Add glide.yaml and vendor deps

2016-12-03 22:43:32 -08:00 · 2016-12-03 22:43:32 -08:00 · 5b3d5e81bd
commit 5b3d5e81bd
parent db918f12ad
18880 changed files with 5166045 additions and 1 deletions
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/BUILD
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/BUILD
@ -0,0 +1,21 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["escalation_check.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/auth/user:go_default_library",
+    ],
+)
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/BUILD
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/BUILD
@ -0,0 +1,33 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "doc.go",
+        "registry.go",
+        "strategy.go",
+    ],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/api/rest:go_default_library",
+        "//pkg/apis/rbac:go_default_library",
+        "//pkg/apis/rbac/validation:go_default_library",
+        "//pkg/fields:go_default_library",
+        "//pkg/labels:go_default_library",
+        "//pkg/runtime:go_default_library",
+        "//pkg/storage:go_default_library",
+        "//pkg/util/validation/field:go_default_library",
+        "//pkg/watch:go_default_library",
+    ],
+)
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/doc.go
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/doc.go
@ -0,0 +1,19 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package certificates provides Registry interface and its RESTStorage
+// implementation for storing ClusterRole objects.
+package clusterrole // import "k8s.io/kubernetes/pkg/registry/rbac/clusterrole"
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/etcd/BUILD
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/etcd/BUILD
@ -0,0 +1,27 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["etcd.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/apis/rbac:go_default_library",
+        "//pkg/registry/cachesize:go_default_library",
+        "//pkg/registry/generic:go_default_library",
+        "//pkg/registry/generic/registry:go_default_library",
+        "//pkg/registry/rbac/clusterrole:go_default_library",
+        "//pkg/runtime:go_default_library",
+        "//pkg/storage:go_default_library",
+    ],
+)
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/etcd/etcd.go
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/etcd/etcd.go
@ -0,0 +1,77 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package etcd
+
+import (
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/registry/cachesize"
+	"k8s.io/kubernetes/pkg/registry/generic"
+	genericregistry "k8s.io/kubernetes/pkg/registry/generic/registry"
+	"k8s.io/kubernetes/pkg/registry/rbac/clusterrole"
+	"k8s.io/kubernetes/pkg/runtime"
+	"k8s.io/kubernetes/pkg/storage"
+)
+
+// REST implements a RESTStorage for ClusterRole against etcd
+type REST struct {
+	*genericregistry.Store
+}
+
+// NewREST returns a RESTStorage object that will work against ClusterRole objects.
+func NewREST(opts generic.RESTOptions) *REST {
+	prefix := "/" + opts.ResourcePrefix
+
+	newListFunc := func() runtime.Object { return &rbac.ClusterRoleList{} }
+	storageInterface, dFunc := opts.Decorator(
+		opts.StorageConfig,
+		cachesize.GetWatchCacheSizeByResource(cachesize.ClusterRoles),
+		&rbac.ClusterRole{},
+		prefix,
+		clusterrole.Strategy,
+		newListFunc,
+		clusterrole.GetAttrs,
+		storage.NoTriggerPublisher,
+	)
+
+	store := &genericregistry.Store{
+		NewFunc:     func() runtime.Object { return &rbac.ClusterRole{} },
+		NewListFunc: newListFunc,
+		KeyRootFunc: func(ctx api.Context) string {
+			return genericregistry.NamespaceKeyRootFunc(ctx, prefix)
+		},
+		KeyFunc: func(ctx api.Context, id string) (string, error) {
+			return genericregistry.NoNamespaceKeyFunc(ctx, prefix, id)
+		},
+		ObjectNameFunc: func(obj runtime.Object) (string, error) {
+			return obj.(*rbac.ClusterRole).Name, nil
+		},
+		PredicateFunc:           clusterrole.Matcher,
+		QualifiedResource:       rbac.Resource("clusterroles"),
+		EnableGarbageCollection: opts.EnableGarbageCollection,
+		DeleteCollectionWorkers: opts.DeleteCollectionWorkers,
+
+		CreateStrategy: clusterrole.Strategy,
+		UpdateStrategy: clusterrole.Strategy,
+		DeleteStrategy: clusterrole.Strategy,
+
+		Storage:     storageInterface,
+		DestroyFunc: dFunc,
+	}
+
+	return &REST{store}
+}
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/policybased/BUILD
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/policybased/BUILD
@ -0,0 +1,26 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["storage.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/api/errors:go_default_library",
+        "//pkg/api/rest:go_default_library",
+        "//pkg/apis/rbac:go_default_library",
+        "//pkg/apis/rbac/validation:go_default_library",
+        "//pkg/registry/rbac:go_default_library",
+        "//pkg/runtime:go_default_library",
+    ],
+)
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/policybased/storage.go
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/policybased/storage.go
@ -0,0 +1,97 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package policybased implements a standard storage for ClusterRole that prevents privilege escalation.
+package policybased
+
+import (
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/errors"
+	"k8s.io/kubernetes/pkg/api/rest"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/apis/rbac/validation"
+	rbacregistry "k8s.io/kubernetes/pkg/registry/rbac"
+	"k8s.io/kubernetes/pkg/runtime"
+)
+
+var groupResource = rbac.Resource("clusterroles")
+
+type Storage struct {
+	rest.StandardStorage
+
+	ruleResolver validation.AuthorizationRuleResolver
+
+	// user which skips privilege escalation checks
+	superUser string
+}
+
+func NewStorage(s rest.StandardStorage, ruleResolver validation.AuthorizationRuleResolver, superUser string) *Storage {
+	return &Storage{s, ruleResolver, superUser}
+}
+
+func (s *Storage) Create(ctx api.Context, obj runtime.Object) (runtime.Object, error) {
+	if rbacregistry.EscalationAllowed(ctx, s.superUser) {
+		return s.StandardStorage.Create(ctx, obj)
+	}
+
+	clusterRole := obj.(*rbac.ClusterRole)
+	rules := clusterRole.Rules
+	if err := validation.ConfirmNoEscalation(ctx, s.ruleResolver, rules); err != nil {
+		return nil, errors.NewForbidden(groupResource, clusterRole.Name, err)
+	}
+	return s.StandardStorage.Create(ctx, obj)
+}
+
+func (s *Storage) Update(ctx api.Context, name string, obj rest.UpdatedObjectInfo) (runtime.Object, bool, error) {
+	if rbacregistry.EscalationAllowed(ctx, s.superUser) {
+		return s.StandardStorage.Update(ctx, name, obj)
+	}
+
+	nonEscalatingInfo := wrapUpdatedObjectInfo(obj, func(ctx api.Context, obj runtime.Object, oldObj runtime.Object) (runtime.Object, error) {
+		clusterRole := obj.(*rbac.ClusterRole)
+
+		rules := clusterRole.Rules
+		if err := validation.ConfirmNoEscalation(ctx, s.ruleResolver, rules); err != nil {
+			return nil, errors.NewForbidden(groupResource, clusterRole.Name, err)
+		}
+		return obj, nil
+	})
+
+	return s.StandardStorage.Update(ctx, name, nonEscalatingInfo)
+}
+
+// TODO(ericchiang): This logic is copied from #26240. Replace with once that PR is merged into master.
+type wrappedUpdatedObjectInfo struct {
+	objInfo rest.UpdatedObjectInfo
+
+	transformFunc rest.TransformFunc
+}
+
+func wrapUpdatedObjectInfo(objInfo rest.UpdatedObjectInfo, transformFunc rest.TransformFunc) rest.UpdatedObjectInfo {
+	return &wrappedUpdatedObjectInfo{objInfo, transformFunc}
+}
+
+func (i *wrappedUpdatedObjectInfo) Preconditions() *api.Preconditions {
+	return i.objInfo.Preconditions()
+}
+
+func (i *wrappedUpdatedObjectInfo) UpdatedObject(ctx api.Context, oldObj runtime.Object) (runtime.Object, error) {
+	obj, err := i.objInfo.UpdatedObject(ctx, oldObj)
+	if err != nil {
+		return obj, err
+	}
+	return i.transformFunc(ctx, obj, oldObj)
+}
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/registry.go
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/registry.go
@ -0,0 +1,90 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package clusterrole
+
+import (
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/rest"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/watch"
+)
+
+// Registry is an interface for things that know how to store ClusterRoles.
+type Registry interface {
+	ListClusterRoles(ctx api.Context, options *api.ListOptions) (*rbac.ClusterRoleList, error)
+	CreateClusterRole(ctx api.Context, clusterRole *rbac.ClusterRole) error
+	UpdateClusterRole(ctx api.Context, clusterRole *rbac.ClusterRole) error
+	GetClusterRole(ctx api.Context, name string) (*rbac.ClusterRole, error)
+	DeleteClusterRole(ctx api.Context, name string) error
+	WatchClusterRoles(ctx api.Context, options *api.ListOptions) (watch.Interface, error)
+}
+
+// storage puts strong typing around storage calls
+type storage struct {
+	rest.StandardStorage
+}
+
+// NewRegistry returns a new Registry interface for the given Storage. Any mismatched
+// types will panic.
+func NewRegistry(s rest.StandardStorage) Registry {
+	return &storage{s}
+}
+
+func (s *storage) ListClusterRoles(ctx api.Context, options *api.ListOptions) (*rbac.ClusterRoleList, error) {
+	obj, err := s.List(ctx, options)
+	if err != nil {
+		return nil, err
+	}
+
+	return obj.(*rbac.ClusterRoleList), nil
+}
+
+func (s *storage) CreateClusterRole(ctx api.Context, clusterRole *rbac.ClusterRole) error {
+	_, err := s.Create(ctx, clusterRole)
+	return err
+}
+
+func (s *storage) UpdateClusterRole(ctx api.Context, clusterRole *rbac.ClusterRole) error {
+	_, _, err := s.Update(ctx, clusterRole.Name, rest.DefaultUpdatedObjectInfo(clusterRole, api.Scheme))
+	return err
+}
+
+func (s *storage) WatchClusterRoles(ctx api.Context, options *api.ListOptions) (watch.Interface, error) {
+	return s.Watch(ctx, options)
+}
+
+func (s *storage) GetClusterRole(ctx api.Context, name string) (*rbac.ClusterRole, error) {
+	obj, err := s.Get(ctx, name)
+	if err != nil {
+		return nil, err
+	}
+	return obj.(*rbac.ClusterRole), nil
+}
+
+func (s *storage) DeleteClusterRole(ctx api.Context, name string) error {
+	_, err := s.Delete(ctx, name, nil)
+	return err
+}
+
+// AuthorizerAdapter adapts the registry to the authorizer interface
+type AuthorizerAdapter struct {
+	Registry Registry
+}
+
+func (a AuthorizerAdapter) GetClusterRole(name string) (*rbac.ClusterRole, error) {
+	return a.Registry.GetClusterRole(api.NewContext(), name)
+}
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/strategy.go
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/strategy.go
@ -0,0 +1,125 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package clusterrole
+
+import (
+	"fmt"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/rest"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/apis/rbac/validation"
+	"k8s.io/kubernetes/pkg/fields"
+	"k8s.io/kubernetes/pkg/labels"
+	"k8s.io/kubernetes/pkg/runtime"
+	apistorage "k8s.io/kubernetes/pkg/storage"
+	"k8s.io/kubernetes/pkg/util/validation/field"
+)
+
+// strategy implements behavior for ClusterRoles
+type strategy struct {
+	runtime.ObjectTyper
+	api.NameGenerator
+}
+
+// strategy is the default logic that applies when creating and updating
+// ClusterRole objects.
+var Strategy = strategy{api.Scheme, api.SimpleNameGenerator}
+
+// Strategy should implement rest.RESTCreateStrategy
+var _ rest.RESTCreateStrategy = Strategy
+
+// Strategy should implement rest.RESTUpdateStrategy
+var _ rest.RESTUpdateStrategy = Strategy
+
+// NamespaceScoped is true for ClusterRoles.
+func (strategy) NamespaceScoped() bool {
+	return false
+}
+
+// AllowCreateOnUpdate is true for ClusterRoles.
+func (strategy) AllowCreateOnUpdate() bool {
+	return true
+}
+
+// PrepareForCreate clears fields that are not allowed to be set by end users
+// on creation.
+func (strategy) PrepareForCreate(ctx api.Context, obj runtime.Object) {
+	_ = obj.(*rbac.ClusterRole)
+}
+
+// PrepareForUpdate clears fields that are not allowed to be set by end users on update.
+func (strategy) PrepareForUpdate(ctx api.Context, obj, old runtime.Object) {
+	newClusterRole := obj.(*rbac.ClusterRole)
+	oldClusterRole := old.(*rbac.ClusterRole)
+
+	_, _ = newClusterRole, oldClusterRole
+}
+
+// Validate validates a new ClusterRole. Validation must check for a correct signature.
+func (strategy) Validate(ctx api.Context, obj runtime.Object) field.ErrorList {
+	clusterRole := obj.(*rbac.ClusterRole)
+	return validation.ValidateClusterRole(clusterRole)
+}
+
+// Canonicalize normalizes the object after validation.
+func (strategy) Canonicalize(obj runtime.Object) {
+	_ = obj.(*rbac.ClusterRole)
+}
+
+// ValidateUpdate is the default update validation for an end user.
+func (strategy) ValidateUpdate(ctx api.Context, obj, old runtime.Object) field.ErrorList {
+	newObj := obj.(*rbac.ClusterRole)
+	errorList := validation.ValidateClusterRole(newObj)
+	return append(errorList, validation.ValidateClusterRoleUpdate(newObj, old.(*rbac.ClusterRole))...)
+}
+
+// If AllowUnconditionalUpdate() is true and the object specified by
+// the user does not have a resource version, then generic Update()
+// populates it with the latest version. Else, it checks that the
+// version specified by the user matches the version of latest etcd
+// object.
+func (strategy) AllowUnconditionalUpdate() bool {
+	return true
+}
+
+func (s strategy) Export(ctx api.Context, obj runtime.Object, exact bool) error {
+	return nil
+}
+
+// GetAttrs returns labels and fields of a given object for filtering purposes.
+func GetAttrs(obj runtime.Object) (labels.Set, fields.Set, error) {
+	role, ok := obj.(*rbac.ClusterRole)
+	if !ok {
+		return nil, nil, fmt.Errorf("not a ClusterRole")
+	}
+	return labels.Set(role.Labels), SelectableFields(role), nil
+}
+
+// Matcher returns a generic matcher for a given label and field selector.
+func Matcher(label labels.Selector, field fields.Selector) apistorage.SelectionPredicate {
+	return apistorage.SelectionPredicate{
+		Label:    label,
+		Field:    field,
+		GetAttrs: GetAttrs,
+	}
+}
+
+// SelectableFields returns a field set that can be used for filter selection
+func SelectableFields(obj *rbac.ClusterRole) fields.Set {
+	return nil
+}
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/BUILD
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/BUILD
@ -0,0 +1,33 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "doc.go",
+        "registry.go",
+        "strategy.go",
+    ],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/api/rest:go_default_library",
+        "//pkg/apis/rbac:go_default_library",
+        "//pkg/apis/rbac/validation:go_default_library",
+        "//pkg/fields:go_default_library",
+        "//pkg/labels:go_default_library",
+        "//pkg/runtime:go_default_library",
+        "//pkg/storage:go_default_library",
+        "//pkg/util/validation/field:go_default_library",
+        "//pkg/watch:go_default_library",
+    ],
+)
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/doc.go
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/doc.go
@ -0,0 +1,19 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package certificates provides Registry interface and its RESTStorage
+// implementation for storing ClusterRoleBinding objects.
+package clusterrolebinding // import "k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding"
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/etcd/BUILD
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/etcd/BUILD
@ -0,0 +1,27 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["etcd.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/apis/rbac:go_default_library",
+        "//pkg/registry/cachesize:go_default_library",
+        "//pkg/registry/generic:go_default_library",
+        "//pkg/registry/generic/registry:go_default_library",
+        "//pkg/registry/rbac/clusterrolebinding:go_default_library",
+        "//pkg/runtime:go_default_library",
+        "//pkg/storage:go_default_library",
+    ],
+)
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/etcd/etcd.go
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/etcd/etcd.go
@ -0,0 +1,77 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package etcd
+
+import (
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/registry/cachesize"
+	"k8s.io/kubernetes/pkg/registry/generic"
+	genericregistry "k8s.io/kubernetes/pkg/registry/generic/registry"
+	"k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding"
+	"k8s.io/kubernetes/pkg/runtime"
+	"k8s.io/kubernetes/pkg/storage"
+)
+
+// REST implements a RESTStorage for ClusterRoleBinding against etcd
+type REST struct {
+	*genericregistry.Store
+}
+
+// NewREST returns a RESTStorage object that will work against ClusterRoleBinding objects.
+func NewREST(opts generic.RESTOptions) *REST {
+	prefix := "/" + opts.ResourcePrefix
+
+	newListFunc := func() runtime.Object { return &rbac.ClusterRoleBindingList{} }
+	storageInterface, dFunc := opts.Decorator(
+		opts.StorageConfig,
+		cachesize.GetWatchCacheSizeByResource(cachesize.ClusterRoleBindings),
+		&rbac.ClusterRoleBinding{},
+		prefix,
+		clusterrolebinding.Strategy,
+		newListFunc,
+		clusterrolebinding.GetAttrs,
+		storage.NoTriggerPublisher,
+	)
+
+	store := &genericregistry.Store{
+		NewFunc:     func() runtime.Object { return &rbac.ClusterRoleBinding{} },
+		NewListFunc: newListFunc,
+		KeyRootFunc: func(ctx api.Context) string {
+			return genericregistry.NamespaceKeyRootFunc(ctx, prefix)
+		},
+		KeyFunc: func(ctx api.Context, id string) (string, error) {
+			return genericregistry.NoNamespaceKeyFunc(ctx, prefix, id)
+		},
+		ObjectNameFunc: func(obj runtime.Object) (string, error) {
+			return obj.(*rbac.ClusterRoleBinding).Name, nil
+		},
+		PredicateFunc:           clusterrolebinding.Matcher,
+		QualifiedResource:       rbac.Resource("clusterrolebindings"),
+		EnableGarbageCollection: opts.EnableGarbageCollection,
+		DeleteCollectionWorkers: opts.DeleteCollectionWorkers,
+
+		CreateStrategy: clusterrolebinding.Strategy,
+		UpdateStrategy: clusterrolebinding.Strategy,
+		DeleteStrategy: clusterrolebinding.Strategy,
+
+		Storage:     storageInterface,
+		DestroyFunc: dFunc,
+	}
+
+	return &REST{store}
+}
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/policybased/BUILD
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/policybased/BUILD
@ -0,0 +1,26 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["storage.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/api/errors:go_default_library",
+        "//pkg/api/rest:go_default_library",
+        "//pkg/apis/rbac:go_default_library",
+        "//pkg/apis/rbac/validation:go_default_library",
+        "//pkg/registry/rbac:go_default_library",
+        "//pkg/runtime:go_default_library",
+    ],
+)
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/policybased/storage.go
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/policybased/storage.go
@ -0,0 +1,103 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package policybased implements a standard storage for ClusterRoleBinding that prevents privilege escalation.
+package policybased
+
+import (
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/errors"
+	"k8s.io/kubernetes/pkg/api/rest"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/apis/rbac/validation"
+	rbacregistry "k8s.io/kubernetes/pkg/registry/rbac"
+	"k8s.io/kubernetes/pkg/runtime"
+)
+
+var groupResource = rbac.Resource("clusterrolebindings")
+
+type Storage struct {
+	rest.StandardStorage
+
+	ruleResolver validation.AuthorizationRuleResolver
+
+	// user which skips privilege escalation checks
+	superUser string
+}
+
+func NewStorage(s rest.StandardStorage, ruleResolver validation.AuthorizationRuleResolver, superUser string) *Storage {
+	return &Storage{s, ruleResolver, superUser}
+}
+
+func (s *Storage) Create(ctx api.Context, obj runtime.Object) (runtime.Object, error) {
+	if rbacregistry.EscalationAllowed(ctx, s.superUser) {
+		return s.StandardStorage.Create(ctx, obj)
+	}
+
+	clusterRoleBinding := obj.(*rbac.ClusterRoleBinding)
+	rules, err := s.ruleResolver.GetRoleReferenceRules(clusterRoleBinding.RoleRef, clusterRoleBinding.Namespace)
+	if err != nil {
+		return nil, err
+	}
+	if err := validation.ConfirmNoEscalation(ctx, s.ruleResolver, rules); err != nil {
+		return nil, errors.NewForbidden(groupResource, clusterRoleBinding.Name, err)
+	}
+	return s.StandardStorage.Create(ctx, obj)
+}
+
+func (s *Storage) Update(ctx api.Context, name string, obj rest.UpdatedObjectInfo) (runtime.Object, bool, error) {
+	if rbacregistry.EscalationAllowed(ctx, s.superUser) {
+		return s.StandardStorage.Update(ctx, name, obj)
+	}
+
+	nonEscalatingInfo := wrapUpdatedObjectInfo(obj, func(ctx api.Context, obj runtime.Object, oldObj runtime.Object) (runtime.Object, error) {
+		clusterRoleBinding := obj.(*rbac.ClusterRoleBinding)
+
+		rules, err := s.ruleResolver.GetRoleReferenceRules(clusterRoleBinding.RoleRef, clusterRoleBinding.Namespace)
+		if err != nil {
+			return nil, err
+		}
+		if err := validation.ConfirmNoEscalation(ctx, s.ruleResolver, rules); err != nil {
+			return nil, errors.NewForbidden(groupResource, clusterRoleBinding.Name, err)
+		}
+		return obj, nil
+	})
+
+	return s.StandardStorage.Update(ctx, name, nonEscalatingInfo)
+}
+
+// TODO(ericchiang): This logic is copied from #26240. Replace with once that PR is merged into master.
+type wrappedUpdatedObjectInfo struct {
+	objInfo rest.UpdatedObjectInfo
+
+	transformFunc rest.TransformFunc
+}
+
+func wrapUpdatedObjectInfo(objInfo rest.UpdatedObjectInfo, transformFunc rest.TransformFunc) rest.UpdatedObjectInfo {
+	return &wrappedUpdatedObjectInfo{objInfo, transformFunc}
+}
+
+func (i *wrappedUpdatedObjectInfo) Preconditions() *api.Preconditions {
+	return i.objInfo.Preconditions()
+}
+
+func (i *wrappedUpdatedObjectInfo) UpdatedObject(ctx api.Context, oldObj runtime.Object) (runtime.Object, error) {
+	obj, err := i.objInfo.UpdatedObject(ctx, oldObj)
+	if err != nil {
+		return obj, err
+	}
+	return i.transformFunc(ctx, obj, oldObj)
+}
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/registry.go
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/registry.go
@ -0,0 +1,99 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package clusterrolebinding
+
+import (
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/rest"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/watch"
+)
+
+// Registry is an interface for things that know how to store ClusterRoleBindings.
+type Registry interface {
+	ListClusterRoleBindings(ctx api.Context, options *api.ListOptions) (*rbac.ClusterRoleBindingList, error)
+	CreateClusterRoleBinding(ctx api.Context, clusterRoleBinding *rbac.ClusterRoleBinding) error
+	UpdateClusterRoleBinding(ctx api.Context, clusterRoleBinding *rbac.ClusterRoleBinding) error
+	GetClusterRoleBinding(ctx api.Context, name string) (*rbac.ClusterRoleBinding, error)
+	DeleteClusterRoleBinding(ctx api.Context, name string) error
+	WatchClusterRoleBindings(ctx api.Context, options *api.ListOptions) (watch.Interface, error)
+}
+
+// storage puts strong typing around storage calls
+type storage struct {
+	rest.StandardStorage
+}
+
+// NewRegistry returns a new Registry interface for the given Storage. Any mismatched
+// types will panic.
+func NewRegistry(s rest.StandardStorage) Registry {
+	return &storage{s}
+}
+
+func (s *storage) ListClusterRoleBindings(ctx api.Context, options *api.ListOptions) (*rbac.ClusterRoleBindingList, error) {
+	obj, err := s.List(ctx, options)
+	if err != nil {
+		return nil, err
+	}
+
+	return obj.(*rbac.ClusterRoleBindingList), nil
+}
+
+func (s *storage) CreateClusterRoleBinding(ctx api.Context, clusterRoleBinding *rbac.ClusterRoleBinding) error {
+	_, err := s.Create(ctx, clusterRoleBinding)
+	return err
+}
+
+func (s *storage) UpdateClusterRoleBinding(ctx api.Context, clusterRoleBinding *rbac.ClusterRoleBinding) error {
+	_, _, err := s.Update(ctx, clusterRoleBinding.Name, rest.DefaultUpdatedObjectInfo(clusterRoleBinding, api.Scheme))
+	return err
+}
+
+func (s *storage) WatchClusterRoleBindings(ctx api.Context, options *api.ListOptions) (watch.Interface, error) {
+	return s.Watch(ctx, options)
+}
+
+func (s *storage) GetClusterRoleBinding(ctx api.Context, name string) (*rbac.ClusterRoleBinding, error) {
+	obj, err := s.Get(ctx, name)
+	if err != nil {
+		return nil, err
+	}
+	return obj.(*rbac.ClusterRoleBinding), nil
+}
+
+func (s *storage) DeleteClusterRoleBinding(ctx api.Context, name string) error {
+	_, err := s.Delete(ctx, name, nil)
+	return err
+}
+
+// AuthorizerAdapter adapts the registry to the authorizer interface
+type AuthorizerAdapter struct {
+	Registry Registry
+}
+
+func (a AuthorizerAdapter) ListClusterRoleBindings() ([]*rbac.ClusterRoleBinding, error) {
+	list, err := a.Registry.ListClusterRoleBindings(api.NewContext(), &api.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	ret := []*rbac.ClusterRoleBinding{}
+	for i := range list.Items {
+		ret = append(ret, &list.Items[i])
+	}
+	return ret, nil
+}
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/strategy.go
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/strategy.go
@ -0,0 +1,125 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package clusterrolebinding
+
+import (
+	"fmt"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/rest"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/apis/rbac/validation"
+	"k8s.io/kubernetes/pkg/fields"
+	"k8s.io/kubernetes/pkg/labels"
+	"k8s.io/kubernetes/pkg/runtime"
+	apistorage "k8s.io/kubernetes/pkg/storage"
+	"k8s.io/kubernetes/pkg/util/validation/field"
+)
+
+// strategy implements behavior for ClusterRoleBindings
+type strategy struct {
+	runtime.ObjectTyper
+	api.NameGenerator
+}
+
+// strategy is the default logic that applies when creating and updating
+// ClusterRoleBinding objects.
+var Strategy = strategy{api.Scheme, api.SimpleNameGenerator}
+
+// Strategy should implement rest.RESTCreateStrategy
+var _ rest.RESTCreateStrategy = Strategy
+
+// Strategy should implement rest.RESTUpdateStrategy
+var _ rest.RESTUpdateStrategy = Strategy
+
+// NamespaceScoped is true for ClusterRoleBindings.
+func (strategy) NamespaceScoped() bool {
+	return false
+}
+
+// AllowCreateOnUpdate is true for ClusterRoleBindings.
+func (strategy) AllowCreateOnUpdate() bool {
+	return true
+}
+
+// PrepareForCreate clears fields that are not allowed to be set by end users
+// on creation.
+func (strategy) PrepareForCreate(ctx api.Context, obj runtime.Object) {
+	_ = obj.(*rbac.ClusterRoleBinding)
+}
+
+// PrepareForUpdate clears fields that are not allowed to be set by end users on update.
+func (strategy) PrepareForUpdate(ctx api.Context, obj, old runtime.Object) {
+	newClusterRoleBinding := obj.(*rbac.ClusterRoleBinding)
+	oldClusterRoleBinding := old.(*rbac.ClusterRoleBinding)
+
+	_, _ = newClusterRoleBinding, oldClusterRoleBinding
+}
+
+// Validate validates a new ClusterRoleBinding. Validation must check for a correct signature.
+func (strategy) Validate(ctx api.Context, obj runtime.Object) field.ErrorList {
+	clusterRoleBinding := obj.(*rbac.ClusterRoleBinding)
+	return validation.ValidateClusterRoleBinding(clusterRoleBinding)
+}
+
+// Canonicalize normalizes the object after validation.
+func (strategy) Canonicalize(obj runtime.Object) {
+	_ = obj.(*rbac.ClusterRoleBinding)
+}
+
+// ValidateUpdate is the default update validation for an end user.
+func (strategy) ValidateUpdate(ctx api.Context, obj, old runtime.Object) field.ErrorList {
+	newObj := obj.(*rbac.ClusterRoleBinding)
+	errorList := validation.ValidateClusterRoleBinding(newObj)
+	return append(errorList, validation.ValidateClusterRoleBindingUpdate(newObj, old.(*rbac.ClusterRoleBinding))...)
+}
+
+// If AllowUnconditionalUpdate() is true and the object specified by
+// the user does not have a resource version, then generic Update()
+// populates it with the latest version. Else, it checks that the
+// version specified by the user matches the version of latest etcd
+// object.
+func (strategy) AllowUnconditionalUpdate() bool {
+	return true
+}
+
+func (s strategy) Export(ctx api.Context, obj runtime.Object, exact bool) error {
+	return nil
+}
+
+// GetAttrs returns labels and fields of a given object for filtering purposes.
+func GetAttrs(obj runtime.Object) (labels.Set, fields.Set, error) {
+	roleBinding, ok := obj.(*rbac.ClusterRoleBinding)
+	if !ok {
+		return nil, nil, fmt.Errorf("not a ClusterRoleBinding")
+	}
+	return labels.Set(roleBinding.Labels), SelectableFields(roleBinding), nil
+}
+
+// Matcher returns a generic matcher for a given label and field selector.
+func Matcher(label labels.Selector, field fields.Selector) apistorage.SelectionPredicate {
+	return apistorage.SelectionPredicate{
+		Label:    label,
+		Field:    field,
+		GetAttrs: GetAttrs,
+	}
+}
+
+// SelectableFields returns a field set that can be used for filter selection
+func SelectableFields(obj *rbac.ClusterRoleBinding) fields.Set {
+	return nil
+}
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/escalation_check.go
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/escalation_check.go
@ -0,0 +1,45 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rbac
+
+import (
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/auth/user"
+)
+
+func EscalationAllowed(ctx api.Context, superUser string) bool {
+	u, ok := api.UserFrom(ctx)
+	if !ok {
+		// the only way to be without a user is to either have no authenticators by explicitly saying that's your preference
+		// or to be connecting via the insecure port, in which case this logically doesn't apply
+		return true
+	}
+
+	// check to see if this subject is allowed to escalate
+	if len(superUser) != 0 && u.GetName() == superUser {
+		return true
+	}
+	// system:masters is special because the API server uses it for privileged loopback connections
+	// therefore we know that a member of system:masters can always do anything
+	for _, group := range u.GetGroups() {
+		if group == user.SystemPrivilegedGroup {
+			return true
+		}
+	}
+
+	return false
+}
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/rest/BUILD
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/rest/BUILD
@ -0,0 +1,42 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["storage_rbac.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/api/rest:go_default_library",
+        "//pkg/apis/rbac:go_default_library",
+        "//pkg/apis/rbac/v1alpha1:go_default_library",
+        "//pkg/apis/rbac/validation:go_default_library",
+        "//pkg/client/clientset_generated/internalclientset/typed/rbac/internalversion:go_default_library",
+        "//pkg/genericapiserver:go_default_library",
+        "//pkg/registry:go_default_library",
+        "//pkg/registry/rbac/clusterrole:go_default_library",
+        "//pkg/registry/rbac/clusterrole/etcd:go_default_library",
+        "//pkg/registry/rbac/clusterrole/policybased:go_default_library",
+        "//pkg/registry/rbac/clusterrolebinding:go_default_library",
+        "//pkg/registry/rbac/clusterrolebinding/etcd:go_default_library",
+        "//pkg/registry/rbac/clusterrolebinding/policybased:go_default_library",
+        "//pkg/registry/rbac/role:go_default_library",
+        "//pkg/registry/rbac/role/etcd:go_default_library",
+        "//pkg/registry/rbac/role/policybased:go_default_library",
+        "//pkg/registry/rbac/rolebinding:go_default_library",
+        "//pkg/registry/rbac/rolebinding/etcd:go_default_library",
+        "//pkg/registry/rbac/rolebinding/policybased:go_default_library",
+        "//pkg/util/runtime:go_default_library",
+        "//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library",
+        "//vendor:github.com/golang/glog",
+    ],
+)
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/rest/storage_rbac.go
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/rest/storage_rbac.go
@ -0,0 +1,159 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rest
+
+import (
+	"fmt"
+	"sync"
+
+	"github.com/golang/glog"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/rest"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	rbacapiv1alpha1 "k8s.io/kubernetes/pkg/apis/rbac/v1alpha1"
+	rbacvalidation "k8s.io/kubernetes/pkg/apis/rbac/validation"
+	rbacclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/rbac/internalversion"
+	"k8s.io/kubernetes/pkg/genericapiserver"
+	"k8s.io/kubernetes/pkg/registry"
+	"k8s.io/kubernetes/pkg/registry/rbac/clusterrole"
+	clusterroleetcd "k8s.io/kubernetes/pkg/registry/rbac/clusterrole/etcd"
+	clusterrolepolicybased "k8s.io/kubernetes/pkg/registry/rbac/clusterrole/policybased"
+	"k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding"
+	clusterrolebindingetcd "k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/etcd"
+	clusterrolebindingpolicybased "k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/policybased"
+	"k8s.io/kubernetes/pkg/registry/rbac/role"
+	roleetcd "k8s.io/kubernetes/pkg/registry/rbac/role/etcd"
+	rolepolicybased "k8s.io/kubernetes/pkg/registry/rbac/role/policybased"
+	"k8s.io/kubernetes/pkg/registry/rbac/rolebinding"
+	rolebindingetcd "k8s.io/kubernetes/pkg/registry/rbac/rolebinding/etcd"
+	rolebindingpolicybased "k8s.io/kubernetes/pkg/registry/rbac/rolebinding/policybased"
+	utilruntime "k8s.io/kubernetes/pkg/util/runtime"
+	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy"
+)
+
+type RESTStorageProvider struct {
+	AuthorizerRBACSuperUser string
+}
+
+var _ genericapiserver.PostStartHookProvider = RESTStorageProvider{}
+
+func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource genericapiserver.APIResourceConfigSource, restOptionsGetter registry.RESTOptionsGetter) (genericapiserver.APIGroupInfo, bool) {
+	apiGroupInfo := genericapiserver.NewDefaultAPIGroupInfo(rbac.GroupName)
+
+	if apiResourceConfigSource.AnyResourcesForVersionEnabled(rbacapiv1alpha1.SchemeGroupVersion) {
+		apiGroupInfo.VersionedResourcesStorageMap[rbacapiv1alpha1.SchemeGroupVersion.Version] = p.v1alpha1Storage(apiResourceConfigSource, restOptionsGetter)
+		apiGroupInfo.GroupMeta.GroupVersion = rbacapiv1alpha1.SchemeGroupVersion
+	}
+
+	return apiGroupInfo, true
+}
+
+func (p RESTStorageProvider) v1alpha1Storage(apiResourceConfigSource genericapiserver.APIResourceConfigSource, restOptionsGetter registry.RESTOptionsGetter) map[string]rest.Storage {
+	version := rbacapiv1alpha1.SchemeGroupVersion
+
+	once := new(sync.Once)
+	var authorizationRuleResolver rbacvalidation.AuthorizationRuleResolver
+	newRuleValidator := func() rbacvalidation.AuthorizationRuleResolver {
+		once.Do(func() {
+			authorizationRuleResolver = rbacvalidation.NewDefaultRuleResolver(
+				role.AuthorizerAdapter{Registry: role.NewRegistry(roleetcd.NewREST(restOptionsGetter(rbac.Resource("roles"))))},
+				rolebinding.AuthorizerAdapter{Registry: rolebinding.NewRegistry(rolebindingetcd.NewREST(restOptionsGetter(rbac.Resource("rolebindings"))))},
+				clusterrole.AuthorizerAdapter{Registry: clusterrole.NewRegistry(clusterroleetcd.NewREST(restOptionsGetter(rbac.Resource("clusterroles"))))},
+				clusterrolebinding.AuthorizerAdapter{Registry: clusterrolebinding.NewRegistry(clusterrolebindingetcd.NewREST(restOptionsGetter(rbac.Resource("clusterrolebindings"))))},
+			)
+		})
+		return authorizationRuleResolver
+	}
+
+	storage := map[string]rest.Storage{}
+	if apiResourceConfigSource.ResourceEnabled(version.WithResource("roles")) {
+		rolesStorage := roleetcd.NewREST(restOptionsGetter(rbac.Resource("roles")))
+		storage["roles"] = rolepolicybased.NewStorage(rolesStorage, newRuleValidator(), p.AuthorizerRBACSuperUser)
+	}
+	if apiResourceConfigSource.ResourceEnabled(version.WithResource("rolebindings")) {
+		roleBindingsStorage := rolebindingetcd.NewREST(restOptionsGetter(rbac.Resource("rolebindings")))
+		storage["rolebindings"] = rolebindingpolicybased.NewStorage(roleBindingsStorage, newRuleValidator(), p.AuthorizerRBACSuperUser)
+	}
+	if apiResourceConfigSource.ResourceEnabled(version.WithResource("clusterroles")) {
+		clusterRolesStorage := clusterroleetcd.NewREST(restOptionsGetter(rbac.Resource("clusterroles")))
+		storage["clusterroles"] = clusterrolepolicybased.NewStorage(clusterRolesStorage, newRuleValidator(), p.AuthorizerRBACSuperUser)
+	}
+	if apiResourceConfigSource.ResourceEnabled(version.WithResource("clusterrolebindings")) {
+		clusterRoleBindingsStorage := clusterrolebindingetcd.NewREST(restOptionsGetter(rbac.Resource("clusterrolebindings")))
+		storage["clusterrolebindings"] = clusterrolebindingpolicybased.NewStorage(clusterRoleBindingsStorage, newRuleValidator(), p.AuthorizerRBACSuperUser)
+	}
+	return storage
+}
+
+func (p RESTStorageProvider) PostStartHook() (string, genericapiserver.PostStartHookFunc, error) {
+	return "rbac/bootstrap-roles", PostStartHook, nil
+}
+
+func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
+	clientset, err := rbacclient.NewForConfig(hookContext.LoopbackClientConfig)
+	if err != nil {
+		utilruntime.HandleError(fmt.Errorf("unable to initialize clusterroles: %v", err))
+		return nil
+	}
+
+	existingClusterRoles, err := clientset.ClusterRoles().List(api.ListOptions{})
+	if err != nil {
+		utilruntime.HandleError(fmt.Errorf("unable to initialize clusterroles: %v", err))
+		return nil
+	}
+	// if clusterroles already exist, then assume we don't have work to do because we've already
+	// initialized or another API server has started this task
+	if len(existingClusterRoles.Items) > 0 {
+		return nil
+	}
+
+	for _, clusterRole := range append(bootstrappolicy.ClusterRoles(), bootstrappolicy.ControllerRoles()...) {
+		if _, err := clientset.ClusterRoles().Create(&clusterRole); err != nil {
+			// don't fail on failures, try to create as many as you can
+			utilruntime.HandleError(fmt.Errorf("unable to initialize clusterroles: %v", err))
+			continue
+		}
+		glog.Infof("Created clusterrole.%s/%s", rbac.GroupName, clusterRole.Name)
+	}
+
+	existingClusterRoleBindings, err := clientset.ClusterRoleBindings().List(api.ListOptions{})
+	if err != nil {
+		utilruntime.HandleError(fmt.Errorf("unable to initialize clusterrolebindings: %v", err))
+		return nil
+	}
+	// if clusterrolebindings already exist, then assume we don't have work to do because we've already
+	// initialized or another API server has started this task
+	if len(existingClusterRoleBindings.Items) > 0 {
+		return nil
+	}
+
+	for _, clusterRoleBinding := range append(bootstrappolicy.ClusterRoleBindings(), bootstrappolicy.ControllerRoleBindings()...) {
+		if _, err := clientset.ClusterRoleBindings().Create(&clusterRoleBinding); err != nil {
+			// don't fail on failures, try to create as many as you can
+			utilruntime.HandleError(fmt.Errorf("unable to initialize clusterrolebindings: %v", err))
+			continue
+		}
+		glog.Infof("Created clusterrolebinding.%s/%s", rbac.GroupName, clusterRoleBinding.Name)
+	}
+
+	return nil
+}
+
+func (p RESTStorageProvider) GroupName() string {
+	return rbac.GroupName
+}
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/role/BUILD
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/role/BUILD
@ -0,0 +1,33 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "doc.go",
+        "registry.go",
+        "strategy.go",
+    ],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/api/rest:go_default_library",
+        "//pkg/apis/rbac:go_default_library",
+        "//pkg/apis/rbac/validation:go_default_library",
+        "//pkg/fields:go_default_library",
+        "//pkg/labels:go_default_library",
+        "//pkg/runtime:go_default_library",
+        "//pkg/storage:go_default_library",
+        "//pkg/util/validation/field:go_default_library",
+        "//pkg/watch:go_default_library",
+    ],
+)
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/role/doc.go
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/role/doc.go
@ -0,0 +1,19 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package certificates provides Registry interface and its RESTStorage
+// implementation for storing Role objects.
+package role // import "k8s.io/kubernetes/pkg/registry/rbac/role"
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/role/etcd/BUILD
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/role/etcd/BUILD
@ -0,0 +1,27 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["etcd.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/apis/rbac:go_default_library",
+        "//pkg/registry/cachesize:go_default_library",
+        "//pkg/registry/generic:go_default_library",
+        "//pkg/registry/generic/registry:go_default_library",
+        "//pkg/registry/rbac/role:go_default_library",
+        "//pkg/runtime:go_default_library",
+        "//pkg/storage:go_default_library",
+    ],
+)
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/role/etcd/etcd.go
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/role/etcd/etcd.go
@ -0,0 +1,77 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package etcd
+
+import (
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/registry/cachesize"
+	"k8s.io/kubernetes/pkg/registry/generic"
+	genericregistry "k8s.io/kubernetes/pkg/registry/generic/registry"
+	"k8s.io/kubernetes/pkg/registry/rbac/role"
+	"k8s.io/kubernetes/pkg/runtime"
+	"k8s.io/kubernetes/pkg/storage"
+)
+
+// REST implements a RESTStorage for Role against etcd
+type REST struct {
+	*genericregistry.Store
+}
+
+// NewREST returns a RESTStorage object that will work against Role objects.
+func NewREST(opts generic.RESTOptions) *REST {
+	prefix := "/" + opts.ResourcePrefix
+
+	newListFunc := func() runtime.Object { return &rbac.RoleList{} }
+	storageInterface, dFunc := opts.Decorator(
+		opts.StorageConfig,
+		cachesize.GetWatchCacheSizeByResource(cachesize.Roles),
+		&rbac.Role{},
+		prefix,
+		role.Strategy,
+		newListFunc,
+		role.GetAttrs,
+		storage.NoTriggerPublisher,
+	)
+
+	store := &genericregistry.Store{
+		NewFunc:     func() runtime.Object { return &rbac.Role{} },
+		NewListFunc: newListFunc,
+		KeyRootFunc: func(ctx api.Context) string {
+			return genericregistry.NamespaceKeyRootFunc(ctx, prefix)
+		},
+		KeyFunc: func(ctx api.Context, id string) (string, error) {
+			return genericregistry.NamespaceKeyFunc(ctx, prefix, id)
+		},
+		ObjectNameFunc: func(obj runtime.Object) (string, error) {
+			return obj.(*rbac.Role).Name, nil
+		},
+		PredicateFunc:           role.Matcher,
+		QualifiedResource:       rbac.Resource("roles"),
+		EnableGarbageCollection: opts.EnableGarbageCollection,
+		DeleteCollectionWorkers: opts.DeleteCollectionWorkers,
+
+		CreateStrategy: role.Strategy,
+		UpdateStrategy: role.Strategy,
+		DeleteStrategy: role.Strategy,
+
+		Storage:     storageInterface,
+		DestroyFunc: dFunc,
+	}
+
+	return &REST{store}
+}
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/role/policybased/BUILD
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/role/policybased/BUILD
@ -0,0 +1,26 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["storage.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/api/errors:go_default_library",
+        "//pkg/api/rest:go_default_library",
+        "//pkg/apis/rbac:go_default_library",
+        "//pkg/apis/rbac/validation:go_default_library",
+        "//pkg/registry/rbac:go_default_library",
+        "//pkg/runtime:go_default_library",
+    ],
+)
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/role/policybased/storage.go
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/role/policybased/storage.go
@ -0,0 +1,97 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package policybased implements a standard storage for Role that prevents privilege escalation.
+package policybased
+
+import (
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/errors"
+	"k8s.io/kubernetes/pkg/api/rest"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/apis/rbac/validation"
+	rbacregistry "k8s.io/kubernetes/pkg/registry/rbac"
+	"k8s.io/kubernetes/pkg/runtime"
+)
+
+var groupResource = rbac.Resource("roles")
+
+type Storage struct {
+	rest.StandardStorage
+
+	ruleResolver validation.AuthorizationRuleResolver
+
+	// user which skips privilege escalation checks
+	superUser string
+}
+
+func NewStorage(s rest.StandardStorage, ruleResolver validation.AuthorizationRuleResolver, superUser string) *Storage {
+	return &Storage{s, ruleResolver, superUser}
+}
+
+func (s *Storage) Create(ctx api.Context, obj runtime.Object) (runtime.Object, error) {
+	if rbacregistry.EscalationAllowed(ctx, s.superUser) {
+		return s.StandardStorage.Create(ctx, obj)
+	}
+
+	role := obj.(*rbac.Role)
+	rules := role.Rules
+	if err := validation.ConfirmNoEscalation(ctx, s.ruleResolver, rules); err != nil {
+		return nil, errors.NewForbidden(groupResource, role.Name, err)
+	}
+	return s.StandardStorage.Create(ctx, obj)
+}
+
+func (s *Storage) Update(ctx api.Context, name string, obj rest.UpdatedObjectInfo) (runtime.Object, bool, error) {
+	if rbacregistry.EscalationAllowed(ctx, s.superUser) {
+		return s.StandardStorage.Update(ctx, name, obj)
+	}
+
+	nonEscalatingInfo := wrapUpdatedObjectInfo(obj, func(ctx api.Context, obj runtime.Object, oldObj runtime.Object) (runtime.Object, error) {
+		role := obj.(*rbac.Role)
+
+		rules := role.Rules
+		if err := validation.ConfirmNoEscalation(ctx, s.ruleResolver, rules); err != nil {
+			return nil, errors.NewForbidden(groupResource, role.Name, err)
+		}
+		return obj, nil
+	})
+
+	return s.StandardStorage.Update(ctx, name, nonEscalatingInfo)
+}
+
+// TODO(ericchiang): This logic is copied from #26240. Replace with once that PR is merged into master.
+type wrappedUpdatedObjectInfo struct {
+	objInfo rest.UpdatedObjectInfo
+
+	transformFunc rest.TransformFunc
+}
+
+func wrapUpdatedObjectInfo(objInfo rest.UpdatedObjectInfo, transformFunc rest.TransformFunc) rest.UpdatedObjectInfo {
+	return &wrappedUpdatedObjectInfo{objInfo, transformFunc}
+}
+
+func (i *wrappedUpdatedObjectInfo) Preconditions() *api.Preconditions {
+	return i.objInfo.Preconditions()
+}
+
+func (i *wrappedUpdatedObjectInfo) UpdatedObject(ctx api.Context, oldObj runtime.Object) (runtime.Object, error) {
+	obj, err := i.objInfo.UpdatedObject(ctx, oldObj)
+	if err != nil {
+		return obj, err
+	}
+	return i.transformFunc(ctx, obj, oldObj)
+}
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/role/registry.go
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/role/registry.go
@ -0,0 +1,90 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package role
+
+import (
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/rest"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/watch"
+)
+
+// Registry is an interface for things that know how to store Roles.
+type Registry interface {
+	ListRoles(ctx api.Context, options *api.ListOptions) (*rbac.RoleList, error)
+	CreateRole(ctx api.Context, role *rbac.Role) error
+	UpdateRole(ctx api.Context, role *rbac.Role) error
+	GetRole(ctx api.Context, name string) (*rbac.Role, error)
+	DeleteRole(ctx api.Context, name string) error
+	WatchRoles(ctx api.Context, options *api.ListOptions) (watch.Interface, error)
+}
+
+// storage puts strong typing around storage calls
+type storage struct {
+	rest.StandardStorage
+}
+
+// NewRegistry returns a new Registry interface for the given Storage. Any mismatched
+// types will panic.
+func NewRegistry(s rest.StandardStorage) Registry {
+	return &storage{s}
+}
+
+func (s *storage) ListRoles(ctx api.Context, options *api.ListOptions) (*rbac.RoleList, error) {
+	obj, err := s.List(ctx, options)
+	if err != nil {
+		return nil, err
+	}
+
+	return obj.(*rbac.RoleList), nil
+}
+
+func (s *storage) CreateRole(ctx api.Context, role *rbac.Role) error {
+	_, err := s.Create(ctx, role)
+	return err
+}
+
+func (s *storage) UpdateRole(ctx api.Context, role *rbac.Role) error {
+	_, _, err := s.Update(ctx, role.Name, rest.DefaultUpdatedObjectInfo(role, api.Scheme))
+	return err
+}
+
+func (s *storage) WatchRoles(ctx api.Context, options *api.ListOptions) (watch.Interface, error) {
+	return s.Watch(ctx, options)
+}
+
+func (s *storage) GetRole(ctx api.Context, name string) (*rbac.Role, error) {
+	obj, err := s.Get(ctx, name)
+	if err != nil {
+		return nil, err
+	}
+	return obj.(*rbac.Role), nil
+}
+
+func (s *storage) DeleteRole(ctx api.Context, name string) error {
+	_, err := s.Delete(ctx, name, nil)
+	return err
+}
+
+// AuthorizerAdapter adapts the registry to the authorizer interface
+type AuthorizerAdapter struct {
+	Registry Registry
+}
+
+func (a AuthorizerAdapter) GetRole(namespace, name string) (*rbac.Role, error) {
+	return a.Registry.GetRole(api.WithNamespace(api.NewContext(), namespace), name)
+}
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/role/strategy.go
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/role/strategy.go
@ -0,0 +1,125 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package role
+
+import (
+	"fmt"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/rest"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/apis/rbac/validation"
+	"k8s.io/kubernetes/pkg/fields"
+	"k8s.io/kubernetes/pkg/labels"
+	"k8s.io/kubernetes/pkg/runtime"
+	apistorage "k8s.io/kubernetes/pkg/storage"
+	"k8s.io/kubernetes/pkg/util/validation/field"
+)
+
+// strategy implements behavior for Roles
+type strategy struct {
+	runtime.ObjectTyper
+	api.NameGenerator
+}
+
+// strategy is the default logic that applies when creating and updating
+// Role objects.
+var Strategy = strategy{api.Scheme, api.SimpleNameGenerator}
+
+// Strategy should implement rest.RESTCreateStrategy
+var _ rest.RESTCreateStrategy = Strategy
+
+// Strategy should implement rest.RESTUpdateStrategy
+var _ rest.RESTUpdateStrategy = Strategy
+
+// NamespaceScoped is true for Roles.
+func (strategy) NamespaceScoped() bool {
+	return true
+}
+
+// AllowCreateOnUpdate is true for Roles.
+func (strategy) AllowCreateOnUpdate() bool {
+	return true
+}
+
+// PrepareForCreate clears fields that are not allowed to be set by end users
+// on creation.
+func (strategy) PrepareForCreate(ctx api.Context, obj runtime.Object) {
+	_ = obj.(*rbac.Role)
+}
+
+// PrepareForUpdate clears fields that are not allowed to be set by end users on update.
+func (strategy) PrepareForUpdate(ctx api.Context, obj, old runtime.Object) {
+	newRole := obj.(*rbac.Role)
+	oldRole := old.(*rbac.Role)
+
+	_, _ = newRole, oldRole
+}
+
+// Validate validates a new Role. Validation must check for a correct signature.
+func (strategy) Validate(ctx api.Context, obj runtime.Object) field.ErrorList {
+	role := obj.(*rbac.Role)
+	return validation.ValidateRole(role)
+}
+
+// Canonicalize normalizes the object after validation.
+func (strategy) Canonicalize(obj runtime.Object) {
+	_ = obj.(*rbac.Role)
+}
+
+// ValidateUpdate is the default update validation for an end user.
+func (strategy) ValidateUpdate(ctx api.Context, obj, old runtime.Object) field.ErrorList {
+	newObj := obj.(*rbac.Role)
+	errorList := validation.ValidateRole(newObj)
+	return append(errorList, validation.ValidateRoleUpdate(newObj, old.(*rbac.Role))...)
+}
+
+// If AllowUnconditionalUpdate() is true and the object specified by
+// the user does not have a resource version, then generic Update()
+// populates it with the latest version. Else, it checks that the
+// version specified by the user matches the version of latest etcd
+// object.
+func (strategy) AllowUnconditionalUpdate() bool {
+	return true
+}
+
+func (s strategy) Export(ctx api.Context, obj runtime.Object, exact bool) error {
+	return nil
+}
+
+// GetAttrs returns labels and fields of a given object for filtering purposes.
+func GetAttrs(obj runtime.Object) (labels.Set, fields.Set, error) {
+	role, ok := obj.(*rbac.Role)
+	if !ok {
+		return nil, nil, fmt.Errorf("not a Role")
+	}
+	return labels.Set(role.Labels), SelectableFields(role), nil
+}
+
+// Matcher returns a generic matcher for a given label and field selector.
+func Matcher(label labels.Selector, field fields.Selector) apistorage.SelectionPredicate {
+	return apistorage.SelectionPredicate{
+		Label:    label,
+		Field:    field,
+		GetAttrs: GetAttrs,
+	}
+}
+
+// SelectableFields returns a field set that can be used for filter selection
+func SelectableFields(obj *rbac.Role) fields.Set {
+	return nil
+}
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/BUILD
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/BUILD
@ -0,0 +1,33 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "doc.go",
+        "registry.go",
+        "strategy.go",
+    ],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/api/rest:go_default_library",
+        "//pkg/apis/rbac:go_default_library",
+        "//pkg/apis/rbac/validation:go_default_library",
+        "//pkg/fields:go_default_library",
+        "//pkg/labels:go_default_library",
+        "//pkg/runtime:go_default_library",
+        "//pkg/storage:go_default_library",
+        "//pkg/util/validation/field:go_default_library",
+        "//pkg/watch:go_default_library",
+    ],
+)
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/doc.go
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/doc.go
@ -0,0 +1,19 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package certificates provides Registry interface and its RESTStorage
+// implementation for storing RoleBinding objects.
+package rolebinding // import "k8s.io/kubernetes/pkg/registry/rbac/rolebinding"
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/etcd/BUILD
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/etcd/BUILD
@ -0,0 +1,27 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["etcd.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/apis/rbac:go_default_library",
+        "//pkg/registry/cachesize:go_default_library",
+        "//pkg/registry/generic:go_default_library",
+        "//pkg/registry/generic/registry:go_default_library",
+        "//pkg/registry/rbac/rolebinding:go_default_library",
+        "//pkg/runtime:go_default_library",
+        "//pkg/storage:go_default_library",
+    ],
+)
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/etcd/etcd.go
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/etcd/etcd.go
@ -0,0 +1,77 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package etcd
+
+import (
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/registry/cachesize"
+	"k8s.io/kubernetes/pkg/registry/generic"
+	genericregistry "k8s.io/kubernetes/pkg/registry/generic/registry"
+	"k8s.io/kubernetes/pkg/registry/rbac/rolebinding"
+	"k8s.io/kubernetes/pkg/runtime"
+	"k8s.io/kubernetes/pkg/storage"
+)
+
+// REST implements a RESTStorage for RoleBinding against etcd
+type REST struct {
+	*genericregistry.Store
+}
+
+// NewREST returns a RESTStorage object that will work against RoleBinding objects.
+func NewREST(opts generic.RESTOptions) *REST {
+	prefix := "/" + opts.ResourcePrefix
+
+	newListFunc := func() runtime.Object { return &rbac.RoleBindingList{} }
+	storageInterface, dFunc := opts.Decorator(
+		opts.StorageConfig,
+		cachesize.GetWatchCacheSizeByResource(cachesize.RoleBindings),
+		&rbac.RoleBinding{},
+		prefix,
+		rolebinding.Strategy,
+		newListFunc,
+		rolebinding.GetAttrs,
+		storage.NoTriggerPublisher,
+	)
+
+	store := &genericregistry.Store{
+		NewFunc:     func() runtime.Object { return &rbac.RoleBinding{} },
+		NewListFunc: newListFunc,
+		KeyRootFunc: func(ctx api.Context) string {
+			return genericregistry.NamespaceKeyRootFunc(ctx, prefix)
+		},
+		KeyFunc: func(ctx api.Context, id string) (string, error) {
+			return genericregistry.NamespaceKeyFunc(ctx, prefix, id)
+		},
+		ObjectNameFunc: func(obj runtime.Object) (string, error) {
+			return obj.(*rbac.RoleBinding).Name, nil
+		},
+		PredicateFunc:           rolebinding.Matcher,
+		QualifiedResource:       rbac.Resource("rolebindings"),
+		EnableGarbageCollection: opts.EnableGarbageCollection,
+		DeleteCollectionWorkers: opts.DeleteCollectionWorkers,
+
+		CreateStrategy: rolebinding.Strategy,
+		UpdateStrategy: rolebinding.Strategy,
+		DeleteStrategy: rolebinding.Strategy,
+
+		Storage:     storageInterface,
+		DestroyFunc: dFunc,
+	}
+
+	return &REST{store}
+}
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/policybased/BUILD
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/policybased/BUILD
@ -0,0 +1,26 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["storage.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/api/errors:go_default_library",
+        "//pkg/api/rest:go_default_library",
+        "//pkg/apis/rbac:go_default_library",
+        "//pkg/apis/rbac/validation:go_default_library",
+        "//pkg/registry/rbac:go_default_library",
+        "//pkg/runtime:go_default_library",
+    ],
+)
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/policybased/storage.go
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/policybased/storage.go
@ -0,0 +1,103 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package policybased implements a standard storage for RoleBinding that prevents privilege escalation.
+package policybased
+
+import (
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/errors"
+	"k8s.io/kubernetes/pkg/api/rest"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/apis/rbac/validation"
+	rbacregistry "k8s.io/kubernetes/pkg/registry/rbac"
+	"k8s.io/kubernetes/pkg/runtime"
+)
+
+var groupResource = rbac.Resource("rolebindings")
+
+type Storage struct {
+	rest.StandardStorage
+
+	ruleResolver validation.AuthorizationRuleResolver
+
+	// user which skips privilege escalation checks
+	superUser string
+}
+
+func NewStorage(s rest.StandardStorage, ruleResolver validation.AuthorizationRuleResolver, superUser string) *Storage {
+	return &Storage{s, ruleResolver, superUser}
+}
+
+func (s *Storage) Create(ctx api.Context, obj runtime.Object) (runtime.Object, error) {
+	if rbacregistry.EscalationAllowed(ctx, s.superUser) {
+		return s.StandardStorage.Create(ctx, obj)
+	}
+
+	roleBinding := obj.(*rbac.RoleBinding)
+	rules, err := s.ruleResolver.GetRoleReferenceRules(roleBinding.RoleRef, roleBinding.Namespace)
+	if err != nil {
+		return nil, err
+	}
+	if err := validation.ConfirmNoEscalation(ctx, s.ruleResolver, rules); err != nil {
+		return nil, errors.NewForbidden(groupResource, roleBinding.Name, err)
+	}
+	return s.StandardStorage.Create(ctx, obj)
+}
+
+func (s *Storage) Update(ctx api.Context, name string, obj rest.UpdatedObjectInfo) (runtime.Object, bool, error) {
+	if rbacregistry.EscalationAllowed(ctx, s.superUser) {
+		return s.StandardStorage.Update(ctx, name, obj)
+	}
+
+	nonEscalatingInfo := wrapUpdatedObjectInfo(obj, func(ctx api.Context, obj runtime.Object, oldObj runtime.Object) (runtime.Object, error) {
+		roleBinding := obj.(*rbac.RoleBinding)
+
+		rules, err := s.ruleResolver.GetRoleReferenceRules(roleBinding.RoleRef, roleBinding.Namespace)
+		if err != nil {
+			return nil, err
+		}
+		if err := validation.ConfirmNoEscalation(ctx, s.ruleResolver, rules); err != nil {
+			return nil, errors.NewForbidden(groupResource, roleBinding.Name, err)
+		}
+		return obj, nil
+	})
+
+	return s.StandardStorage.Update(ctx, name, nonEscalatingInfo)
+}
+
+// TODO(ericchiang): This logic is copied from #26240. Replace with once that PR is merged into master.
+type wrappedUpdatedObjectInfo struct {
+	objInfo rest.UpdatedObjectInfo
+
+	transformFunc rest.TransformFunc
+}
+
+func wrapUpdatedObjectInfo(objInfo rest.UpdatedObjectInfo, transformFunc rest.TransformFunc) rest.UpdatedObjectInfo {
+	return &wrappedUpdatedObjectInfo{objInfo, transformFunc}
+}
+
+func (i *wrappedUpdatedObjectInfo) Preconditions() *api.Preconditions {
+	return i.objInfo.Preconditions()
+}
+
+func (i *wrappedUpdatedObjectInfo) UpdatedObject(ctx api.Context, oldObj runtime.Object) (runtime.Object, error) {
+	obj, err := i.objInfo.UpdatedObject(ctx, oldObj)
+	if err != nil {
+		return obj, err
+	}
+	return i.transformFunc(ctx, obj, oldObj)
+}
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/registry.go
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/registry.go
@ -0,0 +1,100 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rolebinding
+
+import (
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/rest"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/watch"
+)
+
+// Registry is an interface for things that know how to store RoleBindings.
+type Registry interface {
+	ListRoleBindings(ctx api.Context, options *api.ListOptions) (*rbac.RoleBindingList, error)
+	CreateRoleBinding(ctx api.Context, roleBinding *rbac.RoleBinding) error
+	UpdateRoleBinding(ctx api.Context, roleBinding *rbac.RoleBinding) error
+	GetRoleBinding(ctx api.Context, name string) (*rbac.RoleBinding, error)
+	DeleteRoleBinding(ctx api.Context, name string) error
+	WatchRoleBindings(ctx api.Context, options *api.ListOptions) (watch.Interface, error)
+}
+
+// storage puts strong typing around storage calls
+type storage struct {
+	rest.StandardStorage
+}
+
+// NewRegistry returns a new Registry interface for the given Storage. Any mismatched
+// types will panic.
+func NewRegistry(s rest.StandardStorage) Registry {
+	return &storage{s}
+}
+
+func (s *storage) ListRoleBindings(ctx api.Context, options *api.ListOptions) (*rbac.RoleBindingList, error) {
+	obj, err := s.List(ctx, options)
+	if err != nil {
+		return nil, err
+	}
+
+	return obj.(*rbac.RoleBindingList), nil
+}
+
+func (s *storage) CreateRoleBinding(ctx api.Context, roleBinding *rbac.RoleBinding) error {
+	// TODO(ericchiang): add additional validation
+	_, err := s.Create(ctx, roleBinding)
+	return err
+}
+
+func (s *storage) UpdateRoleBinding(ctx api.Context, roleBinding *rbac.RoleBinding) error {
+	_, _, err := s.Update(ctx, roleBinding.Name, rest.DefaultUpdatedObjectInfo(roleBinding, api.Scheme))
+	return err
+}
+
+func (s *storage) WatchRoleBindings(ctx api.Context, options *api.ListOptions) (watch.Interface, error) {
+	return s.Watch(ctx, options)
+}
+
+func (s *storage) GetRoleBinding(ctx api.Context, name string) (*rbac.RoleBinding, error) {
+	obj, err := s.Get(ctx, name)
+	if err != nil {
+		return nil, err
+	}
+	return obj.(*rbac.RoleBinding), nil
+}
+
+func (s *storage) DeleteRoleBinding(ctx api.Context, name string) error {
+	_, err := s.Delete(ctx, name, nil)
+	return err
+}
+
+// AuthorizerAdapter adapts the registry to the authorizer interface
+type AuthorizerAdapter struct {
+	Registry Registry
+}
+
+func (a AuthorizerAdapter) ListRoleBindings(namespace string) ([]*rbac.RoleBinding, error) {
+	list, err := a.Registry.ListRoleBindings(api.WithNamespace(api.NewContext(), namespace), &api.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	ret := []*rbac.RoleBinding{}
+	for i := range list.Items {
+		ret = append(ret, &list.Items[i])
+	}
+	return ret, nil
+}
--- a/vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/strategy.go
+++ b/vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/strategy.go
@ -0,0 +1,125 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rolebinding
+
+import (
+	"fmt"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/rest"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/apis/rbac/validation"
+	"k8s.io/kubernetes/pkg/fields"
+	"k8s.io/kubernetes/pkg/labels"
+	"k8s.io/kubernetes/pkg/runtime"
+	apistorage "k8s.io/kubernetes/pkg/storage"
+	"k8s.io/kubernetes/pkg/util/validation/field"
+)
+
+// strategy implements behavior for RoleBindings
+type strategy struct {
+	runtime.ObjectTyper
+	api.NameGenerator
+}
+
+// strategy is the default logic that applies when creating and updating
+// RoleBinding objects.
+var Strategy = strategy{api.Scheme, api.SimpleNameGenerator}
+
+// Strategy should implement rest.RESTCreateStrategy
+var _ rest.RESTCreateStrategy = Strategy
+
+// Strategy should implement rest.RESTUpdateStrategy
+var _ rest.RESTUpdateStrategy = Strategy
+
+// NamespaceScoped is true for RoleBindings.
+func (strategy) NamespaceScoped() bool {
+	return true
+}
+
+// AllowCreateOnUpdate is true for RoleBindings.
+func (strategy) AllowCreateOnUpdate() bool {
+	return true
+}
+
+// PrepareForCreate clears fields that are not allowed to be set by end users
+// on creation.
+func (strategy) PrepareForCreate(ctx api.Context, obj runtime.Object) {
+	_ = obj.(*rbac.RoleBinding)
+}
+
+// PrepareForUpdate clears fields that are not allowed to be set by end users on update.
+func (strategy) PrepareForUpdate(ctx api.Context, obj, old runtime.Object) {
+	newRoleBinding := obj.(*rbac.RoleBinding)
+	oldRoleBinding := old.(*rbac.RoleBinding)
+
+	_, _ = newRoleBinding, oldRoleBinding
+}
+
+// Validate validates a new RoleBinding. Validation must check for a correct signature.
+func (strategy) Validate(ctx api.Context, obj runtime.Object) field.ErrorList {
+	roleBinding := obj.(*rbac.RoleBinding)
+	return validation.ValidateRoleBinding(roleBinding)
+}
+
+// Canonicalize normalizes the object after validation.
+func (strategy) Canonicalize(obj runtime.Object) {
+	_ = obj.(*rbac.RoleBinding)
+}
+
+// ValidateUpdate is the default update validation for an end user.
+func (strategy) ValidateUpdate(ctx api.Context, obj, old runtime.Object) field.ErrorList {
+	newObj := obj.(*rbac.RoleBinding)
+	errorList := validation.ValidateRoleBinding(newObj)
+	return append(errorList, validation.ValidateRoleBindingUpdate(newObj, old.(*rbac.RoleBinding))...)
+}
+
+// If AllowUnconditionalUpdate() is true and the object specified by
+// the user does not have a resource version, then generic Update()
+// populates it with the latest version. Else, it checks that the
+// version specified by the user matches the version of latest etcd
+// object.
+func (strategy) AllowUnconditionalUpdate() bool {
+	return true
+}
+
+func (s strategy) Export(ctx api.Context, obj runtime.Object, exact bool) error {
+	return nil
+}
+
+// GetAttrs returns labels and fields of a given object for filtering purposes.
+func GetAttrs(obj runtime.Object) (labels.Set, fields.Set, error) {
+	roleBinding, ok := obj.(*rbac.RoleBinding)
+	if !ok {
+		return nil, nil, fmt.Errorf("not a RoleBinding")
+	}
+	return labels.Set(roleBinding.Labels), SelectableFields(roleBinding), nil
+}
+
+// Matcher returns a generic matcher for a given label and field selector.
+func Matcher(label labels.Selector, field fields.Selector) apistorage.SelectionPredicate {
+	return apistorage.SelectionPredicate{
+		Label:    label,
+		Field:    field,
+		GetAttrs: GetAttrs,
+	}
+}
+
+// SelectableFields returns a field set that can be used for filter selection
+func SelectableFields(obj *rbac.RoleBinding) fields.Set {
+	return nil
+}