diff --git a/cluster/aws/util.sh b/cluster/aws/util.sh index 483bda04cb..39830b9be8 100755 --- a/cluster/aws/util.sh +++ b/cluster/aws/util.sh @@ -15,7 +15,7 @@ # limitations under the License. KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../.. -source "${KUBE_ROOT}/cluster/lib/util.sh" +source "${KUBE_ROOT}/hack/lib/util.sh" echo -e "${color_red}WARNING${color_norm}: The bash deployment for AWS is obsolete. The" >&2 echo -e "v1.5.x releases are the last to support cluster/kube-up.sh with AWS." >&2 diff --git a/cluster/common.sh b/cluster/common.sh index b43b4adc73..f0773be208 100755 --- a/cluster/common.sh +++ b/cluster/common.sh @@ -24,7 +24,7 @@ KUBE_ROOT=$(cd $(dirname "${BASH_SOURCE}")/.. && pwd) DEFAULT_KUBECONFIG="${HOME}/.kube/config" -source "${KUBE_ROOT}/cluster/lib/util.sh" +source "${KUBE_ROOT}/hack/lib/util.sh" source "${KUBE_ROOT}/cluster/lib/logging.sh" # KUBE_RELEASE_VERSION_REGEX matches things like "v1.2.3" or "v1.2.3-alpha.4" # @@ -308,17 +308,6 @@ function load-or-gen-kube-bearertoken() { fi } -# Create a temp dir that'll be deleted at the end of this bash session. -# -# Vars set: -# KUBE_TEMP -function ensure-temp-dir { - if [[ -z ${KUBE_TEMP-} ]]; then - export KUBE_TEMP=$(mktemp -d -t kubernetes.XXXXXX) - trap 'rm -rf "${KUBE_TEMP}"' EXIT - fi -} - # Get the master IP for the current-context in kubeconfig if one exists. # # Assumed vars: 
@@ -896,38 +885,6 @@ function sha1sum-file() { fi } -# Downloads cfssl into $1 directory -# -# Assumed vars: -# $1 (cfssl directory) -# -function download-cfssl { - mkdir -p "$1" - pushd "$1" - - kernel=$(uname -s) - case "${kernel}" in - Linux) - curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 - curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 - ;; - Darwin) - curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64 - curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64 - ;; - *) - echo "Unknown, unsupported platform: ${kernel}." >&2 - echo "Supported platforms: Linux, Darwin." >&2 - exit 2 - esac - - chmod +x cfssl - chmod +x cfssljson - - popd -} - - # Create certificate pairs for the cluster. # $1: The public IP for the master. # @@ -1018,12 +975,12 @@ function generate-certs { ./easyrsa --subject-alt-name="${SANS}" build-server-full "${MASTER_NAME}" nopass ./easyrsa build-client-full kube-apiserver nopass - download-cfssl "${KUBE_TEMP}/cfssl" + kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl" # make the config for the signer echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","client auth"]}}}' > "ca-config.json" # create the kubelet client cert with the correct groups - echo '{"CN":"kubelet","names":[{"O":"system:nodes"}],"hosts":[""],"key":{"algo":"rsa","size":2048}}' | "${KUBE_TEMP}/cfssl/cfssl" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${KUBE_TEMP}/cfssl/cfssljson" -bare kubelet + echo '{"CN":"kubelet","names":[{"O":"system:nodes"}],"hosts":[""],"key":{"algo":"rsa","size":2048}}' | "${CFSSL_BIN}" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${CFSSLJSON_BIN}" -bare kubelet mv "kubelet-key.pem" "pki/private/kubelet.key" mv "kubelet.pem" "pki/issued/kubelet.crt" rm -f "kubelet.csr" 
@@ -1067,10 +1024,7 @@ function generate-etcd-cert() { mkdir -p "${cert_dir}" pushd "${cert_dir}" - if [ ! -x cfssl ] || [ ! -x cfssljson ]; then - echo "Download cfssl & cfssljson ..." - download-cfssl . - fi + kube::util::ensure-cfssl . if [ ! -r "ca-config.json" ]; then cat >ca-config.json <&2 diff --git a/cluster/gce/upgrade.sh b/cluster/gce/upgrade.sh index 0013af1f28..4425e99c53 100755 --- a/cluster/gce/upgrade.sh +++ b/cluster/gce/upgrade.sh @@ -28,6 +28,7 @@ if [[ "${KUBERNETES_PROVIDER:-gce}" != "gce" ]]; then fi KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../.. +source "${KUBE_ROOT}/hack/lib/util.sh" source "${KUBE_ROOT}/cluster/kube-util.sh" function usage() { @@ -130,7 +131,7 @@ function backfile-kubeletauth-certs() { echo "${CA_KEY_BASE64}" | base64 -d > "${KUBE_TEMP}/pki/ca.key" echo "${CA_CERT_BASE64}" | base64 -d > "${KUBE_TEMP}/pki/ca.crt" (cd "${KUBE_TEMP}/pki" - download-cfssl "${KUBE_TEMP}/cfssl" + kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl" cat < ca-config.json { "signing": { @@ -149,13 +150,13 @@ EOF # subpaths required for the apiserver to hit proxy # endpoints on the kubelet's handler. cat < function kube-up() { - ensure-temp-dir + kube::util::ensure-temp-dir detect-project load-or-gen-kube-basicauth @@ -1620,7 +1620,7 @@ function prepare-push() { OUTPUT=${KUBE_ROOT}/_output/logs mkdir -p ${OUTPUT} - ensure-temp-dir + kube::util::ensure-temp-dir detect-project detect-master detect-node-names diff --git a/cluster/gke/util.sh b/cluster/gke/util.sh index ecdd36bd1b..95f91efb4c 100755 --- a/cluster/gke/util.sh +++ b/cluster/gke/util.sh @@ -22,7 +22,7 @@ KUBE_PROMPT_FOR_UPDATE=${KUBE_PROMPT_FOR_UPDATE:-"n"} KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../.. source "${KUBE_ROOT}/cluster/gke/${KUBE_CONFIG_FILE:-config-default.sh}" source "${KUBE_ROOT}/cluster/common.sh" -source "${KUBE_ROOT}/cluster/lib/util.sh" +source "${KUBE_ROOT}/hack/lib/util.sh" function with-retry() { local retry_limit=$1 
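Review bot: Passing `.` in `generate-etcd-cert` leaves a relative path in a global: after a download, `kube::util::ensure-cfssl` sets `CFSSL_BIN="${cfssldir}/cfssl"`, i.e. `./cfssl`, which only resolves while the shell is still inside `${cert_dir}`. Resolving the directory inside the helper avoids this, e.g. `cfssldir=$(cd "${cfssldir}" && pwd)` right after its `mkdir -p`. The removed `-x` guard also means the helper re-downloads on every call when the tools are not on PATH, since it only checks PATH and never looks for existing files in the target directory. When the tools are on PATH nothing is placed in `${cert_dir}`, so any later `./cfssl` call in this function would have to become `"${CFSSL_BIN}"`; the function body continues outside the hunk and the hunk text is damaged on this page, so that needs confirming against the file.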
diff --git a/cluster/lib/util.sh b/cluster/lib/util.sh deleted file mode 100644 index 7082fb7ce2..0000000000 --- a/cluster/lib/util.sh +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/bash - -# Copyright 2015 The Kubernetes Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Wait for background jobs to finish. Return with -# an error status if any of the jobs failed. -kube::util::wait-for-jobs() { - local fail=0 - local job - for job in $(jobs -p); do - wait "${job}" || fail=$((fail + 1)) - done - return ${fail} -} - -# kube::util::join -# Concatenates the list elements with the delimiter passed as first parameter -# -# Ex: kube::util::join , a b c -# -> a,b,c -function kube::util::join { - local IFS="$1" - shift - echo "$*" -} - -# Some useful colors. -if [[ -z "${color_start-}" ]]; then - declare -r color_start="\033[" - declare -r color_red="${color_start}0;31m" - declare -r color_yellow="${color_start}0;33m" - declare -r color_green="${color_start}0;32m" - declare -r color_norm="${color_start}0m" -fi diff --git a/cluster/photon-controller/util.sh b/cluster/photon-controller/util.sh index bc9d0b572a..0b05cac9cd 100755 --- a/cluster/photon-controller/util.sh +++ b/cluster/photon-controller/util.sh @@ -156,7 +156,7 @@ function kube-up { verify-prereqs verify-ssh-prereqs verify-photon-config - ensure-temp-dir + kube::util::ensure-temp-dir find-release-tars find-image-id diff --git a/cluster/vagrant/util.sh b/cluster/vagrant/util.sh index 0b4be7fd84..64efdfddda 100755 
--- a/cluster/vagrant/util.sh +++ b/cluster/vagrant/util.sh @@ -106,7 +106,7 @@ function verify-prereqs { # Create a set of provision scripts for the master and each of the nodes function create-provision-scripts { - ensure-temp-dir + kube::util::ensure-temp-dir ( echo "#! /bin/bash" diff --git a/cluster/validate-cluster.sh b/cluster/validate-cluster.sh index d696178a5d..a94587bb65 100755 --- a/cluster/validate-cluster.sh +++ b/cluster/validate-cluster.sh @@ -30,7 +30,7 @@ if [ -f "${KUBE_ROOT}/cluster/env.sh" ]; then source "${KUBE_ROOT}/cluster/env.sh" fi -source "${KUBE_ROOT}/cluster/lib/util.sh" +source "${KUBE_ROOT}/hack/lib/util.sh" source "${KUBE_ROOT}/cluster/kube-util.sh" # Run kubectl and retry upon failure. diff --git a/federation/cluster/common.sh b/federation/cluster/common.sh index e62e8a7d36..ff355d6d5b 100644 --- a/federation/cluster/common.sh +++ b/federation/cluster/common.sh @@ -250,7 +250,7 @@ function create-federation-api-objects { done # Create server certificates. - ensure-temp-dir + kube::util::ensure-temp-dir echo "Creating federation apiserver certs for federation api host: ${FEDERATION_API_HOST} ( is this a dns name?: ${IS_DNS_NAME} )" MASTER_NAME="federation-apiserver" create-federation-apiserver-certs ${FEDERATION_API_HOST} export FEDERATION_APISERVER_CA_CERT_BASE64="${FEDERATION_APISERVER_CA_CERT_BASE64}" diff --git a/hack/lib/init.sh b/hack/lib/init.sh index a07f6f2e12..4eadc166b2 100644 --- a/hack/lib/init.sh +++ b/hack/lib/init.sh @@ -37,7 +37,6 @@ export no_proxy=127.0.0.1,localhost THIS_PLATFORM_BIN="${KUBE_ROOT}/_output/bin" source "${KUBE_ROOT}/hack/lib/util.sh" -source "${KUBE_ROOT}/cluster/lib/util.sh" source "${KUBE_ROOT}/cluster/lib/logging.sh" kube::log::install_errexit diff --git a/hack/lib/util.sh b/hack/lib/util.sh index 6a0386a341..f2af8e62ff 100755 --- a/hack/lib/util.sh +++ b/hack/lib/util.sh 
@@ -537,20 +537,6 @@ kube::util::download_file() { return 1 } -# Test whether cfssl and cfssljson are installed. -# Sets: -# CFSSL_BIN: The path of the installed cfssl binary -# CFSSLJSON_BIN: The path of the installed cfssljson binary -function kube::util::test_cfssl_installed { - if ! command -v cfssl &>/dev/null || ! command -v cfssljson &>/dev/null; then - echo "Failed to successfully run 'cfssl', please verify that cfssl and cfssljson are in \$PATH." - echo "Hint: export PATH=\$PATH:\$GOPATH/bin; go get -u github.com/cloudflare/cfssl/cmd/..." - exit 1 - fi - CFSSL_BIN=$(command -v cfssl) - CFSSLJSON_BIN=$(command -v cfssljson) -} - # Test whether openssl is installed. # Sets: # OPENSSL_BIN: The path to the openssl binary to use 
@@ -694,6 +680,91 @@ EOF fi } +# Wait for background jobs to finish. Return with +# an error status if any of the jobs failed. +kube::util::wait-for-jobs() { + local fail=0 + local job + for job in $(jobs -p); do + wait "${job}" || fail=$((fail + 1)) + done + return ${fail} +} +# kube::util::join +# Concatenates the list elements with the delimiter passed as first parameter +# +# Ex: kube::util::join , a b c +# -> a,b,c +function kube::util::join { + local IFS="$1" + shift + echo "$*" +} + +# Downloads cfssl/cfssljson into $1 directory if they do not already exist in PATH +# +# Assumed vars: +# $1 (cfssl directory) (optional) +# +# Sets: +# CFSSL_BIN: The path of the installed cfssl binary +# CFSSLJSON_BIN: The path of the installed cfssljson binary +# +function kube::util::ensure-cfssl { + if command -v cfssl &>/dev/null && command -v cfssljson &>/dev/null; then + CFSSL_BIN=$(command -v cfssl) + CFSSLJSON_BIN=$(command -v cfssljson) + return 0 + fi + + # Create a temp dir for cfssl if no directory was given + local cfssldir=${1:-} + if [[ -z "${cfssldir}" ]]; then + kube::util::ensure-temp-dir + cfssldir="${KUBE_TEMP}/cfssl" + fi + + mkdir -p "${cfssldir}" + pushd "${cfssldir}" > /dev/null + + echo "Unable to successfully run 'cfssl' from $PATH; downloading instead..." + kernel=$(uname -s) + case "${kernel}" in + Linux) + curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 + curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 + ;; + Darwin) + curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64 + curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64 + ;; + *) + echo "Unknown, unsupported platform: ${kernel}." >&2 + echo "Supported platforms: Linux, Darwin." >&2 + exit 2 + esac + + chmod +x cfssl || true + chmod +x cfssljson || true + + CFSSL_BIN="${cfssldir}/cfssl" + CFSSLJSON_BIN="${cfssldir}/cfssljson" + if [[ ! -x ${CFSSL_BIN} || ! -x ${CFSSLJSON_BIN} ]]; then + echo "Failed to download 'cfssl'. 
Please install cfssl and cfssljson and verify they are in \$PATH." + echo "Hint: export PATH=\$PATH:\$GOPATH/bin; go get -u github.com/cloudflare/cfssl/cmd/..." + exit 1 + fi + popd > /dev/null +} + +# Some useful colors. +if [[ -z "${color_start-}" ]]; then + declare -r color_start="\033[" + declare -r color_red="${color_start}0;31m" + declare -r color_yellow="${color_start}0;33m" + declare -r color_green="${color_start}0;32m" + declare -r color_norm="${color_start}0m" +fi # ex: ts=2 sw=2 et filetype=sh diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh index d5a433e505..f497633d4b 100755 --- a/hack/local-up-cluster.sh +++ b/hack/local-up-cluster.sh @@ -805,7 +805,7 @@ if [[ "${START_MODE}" != "kubeletonly" ]]; then fi kube::util::test_openssl_installed -kube::util::test_cfssl_installed +kube::util::ensure-cfssl ### IF the user didn't supply an output/ for the build... Then we detect. if [ "$GO_OUT" == "" ]; then diff --git a/hack/make-rules/verify.sh b/hack/make-rules/verify.sh index 4c91ffddbe..eeff8c78a0 100755 --- a/hack/make-rules/verify.sh +++ b/hack/make-rules/verify.sh @@ -19,7 +19,7 @@ set -o nounset set -o pipefail KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../.. -source "${KUBE_ROOT}/cluster/lib/util.sh" +source "${KUBE_ROOT}/hack/lib/util.sh" # Excluded checks are always skipped. EXCLUDED_CHECKS=( diff --git a/hack/update-all.sh b/hack/update-all.sh index 7e4d130655..ab70a809bf 100755 --- a/hack/update-all.sh +++ b/hack/update-all.sh @@ -22,7 +22,6 @@ set -o pipefail KUBE_ROOT=$(dirname "${BASH_SOURCE}")/.. source "${KUBE_ROOT}/hack/lib/init.sh" source "${KUBE_ROOT}/hack/lib/util.sh" -source "${KUBE_ROOT}/cluster/lib/util.sh" SILENT=true ALL=false diff --git a/staging/src/k8s.io/kube-aggregator/hack/local-up-kube-aggregator.sh b/staging/src/k8s.io/kube-aggregator/hack/local-up-kube-aggregator.sh index 3be9dfc0a1..f060e22d0a 100755 --- a/staging/src/k8s.io/kube-aggregator/hack/local-up-kube-aggregator.sh 
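Review bot: `kube::util::ensure-cfssl` marks the two downloaded files executable and hands them to callers without checking what was fetched: the `curl -s -L` lines have no `-f`, so an HTTP error body is saved as `cfssl`, and nothing compares the files with a digest pinned in the repository. The closing `-x` test only shows that `chmod` ran, and `chmod +x cfssl || true` hides even that failure. The result is then given the cluster CA key in `generate-certs` and `backfile-kubeletauth-certs`, and `hack/local-up-cluster.sh` and `local-up-kube-aggregator.sh` now download silently where `kube::util::test_cfssl_installed` used to stop with an error. I would fail on download errors, verify a pinned SHA-256 before `chmod`, and declare `kernel` local. The digest lookup below is a placeholder for wherever the pinned values are kept.

```shell
  # … unchanged: PATH lookup, cfssldir selection, mkdir -p / pushd, "downloading instead" message …
  local kernel platform tool expected actual
  kernel=$(uname -s)
  case "${kernel}" in
    Linux) platform="linux-amd64" ;;
    Darwin) platform="darwin-amd64" ;;
    # … unchanged: unsupported-platform branch (exit 2) …
  esac

  for tool in cfssl cfssljson; do
    # -f turns an HTTP error into a failure instead of saving the error page.
    if ! curl -fsSL -o "${tool}" "https://pkg.cfssl.org/R1.2/${tool}_${platform}"; then
      echo "Failed to download '${tool}'." >&2
      exit 1
    fi
    # PLACEHOLDER: the SHA-256 pinned in the repo for ${tool}_${platform}.
    expected="<pinned-sha256-placeholder>"
    # shasum ships with macOS and most Linux hosts; use sha256sum where it does not.
    actual=$(shasum -a 256 "${tool}" | awk '{print $1}')
    if [[ "${actual}" != "${expected}" ]]; then
      echo "Checksum mismatch for '${tool}'; refusing to use it." >&2
      rm -f "${tool}"
      exit 1
    fi
    chmod +x "${tool}"
  done
  # … unchanged: CFSSL_BIN / CFSSLJSON_BIN assignment, -x check, popd …
```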
+++ b/staging/src/k8s.io/kube-aggregator/hack/local-up-kube-aggregator.sh @@ -86,7 +86,7 @@ function start_kube-aggregator { } kube::util::test_openssl_installed -kube::util::test_cfssl_installed +kube::util::ensure-cfssl start_kube-aggregator diff --git a/test/kubemark/start-kubemark.sh b/test/kubemark/start-kubemark.sh index e1615b8803..bce8d3dc31 100755 --- a/test/kubemark/start-kubemark.sh +++ b/test/kubemark/start-kubemark.sh @@ -74,7 +74,7 @@ EOF # Generate certs/keys for CA, master, kubelet and kubecfg, and tokens for kubelet # and kubeproxy. function generate-pki-config { - ensure-temp-dir + kube::util::ensure-temp-dir gen-kube-bearertoken gen-kube-basicauth create-certs ${MASTER_IP}