Add glide.yaml and vendor deps

vendor/k8s.io/kubernetes/pkg/registry/rbac/role/BUILD

@@ -0,0 +1,33 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "doc.go",
+        "registry.go",
+        "strategy.go",
+    ],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/api/rest:go_default_library",
+        "//pkg/apis/rbac:go_default_library",
+        "//pkg/apis/rbac/validation:go_default_library",
+        "//pkg/fields:go_default_library",
+        "//pkg/labels:go_default_library",
+        "//pkg/runtime:go_default_library",
+        "//pkg/storage:go_default_library",
+        "//pkg/util/validation/field:go_default_library",
+        "//pkg/watch:go_default_library",
+    ],
+)

vendor/k8s.io/kubernetes/pkg/registry/rbac/role/doc.go

@@ -0,0 +1,19 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package certificates provides Registry interface and its RESTStorage
+// implementation for storing Role objects.
+package role // import "k8s.io/kubernetes/pkg/registry/rbac/role"

vendor/k8s.io/kubernetes/pkg/registry/rbac/role/etcd/BUILD

@@ -0,0 +1,27 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["etcd.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/apis/rbac:go_default_library",
+        "//pkg/registry/cachesize:go_default_library",
+        "//pkg/registry/generic:go_default_library",
+        "//pkg/registry/generic/registry:go_default_library",
+        "//pkg/registry/rbac/role:go_default_library",
+        "//pkg/runtime:go_default_library",
+        "//pkg/storage:go_default_library",
+    ],
+)

vendor/k8s.io/kubernetes/pkg/registry/rbac/role/etcd/etcd.go

@@ -0,0 +1,77 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package etcd
+
+import (
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/registry/cachesize"
+	"k8s.io/kubernetes/pkg/registry/generic"
+	genericregistry "k8s.io/kubernetes/pkg/registry/generic/registry"
+	"k8s.io/kubernetes/pkg/registry/rbac/role"
+	"k8s.io/kubernetes/pkg/runtime"
+	"k8s.io/kubernetes/pkg/storage"
+)
+
+// REST implements a RESTStorage for Role against etcd
+type REST struct {
+	*genericregistry.Store
+}
+
+// NewREST returns a RESTStorage object that will work against Role objects.
+func NewREST(opts generic.RESTOptions) *REST {
+	prefix := "/" + opts.ResourcePrefix
+
+	newListFunc := func() runtime.Object { return &rbac.RoleList{} }
+	storageInterface, dFunc := opts.Decorator(
+		opts.StorageConfig,
+		cachesize.GetWatchCacheSizeByResource(cachesize.Roles),
+		&rbac.Role{},
+		prefix,
+		role.Strategy,
+		newListFunc,
+		role.GetAttrs,
+		storage.NoTriggerPublisher,
+	)
+
+	store := &genericregistry.Store{
+		NewFunc:     func() runtime.Object { return &rbac.Role{} },
+		NewListFunc: newListFunc,
+		KeyRootFunc: func(ctx api.Context) string {
+			return genericregistry.NamespaceKeyRootFunc(ctx, prefix)
+		},
+		KeyFunc: func(ctx api.Context, id string) (string, error) {
+			return genericregistry.NamespaceKeyFunc(ctx, prefix, id)
+		},
+		ObjectNameFunc: func(obj runtime.Object) (string, error) {
+			return obj.(*rbac.Role).Name, nil
+		},
+		PredicateFunc:           role.Matcher,
+		QualifiedResource:       rbac.Resource("roles"),
+		EnableGarbageCollection: opts.EnableGarbageCollection,
+		DeleteCollectionWorkers: opts.DeleteCollectionWorkers,
+
+		CreateStrategy: role.Strategy,
+		UpdateStrategy: role.Strategy,
+		DeleteStrategy: role.Strategy,
+
+		Storage:     storageInterface,
+		DestroyFunc: dFunc,
+	}
+
+	return &REST{store}
+}

vendor/k8s.io/kubernetes/pkg/registry/rbac/role/policybased/BUILD

@@ -0,0 +1,26 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["storage.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/api/errors:go_default_library",
+        "//pkg/api/rest:go_default_library",
+        "//pkg/apis/rbac:go_default_library",
+        "//pkg/apis/rbac/validation:go_default_library",
+        "//pkg/registry/rbac:go_default_library",
+        "//pkg/runtime:go_default_library",
+    ],
+)

vendor/k8s.io/kubernetes/pkg/registry/rbac/role/policybased/storage.go

@@ -0,0 +1,97 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package policybased implements a standard storage for Role that prevents privilege escalation.
+package policybased
+
+import (
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/errors"
+	"k8s.io/kubernetes/pkg/api/rest"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/apis/rbac/validation"
+	rbacregistry "k8s.io/kubernetes/pkg/registry/rbac"
+	"k8s.io/kubernetes/pkg/runtime"
+)
+
+var groupResource = rbac.Resource("roles")
+
+type Storage struct {
+	rest.StandardStorage
+
+	ruleResolver validation.AuthorizationRuleResolver
+
+	// user which skips privilege escalation checks
+	superUser string
+}
+
+func NewStorage(s rest.StandardStorage, ruleResolver validation.AuthorizationRuleResolver, superUser string) *Storage {
+	return &Storage{s, ruleResolver, superUser}
+}
+
+func (s *Storage) Create(ctx api.Context, obj runtime.Object) (runtime.Object, error) {
+	if rbacregistry.EscalationAllowed(ctx, s.superUser) {
+		return s.StandardStorage.Create(ctx, obj)
+	}
+
+	role := obj.(*rbac.Role)
+	rules := role.Rules
+	if err := validation.ConfirmNoEscalation(ctx, s.ruleResolver, rules); err != nil {
+		return nil, errors.NewForbidden(groupResource, role.Name, err)
+	}
+	return s.StandardStorage.Create(ctx, obj)
+}
+
+func (s *Storage) Update(ctx api.Context, name string, obj rest.UpdatedObjectInfo) (runtime.Object, bool, error) {
+	if rbacregistry.EscalationAllowed(ctx, s.superUser) {
+		return s.StandardStorage.Update(ctx, name, obj)
+	}
+
+	nonEscalatingInfo := wrapUpdatedObjectInfo(obj, func(ctx api.Context, obj runtime.Object, oldObj runtime.Object) (runtime.Object, error) {
+		role := obj.(*rbac.Role)
+
+		rules := role.Rules
+		if err := validation.ConfirmNoEscalation(ctx, s.ruleResolver, rules); err != nil {
+			return nil, errors.NewForbidden(groupResource, role.Name, err)
+		}
+		return obj, nil
+	})
+
+	return s.StandardStorage.Update(ctx, name, nonEscalatingInfo)
+}
+
+// TODO(ericchiang): This logic is copied from #26240. Replace with once that PR is merged into master.
+type wrappedUpdatedObjectInfo struct {
+	objInfo rest.UpdatedObjectInfo
+
+	transformFunc rest.TransformFunc
+}
+
+func wrapUpdatedObjectInfo(objInfo rest.UpdatedObjectInfo, transformFunc rest.TransformFunc) rest.UpdatedObjectInfo {
+	return &wrappedUpdatedObjectInfo{objInfo, transformFunc}
+}
+
+func (i *wrappedUpdatedObjectInfo) Preconditions() *api.Preconditions {
+	return i.objInfo.Preconditions()
+}
+
+func (i *wrappedUpdatedObjectInfo) UpdatedObject(ctx api.Context, oldObj runtime.Object) (runtime.Object, error) {
+	obj, err := i.objInfo.UpdatedObject(ctx, oldObj)
+	if err != nil {
+		return obj, err
+	}
+	return i.transformFunc(ctx, obj, oldObj)
+}

vendor/k8s.io/kubernetes/pkg/registry/rbac/role/registry.go

@@ -0,0 +1,90 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package role
+
+import (
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/rest"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/watch"
+)
+
+// Registry is an interface for things that know how to store Roles.
+type Registry interface {
+	ListRoles(ctx api.Context, options *api.ListOptions) (*rbac.RoleList, error)
+	CreateRole(ctx api.Context, role *rbac.Role) error
+	UpdateRole(ctx api.Context, role *rbac.Role) error
+	GetRole(ctx api.Context, name string) (*rbac.Role, error)
+	DeleteRole(ctx api.Context, name string) error
+	WatchRoles(ctx api.Context, options *api.ListOptions) (watch.Interface, error)
+}
+
+// storage puts strong typing around storage calls
+type storage struct {
+	rest.StandardStorage
+}
+
+// NewRegistry returns a new Registry interface for the given Storage. Any mismatched
+// types will panic.
+func NewRegistry(s rest.StandardStorage) Registry {
+	return &storage{s}
+}
+
+func (s *storage) ListRoles(ctx api.Context, options *api.ListOptions) (*rbac.RoleList, error) {
+	obj, err := s.List(ctx, options)
+	if err != nil {
+		return nil, err
+	}
+
+	return obj.(*rbac.RoleList), nil
+}
+
+func (s *storage) CreateRole(ctx api.Context, role *rbac.Role) error {
+	_, err := s.Create(ctx, role)
+	return err
+}
+
+func (s *storage) UpdateRole(ctx api.Context, role *rbac.Role) error {
+	_, _, err := s.Update(ctx, role.Name, rest.DefaultUpdatedObjectInfo(role, api.Scheme))
+	return err
+}
+
+func (s *storage) WatchRoles(ctx api.Context, options *api.ListOptions) (watch.Interface, error) {
+	return s.Watch(ctx, options)
+}
+
+func (s *storage) GetRole(ctx api.Context, name string) (*rbac.Role, error) {
+	obj, err := s.Get(ctx, name)
+	if err != nil {
+		return nil, err
+	}
+	return obj.(*rbac.Role), nil
+}
+
+func (s *storage) DeleteRole(ctx api.Context, name string) error {
+	_, err := s.Delete(ctx, name, nil)
+	return err
+}
+
+// AuthorizerAdapter adapts the registry to the authorizer interface
+type AuthorizerAdapter struct {
+	Registry Registry
+}
+
+func (a AuthorizerAdapter) GetRole(namespace, name string) (*rbac.Role, error) {
+	return a.Registry.GetRole(api.WithNamespace(api.NewContext(), namespace), name)
+}

vendor/k8s.io/kubernetes/pkg/registry/rbac/role/strategy.go

@@ -0,0 +1,125 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package role
+
+import (
+	"fmt"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/rest"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/apis/rbac/validation"
+	"k8s.io/kubernetes/pkg/fields"
+	"k8s.io/kubernetes/pkg/labels"
+	"k8s.io/kubernetes/pkg/runtime"
+	apistorage "k8s.io/kubernetes/pkg/storage"
+	"k8s.io/kubernetes/pkg/util/validation/field"
+)
+
+// strategy implements behavior for Roles
+type strategy struct {
+	runtime.ObjectTyper
+	api.NameGenerator
+}
+
+// strategy is the default logic that applies when creating and updating
+// Role objects.
+var Strategy = strategy{api.Scheme, api.SimpleNameGenerator}
+
+// Strategy should implement rest.RESTCreateStrategy
+var _ rest.RESTCreateStrategy = Strategy
+
+// Strategy should implement rest.RESTUpdateStrategy
+var _ rest.RESTUpdateStrategy = Strategy
+
+// NamespaceScoped is true for Roles.
+func (strategy) NamespaceScoped() bool {
+	return true
+}
+
+// AllowCreateOnUpdate is true for Roles.
+func (strategy) AllowCreateOnUpdate() bool {
+	return true
+}
+
+// PrepareForCreate clears fields that are not allowed to be set by end users
+// on creation.
+func (strategy) PrepareForCreate(ctx api.Context, obj runtime.Object) {
+	_ = obj.(*rbac.Role)
+}
+
+// PrepareForUpdate clears fields that are not allowed to be set by end users on update.
+func (strategy) PrepareForUpdate(ctx api.Context, obj, old runtime.Object) {
+	newRole := obj.(*rbac.Role)
+	oldRole := old.(*rbac.Role)
+
+	_, _ = newRole, oldRole
+}
+
+// Validate validates a new Role. Validation must check for a correct signature.
+func (strategy) Validate(ctx api.Context, obj runtime.Object) field.ErrorList {
+	role := obj.(*rbac.Role)
+	return validation.ValidateRole(role)
+}
+
+// Canonicalize normalizes the object after validation.
+func (strategy) Canonicalize(obj runtime.Object) {
+	_ = obj.(*rbac.Role)
+}
+
+// ValidateUpdate is the default update validation for an end user.
+func (strategy) ValidateUpdate(ctx api.Context, obj, old runtime.Object) field.ErrorList {
+	newObj := obj.(*rbac.Role)
+	errorList := validation.ValidateRole(newObj)
+	return append(errorList, validation.ValidateRoleUpdate(newObj, old.(*rbac.Role))...)
+}
+
+// If AllowUnconditionalUpdate() is true and the object specified by
+// the user does not have a resource version, then generic Update()
+// populates it with the latest version. Else, it checks that the
+// version specified by the user matches the version of latest etcd
+// object.
+func (strategy) AllowUnconditionalUpdate() bool {
+	return true
+}
+
+func (s strategy) Export(ctx api.Context, obj runtime.Object, exact bool) error {
+	return nil
+}
+
+// GetAttrs returns labels and fields of a given object for filtering purposes.
+func GetAttrs(obj runtime.Object) (labels.Set, fields.Set, error) {
+	role, ok := obj.(*rbac.Role)
+	if !ok {
+		return nil, nil, fmt.Errorf("not a Role")
+	}
+	return labels.Set(role.Labels), SelectableFields(role), nil
+}
+
+// Matcher returns a generic matcher for a given label and field selector.
+func Matcher(label labels.Selector, field fields.Selector) apistorage.SelectionPredicate {
+	return apistorage.SelectionPredicate{
+		Label:    label,
+		Field:    field,
+		GetAttrs: GetAttrs,
+	}
+}
+
+// SelectableFields returns a field set that can be used for filter selection
+func SelectableFields(obj *rbac.Role) fields.Set {
+	return nil
+}