NamespaceEvery},
+					true,
+				),
+			},
+			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
+				nonResourceRule(
+					[]string{flowcontrol.VerbAll},
+					[]string{flowcontrol.NonResourceAll},
+				),
+			},
+		},
+	)
+)
+
+// Suggested PriorityLevelConfiguration objects
+var (
+	// system priority-level
+	SuggestedPriorityLevelConfigurationSystem = newPriorityLevelConfiguration(
+		"system",
+		flowcontrol.PriorityLevelConfigurationSpec{
+			Type: flowcontrol.PriorityLevelEnablementLimited,
+			Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
+				AssuredConcurrencyShares: 30,
+				LimitResponse: flowcontrol.LimitResponse{
+					Type: flowcontrol.LimitResponseTypeQueue,
+					Queuing: &flowcontrol.QueuingConfiguration{
+						Queues:           64,
+						HandSize:         6,
+						QueueLengthLimit: 50,
+					},
+				},
+			},
+		})
+	// leader-election priority-level
+	SuggestedPriorityLevelConfigurationLeaderElection = newPriorityLevelConfiguration(
+		"leader-election",
+		flowcontrol.PriorityLevelConfigurationSpec{
+			Type: flowcontrol.PriorityLevelEnablementLimited,
+			Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
+				AssuredConcurrencyShares: 10,
+				LimitResponse: flowcontrol.LimitResponse{
+					Type: flowcontrol.LimitResponseTypeQueue,
+					Queuing: &flowcontrol.QueuingConfiguration{
+						Queues:           16,
+						HandSize:         4,
+						QueueLengthLimit: 50,
+					},
+				},
+			},
+		})
+	// workload-high priority-level
+	SuggestedPriorityLevelConfigurationWorkloadHigh = newPriorityLevelConfiguration(
+		"workload-high",
+		flowcontrol.PriorityLevelConfigurationSpec{
+			Type: flowcontrol.PriorityLevelEnablementLimited,
+			Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
+				AssuredConcurrencyShares: 40,
+				LimitResponse: flowcontrol.LimitResponse{
+					Type: flowcontrol.LimitResponseTypeQueue,
+					Queuing: &flowcontrol.QueuingConfiguration{
+						Queues:           128,
+						HandSize:         6,
+						QueueLengthLimit: 50,
+					},
+				},
+			},
+		})
+	// workload-low priority-level
+	SuggestedPriorityLevelConfigurationWorkloadLow = newPriorityLevelConfiguration(
+		"workload-low",
+		flowcontrol.PriorityLevelConfigurationSpec{
+			Type: flowcontrol.PriorityLevelEnablementLimited,
+			Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
+				AssuredConcurrencyShares: 20,
+				LimitResponse: flowcontrol.LimitResponse{
+					Type: flowcontrol.LimitResponseTypeQueue,
+					Queuing: &flowcontrol.QueuingConfiguration{
+						Queues:           128,
+						HandSize:         6,
+						QueueLengthLimit: 50,
+					},
+				},
+			},
+		})
+	// global-default priority-level
+	SuggestedPriorityLevelConfigurationGlobalDefault = newPriorityLevelConfiguration(
+		"global-default",
+		flowcontrol.PriorityLevelConfigurationSpec{
+			Type: flowcontrol.PriorityLevelEnablementLimited,
+			Limited: &flowcontrol.LimitedPriorityLevelConfiguration{
+				AssuredConcurrencyShares: 100,
+				LimitResponse: flowcontrol.LimitResponse{
+					Type: flowcontrol.LimitResponseTypeQueue,
+					Queuing: &flowcontrol.QueuingConfiguration{
+						Queues:           128,
+						HandSize:         6,
+						QueueLengthLimit: 50,
+					},
+				},
+			},
+		})
+)
+
+// Suggested FlowSchema objects
+var (
+	SuggestedFlowSchemaSystemNodes = newFlowSchema(
+		"system-nodes", "system", 500,
+		flowcontrol.FlowDistinguisherMethodByUserType,
+		flowcontrol.PolicyRulesWithSubjects{
+			Subjects: groups(user.NodesGroup), // the nodes group
+			ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
+				[]string{flowcontrol.VerbAll},
+				[]string{flowcontrol.APIGroupAll},
+				[]string{flowcontrol.ResourceAll},
+				[]string{flowcontrol.NamespaceEvery},
+				true)},
+			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
+				nonResourceRule(
+					[]string{flowcontrol.VerbAll},
+					[]string{flowcontrol.NonResourceAll}),
+			},
+		},
+	)
+	SuggestedFlowSchemaSystemLeaderElection = newFlowSchema(
+		"system-leader-election", "leader-election", 100,
+		flowcontrol.FlowDistinguisherMethodByUserType,
+		flowcontrol.PolicyRulesWithSubjects{
+			Subjects: append(
+				users(user.KubeControllerManager, user.KubeScheduler),
+				kubeSystemServiceAccount(flowcontrol.NameAll)...),
+			ResourceRules: []flowcontrol.ResourcePolicyRule{
+				resourceRule(
+					[]string{"get", "create", "update"},
+					[]string{corev1.GroupName},
+					[]string{"endpoints", "configmaps"},
+					[]string{"kube-system"},
+					false),
+				resourceRule(
+					[]string{"get", "create", "update"},
+					[]string{coordinationv1.GroupName},
+					[]string{"leases"},
+					[]string{flowcontrol.NamespaceEvery},
+					false),
+			},
+		},
+	)
+	SuggestedFlowSchemaWorkloadLeaderElection = newFlowSchema(
+		"workload-leader-election", "leader-election", 200,
+		flowcontrol.FlowDistinguisherMethodByUserType,
+		flowcontrol.PolicyRulesWithSubjects{
+			Subjects: kubeSystemServiceAccount(flowcontrol.NameAll),
+			ResourceRules: []flowcontrol.ResourcePolicyRule{
+				resourceRule(
+					[]string{"get", "create", "update"},
+					[]string{corev1.GroupName},
+					[]string{"endpoints", "configmaps"},
+					[]string{flowcontrol.NamespaceEvery},
+					false),
+				resourceRule(
+					[]string{"get", "create", "update"},
+					[]string{coordinationv1.GroupName},
+					[]string{"leases"},
+					[]string{flowcontrol.NamespaceEvery},
+					false),
+			},
+		},
+	)
+	SuggestedFlowSchemaKubeControllerManager = newFlowSchema(
+		"kube-controller-manager", "workload-high", 800,
+		flowcontrol.FlowDistinguisherMethodByNamespaceType,
+		flowcontrol.PolicyRulesWithSubjects{
+			Subjects: users(user.KubeControllerManager),
+			ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
+				[]string{flowcontrol.VerbAll},
+				[]string{flowcontrol.APIGroupAll},
+				[]string{flowcontrol.ResourceAll},
+				[]string{flowcontrol.NamespaceEvery},
+				true)},
+			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
+				nonResourceRule(
+					[]string{flowcontrol.VerbAll},
+					[]string{flowcontrol.NonResourceAll}),
+			},
+		},
+	)
+	SuggestedFlowSchemaKubeScheduler = newFlowSchema(
+		"kube-scheduler", "workload-high", 800,
+		flowcontrol.FlowDistinguisherMethodByNamespaceType,
+		flowcontrol.PolicyRulesWithSubjects{
+			Subjects: users(user.KubeScheduler),
+			ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
+				[]string{flowcontrol.VerbAll},
+				[]string{flowcontrol.APIGroupAll},
+				[]string{flowcontrol.ResourceAll},
+				[]string{flowcontrol.NamespaceEvery},
+				true)},
+			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
+				nonResourceRule(
+					[]string{flowcontrol.VerbAll},
+					[]string{flowcontrol.NonResourceAll}),
+			},
+		},
+	)
+	SuggestedFlowSchemaKubeSystemServiceAccounts = newFlowSchema(
+		"kube-system-service-accounts", "workload-high", 900,
+		flowcontrol.FlowDistinguisherMethodByNamespaceType,
+		flowcontrol.PolicyRulesWithSubjects{
+			Subjects: kubeSystemServiceAccount(flowcontrol.NameAll),
+			ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
+				[]string{flowcontrol.VerbAll},
+				[]string{flowcontrol.APIGroupAll},
+				[]string{flowcontrol.ResourceAll},
+				[]string{flowcontrol.NamespaceEvery},
+				true)},
+			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
+				nonResourceRule(
+					[]string{flowcontrol.VerbAll},
+					[]string{flowcontrol.NonResourceAll}),
+			},
+		},
+	)
+	SuggestedFlowSchemaServiceAccounts = newFlowSchema(
+		"service-accounts", "workload-low", 9000,
+		flowcontrol.FlowDistinguisherMethodByUserType,
+		flowcontrol.PolicyRulesWithSubjects{
+			Subjects: groups(serviceaccount.AllServiceAccountsGroup),
+			ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
+				[]string{flowcontrol.VerbAll},
+				[]string{flowcontrol.APIGroupAll},
+				[]string{flowcontrol.ResourceAll},
+				[]string{flowcontrol.NamespaceEvery},
+				true)},
+			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
+				nonResourceRule(
+					[]string{flowcontrol.VerbAll},
+					[]string{flowcontrol.NonResourceAll}),
+			},
+		},
+	)
+	SuggestedFlowSchemaGlobalDefault = newFlowSchema(
+		"global-default", "global-default", 9900,
+		flowcontrol.FlowDistinguisherMethodByUserType,
+		flowcontrol.PolicyRulesWithSubjects{
+			Subjects: groups(serviceaccount.AllServiceAccountsGroup),
+			ResourceRules: []flowcontrol.ResourcePolicyRule{resourceRule(
+				[]string{flowcontrol.VerbAll},
+				[]string{flowcontrol.APIGroupAll},
+				[]string{flowcontrol.ResourceAll},
+				[]string{flowcontrol.NamespaceEvery},
+				true)},
+			NonResourceRules: []flowcontrol.NonResourcePolicyRule{
+				nonResourceRule(
+					[]string{flowcontrol.VerbAll},
+					[]string{flowcontrol.NonResourceAll}),
+			},
+		},
+	)
+)
+
+func newPriorityLevelConfiguration(name string, spec flowcontrol.PriorityLevelConfigurationSpec) *flowcontrol.PriorityLevelConfiguration {
+	return &flowcontrol.PriorityLevelConfiguration{
+		ObjectMeta: metav1.ObjectMeta{Name: name},
+		Spec:       spec}
+}
+
+func newFlowSchema(name, plName string, matchingPrecedence int32, dmType flowcontrol.FlowDistinguisherMethodType, rules ...flowcontrol.PolicyRulesWithSubjects) *flowcontrol.FlowSchema {
+	var dm *flowcontrol.FlowDistinguisherMethod
+	if dmType != "" {
+		dm = &flowcontrol.FlowDistinguisherMethod{Type: dmType}
+	}
+	return &flowcontrol.FlowSchema{
+		ObjectMeta: metav1.ObjectMeta{Name: name},
+		Spec: flowcontrol.FlowSchemaSpec{
+			PriorityLevelConfiguration: flowcontrol.PriorityLevelConfigurationReference{
+				Name: plName,
+			},
+			MatchingPrecedence:  matchingPrecedence,
+			DistinguisherMethod: dm,
+			Rules:               rules},
+	}
+
+}
+
+func groups(names ...string) []flowcontrol.Subject {
+	ans := make([]flowcontrol.Subject, len(names))
+	for idx, name := range names {
+		ans[idx] = flowcontrol.Subject{
+			Kind: flowcontrol.SubjectKindGroup,
+			Group: &flowcontrol.GroupSubject{
+				Name: name,
+			},
+		}
+	}
+	return ans
+}
+
+func users(names ...string) []flowcontrol.Subject {
+	ans := make([]flowcontrol.Subject, len(names))
+	for idx, name := range names {
+		ans[idx] = flowcontrol.Subject{
+			Kind: flowcontrol.SubjectKindUser,
+			User: &flowcontrol.UserSubject{
+				Name: name,
+			},
+		}
+	}
+	return ans
+}
+
+func kubeSystemServiceAccount(names ...string) []flowcontrol.Subject {
+	subjects := []flowcontrol.Subject{}
+	for _, name := range names {
+		subjects = append(subjects, flowcontrol.Subject{
+			Kind: flowcontrol.SubjectKindServiceAccount,
+			ServiceAccount: &flowcontrol.ServiceAccountSubject{
+				Name:      name,
+				Namespace: metav1.NamespaceSystem,
+			},
+		})
+	}
+	return subjects
+}
+
+func resourceRule(verbs []string, groups []string, resources []string, namespaces []string, clusterScoped bool) flowcontrol.ResourcePolicyRule {
+	return flowcontrol.ResourcePolicyRule{
+		Verbs:        verbs,
+		APIGroups:    groups,
+		Resources:    resources,
+		Namespaces:   namespaces,
+		ClusterScope: clusterScoped,
+	}
+}
+
+func nonResourceRule(verbs []string, nonResourceURLs []string) flowcontrol.NonResourcePolicyRule {
+	return flowcontrol.NonResourcePolicyRule{Verbs: verbs, NonResourceURLs: nonResourceURLs}
+}