add "admission" API group

This commit is an initial pass at providing an admission API group.
The API group is required by the webhook admission controller being
developed as part of https://github.com/kubernetes/community/pull/132
and could be used more as that proposal comes to fruition.

cmd/libs/go2idl/go-to-protobuf/protobuf/cmd.go

@@ -90,6 +90,7 @@ func New() *Generator {
 			`k8s.io/kubernetes/pkg/apis/settings/v1alpha1`,
 			`k8s.io/kubernetes/pkg/apis/storage/v1beta1`,
 			`k8s.io/kubernetes/pkg/apis/storage/v1`,
+			`k8s.io/kubernetes/pkg/apis/admission/v1alpha1`,
 		}, ","),
 		DropEmbeddedFields: "k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta",
 	}

hack/lib/init.sh

@@ -79,6 +79,7 @@ KUBE_NONSERVER_GROUP_VERSIONS="
  abac.authorization.kubernetes.io/v1beta1 \
  componentconfig/v1alpha1 \
  imagepolicy.k8s.io/v1alpha1\
+ admission.k8s.io/v1alpha1\
 "
 
 # This emulates "readlink -f" which is not available on MacOS X.

hack/verify-api-groups.sh

@@ -69,6 +69,7 @@ groups_without_codegen=(
 	"abac"
 	"componentconfig"
 	"imagepolicy"
+	"admission"
 )
 client_gen_file="${KUBE_ROOT}/cmd/libs/go2idl/client-gen/main.go"
 
@@ -92,6 +93,7 @@ done
 # them.  This happens for types that aren't served from the API server
 packages_without_install=(
 	"k8s.io/kubernetes/pkg/apis/abac"
+	"k8s.io/kubernetes/pkg/apis/admission"
 )
 known_version_files=(
 	"pkg/master/import_known_versions.go"

hack/verify-pkg-names.sh

@@ -26,7 +26,7 @@ source "${KUBE_ROOT}/hack/lib/init.sh"
 kube::golang::verify_go_version
 
 cd "${KUBE_ROOT}"
-if git --no-pager grep -E $'^(import |\t)[a-z]+[A-Z_][a-zA-Z]* "[^"]+"$' -- '**/*.go' ':(exclude)vendor/*' ':(exclude)staging/src/k8s.io/client-go/*vendor/*' ':(exclude)staging/src/k8s.io/metrics/*'; then
+if git --no-pager grep -E $'^(import |\t)[a-z]+[A-Z_][a-zA-Z]* "[^"]+"$' -- '**/*.go' ':(exclude)vendor/*' ':(exclude)staging/src/k8s.io/client-go/*vendor/*' ':(exclude)staging/src/k8s.io/metrics/*' ':(exclude)pkg/apis/admission/v1alpha1/zz_generated.conversion.go'; then
   echo "!!! Some package aliases break go conventions."
   echo "To fix these errors, do not use capitalized or underlined characters"
   echo "in pkg aliases. Refer to https://blog.golang.org/package-names for more info."

pkg/BUILD

@@ -16,6 +16,7 @@ filegroup(
         "//pkg/api:all-srcs",
         "//pkg/apimachinery/tests:all-srcs",
         "//pkg/apis/abac:all-srcs",
+        "//pkg/apis/admission:all-srcs",
         "//pkg/apis/apps:all-srcs",
         "//pkg/apis/authentication:all-srcs",
         "//pkg/apis/authorization:all-srcs",

pkg/apis/admission/BUILD

@@ -0,0 +1,46 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "doc.go",
+        "register.go",
+        "types.generated.go",
+        "types.go",
+        "zz_generated.deepcopy.go",
+    ],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/apis/authentication:go_default_library",
+        "//vendor/github.com/ugorji/go/codec:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/conversion:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [
+        ":package-srcs",
+        "//pkg/apis/admission/v1alpha1:all-srcs",
+    ],
+    tags = ["automanaged"],
+)

pkg/apis/admission/doc.go

@@ -0,0 +1,19 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +groupName=admission.k8s.io
+package admission // import "k8s.io/kubernetes/pkg/apis/admission"

pkg/apis/admission/register.go

@@ -0,0 +1,52 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package admission
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "admission.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns a Group qualified GroupKind
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// SchemeBuilder the schema builder
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	// AddToScheme handler to add items to the schema
+	AddToScheme = SchemeBuilder.AddToScheme
+)
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&AdmissionReview{},
+	)
+	return nil
+}

pkg/apis/admission/types.go

@@ -0,0 +1,73 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package admission
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apiserver/pkg/admission"
+	"k8s.io/kubernetes/pkg/apis/authentication"
+)
+
+// AdmissionReview describes an admission request.
+type AdmissionReview struct {
+	metav1.TypeMeta
+
+	// Spec describes the attributes for the admission request.
+	// Since this admission controller is non-mutating the webhook should avoid setting this in its response to avoid the
+	// cost of deserializing it.
+	Spec AdmissionReviewSpec
+	// Status is filled in by the webhook and indicates whether the admission request should be permitted.
+	Status AdmissionReviewStatus
+}
+
+// AdmissionReviewSpec describes the admission.Attributes for the admission request.
+type AdmissionReviewSpec struct {
+	// Kind is the type of object being manipulated.  For example: Pod
+	Kind metav1.GroupVersionKind
+	// Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
+	// rely on the server to generate the name.  If that is the case, this method will return the empty string.
+	Name string
+	// Namespace is the namespace associated with the request (if any).
+	Namespace string
+	// Object is the object from the incoming request prior to default values being applied
+	Object runtime.Object
+	// OldObject is the existing object. Only populated for UPDATE requests.
+	OldObject runtime.Object
+	// Operation is the operation being performed
+	Operation admission.Operation
+	// Resource is the name of the resource being requested.  This is not the kind.  For example: pods
+	Resource metav1.GroupVersionResource
+	// SubResource is the name of the subresource being requested.  This is a different resource, scoped to the parent
+	// resource, but it may have a different kind. For instance, /pods has the resource "pods" and the kind "Pod", while
+	// /pods/foo/status has the resource "pods", the sub resource "status", and the kind "Pod" (because status operates on
+	// pods). The binding resource for a pod though may be /pods/foo/binding, which has resource "pods", subresource
+	// "binding", and kind "Binding".
+	SubResource string
+	// UserInfo is information about the requesting user
+	UserInfo authentication.UserInfo
+}
+
+// AdmissionReviewStatus describes the status of the admission request.
+type AdmissionReviewStatus struct {
+	// Allowed indicates whether or not the admission request was permitted.
+	Allowed bool
+	// Result contains extra details into why an admission request was denied.
+	// This field IS NOT consulted in any way if "Allowed" is "true".
+	// +optional
+	Result *metav1.Status
+}

pkg/apis/admission/v1alpha1/BUILD

@@ -0,0 +1,49 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "doc.go",
+        "generated.pb.go",
+        "helpers.go",
+        "register.go",
+        "types.generated.go",
+        "types.go",
+        "zz_generated.conversion.go",
+        "zz_generated.deepcopy.go",
+        "zz_generated.defaults.go",
+    ],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/apis/admission:go_default_library",
+        "//pkg/apis/authentication/v1:go_default_library",
+        "//vendor/github.com/gogo/protobuf/proto:go_default_library",
+        "//vendor/github.com/ugorji/go/codec:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/conversion:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

pkg/apis/admission/v1alpha1/doc.go

@@ -0,0 +1,23 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/admission
+// +k8s:openapi-gen=false
+// +k8s:defaulter-gen=TypeMeta
+
+// +groupName=admission.k8s.io
+package v1alpha1 // import "k8s.io/kubernetes/pkg/apis/admission/v1alpha1"

pkg/apis/admission/v1alpha1/generated.proto

@@ -0,0 +1,96 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.kubernetes.pkg.apis.admission.v1alpha1;
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+import "k8s.io/apiserver/pkg/apis/example/v1/generated.proto";
+import "k8s.io/kubernetes/pkg/apis/authentication/v1/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1alpha1";
+
+// AdmissionReview describes an admission request.
+message AdmissionReview {
+  // Spec describes the attributes for the admission request.
+  // Since this admission controller is non-mutating the webhook should avoid setting this in its response to avoid the
+  // cost of deserializing it.
+  // +optional
+  optional AdmissionReviewSpec spec = 1;
+
+  // Status is filled in by the webhook and indicates whether the admission request should be permitted.
+  // +optional
+  optional AdmissionReviewStatus status = 2;
+}
+
+// AdmissionReviewSpec describes the admission.Attributes for the admission request.
+message AdmissionReviewSpec {
+  // Kind is the type of object being manipulated.  For example: Pod
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionKind kind = 1;
+
+  // Object is the object from the incoming request prior to default values being applied
+  optional k8s.io.apimachinery.pkg.runtime.RawExtension object = 2;
+
+  // OldObject is the existing object. Only populated for UPDATE requests.
+  // +optional
+  optional k8s.io.apimachinery.pkg.runtime.RawExtension oldObject = 3;
+
+  // Operation is the operation being performed
+  optional string operation = 4;
+
+  // Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
+  // rely on the server to generate the name.  If that is the case, this method will return the empty string.
+  // +optional
+  optional string name = 5;
+
+  // Namespace is the namespace associated with the request (if any).
+  // +optional
+  optional string namespace = 6;
+
+  // Resource is the name of the resource being requested.  This is not the kind.  For example: pods
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionResource resource = 7;
+
+  // SubResource is the name of the subresource being requested.  This is a different resource, scoped to the parent
+  // resource, but it may have a different kind. For instance, /pods has the resource "pods" and the kind "Pod", while
+  // /pods/foo/status has the resource "pods", the sub resource "status", and the kind "Pod" (because status operates on
+  // pods). The binding resource for a pod though may be /pods/foo/binding, which has resource "pods", subresource
+  // "binding", and kind "Binding".
+  // +optional
+  optional string subResource = 8;
+
+  // UserInfo is information about the requesting user
+  optional k8s.io.kubernetes.pkg.apis.authentication.v1.UserInfo userInfo = 9;
+}
+
+// AdmissionReviewStatus describes the status of the admission request.
+message AdmissionReviewStatus {
+  // Allowed indicates whether or not the admission request was permitted.
+  optional bool allowed = 1;
+
+  // Result contains extra details into why an admission request was denied.
+  // This field IS NOT consulted in any way if "Allowed" is "true".
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Status status = 2;
+}
+

pkg/apis/admission/v1alpha1/helpers.go

@@ -0,0 +1,68 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apiserver/pkg/admission"
+	authenticationv1 "k8s.io/kubernetes/pkg/apis/authentication/v1"
+)
+
+// NewAdmissionReview returns an AdmissionReview for the provided admission.Attributes
+func NewAdmissionReview(attr admission.Attributes) AdmissionReview {
+	gvk := attr.GetKind()
+	gvr := attr.GetResource()
+	aUserInfo := attr.GetUserInfo()
+	userInfo := authenticationv1.UserInfo{
+		Extra:    make(map[string]authenticationv1.ExtraValue),
+		Groups:   aUserInfo.GetGroups(),
+		UID:      aUserInfo.GetUID(),
+		Username: aUserInfo.GetName(),
+	}
+
+	// Convert the extra information in the user object
+	for key, val := range aUserInfo.GetExtra() {
+		userInfo.Extra[key] = authenticationv1.ExtraValue(val)
+	}
+
+	return AdmissionReview{
+		Spec: AdmissionReviewSpec{
+			Name:      attr.GetName(),
+			Namespace: attr.GetNamespace(),
+			Resource: metav1.GroupVersionResource{
+				Group:    gvr.Group,
+				Resource: gvr.Resource,
+				Version:  gvr.Version,
+			},
+			SubResource: attr.GetSubresource(),
+			Operation:   attr.GetOperation(),
+			Object: runtime.RawExtension{
+				Object: attr.GetObject(),
+			},
+			OldObject: runtime.RawExtension{
+				Object: attr.GetOldObject(),
+			},
+			Kind: metav1.GroupVersionKind{
+				Group:   gvk.Group,
+				Kind:    gvk.Kind,
+				Version: gvk.Version,
+			},
+			UserInfo: userInfo,
+		},
+	}
+}

pkg/apis/admission/v1alpha1/register.go

@@ -0,0 +1,58 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name for this API.
+const GroupName = "admission.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes, RegisterDefaults)
+}
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&AdmissionReview{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}

pkg/apis/admission/v1alpha1/types.go

@@ -0,0 +1,78 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apiserver/pkg/admission"
+	authenticationv1 "k8s.io/kubernetes/pkg/apis/authentication/v1"
+)
+
+// AdmissionReview describes an admission request.
+type AdmissionReview struct {
+	metav1.TypeMeta `json:",inline"`
+	// Spec describes the attributes for the admission request.
+	// Since this admission controller is non-mutating the webhook should avoid setting this in its response to avoid the
+	// cost of deserializing it.
+	// +optional
+	Spec AdmissionReviewSpec `json:"spec" protobuf:"bytes,1,opt,name=spec"`
+	// Status is filled in by the webhook and indicates whether the admission request should be permitted.
+	// +optional
+	Status AdmissionReviewStatus `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"`
+}
+
+// AdmissionReviewSpec describes the admission.Attributes for the admission request.
+type AdmissionReviewSpec struct {
+	// Kind is the type of object being manipulated.  For example: Pod
+	Kind metav1.GroupVersionKind `json:"kind,omitempty" protobuf:"bytes,1,opt,name=kind"`
+	// Object is the object from the incoming request prior to default values being applied
+	Object runtime.RawExtension `json:"object,omitempty" protobuf:"bytes,2,opt,name=object"`
+	// OldObject is the existing object. Only populated for UPDATE requests.
+	// +optional
+	OldObject runtime.RawExtension `json:"oldObject,omitempty" protobuf:"bytes,3,opt,name=oldObject"`
+	// Operation is the operation being performed
+	Operation admission.Operation `json:"operation,omitempty" protobuf:"bytes,4,opt,name=operation"`
+	// Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
+	// rely on the server to generate the name.  If that is the case, this method will return the empty string.
+	// +optional
+	Name string `json:"name,omitempty" protobuf:"bytes,5,opt,name=name"`
+	// Namespace is the namespace associated with the request (if any).
+	// +optional
+	Namespace string `json:"namespace,omitempty" protobuf:"bytes,6,opt,name=namespace"`
+	// Resource is the name of the resource being requested.  This is not the kind.  For example: pods
+	Resource metav1.GroupVersionResource `json:"resource,omitempty" protobuf:"bytes,7,opt,name=resource"`
+	// SubResource is the name of the subresource being requested.  This is a different resource, scoped to the parent
+	// resource, but it may have a different kind. For instance, /pods has the resource "pods" and the kind "Pod", while
+	// /pods/foo/status has the resource "pods", the sub resource "status", and the kind "Pod" (because status operates on
+	// pods). The binding resource for a pod though may be /pods/foo/binding, which has resource "pods", subresource
+	// "binding", and kind "Binding".
+	// +optional
+	SubResource string `json:"subResource,omitempty" protobuf:"bytes,8,opt,name=subResource"`
+	// UserInfo is information about the requesting user
+	UserInfo authenticationv1.UserInfo `json:"userInfo,omitempty" protobuf:"bytes,9,opt,name=userInfo"`
+}
+
+// AdmissionReviewStatus describes the status of the admission request.
+type AdmissionReviewStatus struct {
+	// Allowed indicates whether or not the admission request was permitted.
+	Allowed bool `json:"allowed" protobuf:"varint,1,opt,name=allowed"`
+	// Result contains extra details into why an admission request was denied.
+	// This field IS NOT consulted in any way if "Allowed" is "true".
+	// +optional
+	Result *metav1.Status `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"`
+}

pkg/apis/admission/v1alpha1/zz_generated.conversion.go

@@ -0,0 +1,149 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by conversion-gen. Do not edit it manually!
+
+package v1alpha1
+
+import (
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	pkg_admission "k8s.io/apiserver/pkg/admission"
+	admission "k8s.io/kubernetes/pkg/apis/admission"
+	unsafe "unsafe"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedConversionFuncs(
+		Convert_v1alpha1_AdmissionReview_To_admission_AdmissionReview,
+		Convert_admission_AdmissionReview_To_v1alpha1_AdmissionReview,
+		Convert_v1alpha1_AdmissionReviewSpec_To_admission_AdmissionReviewSpec,
+		Convert_admission_AdmissionReviewSpec_To_v1alpha1_AdmissionReviewSpec,
+		Convert_v1alpha1_AdmissionReviewStatus_To_admission_AdmissionReviewStatus,
+		Convert_admission_AdmissionReviewStatus_To_v1alpha1_AdmissionReviewStatus,
+	)
+}
+
+func autoConvert_v1alpha1_AdmissionReview_To_admission_AdmissionReview(in *AdmissionReview, out *admission.AdmissionReview, s conversion.Scope) error {
+	if err := Convert_v1alpha1_AdmissionReviewSpec_To_admission_AdmissionReviewSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_v1alpha1_AdmissionReviewStatus_To_admission_AdmissionReviewStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_v1alpha1_AdmissionReview_To_admission_AdmissionReview is an autogenerated conversion function.
+func Convert_v1alpha1_AdmissionReview_To_admission_AdmissionReview(in *AdmissionReview, out *admission.AdmissionReview, s conversion.Scope) error {
+	return autoConvert_v1alpha1_AdmissionReview_To_admission_AdmissionReview(in, out, s)
+}
+
+func autoConvert_admission_AdmissionReview_To_v1alpha1_AdmissionReview(in *admission.AdmissionReview, out *AdmissionReview, s conversion.Scope) error {
+	if err := Convert_admission_AdmissionReviewSpec_To_v1alpha1_AdmissionReviewSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_admission_AdmissionReviewStatus_To_v1alpha1_AdmissionReviewStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_admission_AdmissionReview_To_v1alpha1_AdmissionReview is an autogenerated conversion function.
+func Convert_admission_AdmissionReview_To_v1alpha1_AdmissionReview(in *admission.AdmissionReview, out *AdmissionReview, s conversion.Scope) error {
+	return autoConvert_admission_AdmissionReview_To_v1alpha1_AdmissionReview(in, out, s)
+}
+
+func autoConvert_v1alpha1_AdmissionReviewSpec_To_admission_AdmissionReviewSpec(in *AdmissionReviewSpec, out *admission.AdmissionReviewSpec, s conversion.Scope) error {
+	out.Kind = in.Kind
+	if err := runtime.Convert_runtime_RawExtension_To_runtime_Object(&in.Object, &out.Object, s); err != nil {
+		return err
+	}
+	if err := runtime.Convert_runtime_RawExtension_To_runtime_Object(&in.OldObject, &out.OldObject, s); err != nil {
+		return err
+	}
+	out.Operation = pkg_admission.Operation(in.Operation)
+	out.Name = in.Name
+	out.Namespace = in.Namespace
+	out.Resource = in.Resource
+	out.SubResource = in.SubResource
+	// TODO: Inefficient conversion - can we improve it?
+	if err := s.Convert(&in.UserInfo, &out.UserInfo, 0); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_v1alpha1_AdmissionReviewSpec_To_admission_AdmissionReviewSpec is an autogenerated conversion function.
+func Convert_v1alpha1_AdmissionReviewSpec_To_admission_AdmissionReviewSpec(in *AdmissionReviewSpec, out *admission.AdmissionReviewSpec, s conversion.Scope) error {
+	return autoConvert_v1alpha1_AdmissionReviewSpec_To_admission_AdmissionReviewSpec(in, out, s)
+}
+
+func autoConvert_admission_AdmissionReviewSpec_To_v1alpha1_AdmissionReviewSpec(in *admission.AdmissionReviewSpec, out *AdmissionReviewSpec, s conversion.Scope) error {
+	out.Kind = in.Kind
+	out.Name = in.Name
+	out.Namespace = in.Namespace
+	if err := runtime.Convert_runtime_Object_To_runtime_RawExtension(&in.Object, &out.Object, s); err != nil {
+		return err
+	}
+	if err := runtime.Convert_runtime_Object_To_runtime_RawExtension(&in.OldObject, &out.OldObject, s); err != nil {
+		return err
+	}
+	out.Operation = pkg_admission.Operation(in.Operation)
+	out.Resource = in.Resource
+	out.SubResource = in.SubResource
+	// TODO: Inefficient conversion - can we improve it?
+	if err := s.Convert(&in.UserInfo, &out.UserInfo, 0); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_admission_AdmissionReviewSpec_To_v1alpha1_AdmissionReviewSpec is an autogenerated conversion function.
+func Convert_admission_AdmissionReviewSpec_To_v1alpha1_AdmissionReviewSpec(in *admission.AdmissionReviewSpec, out *AdmissionReviewSpec, s conversion.Scope) error {
+	return autoConvert_admission_AdmissionReviewSpec_To_v1alpha1_AdmissionReviewSpec(in, out, s)
+}
+
+func autoConvert_v1alpha1_AdmissionReviewStatus_To_admission_AdmissionReviewStatus(in *AdmissionReviewStatus, out *admission.AdmissionReviewStatus, s conversion.Scope) error {
+	out.Allowed = in.Allowed
+	out.Result = (*v1.Status)(unsafe.Pointer(in.Result))
+	return nil
+}
+
+// Convert_v1alpha1_AdmissionReviewStatus_To_admission_AdmissionReviewStatus is an autogenerated conversion function.
+func Convert_v1alpha1_AdmissionReviewStatus_To_admission_AdmissionReviewStatus(in *AdmissionReviewStatus, out *admission.AdmissionReviewStatus, s conversion.Scope) error {
+	return autoConvert_v1alpha1_AdmissionReviewStatus_To_admission_AdmissionReviewStatus(in, out, s)
+}
+
+func autoConvert_admission_AdmissionReviewStatus_To_v1alpha1_AdmissionReviewStatus(in *admission.AdmissionReviewStatus, out *AdmissionReviewStatus, s conversion.Scope) error {
+	out.Allowed = in.Allowed
+	out.Result = (*v1.Status)(unsafe.Pointer(in.Result))
+	return nil
+}
+
+// Convert_admission_AdmissionReviewStatus_To_v1alpha1_AdmissionReviewStatus is an autogenerated conversion function.
+func Convert_admission_AdmissionReviewStatus_To_v1alpha1_AdmissionReviewStatus(in *admission.AdmissionReviewStatus, out *AdmissionReviewStatus, s conversion.Scope) error {
+	return autoConvert_admission_AdmissionReviewStatus_To_v1alpha1_AdmissionReviewStatus(in, out, s)
+}

pkg/apis/admission/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,100 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1alpha1
+
+import (
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	v1 "k8s.io/kubernetes/pkg/apis/authentication/v1"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_v1alpha1_AdmissionReview, InType: reflect.TypeOf(&AdmissionReview{})},
+		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_v1alpha1_AdmissionReviewSpec, InType: reflect.TypeOf(&AdmissionReviewSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_v1alpha1_AdmissionReviewStatus, InType: reflect.TypeOf(&AdmissionReviewStatus{})},
+	)
+}
+
+// DeepCopy_v1alpha1_AdmissionReview is an autogenerated deepcopy function.
+func DeepCopy_v1alpha1_AdmissionReview(in interface{}, out interface{}, c *conversion.Cloner) error {
+	{
+		in := in.(*AdmissionReview)
+		out := out.(*AdmissionReview)
+		*out = *in
+		if err := DeepCopy_v1alpha1_AdmissionReviewSpec(&in.Spec, &out.Spec, c); err != nil {
+			return err
+		}
+		if err := DeepCopy_v1alpha1_AdmissionReviewStatus(&in.Status, &out.Status, c); err != nil {
+			return err
+		}
+		return nil
+	}
+}
+
+// DeepCopy_v1alpha1_AdmissionReviewSpec is an autogenerated deepcopy function.
+func DeepCopy_v1alpha1_AdmissionReviewSpec(in interface{}, out interface{}, c *conversion.Cloner) error {
+	{
+		in := in.(*AdmissionReviewSpec)
+		out := out.(*AdmissionReviewSpec)
+		*out = *in
+		if newVal, err := c.DeepCopy(&in.Object); err != nil {
+			return err
+		} else {
+			out.Object = *newVal.(*runtime.RawExtension)
+		}
+		if newVal, err := c.DeepCopy(&in.OldObject); err != nil {
+			return err
+		} else {
+			out.OldObject = *newVal.(*runtime.RawExtension)
+		}
+		if err := v1.DeepCopy_v1_UserInfo(&in.UserInfo, &out.UserInfo, c); err != nil {
+			return err
+		}
+		return nil
+	}
+}
+
+// DeepCopy_v1alpha1_AdmissionReviewStatus is an autogenerated deepcopy function.
+func DeepCopy_v1alpha1_AdmissionReviewStatus(in interface{}, out interface{}, c *conversion.Cloner) error {
+	{
+		in := in.(*AdmissionReviewStatus)
+		out := out.(*AdmissionReviewStatus)
+		*out = *in
+		if in.Result != nil {
+			in, out := &in.Result, &out.Result
+			if newVal, err := c.DeepCopy(*in); err != nil {
+				return err
+			} else {
+				*out = newVal.(*meta_v1.Status)
+			}
+		}
+		return nil
+	}
+}

pkg/apis/admission/v1alpha1/zz_generated.defaults.go

@@ -0,0 +1,32 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by defaulter-gen. Do not edit it manually!
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+	return nil
+}

pkg/apis/admission/zz_generated.deepcopy.go

@@ -0,0 +1,106 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package admission
+
+import (
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	authentication "k8s.io/kubernetes/pkg/apis/authentication"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_admission_AdmissionReview, InType: reflect.TypeOf(&AdmissionReview{})},
+		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_admission_AdmissionReviewSpec, InType: reflect.TypeOf(&AdmissionReviewSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_admission_AdmissionReviewStatus, InType: reflect.TypeOf(&AdmissionReviewStatus{})},
+	)
+}
+
+// DeepCopy_admission_AdmissionReview is an autogenerated deepcopy function.
+func DeepCopy_admission_AdmissionReview(in interface{}, out interface{}, c *conversion.Cloner) error {
+	{
+		in := in.(*AdmissionReview)
+		out := out.(*AdmissionReview)
+		*out = *in
+		if err := DeepCopy_admission_AdmissionReviewSpec(&in.Spec, &out.Spec, c); err != nil {
+			return err
+		}
+		if err := DeepCopy_admission_AdmissionReviewStatus(&in.Status, &out.Status, c); err != nil {
+			return err
+		}
+		return nil
+	}
+}
+
+// DeepCopy_admission_AdmissionReviewSpec is an autogenerated deepcopy function.
+func DeepCopy_admission_AdmissionReviewSpec(in interface{}, out interface{}, c *conversion.Cloner) error {
+	{
+		in := in.(*AdmissionReviewSpec)
+		out := out.(*AdmissionReviewSpec)
+		*out = *in
+		// in.Object is kind 'Interface'
+		if in.Object != nil {
+			if newVal, err := c.DeepCopy(&in.Object); err != nil {
+				return err
+			} else {
+				out.Object = *newVal.(*runtime.Object)
+			}
+		}
+		// in.OldObject is kind 'Interface'
+		if in.OldObject != nil {
+			if newVal, err := c.DeepCopy(&in.OldObject); err != nil {
+				return err
+			} else {
+				out.OldObject = *newVal.(*runtime.Object)
+			}
+		}
+		if err := authentication.DeepCopy_authentication_UserInfo(&in.UserInfo, &out.UserInfo, c); err != nil {
+			return err
+		}
+		return nil
+	}
+}
+
+// DeepCopy_admission_AdmissionReviewStatus is an autogenerated deepcopy function.
+func DeepCopy_admission_AdmissionReviewStatus(in interface{}, out interface{}, c *conversion.Cloner) error {
+	{
+		in := in.(*AdmissionReviewStatus)
+		out := out.(*AdmissionReviewStatus)
+		*out = *in
+		if in.Result != nil {
+			in, out := &in.Result, &out.Result
+			if newVal, err := c.DeepCopy(*in); err != nil {
+				return err
+			} else {
+				*out = newVal.(*v1.Status)
+			}
+		}
+		return nil
+	}
+}

pkg/generated/openapi/BUILD

@@ -13,6 +13,7 @@ openapi_library(
         "pkg/api/v1",
         "pkg/apis/abac/v0",
         "pkg/apis/abac/v1beta1",
+        "pkg/apis/admission/v1alpha1",
         "pkg/apis/apps/v1beta1",
         "pkg/apis/authentication/v1",
         "pkg/apis/authentication/v1beta1",

pkg/master/import_known_versions_test.go

@@ -71,18 +71,20 @@ func TestTypeTags(t *testing.T) {
 // but are also registered in internal versions (or referenced from internal types),
 // so we explicitly allow tags for them
 var typesAllowedTags = map[reflect.Type]bool{
-	reflect.TypeOf(intstr.IntOrString{}):    true,
-	reflect.TypeOf(metav1.Time{}):           true,
-	reflect.TypeOf(metav1.Duration{}):       true,
-	reflect.TypeOf(metav1.TypeMeta{}):       true,
-	reflect.TypeOf(metav1.ListMeta{}):       true,
-	reflect.TypeOf(metav1.ObjectMeta{}):     true,
-	reflect.TypeOf(metav1.OwnerReference{}): true,
-	reflect.TypeOf(metav1.LabelSelector{}):  true,
-	reflect.TypeOf(metav1.GetOptions{}):     true,
-	reflect.TypeOf(metav1.ExportOptions{}):  true,
-	reflect.TypeOf(metav1.ListOptions{}):    true,
-	reflect.TypeOf(metav1.DeleteOptions{}):  true,
+	reflect.TypeOf(intstr.IntOrString{}):          true,
+	reflect.TypeOf(metav1.Time{}):                 true,
+	reflect.TypeOf(metav1.Duration{}):             true,
+	reflect.TypeOf(metav1.TypeMeta{}):             true,
+	reflect.TypeOf(metav1.ListMeta{}):             true,
+	reflect.TypeOf(metav1.ObjectMeta{}):           true,
+	reflect.TypeOf(metav1.OwnerReference{}):       true,
+	reflect.TypeOf(metav1.LabelSelector{}):        true,
+	reflect.TypeOf(metav1.GetOptions{}):           true,
+	reflect.TypeOf(metav1.ExportOptions{}):        true,
+	reflect.TypeOf(metav1.ListOptions{}):          true,
+	reflect.TypeOf(metav1.DeleteOptions{}):        true,
+	reflect.TypeOf(metav1.GroupVersionKind{}):     true,
+	reflect.TypeOf(metav1.GroupVersionResource{}): true,
 }
 
 func ensureNoTags(t *testing.T, gvk schema.GroupVersionKind, tp reflect.Type, parents []reflect.Type) {