Limit access to core/api/v1 inside of client-go

cmd/importverifier/importverifier.go

@@ -57,6 +57,8 @@ type ImportRestriction struct {
 	// given as paths that would be used in a Go
 	// import statement
 	AllowedImports []string `yaml:"allowedImports"`
+	// ExcludeTests will skip checking test dependencies.
+	ExcludeTests bool `yaml:"excludeTests"`
 }
 
 // ForbiddenImportsFor determines all of the forbidden
@@ -120,7 +122,11 @@ func isPathUnder(base, path string) (bool, error) {
 // and returns a deduplicated list of them
 func (i *ImportRestriction) forbiddenImportsFor(pkg Package) []string {
 	forbiddenImportSet := map[string]struct{}{}
-	for _, imp := range append(pkg.Imports, append(pkg.TestImports, pkg.XTestImports...)...) {
+	imports := pkg.Imports
+	if !i.ExcludeTests {
+		imports = append(imports, append(pkg.TestImports, pkg.XTestImports...)...)
+	}
+	for _, imp := range imports {
 		path := extractVendorPath(imp)
 		if i.isForbidden(path) {
 			forbiddenImportSet[path] = struct{}{}

hack/import-restrictions.yaml

@@ -45,6 +45,28 @@
   - k8s.io/apimachinery
   - k8s.io/client-go
 
+# prevent core machinery from taking explicit v1 references unless
+# necessary
+- baseImportPath: "./vendor/k8s.io/client-go/rest/"
+  excludeTests: true
+  allowedImports:
+  - k8s.io/apimachinery
+  - k8s.io/client-go
+- baseImportPath: "./vendor/k8s.io/client-go/tools/"
+  excludeTests: true
+  ignoredSubTrees:
+  - "./vendor/k8s.io/client-go/tools/bootstrap/token/api"
+  - "./vendor/k8s.io/client-go/tools/cache/testing"
+  - "./vendor/k8s.io/client-go/tools/leaderelection/resourcelock"
+  - "./vendor/k8s.io/client-go/tools/portforward"
+  - "./vendor/k8s.io/client-go/tools/record"
+  - "./vendor/k8s.io/client-go/tools/reference"
+  - "./vendor/k8s.io/client-go/tools/remotecommand"
+  allowedImports:
+  - k8s.io/apimachinery
+  - k8s.io/client-go
+
+
 - baseImportPath: "./vendor/k8s.io/apiserver/"
   allowedImports:
   - k8s.io/api