@@ -81,15 +81,6 @@ func fuzzInternalObject(t *testing.T, forVersion unversioned.GroupVersion, item

 				obj.PodEvictionTimeout = "5m"

 			}

 		},

-		func(obj *configapi.LegacyClientPolicyConfig, c fuzz.Continue) {

-			c.FuzzNoCustom(obj)

-			if len(obj.LegacyClientPolicy) == 0 {

-				obj.LegacyClientPolicy = configapi.AllowAll

-			}

-			if len(obj.RestrictedHTTPVerbs) == 0 {

-				obj.RestrictedHTTPVerbs = []string{"PUT", "POST"}

-			}

-		},

 		func(obj *configapi.NodeConfig, c fuzz.Continue) {

 			c.FuzzNoCustom(obj)

 			// Defaults/migrations for NetworkConfig

@@ -318,28 +318,38 @@ type PolicyConfig struct {

 	// OpenShiftInfrastructureNamespace is the namespace where OpenShift infrastructure resources live (like controller service accounts)

 	OpenShiftInfrastructureNamespace string

-	// LegacyClientPolicyConfig controls how API calls from *voluntarily* identifying clients will be handled.  THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!

-	LegacyClientPolicyConfig LegacyClientPolicyConfig

+	// UserAgentMatchingConfig controls how API calls from *voluntarily* identifying clients will be handled.  THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!

+	UserAgentMatchingConfig UserAgentMatchingConfig

 }

-type LegacyClientPolicyConfig struct {

-	// LegacyClientPolicy controls how API calls from *voluntarily* identifying clients will be handled.  THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!

-	// The default is AllowAll

-	LegacyClientPolicy LegacyClientPolicy

-	// RestrictedHTTPVerbs specifies which HTTP verbs are restricted.  By default this is PUT and POST

-	RestrictedHTTPVerbs []string

+// UserAgentMatchingConfig controls how API calls from *voluntarily* identifying clients will be handled.  THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!

+type UserAgentMatchingConfig struct {

+	// If this list is non-empty, then a User-Agent must match one of the UserAgentRegexes to be allowed

+	RequiredClients []UserAgentMatchRule

+

+	// If this list is non-empty, then a User-Agent must not match any of the UserAgentRegexes

+	DeniedClients []UserAgentDenyRule

+

+	// DefaultRejectionMessage is the message shown when rejecting a client.  If it is not a set, a generic message is given.

+	DefaultRejectionMessage string

 }

-type LegacyClientPolicy string

+// UserAgentMatchRule describes how to match a given request based on User-Agent and HTTPVerb

+type UserAgentMatchRule struct {

+	// UserAgentRegex is a regex that is checked against the User-Agent.

+	Regex string

-var (

-	// AllowAll does not prevent any kinds of client version skew

-	AllowAll LegacyClientPolicy = "allow-all"

-	// DenyOldClients prevents older clients (but not newer ones) from issuing stomping requests

-	DenyOldClients LegacyClientPolicy = "deny-old-clients"

-	// DenySkewedClients prevents any non-matching client from issuing stomping requests

-	DenySkewedClients LegacyClientPolicy = "deny-skewed-clients"

-)

+	// HTTPVerbs specifies which HTTP verbs should be matched.  An empty list means "match all verbs".

+	HTTPVerbs []string

+}

+

+// UserAgentDenyRule adds a rejection message that can be used to help a user figure out how to get an approved client

+type UserAgentDenyRule struct {

+	UserAgentMatchRule

+

+	// RejectionMessage is the message shown when rejecting a client.  If it is not a set, the default message is used.

+	RejectionMessage string

+}

 // MasterNetworkConfig to be passed to the compiled in network plugin

 type MasterNetworkConfig struct {

@@ -65,14 +65,6 @@ func addDefaultingFuncs(scheme *runtime.Scheme) {

 				obj.PodEvictionTimeout = "5m"

 			}

 		},

-		func(obj *LegacyClientPolicyConfig) {

-			if len(obj.LegacyClientPolicy) == 0 {

-				obj.LegacyClientPolicy = AllowAll

-			}

-			if obj.LegacyClientPolicy != AllowAll && len(obj.RestrictedHTTPVerbs) == 0 {

-				obj.RestrictedHTTPVerbs = []string{"PUT", "POST"}

-			}

-		},

 		func(obj *NodeConfig) {

 			// Defaults/migrations for NetworkConfig

 			if len(obj.NetworkConfig.NetworkPluginName) == 0 {

@@ -362,16 +362,6 @@ func (LDAPSyncConfig) SwaggerDoc() map[string]string {

 	return map_LDAPSyncConfig

 }

-var map_LegacyClientPolicyConfig = map[string]string{

-	"":                    "LegacyClientPolicyConfig holds configuration options for preventing *opt-in* clients using some HTTP verbs when talking to the API",

-	"legacyClientPolicy":  "LegacyClientPolicy controls how API calls from *voluntarily* identifying clients will be handled.  THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS! The default is AllowAll",

-	"restrictedHTTPVerbs": "RestrictedHTTPVerbs specifies which HTTP verbs are restricted.  By default this is PUT and POST",

-}

-

-func (LegacyClientPolicyConfig) SwaggerDoc() map[string]string {

-	return map_LegacyClientPolicyConfig

-}

-

 var map_MasterClients = map[string]string{

 	"": "MasterClients holds references to `.kubeconfig` files that qualify master clients for OpenShift and Kubernetes",

 	"openshiftLoopbackKubeConfig":  "OpenShiftLoopbackKubeConfig is a .kubeconfig filename for system components to loopback to this master",

@@ -565,7 +555,7 @@ var map_PolicyConfig = map[string]string{

 	"bootstrapPolicyFile":               "BootstrapPolicyFile points to a template that contains roles and rolebindings that will be created if no policy object exists in the master namespace",

 	"openshiftSharedResourcesNamespace": "OpenShiftSharedResourcesNamespace is the namespace where shared OpenShift resources live (like shared templates)",

 	"openshiftInfrastructureNamespace":  "OpenShiftInfrastructureNamespace is the namespace where OpenShift infrastructure resources live (like controller service accounts)",

-	"legacyClientPolicyConfig":          "LegacyClientPolicyConfig controls how API calls from *voluntarily* identifying clients will be handled.  THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!",

+	"userAgentMatchingConfig":           "UserAgentMatchingConfig controls how API calls from *voluntarily* identifying clients will be handled.  THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!",

 }

 func (PolicyConfig) SwaggerDoc() map[string]string {

@@ -730,3 +720,33 @@ var map_TokenConfig = map[string]string{

 func (TokenConfig) SwaggerDoc() map[string]string {

 	return map_TokenConfig

 }

+

+var map_UserAgentDenyRule = map[string]string{

+	"":                 "UserAgentDenyRule adds a rejection message that can be used to help a user figure out how to get an approved client",

+	"rejectionMessage": "RejectionMessage is the message shown when rejecting a client.  If it is not a set, the default message is used.",

+}

+

+func (UserAgentDenyRule) SwaggerDoc() map[string]string {

+	return map_UserAgentDenyRule

+}

+

+var map_UserAgentMatchRule = map[string]string{

+	"":          "UserAgentMatchRule describes how to match a given request based on User-Agent and HTTPVerb",

+	"regex":     "UserAgentRegex is a regex that is checked against the User-Agent. Known variants of oc clients 1. oc accessing kube resources: oc/v1.2.0 (linux/amd64) kubernetes/bc4550d 2. oc accessing openshift resources: oc/v1.1.3 (linux/amd64) openshift/b348c2f 3. openshift kubectl accessing kube resources:  openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 4. openshit kubectl accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f 5. oadm accessing kube resources: oadm/v1.2.0 (linux/amd64) kubernetes/bc4550d 6. oadm accessing openshift resources: oadm/v1.1.3 (linux/amd64) openshift/b348c2f 7. openshift cli accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 8. openshift cli accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f",

+	"httpVerbs": "HTTPVerbs specifies which HTTP verbs should be matched.  An empty list means \"match all verbs\".",

+}

+

+func (UserAgentMatchRule) SwaggerDoc() map[string]string {

+	return map_UserAgentMatchRule

+}

+

+var map_UserAgentMatchingConfig = map[string]string{

+	"":                        "UserAgentMatchingConfig controls how API calls from *voluntarily* identifying clients will be handled.  THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!",

+	"requiredClients":         "If this list is non-empty, then a User-Agent must match one of the UserAgentRegexes to be allowed",

+	"deniedClients":           "If this list is non-empty, then a User-Agent must not match any of the UserAgentRegexes",

+	"defaultRejectionMessage": "DefaultRejectionMessage is the message shown when rejecting a client.  If it is not a set, a generic message is given.",

+}

+

+func (UserAgentMatchingConfig) SwaggerDoc() map[string]string {

+	return map_UserAgentMatchingConfig

+}

@@ -270,29 +270,47 @@ type PolicyConfig struct {

 	// OpenShiftInfrastructureNamespace is the namespace where OpenShift infrastructure resources live (like controller service accounts)

 	OpenShiftInfrastructureNamespace string `json:"openshiftInfrastructureNamespace"`

-	// LegacyClientPolicyConfig controls how API calls from *voluntarily* identifying clients will be handled.  THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!

-	LegacyClientPolicyConfig LegacyClientPolicyConfig `json:"legacyClientPolicyConfig"`

+	// UserAgentMatchingConfig controls how API calls from *voluntarily* identifying clients will be handled.  THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!

+	UserAgentMatchingConfig UserAgentMatchingConfig `json:"userAgentMatchingConfig"`

 }

-// LegacyClientPolicyConfig holds configuration options for preventing *opt-in* clients using some HTTP verbs when talking to the API

-type LegacyClientPolicyConfig struct {

-	// LegacyClientPolicy controls how API calls from *voluntarily* identifying clients will be handled.  THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!

-	// The default is AllowAll

-	LegacyClientPolicy LegacyClientPolicy `json:"legacyClientPolicy"`

-	// RestrictedHTTPVerbs specifies which HTTP verbs are restricted.  By default this is PUT and POST

-	RestrictedHTTPVerbs []string `json:"restrictedHTTPVerbs"`

+// UserAgentMatchingConfig controls how API calls from *voluntarily* identifying clients will be handled.  THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!

+type UserAgentMatchingConfig struct {

+	// If this list is non-empty, then a User-Agent must match one of the UserAgentRegexes to be allowed

+	RequiredClients []UserAgentMatchRule `json:"requiredClients"`

+

+	// If this list is non-empty, then a User-Agent must not match any of the UserAgentRegexes

+	DeniedClients []UserAgentDenyRule `json:"deniedClients"`

+

+	// DefaultRejectionMessage is the message shown when rejecting a client.  If it is not a set, a generic message is given.

+	DefaultRejectionMessage string `json:"defaultRejectionMessage"`

+}

+

+// UserAgentMatchRule describes how to match a given request based on User-Agent and HTTPVerb

+type UserAgentMatchRule struct {

+	// UserAgentRegex is a regex that is checked against the User-Agent.

+	// Known variants of oc clients

+	// 1. oc accessing kube resources: oc/v1.2.0 (linux/amd64) kubernetes/bc4550d

+	// 2. oc accessing openshift resources: oc/v1.1.3 (linux/amd64) openshift/b348c2f

+	// 3. openshift kubectl accessing kube resources:  openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d

+	// 4. openshit kubectl accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f

+	// 5. oadm accessing kube resources: oadm/v1.2.0 (linux/amd64) kubernetes/bc4550d

+	// 6. oadm accessing openshift resources: oadm/v1.1.3 (linux/amd64) openshift/b348c2f

+	// 7. openshift cli accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d

+	// 8. openshift cli accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f

+	Regex string `json:"regex"`

+

+	// HTTPVerbs specifies which HTTP verbs should be matched.  An empty list means "match all verbs".

+	HTTPVerbs []string `json:"httpVerbs"`

 }

-type LegacyClientPolicy string

+// UserAgentDenyRule adds a rejection message that can be used to help a user figure out how to get an approved client

+type UserAgentDenyRule struct {

+	UserAgentMatchRule `json:", inline"`

-var (

-	// AllowAll does not prevent any kinds of client version skew

-	AllowAll LegacyClientPolicy = "allow-all"

-	// DenyOldClients prevents older clients (but not newer ones) from issuing stomping requests

-	DenyOldClients LegacyClientPolicy = "deny-old-clients"

-	// DenySkewedClients prevents any non-matching client from issuing stomping requests

-	DenySkewedClients LegacyClientPolicy = "deny-skewed-clients"

-)

+	// RejectionMessage is the message shown when rejecting a client.  If it is not a set, the default message is used.

+	RejectionMessage string `json:"rejectionMessage"`

+}

 // RoutingConfig holds the necessary configuration options for routing to subdomains

 type RoutingConfig struct {

@@ -421,11 +421,12 @@ oauthConfig:

 pauseControllers: false

 policyConfig:

   bootstrapPolicyFile: ""

-  legacyClientPolicyConfig:

-    legacyClientPolicy: ""

-    restrictedHTTPVerbs: null

   openshiftInfrastructureNamespace: ""

   openshiftSharedResourcesNamespace: ""

+  userAgentMatchingConfig:

+    defaultRejectionMessage: ""

+    deniedClients: null

+    requiredClients: null

 projectConfig:

   defaultNodeSelector: ""

   projectRequestMessage: ""

@@ -497,6 +497,19 @@ func ValidatePolicyConfig(config api.PolicyConfig, fldPath *field.Path) field.Er

 	allErrs = append(allErrs, ValidateNamespace(config.OpenShiftSharedResourcesNamespace, fldPath.Child("openShiftSharedResourcesNamespace"))...)

 	allErrs = append(allErrs, ValidateNamespace(config.OpenShiftInfrastructureNamespace, fldPath.Child("openShiftInfrastructureNamespace"))...)

+	for i, matchingRule := range config.UserAgentMatchingConfig.DeniedClients {

+		_, err := regexp.Compile(matchingRule.Regex)

+		if err != nil {

+			allErrs = append(allErrs, field.Invalid(fldPath.Child("userAgentMatchingConfig", "deniedClients").Index(i), matchingRule.Regex, err.Error()))

+		}

+	}

+	for i, matchingRule := range config.UserAgentMatchingConfig.RequiredClients {

+		_, err := regexp.Compile(matchingRule.Regex)

+		if err != nil {

+			allErrs = append(allErrs, field.Invalid(fldPath.Child("userAgentMatchingConfig", "requiredClients").Index(i), matchingRule.Regex, err.Error()))

+		}

+	}

+

 	return allErrs

 }

@@ -8,10 +8,9 @@ import (

 	"net/http"

 	"regexp"

 	"sort"

-	"strings"

-	"github.com/coreos/go-semver/semver"

 	restful "github.com/emicklei/go-restful"

+	"github.com/golang/glog"

 	kapi "k8s.io/kubernetes/pkg/api"

 	kapierrors "k8s.io/kubernetes/pkg/api/errors"

@@ -19,12 +18,10 @@ import (

 	"k8s.io/kubernetes/pkg/apiserver"

 	"k8s.io/kubernetes/pkg/runtime"

 	"k8s.io/kubernetes/pkg/util/sets"

-	kversion "k8s.io/kubernetes/pkg/version"

 	"github.com/openshift/origin/pkg/authorization/authorizer"

 	configapi "github.com/openshift/origin/pkg/cmd/server/api"

 	"github.com/openshift/origin/pkg/util/httprequest"

-	"github.com/openshift/origin/pkg/version"

 )

 // TODO We would like to use the IndexHandler from k8s but we do not yet have a

@@ -178,85 +175,100 @@ func namespacingFilter(handler http.Handler, contextMapper kapi.RequestContextMa

 	})

 }

-// variants I know I have to worry about

-// 1. oc kube resources: oc/v1.2.0 (linux/amd64) kubernetes/bc4550d

-// 2. oc openshift resources: oc/v1.1.3 (linux/amd64) openshift/b348c2f

-// 3. openshift kubectl kube resources:  openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d

-// 4. openshit kubectl openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f

-// 5. oadm kube resources: oadm/v1.2.0 (linux/amd64) kubernetes/bc4550d

-// 6. oadm openshift resources: oadm/v1.1.3 (linux/amd64) openshift/b348c2f

-// 7. openshift cli kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d

-// 8. openshift cli openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f

-var (

-	kubeStyleUserAgent      = regexp.MustCompile(`\w+/v([\w\.]+) \(.+/.+\) kubernetes/\w{7}`)

-	openshiftStyleUserAgent = regexp.MustCompile(`\w+/v([\w\.]+) \(.+/.+\) openshift/\w{7}`)

-)

+type userAgentFilter struct {

+	regex   *regexp.Regexp

+	message string

+	verbs   sets.String

+}

+

+func newUserAgentFilter(config configapi.UserAgentMatchRule) (userAgentFilter, error) {

+	regex, err := regexp.Compile(config.Regex)

+	if err != nil {

+		return userAgentFilter{}, err

+	}

+	userAgentFilter := userAgentFilter{regex: regex, verbs: sets.NewString(config.HTTPVerbs...)}

+

+	return userAgentFilter, nil

+}

+

+func (f *userAgentFilter) matches(verb, userAgent string) bool {

+	if len(f.verbs) > 0 && !f.verbs.Has(verb) {

+		return false

+	}

+

+	return f.regex.MatchString(userAgent)

+}

 // versionSkewFilter adds a filter that may deny requests from skewed

 // oc clients, since we know that those clients will strip unknown fields which can lead to unexpected outcomes

-func (c *MasterConfig) versionSkewFilter(openshiftBinaryInfo version.Info, kubeBinaryInfo kversion.Info, handler http.Handler) http.Handler {

-	skewedClientPolicy := c.Options.PolicyConfig.LegacyClientPolicyConfig.LegacyClientPolicy

-	if skewedClientPolicy == configapi.AllowAll {

+func (c *MasterConfig) versionSkewFilter(handler http.Handler) http.Handler {

+	infoResolver := &apiserver.RequestInfoResolver{APIPrefixes: sets.NewString("api", "osapi", "oapi", "apis"), GrouplessAPIPrefixes: sets.NewString("api", "osapi", "oapi")}

+

+	filterConfig := c.Options.PolicyConfig.UserAgentMatchingConfig

+	if len(filterConfig.RequiredClients) == 0 && len(filterConfig.DeniedClients) == 0 {

 		return handler

 	}

-	seg := strings.SplitN(openshiftBinaryInfo.GitVersion, "-", 2)

-	openshiftServerVersion := seg[0][1:]

-	seg = strings.SplitN(kubeBinaryInfo.GitVersion, "-", 2)

-	kubeServerVersion := seg[0][1:]

-	restrictedVerbs := sets.NewString(c.Options.PolicyConfig.LegacyClientPolicyConfig.RestrictedHTTPVerbs...)

-

-	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {

-		if !restrictedVerbs.Has(req.Method) {

-			handler.ServeHTTP(w, req)

-			return

-		}

+	defaultMessage := filterConfig.DefaultRejectionMessage

+	if len(defaultMessage) == 0 {

+		defaultMessage = "the cluster administrator has disabled access for this client, please upgrade or consult your administrator"

+	}

-		userAgent := req.Header.Get("User-Agent")

-		if len(userAgent) == 0 {

-			handler.ServeHTTP(w, req)

-			return

+	// the structure of the legacyClientPolicyConfig is pretty easy to write, but its inefficient to use at runtime

+	// pre-process the config elements to make a more efficicent structure.

+	allowedFilters := []userAgentFilter{}

+	deniedFilters := []userAgentFilter{}

+	for _, config := range filterConfig.RequiredClients {

+		userAgentFilter, err := newUserAgentFilter(config)

+		if err != nil {

+			glog.Errorf("Failure to compile User-Agent regex %v: %v", config.Regex, err)

+			continue

 		}

-		clientVersion := ""

-		serverVersion := ""

-		if submatches := kubeStyleUserAgent.FindStringSubmatch(userAgent); len(submatches) == 2 {

-			clientVersion = submatches[1]

-			serverVersion = kubeServerVersion

+		allowedFilters = append(allowedFilters, userAgentFilter)

+	}

+	for _, config := range filterConfig.DeniedClients {

+		userAgentFilter, err := newUserAgentFilter(config.UserAgentMatchRule)

+		if err != nil {

+			glog.Errorf("Failure to compile User-Agent regex %v: %v", config.Regex, err)

+			continue

 		}

-		if submatches := openshiftStyleUserAgent.FindStringSubmatch(userAgent); len(submatches) == 2 {

-			clientVersion = submatches[1]

-			serverVersion = openshiftServerVersion

+		userAgentFilter.message = config.RejectionMessage

+		if len(userAgentFilter.message) == 0 {

+			userAgentFilter.message = defaultMessage

 		}

-		if len(clientVersion) == 0 {

+

+		deniedFilters = append(deniedFilters, userAgentFilter)

+	}

+

+	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {

+		if requestInfo, err := infoResolver.GetRequestInfo(req); err == nil && !requestInfo.IsResourceRequest {

 			handler.ServeHTTP(w, req)

 			return

 		}

-		switch skewedClientPolicy {

-		case configapi.DenyOldClients:

-			serverSemVer, err := semver.NewVersion(serverVersion)

-			if err != nil {

-				handler.ServeHTTP(w, req)

-				return

-			}

-			clientSemVer, err := semver.NewVersion(clientVersion)

-			if err != nil {

-				handler.ServeHTTP(w, req)

-				return

+		userAgent := req.Header.Get("User-Agent")

+

+		if len(allowedFilters) > 0 {

+			foundMatch := false

+			for _, filter := range allowedFilters {

+				if filter.matches(req.Method, userAgent) {

+					foundMatch = true

+					break

+				}

 			}

-			if clientSemVer.LessThan(*serverSemVer) {

-				forbidden(fmt.Sprintf("userVersion %v is older than the server version %v; mutation is denied", clientVersion, serverVersion), nil, w, req)

+			if !foundMatch {

+				forbidden(defaultMessage, nil, w, req)

 				return

 			}

+		}

-		case configapi.DenySkewedClients:

-			if clientVersion != serverVersion {

-				forbidden(fmt.Sprintf("userVersion %v is different than the server version %v; mutation is denied", clientVersion, serverVersion), nil, w, req)

+		for _, filter := range deniedFilters {

+			if filter.matches(req.Method, userAgent) {

+				forbidden(filter.message, nil, w, req)

 				return

 			}

-

 		}

 		handler.ServeHTTP(w, req)

@@ -7,10 +7,7 @@ import (

 	"strings"

 	"testing"

-	kversion "k8s.io/kubernetes/pkg/version"

-

 	configapi "github.com/openshift/origin/pkg/cmd/server/api"

-	"github.com/openshift/origin/pkg/version"

 )

 var (

@@ -25,12 +22,13 @@ var (

 	olderOCKubeResources                 = "oc/v1.1.10 (linux/amd64) kubernetes/bc4550d"

 	olderOCOriginResources               = "oc/v1.1.1 (linux/amd64) openshift/b348c2f"

+	oldestOCOriginResources              = "oc/v1.0.1 (linux/amd64) openshift/b348c2f"

 	olderOpenshiftKubectlKubeResources   = "openshift/v1.1.10 (linux/amd64) kubernetes/bc4550d"

 	olderOpenshiftKubectlOriginResources = "openshift/v1.1.1 (linux/amd64) openshift/b348c2f"

 	olderOADMKubeResources               = "oadm/v1.1.10 (linux/amd64) kubernetes/bc4550d"

 	olderOADMOriginResources             = "oadm/v1.1.1 (linux/amd64) openshift/b348c2f"

 	olderVersionUserAgents               = []string{

-		olderOCKubeResources, olderOCOriginResources, olderOpenshiftKubectlKubeResources, olderOpenshiftKubectlOriginResources, olderOADMKubeResources, olderOADMOriginResources}

+		olderOCKubeResources, olderOCOriginResources, oldestOCOriginResources, olderOpenshiftKubectlKubeResources, olderOpenshiftKubectlOriginResources, olderOADMKubeResources, olderOADMOriginResources}

 	newerOCKubeResources                 = "oc/v1.2.1 (linux/amd64) kubernetes/bc4550d"

 	newerOCOriginResources               = "oc/v1.1.4 (linux/amd64) openshift/b348c2f"

@@ -43,10 +41,24 @@ var (

 	notOCVersion = "something else"

-	openshiftServerVersion = version.Info{GitVersion: "v1.1.3"}

-	kubeServerVersion      = kversion.Info{GitVersion: "v1.2.0"}

+	openshiftServerVersion = `v1\.1\.3`

+	kubeServerVersion      = `v1\.2\.0`

 )

+// variants I know I have to worry about

+// 1. oc kube resources: oc/v1.2.0 (linux/amd64) kubernetes/bc4550d

+// 2. oc openshift resources: oc/v1.1.3 (linux/amd64) openshift/b348c2f

+// 3. openshift kubectl kube resources:  openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d

+// 4. openshit kubectl openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f

+// 5. oadm kube resources: oadm/v1.2.0 (linux/amd64) kubernetes/bc4550d

+// 6. oadm openshift resources: oadm/v1.1.3 (linux/amd64) openshift/b348c2f

+// 7. openshift cli kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d

+// 8. openshift cli openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f

+// var (

+// 	kubeStyleUserAgent      = regexp.MustCompile(`\w+/v([\w\.]+) \(.+/.+\) kubernetes/\w{7}`)

+// 	openshiftStyleUserAgent = regexp.MustCompile(`\w+/v([\w\.]+) \(.+/.+\) openshift/\w{7}`)

+// )

+

 type versionSkewTestCase struct {

 	name           string

 	userAgents     []string

@@ -55,25 +67,6 @@ type versionSkewTestCase struct {

 }

 func (tc versionSkewTestCase) Run(url string, t *testing.T) {

-	// gets always succeed

-	for _, userAgent := range tc.userAgents {

-		req, err := http.NewRequest("GET", url, nil)

-		if err != nil {

-			t.Errorf("%s: unexpected error: %v", tc.name, err)

-			return

-		}

-		req.Header.Add("User-Agent", userAgent)

-		resp, err := http.DefaultClient.Do(req)

-		if err != nil {

-			t.Errorf("%s: unexpected error: %v", tc.name, err)

-			return

-		}

-		if resp.StatusCode != http.StatusOK {

-			t.Errorf("%s: unexpected status: %v", tc.name, resp.StatusCode)

-			return

-		}

-	}

-

 	for _, method := range tc.methods {

 		for _, userAgent := range tc.userAgents {

 			req, err := http.NewRequest(method, url, nil)

@@ -89,13 +82,13 @@ func (tc versionSkewTestCase) Run(url string, t *testing.T) {

 			}

 			if len(tc.failureMessage) == 0 {

 				if resp.StatusCode != http.StatusOK {

-					t.Errorf("%s: unexpected status: %v", tc.name, resp.StatusCode)

+					t.Errorf("%s: %s: unexpected status: %v", tc.name, userAgent, resp.StatusCode)

 					return

 				}

 			} else {

 				if resp.StatusCode != http.StatusForbidden {

-					t.Errorf("%s: unexpected status: %v", tc.name, resp.StatusCode)

+					t.Errorf("%s: %s: unexpected status: %v", tc.name, userAgent, resp.StatusCode)

 					return

 				}

@@ -115,14 +108,16 @@ func (tc versionSkewTestCase) Run(url string, t *testing.T) {

 }

-func TestVersionSkewFilterAllowAll(t *testing.T) {

-	verbs := []string{"PUT", "POST"}

+func TestVersionSkewFilterDenyOld(t *testing.T) {

+	verbs := []string{"PATCH", "POST"}

 	doNothingHandler := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {

 	})

 	config := MasterConfig{}

-	config.Options.PolicyConfig.LegacyClientPolicyConfig.LegacyClientPolicy = configapi.AllowAll

-	config.Options.PolicyConfig.LegacyClientPolicyConfig.RestrictedHTTPVerbs = verbs

-	server := httptest.NewServer(config.versionSkewFilter(openshiftServerVersion, kubeServerVersion, doNothingHandler))

+	config.Options.PolicyConfig.UserAgentMatchingConfig.DeniedClients = []configapi.UserAgentDenyRule{

+		{UserAgentMatchRule: configapi.UserAgentMatchRule{Regex: `\w+/v1\.1\.10 \(.+/.+\) kubernetes/\w{7}`, HTTPVerbs: verbs}, RejectionMessage: "rejected for reasons!"},

+		{UserAgentMatchRule: configapi.UserAgentMatchRule{Regex: `\w+/v(?:(?:1\.1\.1)|(?:1\.0\.1)) \(.+/.+\) openshift/\w{7}`, HTTPVerbs: verbs}, RejectionMessage: "rejected for reasons!"},

+	}

+	server := httptest.NewServer(config.versionSkewFilter(doNothingHandler))

 	defer server.Close()

 	testCases := []versionSkewTestCase{

@@ -137,9 +132,10 @@ func TestVersionSkewFilterAllowAll(t *testing.T) {

 			methods:    verbs,

 		},

 		{

-			name:       "older",

-			userAgents: olderVersionUserAgents,

-			methods:    verbs,

+			name:           "older",

+			userAgents:     olderVersionUserAgents,

+			failureMessage: "rejected for reasons!",

+			methods:        verbs,

 		},

 		{

 			name:       "newer",

@@ -154,62 +150,71 @@ func TestVersionSkewFilterAllowAll(t *testing.T) {

 	}

 	for _, tc := range testCases {

-		tc.Run(server.URL, t)

+		tc.Run(server.URL+"/api/v1/namespaces", t)

 	}

 }

-func TestVersionSkewFilterDenyOld(t *testing.T) {

-	verbs := []string{"PATCH", "POST"}

+func TestVersionSkewFilterDenySkewed(t *testing.T) {

+	verbs := []string{"PUT", "DELETE"}

 	doNothingHandler := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {

 	})

 	config := MasterConfig{}

-	config.Options.PolicyConfig.LegacyClientPolicyConfig.LegacyClientPolicy = configapi.DenyOldClients

-	config.Options.PolicyConfig.LegacyClientPolicyConfig.RestrictedHTTPVerbs = verbs

-	server := httptest.NewServer(config.versionSkewFilter(openshiftServerVersion, kubeServerVersion, doNothingHandler))

+	config.Options.PolicyConfig.UserAgentMatchingConfig.RequiredClients = []configapi.UserAgentMatchRule{

+		{Regex: `\w+/` + kubeServerVersion + ` \(.+/.+\) kubernetes/\w{7}`, HTTPVerbs: verbs},

+		{Regex: `\w+/` + openshiftServerVersion + ` \(.+/.+\) openshift/\w{7}`, HTTPVerbs: verbs},

+	}

+	config.Options.PolicyConfig.UserAgentMatchingConfig.DefaultRejectionMessage = "rejected for reasons!"

+	server := httptest.NewServer(config.versionSkewFilter(doNothingHandler))

 	defer server.Close()

 	testCases := []versionSkewTestCase{

 		{

-			name:       "missing",

-			userAgents: []string{""},

-			methods:    verbs,

+			name:           "missing",

+			userAgents:     []string{""},

+			failureMessage: "rejected for reasons!",

+			methods:        verbs,

 		},

 		{

-			name:       "not oc",

-			userAgents: []string{notOCVersion},

-			methods:    verbs,

+			name:           "not oc",

+			userAgents:     []string{notOCVersion},

+			failureMessage: "rejected for reasons!",

+			methods:        verbs,

 		},

 		{

 			name:           "older",

 			userAgents:     olderVersionUserAgents,

-			failureMessage: " is older than the server version",

+			failureMessage: "rejected for reasons!",

 			methods:        verbs,

 		},

 		{

-			name:       "newer",

-			userAgents: newerVersionUserAgents,

-			methods:    verbs,

+			name:           "newer",

+			userAgents:     newerVersionUserAgents,

+			failureMessage: "rejected for reasons!",

+			methods:        verbs,

 		},

 		{

-			name:       "exact",

+			name:       "current",

 			userAgents: currentVersionUserAgents,

 			methods:    verbs,

 		},

 	}

 	for _, tc := range testCases {

-		tc.Run(server.URL, t)

+		tc.Run(server.URL+"/api/v1/namespaces", t)

 	}

 }

-func TestVersionSkewFilterDenySkewed(t *testing.T) {

+func TestVersionSkewFilterSkippedOnNonAPIRequest(t *testing.T) {

 	verbs := []string{"PUT", "DELETE"}

 	doNothingHandler := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {

 	})

 	config := MasterConfig{}

-	config.Options.PolicyConfig.LegacyClientPolicyConfig.LegacyClientPolicy = configapi.DenySkewedClients

-	config.Options.PolicyConfig.LegacyClientPolicyConfig.RestrictedHTTPVerbs = verbs

-	server := httptest.NewServer(config.versionSkewFilter(openshiftServerVersion, kubeServerVersion, doNothingHandler))

+	config.Options.PolicyConfig.UserAgentMatchingConfig.RequiredClients = []configapi.UserAgentMatchRule{

+		{Regex: `\w+/` + kubeServerVersion + ` \(.+/.+\) kubernetes/\w{7}`, HTTPVerbs: verbs},

+		{Regex: `\w+/` + openshiftServerVersion + ` \(.+/.+\) openshift/\w{7}`, HTTPVerbs: verbs},

+	}

+	config.Options.PolicyConfig.UserAgentMatchingConfig.DefaultRejectionMessage = "rejected for reasons!"

+	server := httptest.NewServer(config.versionSkewFilter(doNothingHandler))

 	defer server.Close()

 	testCases := []versionSkewTestCase{

@@ -224,16 +229,14 @@ func TestVersionSkewFilterDenySkewed(t *testing.T) {

 			methods:    verbs,

 		},

 		{

-			name:           "older",

-			userAgents:     olderVersionUserAgents,

-			failureMessage: "is different than the server version",

-			methods:        verbs,

+			name:       "older",

+			userAgents: olderVersionUserAgents,

+			methods:    verbs,

 		},

 		{

-			name:           "newer",

-			userAgents:     newerVersionUserAgents,

-			failureMessage: "is different than the server version",

-			methods:        verbs,

+			name:       "newer",

+			userAgents: newerVersionUserAgents,

+			methods:    verbs,

 		},

 		{

 			name:       "current",

@@ -243,6 +246,6 @@ func TestVersionSkewFilterDenySkewed(t *testing.T) {

 	}

 	for _, tc := range testCases {

-		tc.Run(server.URL, t)

+		tc.Run(server.URL+"/api/v1", t)

 	}

 }

@@ -29,7 +29,6 @@ import (

 	"k8s.io/kubernetes/pkg/util"

 	"k8s.io/kubernetes/pkg/util/sets"

 	utilwait "k8s.io/kubernetes/pkg/util/wait"

-	kversion "k8s.io/kubernetes/pkg/version"

 	"github.com/openshift/origin/pkg/api/v1"

 	"github.com/openshift/origin/pkg/api/v1beta3"

@@ -105,7 +104,6 @@ import (

 	"github.com/openshift/origin/pkg/authorization/rulevalidation"

 	configapi "github.com/openshift/origin/pkg/cmd/server/api"

 	routeplugin "github.com/openshift/origin/pkg/route/allocation/simple"

-	"github.com/openshift/origin/pkg/version"

 )

 const (

@@ -161,7 +159,7 @@ func (c *MasterConfig) Run(protected []APIInstaller, unprotected []APIInstaller)

 		}

 		extra = append(extra, msgs...)

 	}

-	handler := c.versionSkewFilter(version.Get(), kversion.Get(), safe)

+	handler := c.versionSkewFilter(safe)

 	handler = c.authorizationFilter(handler)

 	handler = authenticationHandlerFilter(handler, c.Authenticator, c.getRequestContextMapper())

 	handler = namespacingFilter(handler, c.getRequestContextMapper())