Merge pull request #67006 from mbohlool/crd_webhook_conversion

CRD webhook conversion
2018-11-10 02:33:51 -08:00 · 2018-11-10 02:33:51 -08:00 · 97baad34a7
parent 344b42f0a4 d51d0164c5
commit 97baad34a7
35 changed files with 1567 additions and 56 deletions
--- a/cmd/kube-apiserver/app/apiextensions.go
+++ b/cmd/kube-apiserver/app/apiextensions.go
@ -28,6 +28,7 @@ import (
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/apiserver/pkg/util/webhook"
 	kubeexternalinformers "k8s.io/client-go/informers"
 	"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
 )
@ -38,6 +39,8 @@ func createAPIExtensionsConfig(
 	pluginInitializers []admission.PluginInitializer,
 	commandOptions *options.ServerRunOptions,
 	masterCount int,
 	serviceResolver webhook.ServiceResolver,
 	authResolverWrapper webhook.AuthenticationInfoResolverWrapper,
 ) (*apiextensionsapiserver.Config, error) {
 	// make a shallow copy to let us twiddle a few things
 	// most of the config actually remains the same.  We only need to mess with a couple items related to the particulars of the apiextensions
@ -74,6 +77,8 @@ func createAPIExtensionsConfig(
 		ExtraConfig: apiextensionsapiserver.ExtraConfig{
 			CRDRESTOptionsGetter: apiextensionsoptions.NewCRDRESTOptionsGetter(etcdOptions),
 			MasterCount:          masterCount,
 			AuthResolverWrapper:  authResolverWrapper,
 			ServiceResolver:      serviceResolver,
 		},
 	}
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@ -165,7 +165,8 @@ func CreateServerChain(completedOptions completedServerRunOptions, stopCh <-chan
 	}
 	// If additional API servers are added, they should be gated.
-	apiExtensionsConfig, err := createAPIExtensionsConfig(*kubeAPIServerConfig.GenericConfig, kubeAPIServerConfig.ExtraConfig.VersionedInformers, pluginInitializer, completedOptions.ServerRunOptions, completedOptions.MasterCount)
+	apiExtensionsConfig, err := createAPIExtensionsConfig(*kubeAPIServerConfig.GenericConfig, kubeAPIServerConfig.ExtraConfig.VersionedInformers, pluginInitializer, completedOptions.ServerRunOptions, completedOptions.MasterCount,
 		serviceResolver, webhook.NewDefaultAuthenticationInfoResolverWrapper(proxyTransport, kubeAPIServerConfig.GenericConfig.LoopbackClientConfig))
 	if err != nil {
 		return nil, err
 	}
--- a/staging/src/k8s.io/apiextensions-apiserver/Godeps/Godeps.json
+++ b/staging/src/k8s.io/apiextensions-apiserver/Godeps/Godeps.json
@ -2342,6 +2342,10 @@
 			"ImportPath": "k8s.io/apimachinery/pkg/util/sets",
 			"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/uuid",
 			"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/validation",
 			"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
@ -2450,6 +2454,10 @@
 			"ImportPath": "k8s.io/apiserver/pkg/util/logs",
 			"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 		},
 		{
 			"ImportPath": "k8s.io/apiserver/pkg/util/proxy",
 			"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 		},
 		{
 			"ImportPath": "k8s.io/apiserver/pkg/util/webhook",
 			"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
@ -2474,6 +2482,10 @@
 			"ImportPath": "k8s.io/client-go/kubernetes/scheme",
 			"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/core/v1",
 			"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/rest",
 			"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/BUILD
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/BUILD
@ -67,6 +67,7 @@ go_library(
        "//staging/src/k8s.io/apiserver/pkg/server/storage:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/storage/storagebackend:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/util/webhook:go_default_library",
        "//staging/src/k8s.io/client-go/scale:go_default_library",
        "//staging/src/k8s.io/client-go/scale/scheme/autoscalingv1:go_default_library",
        "//staging/src/k8s.io/client-go/tools/cache:go_default_library",
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/apiserver.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/apiserver.go
@ -31,6 +31,7 @@ import (
 	"k8s.io/apiserver/pkg/registry/rest"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	serverstorage "k8s.io/apiserver/pkg/server/storage"
 	"k8s.io/apiserver/pkg/util/webhook"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/install"
@ -78,6 +79,11 @@ type ExtraConfig struct {
 	// MasterCount is used to detect whether cluster is HA, and if it is
 	// the CRD Establishing will be hold by 5 seconds.
 	MasterCount int
 	// ServiceResolver is used in CR webhook converters to resolve webhook's service names
 	ServiceResolver webhook.ServiceResolver
 	// AuthResolverWrapper is used in CR webhook converters
 	AuthResolverWrapper webhook.AuthenticationInfoResolverWrapper
 }
 type Config struct {
@ -167,7 +173,7 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
 		delegate:  delegateHandler,
 	}
 	establishingController := establish.NewEstablishingController(s.Informers.Apiextensions().InternalVersion().CustomResourceDefinitions(), crdClient.Apiextensions())
-	crdHandler := NewCustomResourceDefinitionHandler(
+	crdHandler, err := NewCustomResourceDefinitionHandler(
 		versionDiscoveryHandler,
 		groupDiscoveryHandler,
 		s.Informers.Apiextensions().InternalVersion().CustomResourceDefinitions(),
@ -175,8 +181,13 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
 		c.ExtraConfig.CRDRESTOptionsGetter,
 		c.GenericConfig.AdmissionControl,
 		establishingController,
 		c.ExtraConfig.ServiceResolver,
 		c.ExtraConfig.AuthResolverWrapper,
 		c.ExtraConfig.MasterCount,
 	)
 	if err != nil {
 		return nil, err
 	}
 	s.GenericAPIServer.Handler.NonGoRestfulMux.Handle("/apis", crdHandler)
 	s.GenericAPIServer.Handler.NonGoRestfulMux.HandlePrefix("/apis/", crdHandler)
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/conversion/BUILD
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/conversion/BUILD
@ -5,15 +5,23 @@ go_library(
    srcs = [
        "converter.go",
        "nop_converter.go",
        "webhook_converter.go",
    ],
    importmap = "k8s.io/kubernetes/vendor/k8s.io/apiextensions-apiserver/pkg/apiserver/conversion",
    importpath = "k8s.io/apiextensions-apiserver/pkg/apiserver/conversion",
    visibility = ["//visibility:public"],
    deps = [
        "//staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions:go_default_library",
        "//staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1:go_default_library",
        "//staging/src/k8s.io/apiextensions-apiserver/pkg/features:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/util/uuid:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/util/webhook:go_default_library",
        "//staging/src/k8s.io/client-go/rest:go_default_library",
    ],
 )
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/conversion/converter.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/conversion/converter.go
@ -20,39 +20,74 @@ import (
 	"fmt"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
 	apiextensionsfeatures "k8s.io/apiextensions-apiserver/pkg/features"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/apiserver/pkg/util/webhook"
 )
-// NewCRDConverter returns a new CRD converter based on the conversion settings in crd object.
+// CRConverterFactory is the factory for all CR converters.
-func NewCRDConverter(crd *apiextensions.CustomResourceDefinition) (safe, unsafe runtime.ObjectConvertor) {
+type CRConverterFactory struct {
 	// webhookConverterFactory is the factory for webhook converters.
 	// This field should not be used if CustomResourceWebhookConversion feature is disabled.
 	webhookConverterFactory *webhookConverterFactory
 }
 // NewCRConverterFactory creates a new CRConverterFactory
 func NewCRConverterFactory(serviceResolver webhook.ServiceResolver, authResolverWrapper webhook.AuthenticationInfoResolverWrapper) (*CRConverterFactory, error) {
 	converterFactory := &CRConverterFactory{}
 	if utilfeature.DefaultFeatureGate.Enabled(apiextensionsfeatures.CustomResourceWebhookConversion) {
 		webhookConverterFactory, err := newWebhookConverterFactory(serviceResolver, authResolverWrapper)
 		if err != nil {
 			return nil, err
 		}
 		converterFactory.webhookConverterFactory = webhookConverterFactory
 	}
 	return converterFactory, nil
 }
 // NewConverter returns a new CR converter based on the conversion settings in crd object.
 func (m *CRConverterFactory) NewConverter(crd *apiextensions.CustomResourceDefinition) (safe, unsafe runtime.ObjectConvertor, err error) {
 	validVersions := map[schema.GroupVersion]bool{}
 	for _, version := range crd.Spec.Versions {
 		validVersions[schema.GroupVersion{Group: crd.Spec.Group, Version: version.Name}] = true
 	}
-	// The only converter right now is nopConverter. More converters will be returned based on the
+	switch crd.Spec.Conversion.Strategy {
-	// CRD object when they introduced.
+	case apiextensions.NoneConverter:
-	unsafe = &crdConverter{
+		unsafe = &crConverter{
 			clusterScoped: crd.Spec.Scope == apiextensions.ClusterScoped,
 			delegate: &nopConverter{
 				validVersions: validVersions,
 			},
 		}
-	return &safeConverterWrapper{unsafe}, unsafe
+		return &safeConverterWrapper{unsafe}, unsafe, nil
 	case apiextensions.WebhookConverter:
 		if !utilfeature.DefaultFeatureGate.Enabled(apiextensionsfeatures.CustomResourceWebhookConversion) {
 			return nil, nil, fmt.Errorf("webhook conversion is disabled on this cluster")
 		}
 		unsafe, err := m.webhookConverterFactory.NewWebhookConverter(validVersions, crd)
 		if err != nil {
 			return nil, nil, err
 		}
 		return &safeConverterWrapper{unsafe}, unsafe, nil
 	}
 	return nil, nil, fmt.Errorf("unknown conversion strategy %q for CRD %s", crd.Spec.Conversion.Strategy, crd.Name)
 }
-var _ runtime.ObjectConvertor = &crdConverter{}
+var _ runtime.ObjectConvertor = &crConverter{}
-// crdConverter extends the delegate with generic CRD conversion behaviour. The delegate will implement the
+// crConverter extends the delegate with generic CR conversion behaviour. The delegate will implement the
 // user defined conversion strategy given in the CustomResourceDefinition.
-type crdConverter struct {
+type crConverter struct {
 	delegate      runtime.ObjectConvertor
 	clusterScoped bool
 }
-func (c *crdConverter) ConvertFieldLabel(gvk schema.GroupVersionKind, label, value string) (string, string, error) {
+func (c *crConverter) ConvertFieldLabel(gvk schema.GroupVersionKind, label, value string) (string, string, error) {
 	// We currently only support metadata.namespace and metadata.name.
 	switch {
 	case label == "metadata.name":
@ -64,12 +99,12 @@ func (c *crdConverter) ConvertFieldLabel(gvk schema.GroupVersionKind, label, val
 	}
 }
-func (c *crdConverter) Convert(in, out, context interface{}) error {
+func (c *crConverter) Convert(in, out, context interface{}) error {
 	return c.delegate.Convert(in, out, context)
 }
 // ConvertToVersion converts in object to the given gvk in place and returns the same `in` object.
-func (c *crdConverter) ConvertToVersion(in runtime.Object, target runtime.GroupVersioner) (runtime.Object, error) {
+func (c *crConverter) ConvertToVersion(in runtime.Object, target runtime.GroupVersioner) (runtime.Object, error) {
 	// Run the converter on the list items instead of list itself
 	if list, ok := in.(*unstructured.UnstructuredList); ok {
 		for i := range list.Items {
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/conversion/nop_converter.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/conversion/nop_converter.go
@ -49,11 +49,11 @@ func (c *nopConverter) Convert(in, out, context interface{}) error {
 	outGVK := unstructOut.GroupVersionKind()
 	if !c.validVersions[outGVK.GroupVersion()] {
-		return fmt.Errorf("request to convert CRD from an invalid group/version: %s", outGVK.String())
+		return fmt.Errorf("request to convert CR from an invalid group/version: %s", outGVK.String())
 	}
 	inGVK := unstructIn.GroupVersionKind()
 	if !c.validVersions[inGVK.GroupVersion()] {
-		return fmt.Errorf("request to convert CRD to an invalid group/version: %s", inGVK.String())
+		return fmt.Errorf("request to convert CR to an invalid group/version: %s", inGVK.String())
 	}
 	unstructOut.SetUnstructuredContent(unstructIn.UnstructuredContent())
@ -72,7 +72,7 @@ func (c *nopConverter) ConvertToVersion(in runtime.Object, target runtime.GroupV
 		return nil, fmt.Errorf("%v is unstructured and is not suitable for converting to %q", kind, target)
 	}
 	if !c.validVersions[gvk.GroupVersion()] {
-		return nil, fmt.Errorf("request to convert CRD to an invalid group/version: %s", gvk.String())
+		return nil, fmt.Errorf("request to convert CR to an invalid group/version: %s", gvk.String())
 	}
 	in.GetObjectKind().SetGroupVersionKind(gvk)
 	return in, nil
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/conversion/webhook_converter.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/conversion/webhook_converter.go
@ -0,0 +1,350 @@
 /*
 Copyright 2018 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package conversion
 import (
 	"context"
 	"errors"
 	"fmt"
 	"k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/apiserver/pkg/util/webhook"
 	"k8s.io/client-go/rest"
 	internal "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
 )
 type webhookConverterFactory struct {
 	clientManager webhook.ClientManager
 }
 func newWebhookConverterFactory(serviceResolver webhook.ServiceResolver, authResolverWrapper webhook.AuthenticationInfoResolverWrapper) (*webhookConverterFactory, error) {
 	clientManager, err := webhook.NewClientManager(v1beta1.SchemeGroupVersion, v1beta1.AddToScheme)
 	if err != nil {
 		return nil, err
 	}
 	authInfoResolver, err := webhook.NewDefaultAuthenticationInfoResolver("")
 	if err != nil {
 		return nil, err
 	}
 	// Set defaults which may be overridden later.
 	clientManager.SetAuthenticationInfoResolver(authInfoResolver)
 	clientManager.SetAuthenticationInfoResolverWrapper(authResolverWrapper)
 	clientManager.SetServiceResolver(serviceResolver)
 	return &webhookConverterFactory{clientManager}, nil
 }
 // webhookConverter is a converter that calls an external webhook to do the CR conversion.
 type webhookConverter struct {
 	validVersions map[schema.GroupVersion]bool
 	clientManager webhook.ClientManager
 	restClient    *rest.RESTClient
 	name          string
 	nopConverter  nopConverter
 }
 func webhookClientConfigForCRD(crd *internal.CustomResourceDefinition) *webhook.ClientConfig {
 	apiConfig := crd.Spec.Conversion.WebhookClientConfig
 	ret := webhook.ClientConfig{
 		Name:     fmt.Sprintf("conversion_webhook_for_%s", crd.Name),
 		CABundle: apiConfig.CABundle,
 	}
 	if apiConfig.URL != nil {
 		ret.URL = *apiConfig.URL
 	}
 	if apiConfig.Service != nil {
 		ret.Service = &webhook.ClientConfigService{
 			Name:      apiConfig.Service.Name,
 			Namespace: apiConfig.Service.Namespace,
 		}
 		if apiConfig.Service.Path != nil {
 			ret.Service.Path = *apiConfig.Service.Path
 		}
 	}
 	return &ret
 }
 var _ runtime.ObjectConvertor = &webhookConverter{}
 func (f *webhookConverterFactory) NewWebhookConverter(validVersions map[schema.GroupVersion]bool, crd *internal.CustomResourceDefinition) (*webhookConverter, error) {
 	restClient, err := f.clientManager.HookClient(*webhookClientConfigForCRD(crd))
 	if err != nil {
 		return nil, err
 	}
 	return &webhookConverter{
 		clientManager: f.clientManager,
 		validVersions: validVersions,
 		restClient:    restClient,
 		name:          crd.Name,
 		nopConverter:  nopConverter{validVersions: validVersions},
 	}, nil
 }
 func (webhookConverter) ConvertFieldLabel(gvk schema.GroupVersionKind, label, value string) (string, string, error) {
 	return "", "", errors.New("unstructured cannot convert field labels")
 }
 func (c *webhookConverter) Convert(in, out, context interface{}) error {
 	unstructIn, ok := in.(*unstructured.Unstructured)
 	if !ok {
 		return fmt.Errorf("input type %T in not valid for unstructured conversion", in)
 	}
 	unstructOut, ok := out.(*unstructured.Unstructured)
 	if !ok {
 		return fmt.Errorf("output type %T in not valid for unstructured conversion", out)
 	}
 	outGVK := unstructOut.GroupVersionKind()
 	if !c.validVersions[outGVK.GroupVersion()] {
 		return fmt.Errorf("request to convert CR from an invalid group/version: %s", outGVK.String())
 	}
 	inGVK := unstructIn.GroupVersionKind()
 	if !c.validVersions[inGVK.GroupVersion()] {
 		return fmt.Errorf("request to convert CR to an invalid group/version: %s", inGVK.String())
 	}
 	converted, err := c.ConvertToVersion(unstructIn, outGVK.GroupVersion())
 	if err != nil {
 		return err
 	}
 	unstructuredConverted, ok := converted.(runtime.Unstructured)
 	if !ok {
 		// this should not happened
 		return fmt.Errorf("CR conversion failed")
 	}
 	unstructOut.SetUnstructuredContent(unstructuredConverted.UnstructuredContent())
 	return nil
 }
 func createConversionReview(obj runtime.Object, apiVersion string) *v1beta1.ConversionReview {
 	listObj, isList := obj.(*unstructured.UnstructuredList)
 	var objects []runtime.RawExtension
 	if isList {
 		for i := 0; i < len(listObj.Items); i++ {
 			// Only sent item for conversion, if the apiVersion is different
 			if listObj.Items[i].GetAPIVersion() != apiVersion {
 				objects = append(objects, runtime.RawExtension{Object: &listObj.Items[i]})
 			}
 		}
 	} else {
 		if obj.GetObjectKind().GroupVersionKind().GroupVersion().String() != apiVersion {
 			objects = []runtime.RawExtension{{Object: obj}}
 		}
 	}
 	return &v1beta1.ConversionReview{
 		Request: &v1beta1.ConversionRequest{
 			Objects:           objects,
 			DesiredAPIVersion: apiVersion,
 			UID:               uuid.NewUUID(),
 		},
 		Response: &v1beta1.ConversionResponse{},
 	}
 }
 func getRawExtensionObject(rx runtime.RawExtension) (runtime.Object, error) {
 	if rx.Object != nil {
 		return rx.Object, nil
 	}
 	u := unstructured.Unstructured{}
 	err := u.UnmarshalJSON(rx.Raw)
 	if err != nil {
 		return nil, err
 	}
 	return &u, nil
 }
 // getTargetGroupVersion returns group/version which should be used to convert in objects to.
 // String version of the return item is APIVersion.
 func getTargetGroupVersion(in runtime.Object, target runtime.GroupVersioner) (schema.GroupVersion, error) {
 	fromGVK := in.GetObjectKind().GroupVersionKind()
 	toGVK, ok := target.KindForGroupVersionKinds([]schema.GroupVersionKind{fromGVK})
 	if !ok {
 		// TODO: should this be a typed error?
 		return schema.GroupVersion{}, fmt.Errorf("%v is unstructured and is not suitable for converting to %q", fromGVK.String(), target)
 	}
 	return toGVK.GroupVersion(), nil
 }
 func (c *webhookConverter) ConvertToVersion(in runtime.Object, target runtime.GroupVersioner) (runtime.Object, error) {
 	// In general, the webhook should not do any defaulting or validation. A special case of that is an empty object
 	// conversion that must result an empty object and practically is the same as nopConverter.
 	// A smoke test in API machinery calls the converter on empty objects. As this case happens consistently
 	// it special cased here not to call webhook converter. The test initiated here:
 	// https://github.com/kubernetes/kubernetes/blob/dbb448bbdcb9e440eee57024ffa5f1698956a054/staging/src/k8s.io/apiserver/pkg/storage/cacher/cacher.go#L201
 	if isEmptyUnstructuredObject(in) {
 		return c.nopConverter.ConvertToVersion(in, target)
 	}
 	toGV, err := getTargetGroupVersion(in, target)
 	if err != nil {
 		return nil, err
 	}
 	if !c.validVersions[toGV] {
 		return nil, fmt.Errorf("request to convert CR to an invalid group/version: %s", toGV.String())
 	}
 	fromGV := in.GetObjectKind().GroupVersionKind().GroupVersion()
 	if !c.validVersions[fromGV] {
 		return nil, fmt.Errorf("request to convert CR from an invalid group/version: %s", fromGV.String())
 	}
 	listObj, isList := in.(*unstructured.UnstructuredList)
 	if isList {
 		for i, item := range listObj.Items {
 			fromGV := item.GroupVersionKind().GroupVersion()
 			if !c.validVersions[fromGV] {
 				return nil, fmt.Errorf("input list has invalid group/version `%v` at `%v` index", fromGV, i)
 			}
 		}
 	}
 	request := createConversionReview(in, toGV.String())
 	if len(request.Request.Objects) == 0 {
 		if !isList {
 			return in, nil
 		}
 		out := listObj.DeepCopy()
 		out.SetAPIVersion(toGV.String())
 		return out, nil
 	}
 	response := &v1beta1.ConversionReview{}
 	// TODO: Figure out if adding one second timeout make sense here.
 	ctx := context.TODO()
 	r := c.restClient.Post().Context(ctx).Body(request).Do()
 	if err := r.Into(response); err != nil {
 		// TODO: Return a webhook specific error to be able to convert it to meta.Status
 		return nil, fmt.Errorf("calling to conversion webhook failed for %s: %v", c.name, err)
 	}
 	if response.Response == nil {
 		// TODO: Return a webhook specific error to be able to convert it to meta.Status
 		return nil, fmt.Errorf("conversion webhook response was absent for %s", c.name)
 	}
 	if response.Response.Result.Status != v1.StatusSuccess {
 		// TODO return status message as error
 		return nil, fmt.Errorf("conversion request failed for %v, Response: %v", in.GetObjectKind(), response)
 	}
 	if len(response.Response.ConvertedObjects) != len(request.Request.Objects) {
 		return nil, fmt.Errorf("expected %v converted objects, got %v", len(request.Request.Objects), len(response.Response.ConvertedObjects))
 	}
 	if isList {
 		convertedList := listObj.DeepCopy()
 		// Collection of items sent for conversion is different than list items
 		// because only items that needed conversion has been sent.
 		convertedIndex := 0
 		for i := 0; i < len(listObj.Items); i++ {
 			if listObj.Items[i].GetAPIVersion() == toGV.String() {
 				// This item has not been sent for conversion, skip it.
 				continue
 			}
 			converted, err := getRawExtensionObject(response.Response.ConvertedObjects[convertedIndex])
 			convertedIndex++
 			original := listObj.Items[i]
 			if err != nil {
 				return nil, fmt.Errorf("invalid converted object at index %v: %v", convertedIndex, err)
 			}
 			if e, a := toGV, converted.GetObjectKind().GroupVersionKind().GroupVersion(); e != a {
 				return nil, fmt.Errorf("invalid converted object at index %v: invalid groupVersion, e=%v, a=%v", convertedIndex, e, a)
 			}
 			if e, a := original.GetObjectKind().GroupVersionKind().Kind, converted.GetObjectKind().GroupVersionKind().Kind; e != a {
 				return nil, fmt.Errorf("invalid converted object at index %v: invalid kind, e=%v, a=%v", convertedIndex, e, a)
 			}
 			unstructConverted, ok := converted.(*unstructured.Unstructured)
 			if !ok {
 				// this should not happened
 				return nil, fmt.Errorf("CR conversion failed")
 			}
 			if err := validateConvertedObject(&listObj.Items[i], unstructConverted); err != nil {
 				return nil, fmt.Errorf("invalid converted object at index %v: %v", convertedIndex, err)
 			}
 			convertedList.Items[i] = *unstructConverted
 		}
 		convertedList.SetAPIVersion(toGV.String())
 		return convertedList, nil
 	}
 	if len(response.Response.ConvertedObjects) != 1 {
 		// This should not happened
 		return nil, fmt.Errorf("CR conversion failed")
 	}
 	converted, err := getRawExtensionObject(response.Response.ConvertedObjects[0])
 	if err != nil {
 		return nil, err
 	}
 	if e, a := toGV, converted.GetObjectKind().GroupVersionKind().GroupVersion(); e != a {
 		return nil, fmt.Errorf("invalid converted object: invalid groupVersion, e=%v, a=%v", e, a)
 	}
 	if e, a := in.GetObjectKind().GroupVersionKind().Kind, converted.GetObjectKind().GroupVersionKind().Kind; e != a {
 		return nil, fmt.Errorf("invalid converted object: invalid kind, e=%v, a=%v", e, a)
 	}
 	unstructConverted, ok := converted.(*unstructured.Unstructured)
 	if !ok {
 		// this should not happened
 		return nil, fmt.Errorf("CR conversion failed")
 	}
 	unstructIn, ok := in.(*unstructured.Unstructured)
 	if !ok {
 		// this should not happened
 		return nil, fmt.Errorf("CR conversion failed")
 	}
 	if err := validateConvertedObject(unstructIn, unstructConverted); err != nil {
 		return nil, fmt.Errorf("invalid converted object: %v", err)
 	}
 	return converted, nil
 }
 func validateConvertedObject(unstructIn, unstructOut *unstructured.Unstructured) error {
 	if e, a := unstructIn.GetKind(), unstructOut.GetKind(); e != a {
 		return fmt.Errorf("must have the same kind: %v != %v", e, a)
 	}
 	if e, a := unstructIn.GetName(), unstructOut.GetName(); e != a {
 		return fmt.Errorf("must have the same name: %v != %v", e, a)
 	}
 	if e, a := unstructIn.GetNamespace(), unstructOut.GetNamespace(); e != a {
 		return fmt.Errorf("must have the same namespace: %v != %v", e, a)
 	}
 	if e, a := unstructIn.GetUID(), unstructOut.GetUID(); e != a {
 		return fmt.Errorf("must have the same UID: %v != %v", e, a)
 	}
 	return nil
 }
 // isEmptyUnstructuredObject returns true if in is an empty unstructured object, i.e. an unstructured object that does
 // not have any field except apiVersion and kind.
 func isEmptyUnstructuredObject(in runtime.Object) bool {
 	u, ok := in.(*unstructured.Unstructured)
 	if !ok {
 		return false
 	}
 	if len(u.Object) != 2 {
 		return false
 	}
 	if _, ok := u.Object["kind"]; !ok {
 		return false
 	}
 	if _, ok := u.Object["apiVersion"]; !ok {
 		return false
 	}
 	return true
 }
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_handler.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_handler.go
@ -67,6 +67,7 @@ import (
 	apiextensionsfeatures "k8s.io/apiextensions-apiserver/pkg/features"
 	"k8s.io/apiextensions-apiserver/pkg/registry/customresource"
 	"k8s.io/apiextensions-apiserver/pkg/registry/customresource/tableconvertor"
 	"k8s.io/apiserver/pkg/util/webhook"
 )
 // crdHandler serves the `/apis` endpoint.
@ -93,6 +94,8 @@ type crdHandler struct {
 	// MasterCount is used to implement sleep to improve
 	// CRD establishing process for HA clusters.
 	masterCount int
 	converterFactory *conversion.CRConverterFactory
 }
 // crdInfo stores enough information to serve the storage for the custom resource
@ -129,7 +132,9 @@ func NewCustomResourceDefinitionHandler(
 	restOptionsGetter generic.RESTOptionsGetter,
 	admission admission.Interface,
 	establishingController *establish.EstablishingController,
-	masterCount int) *crdHandler {
+	serviceResolver webhook.ServiceResolver,
 	authResolverWrapper webhook.AuthenticationInfoResolverWrapper,
 	masterCount int) (*crdHandler, error) {
 	ret := &crdHandler{
 		versionDiscoveryHandler: versionDiscoveryHandler,
 		groupDiscoveryHandler:   groupDiscoveryHandler,
@ -147,10 +152,15 @@ func NewCustomResourceDefinitionHandler(
 			ret.removeDeadStorage()
 		},
 	})
 	crConverterFactory, err := conversion.NewCRConverterFactory(serviceResolver, authResolverWrapper)
 	if err != nil {
 		return nil, err
 	}
 	ret.converterFactory = crConverterFactory
 	ret.customStorage.Store(crdStorageMap{})
-	return ret
+	return ret, nil
 }
 func (r *crdHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
@ -433,7 +443,10 @@ func (r *crdHandler) getOrCreateServingInfoFor(crd *apiextensions.CustomResource
 	scaleScopes := map[string]handlers.RequestScope{}
 	for _, v := range crd.Spec.Versions {
-		safeConverter, unsafeConverter := conversion.NewCRDConverter(crd)
+		safeConverter, unsafeConverter, err := r.converterFactory.NewConverter(crd)
 		if err != nil {
 			return nil, err
 		}
 		// In addition to Unstructured objects (Custom Resources), we also may sometimes need to
 		// decode unversioned Options objects, so we delegate to parameterScheme for such types.
 		parameterScheme := runtime.NewScheme()
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_handler_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_handler_test.go
@ -79,14 +79,24 @@ func TestConvertFieldLabel(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			crd := apiextensions.CustomResourceDefinition{}
+			crd := apiextensions.CustomResourceDefinition{
 				Spec: apiextensions.CustomResourceDefinitionSpec{
 					Conversion: &apiextensions.CustomResourceConversion{
 						Strategy: "None",
 					},
 				},
 			}
 			if test.clusterScoped {
 				crd.Spec.Scope = apiextensions.ClusterScoped
 			} else {
 				crd.Spec.Scope = apiextensions.NamespaceScoped
 			}
-			_, c := conversion.NewCRDConverter(&crd)
+			f, err := conversion.NewCRConverterFactory(nil, nil)
 			if err != nil {
 				t.Fatal(err)
 			}
 			_, c, err := f.NewConverter(&crd)
 			label, value, err := c.ConvertFieldLabel(schema.GroupVersionKind{}, test.label, "value")
 			if e, a := test.expectError, err != nil; e != a {
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/cmd/server/options/BUILD
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/cmd/server/options/BUILD
@ -14,6 +14,9 @@ go_library(
        "//staging/src/k8s.io/apiserver/pkg/registry/generic:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/util/proxy:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/util/webhook:go_default_library",
        "//staging/src/k8s.io/client-go/listers/core/v1:go_default_library",
        "//vendor/github.com/spf13/pflag:go_default_library",
    ],
 )
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/cmd/server/options/options.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/cmd/server/options/options.go
@ -20,6 +20,7 @@ import (
 	"fmt"
 	"io"
 	"net"
 	"net/url"
 	"github.com/spf13/pflag"
@ -30,6 +31,9 @@ import (
 	genericregistry "k8s.io/apiserver/pkg/registry/generic"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 	"k8s.io/apiserver/pkg/util/proxy"
 	"k8s.io/apiserver/pkg/util/webhook"
 	"k8s.io/client-go/listers/core/v1"
 )
 const defaultEtcdPathPrefix = "/registry/apiextensions.kubernetes.io"
@ -94,6 +98,8 @@ func (o CustomResourceDefinitionsServerOptions) Config() (*apiserver.Config, err
 		GenericConfig: serverConfig,
 		ExtraConfig: apiserver.ExtraConfig{
 			CRDRESTOptionsGetter: NewCRDRESTOptionsGetter(*o.RecommendedOptions.Etcd),
 			ServiceResolver:      &serviceResolver{serverConfig.SharedInformerFactory.Core().V1().Services().Lister()},
 			AuthResolverWrapper:  webhook.NewDefaultAuthenticationInfoResolverWrapper(nil, serverConfig.LoopbackClientConfig),
 		},
 	}
 	return config, nil
@ -114,3 +120,11 @@ func NewCRDRESTOptionsGetter(etcdOptions genericoptions.EtcdOptions) genericregi
 	return ret
 }
 type serviceResolver struct {
 	services v1.ServiceLister
 }
 func (r *serviceResolver) ResolveEndpoint(namespace, name string) (*url.URL, error) {
 	return proxy.ResolveCluster(r.services, namespace, name)
 }
--- a/staging/src/k8s.io/apiextensions-apiserver/test/integration/helpers.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/test/integration/helpers.go
@ -76,8 +76,8 @@ func newNamespacedCustomResourceClient(ns string, client dynamic.Interface, crd
 	return newNamespacedCustomResourceVersionedClient(ns, client, crd, crd.Spec.Versions[0].Name)
 }
-// updateCustomResourceDefinitionWithRetry updates a CRD, retrying up to 5 times on version conflict errors.
+// UpdateCustomResourceDefinitionWithRetry updates a CRD, retrying up to 5 times on version conflict errors.
-func updateCustomResourceDefinitionWithRetry(client clientset.Interface, name string, update func(*apiextensionsv1beta1.CustomResourceDefinition)) (*apiextensionsv1beta1.CustomResourceDefinition, error) {
+func UpdateCustomResourceDefinitionWithRetry(client clientset.Interface, name string, update func(*apiextensionsv1beta1.CustomResourceDefinition)) (*apiextensionsv1beta1.CustomResourceDefinition, error) {
 	for i := 0; i < 5; i++ {
 		crd, err := client.ApiextensionsV1beta1().CustomResourceDefinitions().Get(name, metav1.GetOptions{})
 		if err != nil {
--- a/staging/src/k8s.io/apiextensions-apiserver/test/integration/validation_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/test/integration/validation_test.go
@ -445,7 +445,7 @@ func TestCRValidationOnCRDUpdate(t *testing.T) {
 			}
 			// update the CRD to a less stricter schema
-			_, err = updateCustomResourceDefinitionWithRetry(apiExtensionClient, "noxus.mygroup.example.com", func(crd *apiextensionsv1beta1.CustomResourceDefinition) {
+			_, err = UpdateCustomResourceDefinitionWithRetry(apiExtensionClient, "noxus.mygroup.example.com", func(crd *apiextensionsv1beta1.CustomResourceDefinition) {
 				validationSchema, err := getSchemaForVersion(crd, v.Name)
 				if err != nil {
 					t.Fatal(err)
--- a/staging/src/k8s.io/apiextensions-apiserver/test/integration/versioning_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/test/integration/versioning_test.go
@ -64,7 +64,7 @@ func TestInternalVersionIsHandlerVersion(t *testing.T) {
 	// update validation via update because the cache priming in CreateNewCustomResourceDefinition will fail otherwise
 	t.Logf("Updating CRD to validate apiVersion")
-	noxuDefinition, err = updateCustomResourceDefinitionWithRetry(apiExtensionClient, noxuDefinition.Name, func(crd *apiextensionsv1beta1.CustomResourceDefinition) {
+	noxuDefinition, err = UpdateCustomResourceDefinitionWithRetry(apiExtensionClient, noxuDefinition.Name, func(crd *apiextensionsv1beta1.CustomResourceDefinition) {
 		crd.Spec.Validation = &apiextensionsv1beta1.CustomResourceValidation{
 			OpenAPIV3Schema: &apiextensionsv1beta1.JSONSchemaProps{
 				Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go
@ -164,6 +164,7 @@ func (a *Webhook) Dispatch(attr admission.Attributes) error {
 		return admission.NewForbidden(attr, fmt.Errorf("not yet ready to handle request"))
 	}
 	hooks := a.hookSource.Webhooks()
 	// TODO: Figure out if adding one second timeout make sense here.
 	ctx := context.TODO()
 	var relevantHooks []*v1beta1.Webhook
--- a/test/e2e/apimachinery/BUILD
+++ b/test/e2e/apimachinery/BUILD
@ -11,6 +11,7 @@ go_library(
        "aggregator.go",
        "certs.go",
        "chunking.go",
        "crd_conversion_webhook.go",
        "crd_watch.go",
        "custom_resource_definition.go",
        "etcd_failure.go",
@ -36,9 +37,11 @@ go_library(
        "//staging/src/k8s.io/api/batch/v1beta1:go_default_library",
        "//staging/src/k8s.io/api/core/v1:go_default_library",
        "//staging/src/k8s.io/api/extensions/v1beta1:go_default_library",
        "//staging/src/k8s.io/api/rbac/v1:go_default_library",
        "//staging/src/k8s.io/api/rbac/v1beta1:go_default_library",
        "//staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1:go_default_library",
        "//staging/src/k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset:go_default_library",
        "//staging/src/k8s.io/apiextensions-apiserver/test/integration:go_default_library",
        "//staging/src/k8s.io/apiextensions-apiserver/test/integration/fixtures:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
--- a/test/e2e/apimachinery/crd_conversion_webhook.go
+++ b/test/e2e/apimachinery/crd_conversion_webhook.go
@ -0,0 +1,396 @@
 /*
 Copyright 2018 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package apimachinery
 import (
 	"time"
 	apps "k8s.io/api/apps/v1"
 	"k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
 	"k8s.io/apiextensions-apiserver/test/integration"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	utilversion "k8s.io/apimachinery/pkg/util/version"
 	"k8s.io/client-go/dynamic"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/kubernetes/test/e2e/framework"
 	imageutils "k8s.io/kubernetes/test/utils/image"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 	_ "github.com/stretchr/testify/assert"
 )
 const (
 	secretCRDName      = "sample-custom-resource-conversion-webhook-secret"
 	deploymentCRDName  = "sample-crd-conversion-webhook-deployment"
 	serviceCRDName     = "e2e-test-crd-conversion-webhook"
 	roleBindingCRDName = "crd-conversion-webhook-auth-reader"
 )
 var serverCRDConversionWebhookVersion = utilversion.MustParseSemantic("v1.13.0-alpha")
 var apiVersions = []v1beta1.CustomResourceDefinitionVersion{
 	{
 		Name:    "v1",
 		Served:  true,
 		Storage: true,
 	},
 	{
 		Name:    "v2",
 		Served:  true,
 		Storage: false,
 	},
 }
 var alternativeApiVersions = []v1beta1.CustomResourceDefinitionVersion{
 	{
 		Name:    "v1",
 		Served:  true,
 		Storage: false,
 	},
 	{
 		Name:    "v2",
 		Served:  true,
 		Storage: true,
 	},
 }
 var _ = SIGDescribe("CustomResourceConversionWebhook [Feature:CustomResourceWebhookConversion]", func() {
 	var context *certContext
 	f := framework.NewDefaultFramework("crd-webhook")
 	var client clientset.Interface
 	var namespaceName string
 	BeforeEach(func() {
 		client = f.ClientSet
 		namespaceName = f.Namespace.Name
 		// Make sure the relevant provider supports conversion webhook
 		framework.SkipUnlessServerVersionGTE(serverCRDConversionWebhookVersion, f.ClientSet.Discovery())
 		By("Setting up server cert")
 		context = setupServerCert(f.Namespace.Name, serviceCRDName)
 		createAuthReaderRoleBindingForCRDConversion(f, f.Namespace.Name)
 		deployCustomResourceWebhookAndService(f, imageutils.GetE2EImage(imageutils.CRDConversionWebhook), context)
 	})
 	AfterEach(func() {
 		cleanCRDWebhookTest(client, namespaceName)
 	})
 	It("Should be able to convert from CR v1 to CR v2", func() {
 		testcrd, err := framework.CreateMultiVersionTestCRD(f, "stable.example.com", apiVersions,
 			&v1beta1.WebhookClientConfig{
 				CABundle: context.signingCert,
 				Service: &v1beta1.ServiceReference{
 					Namespace: f.Namespace.Name,
 					Name:      serviceCRDName,
 					Path:      strPtr("/crdconvert"),
 				}})
 		if err != nil {
 			return
 		}
 		defer testcrd.CleanUp()
 		testCustomResourceConversionWebhook(f, testcrd.Crd, testcrd.DynamicClients)
 	})
 	It("Should be able to convert a non homogeneous list of CRs", func() {
 		testcrd, err := framework.CreateMultiVersionTestCRD(f, "stable.example.com", apiVersions,
 			&v1beta1.WebhookClientConfig{
 				CABundle: context.signingCert,
 				Service: &v1beta1.ServiceReference{
 					Namespace: f.Namespace.Name,
 					Name:      serviceCRDName,
 					Path:      strPtr("/crdconvert"),
 				}})
 		if err != nil {
 			return
 		}
 		defer testcrd.CleanUp()
 		testCRListConversion(f, testcrd)
 	})
 })
 func cleanCRDWebhookTest(client clientset.Interface, namespaceName string) {
 	_ = client.CoreV1().Services(namespaceName).Delete(serviceCRDName, nil)
 	_ = client.AppsV1().Deployments(namespaceName).Delete(deploymentCRDName, nil)
 	_ = client.CoreV1().Secrets(namespaceName).Delete(secretCRDName, nil)
 	_ = client.RbacV1().RoleBindings("kube-system").Delete(roleBindingCRDName, nil)
 }
 func createAuthReaderRoleBindingForCRDConversion(f *framework.Framework, namespace string) {
 	By("Create role binding to let cr conversion webhook read extension-apiserver-authentication")
 	client := f.ClientSet
 	// Create the role binding to allow the webhook read the extension-apiserver-authentication configmap
 	_, err := client.RbacV1().RoleBindings("kube-system").Create(&rbacv1.RoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: roleBindingCRDName,
 		},
 		RoleRef: rbacv1.RoleRef{
 			APIGroup: "",
 			Kind:     "Role",
 			Name:     "extension-apiserver-authentication-reader",
 		},
 		// Webhook uses the default service account.
 		Subjects: []rbacv1.Subject{
 			{
 				Kind:      "ServiceAccount",
 				Name:      "default",
 				Namespace: namespace,
 			},
 		},
 	})
 	if err != nil && errors.IsAlreadyExists(err) {
 		framework.Logf("role binding %s already exists", roleBindingCRDName)
 	} else {
 		framework.ExpectNoError(err, "creating role binding %s:webhook to access configMap", namespace)
 	}
 }
 func deployCustomResourceWebhookAndService(f *framework.Framework, image string, context *certContext) {
 	By("Deploying the custom resource conversion webhook pod")
 	client := f.ClientSet
 	// Creating the secret that contains the webhook's cert.
 	secret := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: secretCRDName,
 		},
 		Type: v1.SecretTypeOpaque,
 		Data: map[string][]byte{
 			"tls.crt": context.cert,
 			"tls.key": context.key,
 		},
 	}
 	namespace := f.Namespace.Name
 	_, err := client.CoreV1().Secrets(namespace).Create(secret)
 	framework.ExpectNoError(err, "creating secret %q in namespace %q", secretName, namespace)
 	// Create the deployment of the webhook
 	podLabels := map[string]string{"app": "sample-crd-conversion-webhook", "crd-webhook": "true"}
 	replicas := int32(1)
 	zero := int64(0)
 	mounts := []v1.VolumeMount{
 		{
 			Name:      "crd-conversion-webhook-certs",
 			ReadOnly:  true,
 			MountPath: "/webhook.local.config/certificates",
 		},
 	}
 	volumes := []v1.Volume{
 		{
 			Name: "crd-conversion-webhook-certs",
 			VolumeSource: v1.VolumeSource{
 				Secret: &v1.SecretVolumeSource{SecretName: secretCRDName},
 			},
 		},
 	}
 	containers := []v1.Container{
 		{
 			Name:         "sample-crd-conversion-webhook",
 			VolumeMounts: mounts,
 			Args: []string{
 				"--tls-cert-file=/webhook.local.config/certificates/tls.crt",
 				"--tls-private-key-file=/webhook.local.config/certificates/tls.key",
 				"--alsologtostderr",
 				"-v=4",
 				"2>&1",
 			},
 			Image: image,
 		},
 	}
 	d := &apps.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:   deploymentCRDName,
 			Labels: podLabels,
 		},
 		Spec: apps.DeploymentSpec{
 			Replicas: &replicas,
 			Selector: &metav1.LabelSelector{
 				MatchLabels: podLabels,
 			},
 			Strategy: apps.DeploymentStrategy{
 				Type: apps.RollingUpdateDeploymentStrategyType,
 			},
 			Template: v1.PodTemplateSpec{
 				ObjectMeta: metav1.ObjectMeta{
 					Labels: podLabels,
 				},
 				Spec: v1.PodSpec{
 					TerminationGracePeriodSeconds: &zero,
 					Containers:                    containers,
 					Volumes:                       volumes,
 				},
 			},
 		},
 	}
 	deployment, err := client.AppsV1().Deployments(namespace).Create(d)
 	framework.ExpectNoError(err, "creating deployment %s in namespace %s", deploymentCRDName, namespace)
 	By("Wait for the deployment to be ready")
 	err = framework.WaitForDeploymentRevisionAndImage(client, namespace, deploymentCRDName, "1", image)
 	framework.ExpectNoError(err, "waiting for the deployment of image %s in %s in %s to complete", image, deploymentName, namespace)
 	err = framework.WaitForDeploymentComplete(client, deployment)
 	framework.ExpectNoError(err, "waiting for the deployment status valid", image, deploymentCRDName, namespace)
 	By("Deploying the webhook service")
 	serviceLabels := map[string]string{"crd-webhook": "true"}
 	service := &v1.Service{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: namespace,
 			Name:      serviceCRDName,
 			Labels:    map[string]string{"test": "crd-webhook"},
 		},
 		Spec: v1.ServiceSpec{
 			Selector: serviceLabels,
 			Ports: []v1.ServicePort{
 				{
 					Protocol:   "TCP",
 					Port:       443,
 					TargetPort: intstr.FromInt(443),
 				},
 			},
 		},
 	}
 	_, err = client.CoreV1().Services(namespace).Create(service)
 	framework.ExpectNoError(err, "creating service %s in namespace %s", serviceCRDName, namespace)
 	By("Verifying the service has paired with the endpoint")
 	err = framework.WaitForServiceEndpointsNum(client, namespace, serviceCRDName, 1, 1*time.Second, 30*time.Second)
 	framework.ExpectNoError(err, "waiting for service %s/%s have %d endpoint", namespace, serviceCRDName, 1)
 }
 func verifyV1Object(f *framework.Framework, crd *v1beta1.CustomResourceDefinition, obj *unstructured.Unstructured) {
 	Expect(obj.GetAPIVersion()).To(BeEquivalentTo(crd.Spec.Group + "/v1"))
 	hostPort, exists := obj.Object["hostPort"]
 	Expect(exists).To(BeTrue())
 	Expect(hostPort).To(BeEquivalentTo("localhost:8080"))
 	_, hostExists := obj.Object["host"]
 	Expect(hostExists).To(BeFalse())
 	_, portExists := obj.Object["port"]
 	Expect(portExists).To(BeFalse())
 }
 func verifyV2Object(f *framework.Framework, crd *v1beta1.CustomResourceDefinition, obj *unstructured.Unstructured) {
 	Expect(obj.GetAPIVersion()).To(BeEquivalentTo(crd.Spec.Group + "/v2"))
 	_, hostPortExists := obj.Object["hostPort"]
 	Expect(hostPortExists).To(BeFalse())
 	host, hostExists := obj.Object["host"]
 	Expect(hostExists).To(BeTrue())
 	Expect(host).To(BeEquivalentTo("localhost"))
 	port, portExists := obj.Object["port"]
 	Expect(portExists).To(BeTrue())
 	Expect(port).To(BeEquivalentTo("8080"))
 }
 func testCustomResourceConversionWebhook(f *framework.Framework, crd *v1beta1.CustomResourceDefinition, customResourceClients map[string]dynamic.ResourceInterface) {
 	name := "cr-instance-1"
 	By("Creating a v1 custom resource")
 	crInstance := &unstructured.Unstructured{
 		Object: map[string]interface{}{
 			"kind":       crd.Spec.Names.Kind,
 			"apiVersion": crd.Spec.Group + "/v1",
 			"metadata": map[string]interface{}{
 				"name":      name,
 				"namespace": f.Namespace.Name,
 			},
 			"hostPort": "localhost:8080",
 		},
 	}
 	_, err := customResourceClients["v1"].Create(crInstance, metav1.CreateOptions{})
 	Expect(err).To(BeNil())
 	By("v2 custom resource should be converted")
 	v2crd, err := customResourceClients["v2"].Get(name, metav1.GetOptions{})
 	verifyV2Object(f, crd, v2crd)
 }
 func testCRListConversion(f *framework.Framework, testCrd *framework.TestCrd) {
 	crd := testCrd.Crd
 	customResourceClients := testCrd.DynamicClients
 	name1 := "cr-instance-1"
 	name2 := "cr-instance-2"
 	By("Creating a v1 custom resource")
 	crInstance := &unstructured.Unstructured{
 		Object: map[string]interface{}{
 			"kind":       crd.Spec.Names.Kind,
 			"apiVersion": crd.Spec.Group + "/v1",
 			"metadata": map[string]interface{}{
 				"name":      name1,
 				"namespace": f.Namespace.Name,
 			},
 			"hostPort": "localhost:8080",
 		},
 	}
 	_, err := customResourceClients["v1"].Create(crInstance, metav1.CreateOptions{})
 	Expect(err).To(BeNil())
 	// Now cr-instance-1 is stored as v1. lets change storage version
 	crd, err = integration.UpdateCustomResourceDefinitionWithRetry(testCrd.ApiExtensionClient, crd.Name, func(c *v1beta1.CustomResourceDefinition) {
 		c.Spec.Versions = alternativeApiVersions
 	})
 	Expect(err).To(BeNil())
 	By("Create a v2 custom resource")
 	crInstance = &unstructured.Unstructured{
 		Object: map[string]interface{}{
 			"kind":       crd.Spec.Names.Kind,
 			"apiVersion": crd.Spec.Group + "/v1",
 			"metadata": map[string]interface{}{
 				"name":      name2,
 				"namespace": f.Namespace.Name,
 			},
 			"hostPort": "localhost:8080",
 		},
 	}
 	// After changing a CRD, the resources for versions will be re-created that can be result in
 	// cancelled connection (e.g. "grpc connection closed" or "context canceled").
 	// Just retrying fixes that.
 	for i := 0; i < 5; i++ {
 		_, err = customResourceClients["v1"].Create(crInstance, metav1.CreateOptions{})
 		if err == nil {
 			break
 		}
 	}
 	Expect(err).To(BeNil())
 	// Now that we have a v1 and v2 object, both list operation in v1 and v2 should work as expected.
 	By("List CRs in v1")
 	list, err := customResourceClients["v1"].List(metav1.ListOptions{})
 	Expect(err).To(BeNil())
 	Expect(len(list.Items)).To(BeIdenticalTo(2))
 	Expect((list.Items[0].GetName() == name1 && list.Items[1].GetName() == name2) ||
 		(list.Items[0].GetName() == name2 && list.Items[1].GetName() == name1)).To(BeTrue())
 	verifyV1Object(f, crd, &list.Items[0])
 	verifyV1Object(f, crd, &list.Items[1])
 	By("List CRs in v2")
 	list, err = customResourceClients["v2"].List(metav1.ListOptions{})
 	Expect(err).To(BeNil())
 	Expect(len(list.Items)).To(BeIdenticalTo(2))
 	Expect((list.Items[0].GetName() == name1 && list.Items[1].GetName() == name2) ||
 		(list.Items[0].GetName() == name2 && list.Items[1].GetName() == name1)).To(BeTrue())
 	verifyV2Object(f, crd, &list.Items[0])
 	verifyV2Object(f, crd, &list.Items[1])
 }
--- a/test/e2e/apimachinery/webhook.go
+++ b/test/e2e/apimachinery/webhook.go
@ -136,7 +136,7 @@ var _ = SIGDescribe("AdmissionWebhook", func() {
 		defer testcrd.CleanUp()
 		webhookCleanup := registerWebhookForCustomResource(f, context, testcrd)
 		defer webhookCleanup()
-		testCustomResourceWebhook(f, testcrd.Crd, testcrd.DynamicClient)
+		testCustomResourceWebhook(f, testcrd.Crd, testcrd.GetV1DynamicClient())
 	})
 	It("Should unconditionally reject operations on fail closed webhook", func() {
@ -173,7 +173,7 @@ var _ = SIGDescribe("AdmissionWebhook", func() {
 		defer testcrd.CleanUp()
 		webhookCleanup := registerMutatingWebhookForCustomResource(f, context, testcrd)
 		defer webhookCleanup()
-		testMutatingCustomResourceWebhook(f, testcrd.Crd, testcrd.DynamicClient)
+		testMutatingCustomResourceWebhook(f, testcrd.Crd, testcrd.GetV1DynamicClient())
 	})
 	It("Should deny crd creation", func() {
@ -1157,7 +1157,7 @@ func registerWebhookForCustomResource(f *framework.Framework, context *certConte
 					Operations: []v1beta1.OperationType{v1beta1.Create},
 					Rule: v1beta1.Rule{
 						APIGroups:   []string{testcrd.ApiGroup},
-						APIVersions: []string{testcrd.ApiVersion},
+						APIVersions: testcrd.GetAPIVersions(),
 						Resources:   []string{testcrd.GetPluralName()},
 					},
 				}},
@ -1198,7 +1198,7 @@ func registerMutatingWebhookForCustomResource(f *framework.Framework, context *c
 					Operations: []v1beta1.OperationType{v1beta1.Create},
 					Rule: v1beta1.Rule{
 						APIGroups:   []string{testcrd.ApiGroup},
-						APIVersions: []string{testcrd.ApiVersion},
+						APIVersions: testcrd.GetAPIVersions(),
 						Resources:   []string{testcrd.GetPluralName()},
 					},
 				}},
@ -1217,7 +1217,7 @@ func registerMutatingWebhookForCustomResource(f *framework.Framework, context *c
 					Operations: []v1beta1.OperationType{v1beta1.Create},
 					Rule: v1beta1.Rule{
 						APIGroups:   []string{testcrd.ApiGroup},
-						APIVersions: []string{testcrd.ApiVersion},
+						APIVersions: testcrd.GetAPIVersions(),
 						Resources:   []string{testcrd.GetPluralName()},
 					},
 				}},
@ -1343,12 +1343,18 @@ func testCRDDenyWebhook(f *framework.Framework) {
 	name := fmt.Sprintf("e2e-test-%s-%s-crd", f.BaseName, "deny")
 	kind := fmt.Sprintf("E2e-test-%s-%s-crd", f.BaseName, "deny")
 	group := fmt.Sprintf("%s-crd-test.k8s.io", f.BaseName)
-	apiVersion := "v1"
+	apiVersions := []apiextensionsv1beta1.CustomResourceDefinitionVersion{
 		{
 			Name:    "v1",
 			Served:  true,
 			Storage: true,
 		},
 	}
 	testcrd := &framework.TestCrd{
 		Name:     name,
 		Kind:     kind,
 		ApiGroup: group,
-		ApiVersion: apiVersion,
+		Versions: apiVersions,
 	}
 	// Creating a custom resource definition for use by assorted tests.
@ -1371,7 +1377,7 @@ func testCRDDenyWebhook(f *framework.Framework) {
 		},
 		Spec: apiextensionsv1beta1.CustomResourceDefinitionSpec{
 			Group:    testcrd.ApiGroup,
-			Version: testcrd.ApiVersion,
+			Versions: testcrd.Versions,
 			Names: apiextensionsv1beta1.CustomResourceDefinitionNames{
 				Plural:   testcrd.GetPluralName(),
 				Singular: testcrd.Name,
--- a/test/e2e/framework/crd_util.go
+++ b/test/e2e/framework/crd_util.go
@ -35,25 +35,23 @@ type TestCrd struct {
 	Name               string
 	Kind               string
 	ApiGroup           string
-	ApiVersion         string
+	Versions           []apiextensionsv1beta1.CustomResourceDefinitionVersion
 	ApiExtensionClient *crdclientset.Clientset
 	Crd                *apiextensionsv1beta1.CustomResourceDefinition
-	DynamicClient      dynamic.ResourceInterface
+	DynamicClients     map[string]dynamic.ResourceInterface
 	CleanUp            CleanCrdFn
 }
 // CreateTestCRD creates a new CRD specifically for the calling test.
-func CreateTestCRD(f *Framework) (*TestCrd, error) {
+func CreateMultiVersionTestCRD(f *Framework, group string, apiVersions []apiextensionsv1beta1.CustomResourceDefinitionVersion, conversionWebhook *apiextensionsv1beta1.WebhookClientConfig) (*TestCrd, error) {
 	suffix := randomSuffix()
 	name := fmt.Sprintf("e2e-test-%s-%s-crd", f.BaseName, suffix)
 	kind := fmt.Sprintf("E2e-test-%s-%s-crd", f.BaseName, suffix)
 	group := fmt.Sprintf("%s-crd-test.k8s.io", f.BaseName)
 	apiVersion := "v1"
 	testcrd := &TestCrd{
 		Name:     name,
 		Kind:     kind,
 		ApiGroup: group,
-		ApiVersion: apiVersion,
+		Versions: apiVersions,
 	}
 	// Creating a custom resource definition for use by assorted tests.
@ -75,6 +73,13 @@ func CreateTestCRD(f *Framework) (*TestCrd, error) {
 	crd := newCRDForTest(testcrd)
 	if conversionWebhook != nil {
 		crd.Spec.Conversion = &apiextensionsv1beta1.CustomResourceConversion{
 			Strategy:            "Webhook",
 			WebhookClientConfig: conversionWebhook,
 		}
 	}
 	//create CRD and waits for the resource to be recognized and available.
 	crd, err = fixtures.CreateNewCustomResourceDefinitionWatchUnsafe(crd, apiExtensionClient)
 	if err != nil {
@ -82,12 +87,17 @@ func CreateTestCRD(f *Framework) (*TestCrd, error) {
 		return nil, err
 	}
-	gvr := schema.GroupVersionResource{Group: crd.Spec.Group, Version: crd.Spec.Version, Resource: crd.Spec.Names.Plural}
+	resourceClients := map[string]dynamic.ResourceInterface{}
-	resourceClient := dynamicClient.Resource(gvr).Namespace(f.Namespace.Name)
+	for _, v := range crd.Spec.Versions {
 		if v.Served {
 			gvr := schema.GroupVersionResource{Group: crd.Spec.Group, Version: v.Name, Resource: crd.Spec.Names.Plural}
 			resourceClients[v.Name] = dynamicClient.Resource(gvr).Namespace(f.Namespace.Name)
 		}
 	}
 	testcrd.ApiExtensionClient = apiExtensionClient
 	testcrd.Crd = crd
-	testcrd.DynamicClient = resourceClient
+	testcrd.DynamicClients = resourceClients
 	testcrd.CleanUp = func() error {
 		err := fixtures.DeleteCustomResourceDefinition(crd, apiExtensionClient)
 		if err != nil {
@ -98,13 +108,26 @@ func CreateTestCRD(f *Framework) (*TestCrd, error) {
 	return testcrd, nil
 }
 // CreateTestCRD creates a new CRD specifically for the calling test.
 func CreateTestCRD(f *Framework) (*TestCrd, error) {
 	group := fmt.Sprintf("%s-crd-test.k8s.io", f.BaseName)
 	apiVersions := []apiextensionsv1beta1.CustomResourceDefinitionVersion{
 		{
 			Name:    "v1",
 			Served:  true,
 			Storage: true,
 		},
 	}
 	return CreateMultiVersionTestCRD(f, group, apiVersions, nil)
 }
 // newCRDForTest generates a CRD definition for the test
 func newCRDForTest(testcrd *TestCrd) *apiextensionsv1beta1.CustomResourceDefinition {
 	return &apiextensionsv1beta1.CustomResourceDefinition{
 		ObjectMeta: metav1.ObjectMeta{Name: testcrd.GetMetaName()},
 		Spec: apiextensionsv1beta1.CustomResourceDefinitionSpec{
 			Group:    testcrd.ApiGroup,
-			Version: testcrd.ApiVersion,
+			Versions: testcrd.Versions,
 			Names: apiextensionsv1beta1.CustomResourceDefinitionNames{
 				Plural:   testcrd.GetPluralName(),
 				Singular: testcrd.Name,
@ -130,3 +153,17 @@ func (c *TestCrd) GetPluralName() string {
 func (c *TestCrd) GetListName() string {
 	return c.Name + "List"
 }
 func (c *TestCrd) GetAPIVersions() []string {
 	ret := []string{}
 	for _, v := range c.Versions {
 		if v.Served {
 			ret = append(ret, v.Name)
 		}
 	}
 	return ret
 }
 func (c *TestCrd) GetV1DynamicClient() dynamic.ResourceInterface {
 	return c.DynamicClients["v1"]
 }
--- a/test/images/BUILD
+++ b/test/images/BUILD
@ -12,6 +12,7 @@ filegroup(
    srcs = [
        ":package-srcs",
        "//test/images/apparmor-loader:all-srcs",
        "//test/images/crd-conversion-webhook:all-srcs",
        "//test/images/echoserver:all-srcs",
        "//test/images/entrypoint-tester:all-srcs",
        "//test/images/fakegitserver:all-srcs",
--- a/test/images/crd-conversion-webhook/BASEIMAGE
+++ b/test/images/crd-conversion-webhook/BASEIMAGE
@ -0,0 +1,4 @@
 amd64=alpine:3.6
 arm=arm32v6/alpine:3.6
 arm64=arm64v8/alpine:3.6
 ppc64le=ppc64le/alpine:3.6
--- a/test/images/crd-conversion-webhook/BUILD
+++ b/test/images/crd-conversion-webhook/BUILD
@ -0,0 +1,40 @@
 load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
 go_library(
    name = "go_default_library",
    srcs = [
        "config.go",
        "main.go",
    ],
    importpath = "k8s.io/kubernetes/test/images/crd-conversion-webhook",
    visibility = ["//visibility:private"],
    deps = [
        "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
        "//staging/src/k8s.io/client-go/rest:go_default_library",
        "//test/images/crd-conversion-webhook/converter:go_default_library",
        "//vendor/github.com/golang/glog:go_default_library",
    ],
 )
 go_binary(
    name = "crd-conversion-webhook",
    embed = [":go_default_library"],
    visibility = ["//visibility:public"],
 )
 filegroup(
    name = "package-srcs",
    srcs = glob(["**"]),
    tags = ["automanaged"],
    visibility = ["//visibility:private"],
 )
 filegroup(
    name = "all-srcs",
    srcs = [
        ":package-srcs",
        "//test/images/crd-conversion-webhook/converter:all-srcs",
    ],
    tags = ["automanaged"],
    visibility = ["//visibility:public"],
 )
--- a/test/images/crd-conversion-webhook/Dockerfile
+++ b/test/images/crd-conversion-webhook/Dockerfile
@ -0,0 +1,18 @@
 # Copyright 2018 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 FROM BASEIMAGE
 ADD crd_conversion_webhook /crd_conversion_webhook
 ENTRYPOINT ["/crd_conversion_webhook"]
--- a/test/images/crd-conversion-webhook/Makefile
+++ b/test/images/crd-conversion-webhook/Makefile
@ -0,0 +1,25 @@
 # Copyright 2018 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 SRCS=crd_conversion_webhook
 ARCH ?= amd64
 TARGET ?= $(CURDIR)
 GOLANG_VERSION ?= latest
 SRC_DIR = $(notdir $(shell pwd))
 export
 bin:
 	../image-util.sh bin $(SRCS)
 .PHONY: bin
--- a/test/images/crd-conversion-webhook/README.md
+++ b/test/images/crd-conversion-webhook/README.md
@ -0,0 +1,11 @@
 # Kubernetes External Admission Webhook Test Image
 The image tests CustomResourceConversionWebhook. After deploying it to kubernetes cluster,
 administrator needs to create a CustomResourceConversion.Webhook
 in kubernetes cluster to use remote webhook for conversions.
 ## Build the code
 ```bash
 make build
 ```
--- a/test/images/crd-conversion-webhook/VERSION
+++ b/test/images/crd-conversion-webhook/VERSION
@ -0,0 +1 @@
 1.13rev2
--- a/test/images/crd-conversion-webhook/config.go
+++ b/test/images/crd-conversion-webhook/config.go
@ -0,0 +1,51 @@
 /*
 Copyright 2018 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"crypto/tls"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"github.com/golang/glog"
 )
 // Get a clientset with in-cluster config.
 func getClient() *kubernetes.Clientset {
 	config, err := rest.InClusterConfig()
 	if err != nil {
 		glog.Fatal(err)
 	}
 	clientset, err := kubernetes.NewForConfig(config)
 	if err != nil {
 		glog.Fatal(err)
 	}
 	return clientset
 }
 func configTLS(config Config, clientset *kubernetes.Clientset) *tls.Config {
 	sCert, err := tls.LoadX509KeyPair(config.CertFile, config.KeyFile)
 	if err != nil {
 		glog.Fatal(err)
 	}
 	return &tls.Config{
 		Certificates: []tls.Certificate{sCert},
 		// TODO: uses mutual tls after we agree on what cert the apiserver should use.
 		// ClientAuth:   tls.RequireAndVerifyClientCert,
 	}
 }
--- a/test/images/crd-conversion-webhook/converter/BUILD
+++ b/test/images/crd-conversion-webhook/converter/BUILD
@ -0,0 +1,47 @@
 load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
 go_library(
    name = "go_default_library",
    srcs = [
        "example_converter.go",
        "framework.go",
    ],
    importpath = "k8s.io/kubernetes/test/images/crd-conversion-webhook/converter",
    visibility = ["//visibility:public"],
    deps = [
        "//staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/runtime/serializer/json:go_default_library",
        "//vendor/bitbucket.org/ww/goautoneg:go_default_library",
        "//vendor/github.com/golang/glog:go_default_library",
    ],
 )
 go_test(
    name = "go_default_test",
    srcs = ["converter_test.go"],
    embed = [":go_default_library"],
    deps = [
        "//staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/runtime/serializer/json:go_default_library",
    ],
 )
 filegroup(
    name = "package-srcs",
    srcs = glob(["**"]),
    tags = ["automanaged"],
    visibility = ["//visibility:private"],
 )
 filegroup(
    name = "all-srcs",
    srcs = [":package-srcs"],
    tags = ["automanaged"],
    visibility = ["//visibility:public"],
 )
--- a/test/images/crd-conversion-webhook/converter/converter_test.go
+++ b/test/images/crd-conversion-webhook/converter/converter_test.go
@ -0,0 +1,97 @@
 /*
 Copyright 2018 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package converter
 import (
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer/json"
 )
 func TestConverter(t *testing.T) {
 	sampleObj := `kind: ConversionReview
 apiVersion: apiextensions.k8s.io/v1beta1
 request:
  uid: 0000-0000-0000-0000
  desiredAPIVersion: stable.example.com/v2
  objects:
    - apiVersion: stable.example.com/v1
      kind: CronTab
      metadata:
        name: my-new-cron-object
      spec:
        cronSpec: "* * * * */5"
        image: my-awesome-cron-image
      hostPort: "localhost:7070"
 `
 	// First try json, it should fail as the data is taml
 	response := httptest.NewRecorder()
 	request, err := http.NewRequest("POST", "/convert", strings.NewReader(sampleObj))
 	if err != nil {
 		t.Fatal(err)
 	}
 	request.Header.Add("Content-Type", "application/json")
 	ServeExampleConvert(response, request)
 	convertReview := v1beta1.ConversionReview{}
 	scheme := runtime.NewScheme()
 	jsonSerializer := json.NewSerializer(json.DefaultMetaFactory, scheme, scheme, false)
 	if _, _, err := jsonSerializer.Decode(response.Body.Bytes(), nil, &convertReview); err != nil {
 		t.Fatal(err)
 	}
 	if convertReview.Response.Result.Status != v1.StatusFailure {
 		t.Fatalf("expected the operation to fail when yaml is provided with json header")
 	} else if !strings.Contains(convertReview.Response.Result.Message, "json parse error") {
 		t.Fatalf("expected to fail on json parser, but it failed with: %v", convertReview.Response.Result.Message)
 	}
 	// Now try yaml, and it should successfully convert
 	response = httptest.NewRecorder()
 	request, err = http.NewRequest("POST", "/convert", strings.NewReader(sampleObj))
 	if err != nil {
 		t.Fatal(err)
 	}
 	request.Header.Add("Content-Type", "application/yaml")
 	ServeExampleConvert(response, request)
 	convertReview = v1beta1.ConversionReview{}
 	yamlSerializer := json.NewYAMLSerializer(json.DefaultMetaFactory, scheme, scheme)
 	if _, _, err := yamlSerializer.Decode(response.Body.Bytes(), nil, &convertReview); err != nil {
 		t.Fatalf("cannot decode data: \n %v\n Error: %v", response.Body, err)
 	}
 	if convertReview.Response.Result.Status != v1.StatusSuccess {
 		t.Fatalf("cr conversion failed: %v", convertReview.Response)
 	}
 	convertedObj := unstructured.Unstructured{}
 	if _, _, err := yamlSerializer.Decode(convertReview.Response.ConvertedObjects[0].Raw, nil, &convertedObj); err != nil {
 		t.Fatal(err)
 	}
 	if e, a := "stable.example.com/v2", convertedObj.GetAPIVersion(); e != a {
 		t.Errorf("expected= %v, actual= %v", e, a)
 	}
 	if e, a := "localhost", convertedObj.Object["host"]; e != a {
 		t.Errorf("expected= %v, actual= %v", e, a)
 	}
 	if e, a := "7070", convertedObj.Object["port"]; e != a {
 		t.Errorf("expected= %v, actual= %v", e, a)
 	}
 }
--- a/test/images/crd-conversion-webhook/converter/example_converter.go
+++ b/test/images/crd-conversion-webhook/converter/example_converter.go
@ -0,0 +1,79 @@
 /*
 Copyright 2018 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package converter
 import (
 	"fmt"
 	"strings"
 	"github.com/golang/glog"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 func convertExampleCRD(Object *unstructured.Unstructured, toVersion string) (*unstructured.Unstructured, metav1.Status) {
 	glog.V(2).Info("converting crd")
 	convertedObject := Object.DeepCopy()
 	fromVersion := Object.GetAPIVersion()
 	if toVersion == fromVersion {
 		return nil, statusErrorWithMessage("conversion from a version to itself should not call the webhook: %s", toVersion)
 	}
 	switch Object.GetAPIVersion() {
 	case "stable.example.com/v1":
 		switch toVersion {
 		case "stable.example.com/v2":
 			hostPort, ok := convertedObject.Object["hostPort"]
 			if ok {
 				delete(convertedObject.Object, "hostPort")
 				parts := strings.Split(hostPort.(string), ":")
 				if len(parts) != 2 {
 					return nil, statusErrorWithMessage("invalid hostPort value `%v`", hostPort)
 				}
 				convertedObject.Object["host"] = parts[0]
 				convertedObject.Object["port"] = parts[1]
 			}
 		default:
 			return nil, statusErrorWithMessage("unexpected conversion version %q", toVersion)
 		}
 	case "stable.example.com/v2":
 		switch toVersion {
 		case "stable.example.com/v1":
 			host, hasHost := convertedObject.Object["host"]
 			port, hasPort := convertedObject.Object["port"]
 			if hasHost || hasPort {
 				if !hasHost {
 					host = ""
 				}
 				if !hasPort {
 					port = ""
 				}
 				convertedObject.Object["hostPort"] = fmt.Sprintf("%s:%s", host, port)
 				delete(convertedObject.Object, "host")
 				delete(convertedObject.Object, "port")
 			}
 		default:
 			return nil, statusErrorWithMessage("unexpected conversion version %q", toVersion)
 		}
 	default:
 		return nil, statusErrorWithMessage("unexpected conversion version %q", fromVersion)
 	}
 	return convertedObject, statusSucceed()
 }
--- a/test/images/crd-conversion-webhook/converter/framework.go
+++ b/test/images/crd-conversion-webhook/converter/framework.go
@ -0,0 +1,178 @@
 /*
 Copyright 2018 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package converter
 import (
 	"bitbucket.org/ww/goautoneg"
 	"fmt"
 	"io/ioutil"
 	"net/http"
 	"strings"
 	"github.com/golang/glog"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer/json"
 )
 // convertFunc is the user defined function for any conversion. The code in this file is a
 // template that can be use for any CR conversion given this function.
 type convertFunc func(Object *unstructured.Unstructured, version string) (*unstructured.Unstructured, metav1.Status)
 // conversionResponseFailureWithMessagef is a helper function to create an AdmissionResponse
 // with a formatted embedded error message.
 func conversionResponseFailureWithMessagef(msg string, params ...interface{}) *v1beta1.ConversionResponse {
 	return &v1beta1.ConversionResponse{
 		Result: metav1.Status{
 			Message: fmt.Sprintf(msg, params...),
 			Status:  metav1.StatusFailure,
 		},
 	}
 }
 func statusErrorWithMessage(msg string, params ...interface{}) metav1.Status {
 	return metav1.Status{
 		Message: fmt.Sprintf(msg, params...),
 		Status:  metav1.StatusFailure,
 	}
 }
 func statusSucceed() metav1.Status {
 	return metav1.Status{
 		Status: metav1.StatusSuccess,
 	}
 }
 // doConversion converts the requested object given the conversion function and returns a conversion response.
 // failures will be reported as Reason in the conversion response.
 func doConversion(convertRequest *v1beta1.ConversionRequest, convert convertFunc) *v1beta1.ConversionResponse {
 	var convertedObjects []runtime.RawExtension
 	for _, obj := range convertRequest.Objects {
 		cr := unstructured.Unstructured{}
 		if err := cr.UnmarshalJSON(obj.Raw); err != nil {
 			glog.Error(err)
 			return conversionResponseFailureWithMessagef("failed to unmarshall object (%v) with error: %v", string(obj.Raw), err)
 		}
 		convertedCR, status := convert(&cr, convertRequest.DesiredAPIVersion)
 		if status.Status != metav1.StatusSuccess {
 			glog.Error(status.String())
 			return &v1beta1.ConversionResponse{
 				Result: status,
 			}
 		}
 		convertedCR.SetAPIVersion(convertRequest.DesiredAPIVersion)
 		convertedObjects = append(convertedObjects, runtime.RawExtension{Object: convertedCR})
 	}
 	return &v1beta1.ConversionResponse{
 		ConvertedObjects: convertedObjects,
 		Result:           statusSucceed(),
 	}
 }
 func serve(w http.ResponseWriter, r *http.Request, convert convertFunc) {
 	var body []byte
 	if r.Body != nil {
 		if data, err := ioutil.ReadAll(r.Body); err == nil {
 			body = data
 		}
 	}
 	contentType := r.Header.Get("Content-Type")
 	serializer := getInputSerializer(contentType)
 	if serializer == nil {
 		msg := fmt.Sprintf("invalid Content-Type header `%s`", contentType)
 		glog.Errorf(msg)
 		http.Error(w, msg, http.StatusBadRequest)
 		return
 	}
 	glog.V(2).Infof("handling request: %v", body)
 	convertReview := v1beta1.ConversionReview{}
 	if _, _, err := serializer.Decode(body, nil, &convertReview); err != nil {
 		glog.Error(err)
 		convertReview.Response = conversionResponseFailureWithMessagef("failed to deserialize body (%v) with error %v", string(body), err)
 	} else {
 		convertReview.Response = doConversion(convertReview.Request, convert)
 		convertReview.Response.UID = convertReview.Request.UID
 	}
 	glog.V(2).Info(fmt.Sprintf("sending response: %v", convertReview.Response))
 	// reset the request, it is not needed in a response.
 	convertReview.Request = &v1beta1.ConversionRequest{}
 	accept := r.Header.Get("Accept")
 	outSerializer := getOutputSerializer(accept)
 	if outSerializer == nil {
 		msg := fmt.Sprintf("invalid accept header `%s`", accept)
 		glog.Errorf(msg)
 		http.Error(w, msg, http.StatusBadRequest)
 		return
 	}
 	err := outSerializer.Encode(&convertReview, w)
 	if err != nil {
 		glog.Error(err)
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 }
 // ServeExampleConvert servers endpoint for the example converter defined as convertExampleCRD function.
 func ServeExampleConvert(w http.ResponseWriter, r *http.Request) {
 	serve(w, r, convertExampleCRD)
 }
 type mediaType struct {
 	Type, SubType string
 }
 var scheme = runtime.NewScheme()
 var serializers = map[mediaType]runtime.Serializer{
 	{"application", "json"}: json.NewSerializer(json.DefaultMetaFactory, scheme, scheme, false),
 	{"application", "yaml"}: json.NewYAMLSerializer(json.DefaultMetaFactory, scheme, scheme),
 }
 func getInputSerializer(contentType string) runtime.Serializer {
 	parts := strings.SplitN(contentType, "/", 2)
 	if len(parts) != 2 {
 		return nil
 	}
 	return serializers[mediaType{parts[0], parts[1]}]
 }
 func getOutputSerializer(accept string) runtime.Serializer {
 	if len(accept) == 0 {
 		return serializers[mediaType{"application", "json"}]
 	}
 	clauses := goautoneg.ParseAccept(accept)
 	for _, clause := range clauses {
 		for k, v := range serializers {
 			switch {
 			case clause.Type == k.Type && clause.SubType == k.SubType,
 				clause.Type == k.Type && clause.SubType == "*",
 				clause.Type == "*" && clause.SubType == "*":
 				return v
 			}
 		}
 	}
 	return nil
 }
--- a/test/images/crd-conversion-webhook/main.go
+++ b/test/images/crd-conversion-webhook/main.go
@ -0,0 +1,52 @@
 /*
 Copyright 2018 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"flag"
 	"net/http"
 	"k8s.io/kubernetes/test/images/crd-conversion-webhook/converter"
 )
 // Config contains the server (the webhook) cert and key.
 type Config struct {
 	CertFile string
 	KeyFile  string
 }
 func (c *Config) addFlags() {
 	flag.StringVar(&c.CertFile, "tls-cert-file", c.CertFile, ""+
 		"File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated "+
 		"after server cert).")
 	flag.StringVar(&c.KeyFile, "tls-private-key-file", c.KeyFile, ""+
 		"File containing the default x509 private key matching --tls-cert-file.")
 }
 func main() {
 	var config Config
 	config.addFlags()
 	flag.Parse()
 	http.HandleFunc("/crdconvert", converter.ServeExampleConvert)
 	clientset := getClient()
 	server := &http.Server{
 		Addr:      ":443",
 		TLSConfig: configTLS(config, clientset),
 	}
 	server.ListenAndServeTLS("", "")
 }
--- a/test/utils/image/manifest.go
+++ b/test/utils/image/manifest.go
@ -92,6 +92,7 @@ var (
 // Preconfigured image configs
 var (
 	CRDConversionWebhook     = Config{e2eRegistry, "crd-conversion-webhook", "1.13rev2"}
 	AdmissionWebhook         = Config{e2eRegistry, "webhook", "1.13v1"}
 	APIServer                = Config{e2eRegistry, "sample-apiserver", "1.10"}
 	AppArmorLoader           = Config{e2eRegistry, "apparmor-loader", "1.0"}