Add glide.yaml and vendor deps

vendor/k8s.io/kubernetes/cmd/kube-apiserver/app/BUILD

@@ -0,0 +1,78 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "plugins.go",
+        "server.go",
+    ],
+    tags = ["automanaged"],
+    deps = [
+        "//cmd/kube-apiserver/app/options:go_default_library",
+        "//pkg/admission:go_default_library",
+        "//pkg/api:go_default_library",
+        "//pkg/apis/autoscaling:go_default_library",
+        "//pkg/apis/batch:go_default_library",
+        "//pkg/apis/extensions:go_default_library",
+        "//pkg/apiserver:go_default_library",
+        "//pkg/apiserver/authenticator:go_default_library",
+        "//pkg/capabilities:go_default_library",
+        "//pkg/client/clientset_generated/internalclientset:go_default_library",
+        "//pkg/cloudprovider:go_default_library",
+        "//pkg/cloudprovider/providers:go_default_library",
+        "//pkg/controller/informers:go_default_library",
+        "//pkg/controller/serviceaccount:go_default_library",
+        "//pkg/generated/openapi:go_default_library",
+        "//pkg/genericapiserver:go_default_library",
+        "//pkg/genericapiserver/authorizer:go_default_library",
+        "//pkg/genericapiserver/options:go_default_library",
+        "//pkg/master:go_default_library",
+        "//pkg/registry/cachesize:go_default_library",
+        "//pkg/runtime/schema:go_default_library",
+        "//pkg/util/errors:go_default_library",
+        "//pkg/util/net:go_default_library",
+        "//pkg/util/wait:go_default_library",
+        "//pkg/version:go_default_library",
+        "//plugin/pkg/admission/admit:go_default_library",
+        "//plugin/pkg/admission/alwayspullimages:go_default_library",
+        "//plugin/pkg/admission/antiaffinity:go_default_library",
+        "//plugin/pkg/admission/deny:go_default_library",
+        "//plugin/pkg/admission/exec:go_default_library",
+        "//plugin/pkg/admission/gc:go_default_library",
+        "//plugin/pkg/admission/imagepolicy:go_default_library",
+        "//plugin/pkg/admission/initialresources:go_default_library",
+        "//plugin/pkg/admission/limitranger:go_default_library",
+        "//plugin/pkg/admission/namespace/autoprovision:go_default_library",
+        "//plugin/pkg/admission/namespace/exists:go_default_library",
+        "//plugin/pkg/admission/namespace/lifecycle:go_default_library",
+        "//plugin/pkg/admission/persistentvolume/label:go_default_library",
+        "//plugin/pkg/admission/podnodeselector:go_default_library",
+        "//plugin/pkg/admission/resourcequota:go_default_library",
+        "//plugin/pkg/admission/security/podsecuritypolicy:go_default_library",
+        "//plugin/pkg/admission/securitycontext/scdeny:go_default_library",
+        "//plugin/pkg/admission/serviceaccount:go_default_library",
+        "//plugin/pkg/admission/storageclass/default:go_default_library",
+        "//vendor:github.com/golang/glog",
+        "//vendor:github.com/pborman/uuid",
+        "//vendor:github.com/spf13/cobra",
+        "//vendor:github.com/spf13/pflag",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["server_test.go"],
+    library = "go_default_library",
+    tags = ["automanaged"],
+    deps = ["//cmd/kube-apiserver/app/options:go_default_library"],
+)

vendor/k8s.io/kubernetes/cmd/kube-apiserver/app/options/BUILD

@@ -0,0 +1,33 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["options.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/api/validation:go_default_library",
+        "//pkg/genericapiserver/options:go_default_library",
+        "//pkg/kubelet/client:go_default_library",
+        "//pkg/master/ports:go_default_library",
+        "//vendor:github.com/spf13/pflag",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["options_test.go"],
+    library = "go_default_library",
+    tags = ["automanaged"],
+    deps = ["//vendor:github.com/spf13/pflag"],
+)

vendor/k8s.io/kubernetes/cmd/kube-apiserver/app/options/options.go

@@ -0,0 +1,135 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package options contains flags and options for initializing an apiserver
+package options
+
+import (
+	"time"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/validation"
+	genericoptions "k8s.io/kubernetes/pkg/genericapiserver/options"
+	kubeletclient "k8s.io/kubernetes/pkg/kubelet/client"
+	"k8s.io/kubernetes/pkg/master/ports"
+
+	"github.com/spf13/pflag"
+)
+
+// ServerRunOptions runs a kubernetes api server.
+type ServerRunOptions struct {
+	GenericServerRunOptions *genericoptions.ServerRunOptions
+	Etcd                    *genericoptions.EtcdOptions
+	SecureServing           *genericoptions.SecureServingOptions
+	InsecureServing         *genericoptions.ServingOptions
+	Authentication          *genericoptions.BuiltInAuthenticationOptions
+	Authorization           *genericoptions.BuiltInAuthorizationOptions
+
+	AllowPrivileged          bool
+	EventTTL                 time.Duration
+	KubeletConfig            kubeletclient.KubeletClientConfig
+	MaxConnectionBytesPerSec int64
+	SSHKeyfile               string
+	SSHUser                  string
+}
+
+// NewServerRunOptions creates a new ServerRunOptions object with default parameters
+func NewServerRunOptions() *ServerRunOptions {
+	s := ServerRunOptions{
+		GenericServerRunOptions: genericoptions.NewServerRunOptions(),
+		Etcd:            genericoptions.NewEtcdOptions(),
+		SecureServing:   genericoptions.NewSecureServingOptions(),
+		InsecureServing: genericoptions.NewInsecureServingOptions(),
+		Authentication:  genericoptions.NewBuiltInAuthenticationOptions().WithAll(),
+		Authorization:   genericoptions.NewBuiltInAuthorizationOptions(),
+
+		EventTTL: 1 * time.Hour,
+		KubeletConfig: kubeletclient.KubeletClientConfig{
+			Port: ports.KubeletPort,
+			PreferredAddressTypes: []string{
+				string(api.NodeHostName),
+				string(api.NodeInternalIP),
+				string(api.NodeExternalIP),
+				string(api.NodeLegacyHostIP),
+			},
+			EnableHttps: true,
+			HTTPTimeout: time.Duration(5) * time.Second,
+		},
+	}
+	return &s
+}
+
+// AddFlags adds flags for a specific APIServer to the specified FlagSet
+func (s *ServerRunOptions) AddFlags(fs *pflag.FlagSet) {
+	// Add the generic flags.
+	s.GenericServerRunOptions.AddUniversalFlags(fs)
+
+	s.Etcd.AddFlags(fs)
+	s.SecureServing.AddFlags(fs)
+	s.SecureServing.AddDeprecatedFlags(fs)
+	s.InsecureServing.AddFlags(fs)
+	s.InsecureServing.AddDeprecatedFlags(fs)
+	s.Authentication.AddFlags(fs)
+	s.Authorization.AddFlags(fs)
+
+	// Note: the weird ""+ in below lines seems to be the only way to get gofmt to
+	// arrange these text blocks sensibly. Grrr.
+
+	fs.DurationVar(&s.EventTTL, "event-ttl", s.EventTTL,
+		"Amount of time to retain events. Default is 1h.")
+
+	fs.BoolVar(&s.AllowPrivileged, "allow-privileged", s.AllowPrivileged,
+		"If true, allow privileged containers.")
+
+	fs.StringVar(&s.SSHUser, "ssh-user", s.SSHUser,
+		"If non-empty, use secure SSH proxy to the nodes, using this user name")
+
+	fs.StringVar(&s.SSHKeyfile, "ssh-keyfile", s.SSHKeyfile,
+		"If non-empty, use secure SSH proxy to the nodes, using this user keyfile")
+
+	fs.Int64Var(&s.MaxConnectionBytesPerSec, "max-connection-bytes-per-sec", s.MaxConnectionBytesPerSec, ""+
+		"If non-zero, throttle each user connection to this number of bytes/sec. "+
+		"Currently only applies to long-running requests.")
+
+	// Kubelet related flags:
+	fs.BoolVar(&s.KubeletConfig.EnableHttps, "kubelet-https", s.KubeletConfig.EnableHttps,
+		"Use https for kubelet connections.")
+
+	fs.StringSliceVar(&s.KubeletConfig.PreferredAddressTypes, "kubelet-preferred-address-types", s.KubeletConfig.PreferredAddressTypes,
+		"List of the preferred NodeAddressTypes to use for kubelet connections.")
+
+	fs.UintVar(&s.KubeletConfig.Port, "kubelet-port", s.KubeletConfig.Port,
+		"DEPRECATED: kubelet port.")
+	fs.MarkDeprecated("kubelet-port", "kubelet-port is deprecated and will be removed.")
+
+	fs.DurationVar(&s.KubeletConfig.HTTPTimeout, "kubelet-timeout", s.KubeletConfig.HTTPTimeout,
+		"Timeout for kubelet operations.")
+
+	fs.StringVar(&s.KubeletConfig.CertFile, "kubelet-client-certificate", s.KubeletConfig.CertFile,
+		"Path to a client cert file for TLS.")
+
+	fs.StringVar(&s.KubeletConfig.KeyFile, "kubelet-client-key", s.KubeletConfig.KeyFile,
+		"Path to a client key file for TLS.")
+
+	fs.StringVar(&s.KubeletConfig.CAFile, "kubelet-certificate-authority", s.KubeletConfig.CAFile,
+		"Path to a cert file for the certificate authority.")
+
+	// TODO: delete this flag as soon as we identify and fix all clients that send malformed updates, like #14126.
+	fs.BoolVar(&validation.RepairMalformedUpdates, "repair-malformed-updates", validation.RepairMalformedUpdates, ""+
+		"If true, server will do its best to fix the update request to pass the validation, "+
+		"e.g., setting empty UID in update request to its existing value. This flag can be turned off "+
+		"after we fix all the clients that send malformed updates.")
+}

vendor/k8s.io/kubernetes/cmd/kube-apiserver/app/options/options_test.go

@@ -0,0 +1,42 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"testing"
+
+	"github.com/spf13/pflag"
+)
+
+func TestAddFlagsFlag(t *testing.T) {
+	// TODO: This only tests the enable-swagger-ui flag for now.
+	// Expand the test to include other flags as well.
+	f := pflag.NewFlagSet("addflagstest", pflag.ContinueOnError)
+	s := NewServerRunOptions()
+	s.AddFlags(f)
+	if s.GenericServerRunOptions.EnableSwaggerUI {
+		t.Errorf("Expected s.EnableSwaggerUI to be false by default")
+	}
+
+	args := []string{
+		"--enable-swagger-ui=true",
+	}
+	f.Parse(args)
+	if !s.GenericServerRunOptions.EnableSwaggerUI {
+		t.Errorf("Expected s.EnableSwaggerUI to be true")
+	}
+}

vendor/k8s.io/kubernetes/cmd/kube-apiserver/app/plugins.go

@@ -0,0 +1,46 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+// This file exists to force the desired plugin implementations to be linked.
+// This should probably be part of some configuration fed into the build for a
+// given binary target.
+import (
+	// Cloud providers
+	_ "k8s.io/kubernetes/pkg/cloudprovider/providers"
+
+	// Admission policies
+	_ "k8s.io/kubernetes/plugin/pkg/admission/admit"
+	_ "k8s.io/kubernetes/plugin/pkg/admission/alwayspullimages"
+	_ "k8s.io/kubernetes/plugin/pkg/admission/antiaffinity"
+	_ "k8s.io/kubernetes/plugin/pkg/admission/deny"
+	_ "k8s.io/kubernetes/plugin/pkg/admission/exec"
+	_ "k8s.io/kubernetes/plugin/pkg/admission/gc"
+	_ "k8s.io/kubernetes/plugin/pkg/admission/imagepolicy"
+	_ "k8s.io/kubernetes/plugin/pkg/admission/initialresources"
+	_ "k8s.io/kubernetes/plugin/pkg/admission/limitranger"
+	_ "k8s.io/kubernetes/plugin/pkg/admission/namespace/autoprovision"
+	_ "k8s.io/kubernetes/plugin/pkg/admission/namespace/exists"
+	_ "k8s.io/kubernetes/plugin/pkg/admission/namespace/lifecycle"
+	_ "k8s.io/kubernetes/plugin/pkg/admission/persistentvolume/label"
+	_ "k8s.io/kubernetes/plugin/pkg/admission/podnodeselector"
+	_ "k8s.io/kubernetes/plugin/pkg/admission/resourcequota"
+	_ "k8s.io/kubernetes/plugin/pkg/admission/security/podsecuritypolicy"
+	_ "k8s.io/kubernetes/plugin/pkg/admission/securitycontext/scdeny"
+	_ "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
+	_ "k8s.io/kubernetes/plugin/pkg/admission/storageclass/default"
+)

vendor/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go

@@ -0,0 +1,315 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package app does all of the work necessary to create a Kubernetes
+// APIServer by binding together the API, master and APIServer infrastructure.
+// It can be configured and called directly or via the hyperkube framework.
+package app
+
+import (
+	"crypto/tls"
+	"net"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/golang/glog"
+	"github.com/pborman/uuid"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+
+	"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
+	"k8s.io/kubernetes/pkg/admission"
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/autoscaling"
+	"k8s.io/kubernetes/pkg/apis/batch"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+	"k8s.io/kubernetes/pkg/apiserver"
+	"k8s.io/kubernetes/pkg/apiserver/authenticator"
+	"k8s.io/kubernetes/pkg/capabilities"
+	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
+	"k8s.io/kubernetes/pkg/cloudprovider"
+	"k8s.io/kubernetes/pkg/controller/informers"
+	serviceaccountcontroller "k8s.io/kubernetes/pkg/controller/serviceaccount"
+	generatedopenapi "k8s.io/kubernetes/pkg/generated/openapi"
+	"k8s.io/kubernetes/pkg/genericapiserver"
+	"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
+	genericoptions "k8s.io/kubernetes/pkg/genericapiserver/options"
+	"k8s.io/kubernetes/pkg/master"
+	"k8s.io/kubernetes/pkg/registry/cachesize"
+	"k8s.io/kubernetes/pkg/runtime/schema"
+	utilerrors "k8s.io/kubernetes/pkg/util/errors"
+	utilnet "k8s.io/kubernetes/pkg/util/net"
+	"k8s.io/kubernetes/pkg/util/wait"
+	"k8s.io/kubernetes/pkg/version"
+)
+
+// NewAPIServerCommand creates a *cobra.Command object with default parameters
+func NewAPIServerCommand() *cobra.Command {
+	s := options.NewServerRunOptions()
+	s.AddFlags(pflag.CommandLine)
+	cmd := &cobra.Command{
+		Use: "kube-apiserver",
+		Long: `The Kubernetes API server validates and configures data
+for the api objects which include pods, services, replicationcontrollers, and
+others. The API Server services REST operations and provides the frontend to the
+cluster's shared state through which all other components interact.`,
+		Run: func(cmd *cobra.Command, args []string) {
+		},
+	}
+
+	return cmd
+}
+
+// Run runs the specified APIServer.  This should never exit.
+func Run(s *options.ServerRunOptions) error {
+	if errs := s.Etcd.Validate(); len(errs) > 0 {
+		return utilerrors.NewAggregate(errs)
+	}
+	if err := s.GenericServerRunOptions.DefaultExternalAddress(s.SecureServing, s.InsecureServing); err != nil {
+		return err
+	}
+
+	genericapiserver.DefaultAndValidateRunOptions(s.GenericServerRunOptions)
+	genericConfig := genericapiserver.NewConfig(). // create the new config
+							ApplyOptions(s.GenericServerRunOptions). // apply the options selected
+							ApplySecureServingOptions(s.SecureServing).
+							ApplyInsecureServingOptions(s.InsecureServing).
+							ApplyAuthenticationOptions(s.Authentication).
+							ApplyRBACSuperUser(s.Authorization.RBACSuperUser)
+
+	serviceIPRange, apiServerServiceIP, err := master.DefaultServiceIPRange(s.GenericServerRunOptions.ServiceClusterIPRange)
+	if err != nil {
+		glog.Fatalf("Error determining service IP ranges: %v", err)
+	}
+	if err := genericConfig.MaybeGenerateServingCerts(apiServerServiceIP); err != nil {
+		glog.Fatalf("Failed to generate service certificate: %v", err)
+	}
+
+	capabilities.Initialize(capabilities.Capabilities{
+		AllowPrivileged: s.AllowPrivileged,
+		// TODO(vmarmol): Implement support for HostNetworkSources.
+		PrivilegedSources: capabilities.PrivilegedSources{
+			HostNetworkSources: []string{},
+			HostPIDSources:     []string{},
+			HostIPCSources:     []string{},
+		},
+		PerConnectionBandwidthLimitBytesPerSec: s.MaxConnectionBytesPerSec,
+	})
+
+	// Setup tunneler if needed
+	var tunneler genericapiserver.Tunneler
+	var proxyDialerFn apiserver.ProxyDialerFunc
+	if len(s.SSHUser) > 0 {
+		// Get ssh key distribution func, if supported
+		var installSSH genericapiserver.InstallSSHKey
+		cloud, err := cloudprovider.InitCloudProvider(s.GenericServerRunOptions.CloudProvider, s.GenericServerRunOptions.CloudConfigFile)
+		if err != nil {
+			glog.Fatalf("Cloud provider could not be initialized: %v", err)
+		}
+		if cloud != nil {
+			if instances, supported := cloud.Instances(); supported {
+				installSSH = instances.AddSSHKeyToAllInstances
+			}
+		}
+		if s.KubeletConfig.Port == 0 {
+			glog.Fatalf("Must enable kubelet port if proxy ssh-tunneling is specified.")
+		}
+		// Set up the tunneler
+		// TODO(cjcullen): If we want this to handle per-kubelet ports or other
+		// kubelet listen-addresses, we need to plumb through options.
+		healthCheckPath := &url.URL{
+			Scheme: "https",
+			Host:   net.JoinHostPort("127.0.0.1", strconv.FormatUint(uint64(s.KubeletConfig.Port), 10)),
+			Path:   "healthz",
+		}
+		tunneler = genericapiserver.NewSSHTunneler(s.SSHUser, s.SSHKeyfile, healthCheckPath, installSSH)
+
+		// Use the tunneler's dialer to connect to the kubelet
+		s.KubeletConfig.Dial = tunneler.Dial
+		// Use the tunneler's dialer when proxying to pods, services, and nodes
+		proxyDialerFn = tunneler.Dial
+	}
+
+	// Proxying to pods and services is IP-based... don't expect to be able to verify the hostname
+	proxyTLSClientConfig := &tls.Config{InsecureSkipVerify: true}
+
+	if s.Etcd.StorageConfig.DeserializationCacheSize == 0 {
+		// When size of cache is not explicitly set, estimate its size based on
+		// target memory usage.
+		glog.V(2).Infof("Initalizing deserialization cache size based on %dMB limit", s.GenericServerRunOptions.TargetRAMMB)
+
+		// This is the heuristics that from memory capacity is trying to infer
+		// the maximum number of nodes in the cluster and set cache sizes based
+		// on that value.
+		// From our documentation, we officially recomment 120GB machines for
+		// 2000 nodes, and we scale from that point. Thus we assume ~60MB of
+		// capacity per node.
+		// TODO: We may consider deciding that some percentage of memory will
+		// be used for the deserialization cache and divide it by the max object
+		// size to compute its size. We may even go further and measure
+		// collective sizes of the objects in the cache.
+		clusterSize := s.GenericServerRunOptions.TargetRAMMB / 60
+		s.Etcd.StorageConfig.DeserializationCacheSize = 25 * clusterSize
+		if s.Etcd.StorageConfig.DeserializationCacheSize < 1000 {
+			s.Etcd.StorageConfig.DeserializationCacheSize = 1000
+		}
+	}
+
+	storageGroupsToEncodingVersion, err := s.GenericServerRunOptions.StorageGroupsToEncodingVersion()
+	if err != nil {
+		glog.Fatalf("error generating storage version map: %s", err)
+	}
+	storageFactory, err := genericapiserver.BuildDefaultStorageFactory(
+		s.Etcd.StorageConfig, s.GenericServerRunOptions.DefaultStorageMediaType, api.Codecs,
+		genericapiserver.NewDefaultResourceEncodingConfig(), storageGroupsToEncodingVersion,
+		// FIXME: this GroupVersionResource override should be configurable
+		[]schema.GroupVersionResource{batch.Resource("cronjobs").WithVersion("v2alpha1")},
+		master.DefaultAPIResourceConfigSource(), s.GenericServerRunOptions.RuntimeConfig)
+	if err != nil {
+		glog.Fatalf("error in initializing storage factory: %s", err)
+	}
+	storageFactory.AddCohabitatingResources(batch.Resource("jobs"), extensions.Resource("jobs"))
+	storageFactory.AddCohabitatingResources(autoscaling.Resource("horizontalpodautoscalers"), extensions.Resource("horizontalpodautoscalers"))
+	for _, override := range s.Etcd.EtcdServersOverrides {
+		tokens := strings.Split(override, "#")
+		if len(tokens) != 2 {
+			glog.Errorf("invalid value of etcd server overrides: %s", override)
+			continue
+		}
+
+		apiresource := strings.Split(tokens[0], "/")
+		if len(apiresource) != 2 {
+			glog.Errorf("invalid resource definition: %s", tokens[0])
+			continue
+		}
+		group := apiresource[0]
+		resource := apiresource[1]
+		groupResource := schema.GroupResource{Group: group, Resource: resource}
+
+		servers := strings.Split(tokens[1], ";")
+		storageFactory.SetEtcdLocation(groupResource, servers)
+	}
+
+	// Default to the private server key for service account token signing
+	if len(s.Authentication.ServiceAccounts.KeyFiles) == 0 && s.SecureServing.ServerCert.CertKey.KeyFile != "" {
+		if authenticator.IsValidServiceAccountKeyFile(s.SecureServing.ServerCert.CertKey.KeyFile) {
+			s.Authentication.ServiceAccounts.KeyFiles = []string{s.SecureServing.ServerCert.CertKey.KeyFile}
+		} else {
+			glog.Warning("No TLS key provided, service account token authentication disabled")
+		}
+	}
+
+	authenticatorConfig := s.Authentication.ToAuthenticationConfig(s.SecureServing.ClientCA)
+	if s.Authentication.ServiceAccounts.Lookup {
+		// If we need to look up service accounts and tokens,
+		// go directly to etcd to avoid recursive auth insanity
+		storageConfig, err := storageFactory.NewConfig(api.Resource("serviceaccounts"))
+		if err != nil {
+			glog.Fatalf("Unable to get serviceaccounts storage: %v", err)
+		}
+		authenticatorConfig.ServiceAccountTokenGetter = serviceaccountcontroller.NewGetterFromStorageInterface(storageConfig, storageFactory.ResourcePrefix(api.Resource("serviceaccounts")), storageFactory.ResourcePrefix(api.Resource("secrets")))
+	}
+
+	apiAuthenticator, securityDefinitions, err := authenticator.New(authenticatorConfig)
+	if err != nil {
+		glog.Fatalf("Invalid Authentication Config: %v", err)
+	}
+
+	privilegedLoopbackToken := uuid.NewRandom().String()
+	selfClientConfig, err := genericoptions.NewSelfClientConfig(s.SecureServing, s.InsecureServing, privilegedLoopbackToken)
+	if err != nil {
+		glog.Fatalf("Failed to create clientset: %v", err)
+	}
+	client, err := internalclientset.NewForConfig(selfClientConfig)
+	if err != nil {
+		glog.Errorf("Failed to create clientset: %v", err)
+	}
+	sharedInformers := informers.NewSharedInformerFactory(nil, client, 10*time.Minute)
+
+	authorizationConfig := s.Authorization.ToAuthorizationConfig(sharedInformers)
+	apiAuthorizer, err := authorizer.NewAuthorizerFromAuthorizationConfig(authorizationConfig)
+	if err != nil {
+		glog.Fatalf("Invalid Authorization Config: %v", err)
+	}
+
+	admissionControlPluginNames := strings.Split(s.GenericServerRunOptions.AdmissionControl, ",")
+	pluginInitializer := admission.NewPluginInitializer(sharedInformers, apiAuthorizer)
+	admissionController, err := admission.NewFromPlugins(client, admissionControlPluginNames, s.GenericServerRunOptions.AdmissionControlConfigFile, pluginInitializer)
+	if err != nil {
+		glog.Fatalf("Failed to initialize plugins: %v", err)
+	}
+
+	proxyTransport := utilnet.SetTransportDefaults(&http.Transport{
+		Dial:            proxyDialerFn,
+		TLSClientConfig: proxyTLSClientConfig,
+	})
+	kubeVersion := version.Get()
+
+	genericConfig.Version = &kubeVersion
+	genericConfig.LoopbackClientConfig = selfClientConfig
+	genericConfig.Authenticator = apiAuthenticator
+	genericConfig.Authorizer = apiAuthorizer
+	genericConfig.AdmissionControl = admissionController
+	genericConfig.APIResourceConfigSource = storageFactory.APIResourceConfigSource
+	genericConfig.OpenAPIConfig.Info.Title = "Kubernetes"
+	genericConfig.OpenAPIConfig.Definitions = generatedopenapi.OpenAPIDefinitions
+	genericConfig.EnableOpenAPISupport = true
+	genericConfig.EnableMetrics = true
+	genericConfig.OpenAPIConfig.SecurityDefinitions = securityDefinitions
+
+	config := &master.Config{
+		GenericConfig: genericConfig,
+
+		StorageFactory:          storageFactory,
+		EnableWatchCache:        s.GenericServerRunOptions.EnableWatchCache,
+		EnableCoreControllers:   true,
+		DeleteCollectionWorkers: s.GenericServerRunOptions.DeleteCollectionWorkers,
+		EventTTL:                s.EventTTL,
+		KubeletClientConfig:     s.KubeletConfig,
+		EnableUISupport:         true,
+		EnableLogsSupport:       true,
+		ProxyTransport:          proxyTransport,
+
+		Tunneler: tunneler,
+
+		ServiceIPRange:       serviceIPRange,
+		APIServerServiceIP:   apiServerServiceIP,
+		APIServerServicePort: 443,
+
+		ServiceNodePortRange:      s.GenericServerRunOptions.ServiceNodePortRange,
+		KubernetesServiceNodePort: s.GenericServerRunOptions.KubernetesServiceNodePort,
+
+		MasterCount: s.GenericServerRunOptions.MasterCount,
+	}
+
+	if s.GenericServerRunOptions.EnableWatchCache {
+		glog.V(2).Infof("Initalizing cache sizes based on %dMB limit", s.GenericServerRunOptions.TargetRAMMB)
+		cachesize.InitializeWatchCacheSizes(s.GenericServerRunOptions.TargetRAMMB)
+		cachesize.SetWatchCacheSizes(s.GenericServerRunOptions.WatchCacheSizes)
+	}
+
+	m, err := config.Complete().New()
+	if err != nil {
+		return err
+	}
+
+	sharedInformers.Start(wait.NeverStop)
+	m.GenericAPIServer.PrepareRun().Run(wait.NeverStop)
+	return nil
+}

vendor/k8s.io/kubernetes/cmd/kube-apiserver/app/server_test.go

@@ -0,0 +1,65 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	"regexp"
+	"testing"
+
+	"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
+)
+
+func TestLongRunningRequestRegexp(t *testing.T) {
+	regexp := regexp.MustCompile(options.NewServerRunOptions().GenericServerRunOptions.LongRunningRequestRE)
+	dontMatch := []string{
+		"/api/v1/watch-namespace/",
+		"/api/v1/namespace-proxy/",
+		"/api/v1/namespace-watch",
+		"/api/v1/namespace-proxy",
+		"/api/v1/namespace-portforward/pods",
+		"/api/v1/portforward/pods",
+		". anything",
+		"/ that",
+	}
+	doMatch := []string{
+		"/api/v1/pods/watch",
+		"/api/v1/watch/stuff",
+		"/api/v1/default/service/proxy",
+		"/api/v1/pods/proxy/path/to/thing",
+		"/api/v1/namespaces/myns/pods/mypod/log",
+		"/api/v1/namespaces/myns/pods/mypod/logs",
+		"/api/v1/namespaces/myns/pods/mypod/portforward",
+		"/api/v1/namespaces/myns/pods/mypod/exec",
+		"/api/v1/namespaces/myns/pods/mypod/attach",
+		"/api/v1/namespaces/myns/pods/mypod/log/",
+		"/api/v1/namespaces/myns/pods/mypod/logs/",
+		"/api/v1/namespaces/myns/pods/mypod/portforward/",
+		"/api/v1/namespaces/myns/pods/mypod/exec/",
+		"/api/v1/namespaces/myns/pods/mypod/attach/",
+		"/api/v1/watch/namespaces/myns/pods",
+	}
+	for _, path := range dontMatch {
+		if regexp.MatchString(path) {
+			t.Errorf("path should not have match regexp but did: %s", path)
+		}
+	}
+	for _, path := range doMatch {
+		if !regexp.MatchString(path) {
+			t.Errorf("path should have match regexp did not: %s", path)
+		}
+	}
+}