Merge branch 'master' into correct-deprecation-errors

2017-05-19 08:55:17 -07:00
parent 2acc5f18b5 3c1c926883
commit acfdafb1fb
110 changed files with 2356 additions and 103 deletions
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -2,6 +2,12 @@
 **Is this a request for help?** (If yes, you should use our troubleshooting guide and community support channels, see http://kubernetes.io/docs/troubleshooting/.):
 **Note:** Please file issues for subcomponents under the appropriate repo
 | Component | Repo                                                               |
 | --------- | ------------------------------------------------------------------ |
 | kubectl   | [kubernetes/kubectl](https://github.com/kubernetes/kubectl/issues/new) |
 | kubeadm   | [kubernetes/kubeadm](https://github.com/kubernetes/kubeadm/issues/new) |
 **What keywords did you search in Kubernetes issues before filing this one?** (If you have found any duplicates, you should instead reply there.):
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -1203,14 +1203,14 @@ function create-cluster-autoscaler-mig-config() {
  # Each MIG must have at least one node, so the min number of nodes
  # must be greater or equal to the number of migs.
-  if [[ ${AUTOSCALER_MIN_NODES} < ${NUM_MIGS} ]]; then
+  if [[ ${AUTOSCALER_MIN_NODES} -lt ${NUM_MIGS} ]]; then
    echo "AUTOSCALER_MIN_NODES must be greater or equal ${NUM_MIGS}"
    exit 2
  fi
  # Each MIG must have at least one node, so the min number of nodes
  # must be greater or equal to the number of migs.
-  if [[ ${AUTOSCALER_MAX_NODES} < ${NUM_MIGS} ]]; then
+  if [[ ${AUTOSCALER_MAX_NODES} -lt ${NUM_MIGS} ]]; then
    echo "AUTOSCALER_MAX_NODES must be greater or equal ${NUM_MIGS}"
    exit 2
  fi
--- a/cmd/cloud-controller-manager/app/controllermanager.go
+++ b/cmd/cloud-controller-manager/app/controllermanager.go
@@ -199,6 +199,12 @@ func StartControllers(s *options.CloudControllerManagerServer, kubeconfig *restc
 	client := func(serviceAccountName string) clientset.Interface {
 		return rootClientBuilder.ClientOrDie(serviceAccountName)
 	}
 	if cloud != nil {
 		// Initialize the cloud provider with a reference to the clientBuilder
 		cloud.Initialize(clientBuilder)
 	}
 	versionedClient := client("shared-informers")
 	sharedInformers := informers.NewSharedInformerFactory(versionedClient, resyncPeriod(s)())
--- a/cmd/kube-apiserver/app/BUILD
+++ b/cmd/kube-apiserver/app/BUILD
@@ -54,6 +54,7 @@ go_library(
        "//plugin/pkg/admission/namespace/autoprovision:go_default_library",
        "//plugin/pkg/admission/namespace/exists:go_default_library",
        "//plugin/pkg/admission/namespace/lifecycle:go_default_library",
        "//plugin/pkg/admission/noderestriction:go_default_library",
        "//plugin/pkg/admission/persistentvolume/label:go_default_library",
        "//plugin/pkg/admission/podnodeselector:go_default_library",
        "//plugin/pkg/admission/podpreset:go_default_library",
--- a/cmd/kube-apiserver/app/plugins.go
+++ b/cmd/kube-apiserver/app/plugins.go
@@ -37,6 +37,7 @@ import (
 	_ "k8s.io/kubernetes/plugin/pkg/admission/namespace/autoprovision"
 	_ "k8s.io/kubernetes/plugin/pkg/admission/namespace/exists"
 	_ "k8s.io/kubernetes/plugin/pkg/admission/namespace/lifecycle"
 	_ "k8s.io/kubernetes/plugin/pkg/admission/noderestriction"
 	_ "k8s.io/kubernetes/plugin/pkg/admission/persistentvolume/label"
 	_ "k8s.io/kubernetes/plugin/pkg/admission/podnodeselector"
 	_ "k8s.io/kubernetes/plugin/pkg/admission/podpreset"
--- a/cmd/kube-controller-manager/app/controllermanager.go
+++ b/cmd/kube-controller-manager/app/controllermanager.go
@@ -451,6 +451,11 @@ func StartControllers(controllers map[string]InitFunc, s *options.CMServer, root
 		return fmt.Errorf("cloud provider could not be initialized: %v", err)
 	}
 	if cloud != nil {
 		// Initialize the cloud provider with a reference to the clientBuilder
 		cloud.Initialize(clientBuilder)
 	}
 	if ctx.IsControllerEnabled(nodeControllerName) {
 		_, clusterCIDR, err := net.ParseCIDR(s.ClusterCIDR)
 		if err != nil {
--- a/cmd/libs/go2idl/client-gen/BUILD
+++ b/cmd/libs/go2idl/client-gen/BUILD
@@ -41,6 +41,7 @@ filegroup(
        ":package-srcs",
        "//cmd/libs/go2idl/client-gen/args:all-srcs",
        "//cmd/libs/go2idl/client-gen/generators:all-srcs",
        "//cmd/libs/go2idl/client-gen/path:all-srcs",
        "//cmd/libs/go2idl/client-gen/test_apis/testgroup:all-srcs",
        "//cmd/libs/go2idl/client-gen/testoutput/clientset_generated/test_internalclientset:all-srcs",
        "//cmd/libs/go2idl/client-gen/types:all-srcs",
--- a/cmd/libs/go2idl/client-gen/generators/BUILD
+++ b/cmd/libs/go2idl/client-gen/generators/BUILD
@@ -22,6 +22,7 @@ go_library(
        "//cmd/libs/go2idl/client-gen/args:go_default_library",
        "//cmd/libs/go2idl/client-gen/generators/fake:go_default_library",
        "//cmd/libs/go2idl/client-gen/generators/scheme:go_default_library",
        "//cmd/libs/go2idl/client-gen/path:go_default_library",
        "//cmd/libs/go2idl/client-gen/types:go_default_library",
        "//vendor/github.com/golang/glog:go_default_library",
        "//vendor/k8s.io/gengo/args:go_default_library",
--- a/cmd/libs/go2idl/client-gen/generators/client_generator.go
+++ b/cmd/libs/go2idl/client-gen/generators/client_generator.go
@@ -29,6 +29,7 @@ import (
 	clientgenargs "k8s.io/kubernetes/cmd/libs/go2idl/client-gen/args"
 	"k8s.io/kubernetes/cmd/libs/go2idl/client-gen/generators/fake"
 	"k8s.io/kubernetes/cmd/libs/go2idl/client-gen/generators/scheme"
 	"k8s.io/kubernetes/cmd/libs/go2idl/client-gen/path"
 	clientgentypes "k8s.io/kubernetes/cmd/libs/go2idl/client-gen/types"
 	"github.com/golang/glog"
@@ -275,7 +276,8 @@ func Packages(context *generator.Context, arguments *args.GeneratorArgs) generat
 	gvToTypes := map[clientgentypes.GroupVersion][]*types.Type{}
 	for gv, inputDir := range customArgs.GroupVersionToInputPath {
-		p := context.Universe.Package(inputDir)
+		// Package are indexed with the vendor prefix stripped
 		p := context.Universe.Package(path.Vendorless(inputDir))
 		for n, t := range p.Types {
 			// filter out types which are not included in user specified overrides.
 			typesOverride, ok := includedTypesOverrides[gv]
--- a/cmd/libs/go2idl/client-gen/generators/fake/BUILD
+++ b/cmd/libs/go2idl/client-gen/generators/fake/BUILD
@@ -19,6 +19,7 @@ go_library(
    deps = [
        "//cmd/libs/go2idl/client-gen/args:go_default_library",
        "//cmd/libs/go2idl/client-gen/generators/scheme:go_default_library",
        "//cmd/libs/go2idl/client-gen/path:go_default_library",
        "//cmd/libs/go2idl/client-gen/types:go_default_library",
        "//vendor/github.com/golang/glog:go_default_library",
        "//vendor/k8s.io/gengo/generator:go_default_library",
--- a/cmd/libs/go2idl/client-gen/generators/fake/generator_fake_for_type.go
+++ b/cmd/libs/go2idl/client-gen/generators/fake/generator_fake_for_type.go
@@ -24,6 +24,7 @@ import (
 	"k8s.io/gengo/generator"
 	"k8s.io/gengo/namer"
 	"k8s.io/gengo/types"
 	"k8s.io/kubernetes/cmd/libs/go2idl/client-gen/path"
 )
 // genFakeForType produces a file for each top-level type.
@@ -99,7 +100,7 @@ func (g *genFakeForType) GenerateType(c *generator.Context, t *types.Type, w io.
 	}
 	// allow user to define a group name that's different from the one parsed from the directory.
-	p := c.Universe.Package(g.inputPackage)
+	p := c.Universe.Package(path.Vendorless(g.inputPackage))
 	if override := types.ExtractCommentTags("+", p.DocComments)["groupName"]; override != nil {
 		groupName = override[0]
 	}
--- a/cmd/libs/go2idl/client-gen/generators/generator_for_group.go
+++ b/cmd/libs/go2idl/client-gen/generators/generator_for_group.go
@@ -23,6 +23,7 @@ import (
 	"k8s.io/gengo/generator"
 	"k8s.io/gengo/namer"
 	"k8s.io/gengo/types"
 	"k8s.io/kubernetes/cmd/libs/go2idl/client-gen/path"
 )
 // genGroup produces a file for a group client, e.g. ExtensionsClient for the extension group.
@@ -76,7 +77,7 @@ func (g *genGroup) GenerateType(c *generator.Context, t *types.Type, w io.Writer
 		groupName = ""
 	}
 	// allow user to define a group name that's different from the one parsed from the directory.
-	p := c.Universe.Package(g.inputPackage)
+	p := c.Universe.Package(path.Vendorless(g.inputPackage))
 	if override := types.ExtractCommentTags("+", p.DocComments)["groupName"]; override != nil {
 		groupName = override[0]
 	}
@@ -95,7 +96,7 @@ func (g *genGroup) GenerateType(c *generator.Context, t *types.Type, w io.Writer
 		"restDefaultKubernetesUserAgent": c.Universe.Function(types.Name{Package: "k8s.io/client-go/rest", Name: "DefaultKubernetesUserAgent"}),
 		"restRESTClientInterface":        c.Universe.Type(types.Name{Package: "k8s.io/client-go/rest", Name: "Interface"}),
 		"restRESTClientFor":              c.Universe.Function(types.Name{Package: "k8s.io/client-go/rest", Name: "RESTClientFor"}),
-		"SchemeGroupVersion":             c.Universe.Variable(types.Name{Package: g.inputPackage, Name: "SchemeGroupVersion"}),
+		"SchemeGroupVersion":             c.Universe.Variable(types.Name{Package: path.Vendorless(g.inputPackage), Name: "SchemeGroupVersion"}),
 	}
 	sw.Do(groupInterfaceTemplate, m)
 	sw.Do(groupClientTemplate, m)
--- a/cmd/libs/go2idl/client-gen/generators/scheme/BUILD
+++ b/cmd/libs/go2idl/client-gen/generators/scheme/BUILD
@@ -12,6 +12,7 @@ go_library(
    srcs = ["generator_for_scheme.go"],
    tags = ["automanaged"],
    deps = [
        "//cmd/libs/go2idl/client-gen/path:go_default_library",
        "//cmd/libs/go2idl/client-gen/types:go_default_library",
        "//vendor/k8s.io/gengo/generator:go_default_library",
        "//vendor/k8s.io/gengo/namer:go_default_library",
--- a/cmd/libs/go2idl/client-gen/generators/scheme/generator_for_scheme.go
+++ b/cmd/libs/go2idl/client-gen/generators/scheme/generator_for_scheme.go
@@ -26,6 +26,7 @@ import (
 	"k8s.io/gengo/generator"
 	"k8s.io/gengo/namer"
 	"k8s.io/gengo/types"
 	"k8s.io/kubernetes/cmd/libs/go2idl/client-gen/path"
 	clientgentypes "k8s.io/kubernetes/cmd/libs/go2idl/client-gen/types"
 )
@@ -66,10 +67,10 @@ func (g *GenScheme) Imports(c *generator.Context) (imports []string) {
 					packagePath = filepath.Dir(packagePath)
 				}
 				packagePath = filepath.Join(packagePath, "install")
-				imports = append(imports, strings.ToLower(fmt.Sprintf("%s \"%s\"", group.Group.NonEmpty(), packagePath)))
+				imports = append(imports, strings.ToLower(fmt.Sprintf("%s \"%s\"", group.Group.NonEmpty(), path.Vendorless(packagePath))))
 				break
 			} else {
-				imports = append(imports, strings.ToLower(fmt.Sprintf("%s%s \"%s\"", group.Group.NonEmpty(), version.NonEmpty(), packagePath)))
+				imports = append(imports, strings.ToLower(fmt.Sprintf("%s%s \"%s\"", group.Group.NonEmpty(), version.NonEmpty(), path.Vendorless(packagePath))))
 			}
 		}
 	}
--- a/cmd/libs/go2idl/client-gen/path/BUILD
+++ b/cmd/libs/go2idl/client-gen/path/BUILD
@@ -0,0 +1,27 @@
 package(default_visibility = ["//visibility:public"])
 licenses(["notice"])
 load(
    "@io_bazel_rules_go//go:def.bzl",
    "go_library",
 )
 go_library(
    name = "go_default_library",
    srcs = ["path.go"],
    tags = ["automanaged"],
 )
 filegroup(
    name = "package-srcs",
    srcs = glob(["**"]),
    tags = ["automanaged"],
    visibility = ["//visibility:private"],
 )
 filegroup(
    name = "all-srcs",
    srcs = [":package-srcs"],
    tags = ["automanaged"],
 )
--- a/cmd/libs/go2idl/client-gen/path/path.go
+++ b/cmd/libs/go2idl/client-gen/path/path.go
@@ -0,0 +1,31 @@
 /*
 Copyright 2017 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package path
 import "strings"
 // Vendorless removes the longest match of "*/vendor/" from the front of p.
 // It is useful if a package locates in vendor/, e.g.,
 // k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/apis/meta/v1, because gengo
 // indexes the package with its import path, e.g.,
 // k8s.io/apimachinery/pkg/apis/meta/v1,
 func Vendorless(p string) string {
 	if pos := strings.LastIndex(p, "/vendor/"); pos != -1 {
 		return p[pos+len("/vendor/"):]
 	}
 	return p
 }
--- a/federation/cluster/federation-down.sh
+++ b/federation/cluster/federation-down.sh
@@ -52,7 +52,8 @@ function unjoin_clusters() {
        "${context}" \
        --federation-system-namespace=${FEDERATION_NAMESPACE} \
        --context="${FEDERATION_KUBE_CONTEXT}" \
-        --host-cluster-context="${HOST_CLUSTER_CONTEXT}"
+        --host-cluster-context="${HOST_CLUSTER_CONTEXT}" \
        --v=4
  done
 }
--- a/federation/cluster/federation-up.sh
+++ b/federation/cluster/federation-up.sh
@@ -94,7 +94,8 @@ function init() {
      --apiserver-enable-basic-auth=true \
      --apiserver-enable-token-auth=true \
      --apiserver-arg-overrides="--v=4" \
-      --controllermanager-arg-overrides="--v=4"
+      --controllermanager-arg-overrides="--v=4" \
      --v=4
 }
 # join_clusters joins the clusters in the local kubeconfig to federation. The clusters
@@ -107,7 +108,8 @@ function join_clusters() {
        "${context}" \
        --federation-system-namespace=${FEDERATION_NAMESPACE} \
        --host-cluster-context="${HOST_CLUSTER_CONTEXT}" \
-        --context="${FEDERATION_KUBE_CONTEXT}"
+        --context="${FEDERATION_KUBE_CONTEXT}" \
        --v=4
  done
 }
--- a/federation/pkg/federation-controller/util/federated_updater.go
+++ b/federation/pkg/federation-controller/util/federated_updater.go
@@ -122,7 +122,7 @@ func (fu *federatedUpdaterImpl) Update(ops []FederatedOperation) error {
 				fu.recordEvent(op.Obj, eventType, "Deleting", eventArgs...)
 				err = fu.deleteFunction(clientset, op.Obj)
 				// IsNotFound error is fine since that means the object is deleted already.
-				if err != nil && !errors.IsNotFound(err) {
+				if errors.IsNotFound(err) {
 					err = nil
 				}
 			}
--- a/hack/.linted_packages
+++ b/hack/.linted_packages
@@ -26,6 +26,7 @@ cmd/kubectl
 cmd/kubelet
 cmd/libs/go2idl/client-gen
 cmd/libs/go2idl/client-gen/generators
 cmd/libs/go2idl/client-gen/path
 cmd/libs/go2idl/client-gen/test_apis/testgroup/install
 cmd/libs/go2idl/conversion-gen
 cmd/libs/go2idl/deepcopy-gen
@@ -86,6 +87,7 @@ pkg/apis/settings/install
 pkg/apis/settings/validation
 pkg/apis/storage/install
 pkg/apis/storage/validation
 pkg/auth/nodeidentifier
 pkg/bootstrap/api
 pkg/client/conditions
 pkg/client/informers/informers_generated/externalversions
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@@ -25,6 +25,7 @@ DOCKERIZE_KUBELET=${DOCKERIZE_KUBELET:-""}
 ALLOW_PRIVILEGED=${ALLOW_PRIVILEGED:-""}
 ALLOW_SECURITY_CONTEXT=${ALLOW_SECURITY_CONTEXT:-""}
 PSP_ADMISSION=${PSP_ADMISSION:-""}
 NODE_ADMISSION=${NODE_ADMISSION:-""}
 RUNTIME_CONFIG=${RUNTIME_CONFIG:-""}
 KUBELET_AUTHORIZATION_WEBHOOK=${KUBELET_AUTHORIZATION_WEBHOOK:-""}
 KUBELET_AUTHENTICATION_WEBHOOK=${KUBELET_AUTHENTICATION_WEBHOOK:-""}
@@ -388,6 +389,9 @@ function start_apiserver {
    if [[ -n "${PSP_ADMISSION}" ]]; then
      security_admission=",PodSecurityPolicy"
    fi
    if [[ -n "${NODE_ADMISSION}" ]]; then
      security_admission=",NodeRestriction"
    fi
    # Admission Controllers to invoke prior to persisting objects in cluster
    ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount${security_admission},ResourceQuota,DefaultStorageClass,DefaultTolerationSeconds
--- a/hack/verify-flags/known-flags.txt
+++ b/hack/verify-flags/known-flags.txt
@@ -85,7 +85,6 @@ cgroups-per-qos
 chaos-chance
 cidr-allocator-type
 clean-start
 cleanup
 cleanup-iptables
 client-ca-file
 client-certificate
@@ -273,7 +272,6 @@ federation-name
 federation-system-namespace
 federation-upgrade-target
 file-check-frequency
 file_content_in_loop
 file-suffix
 flex-volume-plugin-dir
 forward-services
@@ -302,7 +300,6 @@ google-json-key
 grace-period
 ha-domain
 hairpin-mode
 hard
 hard-pod-affinity-symmetric-weight
 healthz-bind-address
 healthz-port
@@ -563,7 +560,6 @@ pv-recycler-minimum-timeout-nfs
 pv-recycler-pod-template-filepath-hostpath
 pv-recycler-pod-template-filepath-nfs
 pv-recycler-timeout-increment-hostpath
 quiet
 read-only-port
 really-crash-for-testing
 reconcile-cidr
@@ -592,13 +588,11 @@ requestheader-username-headers
 required-contexts
 require-kubeconfig
 resolv-conf
 resource
 resource-container
 resource-name
 resource-quota-sync-period
 resource-version
 results-dir
 retry_time
 rkt-api-endpoint
 rkt-path
 rkt-stage1-image
@@ -617,7 +611,6 @@ schedule-pods-here
 scheduler-config
 scheduler-name
 schema-cache-dir
 scopes
 scrape-timeout
 seccomp-profile-root
 secondary-node-eviction-rate
@@ -668,7 +661,6 @@ storage-media-type
 storage-version
 storage-versions
 streaming-connection-idle-timeout
 subresource
 suicide-timeout
 sync-frequency
 system-cgroups
@@ -712,7 +704,6 @@ use-service-account-credentials
 user-whitelist
 use-service-account-credentials
 use-taint-based-evictions
 verb
 verify-only
 versioned-clientset-package
 viper-config
--- a/pkg/BUILD
+++ b/pkg/BUILD
@@ -31,6 +31,7 @@ filegroup(
        "//pkg/apis/settings:all-srcs",
        "//pkg/apis/storage:all-srcs",
        "//pkg/auth/authorizer/abac:all-srcs",
        "//pkg/auth/nodeidentifier:all-srcs",
        "//pkg/auth/user:all-srcs",
        "//pkg/bootstrap/api:all-srcs",
        "//pkg/capabilities:all-srcs",
--- a/pkg/api/pod/util.go
+++ b/pkg/api/pod/util.go
@@ -21,11 +21,14 @@ import (
 	"k8s.io/kubernetes/pkg/api"
 )
 // Visitor is called with each object name, and returns true if visiting should continue
 type Visitor func(name string) (shouldContinue bool)
 // VisitPodSecretNames invokes the visitor function with the name of every secret
 // referenced by the pod spec. If visitor returns false, visiting is short-circuited.
 // Transitive references (e.g. pod -> pvc -> pv -> secret) are not visited.
 // Returns true if visiting completed, false if visiting was short-circuited.
-func VisitPodSecretNames(pod *api.Pod, visitor func(string) bool) bool {
+func VisitPodSecretNames(pod *api.Pod, visitor Visitor) bool {
 	for _, reference := range pod.Spec.ImagePullSecrets {
 		if !visitor(reference.Name) {
 			return false
@@ -86,7 +89,7 @@ func VisitPodSecretNames(pod *api.Pod, visitor func(string) bool) bool {
 	return true
 }
-func visitContainerSecretNames(container *api.Container, visitor func(string) bool) bool {
+func visitContainerSecretNames(container *api.Container, visitor Visitor) bool {
 	for _, env := range container.EnvFrom {
 		if env.SecretRef != nil {
 			if !visitor(env.SecretRef.Name) {
@@ -104,6 +107,60 @@ func visitContainerSecretNames(container *api.Container, visitor func(string) bo
 	return true
 }
 // VisitPodConfigmapNames invokes the visitor function with the name of every configmap
 // referenced by the pod spec. If visitor returns false, visiting is short-circuited.
 // Transitive references (e.g. pod -> pvc -> pv -> secret) are not visited.
 // Returns true if visiting completed, false if visiting was short-circuited.
 func VisitPodConfigmapNames(pod *api.Pod, visitor Visitor) bool {
 	for i := range pod.Spec.InitContainers {
 		if !visitContainerConfigmapNames(&pod.Spec.InitContainers[i], visitor) {
 			return false
 		}
 	}
 	for i := range pod.Spec.Containers {
 		if !visitContainerConfigmapNames(&pod.Spec.Containers[i], visitor) {
 			return false
 		}
 	}
 	var source *api.VolumeSource
 	for i := range pod.Spec.Volumes {
 		source = &pod.Spec.Volumes[i].VolumeSource
 		switch {
 		case source.Projected != nil:
 			for j := range source.Projected.Sources {
 				if source.Projected.Sources[j].ConfigMap != nil {
 					if !visitor(source.Projected.Sources[j].ConfigMap.Name) {
 						return false
 					}
 				}
 			}
 		case source.ConfigMap != nil:
 			if !visitor(source.ConfigMap.Name) {
 				return false
 			}
 		}
 	}
 	return true
 }
 func visitContainerConfigmapNames(container *api.Container, visitor Visitor) bool {
 	for _, env := range container.EnvFrom {
 		if env.ConfigMapRef != nil {
 			if !visitor(env.ConfigMapRef.Name) {
 				return false
 			}
 		}
 	}
 	for _, envVar := range container.Env {
 		if envVar.ValueFrom != nil && envVar.ValueFrom.ConfigMapKeyRef != nil {
 			if !visitor(envVar.ValueFrom.ConfigMapKeyRef.Name) {
 				return false
 			}
 		}
 	}
 	return true
 }
 // IsPodReady returns true if a pod is ready; false otherwise.
 func IsPodReady(pod *api.Pod) bool {
 	return IsPodReadyConditionTrue(pod.Status)
--- a/pkg/api/v1/pod/util.go
+++ b/pkg/api/v1/pod/util.go
@@ -107,11 +107,14 @@ func SetInitContainersStatusesAnnotations(pod *v1.Pod) error {
 	return nil
 }
 // Visitor is called with each object name, and returns true if visiting should continue
 type Visitor func(name string) (shouldContinue bool)
 // VisitPodSecretNames invokes the visitor function with the name of every secret
 // referenced by the pod spec. If visitor returns false, visiting is short-circuited.
 // Transitive references (e.g. pod -> pvc -> pv -> secret) are not visited.
 // Returns true if visiting completed, false if visiting was short-circuited.
-func VisitPodSecretNames(pod *v1.Pod, visitor func(string) bool) bool {
+func VisitPodSecretNames(pod *v1.Pod, visitor Visitor) bool {
 	for _, reference := range pod.Spec.ImagePullSecrets {
 		if !visitor(reference.Name) {
 			return false
@@ -173,7 +176,7 @@ func VisitPodSecretNames(pod *v1.Pod, visitor func(string) bool) bool {
 	return true
 }
-func visitContainerSecretNames(container *v1.Container, visitor func(string) bool) bool {
+func visitContainerSecretNames(container *v1.Container, visitor Visitor) bool {
 	for _, env := range container.EnvFrom {
 		if env.SecretRef != nil {
 			if !visitor(env.SecretRef.Name) {
--- a/pkg/auth/nodeidentifier/BUILD
+++ b/pkg/auth/nodeidentifier/BUILD
@@ -0,0 +1,40 @@
 package(default_visibility = ["//visibility:public"])
 licenses(["notice"])
 load(
    "@io_bazel_rules_go//go:def.bzl",
    "go_library",
    "go_test",
 )
 go_library(
    name = "go_default_library",
    srcs = [
        "default.go",
        "interfaces.go",
    ],
    tags = ["automanaged"],
    deps = ["//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library"],
 )
 go_test(
    name = "go_default_test",
    srcs = ["default_test.go"],
    library = ":go_default_library",
    tags = ["automanaged"],
    deps = ["//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library"],
 )
 filegroup(
    name = "package-srcs",
    srcs = glob(["**"]),
    tags = ["automanaged"],
    visibility = ["//visibility:private"],
 )
 filegroup(
    name = "all-srcs",
    srcs = [":package-srcs"],
    tags = ["automanaged"],
 )
--- a/pkg/auth/nodeidentifier/default.go
+++ b/pkg/auth/nodeidentifier/default.go
@@ -0,0 +1,64 @@
 /*
 Copyright 2017 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package nodeidentifier
 import (
 	"strings"
 	"k8s.io/apiserver/pkg/authentication/user"
 )
 // NewDefaultNodeIdentifier returns a default NodeIdentifier implementation,
 // which returns isNode=true if the user groups contain the system:nodes group,
 // and populates nodeName if isNode is true, and the user name is in the format system:node:<nodeName>
 func NewDefaultNodeIdentifier() NodeIdentifier {
 	return defaultNodeIdentifier{}
 }
 // defaultNodeIdentifier implements NodeIdentifier
 type defaultNodeIdentifier struct{}
 // nodeUserNamePrefix is the prefix for usernames in the form `system:node:<nodeName>`
 const nodeUserNamePrefix = "system:node:"
 // NodeIdentity returns isNode=true if the user groups contain the system:nodes group,
 // and populates nodeName if isNode is true, and the user name is in the format system:node:<nodeName>
 func (defaultNodeIdentifier) NodeIdentity(u user.Info) (string, bool) {
 	// Make sure we're a node, and can parse the node name
 	if u == nil {
 		return "", false
 	}
 	isNode := false
 	for _, g := range u.GetGroups() {
 		if g == user.NodesGroup {
 			isNode = true
 			break
 		}
 	}
 	if !isNode {
 		return "", false
 	}
 	userName := u.GetName()
 	nodeName := ""
 	if strings.HasPrefix(userName, nodeUserNamePrefix) {
 		nodeName = strings.TrimPrefix(userName, nodeUserNamePrefix)
 	}
 	return nodeName, isNode
 }
--- a/pkg/auth/nodeidentifier/default_test.go
+++ b/pkg/auth/nodeidentifier/default_test.go
@@ -0,0 +1,68 @@
 /*
 Copyright 2017 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package nodeidentifier
 import (
 	"testing"
 	"k8s.io/apiserver/pkg/authentication/user"
 )
 func TestDefaultNodeIdentifier_NodeIdentity(t *testing.T) {
 	tests := []struct {
 		name           string
 		user           user.Info
 		expectNodeName string
 		expectIsNode   bool
 	}{
 		{
 			name:           "nil user",
 			user:           nil,
 			expectNodeName: "",
 			expectIsNode:   false,
 		},
 		{
 			name:           "node username without group",
 			user:           &user.DefaultInfo{Name: "system:node:foo"},
 			expectNodeName: "",
 			expectIsNode:   false,
 		},
 		{
 			name:           "node group without username",
 			user:           &user.DefaultInfo{Name: "foo", Groups: []string{"system:nodes"}},
 			expectNodeName: "",
 			expectIsNode:   true,
 		},
 		{
 			name:           "node group and username",
 			user:           &user.DefaultInfo{Name: "system:node:foo", Groups: []string{"system:nodes"}},
 			expectNodeName: "foo",
 			expectIsNode:   true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			nodeName, isNode := NewDefaultNodeIdentifier().NodeIdentity(tt.user)
 			if nodeName != tt.expectNodeName {
 				t.Errorf("DefaultNodeIdentifier.NodeIdentity() got = %v, want %v", nodeName, tt.expectNodeName)
 			}
 			if isNode != tt.expectIsNode {
 				t.Errorf("DefaultNodeIdentifier.NodeIdentity() got1 = %v, want %v", isNode, tt.expectIsNode)
 			}
 		})
 	}
 }
--- a/pkg/auth/nodeidentifier/interfaces.go
+++ b/pkg/auth/nodeidentifier/interfaces.go
@@ -0,0 +1,30 @@
 /*
 Copyright 2017 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package nodeidentifier
 import (
 	"k8s.io/apiserver/pkg/authentication/user"
 )
 // NodeIdentifier determines node information from a given user
 type NodeIdentifier interface {
 	// IdentifyNode determines node information from the given user.Info.
 	// nodeName is the name of the Node API object associated with the user.Info,
 	// and may be empty if a specific node cannot be determined.
 	// isNode is true if the user.Info represents an identity issued to a node.
 	NodeIdentity(user.Info) (nodeName string, isNode bool)
 }
--- a/pkg/cloudprovider/BUILD
+++ b/pkg/cloudprovider/BUILD
@@ -17,6 +17,7 @@ go_library(
    tags = ["automanaged"],
    deps = [
        "//pkg/api/v1:go_default_library",
        "//pkg/controller:go_default_library",
        "//vendor/github.com/golang/glog:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
    ],
--- a/pkg/cloudprovider/cloud.go
+++ b/pkg/cloudprovider/cloud.go
@@ -23,10 +23,13 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/pkg/api/v1"
 	"k8s.io/kubernetes/pkg/controller"
 )
 // Interface is an abstract, pluggable interface for cloud providers.
 type Interface interface {
 	// Initialize provides the cloud with a kubernetes client builder
 	Initialize(clientBuilder controller.ControllerClientBuilder)
 	// LoadBalancer returns a balancer interface. Also returns true if the interface is supported, false otherwise.
 	LoadBalancer() (LoadBalancer, bool)
 	// Instances returns an instances interface. Also returns true if the interface is supported, false otherwise.
--- a/pkg/cloudprovider/providers/aws/BUILD
+++ b/pkg/cloudprovider/providers/aws/BUILD
@@ -30,6 +30,7 @@ go_library(
        "//pkg/api/v1:go_default_library",
        "//pkg/api/v1/service:go_default_library",
        "//pkg/cloudprovider:go_default_library",
        "//pkg/controller:go_default_library",
        "//pkg/credentialprovider/aws:go_default_library",
        "//pkg/volume:go_default_library",
        "//vendor/github.com/aws/aws-sdk-go/aws:go_default_library",
--- a/pkg/cloudprovider/providers/aws/aws.go
+++ b/pkg/cloudprovider/providers/aws/aws.go
@@ -49,6 +49,7 @@ import (
 	"k8s.io/kubernetes/pkg/api/v1"
 	"k8s.io/kubernetes/pkg/api/v1/service"
 	"k8s.io/kubernetes/pkg/cloudprovider"
 	"k8s.io/kubernetes/pkg/controller"
 	"k8s.io/kubernetes/pkg/volume"
 )
@@ -888,6 +889,9 @@ func newAWSCloud(config io.Reader, awsServices Services) (*Cloud, error) {
 	return awsCloud, nil
 }
 // Initialize passes a Kubernetes clientBuilder interface to the cloud provider
 func (c *Cloud) Initialize(clientBuilder controller.ControllerClientBuilder) {}
 // Clusters returns the list of clusters.
 func (c *Cloud) Clusters() (cloudprovider.Clusters, bool) {
 	return nil, false
--- a/pkg/cloudprovider/providers/azure/BUILD
+++ b/pkg/cloudprovider/providers/azure/BUILD
@@ -29,6 +29,7 @@ go_library(
        "//pkg/api/v1:go_default_library",
        "//pkg/api/v1/service:go_default_library",
        "//pkg/cloudprovider:go_default_library",
        "//pkg/controller:go_default_library",
        "//pkg/version:go_default_library",
        "//pkg/volume:go_default_library",
        "//vendor/github.com/Azure/azure-sdk-for-go/arm/compute:go_default_library",
--- a/pkg/cloudprovider/providers/azure/azure.go
+++ b/pkg/cloudprovider/providers/azure/azure.go
@@ -20,8 +20,10 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
 	"time"
 	"k8s.io/kubernetes/pkg/cloudprovider"
 	"k8s.io/kubernetes/pkg/controller"
 	"k8s.io/kubernetes/pkg/version"
 	"github.com/Azure/azure-sdk-for-go/arm/compute"
@@ -30,7 +32,6 @@ import (
 	"github.com/Azure/go-autorest/autorest"
 	"github.com/Azure/go-autorest/autorest/azure"
 	"github.com/ghodss/yaml"
 	"time"
 )
 // CloudProviderName is the value used for the --cloud-provider flag
@@ -179,6 +180,9 @@ func NewCloud(configReader io.Reader) (cloudprovider.Interface, error) {
 	return &az, nil
 }
 // Initialize passes a Kubernetes clientBuilder interface to the cloud provider
 func (az *Cloud) Initialize(clientBuilder controller.ControllerClientBuilder) {}
 // LoadBalancer returns a balancer interface. Also returns true if the interface is supported, false otherwise.
 func (az *Cloud) LoadBalancer() (cloudprovider.LoadBalancer, bool) {
 	return az, true
--- a/pkg/cloudprovider/providers/cloudstack/BUILD
+++ b/pkg/cloudprovider/providers/cloudstack/BUILD
@@ -18,6 +18,7 @@ go_library(
    deps = [
        "//pkg/api/v1:go_default_library",
        "//pkg/cloudprovider:go_default_library",
        "//pkg/controller:go_default_library",
        "//vendor/github.com/golang/glog:go_default_library",
        "//vendor/github.com/xanzy/go-cloudstack/cloudstack:go_default_library",
        "//vendor/gopkg.in/gcfg.v1:go_default_library",
--- a/pkg/cloudprovider/providers/cloudstack/cloudstack.go
+++ b/pkg/cloudprovider/providers/cloudstack/cloudstack.go
@@ -24,6 +24,7 @@ import (
 	"github.com/xanzy/go-cloudstack/cloudstack"
 	"gopkg.in/gcfg.v1"
 	"k8s.io/kubernetes/pkg/cloudprovider"
 	"k8s.io/kubernetes/pkg/controller"
 )
 // ProviderName is the name of this cloud provider.
@@ -81,6 +82,9 @@ func newCSCloud(cfg *CSConfig) (*CSCloud, error) {
 	return &CSCloud{client, cfg.Global.ProjectID, cfg.Global.Zone}, nil
 }
 // Initialize passes a Kubernetes clientBuilder interface to the cloud provider
 func (cs *CSCloud) Initialize(clientBuilder controller.ControllerClientBuilder) {}
 // LoadBalancer returns an implementation of LoadBalancer for CloudStack.
 func (cs *CSCloud) LoadBalancer() (cloudprovider.LoadBalancer, bool) {
 	return cs, true
--- a/pkg/cloudprovider/providers/fake/BUILD
+++ b/pkg/cloudprovider/providers/fake/BUILD
@@ -17,6 +17,7 @@ go_library(
    deps = [
        "//pkg/api/v1:go_default_library",
        "//pkg/cloudprovider:go_default_library",
        "//pkg/controller:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
    ],
 )
--- a/pkg/cloudprovider/providers/fake/fake.go
+++ b/pkg/cloudprovider/providers/fake/fake.go
@@ -26,6 +26,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/pkg/api/v1"
 	"k8s.io/kubernetes/pkg/cloudprovider"
 	"k8s.io/kubernetes/pkg/controller"
 )
 const defaultProviderName = "fake"
@@ -82,6 +83,9 @@ func (f *FakeCloud) ClearCalls() {
 	f.Calls = []string{}
 }
 // Initialize passes a Kubernetes clientBuilder interface to the cloud provider
 func (f *FakeCloud) Initialize(clientBuilder controller.ControllerClientBuilder) {}
 func (f *FakeCloud) ListClusters() ([]string, error) {
 	return f.ClusterList, f.Err
 }
--- a/pkg/cloudprovider/providers/gce/BUILD
+++ b/pkg/cloudprovider/providers/gce/BUILD
@@ -38,6 +38,7 @@ go_library(
        "//pkg/api/v1:go_default_library",
        "//pkg/api/v1/service:go_default_library",
        "//pkg/cloudprovider:go_default_library",
        "//pkg/controller:go_default_library",
        "//pkg/util/net/sets:go_default_library",
        "//pkg/volume:go_default_library",
        "//vendor/cloud.google.com/go/compute/metadata:go_default_library",
--- a/pkg/cloudprovider/providers/gce/gce.go
+++ b/pkg/cloudprovider/providers/gce/gce.go
@@ -31,6 +31,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/util/flowcontrol"
 	"k8s.io/kubernetes/pkg/cloudprovider"
 	"k8s.io/kubernetes/pkg/controller"
 	"github.com/golang/glog"
 	"golang.org/x/oauth2"
@@ -233,6 +234,9 @@ func CreateGCECloud(projectID, region, zone string, managedZones []string, netwo
 	}, nil
 }
 // Initialize passes a Kubernetes clientBuilder interface to the cloud provider
 func (gce *GCECloud) Initialize(clientBuilder controller.ControllerClientBuilder) {}
 // LoadBalancer returns an implementation of LoadBalancer for Google Compute Engine.
 func (gce *GCECloud) LoadBalancer() (cloudprovider.LoadBalancer, bool) {
 	return gce, true
--- a/pkg/cloudprovider/providers/gce/gce_instances.go
+++ b/pkg/cloudprovider/providers/gce/gce_instances.go
@@ -17,7 +17,6 @@ limitations under the License.
 package gce
 import (
 	"errors"
 	"fmt"
 	"net/http"
 	"strconv"
@@ -62,7 +61,27 @@ func (gce *GCECloud) NodeAddresses(_ types.NodeName) ([]v1.NodeAddress, error) {
 // This method will not be called from the node that is requesting this ID.
 // i.e. metadata service and other local methods cannot be used here
 func (gce *GCECloud) NodeAddressesByProviderID(providerID string) ([]v1.NodeAddress, error) {
-	return []v1.NodeAddress{}, errors.New("unimplemented")
+	project, zone, name, err := splitProviderID(providerID)
 	if err != nil {
 		return []v1.NodeAddress{}, err
 	}
 	instance, err := gce.service.Instances.Get(project, zone, canonicalizeInstanceName(name)).Do()
 	if err != nil {
 		return []v1.NodeAddress{}, fmt.Errorf("error while querying for providerID %q: %v", providerID, err)
 	}
 	if len(instance.NetworkInterfaces) < 1 {
 		return []v1.NodeAddress{}, fmt.Errorf("could not find network interfaces for providerID %q", providerID)
 	}
 	networkInterface := instance.NetworkInterfaces[0]
 	nodeAddresses := []v1.NodeAddress{{Type: v1.NodeInternalIP, Address: networkInterface.NetworkIP}}
 	for _, config := range networkInterface.AccessConfigs {
 		nodeAddresses = append(nodeAddresses, v1.NodeAddress{Type: v1.NodeExternalIP, Address: config.NatIP})
 	}
 	return nodeAddresses, nil
 }
 // InstanceTypeByProviderID returns the cloudprovider instance type of the node
@@ -70,7 +89,15 @@ func (gce *GCECloud) NodeAddressesByProviderID(providerID string) ([]v1.NodeAddr
 // node that is requesting this ID. i.e. metadata service and other local
 // methods cannot be used here
 func (gce *GCECloud) InstanceTypeByProviderID(providerID string) (string, error) {
-	return "", errors.New("unimplemented")
+	project, zone, name, err := splitProviderID(providerID)
 	if err != nil {
 		return "", err
 	}
 	instance, err := gce.getInstanceFromProjectInZoneByName(project, zone, name)
 	if err != nil {
 		return "", err
 	}
 	return instance.Type, nil
 }
 // ExternalID returns the cloud provider ID of the node with the specified NodeName (deprecated).
@@ -339,30 +366,38 @@ func (gce *GCECloud) getInstancesByNames(names []string) ([]*gceInstance, error)
 func (gce *GCECloud) getInstanceByName(name string) (*gceInstance, error) {
 	// Avoid changing behaviour when not managing multiple zones
 	for _, zone := range gce.managedZones {
-		name = canonicalizeInstanceName(name)
+		instance, err := gce.getInstanceFromProjectInZoneByName(gce.projectID, zone, name)
 		mc := newInstancesMetricContext("get", zone)
 		res, err := gce.service.Instances.Get(gce.projectID, zone, name).Do()
 		mc.Observe(err)
 		if err != nil {
 			glog.Errorf("getInstanceByName: failed to get instance %s; err: %v", name, err)
 			if isHTTPErrorCode(err, http.StatusNotFound) {
 				continue
 			}
 			return nil, err
 		}
-		return &gceInstance{
+		return instance, nil
 			Zone:  lastComponent(res.Zone),
 			Name:  res.Name,
 			ID:    res.Id,
 			Disks: res.Disks,
 			Type:  lastComponent(res.MachineType),
 		}, nil
 	}
 	return nil, cloudprovider.InstanceNotFound
 }
 func (gce *GCECloud) getInstanceFromProjectInZoneByName(project, zone, name string) (*gceInstance, error) {
 	name = canonicalizeInstanceName(name)
 	mc := newInstancesMetricContext("get", zone)
 	res, err := gce.service.Instances.Get(project, zone, name).Do()
 	mc.Observe(err)
 	if err != nil {
 		glog.Errorf("getInstanceFromProjectInZoneByName: failed to get instance %s; err: %v", name, err)
 		return nil, err
 	}
 	return &gceInstance{
 		Zone:  lastComponent(res.Zone),
 		Name:  res.Name,
 		ID:    res.Id,
 		Disks: res.Disks,
 		Type:  lastComponent(res.MachineType),
 	}, nil
 }
 func getInstanceIDViaMetadata() (string, error) {
 	result, err := metadata.Get("instance/hostname")
 	if err != nil {
--- a/pkg/cloudprovider/providers/gce/gce_test.go
+++ b/pkg/cloudprovider/providers/gce/gce_test.go
@@ -158,3 +158,93 @@ func TestCreateFirewallFails(t *testing.T) {
 		t.Errorf("error expected when creating firewall without any tags found")
 	}
 }
 func TestSplitProviderID(t *testing.T) {
 	providers := []struct {
 		providerID string
 		project  string
 		zone     string
 		instance string
 		fail bool
 	}{
 		{
 			providerID: ProviderName + "://project-example-164317/us-central1-f/kubernetes-node-fhx1",
 			project:    "project-example-164317",
 			zone:       "us-central1-f",
 			instance:   "kubernetes-node-fhx1",
 			fail:       false,
 		},
 		{
 			providerID: ProviderName + "://project-example.164317/us-central1-f/kubernetes-node-fhx1",
 			project:    "project-example.164317",
 			zone:       "us-central1-f",
 			instance:   "kubernetes-node-fhx1",
 			fail:       false,
 		},
 		{
 			providerID: ProviderName + "://project-example-164317/us-central1-fkubernetes-node-fhx1",
 			project:    "",
 			zone:       "",
 			instance:   "",
 			fail:       true,
 		},
 		{
 			providerID: ProviderName + ":/project-example-164317/us-central1-f/kubernetes-node-fhx1",
 			project:    "",
 			zone:       "",
 			instance:   "",
 			fail:       true,
 		},
 		{
 			providerID: "aws://project-example-164317/us-central1-f/kubernetes-node-fhx1",
 			project:    "",
 			zone:       "",
 			instance:   "",
 			fail:       true,
 		},
 		{
 			providerID: ProviderName + "://project-example-164317/us-central1-f/kubernetes-node-fhx1/",
 			project:    "",
 			zone:       "",
 			instance:   "",
 			fail:       true,
 		},
 		{
 			providerID: ProviderName + "://project-example.164317//kubernetes-node-fhx1",
 			project:    "",
 			zone:       "",
 			instance:   "",
 			fail:       true,
 		},
 		{
 			providerID: ProviderName + "://project-example.164317/kubernetes-node-fhx1",
 			project:    "",
 			zone:       "",
 			instance:   "",
 			fail:       true,
 		},
 	}
 	for _, test := range providers {
 		project, zone, instance, err := splitProviderID(test.providerID)
 		if (err != nil) != test.fail {
 			t.Errorf("Expected to failt=%t, with pattern %v", test.fail, test)
 		}
 		if test.fail {
 			continue
 		}
 		if project != test.project {
 			t.Errorf("Expected %v, but got %v", test.project, project)
 		}
 		if zone != test.zone {
 			t.Errorf("Expected %v, but got %v", test.zone, zone)
 		}
 		if instance != test.instance {
 			t.Errorf("Expected %v, but got %v", test.instance, instance)
 		}
 	}
 }
--- a/pkg/cloudprovider/providers/gce/gce_util.go
+++ b/pkg/cloudprovider/providers/gce/gce_util.go
@@ -17,7 +17,9 @@ limitations under the License.
 package gce
 import (
 	"errors"
 	"fmt"
 	"regexp"
 	"strings"
 	"k8s.io/apimachinery/pkg/types"
@@ -35,6 +37,8 @@ type gceInstance struct {
 	Type  string
 }
 var providerIdRE = regexp.MustCompile(`^` + ProviderName + `://([^/]+)/([^/]+)/([^/]+)$`)
 func getProjectAndZone() (string, string, error) {
 	result, err := metadata.Get("instance/zone")
 	if err != nil {
@@ -100,3 +104,14 @@ func isHTTPErrorCode(err error, code int) bool {
 	apiErr, ok := err.(*googleapi.Error)
 	return ok && apiErr.Code == code
 }
 // splitProviderID splits a provider's id into core components.
 // A providerID is build out of '${ProviderName}://${project-id}/${zone}/${instance-name}'
 // See cloudprovider.GetInstanceProviderID.
 func splitProviderID(providerID string) (project, zone, instance string, err error) {
 	matches := providerIdRE.FindStringSubmatch(providerID)
 	if len(matches) != 4 {
 		return "", "", "", errors.New("error splitting providerID")
 	}
 	return matches[1], matches[2], matches[3], nil
 }
--- a/pkg/cloudprovider/providers/mesos/BUILD
+++ b/pkg/cloudprovider/providers/mesos/BUILD
@@ -20,6 +20,7 @@ go_library(
    deps = [
        "//pkg/api/v1:go_default_library",
        "//pkg/cloudprovider:go_default_library",
        "//pkg/controller:go_default_library",
        "//vendor/github.com/golang/glog:go_default_library",
        "//vendor/github.com/mesos/mesos-go/detector:go_default_library",
        "//vendor/github.com/mesos/mesos-go/detector/zoo:go_default_library",
--- a/pkg/cloudprovider/providers/mesos/mesos.go
+++ b/pkg/cloudprovider/providers/mesos/mesos.go
@@ -31,6 +31,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/pkg/api/v1"
 	"k8s.io/kubernetes/pkg/cloudprovider"
 	"k8s.io/kubernetes/pkg/controller"
 )
 const (
@@ -89,6 +90,9 @@ func newMesosCloud(configReader io.Reader) (*MesosCloud, error) {
 	}
 }
 // Initialize passes a Kubernetes clientBuilder interface to the cloud provider
 func (c *MesosCloud) Initialize(clientBuilder controller.ControllerClientBuilder) {}
 // Implementation of Instances.CurrentNodeName
 func (c *MesosCloud) CurrentNodeName(hostname string) (types.NodeName, error) {
 	return types.NodeName(hostname), nil
--- a/pkg/cloudprovider/providers/openstack/BUILD
+++ b/pkg/cloudprovider/providers/openstack/BUILD
@@ -24,6 +24,7 @@ go_library(
        "//pkg/api/v1/helper:go_default_library",
        "//pkg/api/v1/service:go_default_library",
        "//pkg/cloudprovider:go_default_library",
        "//pkg/controller:go_default_library",
        "//pkg/util/exec:go_default_library",
        "//pkg/util/mount:go_default_library",
        "//pkg/volume:go_default_library",
--- a/pkg/cloudprovider/providers/openstack/openstack.go
+++ b/pkg/cloudprovider/providers/openstack/openstack.go
@@ -45,6 +45,7 @@ import (
 	"k8s.io/kubernetes/pkg/api/v1"
 	v1helper "k8s.io/kubernetes/pkg/api/v1/helper"
 	"k8s.io/kubernetes/pkg/cloudprovider"
 	"k8s.io/kubernetes/pkg/controller"
 )
 const ProviderName = "openstack"
@@ -265,6 +266,9 @@ func newOpenStack(cfg Config) (*OpenStack, error) {
 	return &os, nil
 }
 // Initialize passes a Kubernetes clientBuilder interface to the cloud provider
 func (os *OpenStack) Initialize(clientBuilder controller.ControllerClientBuilder) {}
 // mapNodeNameToServerName maps a k8s NodeName to an OpenStack Server Name
 // This is a simple string cast.
 func mapNodeNameToServerName(nodeName types.NodeName) string {
--- a/pkg/cloudprovider/providers/ovirt/BUILD
+++ b/pkg/cloudprovider/providers/ovirt/BUILD
@@ -15,6 +15,7 @@ go_library(
    deps = [
        "//pkg/api/v1:go_default_library",
        "//pkg/cloudprovider:go_default_library",
        "//pkg/controller:go_default_library",
        "//vendor/gopkg.in/gcfg.v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
    ],
--- a/pkg/cloudprovider/providers/ovirt/ovirt.go
+++ b/pkg/cloudprovider/providers/ovirt/ovirt.go
@@ -34,6 +34,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/pkg/api/v1"
 	"k8s.io/kubernetes/pkg/cloudprovider"
 	"k8s.io/kubernetes/pkg/controller"
 )
 const ProviderName = "ovirt"
@@ -116,7 +117,10 @@ func newOVirtCloud(config io.Reader) (*OVirtCloud, error) {
 	return &OVirtCloud{VmsRequest: request}, nil
 }
-func (aws *OVirtCloud) Clusters() (cloudprovider.Clusters, bool) {
+// Initialize passes a Kubernetes clientBuilder interface to the cloud provider
 func (v *OVirtCloud) Initialize(clientBuilder controller.ControllerClientBuilder) {}
 func (v *OVirtCloud) Clusters() (cloudprovider.Clusters, bool) {
 	return nil, false
 }
--- a/pkg/cloudprovider/providers/photon/BUILD
+++ b/pkg/cloudprovider/providers/photon/BUILD
@@ -16,6 +16,7 @@ go_library(
        "//pkg/api/v1:go_default_library",
        "//pkg/api/v1/helper:go_default_library",
        "//pkg/cloudprovider:go_default_library",
        "//pkg/controller:go_default_library",
        "//vendor/github.com/golang/glog:go_default_library",
        "//vendor/github.com/vmware/photon-controller-go-sdk/photon:go_default_library",
        "//vendor/gopkg.in/gcfg.v1:go_default_library",
--- a/pkg/cloudprovider/providers/photon/photon.go
+++ b/pkg/cloudprovider/providers/photon/photon.go
@@ -41,6 +41,7 @@ import (
 	"k8s.io/kubernetes/pkg/api/v1"
 	v1helper "k8s.io/kubernetes/pkg/api/v1/helper"
 	"k8s.io/kubernetes/pkg/cloudprovider"
 	"k8s.io/kubernetes/pkg/controller"
 )
 const (
@@ -292,6 +293,9 @@ func newPCCloud(cfg PCConfig) (*PCCloud, error) {
 	return &pc, nil
 }
 // Initialize passes a Kubernetes clientBuilder interface to the cloud provider
 func (pc *PCCloud) Initialize(clientBuilder controller.ControllerClientBuilder) {}
 // Instances returns an implementation of Instances for Photon Controller.
 func (pc *PCCloud) Instances() (cloudprovider.Instances, bool) {
 	return pc, true
--- a/pkg/cloudprovider/providers/rackspace/BUILD
+++ b/pkg/cloudprovider/providers/rackspace/BUILD
@@ -15,6 +15,7 @@ go_library(
    deps = [
        "//pkg/api/v1:go_default_library",
        "//pkg/cloudprovider:go_default_library",
        "//pkg/controller:go_default_library",
        "//vendor/github.com/golang/glog:go_default_library",
        "//vendor/github.com/rackspace/gophercloud:go_default_library",
        "//vendor/github.com/rackspace/gophercloud/openstack/compute/v2/extensions/volumeattach:go_default_library",
--- a/pkg/cloudprovider/providers/rackspace/rackspace.go
+++ b/pkg/cloudprovider/providers/rackspace/rackspace.go
@@ -43,6 +43,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/pkg/api/v1"
 	"k8s.io/kubernetes/pkg/cloudprovider"
 	"k8s.io/kubernetes/pkg/controller"
 )
 const (
@@ -218,6 +219,9 @@ func newRackspace(cfg Config) (*Rackspace, error) {
 	return &os, nil
 }
 // Initialize passes a Kubernetes clientBuilder interface to the cloud provider
 func (os *Rackspace) Initialize(clientBuilder controller.ControllerClientBuilder) {}
 type Instances struct {
 	compute *gophercloud.ServiceClient
 }
--- a/pkg/cloudprovider/providers/vsphere/BUILD
+++ b/pkg/cloudprovider/providers/vsphere/BUILD
@@ -19,6 +19,7 @@ go_library(
        "//pkg/api/v1:go_default_library",
        "//pkg/api/v1/helper:go_default_library",
        "//pkg/cloudprovider:go_default_library",
        "//pkg/controller:go_default_library",
        "//vendor/github.com/golang/glog:go_default_library",
        "//vendor/github.com/vmware/govmomi:go_default_library",
        "//vendor/github.com/vmware/govmomi/find:go_default_library",
--- a/pkg/cloudprovider/providers/vsphere/vsphere.go
+++ b/pkg/cloudprovider/providers/vsphere/vsphere.go
@@ -50,6 +50,7 @@ import (
 	"k8s.io/kubernetes/pkg/api/v1"
 	v1helper "k8s.io/kubernetes/pkg/api/v1/helper"
 	"k8s.io/kubernetes/pkg/cloudprovider"
 	"k8s.io/kubernetes/pkg/controller"
 )
 const (
@@ -229,6 +230,9 @@ func init() {
 	})
 }
 // Initialize passes a Kubernetes clientBuilder interface to the cloud provider
 func (vs *VSphere) Initialize(clientBuilder controller.ControllerClientBuilder) {}
 // UUID gets the BIOS UUID via the sys interface.  This UUID is known by vsphere
 func getvmUUID() (string, error) {
 	id, err := ioutil.ReadFile(UUIDPath)
--- a/pkg/controller/endpoint/endpoints_controller.go
+++ b/pkg/controller/endpoint/endpoints_controller.go
@@ -146,7 +146,6 @@ func (e *EndpointController) Run(workers int, stopCh <-chan struct{}) {
 	go func() {
 		defer utilruntime.HandleCrash()
 		time.Sleep(5 * time.Minute) // give time for our cache to fill
 		e.checkLeftoverEndpoints()
 	}()
--- a/pkg/kubelet/envvars/envvars.go
+++ b/pkg/kubelet/envvars/envvars.go
@@ -18,6 +18,7 @@ package envvars
 import (
 	"fmt"
 	"net"
 	"strconv"
 	"strings"
@@ -78,18 +79,21 @@ func makeLinkVariables(service *v1.Service) []v1.EnvVar {
 		if sp.Protocol != "" {
 			protocol = string(sp.Protocol)
 		}
 		hostPort := net.JoinHostPort(service.Spec.ClusterIP, strconv.Itoa(int(sp.Port)))
 		if i == 0 {
 			// Docker special-cases the first port.
 			all = append(all, v1.EnvVar{
 				Name:  prefix + "_PORT",
-				Value: fmt.Sprintf("%s://%s:%d", strings.ToLower(protocol), service.Spec.ClusterIP, sp.Port),
+				Value: fmt.Sprintf("%s://%s", strings.ToLower(protocol), hostPort),
 			})
 		}
 		portPrefix := fmt.Sprintf("%s_PORT_%d_%s", prefix, sp.Port, strings.ToUpper(protocol))
 		all = append(all, []v1.EnvVar{
 			{
 				Name:  portPrefix,
-				Value: fmt.Sprintf("%s://%s:%d", strings.ToLower(protocol), service.Spec.ClusterIP, sp.Port),
+				Value: fmt.Sprintf("%s://%s", strings.ToLower(protocol), hostPort),
 			},
 			{
 				Name:  portPrefix + "_PROTO",
--- a/pkg/kubelet/envvars/envvars_test.go
+++ b/pkg/kubelet/envvars/envvars_test.go
@@ -79,6 +79,17 @@ func TestFromServices(t *testing.T) {
 				},
 			},
 		},
 		{
 			ObjectMeta: metav1.ObjectMeta{Name: "super-ipv6"},
 			Spec: v1.ServiceSpec{
 				Selector:  map[string]string{"bar": "baz"},
 				ClusterIP: "2001:DB8::",
 				Ports: []v1.ServicePort{
 					{Name: "u-d-p", Port: 8084, Protocol: "UDP"},
 					{Name: "t-c-p", Port: 8084, Protocol: "TCP"},
 				},
 			},
 		},
 	}
 	vars := envvars.FromServices(sl)
 	expected := []v1.EnvVar{
@@ -114,6 +125,19 @@ func TestFromServices(t *testing.T) {
 		{Name: "Q_U_U_X_PORT_8083_TCP_PROTO", Value: "tcp"},
 		{Name: "Q_U_U_X_PORT_8083_TCP_PORT", Value: "8083"},
 		{Name: "Q_U_U_X_PORT_8083_TCP_ADDR", Value: "9.8.7.6"},
 		{Name: "SUPER_IPV6_SERVICE_HOST", Value: "2001:DB8::"},
 		{Name: "SUPER_IPV6_SERVICE_PORT", Value: "8084"},
 		{Name: "SUPER_IPV6_SERVICE_PORT_U_D_P", Value: "8084"},
 		{Name: "SUPER_IPV6_SERVICE_PORT_T_C_P", Value: "8084"},
 		{Name: "SUPER_IPV6_PORT", Value: "udp://[2001:DB8::]:8084"},
 		{Name: "SUPER_IPV6_PORT_8084_UDP", Value: "udp://[2001:DB8::]:8084"},
 		{Name: "SUPER_IPV6_PORT_8084_UDP_PROTO", Value: "udp"},
 		{Name: "SUPER_IPV6_PORT_8084_UDP_PORT", Value: "8084"},
 		{Name: "SUPER_IPV6_PORT_8084_UDP_ADDR", Value: "2001:DB8::"},
 		{Name: "SUPER_IPV6_PORT_8084_TCP", Value: "tcp://[2001:DB8::]:8084"},
 		{Name: "SUPER_IPV6_PORT_8084_TCP_PROTO", Value: "tcp"},
 		{Name: "SUPER_IPV6_PORT_8084_TCP_PORT", Value: "8084"},
 		{Name: "SUPER_IPV6_PORT_8084_TCP_ADDR", Value: "2001:DB8::"},
 	}
 	if len(vars) != len(expected) {
 		t.Errorf("Expected %d env vars, got: %+v", len(expected), vars)
--- a/pkg/util/bandwidth/linux.go
+++ b/pkg/util/bandwidth/linux.go
@@ -101,7 +101,7 @@ func hexCIDR(cidr string) (string, error) {
 		return "", err
 	}
 	ip = ip.Mask(ipnet.Mask)
-	hexIP := hex.EncodeToString([]byte(ip.To4()))
+	hexIP := hex.EncodeToString([]byte(ip))
 	hexMask := ipnet.Mask.String()
 	return hexIP + "/" + hexMask, nil
 }
@@ -119,6 +119,9 @@ func asciiCIDR(cidr string) (string, error) {
 	ip := net.IP(ipData)
 	maskData, err := hex.DecodeString(parts[1])
 	if err != nil {
 		return "", err
 	}
 	mask := net.IPMask(maskData)
 	size, _ := mask.Size()
--- a/pkg/util/bandwidth/linux_test.go
+++ b/pkg/util/bandwidth/linux_test.go
@@ -94,19 +94,33 @@ func TestNextClassID(t *testing.T) {
 func TestHexCIDR(t *testing.T) {
 	tests := []struct {
 		name      string
 		input     string
 		output    string
 		expectErr bool
 	}{
 		{
-			input:  "1.2.0.0/16",
+			name:   "IPv4 masked",
 			input:  "1.2.3.4/16",
 			output: "01020000/ffff0000",
 		},
 		{
 			name:   "IPv4 host",
 			input:  "172.17.0.2/32",
 			output: "ac110002/ffffffff",
 		},
 		{
 			name:   "IPv6 masked",
 			input:  "2001:dead:beef::cafe/64",
 			output: "2001deadbeef00000000000000000000/ffffffffffffffff0000000000000000",
 		},
 		{
 			name:   "IPv6 host",
 			input:  "2001::5/128",
 			output: "20010000000000000000000000000005/ffffffffffffffffffffffffffffffff",
 		},
 		{
 			name:      "invalid CIDR",
 			input:     "foo",
 			expectErr: true,
 		},
@@ -115,21 +129,76 @@ func TestHexCIDR(t *testing.T) {
 		output, err := hexCIDR(test.input)
 		if test.expectErr {
 			if err == nil {
-				t.Error("unexpected non-error")
+				t.Errorf("case %s: unexpected non-error", test.name)
 			}
 		} else {
 			if err != nil {
-				t.Errorf("unexpected error: %v", err)
+				t.Errorf("case %s: unexpected error: %v", test.name, err)
 			}
 			if output != test.output {
-				t.Errorf("expected: %s, saw: %s", test.output, output)
+				t.Errorf("case %s: expected: %s, saw: %s",
 					test.name, test.output, output)
 			}
-			input, err := asciiCIDR(output)
+		}
 	}
 }
 func TestAsciiCIDR(t *testing.T) {
 	tests := []struct {
 		name      string
 		input     string
 		output    string
 		expectErr bool
 	}{
 		{
 			name:   "IPv4",
 			input:  "01020000/ffff0000",
 			output: "1.2.0.0/16",
 		},
 		{
 			name:   "IPv4 host",
 			input:  "ac110002/ffffffff",
 			output: "172.17.0.2/32",
 		},
 		{
 			name:   "IPv6",
 			input:  "2001deadbeef00000000000000000000/ffffffffffffffff0000000000000000",
 			output: "2001:dead:beef::/64",
 		},
 		{
 			name:   "IPv6 host",
 			input:  "20010000000000000000000000000005/ffffffffffffffffffffffffffffffff",
 			output: "2001::5/128",
 		},
 		{
 			name:      "invalid CIDR",
 			input:     "malformed",
 			expectErr: true,
 		},
 		{
 			name:      "non-hex IP",
 			input:     "nonhex/32",
 			expectErr: true,
 		},
 		{
 			name:      "non-hex mask",
 			input:     "01020000/badmask",
 			expectErr: true,
 		},
 	}
 	for _, test := range tests {
 		output, err := asciiCIDR(test.input)
 		if test.expectErr {
 			if err == nil {
 				t.Errorf("case %s: unexpected non-error", test.name)
 			}
 		} else {
 			if err != nil {
-				t.Errorf("unexpected error: %v", err)
+				t.Errorf("case %s: unexpected error: %v", test.name, err)
 			}
-			if input != test.input {
+			if output != test.output {
-				t.Errorf("expected: %s, saw: %s", test.input, input)
+				t.Errorf("case %s: expected: %s, saw: %s",
 					test.name, test.output, output)
 			}
 		}
 	}
--- a/plugin/BUILD
+++ b/plugin/BUILD
@@ -27,6 +27,7 @@ filegroup(
        "//plugin/pkg/admission/namespace/autoprovision:all-srcs",
        "//plugin/pkg/admission/namespace/exists:all-srcs",
        "//plugin/pkg/admission/namespace/lifecycle:all-srcs",
        "//plugin/pkg/admission/noderestriction:all-srcs",
        "//plugin/pkg/admission/persistentvolume/label:all-srcs",
        "//plugin/pkg/admission/podnodeselector:all-srcs",
        "//plugin/pkg/admission/podpreset:all-srcs",
--- a/plugin/pkg/admission/admit/admission.go
+++ b/plugin/pkg/admission/admit/admission.go
@@ -24,7 +24,12 @@ import (
 )
 func init() {
-	kubeapiserveradmission.Plugins.Register("AlwaysAdmit", func(config io.Reader) (admission.Interface, error) {
+	Register(&kubeapiserveradmission.Plugins)
 }
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register("AlwaysAdmit", func(config io.Reader) (admission.Interface, error) {
 		return NewAlwaysAdmit(), nil
 	})
 }
--- a/plugin/pkg/admission/alwayspullimages/admission.go
+++ b/plugin/pkg/admission/alwayspullimages/admission.go
@@ -34,7 +34,12 @@ import (
 )
 func init() {
-	kubeapiserveradmission.Plugins.Register("AlwaysPullImages", func(config io.Reader) (admission.Interface, error) {
+	Register(&kubeapiserveradmission.Plugins)
 }
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register("AlwaysPullImages", func(config io.Reader) (admission.Interface, error) {
 		return NewAlwaysPullImages(), nil
 	})
 }
--- a/plugin/pkg/admission/antiaffinity/admission.go
+++ b/plugin/pkg/admission/antiaffinity/admission.go
@@ -28,7 +28,12 @@ import (
 )
 func init() {
-	kubeapiserveradmission.Plugins.Register("LimitPodHardAntiAffinityTopology", func(config io.Reader) (admission.Interface, error) {
+	Register(&kubeapiserveradmission.Plugins)
 }
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register("LimitPodHardAntiAffinityTopology", func(config io.Reader) (admission.Interface, error) {
 		return NewInterPodAntiAffinity(), nil
 	})
 }
--- a/plugin/pkg/admission/defaulttolerationseconds/admission.go
+++ b/plugin/pkg/admission/defaulttolerationseconds/admission.go
@@ -40,7 +40,12 @@ var (
 )
 func init() {
-	kubeapiserveradmission.Plugins.Register("DefaultTolerationSeconds", func(config io.Reader) (admission.Interface, error) {
+	Register(&kubeapiserveradmission.Plugins)
 }
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register("DefaultTolerationSeconds", func(config io.Reader) (admission.Interface, error) {
 		return NewDefaultTolerationSeconds(), nil
 	})
 }
--- a/plugin/pkg/admission/deny/admission.go
+++ b/plugin/pkg/admission/deny/admission.go
@@ -25,7 +25,12 @@ import (
 )
 func init() {
-	kubeapiserveradmission.Plugins.Register("AlwaysDeny", func(config io.Reader) (admission.Interface, error) {
+	Register(&kubeapiserveradmission.Plugins)
 }
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register("AlwaysDeny", func(config io.Reader) (admission.Interface, error) {
 		return NewAlwaysDeny(), nil
 	})
 }
--- a/plugin/pkg/admission/exec/admission.go
+++ b/plugin/pkg/admission/exec/admission.go
@@ -30,13 +30,18 @@ import (
 )
 func init() {
-	kubeapiserveradmission.Plugins.Register("DenyEscalatingExec", func(config io.Reader) (admission.Interface, error) {
+	Register(&kubeapiserveradmission.Plugins)
 }
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register("DenyEscalatingExec", func(config io.Reader) (admission.Interface, error) {
 		return NewDenyEscalatingExec(), nil
 	})
 	// This is for legacy support of the DenyExecOnPrivileged admission controller.  Most
 	// of the time DenyEscalatingExec should be preferred.
-	kubeapiserveradmission.Plugins.Register("DenyExecOnPrivileged", func(config io.Reader) (admission.Interface, error) {
+	plugins.Register("DenyExecOnPrivileged", func(config io.Reader) (admission.Interface, error) {
 		return NewDenyExecOnPrivileged(), nil
 	})
 }
--- a/plugin/pkg/admission/gc/gc_admission.go
+++ b/plugin/pkg/admission/gc/gc_admission.go
@@ -32,7 +32,12 @@ import (
 )
 func init() {
-	kubeapiserveradmission.Plugins.Register("OwnerReferencesPermissionEnforcement", func(config io.Reader) (admission.Interface, error) {
+	Register(&kubeapiserveradmission.Plugins)
 }
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register("OwnerReferencesPermissionEnforcement", func(config io.Reader) (admission.Interface, error) {
 		// the pods/status endpoint is ignored by this plugin since old kubelets
 		// corrupt them.  the pod status strategy ensures status updates cannot mutate
 		// ownerRef.
--- a/plugin/pkg/admission/imagepolicy/admission.go
+++ b/plugin/pkg/admission/imagepolicy/admission.go
@@ -50,7 +50,12 @@ var (
 )
 func init() {
-	kubeapiserveradmission.Plugins.Register("ImagePolicyWebhook", func(config io.Reader) (admission.Interface, error) {
+	Register(&kubeapiserveradmission.Plugins)
 }
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register("ImagePolicyWebhook", func(config io.Reader) (admission.Interface, error) {
 		newImagePolicyWebhook, err := NewImagePolicyWebhook(config)
 		if err != nil {
 			return nil, err
--- a/plugin/pkg/admission/initialresources/admission.go
+++ b/plugin/pkg/admission/initialresources/admission.go
@@ -47,7 +47,12 @@ const (
 // WARNING: this feature is experimental and will definitely change.
 func init() {
-	kubeapiserveradmission.Plugins.Register("InitialResources", func(config io.Reader) (admission.Interface, error) {
+	Register(&kubeapiserveradmission.Plugins)
 }
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register("InitialResources", func(config io.Reader) (admission.Interface, error) {
 		// TODO: remove the usage of flags in favor of reading versioned configuration
 		s, err := newDataSource(*source)
 		if err != nil {
--- a/plugin/pkg/admission/limitranger/admission.go
+++ b/plugin/pkg/admission/limitranger/admission.go
@@ -44,7 +44,12 @@ const (
 )
 func init() {
-	kubeapiserveradmission.Plugins.Register("LimitRanger", func(config io.Reader) (admission.Interface, error) {
+	Register(&kubeapiserveradmission.Plugins)
 }
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register("LimitRanger", func(config io.Reader) (admission.Interface, error) {
 		return NewLimitRanger(&DefaultLimitRangerActions{})
 	})
 }
--- a/plugin/pkg/admission/namespace/autoprovision/admission.go
+++ b/plugin/pkg/admission/namespace/autoprovision/admission.go
@@ -31,7 +31,12 @@ import (
 )
 func init() {
-	kubeapiserveradmission.Plugins.Register("NamespaceAutoProvision", func(config io.Reader) (admission.Interface, error) {
+	Register(&kubeapiserveradmission.Plugins)
 }
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register("NamespaceAutoProvision", func(config io.Reader) (admission.Interface, error) {
 		return NewProvision(), nil
 	})
 }
--- a/plugin/pkg/admission/namespace/exists/admission.go
+++ b/plugin/pkg/admission/namespace/exists/admission.go
@@ -31,7 +31,12 @@ import (
 )
 func init() {
-	kubeapiserveradmission.Plugins.Register("NamespaceExists", func(config io.Reader) (admission.Interface, error) {
+	Register(&kubeapiserveradmission.Plugins)
 }
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register("NamespaceExists", func(config io.Reader) (admission.Interface, error) {
 		return NewExists(), nil
 	})
 }
--- a/plugin/pkg/admission/namespace/lifecycle/admission.go
+++ b/plugin/pkg/admission/namespace/lifecycle/admission.go
@@ -51,7 +51,12 @@ const (
 )
 func init() {
-	kubeapiserveradmission.Plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
+	Register(&kubeapiserveradmission.Plugins)
 }
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
 		return NewLifecycle(sets.NewString(metav1.NamespaceDefault, metav1.NamespaceSystem, metav1.NamespacePublic))
 	})
 }
--- a/plugin/pkg/admission/noderestriction/BUILD
+++ b/plugin/pkg/admission/noderestriction/BUILD
@@ -0,0 +1,54 @@
 package(default_visibility = ["//visibility:public"])
 licenses(["notice"])
 load(
    "@io_bazel_rules_go//go:def.bzl",
    "go_library",
    "go_test",
 )
 go_library(
    name = "go_default_library",
    srcs = ["admission.go"],
    tags = ["automanaged"],
    deps = [
        "//pkg/api:go_default_library",
        "//pkg/api/pod:go_default_library",
        "//pkg/auth/nodeidentifier:go_default_library",
        "//pkg/client/clientset_generated/internalclientset:go_default_library",
        "//pkg/client/clientset_generated/internalclientset/typed/core/internalversion:go_default_library",
        "//pkg/kubeapiserver/admission:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
    ],
 )
 go_test(
    name = "go_default_test",
    srcs = ["admission_test.go"],
    library = ":go_default_library",
    tags = ["automanaged"],
    deps = [
        "//pkg/api:go_default_library",
        "//pkg/auth/nodeidentifier:go_default_library",
        "//pkg/client/clientset_generated/internalclientset/fake:go_default_library",
        "//pkg/client/clientset_generated/internalclientset/typed/core/internalversion:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
        "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
    ],
 )
 filegroup(
    name = "package-srcs",
    srcs = glob(["**"]),
    tags = ["automanaged"],
    visibility = ["//visibility:private"],
 )
 filegroup(
    name = "all-srcs",
    srcs = [":package-srcs"],
    tags = ["automanaged"],
 )
--- a/plugin/pkg/admission/noderestriction/OWNERS
+++ b/plugin/pkg/admission/noderestriction/OWNERS
@@ -0,0 +1,8 @@
 approvers:
 - deads2k
 - liggitt
 - timstclair
 reviewers:
 - deads2k
 - liggitt
 - timstclair
--- a/plugin/pkg/admission/noderestriction/admission.go
+++ b/plugin/pkg/admission/noderestriction/admission.go
@@ -0,0 +1,203 @@
 /*
 Copyright 2017 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package node
 import (
 	"fmt"
 	"io"
 	"k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/kubernetes/pkg/api"
 	podutil "k8s.io/kubernetes/pkg/api/pod"
 	"k8s.io/kubernetes/pkg/auth/nodeidentifier"
 	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 	coreinternalversion "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion"
 	kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
 )
 const (
 	PluginName = "NodeRestriction"
 )
 func init() {
 	kubeapiserveradmission.Plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
 		return NewPlugin(nodeidentifier.NewDefaultNodeIdentifier(), false), nil
 	})
 }
 // NewPlugin creates a new NodeRestriction admission plugin.
 // This plugin identifies requests from nodes
 func NewPlugin(nodeIdentifier nodeidentifier.NodeIdentifier, strict bool) *nodePlugin {
 	return &nodePlugin{
 		Handler:        admission.NewHandler(admission.Create, admission.Update, admission.Delete),
 		nodeIdentifier: nodeIdentifier,
 		strict:         strict,
 	}
 }
 // nodePlugin holds state for and implements the admission plugin.
 type nodePlugin struct {
 	*admission.Handler
 	strict         bool
 	nodeIdentifier nodeidentifier.NodeIdentifier
 	podsGetter     coreinternalversion.PodsGetter
 }
 var (
 	_ = admission.Interface(&nodePlugin{})
 	_ = kubeapiserveradmission.WantsInternalKubeClientSet(&nodePlugin{})
 )
 func (p *nodePlugin) SetInternalKubeClientSet(f internalclientset.Interface) {
 	p.podsGetter = f.Core()
 }
 func (p *nodePlugin) Validate() error {
 	if p.nodeIdentifier == nil {
 		return fmt.Errorf("%s requires a node identifier", PluginName)
 	}
 	if p.podsGetter == nil {
 		return fmt.Errorf("%s requires a pod getter", PluginName)
 	}
 	return nil
 }
 var (
 	podResource  = api.Resource("pods")
 	nodeResource = api.Resource("nodes")
 )
 func (c *nodePlugin) Admit(a admission.Attributes) error {
 	nodeName, isNode := c.nodeIdentifier.NodeIdentity(a.GetUserInfo())
 	// Our job is just to restrict nodes
 	if !isNode {
 		return nil
 	}
 	if len(nodeName) == 0 {
 		if c.strict {
 			// In strict mode, disallow requests from nodes we cannot match to a particular node
 			return admission.NewForbidden(a, fmt.Errorf("could not determine node identity from user"))
 		}
 		// Our job is just to restrict identifiable nodes
 		return nil
 	}
 	switch a.GetResource().GroupResource() {
 	case podResource:
 		switch a.GetSubresource() {
 		case "":
 			return c.admitPod(nodeName, a)
 		case "status":
 			return c.admitPodStatus(nodeName, a)
 		default:
 			return admission.NewForbidden(a, fmt.Errorf("unexpected pod subresource %s", a.GetSubresource()))
 		}
 	case nodeResource:
 		return c.admitNode(nodeName, a)
 	default:
 		return nil
 	}
 }
 func (c *nodePlugin) admitPod(nodeName string, a admission.Attributes) error {
 	switch a.GetOperation() {
 	case admission.Create:
 		// require a pod object
 		pod, ok := a.GetObject().(*api.Pod)
 		if !ok {
 			return admission.NewForbidden(a, fmt.Errorf("unexpected type %T", a.GetObject()))
 		}
 		// only allow nodes to create mirror pods
 		if _, isMirrorPod := pod.Annotations[api.MirrorPodAnnotationKey]; !isMirrorPod {
 			return admission.NewForbidden(a, fmt.Errorf("pod does not have %q annotation, node %s can only create mirror pods", api.MirrorPodAnnotationKey, nodeName))
 		}
 		// only allow nodes to create a pod bound to itself
 		if pod.Spec.NodeName != nodeName {
 			return admission.NewForbidden(a, fmt.Errorf("node %s can only create pods with spec.nodeName set to itself", nodeName))
 		}
 		// don't allow a node to create a pod that references any other API objects
 		if pod.Spec.ServiceAccountName != "" {
 			return admission.NewForbidden(a, fmt.Errorf("node %s can not create pods that reference a service account", nodeName))
 		}
 		hasSecrets := false
 		podutil.VisitPodSecretNames(pod, func(name string) (shouldContinue bool) { hasSecrets = true; return false })
 		if hasSecrets {
 			return admission.NewForbidden(a, fmt.Errorf("node %s can not create pods that reference secrets", nodeName))
 		}
 		hasConfigMaps := false
 		podutil.VisitPodConfigmapNames(pod, func(name string) (shouldContinue bool) { hasConfigMaps = true; return false })
 		if hasConfigMaps {
 			return admission.NewForbidden(a, fmt.Errorf("node %s can not create pods that reference configmaps", nodeName))
 		}
 		for _, v := range pod.Spec.Volumes {
 			if v.PersistentVolumeClaim != nil {
 				return admission.NewForbidden(a, fmt.Errorf("node %s can not create pods that reference persistentvolumeclaims", nodeName))
 			}
 		}
 		return nil
 	case admission.Delete:
 		// get the existing pod
 		existingPod, err := c.podsGetter.Pods(a.GetNamespace()).Get(a.GetName(), v1.GetOptions{ResourceVersion: "0"})
 		if err != nil {
 			return admission.NewForbidden(a, err)
 		}
 		// only allow a node to delete a pod bound to itself
 		if existingPod.Spec.NodeName != nodeName {
 			return admission.NewForbidden(a, fmt.Errorf("node %s can only delete pods with spec.nodeName set to itself", nodeName))
 		}
 		return nil
 	default:
 		return admission.NewForbidden(a, fmt.Errorf("unexpected operation %s", a.GetOperation()))
 	}
 }
 func (c *nodePlugin) admitPodStatus(nodeName string, a admission.Attributes) error {
 	switch a.GetOperation() {
 	case admission.Update:
 		// require an existing pod
 		pod, ok := a.GetOldObject().(*api.Pod)
 		if !ok {
 			return admission.NewForbidden(a, fmt.Errorf("unexpected type %T", a.GetObject()))
 		}
 		// only allow a node to update status of a pod bound to itself
 		if pod.Spec.NodeName != nodeName {
 			return admission.NewForbidden(a, fmt.Errorf("node %s can only update pod status for pods with spec.nodeName set to itself", nodeName))
 		}
 		return nil
 	default:
 		return admission.NewForbidden(a, fmt.Errorf("unexpected operation %s", a.GetOperation()))
 	}
 }
 func (c *nodePlugin) admitNode(nodeName string, a admission.Attributes) error {
 	if a.GetName() != nodeName {
 		return admission.NewForbidden(a, fmt.Errorf("cannot modify other nodes"))
 	}
 	return nil
 }
--- a/plugin/pkg/admission/noderestriction/admission_test.go
+++ b/plugin/pkg/admission/noderestriction/admission_test.go
@@ -0,0 +1,476 @@
 /*
 Copyright 2017 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package node
 import (
 	"strings"
 	"testing"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/auth/nodeidentifier"
 	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/fake"
 	coreinternalversion "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion"
 )
 func makeTestPod(namespace, name, node string, mirror bool) *api.Pod {
 	pod := &api.Pod{}
 	pod.Namespace = namespace
 	pod.Name = name
 	pod.Spec.NodeName = node
 	if mirror {
 		pod.Annotations = map[string]string{api.MirrorPodAnnotationKey: "true"}
 	}
 	return pod
 }
 func Test_nodePlugin_Admit(t *testing.T) {
 	var (
 		mynode = &user.DefaultInfo{Name: "system:node:mynode", Groups: []string{"system:nodes"}}
 		bob    = &user.DefaultInfo{Name: "bob"}
 		mynodeObj    = &api.Node{ObjectMeta: metav1.ObjectMeta{Name: "mynode"}}
 		othernodeObj = &api.Node{ObjectMeta: metav1.ObjectMeta{Name: "othernode"}}
 		mymirrorpod      = makeTestPod("ns", "mymirrorpod", "mynode", true)
 		othermirrorpod   = makeTestPod("ns", "othermirrorpod", "othernode", true)
 		unboundmirrorpod = makeTestPod("ns", "unboundmirrorpod", "", true)
 		mypod            = makeTestPod("ns", "mypod", "mynode", false)
 		otherpod         = makeTestPod("ns", "otherpod", "othernode", false)
 		unboundpod       = makeTestPod("ns", "unboundpod", "", false)
 		configmapResource = api.Resource("configmap").WithVersion("v1")
 		configmapKind     = api.Kind("ConfigMap").WithVersion("v1")
 		podResource = api.Resource("pods").WithVersion("v1")
 		podKind     = api.Kind("Pod").WithVersion("v1")
 		nodeResource = api.Resource("nodes").WithVersion("v1")
 		nodeKind     = api.Kind("Node").WithVersion("v1")
 		noExistingPods = fake.NewSimpleClientset().Core()
 		existingPods   = fake.NewSimpleClientset(mymirrorpod, othermirrorpod, unboundmirrorpod, mypod, otherpod, unboundpod).Core()
 	)
 	sapod := makeTestPod("ns", "mysapod", "mynode", true)
 	sapod.Spec.ServiceAccountName = "foo"
 	secretpod := makeTestPod("ns", "mysecretpod", "mynode", true)
 	secretpod.Spec.Volumes = []api.Volume{{VolumeSource: api.VolumeSource{Secret: &api.SecretVolumeSource{SecretName: "foo"}}}}
 	configmappod := makeTestPod("ns", "myconfigmappod", "mynode", true)
 	configmappod.Spec.Volumes = []api.Volume{{VolumeSource: api.VolumeSource{ConfigMap: &api.ConfigMapVolumeSource{LocalObjectReference: api.LocalObjectReference{Name: "foo"}}}}}
 	pvcpod := makeTestPod("ns", "mypvcpod", "mynode", true)
 	pvcpod.Spec.Volumes = []api.Volume{{VolumeSource: api.VolumeSource{PersistentVolumeClaim: &api.PersistentVolumeClaimVolumeSource{ClaimName: "foo"}}}}
 	tests := []struct {
 		name       string
 		strict     bool
 		podsGetter coreinternalversion.PodsGetter
 		attributes admission.Attributes
 		err        string
 	}{
 		// Mirror pods bound to us
 		{
 			name:       "allow creating a mirror pod bound to self",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(mymirrorpod, nil, podKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "", admission.Create, mynode),
 			err:        "",
 		},
 		{
 			name:       "forbid update of mirror pod bound to self",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(mymirrorpod, mymirrorpod, podKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "", admission.Update, mynode),
 			err:        "forbidden: unexpected operation",
 		},
 		{
 			name:       "allow delete of mirror pod bound to self",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(nil, nil, podKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "", admission.Delete, mynode),
 			err:        "",
 		},
 		{
 			name:       "forbid create of mirror pod status bound to self",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(mymirrorpod, nil, podKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "status", admission.Create, mynode),
 			err:        "forbidden: unexpected operation",
 		},
 		{
 			name:       "allow update of mirror pod status bound to self",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(mymirrorpod, mymirrorpod, podKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "status", admission.Update, mynode),
 			err:        "",
 		},
 		{
 			name:       "forbid delete of mirror pod status bound to self",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(nil, nil, podKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "status", admission.Delete, mynode),
 			err:        "forbidden: unexpected operation",
 		},
 		// Mirror pods bound to another node
 		{
 			name:       "forbid creating a mirror pod bound to another",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(othermirrorpod, nil, podKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "", admission.Create, mynode),
 			err:        "spec.nodeName set to itself",
 		},
 		{
 			name:       "forbid update of mirror pod bound to another",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(othermirrorpod, othermirrorpod, podKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "", admission.Update, mynode),
 			err:        "forbidden: unexpected operation",
 		},
 		{
 			name:       "forbid delete of mirror pod bound to another",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(nil, nil, podKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "", admission.Delete, mynode),
 			err:        "spec.nodeName set to itself",
 		},
 		{
 			name:       "forbid create of mirror pod status bound to another",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(othermirrorpod, nil, podKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "status", admission.Create, mynode),
 			err:        "forbidden: unexpected operation",
 		},
 		{
 			name:       "forbid update of mirror pod status bound to another",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(othermirrorpod, othermirrorpod, podKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "status", admission.Update, mynode),
 			err:        "spec.nodeName set to itself",
 		},
 		{
 			name:       "forbid delete of mirror pod status bound to another",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(nil, nil, podKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "status", admission.Delete, mynode),
 			err:        "forbidden: unexpected operation",
 		},
 		// Mirror pods not bound to any node
 		{
 			name:       "forbid creating a mirror pod unbound",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(unboundmirrorpod, nil, podKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "", admission.Create, mynode),
 			err:        "spec.nodeName set to itself",
 		},
 		{
 			name:       "forbid update of mirror pod unbound",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(unboundmirrorpod, unboundmirrorpod, podKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "", admission.Update, mynode),
 			err:        "forbidden: unexpected operation",
 		},
 		{
 			name:       "forbid delete of mirror pod unbound",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(nil, nil, podKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "", admission.Delete, mynode),
 			err:        "spec.nodeName set to itself",
 		},
 		{
 			name:       "forbid create of mirror pod status unbound",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(unboundmirrorpod, nil, podKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "status", admission.Create, mynode),
 			err:        "forbidden: unexpected operation",
 		},
 		{
 			name:       "forbid update of mirror pod status unbound",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(unboundmirrorpod, unboundmirrorpod, podKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "status", admission.Update, mynode),
 			err:        "spec.nodeName set to itself",
 		},
 		{
 			name:       "forbid delete of mirror pod status unbound",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(nil, nil, podKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "status", admission.Delete, mynode),
 			err:        "forbidden: unexpected operation",
 		},
 		// Normal pods bound to us
 		{
 			name:       "forbid creating a normal pod bound to self",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(mypod, nil, podKind, mypod.Namespace, mypod.Name, podResource, "", admission.Create, mynode),
 			err:        "can only create mirror pods",
 		},
 		{
 			name:       "forbid update of normal pod bound to self",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(mypod, mypod, podKind, mypod.Namespace, mypod.Name, podResource, "", admission.Update, mynode),
 			err:        "forbidden: unexpected operation",
 		},
 		{
 			name:       "allow delete of normal pod bound to self",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(nil, nil, podKind, mypod.Namespace, mypod.Name, podResource, "", admission.Delete, mynode),
 			err:        "",
 		},
 		{
 			name:       "forbid create of normal pod status bound to self",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(mypod, nil, podKind, mypod.Namespace, mypod.Name, podResource, "status", admission.Create, mynode),
 			err:        "forbidden: unexpected operation",
 		},
 		{
 			name:       "allow update of normal pod status bound to self",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(mypod, mypod, podKind, mypod.Namespace, mypod.Name, podResource, "status", admission.Update, mynode),
 			err:        "",
 		},
 		{
 			name:       "forbid delete of normal pod status bound to self",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(nil, nil, podKind, mypod.Namespace, mypod.Name, podResource, "status", admission.Delete, mynode),
 			err:        "forbidden: unexpected operation",
 		},
 		// Normal pods bound to another
 		{
 			name:       "forbid creating a normal pod bound to another",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(otherpod, nil, podKind, otherpod.Namespace, otherpod.Name, podResource, "", admission.Create, mynode),
 			err:        "can only create mirror pods",
 		},
 		{
 			name:       "forbid update of normal pod bound to another",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(otherpod, otherpod, podKind, otherpod.Namespace, otherpod.Name, podResource, "", admission.Update, mynode),
 			err:        "forbidden: unexpected operation",
 		},
 		{
 			name:       "forbid delete of normal pod bound to another",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(nil, nil, podKind, otherpod.Namespace, otherpod.Name, podResource, "", admission.Delete, mynode),
 			err:        "spec.nodeName set to itself",
 		},
 		{
 			name:       "forbid create of normal pod status bound to another",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(otherpod, nil, podKind, otherpod.Namespace, otherpod.Name, podResource, "status", admission.Create, mynode),
 			err:        "forbidden: unexpected operation",
 		},
 		{
 			name:       "forbid update of normal pod status bound to another",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(otherpod, otherpod, podKind, otherpod.Namespace, otherpod.Name, podResource, "status", admission.Update, mynode),
 			err:        "spec.nodeName set to itself",
 		},
 		{
 			name:       "forbid delete of normal pod status bound to another",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(nil, nil, podKind, otherpod.Namespace, otherpod.Name, podResource, "status", admission.Delete, mynode),
 			err:        "forbidden: unexpected operation",
 		},
 		// Normal pods not bound to any node
 		{
 			name:       "forbid creating a normal pod unbound",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(unboundpod, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "", admission.Create, mynode),
 			err:        "can only create mirror pods",
 		},
 		{
 			name:       "forbid update of normal pod unbound",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(unboundpod, unboundpod, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "", admission.Update, mynode),
 			err:        "forbidden: unexpected operation",
 		},
 		{
 			name:       "forbid delete of normal pod unbound",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(nil, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "", admission.Delete, mynode),
 			err:        "spec.nodeName set to itself",
 		},
 		{
 			name:       "forbid create of normal pod status unbound",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(unboundpod, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "status", admission.Create, mynode),
 			err:        "forbidden: unexpected operation",
 		},
 		{
 			name:       "forbid update of normal pod status unbound",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(unboundpod, unboundpod, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "status", admission.Update, mynode),
 			err:        "spec.nodeName set to itself",
 		},
 		{
 			name:       "forbid delete of normal pod status unbound",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(nil, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "status", admission.Delete, mynode),
 			err:        "forbidden: unexpected operation",
 		},
 		// Missing pod
 		{
 			name:       "forbid delete of unknown pod",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(nil, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "", admission.Delete, mynode),
 			err:        "not found",
 		},
 		// Resource pods
 		{
 			name:       "forbid create of pod referencing service account",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(sapod, nil, podKind, sapod.Namespace, sapod.Name, podResource, "", admission.Create, mynode),
 			err:        "reference a service account",
 		},
 		{
 			name:       "forbid create of pod referencing secret",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(secretpod, nil, podKind, secretpod.Namespace, secretpod.Name, podResource, "", admission.Create, mynode),
 			err:        "reference secrets",
 		},
 		{
 			name:       "forbid create of pod referencing configmap",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(configmappod, nil, podKind, configmappod.Namespace, configmappod.Name, podResource, "", admission.Create, mynode),
 			err:        "reference configmaps",
 		},
 		{
 			name:       "forbid create of pod referencing persistentvolumeclaim",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(pvcpod, nil, podKind, pvcpod.Namespace, pvcpod.Name, podResource, "", admission.Create, mynode),
 			err:        "reference persistentvolumeclaims",
 		},
 		// My node object
 		{
 			name:       "allow create of my node",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(mynodeObj, nil, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Create, mynode),
 			err:        "",
 		},
 		{
 			name:       "allow update of my node",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(mynodeObj, mynodeObj, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, mynode),
 			err:        "",
 		},
 		{
 			name:       "allow delete of my node",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(nil, nil, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Delete, mynode),
 			err:        "",
 		},
 		{
 			name:       "allow update of my node status",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(mynodeObj, mynodeObj, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "status", admission.Update, mynode),
 			err:        "",
 		},
 		// Other node object
 		{
 			name:       "forbid create of other node",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(othernodeObj, nil, nodeKind, othernodeObj.Namespace, othernodeObj.Name, nodeResource, "", admission.Create, mynode),
 			err:        "cannot modify other nodes",
 		},
 		{
 			name:       "forbid update of other node",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(othernodeObj, othernodeObj, nodeKind, othernodeObj.Namespace, othernodeObj.Name, nodeResource, "", admission.Update, mynode),
 			err:        "cannot modify other nodes",
 		},
 		{
 			name:       "forbid delete of other node",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(nil, nil, nodeKind, othernodeObj.Namespace, othernodeObj.Name, nodeResource, "", admission.Delete, mynode),
 			err:        "cannot modify other nodes",
 		},
 		{
 			name:       "forbid update of other node status",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(othernodeObj, othernodeObj, nodeKind, othernodeObj.Namespace, othernodeObj.Name, nodeResource, "status", admission.Update, mynode),
 			err:        "cannot modify other nodes",
 		},
 		// Unrelated objects
 		{
 			name:       "allow create of unrelated object",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(&api.ConfigMap{}, nil, configmapKind, "myns", "mycm", configmapResource, "", admission.Create, mynode),
 			err:        "",
 		},
 		{
 			name:       "allow update of unrelated object",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(&api.ConfigMap{}, &api.ConfigMap{}, configmapKind, "myns", "mycm", configmapResource, "", admission.Update, mynode),
 			err:        "",
 		},
 		{
 			name:       "allow delete of unrelated object",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(nil, nil, configmapKind, "myns", "mycm", configmapResource, "", admission.Delete, mynode),
 			err:        "",
 		},
 		// Unrelated user
 		{
 			name:       "allow unrelated user creating a normal pod unbound",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(unboundpod, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "", admission.Create, bob),
 			err:        "",
 		},
 		{
 			name:       "allow unrelated user update of normal pod unbound",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(unboundpod, unboundpod, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "", admission.Update, bob),
 			err:        "",
 		},
 		{
 			name:       "allow unrelated user delete of normal pod unbound",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(nil, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "", admission.Delete, bob),
 			err:        "",
 		},
 		{
 			name:       "allow unrelated user create of normal pod status unbound",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(unboundpod, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "status", admission.Create, bob),
 			err:        "",
 		},
 		{
 			name:       "allow unrelated user update of normal pod status unbound",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(unboundpod, unboundpod, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "status", admission.Update, bob),
 			err:        "",
 		},
 		{
 			name:       "allow unrelated user delete of normal pod status unbound",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(nil, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "status", admission.Delete, bob),
 			err:        "",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := NewPlugin(nodeidentifier.NewDefaultNodeIdentifier(), tt.strict)
 			c.podsGetter = tt.podsGetter
 			err := c.Admit(tt.attributes)
 			if (err == nil) != (len(tt.err) == 0) {
 				t.Errorf("nodePlugin.Admit() error = %v, expected %v", err, tt.err)
 				return
 			}
 			if len(tt.err) > 0 && !strings.Contains(err.Error(), tt.err) {
 				t.Errorf("nodePlugin.Admit() error = %v, expected %v", err, tt.err)
 			}
 		})
 	}
 }
--- a/plugin/pkg/admission/persistentvolume/label/admission.go
+++ b/plugin/pkg/admission/persistentvolume/label/admission.go
@@ -33,7 +33,12 @@ import (
 )
 func init() {
-	kubeapiserveradmission.Plugins.Register("PersistentVolumeLabel", func(config io.Reader) (admission.Interface, error) {
+	Register(&kubeapiserveradmission.Plugins)
 }
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register("PersistentVolumeLabel", func(config io.Reader) (admission.Interface, error) {
 		persistentVolumeLabelAdmission := NewPersistentVolumeLabel()
 		return persistentVolumeLabelAdmission, nil
 	})
--- a/plugin/pkg/admission/podnodeselector/admission.go
+++ b/plugin/pkg/admission/podnodeselector/admission.go
@@ -40,7 +40,12 @@ import (
 var NamespaceNodeSelectors = []string{"scheduler.alpha.kubernetes.io/node-selector"}
 func init() {
-	kubeapiserveradmission.Plugins.Register("PodNodeSelector", func(config io.Reader) (admission.Interface, error) {
+	Register(&kubeapiserveradmission.Plugins)
 }
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register("PodNodeSelector", func(config io.Reader) (admission.Interface, error) {
 		// TODO move this to a versioned configuration file format.
 		pluginConfig := readConfig(config)
 		plugin := NewPodNodeSelector(pluginConfig.PodNodeSelectorPluginConfig)
--- a/plugin/pkg/admission/podpreset/admission.go
+++ b/plugin/pkg/admission/podpreset/admission.go
@@ -42,7 +42,12 @@ const (
 )
 func init() {
-	kubeapiserveradmission.Plugins.Register(pluginName, func(config io.Reader) (admission.Interface, error) {
+	Register(&kubeapiserveradmission.Plugins)
 }
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register(pluginName, func(config io.Reader) (admission.Interface, error) {
 		return NewPlugin(), nil
 	})
 }
--- a/plugin/pkg/admission/podtolerationrestriction/admission.go
+++ b/plugin/pkg/admission/podtolerationrestriction/admission.go
@@ -37,6 +37,11 @@ import (
 )
 func init() {
 	Register(&kubeapiserveradmission.Plugins)
 }
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	kubeapiserveradmission.Plugins.Register("PodTolerationRestriction", func(config io.Reader) (admission.Interface, error) {
 		pluginConfig, err := loadConfiguration(config)
 		if err != nil {
--- a/plugin/pkg/admission/resourcequota/admission.go
+++ b/plugin/pkg/admission/resourcequota/admission.go
@@ -33,7 +33,12 @@ import (
 )
 func init() {
-	kubeapiserveradmission.Plugins.Register("ResourceQuota",
+	Register(&kubeapiserveradmission.Plugins)
 }
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register("ResourceQuota",
 		func(config io.Reader) (admission.Interface, error) {
 			// load the configuration provided (if any)
 			configuration, err := LoadConfiguration(config)
--- a/plugin/pkg/admission/security/podsecuritypolicy/admission.go
+++ b/plugin/pkg/admission/security/podsecuritypolicy/admission.go
@@ -45,7 +45,12 @@ const (
 )
 func init() {
-	kubeapiserveradmission.Plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
+	Register(&kubeapiserveradmission.Plugins)
 }
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
 		plugin := NewPlugin(psp.NewSimpleStrategyFactory(), getMatchingPolicies, true)
 		return plugin, nil
 	})
--- a/plugin/pkg/admission/securitycontext/scdeny/admission.go
+++ b/plugin/pkg/admission/securitycontext/scdeny/admission.go
@@ -27,7 +27,12 @@ import (
 )
 func init() {
-	kubeapiserveradmission.Plugins.Register("SecurityContextDeny", func(config io.Reader) (admission.Interface, error) {
+	Register(&kubeapiserveradmission.Plugins)
 }
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register("SecurityContextDeny", func(config io.Reader) (admission.Interface, error) {
 		return NewSecurityContextDeny(), nil
 	})
 }
--- a/plugin/pkg/admission/serviceaccount/admission.go
+++ b/plugin/pkg/admission/serviceaccount/admission.go
@@ -54,7 +54,12 @@ const DefaultAPITokenMountPath = "/var/run/secrets/kubernetes.io/serviceaccount"
 const PluginName = "ServiceAccount"
 func init() {
-	kubeapiserveradmission.Plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
+	Register(&kubeapiserveradmission.Plugins)
 }
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
 		serviceAccountAdmission := NewServiceAccount()
 		return serviceAccountAdmission, nil
 	})
--- a/plugin/pkg/admission/storageclass/default/admission.go
+++ b/plugin/pkg/admission/storageclass/default/admission.go
@@ -39,7 +39,12 @@ const (
 )
 func init() {
-	kubeapiserveradmission.Plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
+	Register(&kubeapiserveradmission.Plugins)
 }
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
 		plugin := newPlugin()
 		return plugin, nil
 	})
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/metrics/metrics.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/metrics/metrics.go
@@ -103,10 +103,11 @@ func InstrumentRouteFunc(verb, resource string, routeFunc restful.RouteFunction)
 		routeFunc(request, response)
 		reportedVerb := verb
 		if verb == "LIST" && strings.ToLower(request.QueryParameter("watch")) == "true" {
-			verb = "WATCH"
+			reportedVerb = "WATCH"
 		}
-		Monitor(&verb, &resource, cleanUserAgent(utilnet.GetHTTPClient(request.Request)), rw.Header().Get("Content-Type"), delegate.status, now)
+		Monitor(&reportedVerb, &resource, cleanUserAgent(utilnet.GetHTTPClient(request.Request)), rw.Header().Get("Content-Type"), delegate.status, now)
 	})
 }
--- a/staging/src/k8s.io/kube-apiextensions-server/artifacts/customresource-01/noxu-apiservice.yaml
+++ b/staging/src/k8s.io/kube-apiextensions-server/artifacts/customresource-01/noxu-apiservice.yaml
@@ -1,4 +1,4 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
+apiVersion: apiregistration.k8s.io/v1beta1
 kind: APIService
 metadata:
  name: v1alpha1.mygroup.example.com
--- a/staging/src/k8s.io/kube-apiextensions-server/artifacts/example/apiservice.yaml
+++ b/staging/src/k8s.io/kube-apiextensions-server/artifacts/example/apiservice.yaml
@@ -1,4 +1,4 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
+apiVersion: apiregistration.k8s.io/v1beta1
 kind: APIService
 metadata:
  name: v1alpha1.apiextensions.k8s.io
--- a/staging/src/k8s.io/kube-apiextensions-server/pkg/apis/apiextensions/BUILD
+++ b/staging/src/k8s.io/kube-apiextensions-server/pkg/apis/apiextensions/BUILD
@@ -5,6 +5,7 @@ licenses(["notice"])
 load(
    "@io_bazel_rules_go//go:def.bzl",
    "go_library",
    "go_test",
 )
 go_library(
@@ -24,3 +25,11 @@ go_library(
        "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
    ],
 )
 go_test(
    name = "go_default_test",
    srcs = ["helpers_test.go"],
    library = ":go_default_library",
    tags = ["automanaged"],
    deps = ["//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library"],
 )
--- a/staging/src/k8s.io/kube-apiextensions-server/pkg/apis/apiextensions/helpers.go
+++ b/staging/src/k8s.io/kube-apiextensions-server/pkg/apis/apiextensions/helpers.go
@@ -18,10 +18,10 @@ package apiextensions
 // SetCRDCondition sets the status condition.  It either overwrites the existing one or
 // creates a new one
-func SetCRDCondition(customResourceDefinition *CustomResourceDefinition, newCondition CustomResourceDefinitionCondition) {
+func SetCRDCondition(crd *CustomResourceDefinition, newCondition CustomResourceDefinitionCondition) {
-	existingCondition := FindCRDCondition(customResourceDefinition, newCondition.Type)
+	existingCondition := FindCRDCondition(crd, newCondition.Type)
 	if existingCondition == nil {
-		customResourceDefinition.Status.Conditions = append(customResourceDefinition.Status.Conditions, newCondition)
+		crd.Status.Conditions = append(crd.Status.Conditions, newCondition)
 		return
 	}
@@ -34,11 +34,22 @@ func SetCRDCondition(customResourceDefinition *CustomResourceDefinition, newCond
 	existingCondition.Message = newCondition.Message
 }
 // RemoveCRDCondition removes the status condition.
 func RemoveCRDCondition(crd *CustomResourceDefinition, conditionType CustomResourceDefinitionConditionType) {
 	newConditions := []CustomResourceDefinitionCondition{}
 	for _, condition := range crd.Status.Conditions {
 		if condition.Type != conditionType {
 			newConditions = append(newConditions, condition)
 		}
 	}
 	crd.Status.Conditions = newConditions
 }
 // FindCRDCondition returns the condition you're looking for or nil
-func FindCRDCondition(customResourceDefinition *CustomResourceDefinition, conditionType CustomResourceDefinitionConditionType) *CustomResourceDefinitionCondition {
+func FindCRDCondition(crd *CustomResourceDefinition, conditionType CustomResourceDefinitionConditionType) *CustomResourceDefinitionCondition {
-	for i := range customResourceDefinition.Status.Conditions {
+	for i := range crd.Status.Conditions {
-		if customResourceDefinition.Status.Conditions[i].Type == conditionType {
+		if crd.Status.Conditions[i].Type == conditionType {
-			return &customResourceDefinition.Status.Conditions[i]
+			return &crd.Status.Conditions[i]
 		}
 	}
@@ -46,18 +57,18 @@ func FindCRDCondition(customResourceDefinition *CustomResourceDefinition, condit
 }
 // IsCRDConditionTrue indicates if the condition is present and strictly true
-func IsCRDConditionTrue(customResourceDefinition *CustomResourceDefinition, conditionType CustomResourceDefinitionConditionType) bool {
+func IsCRDConditionTrue(crd *CustomResourceDefinition, conditionType CustomResourceDefinitionConditionType) bool {
-	return IsCRDConditionPresentAndEqual(customResourceDefinition, conditionType, ConditionTrue)
+	return IsCRDConditionPresentAndEqual(crd, conditionType, ConditionTrue)
 }
 // IsCRDConditionFalse indicates if the condition is present and false true
-func IsCRDConditionFalse(customResourceDefinition *CustomResourceDefinition, conditionType CustomResourceDefinitionConditionType) bool {
+func IsCRDConditionFalse(crd *CustomResourceDefinition, conditionType CustomResourceDefinitionConditionType) bool {
-	return IsCRDConditionPresentAndEqual(customResourceDefinition, conditionType, ConditionFalse)
+	return IsCRDConditionPresentAndEqual(crd, conditionType, ConditionFalse)
 }
 // IsCRDConditionPresentAndEqual indicates if the condition is present and equal to the arg
-func IsCRDConditionPresentAndEqual(customResourceDefinition *CustomResourceDefinition, conditionType CustomResourceDefinitionConditionType, status ConditionStatus) bool {
+func IsCRDConditionPresentAndEqual(crd *CustomResourceDefinition, conditionType CustomResourceDefinitionConditionType, status ConditionStatus) bool {
-	for _, condition := range customResourceDefinition.Status.Conditions {
+	for _, condition := range crd.Status.Conditions {
 		if condition.Type == conditionType {
 			return condition.Status == status
 		}
@@ -76,3 +87,25 @@ func IsCRDConditionEquivalent(lhs, rhs *CustomResourceDefinitionCondition) bool
 	return lhs.Message == rhs.Message && lhs.Reason == rhs.Reason && lhs.Status == rhs.Status && lhs.Type == rhs.Type
 }
 // CRDHasFinalizer returns true if the finalizer is in the list
 func CRDHasFinalizer(crd *CustomResourceDefinition, needle string) bool {
 	for _, finalizer := range crd.Finalizers {
 		if finalizer == needle {
 			return true
 		}
 	}
 	return false
 }
 // CRDRemoveFinalizer removes the finalizer if present
 func CRDRemoveFinalizer(crd *CustomResourceDefinition, needle string) {
 	newFinalizers := []string{}
 	for _, finalizer := range crd.Finalizers {
 		if finalizer != needle {
 			newFinalizers = append(newFinalizers, finalizer)
 		}
 	}
 	crd.Finalizers = newFinalizers
 }
--- a/staging/src/k8s.io/kube-apiextensions-server/pkg/apis/apiextensions/helpers_test.go
+++ b/staging/src/k8s.io/kube-apiextensions-server/pkg/apis/apiextensions/helpers_test.go
@@ -0,0 +1,90 @@
 /*
 Copyright 2016 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package apiextensions
 import (
 	"reflect"
 	"testing"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 func TestCRDHasFinalizer(t *testing.T) {
 	tests := []struct {
 		name             string
 		crd              *CustomResourceDefinition
 		finalizerToCheck string
 		expected bool
 	}{
 		{
 			name: "missing",
 			crd: &CustomResourceDefinition{
 				ObjectMeta: metav1.ObjectMeta{Finalizers: []string{"not-it"}},
 			},
 			finalizerToCheck: "it",
 			expected:         false,
 		},
 		{
 			name: "present",
 			crd: &CustomResourceDefinition{
 				ObjectMeta: metav1.ObjectMeta{Finalizers: []string{"not-it", "it"}},
 			},
 			finalizerToCheck: "it",
 			expected:         true,
 		},
 	}
 	for _, tc := range tests {
 		actual := CRDHasFinalizer(tc.crd, tc.finalizerToCheck)
 		if tc.expected != actual {
 			t.Errorf("%v expected %v, got %v", tc.name, tc.expected, actual)
 		}
 	}
 }
 func TestCRDRemoveFinalizer(t *testing.T) {
 	tests := []struct {
 		name             string
 		crd              *CustomResourceDefinition
 		finalizerToCheck string
 		expected []string
 	}{
 		{
 			name: "missing",
 			crd: &CustomResourceDefinition{
 				ObjectMeta: metav1.ObjectMeta{Finalizers: []string{"not-it"}},
 			},
 			finalizerToCheck: "it",
 			expected:         []string{"not-it"},
 		},
 		{
 			name: "present",
 			crd: &CustomResourceDefinition{
 				ObjectMeta: metav1.ObjectMeta{Finalizers: []string{"not-it", "it"}},
 			},
 			finalizerToCheck: "it",
 			expected:         []string{"not-it"},
 		},
 	}
 	for _, tc := range tests {
 		CRDRemoveFinalizer(tc.crd, tc.finalizerToCheck)
 		if !reflect.DeepEqual(tc.expected, tc.crd.Finalizers) {
 			t.Errorf("%v expected %v, got %v", tc.name, tc.expected, tc.crd.Finalizers)
 		}
 	}
 }
--- a/staging/src/k8s.io/kube-apiextensions-server/pkg/apis/apiextensions/types.go
+++ b/staging/src/k8s.io/kube-apiextensions-server/pkg/apis/apiextensions/types.go
@@ -104,6 +104,10 @@ type CustomResourceDefinitionStatus struct {
 	AcceptedNames CustomResourceDefinitionNames
 }
 // CustomResourceCleanupFinalizer is the name of the finalizer which will delete instances of
 // a CustomResourceDefinition
 const CustomResourceCleanupFinalizer = "customresourcecleanup.apiextensions.k8s.io"
 // +genclient=true
 // +nonNamespaced=true
--- a/staging/src/k8s.io/kube-apiextensions-server/pkg/apis/apiextensions/v1alpha1/types.go
+++ b/staging/src/k8s.io/kube-apiextensions-server/pkg/apis/apiextensions/v1alpha1/types.go
@@ -104,6 +104,10 @@ type CustomResourceDefinitionStatus struct {
 	AcceptedNames CustomResourceDefinitionNames `json:"acceptedNames" protobuf:"bytes,2,opt,name=acceptedNames"`
 }
 // CustomResourceCleanupFinalizer is the name of the finalizer which will delete instances of
 // a CustomResourceDefinition
 const CustomResourceCleanupFinalizer = "customresourcecleanup.apiextensions.k8s.io"
 // +genclient=true
 // +nonNamespaced=true
--- a/staging/src/k8s.io/kube-apiextensions-server/pkg/apiserver/BUILD
+++ b/staging/src/k8s.io/kube-apiextensions-server/pkg/apiserver/BUILD
@@ -43,6 +43,7 @@ go_library(
        "//vendor/k8s.io/apiserver/pkg/server:go_default_library",
        "//vendor/k8s.io/apiserver/pkg/storage/storagebackend:go_default_library",
        "//vendor/k8s.io/client-go/discovery:go_default_library",
        "//vendor/k8s.io/client-go/dynamic:go_default_library",
        "//vendor/k8s.io/client-go/tools/cache:go_default_library",
        "//vendor/k8s.io/client-go/util/workqueue:go_default_library",
        "//vendor/k8s.io/kube-apiextensions-server/pkg/apis/apiextensions:go_default_library",
@@ -54,6 +55,7 @@ go_library(
        "//vendor/k8s.io/kube-apiextensions-server/pkg/client/informers/internalversion:go_default_library",
        "//vendor/k8s.io/kube-apiextensions-server/pkg/client/informers/internalversion/apiextensions/internalversion:go_default_library",
        "//vendor/k8s.io/kube-apiextensions-server/pkg/client/listers/apiextensions/internalversion:go_default_library",
        "//vendor/k8s.io/kube-apiextensions-server/pkg/controller/finalizer:go_default_library",
        "//vendor/k8s.io/kube-apiextensions-server/pkg/controller/status:go_default_library",
        "//vendor/k8s.io/kube-apiextensions-server/pkg/registry/customresource:go_default_library",
        "//vendor/k8s.io/kube-apiextensions-server/pkg/registry/customresourcedefinition:go_default_library",
--- a/staging/src/k8s.io/kube-apiextensions-server/pkg/apiserver/apiserver.go
+++ b/staging/src/k8s.io/kube-apiextensions-server/pkg/apiserver/apiserver.go
@@ -31,12 +31,14 @@ import (
 	genericregistry "k8s.io/apiserver/pkg/registry/generic"
 	"k8s.io/apiserver/pkg/registry/rest"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/kube-apiextensions-server/pkg/apis/apiextensions"
 	"k8s.io/kube-apiextensions-server/pkg/apis/apiextensions/install"
 	"k8s.io/kube-apiextensions-server/pkg/apis/apiextensions/v1alpha1"
 	"k8s.io/kube-apiextensions-server/pkg/client/clientset/internalclientset"
 	internalinformers "k8s.io/kube-apiextensions-server/pkg/client/informers/internalversion"
 	"k8s.io/kube-apiextensions-server/pkg/controller/finalizer"
 	"k8s.io/kube-apiextensions-server/pkg/controller/status"
 	"k8s.io/kube-apiextensions-server/pkg/registry/customresourcedefinition"
@@ -157,6 +159,10 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
 	customResourceDefinitionController := NewDiscoveryController(customResourceDefinitionInformers.Apiextensions().InternalVersion().CustomResourceDefinitions(), versionDiscoveryHandler, groupDiscoveryHandler)
 	namingController := status.NewNamingConditionController(customResourceDefinitionInformers.Apiextensions().InternalVersion().CustomResourceDefinitions(), customResourceDefinitionClient)
 	finalizingController := finalizer.NewCRDFinalizer(
 		customResourceDefinitionInformers.Apiextensions().InternalVersion().CustomResourceDefinitions(),
 		customResourceDefinitionClient,
 		dynamic.NewDynamicClientPool(s.GenericAPIServer.LoopbackClientConfig))
 	s.GenericAPIServer.AddPostStartHook("start-apiextensions-informers", func(context genericapiserver.PostStartHookContext) error {
 		customResourceDefinitionInformers.Start(context.StopCh)
@@ -165,6 +171,7 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
 	s.GenericAPIServer.AddPostStartHook("start-apiextensions-controllers", func(context genericapiserver.PostStartHookContext) error {
 		go customResourceDefinitionController.Run(context.StopCh)
 		go namingController.Run(context.StopCh)
 		go finalizingController.Run(5, context.StopCh)
 		return nil
 	})
--- a/staging/src/k8s.io/kube-apiextensions-server/pkg/apiserver/customresource_discovery_controller.go
+++ b/staging/src/k8s.io/kube-apiextensions-server/pkg/apiserver/customresource_discovery_controller.go
@@ -101,12 +101,18 @@ func (c *DiscoveryController) sync(version schema.GroupVersion) error {
 		}
 		foundVersion = true
 		verbs := metav1.Verbs([]string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"})
 		// if we're terminating we don't allow some verbs
 		if apiextensions.IsCRDConditionTrue(crd, apiextensions.Terminating) {
 			verbs = metav1.Verbs([]string{"delete", "deletecollection", "get", "list", "watch"})
 		}
 		apiResourcesForDiscovery = append(apiResourcesForDiscovery, metav1.APIResource{
 			Name:         crd.Status.AcceptedNames.Plural,
 			SingularName: crd.Status.AcceptedNames.Singular,
 			Namespaced:   crd.Spec.Scope == apiextensions.NamespaceScoped,
 			Kind:         crd.Status.AcceptedNames.Kind,
-			Verbs:        metav1.Verbs([]string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"}),
+			Verbs:        verbs,
 			ShortNames:   crd.Status.AcceptedNames.ShortNames,
 		})
 	}
--- a/staging/src/k8s.io/kube-apiextensions-server/pkg/apiserver/customresource_handler.go
+++ b/staging/src/k8s.io/kube-apiextensions-server/pkg/apiserver/customresource_handler.go
@@ -104,13 +104,11 @@ func (r *crdHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	if !ok {
 		// programmer error
 		panic("missing context")
 		return
 	}
 	requestInfo, ok := apirequest.RequestInfoFrom(ctx)
 	if !ok {
 		// programmer error
 		panic("missing requestInfo")
 		return
 	}
 	if !requestInfo.IsResourceRequest {
 		pathParts := splitPath(requestInfo.Path)
@@ -153,6 +151,8 @@ func (r *crdHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		r.delegate.ServeHTTP(w, req)
 	}
 	terminating := apiextensions.IsCRDConditionTrue(crd, apiextensions.Terminating)
 	crdInfo := r.getServingInfoFor(crd)
 	storage := crdInfo.storage
 	requestScope := crdInfo.requestScope
@@ -174,14 +174,26 @@ func (r *crdHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		handler(w, req)
 		return
 	case "create":
 		if terminating {
 			http.Error(w, fmt.Sprintf("%v not allowed while CustomResourceDefinition is terminating", requestInfo.Verb), http.StatusMethodNotAllowed)
 			return
 		}
 		handler := handlers.CreateResource(storage, requestScope, discovery.NewUnstructuredObjectTyper(nil), r.admission)
 		handler(w, req)
 		return
 	case "update":
 		if terminating {
 			http.Error(w, fmt.Sprintf("%v not allowed while CustomResourceDefinition is terminating", requestInfo.Verb), http.StatusMethodNotAllowed)
 			return
 		}
 		handler := handlers.UpdateResource(storage, requestScope, discovery.NewUnstructuredObjectTyper(nil), r.admission)
 		handler(w, req)
 		return
 	case "patch":
 		if terminating {
 			http.Error(w, fmt.Sprintf("%v not allowed while CustomResourceDefinition is terminating", requestInfo.Verb), http.StatusMethodNotAllowed)
 			return
 		}
 		handler := handlers.PatchResource(storage, requestScope, r.admission, unstructured.UnstructuredObjectConverter{})
 		handler(w, req)
 		return
@@ -190,6 +202,11 @@ func (r *crdHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		handler := handlers.DeleteResource(storage, allowsOptions, requestScope, r.admission)
 		handler(w, req)
 		return
 	case "deletecollection":
 		checkBody := true
 		handler := handlers.DeleteCollection(storage, checkBody, requestScope, r.admission)
 		handler(w, req)
 		return
 	default:
 		http.Error(w, fmt.Sprintf("unhandled verb %q", requestInfo.Verb), http.StatusMethodNotAllowed)
--- a/Show More
+++ b/Show More