@@ -318,7 +318,7 @@ docker tag -f openshift/ruby-20-centos7:latest ${DOCKER_REGISTRY}/cache/ruby-20-

 docker push ${DOCKER_REGISTRY}/cache/ruby-20-centos7:latest

 echo "[INFO] Pushed ruby-20-centos7"

-echo "[INFO] Back to 'master' context with 'admin' user..."

+echo "[INFO] Back to 'default' project with 'admin' user..."

 osc project ${CLUSTER_ADMIN_CONTEXT}

 # The build requires a dockercfg secret in the builder service account in order

@@ -338,12 +338,7 @@ osc project test

 echo "[INFO] Applying STI application config"

 osc create -f "${STI_CONFIG_FILE}"

-

-# this needs to be done before waiting for the build because right now only cluster-admins can see build logs, because that uses proxy

-echo "[INFO] Back to 'master' context with 'admin' user..."

-osc project default

-

-# Trigger build

+# Wait for build which should have triggered automatically

 echo "[INFO] Starting build from ${STI_CONFIG_FILE} and streaming its logs..."

 #osc start-build -n test ruby-sample-build --follow

 wait_for_build "test"

@@ -363,6 +358,9 @@ wait_for_app "test"

 #wait_for_build "custom"

 #wait_for_app "custom"

+echo "[INFO] Back to 'default' project with 'admin' user..."

+osc project ${CLUSTER_ADMIN_CONTEXT}

+

 # ensure the router is started

 # TODO: simplify when #4702 is fixed upstream

 wait_for_command '[[ "$(osc get endpoints router --output-version=v1beta3 -t "{{ if .subsets }}{{ len .subsets }}{{ else }}0{{ end }}" || echo "0")" != "0" ]]' $((5*TIME_MIN))

@@ -36,7 +36,7 @@ func TestSubjects(t *testing.T) {

 			Verb:     "get",

 			Resource: "pods",

 		},

-		expectedUsers:  util.NewStringSet("Anna", "ClusterAdmin", "Ellen", "Valerie", "system:openshift-client", "system:openshift-deployer"),

+		expectedUsers:  util.NewStringSet("Anna", "ClusterAdmin", "Ellen", "Valerie", "system:openshift-client"),

 		expectedGroups: util.NewStringSet("RootUsers", "system:cluster-admins", "system:cluster-readers", "system:nodes"),

 	}

 	test.clusterPolicies = newDefaultClusterPolicies()

@@ -77,7 +77,6 @@ func DefaultAPIClientCAFile(certDir string) string {

 func DefaultAPIClientCerts(certDir string) []ClientCertInfo {

 	return []ClientCertInfo{

-		DefaultDeployerClientCertInfo(certDir),

 		DefaultOpenshiftLoopbackClientCertInfo(certDir),

 		DefaultClusterAdminClientCertInfo(certDir),

 		DefaultRouterClientCertInfo(certDir),

@@ -109,18 +108,6 @@ func DefaultRegistryClientCertInfo(certDir string) ClientCertInfo {

 	}

 }

-func DefaultDeployerClientCertInfo(certDir string) ClientCertInfo {

-	return ClientCertInfo{

-		CertLocation: configapi.CertInfo{

-			CertFile: DefaultCertFilename(certDir, "openshift-deployer"),

-			KeyFile:  DefaultKeyFilename(certDir, "openshift-deployer"),

-		},

-		UnqualifiedUser: "openshift-deployer",

-		User:            "system:openshift-deployer",

-		Groups:          util.NewStringSet("system:deployers"),

-	}

-}

-

 func DefaultOpenshiftLoopbackClientCertInfo(certDir string) ClientCertInfo {

 	return ClientCertInfo{

 		CertLocation: configapi.CertInfo{

@@ -108,7 +108,6 @@ func GetMasterFileReferences(config *MasterConfig) []*string {

 		refs = append(refs, &config.ServiceAccountConfig.PublicKeyFiles[i])

 	}

-	refs = append(refs, &config.MasterClients.DeployerKubeConfig)

 	refs = append(refs, &config.MasterClients.OpenShiftLoopbackKubeConfig)

 	refs = append(refs, &config.MasterClients.ExternalKubernetesKubeConfig)

@@ -224,8 +224,6 @@ type ServingInfo struct {

 }

 type MasterClients struct {

-	// DeployerKubeConfig is a .kubeconfig filename for depoyment pods to use

-	DeployerKubeConfig string

 	// OpenShiftLoopbackKubeConfig is a .kubeconfig filename for system components to loopback to this master

 	OpenShiftLoopbackKubeConfig string

 	// ExternalKubernetesKubeConfig is a .kubeconfig filename for proxying to kubernetes

@@ -213,8 +213,6 @@ type ServingInfo struct {

 }

 type MasterClients struct {

-	// DeployerKubeConfig is a .kubeconfig filename for depoyment pods to use

-	DeployerKubeConfig string `json:"deployerKubeConfig"`

 	// OpenShiftLoopbackKubeConfig is a .kubeconfig filename for system components to loopback to this master

 	OpenShiftLoopbackKubeConfig string `json:"openshiftLoopbackKubeConfig"`

 	// ExternalKubernetesKubeConfig is a .kubeconfig filename for proxying to kubernetes

@@ -100,7 +100,6 @@ kubernetesMasterConfig:

   servicesSubnet: ""

   staticNodeNames: null

 masterClients:

-  deployerKubeConfig: ""

   externalKubernetesKubeConfig: ""

   openshiftLoopbackKubeConfig: ""

 masterPublicURL: ""

@@ -113,7 +113,6 @@ func ValidateMasterConfig(config *api.MasterConfig) ValidationResults {

 		validationResults.AddErrors(fielderrors.NewFieldInvalid("kubernetesMasterConfig", config.KubernetesMasterConfig, "kubernetesMasterConfig and masterClients.externalKubernetesKubeConfig are mutually exclusive"))

 	}

-	validationResults.AddErrors(ValidateKubeConfig(config.MasterClients.DeployerKubeConfig, "deployerKubeConfig").Prefix("masterClients")...)

 	validationResults.AddErrors(ValidateKubeConfig(config.MasterClients.OpenShiftLoopbackKubeConfig, "openShiftLoopbackKubeConfig").Prefix("masterClients")...)

 	if len(config.MasterClients.ExternalKubernetesKubeConfig) > 0 {

@@ -125,7 +124,7 @@ func ValidateMasterConfig(config *api.MasterConfig) ValidationResults {

 		validationResults.AddErrors(ValidateOAuthConfig(config.OAuthConfig).Prefix("oauthConfig")...)

 	}

-	validationResults.AddErrors(ValidateServiceAccountConfig(config.ServiceAccountConfig, builtInKubernetes).Prefix("serviceAccountConfig")...)

+	validationResults.Append(ValidateServiceAccountConfig(config.ServiceAccountConfig, builtInKubernetes).Prefix("serviceAccountConfig"))

 	validationResults.AddErrors(ValidateServingInfo(config.ServingInfo).Prefix("servingInfo")...)

@@ -177,47 +176,50 @@ func ValidateEtcdStorageConfig(config api.EtcdStorageConfig) fielderrors.Validat

 	return allErrs

 }

-func ValidateServiceAccountConfig(config api.ServiceAccountConfig, builtInKubernetes bool) fielderrors.ValidationErrorList {

-	allErrs := fielderrors.ValidationErrorList{}

+func ValidateServiceAccountConfig(config api.ServiceAccountConfig, builtInKubernetes bool) ValidationResults {

+	validationResults := ValidationResults{}

 	managedNames := util.NewStringSet(config.ManagedNames...)

 	if !managedNames.Has(bootstrappolicy.BuilderServiceAccountName) {

-		// TODO: warn that default builder service account won't be auto-created

+		validationResults.AddWarnings(fielderrors.NewFieldInvalid("managedNames", "", fmt.Sprintf("missing %q, which will require manual creation in each namespace before builds can run", bootstrappolicy.BuilderServiceAccountName)))

+	}

+	if !managedNames.Has(bootstrappolicy.DeployerServiceAccountName) {

+		validationResults.AddWarnings(fielderrors.NewFieldInvalid("managedNames", "", fmt.Sprintf("missing %q, which will require manual creation in each namespace before deployments can run", bootstrappolicy.DeployerServiceAccountName)))

 	}

 	if builtInKubernetes && !managedNames.Has(bootstrappolicy.DefaultServiceAccountName) {

-		// TODO: warn that default service account won't be auto-created

+		validationResults.AddWarnings(fielderrors.NewFieldInvalid("managedNames", "", fmt.Sprintf("missing %q, which will prevent creation of pods that do not specify a valid service account", bootstrappolicy.DefaultServiceAccountName)))

 	}

 	for i, name := range config.ManagedNames {

 		if ok, msg := kvalidation.ValidateServiceAccountName(name, false); !ok {

-			allErrs = append(allErrs, fielderrors.NewFieldInvalid(fmt.Sprintf("", i), name, msg))

+			validationResults.AddErrors(fielderrors.NewFieldInvalid(fmt.Sprintf("managedNames[%d]", i), name, msg))

 		}

 	}

 	if len(config.PrivateKeyFile) > 0 {

 		if fileErrs := ValidateFile(config.PrivateKeyFile, "privateKeyFile"); len(fileErrs) > 0 {

-			allErrs = append(allErrs, fileErrs...)

+			validationResults.AddErrors(fileErrs...)

 		} else if privateKey, err := serviceaccount.ReadPrivateKey(config.PrivateKeyFile); err != nil {

-			allErrs = append(allErrs, fielderrors.NewFieldInvalid("privateKeyFile", config.PrivateKeyFile, err.Error()))

+			validationResults.AddErrors(fielderrors.NewFieldInvalid("privateKeyFile", config.PrivateKeyFile, err.Error()))

 		} else if err := privateKey.Validate(); err != nil {

-			allErrs = append(allErrs, fielderrors.NewFieldInvalid("privateKeyFile", config.PrivateKeyFile, err.Error()))

+			validationResults.AddErrors(fielderrors.NewFieldInvalid("privateKeyFile", config.PrivateKeyFile, err.Error()))

 		}

 	} else if builtInKubernetes {

-		// TODO: warn that no service account tokens will be generated

+		validationResults.AddWarnings(fielderrors.NewFieldInvalid("privateKeyFile", "", "no service account tokens will be generated, which could prevent builds and deployments from working"))

 	}

 	if len(config.PublicKeyFiles) == 0 {

-		// TODO: warn that no service accounts will be able to authenticate

+		validationResults.AddWarnings(fielderrors.NewFieldInvalid("publicKeyFiles", "", "no service account tokens will be accepted by the API, which will prevent builds and deployments from working"))

 	}

 	for i, publicKeyFile := range config.PublicKeyFiles {

 		if fileErrs := ValidateFile(publicKeyFile, fmt.Sprintf("publicKeyFiles[%d]", i)); len(fileErrs) > 0 {

-			allErrs = append(allErrs, fileErrs...)

+			validationResults.AddErrors(fileErrs...)

 		} else if _, err := serviceaccount.ReadPublicKey(publicKeyFile); err != nil {

-			allErrs = append(allErrs, fielderrors.NewFieldInvalid(fmt.Sprintf("publicKeyFiles[%d]", i), publicKeyFile, err.Error()))

+			validationResults.AddErrors(fielderrors.NewFieldInvalid(fmt.Sprintf("publicKeyFiles[%d]", i), publicKeyFile, err.Error()))

 		}

 	}

-	return allErrs

+	return validationResults

 }

 func ValidateAssetConfig(config *api.AssetConfig) fielderrors.ValidationErrorList {

@@ -7,8 +7,9 @@ const (

 // users

 const (

-	DefaultServiceAccountName = "default"

-	BuilderServiceAccountName = "builder"

+	DefaultServiceAccountName  = "default"

+	BuilderServiceAccountName  = "builder"

+	DeployerServiceAccountName = "deployer"

 	RouterUnqualifiedUsername   = "openshift-router"

 	RegistryUnqualifiedUsername = "openshift-registry"

@@ -21,7 +22,6 @@ const (

 const (

 	UnauthenticatedUsername   = "system:anonymous"

 	InternalComponentUsername = "system:openshift-client"

-	DeployerUsername          = "system:openshift-deployer"

 	AuthenticatedGroup   = "system:authenticated"

 	UnauthenticatedGroup = "system:unauthenticated"

@@ -413,15 +413,6 @@ func GetBootstrapClusterRoleBindings() []authorizationapi.ClusterRoleBinding {

 		},

 		{

 			ObjectMeta: kapi.ObjectMeta{

-				Name: DeployerRoleBindingName,

-			},

-			RoleRef: kapi.ObjectReference{

-				Name: DeployerRoleName,

-			},

-			Users: util.NewStringSet(DeployerUsername),

-		},

-		{

-			ObjectMeta: kapi.ObjectMeta{

 				Name: ClusterAdminRoleBindingName,

 			},

 			RoleRef: kapi.ObjectReference{

@@ -30,5 +30,15 @@ func GetBootstrapServiceAccountProjectRoleBindings(namespace string) []authoriza

 			},

 			Users: util.NewStringSet(serviceaccount.MakeUsername(namespace, BuilderServiceAccountName)),

 		},

+		{

+			ObjectMeta: kapi.ObjectMeta{

+				Name:      DeployerRoleBindingName,

+				Namespace: namespace,

+			},

+			RoleRef: kapi.ObjectReference{

+				Name: DeployerRoleName,

+			},

+			Users: util.NewStringSet(serviceaccount.MakeUsername(namespace, DeployerServiceAccountName)),

+		},

 	}

 }

@@ -59,7 +59,6 @@ func BuildKubernetesMasterConfig(options configapi.MasterConfig, requestContextM

 	// in-order list of plug-ins that should intercept admission decisions

 	// TODO: Push node environment support to upstream in future

-	// TODO: JTL: update serviceaccount admission plugin to limit secrets to the ones held by the serviceaccount

 	admissionControlPluginNames := []string{"NamespaceExists", "NamespaceLifecycle", "OriginPodNodeEnvironment", "LimitRanger", "ServiceAccount", "ResourceQuota"}

 	admissionController := admission.NewFromPlugins(kubeClient, admissionControlPluginNames, "")

@@ -10,6 +10,7 @@ import (

 	"net"

 	"net/http"

 	"os"

+	"path"

 	"regexp"

 	"strings"

 	"time"

@@ -33,6 +34,7 @@ import (

 	etcdallocator "github.com/GoogleCloudPlatform/kubernetes/pkg/registry/service/allocator/etcd"

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/serviceaccount"

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/util"

+	serviceaccountadmission "github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/admission/serviceaccount"

 	"github.com/openshift/origin/pkg/api/latest"

 	"github.com/openshift/origin/pkg/api/v1"

@@ -984,18 +986,20 @@ func (c *MasterConfig) RunDeploymentController() error {

 	if err != nil {

 		return err

 	}

-	// TODO eliminate these environment variables once we figure out what they do

-	env := []api.EnvVar{

-		{Name: "KUBERNETES_MASTER", Value: kclientConfig.Host},

-		{Name: "OPENSHIFT_MASTER", Value: kclientConfig.Host},

-	}

-	env = append(env, clientcmd.EnvVarsFromConfig(c.DeployerClientConfig())...)

+	// TODO eliminate these environment variables once service accounts provide a kubeconfig that includes all of this info

+	env := clientcmd.EnvVars(

+		kclientConfig.Host,

+		kclientConfig.CAData,

+		kclientConfig.Insecure,

+		path.Join(serviceaccountadmission.DefaultAPITokenMountPath, kapi.ServiceAccountTokenKey),

+	)

 	factory := deploycontroller.DeploymentControllerFactory{

-		KubeClient:    kclient,

-		Codec:         latest.Codec,

-		Environment:   env,

-		DeployerImage: c.ImageFor("deployer"),

+		KubeClient:     kclient,

+		Codec:          latest.Codec,

+		Environment:    env,

+		DeployerImage:  c.ImageFor("deployer"),

+		ServiceAccount: bootstrappolicy.DeployerServiceAccountName,

 	}

 	controller := factory.Create()

@@ -87,8 +87,6 @@ type MasterConfig struct {

 	// PrivilegedLoopbackClientConfig is the client configuration used to call OpenShift APIs from system components

 	// To apply different access control to a system component, create a client config specifically for that component.

 	PrivilegedLoopbackClientConfig kclient.Config

-	// DeployerPrivilegedLoopbackClientConfig is the client configuration used to call OpenShift APIs from launched deployer pods

-	DeployerOSClientConfig kclient.Config

 	// kubeClient is the client used to call Kubernetes APIs from system components, built from KubeClientConfig.

 	// It should only be accessed via the *Client() helper methods.

@@ -127,10 +125,6 @@ func BuildMasterConfig(options configapi.MasterConfig) (*MasterConfig, error) {

 	if err != nil {

 		return nil, err

 	}

-	_, deployerOSClientConfig, err := configapi.GetOpenShiftClient(options.MasterClients.DeployerKubeConfig)

-	if err != nil {

-		return nil, err

-	}

 	imageTemplate := variable.NewDefaultImageTemplate()

 	imageTemplate.Format = options.ImageConfig.Format

@@ -173,7 +167,6 @@ func BuildMasterConfig(options configapi.MasterConfig) (*MasterConfig, error) {

 		ClientCAs:    clientCAs,

 		APIClientCAs: apiClientCAs,

-		DeployerOSClientConfig:             *deployerOSClientConfig,

 		PrivilegedLoopbackClientConfig:     *privilegedLoopbackClientConfig,

 		PrivilegedLoopbackOpenShiftClient:  privilegedLoopbackOpenShiftClient,

 		PrivilegedLoopbackKubernetesClient: privilegedLoopbackKubeClient,

@@ -362,12 +355,6 @@ func (c *MasterConfig) DeploymentControllerClients() (*osclient.Client, *kclient

 	return c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClient

 }

-// DeployerClientConfig returns the client configuration a Deployer instance launched in a pod

-// should use when making API calls.

-func (c *MasterConfig) DeployerClientConfig() *kclient.Config {

-	return &c.DeployerOSClientConfig

-}

-

 func (c *MasterConfig) DeploymentConfigControllerClients() (*osclient.Client, *kclient.Client) {

 	return c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClient

 }

@@ -173,7 +173,6 @@ func (args MasterArgs) BuildSerializeableMasterConfig() (*configapi.MasterConfig

 		},

 		MasterClients: configapi.MasterClients{

-			DeployerKubeConfig:           admin.DefaultKubeConfigFilename(args.ConfigDir.Value(), "openshift-deployer"),

 			OpenShiftLoopbackKubeConfig:  admin.DefaultKubeConfigFilename(args.ConfigDir.Value(), "openshift-client"),

 			ExternalKubernetesKubeConfig: args.KubeConnectionArgs.ClientConfigLoadingRules.ExplicitPath,

 		},

@@ -229,10 +228,11 @@ func (args MasterArgs) BuildSerializeableMasterConfig() (*configapi.MasterConfig

 	}

 	if builtInKubernetes {

-		// When we start Kubernetes, we're responsible for generating the default account

+		// When we start Kubernetes, we're responsible for generating all the managed service accounts

 		config.ServiceAccountConfig.ManagedNames = []string{

 			bootstrappolicy.DefaultServiceAccountName,

 			bootstrappolicy.BuilderServiceAccountName,

+			bootstrappolicy.DeployerServiceAccountName,

 		}

 		// We also need the private key file to give to the token generator

 		config.ServiceAccountConfig.PrivateKeyFile = admin.DefaultServiceAccountPrivateKeyFile(args.ConfigDir.Value())

@@ -241,11 +241,12 @@ func (args MasterArgs) BuildSerializeableMasterConfig() (*configapi.MasterConfig

 			admin.DefaultServiceAccountPublicKeyFile(args.ConfigDir.Value()),

 		}

 	} else {

-		// When running against an external Kubernetes, we're only responsible for the builder account.

+		// When running against an external Kubernetes, we're only responsible for the builder and deployer accounts.

 		// We don't have the private key, but we need to get the public key to authenticate signed tokens.

 		// TODO: JTL: take arg for public key(s)?

 		config.ServiceAccountConfig.ManagedNames = []string{

 			bootstrappolicy.BuilderServiceAccountName,

+			bootstrappolicy.DeployerServiceAccountName,

 		}

 		config.ServiceAccountConfig.PublicKeyFiles = []string{}

 	}

@@ -48,17 +48,23 @@ func (cfg *Config) Bind(flags *pflag.FlagSet) {

 	BindClientConfigSecurityFlags(&cfg.CommonConfig, flags)

 }

-func EnvVarsFromConfig(config *kclient.Config) []api.EnvVar {

-	insecure := "false"

-	if config.Insecure {

-		insecure = "true"

+func EnvVars(host string, caData []byte, insecure bool, bearerTokenFile string) []api.EnvVar {

+	envvars := []api.EnvVar{

+		{Name: "KUBERNETES_MASTER", Value: host},

+		{Name: "OPENSHIFT_MASTER", Value: host},

 	}

-	return []api.EnvVar{

-		{Name: "OPENSHIFT_CA_DATA", Value: string(config.CAData)},

-		{Name: "OPENSHIFT_CERT_DATA", Value: string(config.CertData)},

-		{Name: "OPENSHIFT_KEY_DATA", Value: string(config.KeyData)},

-		{Name: "OPENSHIFT_INSECURE", Value: insecure},

+

+	if len(bearerTokenFile) > 0 {

+		envvars = append(envvars, api.EnvVar{Name: "BEARER_TOKEN_FILE", Value: bearerTokenFile})

+	}

+

+	if len(caData) > 0 {

+		envvars = append(envvars, api.EnvVar{Name: "OPENSHIFT_CA_DATA", Value: string(caData)})

+	} else if insecure {

+		envvars = append(envvars, api.EnvVar{Name: "OPENSHIFT_INSECURE", Value: "true"})

 	}

+

+	return envvars

 }

 func (cfg *Config) bindEnv() error {

@@ -25,6 +25,8 @@ import (

 //

 // Use the DeploymentControllerFactory to create this controller.

 type DeploymentController struct {

+	// serviceAccount to create deployment pods with

+	serviceAccount string

 	// deploymentClient provides access to deployments.

 	deploymentClient deploymentClient

 	// podClient provides access to pods.

@@ -210,6 +212,7 @@ func (c *DeploymentController) makeDeployerPod(deployment *kapi.ReplicationContr

 			},

 			ActiveDeadlineSeconds: &maxDeploymentDurationSeconds,

 			RestartPolicy:         kapi.RestartPolicyNever,

+			ServiceAccount:        c.serviceAccount,

 		},

 	}

@@ -26,6 +26,8 @@ type DeploymentControllerFactory struct {

 	KubeClient kclient.Interface

 	// Codec is used for encoding/decoding.

 	Codec runtime.Codec

+	// ServiceAccount is the service account name to run deployer pods as

+	ServiceAccount string

 	// Environment is a set of environment which should be injected into all deployer pod containers.

 	Environment []kapi.EnvVar

 	// DeployerImage specifies which Docker image can support the default strategies.

@@ -51,6 +53,7 @@ func (factory *DeploymentControllerFactory) Create() controller.RunnableControll

 	eventBroadcaster.StartRecordingToSink(factory.KubeClient.Events(""))

 	deployController := &DeploymentController{

+		serviceAccount: factory.ServiceAccount,

 		deploymentClient: &deploymentClientImpl{

 			getDeploymentFunc: func(namespace, name string) (*kapi.ReplicationController, error) {

 				return factory.KubeClient.ReplicationControllers(namespace).Get(name)