1. photon
  2. Commit 6c0225e33376e0c779674c5ab43b5d451912478d
Browse code

VMware Admission Controller patch for Kubernetes 1.9 and 1.10

Change-Id: I1b6215dbdab4847d56cf7920029256216d43b2fc
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5224
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
Reviewed-by: Bo Gan <ganb@vmware.com>
Tested-by: gerrit-photon <photon-checkins@vmware.com>

Bo Gan authored on 2018/06/03 08:42:43
Showing 4 changed files
SPECS/kubernetes/k8s-cascade.patch
History View file @ 6c0225e
... ... 
@@ -1,6 +1,81 @@
1 
-diff -uNr --no-dereference kubernetes-original/api/swagger-spec/apps_v1alpha1.json kubernetes-modified/src/k8s.io/kubernetes/api/swagger-spec/apps_v1alpha1.json
2 
-+++ kubernetes-modified/src/k8s.io/kubernetes/api/swagger-spec/apps_v1alpha1.json	2018-04-30 21:11:51.000000000 +0000
1 
+From e6e701d8663ca3dbcf298ed4a10bf5b6120ce4d3 Mon Sep 17 00:00:00 2001
2 
+From: Bo Gan <ganb@vmware.com>
3 
+Date: Sat, 2 Jun 2018 16:24:59 -0700
4 
+Subject: [PATCH] Cascade Kubernetes patches for v1.9.6 (8ef8da7)
5 
+
6 
+---
7 
+ api/swagger-spec/apps_v1alpha1.json                |  21 +
8 
+ api/swagger-spec/apps_v1beta1.json                 |  21 +
9 
+ api/swagger-spec/apps_v1beta2.json                 |  21 +
10 
+ api/swagger-spec/batch_v1.json                     |  21 +
11 
+ api/swagger-spec/batch_v1beta1.json                |  21 +
12 
+ api/swagger-spec/batch_v2alpha1.json               |  21 +
13 
+ api/swagger-spec/extensions_v1beta1.json           |  21 +
14 
+ api/swagger-spec/settings.k8s.io_v1alpha1.json     |  21 +
15 
+ api/swagger-spec/v1.json                           |  25 +
16 
+ cmd/kube-apiserver/app/options/plugins.go          |   2 +
17 
+ cmd/kube-controller-manager/app/BUILD              |   1 +
18 
+ cmd/kube-controller-manager/app/plugins.go         |   4 +
19 
+ cmd/kubelet/app/BUILD                              |   1 +
20 
+ cmd/kubelet/app/plugins.go                         |   2 +
21 
+ pkg/apis/core/types.go                             |  14 +
22 
+ pkg/apis/core/validation/validation.go             |  25 +
23 
+ pkg/apis/extensions/types.go                       |   1 +
24 
+ pkg/cloudprovider/providers/BUILD                  |   2 +
25 
+ pkg/cloudprovider/providers/cascade/BUILD          |  44 ++
26 
+ pkg/cloudprovider/providers/cascade/OWNERS         |   3 +
27 
+ pkg/cloudprovider/providers/cascade/apitypes.go    | 227 +++++++++
28 
+ pkg/cloudprovider/providers/cascade/auth.go        | 145 ++++++
29 
+ pkg/cloudprovider/providers/cascade/cascade.go     | 216 ++++++++
30 
+ .../providers/cascade/cascade_disks.go             | 225 +++++++++
31 
+ .../providers/cascade/cascade_instances.go         |  90 ++++
32 
+ .../providers/cascade/cascade_loadbalancer.go      | 284 +++++++++++
33 
+ pkg/cloudprovider/providers/cascade/client.go      | 394 +++++++++++++++
34 
+ pkg/cloudprovider/providers/cascade/oidcclient.go  | 297 +++++++++++
35 
+ pkg/cloudprovider/providers/cascade/restclient.go  | 262 ++++++++++
36 
+ pkg/cloudprovider/providers/cascade/tests_owed     |   5 +
37 
+ pkg/cloudprovider/providers/cascade/utils.go       |  25 +
38 
+ pkg/cloudprovider/providers/providers.go           |   1 +
39 
+ pkg/printers/internalversion/describe.go           |  11 +
40 
+ pkg/security/podsecuritypolicy/util/util.go        |   3 +
41 
+ pkg/volume/cascade_disk/BUILD                      |  43 ++
42 
+ pkg/volume/cascade_disk/OWNERS                     |   2 +
43 
+ pkg/volume/cascade_disk/attacher.go                | 269 ++++++++++
44 
+ pkg/volume/cascade_disk/cascade_disk.go            | 391 +++++++++++++++
45 
+ pkg/volume/cascade_disk/cascade_util.go            | 107 ++++
46 
+ .../admission/persistentvolume/label/admission.go  |  54 ++
47 
+ plugin/pkg/admission/vke/BUILD                     |  58 +++
48 
+ plugin/pkg/admission/vke/admission.go              | 374 ++++++++++++++
49 
+ plugin/pkg/admission/vke/admission_test.go         | 541 +++++++++++++++++++++
50 
+ staging/src/k8s.io/api/core/v1/generated.pb.go     | 310 +++++++++++-
51 
+ staging/src/k8s.io/api/core/v1/types.go            |  26 +-
52 
+ 45 files changed, 4623 insertions(+), 29 deletions(-)
53 
+ create mode 100644 pkg/cloudprovider/providers/cascade/BUILD
54 
+ create mode 100644 pkg/cloudprovider/providers/cascade/OWNERS
55 
+ create mode 100644 pkg/cloudprovider/providers/cascade/apitypes.go
56 
+ create mode 100644 pkg/cloudprovider/providers/cascade/auth.go
57 
+ create mode 100644 pkg/cloudprovider/providers/cascade/cascade.go
58 
+ create mode 100644 pkg/cloudprovider/providers/cascade/cascade_disks.go
59 
+ create mode 100644 pkg/cloudprovider/providers/cascade/cascade_instances.go
60 
+ create mode 100644 pkg/cloudprovider/providers/cascade/cascade_loadbalancer.go
61 
+ create mode 100644 pkg/cloudprovider/providers/cascade/client.go
62 
+ create mode 100644 pkg/cloudprovider/providers/cascade/oidcclient.go
63 
+ create mode 100644 pkg/cloudprovider/providers/cascade/restclient.go
64 
+ create mode 100644 pkg/cloudprovider/providers/cascade/tests_owed
65 
+ create mode 100644 pkg/cloudprovider/providers/cascade/utils.go
66 
+ create mode 100644 pkg/volume/cascade_disk/BUILD
67 
+ create mode 100644 pkg/volume/cascade_disk/OWNERS
68 
+ create mode 100644 pkg/volume/cascade_disk/attacher.go
69 
+ create mode 100644 pkg/volume/cascade_disk/cascade_disk.go
70 
+ create mode 100644 pkg/volume/cascade_disk/cascade_util.go
71 
+ create mode 100644 plugin/pkg/admission/vke/BUILD
72 
+ create mode 100644 plugin/pkg/admission/vke/admission.go
73 
+ create mode 100644 plugin/pkg/admission/vke/admission_test.go
74 
+
75 
+diff --git a/api/swagger-spec/apps_v1alpha1.json b/api/swagger-spec/apps_v1alpha1.json
76 
+index aa3fbdc..9dba11e 100644
77 
+--- a/api/swagger-spec/apps_v1alpha1.json
3 78 
 @@ -1459,6 +1459,10 @@
4 79 
       "photonPersistentDisk": {
5 80 
        "$ref": "v1.PhotonPersistentDiskVolumeSource",
... ... 
@@ -12,14 +87,10 @@ diff -uNr --no-dereference kubernetes-original/api/swagger-spec/apps_v1alpha1.js
12 12 
       }
13 13 
      }
14 14 
     },
15 
-@@ -2105,6 +2109,23 @@
16 
-      },
17 
-      "fsType": {
18 
-       "type": "string",
19 
-+      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
20 
-+     }
21 
-+    }
22 
-+   },
15 
+@@ -2109,6 +2113,23 @@
16 
+      }
17 
+     }
18 
+    },
23 19 
 +   "v1.CascadeDiskVolumeSource": {
24 20 
 +    "id": "v1.CascadeDiskVolumeSource",
25 21 
 +    "description": "Represents a Cascade persistent disk resource.",
... ... 
@@ -33,12 +104,17 @@ diff -uNr --no-dereference kubernetes-original/api/swagger-spec/apps_v1alpha1.js
33 33 
 +     },
34 34 
 +     "fsType": {
35 35 
 +      "type": "string",
36 
-       "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
37 
-      }
38 
-     }
39 
-diff -uNr --no-dereference kubernetes-original/api/swagger-spec/apps_v1beta1.json kubernetes-modified/src/k8s.io/kubernetes/api/swagger-spec/apps_v1beta1.json
40 
-+++ kubernetes-modified/src/k8s.io/kubernetes/api/swagger-spec/apps_v1beta1.json	2018-04-30 21:11:51.000000000 +0000
36 
++      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
37 
++     }
38 
++    }
39 
++   },
40 
+    "v1.Container": {
41 
+     "id": "v1.Container",
42 
+     "description": "A single application container that you want to run within a pod.",
43 
+diff --git a/api/swagger-spec/apps_v1beta1.json b/api/swagger-spec/apps_v1beta1.json
44 
+index e253317..6968ed0 100644
45 
+--- a/api/swagger-spec/apps_v1beta1.json
41 46 
 @@ -4479,6 +4479,10 @@
42 47 
        "$ref": "v1.PhotonPersistentDiskVolumeSource",
43 48 
        "description": "PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine"
... ... 
@@ -50,14 +126,10 @@ diff -uNr --no-dereference kubernetes-original/api/swagger-spec/apps_v1beta1.jso
50 50 
       "projected": {
51 51 
        "$ref": "v1.ProjectedVolumeSource",
52 52 
        "description": "Items for all in one resources secrets, configmaps, and downward API"
53 
-@@ -5202,6 +5206,23 @@
54 
-      },
55 
-      "fsType": {
56 
-       "type": "string",
57 
-+      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
58 
-+     }
59 
-+    }
60 
-+   },
53 
+@@ -5206,6 +5210,23 @@
54 
+      }
55 
+     }
56 
+    },
61 57 
 +   "v1.CascadeDiskVolumeSource": {
62 58 
 +    "id": "v1.CascadeDiskVolumeSource",
63 59 
 +    "description": "Represents a Cascade persistent disk resource.",
... ... 
@@ -71,12 +143,17 @@ diff -uNr --no-dereference kubernetes-original/api/swagger-spec/apps_v1beta1.jso
71 71 
 +     },
72 72 
 +     "fsType": {
73 73 
 +      "type": "string",
74 
-       "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
75 
-      }
76 
-     }
77 
-diff -uNr --no-dereference kubernetes-original/api/swagger-spec/apps_v1beta2.json kubernetes-modified/src/k8s.io/kubernetes/api/swagger-spec/apps_v1beta2.json
78 
-+++ kubernetes-modified/src/k8s.io/kubernetes/api/swagger-spec/apps_v1beta2.json	2018-04-30 21:11:51.000000000 +0000
74 
++      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
75 
++     }
76 
++    }
77 
++   },
78 
+    "v1.ProjectedVolumeSource": {
79 
+     "id": "v1.ProjectedVolumeSource",
80 
+     "description": "Represents a projected volume source",
81 
+diff --git a/api/swagger-spec/apps_v1beta2.json b/api/swagger-spec/apps_v1beta2.json
82 
+index be42788..28d0247 100644
83 
+--- a/api/swagger-spec/apps_v1beta2.json
79 84 
 @@ -6845,6 +6845,10 @@
80 85 
        "$ref": "v1.PhotonPersistentDiskVolumeSource",
81 86 
        "description": "PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine"
... ... 
@@ -88,14 +165,10 @@ diff -uNr --no-dereference kubernetes-original/api/swagger-spec/apps_v1beta2.jso
88 88 
       "projected": {
89 89 
        "$ref": "v1.ProjectedVolumeSource",
90 90 
        "description": "Items for all in one resources secrets, configmaps, and downward API"
91 
-@@ -7568,6 +7572,23 @@
92 
-      },
93 
-      "fsType": {
94 
-       "type": "string",
95 
-+      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
96 
-+     }
97 
-+    }
98 
-+   },
91 
+@@ -7572,6 +7576,23 @@
92 
+      }
93 
+     }
94 
+    },
99 95 
 +   "v1.CascadeDiskVolumeSource": {
100 96 
 +    "id": "v1.CascadeDiskVolumeSource",
101 97 
 +    "description": "Represents a Cascade persistent disk resource.",
... ... 
@@ -109,13 +182,18 @@ diff -uNr --no-dereference kubernetes-original/api/swagger-spec/apps_v1beta2.jso
109 109 
 +     },
110 110 
 +     "fsType": {
111 111 
 +      "type": "string",
112 
-       "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
113 
-      }
114 
-     }
115 
-diff -uNr --no-dereference kubernetes-original/api/swagger-spec/batch_v1beta1.json kubernetes-modified/src/k8s.io/kubernetes/api/swagger-spec/batch_v1beta1.json
116 
-+++ kubernetes-modified/src/k8s.io/kubernetes/api/swagger-spec/batch_v1beta1.json	2018-04-30 21:11:51.000000000 +0000
117 
-@@ -1874,6 +1874,10 @@
112 
++      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
113 
++     }
114 
++    }
115 
++   },
116 
+    "v1.ProjectedVolumeSource": {
117 
+     "id": "v1.ProjectedVolumeSource",
118 
+     "description": "Represents a projected volume source",
119 
+diff --git a/api/swagger-spec/batch_v1.json b/api/swagger-spec/batch_v1.json
120 
+index 28787d8..9adba42 100644
121 
+--- a/api/swagger-spec/batch_v1.json
122 
+@@ -1819,6 +1819,10 @@
118 123 
        "$ref": "v1.PhotonPersistentDiskVolumeSource",
119 124 
        "description": "PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine"
120 125 
       },
... ... 
@@ -126,14 +204,10 @@ diff -uNr --no-dereference kubernetes-original/api/swagger-spec/batch_v1beta1.js
126 126 
       "projected": {
127 127 
        "$ref": "v1.ProjectedVolumeSource",
128 128 
        "description": "Items for all in one resources secrets, configmaps, and downward API"
129 
-@@ -2597,6 +2601,23 @@
130 
-      },
131 
-      "fsType": {
132 
-       "type": "string",
133 
-+      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
134 
-+     }
135 
-+    }
136 
-+   },
129 
+@@ -2546,6 +2550,23 @@
130 
+      }
131 
+     }
132 
+    },
137 133 
 +   "v1.CascadeDiskVolumeSource": {
138 134 
 +    "id": "v1.CascadeDiskVolumeSource",
139 135 
 +    "description": "Represents a Cascade persistent disk resource.",
... ... 
@@ -147,13 +221,18 @@ diff -uNr --no-dereference kubernetes-original/api/swagger-spec/batch_v1beta1.js
147 147 
 +     },
148 148 
 +     "fsType": {
149 149 
 +      "type": "string",
150 
-       "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
151 
-      }
152 
-     }
153 
-diff -uNr --no-dereference kubernetes-original/api/swagger-spec/batch_v1.json kubernetes-modified/src/k8s.io/kubernetes/api/swagger-spec/batch_v1.json
154 
-+++ kubernetes-modified/src/k8s.io/kubernetes/api/swagger-spec/batch_v1.json	2018-04-30 21:11:51.000000000 +0000
155 
-@@ -1819,6 +1819,10 @@
150 
++      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
151 
++     }
152 
++    }
153 
++   },
154 
+    "v1.ProjectedVolumeSource": {
155 
+     "id": "v1.ProjectedVolumeSource",
156 
+     "description": "Represents a projected volume source",
157 
+diff --git a/api/swagger-spec/batch_v1beta1.json b/api/swagger-spec/batch_v1beta1.json
158 
+index bb9b870..8bab946 100644
159 
+--- a/api/swagger-spec/batch_v1beta1.json
160 
+@@ -1874,6 +1874,10 @@
156 161 
        "$ref": "v1.PhotonPersistentDiskVolumeSource",
157 162 
        "description": "PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine"
158 163 
       },
... ... 
@@ -164,14 +243,10 @@ diff -uNr --no-dereference kubernetes-original/api/swagger-spec/batch_v1.json ku
164 164 
       "projected": {
165 165 
        "$ref": "v1.ProjectedVolumeSource",
166 166 
        "description": "Items for all in one resources secrets, configmaps, and downward API"
167 
-@@ -2542,6 +2546,23 @@
168 
-      },
169 
-      "fsType": {
170 
-       "type": "string",
171 
-+      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
172 
-+     }
173 
-+    }
174 
-+   },
167 
+@@ -2601,6 +2605,23 @@
168 
+      }
169 
+     }
170 
+    },
175 171 
 +   "v1.CascadeDiskVolumeSource": {
176 172 
 +    "id": "v1.CascadeDiskVolumeSource",
177 173 
 +    "description": "Represents a Cascade persistent disk resource.",
... ... 
@@ -185,12 +260,17 @@ diff -uNr --no-dereference kubernetes-original/api/swagger-spec/batch_v1.json ku
185 185 
 +     },
186 186 
 +     "fsType": {
187 187 
 +      "type": "string",
188 
-       "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
189 
-      }
190 
-     }
191 
-diff -uNr --no-dereference kubernetes-original/api/swagger-spec/batch_v2alpha1.json kubernetes-modified/src/k8s.io/kubernetes/api/swagger-spec/batch_v2alpha1.json
192 
-+++ kubernetes-modified/src/k8s.io/kubernetes/api/swagger-spec/batch_v2alpha1.json	2018-04-30 21:11:51.000000000 +0000
188 
++      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
189 
++     }
190 
++    }
191 
++   },
192 
+    "v1.ProjectedVolumeSource": {
193 
+     "id": "v1.ProjectedVolumeSource",
194 
+     "description": "Represents a projected volume source",
195 
+diff --git a/api/swagger-spec/batch_v2alpha1.json b/api/swagger-spec/batch_v2alpha1.json
196 
+index cde6619..1e428a5 100644
197 
+--- a/api/swagger-spec/batch_v2alpha1.json
193 198 
 @@ -1889,6 +1889,10 @@
194 199 
       "storageos": {
195 200 
        "$ref": "v1.StorageOSVolumeSource",
... ... 
@@ -226,9 +306,10 @@ diff -uNr --no-dereference kubernetes-original/api/swagger-spec/batch_v2alpha1.j
226 226 
     "v1.Container": {
227 227 
      "id": "v1.Container",
228 228 
      "description": "A single application container that you want to run within a pod.",
229 
-diff -uNr --no-dereference kubernetes-original/api/swagger-spec/extensions_v1beta1.json kubernetes-modified/src/k8s.io/kubernetes/api/swagger-spec/extensions_v1beta1.json
230 
-+++ kubernetes-modified/src/k8s.io/kubernetes/api/swagger-spec/extensions_v1beta1.json	2018-04-30 21:11:51.000000000 +0000
229 
+diff --git a/api/swagger-spec/extensions_v1beta1.json b/api/swagger-spec/extensions_v1beta1.json
230 
+index d8b20a3..ea271e1 100644
231 
+--- a/api/swagger-spec/extensions_v1beta1.json
231 232 
 @@ -7502,6 +7502,10 @@
232 233 
       "storageos": {
233 234 
        "$ref": "v1.StorageOSVolumeSource",
... ... 
@@ -240,14 +321,10 @@ diff -uNr --no-dereference kubernetes-original/api/swagger-spec/extensions_v1bet
240 240 
       }
241 241 
      }
242 242 
     },
243 
-@@ -8210,6 +8214,23 @@
244 
-      },
245 
-      "fsType": {
246 
-       "type": "string",
247 
-+      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
248 
-+     }
249 
-+    }
250 
-+   },
243 
+@@ -8214,6 +8218,23 @@
244 
+      }
245 
+     }
246 
+    },
251 247 
 +   "v1.CascadeDiskVolumeSource": {
252 248 
 +    "id": "v1.CascadeDiskVolumeSource",
253 249 
 +    "description": "Represents a Cascade persistent disk resource.",
... ... 
@@ -261,12 +338,17 @@ diff -uNr --no-dereference kubernetes-original/api/swagger-spec/extensions_v1bet
261 261 
 +     },
262 262 
 +     "fsType": {
263 263 
 +      "type": "string",
264 
-       "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
265 
-      }
266 
-     }
267 
-diff -uNr --no-dereference kubernetes-original/api/swagger-spec/settings.k8s.io_v1alpha1.json kubernetes-modified/src/k8s.io/kubernetes/api/swagger-spec/settings.k8s.io_v1alpha1.json
268 
-+++ kubernetes-modified/src/k8s.io/kubernetes/api/swagger-spec/settings.k8s.io_v1alpha1.json	2018-04-30 21:11:51.000000000 +0000
264 
++      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
265 
++     }
266 
++    }
267 
++   },
268 
+    "v1.ProjectedVolumeSource": {
269 
+     "id": "v1.ProjectedVolumeSource",
270 
+     "description": "Represents a projected volume source",
271 
+diff --git a/api/swagger-spec/settings.k8s.io_v1alpha1.json b/api/swagger-spec/settings.k8s.io_v1alpha1.json
272 
+index dc442a8..c1b2d1e 100644
273 
+--- a/api/swagger-spec/settings.k8s.io_v1alpha1.json
269 274 
 @@ -1676,6 +1676,10 @@
270 275 
       "storageos": {
271 276 
        "$ref": "v1.StorageOSVolumeSource",
... ... 
@@ -278,14 +360,10 @@ diff -uNr --no-dereference kubernetes-original/api/swagger-spec/settings.k8s.io_
278 278 
       }
279 279 
      }
280 280 
     },
281 
-@@ -2346,6 +2350,23 @@
282 
-      },
283 
-      "fsType": {
284 
-       "type": "string",
285 
-+      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
286 
-+     }
287 
-+    }
288 
-+   },
281 
+@@ -2350,6 +2354,23 @@
282 
+      }
283 
+     }
284 
+    },
289 285 
 +   "v1.CascadeDiskVolumeSource": {
290 286 
 +    "id": "v1.CascadeDiskVolumeSource",
291 287 
 +    "description": "Represents a Cascade persistent disk resource.",
... ... 
@@ -299,12 +377,17 @@ diff -uNr --no-dereference kubernetes-original/api/swagger-spec/settings.k8s.io_
299 299 
 +     },
300 300 
 +     "fsType": {
301 301 
 +      "type": "string",
302 
-       "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
303 
-      }
304 
-     }
305 
-diff -uNr --no-dereference kubernetes-original/api/swagger-spec/v1.json kubernetes-modified/src/k8s.io/kubernetes/api/swagger-spec/v1.json
306 
-+++ kubernetes-modified/src/k8s.io/kubernetes/api/swagger-spec/v1.json	2018-04-30 21:11:51.000000000 +0000
302 
++      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
303 
++     }
304 
++    }
305 
++   },
306 
+    "v1.ProjectedVolumeSource": {
307 
+     "id": "v1.ProjectedVolumeSource",
308 
+     "description": "Represents a projected volume source",
309 
+diff --git a/api/swagger-spec/v1.json b/api/swagger-spec/v1.json
310 
+index 97be62b..e1cba2b 100644
311 
+--- a/api/swagger-spec/v1.json
307 312 
 @@ -20629,6 +20629,10 @@
308 313 
        "$ref": "v1.PhotonPersistentDiskVolumeSource",
309 314 
        "description": "PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine"
... ... 
@@ -351,10 +434,29 @@ diff -uNr --no-dereference kubernetes-original/api/swagger-spec/v1.json kubernet
351 351 
       }
352 352 
      }
353 353 
     },
354 
-diff -uNr --no-dereference kubernetes-original/cmd/kube-controller-manager/app/BUILD kubernetes-modified/src/k8s.io/kubernetes/cmd/kube-controller-manager/app/BUILD
355 
-+++ kubernetes-modified/src/k8s.io/kubernetes/cmd/kube-controller-manager/app/BUILD	2018-04-30 21:11:51.000000000 +0000
356 
-@@ -86,6 +86,7 @@
354 
+diff --git a/cmd/kube-apiserver/app/options/plugins.go b/cmd/kube-apiserver/app/options/plugins.go
355 
+index a0d2502..4fe32e4 100644
356 
+--- a/cmd/kube-apiserver/app/options/plugins.go
357 
+@@ -52,6 +52,7 @@ import (
358 
+ 	"k8s.io/kubernetes/plugin/pkg/admission/securitycontext/scdeny"
359 
+ 	"k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
360 
+ 	"k8s.io/kubernetes/plugin/pkg/admission/storageclass/setdefault"
361 
++	"k8s.io/kubernetes/plugin/pkg/admission/vke"
362 
+ )
363 
+
364 
+ // RegisterAllAdmissionPlugins registers all admission plugins
365 
+@@ -83,4 +84,5 @@ func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
366 
+ 	setdefault.Register(plugins)
367 
+ 	resize.Register(plugins)
368 
+ 	pvcprotection.Register(plugins)
369 
++	vke.Register(plugins)
370 
+ }
371 
+diff --git a/cmd/kube-controller-manager/app/BUILD b/cmd/kube-controller-manager/app/BUILD
372 
+index c518b36..f1a91f6 100644
373 
+--- a/cmd/kube-controller-manager/app/BUILD
374 
+@@ -86,6 +86,7 @@ go_library(
357 375 
          "//pkg/volume/aws_ebs:go_default_library",
358 376 
          "//pkg/volume/azure_dd:go_default_library",
359 377 
          "//pkg/volume/azure_file:go_default_library",
... ... 
@@ -362,10 +464,11 @@ diff -uNr --no-dereference kubernetes-original/cmd/kube-controller-manager/app/B
362 362 
          "//pkg/volume/cinder:go_default_library",
363 363 
          "//pkg/volume/csi:go_default_library",
364 364 
          "//pkg/volume/fc:go_default_library",
365 
-diff -uNr --no-dereference kubernetes-original/cmd/kube-controller-manager/app/plugins.go kubernetes-modified/src/k8s.io/kubernetes/cmd/kube-controller-manager/app/plugins.go
366 
-+++ kubernetes-modified/src/k8s.io/kubernetes/cmd/kube-controller-manager/app/plugins.go	2018-04-30 21:11:51.000000000 +0000
367 
-@@ -34,6 +34,7 @@
365 
+diff --git a/cmd/kube-controller-manager/app/plugins.go b/cmd/kube-controller-manager/app/plugins.go
366 
+index 170c366..5fa1cb1 100644
367 
+--- a/cmd/kube-controller-manager/app/plugins.go
368 
+@@ -34,6 +34,7 @@ import (
368 369 
  	"k8s.io/kubernetes/pkg/volume/aws_ebs"
369 370 
  	"k8s.io/kubernetes/pkg/volume/azure_dd"
370 371 
  	"k8s.io/kubernetes/pkg/volume/azure_file"
... ... 
@@ -373,7 +476,7 @@ diff -uNr --no-dereference kubernetes-original/cmd/kube-controller-manager/app/p
373 373 
  	"k8s.io/kubernetes/pkg/volume/cinder"
374 374 
  	"k8s.io/kubernetes/pkg/volume/csi"
375 375 
  	"k8s.io/kubernetes/pkg/volume/fc"
376 
-@@ -77,6 +78,7 @@
376 
+@@ -77,6 +78,7 @@ func ProbeAttachableVolumePlugins() []volume.VolumePlugin {
377 377 
  	allPlugins = append(allPlugins, fc.ProbeVolumePlugins()...)
378 378 
  	allPlugins = append(allPlugins, iscsi.ProbeVolumePlugins()...)
379 379 
  	allPlugins = append(allPlugins, rbd.ProbeVolumePlugins()...)
... ... 
@@ -381,7 +484,7 @@ diff -uNr --no-dereference kubernetes-original/cmd/kube-controller-manager/app/p
381 381 
  	if utilfeature.DefaultFeatureGate.Enabled(features.CSIPersistentVolume) {
382 382 
  		allPlugins = append(allPlugins, csi.ProbeVolumePlugins()...)
383 383 
  	}
384 
-@@ -106,6 +108,7 @@
384 
+@@ -106,6 +108,7 @@ func ProbeExpandableVolumePlugins(config componentconfig.VolumeConfiguration) []
385 385 
  	allPlugins = append(allPlugins, scaleio.ProbeVolumePlugins()...)
386 386 
  	allPlugins = append(allPlugins, storageos.ProbeVolumePlugins()...)
387 387 
  	allPlugins = append(allPlugins, fc.ProbeVolumePlugins()...)
... ... 
@@ -389,7 +492,7 @@ diff -uNr --no-dereference kubernetes-original/cmd/kube-controller-manager/app/p
389 389 
  	if !utilfeature.DefaultFeatureGate.Enabled(features.CSIPersistentVolume) {
390 390 
  		allPlugins = append(allPlugins, csi.ProbeVolumePlugins()...)
391 391 
  	}
392 
-@@ -165,6 +168,7 @@
392 
+@@ -165,6 +168,7 @@ func ProbeControllerVolumePlugins(cloud cloudprovider.Interface, config componen
393 393 
  	allPlugins = append(allPlugins, vsphere_volume.ProbeVolumePlugins()...)
394 394 
  	allPlugins = append(allPlugins, azure_dd.ProbeVolumePlugins()...)
395 395 
  	allPlugins = append(allPlugins, photon_pd.ProbeVolumePlugins()...)
... ... 
@@ -397,10 +500,11 @@ diff -uNr --no-dereference kubernetes-original/cmd/kube-controller-manager/app/p
397 397
398 398 
  	return allPlugins
399 399 
  }
400 
-diff -uNr --no-dereference kubernetes-original/cmd/kubelet/app/BUILD kubernetes-modified/src/k8s.io/kubernetes/cmd/kubelet/app/BUILD
401 
-+++ kubernetes-modified/src/k8s.io/kubernetes/cmd/kubelet/app/BUILD	2018-04-30 21:11:51.000000000 +0000
402 
-@@ -74,6 +74,7 @@
400 
+diff --git a/cmd/kubelet/app/BUILD b/cmd/kubelet/app/BUILD
401 
+index c7e482f..0d3645a 100644
402 
+--- a/cmd/kubelet/app/BUILD
403 
+@@ -74,6 +74,7 @@ go_library(
403 404 
          "//pkg/volume/aws_ebs:go_default_library",
404 405 
          "//pkg/volume/azure_dd:go_default_library",
405 406 
          "//pkg/volume/azure_file:go_default_library",
... ... 
@@ -408,10 +512,11 @@ diff -uNr --no-dereference kubernetes-original/cmd/kubelet/app/BUILD kubernetes-
408 408 
          "//pkg/volume/cephfs:go_default_library",
409 409 
          "//pkg/volume/cinder:go_default_library",
410 410 
          "//pkg/volume/configmap:go_default_library",
411 
-diff -uNr --no-dereference kubernetes-original/cmd/kubelet/app/plugins.go kubernetes-modified/src/k8s.io/kubernetes/cmd/kubelet/app/plugins.go
412 
-+++ kubernetes-modified/src/k8s.io/kubernetes/cmd/kubelet/app/plugins.go	2018-04-30 21:11:51.000000000 +0000
413 
-@@ -32,6 +32,7 @@
411 
+diff --git a/cmd/kubelet/app/plugins.go b/cmd/kubelet/app/plugins.go
412 
+index ef41bb8..c9806f7 100644
413 
+--- a/cmd/kubelet/app/plugins.go
414 
+@@ -32,6 +32,7 @@ import (
414 415 
  	"k8s.io/kubernetes/pkg/volume/aws_ebs"
415 416 
  	"k8s.io/kubernetes/pkg/volume/azure_dd"
416 417 
  	"k8s.io/kubernetes/pkg/volume/azure_file"
... ... 
@@ -419,7 +524,7 @@ diff -uNr --no-dereference kubernetes-original/cmd/kubelet/app/plugins.go kubern
419 419 
  	"k8s.io/kubernetes/pkg/volume/cephfs"
420 420 
  	"k8s.io/kubernetes/pkg/volume/cinder"
421 421 
  	"k8s.io/kubernetes/pkg/volume/configmap"
422 
-@@ -100,6 +101,7 @@
422 
+@@ -100,6 +101,7 @@ func ProbeVolumePlugins() []volume.VolumePlugin {
423 423 
  	allPlugins = append(allPlugins, scaleio.ProbeVolumePlugins()...)
424 424 
  	allPlugins = append(allPlugins, local.ProbeVolumePlugins()...)
425 425 
  	allPlugins = append(allPlugins, storageos.ProbeVolumePlugins()...)
... ... 
@@ -427,259 +532,11 @@ diff -uNr --no-dereference kubernetes-original/cmd/kubelet/app/plugins.go kubern
427 427 
  	if utilfeature.DefaultFeatureGate.Enabled(features.CSIPersistentVolume) {
428 428 
  		allPlugins = append(allPlugins, csi.ProbeVolumePlugins()...)
429 429 
  	}
430 
-diff -uNr --no-dereference kubernetes-original/.idea/kubernetes.iml kubernetes-modified/src/k8s.io/kubernetes/.idea/kubernetes.iml
431 
-+++ kubernetes-modified/src/k8s.io/kubernetes/.idea/kubernetes.iml	2018-04-30 21:11:51.000000000 +0000
432 
-@@ -0,0 +1,9 @@
433 
-+<?xml version="1.0" encoding="UTF-8"?>
434 
-+<module type="JAVA_MODULE" version="4">
435 
-+  <component name="NewModuleRootManager" inherit-compiler-output="true">
436 
-+    <exclude-output />
437 
-+    <content url="file://$MODULE_DIR$" />
438 
-+    <orderEntry type="inheritedJdk" />
439 
-+    <orderEntry type="sourceFolder" forTests="false" />
440 
-+  </component>
441 
-+</module>
442 
-\ No newline at end of file
443 
-diff -uNr --no-dereference kubernetes-original/.idea/modules.xml kubernetes-modified/src/k8s.io/kubernetes/.idea/modules.xml
444 
-+++ kubernetes-modified/src/k8s.io/kubernetes/.idea/modules.xml	2018-04-30 21:11:51.000000000 +0000
445 
-@@ -0,0 +1,8 @@
446 
-+<?xml version="1.0" encoding="UTF-8"?>
447 
-+<project version="4">
448 
-+  <component name="ProjectModuleManager">
449 
-+    <modules>
450 
-+      <module fileurl="file://$PROJECT_DIR$/.idea/kubernetes.iml" filepath="$PROJECT_DIR$/.idea/kubernetes.iml" />
451 
-+    </modules>
452 
-+  </component>
453 
-+</project>
454 
-\ No newline at end of file
455 
-diff -uNr --no-dereference kubernetes-original/.idea/workspace.xml kubernetes-modified/src/k8s.io/kubernetes/.idea/workspace.xml
456 
-+++ kubernetes-modified/src/k8s.io/kubernetes/.idea/workspace.xml	2018-04-30 21:11:51.000000000 +0000
457 
-@@ -0,0 +1,217 @@
458 
-+<?xml version="1.0" encoding="UTF-8"?>
459 
-+<project version="4">
460 
-+  <component name="ChangeListManager">
461 
-+    <list default="true" id="76c7d3c7-31f8-4430-8717-7c15514d1ce9" name="Default" comment="" />
462 
-+    <option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true" />
463 
-+    <option name="TRACKING_ENABLED" value="true" />
464 
-+    <option name="SHOW_DIALOG" value="false" />
465 
-+    <option name="HIGHLIGHT_CONFLICTS" value="true" />
466 
-+    <option name="HIGHLIGHT_NON_ACTIVE_CHANGELIST" value="false" />
467 
-+    <option name="LAST_RESOLUTION" value="IGNORE" />
468 
-+  </component>
469 
-+  <component name="ExecutionTargetManager" SELECTED_TARGET="default_target" />
470 
-+  <component name="GradleLocalSettings">
471 
-+    <option name="externalProjectsViewState">
472 
-+      <projects_view />
473 
-+    </option>
474 
-+  </component>
475 
-+  <component name="ProjectFrameBounds">
476 
-+    <option name="x" value="1680" />
477 
-+    <option name="y" value="-235" />
478 
-+    <option name="width" value="2560" />
479 
-+    <option name="height" value="1417" />
480 
-+  </component>
481 
-+  <component name="ProjectView">
482 
-+    <navigator currentView="ProjectPane" proportions="" version="1">
483 
-+      <flattenPackages />
484 
-+      <showMembers />
485 
-+      <showModules />
486 
-+      <showLibraryContents />
487 
-+      <hideEmptyPackages />
488 
-+      <abbreviatePackageNames />
489 
-+      <autoscrollToSource />
490 
-+      <autoscrollFromSource />
491 
-+      <sortByType />
492 
-+      <manualOrder />
493 
-+      <foldersAlwaysOnTop value="true" />
494 
-+    </navigator>
495 
-+    <panes>
496 
-+      <pane id="Scope" />
497 
-+      <pane id="Scratches" />
498 
-+      <pane id="PackagesPane" />
499 
-+      <pane id="ProjectPane">
500 
-+        <subPane>
501 
-+          <PATH>
502 
-+            <PATH_ELEMENT>
503 
-+              <option name="myItemId" value="kubernetes" />
504 
-+              <option name="myItemType" value="com.intellij.ide.projectView.impl.nodes.ProjectViewProjectNode" />
505 
-+            </PATH_ELEMENT>
506 
-+            <PATH_ELEMENT>
507 
-+              <option name="myItemId" value="kubernetes" />
508 
-+              <option name="myItemType" value="com.intellij.ide.projectView.impl.nodes.PsiDirectoryNode" />
509 
-+            </PATH_ELEMENT>
510 
-+          </PATH>
511 
-+        </subPane>
512 
-+      </pane>
513 
-+    </panes>
514 
-+  </component>
515 
-+  <component name="PropertiesComponent">
516 
-+    <property name="settings.editor.selected.configurable" value="com.goide.configuration.GoLibrariesConfigurableProvider$1" />
517 
-+    <property name="configurable.Global.libraries.is.expanded" value="true" />
518 
-+    <property name="last_opened_file_path" value="$PROJECT_DIR$" />
519 
-+  </component>
520 
-+  <component name="RunDashboard">
521 
-+    <option name="ruleStates">
522 
-+      <list>
523 
-+        <RuleState>
524 
-+          <option name="name" value="ConfigurationTypeDashboardGroupingRule" />
525 
-+        </RuleState>
526 
-+        <RuleState>
527 
-+          <option name="name" value="StatusDashboardGroupingRule" />
528 
-+        </RuleState>
529 
-+      </list>
530 
-+    </option>
531 
-+  </component>
532 
-+  <component name="RunManager">
533 
-+    <configuration default="true" type="#org.jetbrains.idea.devkit.run.PluginConfigurationType" factoryName="Plugin">
534 
-+      <module name="" />
535 
-+      <option name="VM_PARAMETERS" value="-Xmx512m -Xms256m -XX:MaxPermSize=250m -ea" />
536 
-+      <option name="PROGRAM_PARAMETERS" />
537 
-+      <predefined_log_file id="idea.log" enabled="true" />
538 
-+      <method />
539 
-+    </configuration>
540 
-+    <configuration default="true" type="Applet" factoryName="Applet">
541 
-+      <option name="HTML_USED" value="false" />
542 
-+      <option name="WIDTH" value="400" />
543 
-+      <option name="HEIGHT" value="300" />
544 
-+      <option name="POLICY_FILE" value="$APPLICATION_HOME_DIR$/bin/appletviewer.policy" />
545 
-+      <module />
546 
-+      <method />
547 
-+    </configuration>
548 
-+    <configuration default="true" type="Application" factoryName="Application">
549 
-+      <extension name="coverage" enabled="false" merge="false" sample_coverage="true" runner="idea" />
550 
-+      <option name="MAIN_CLASS_NAME" />
551 
-+      <option name="VM_PARAMETERS" />
552 
-+      <option name="PROGRAM_PARAMETERS" />
553 
-+      <option name="WORKING_DIRECTORY" value="$PROJECT_DIR$" />
554 
-+      <option name="ALTERNATIVE_JRE_PATH_ENABLED" value="false" />
555 
-+      <option name="ALTERNATIVE_JRE_PATH" />
556 
-+      <option name="ENABLE_SWING_INSPECTOR" value="false" />
557 
-+      <option name="ENV_VARIABLES" />
558 
-+      <option name="PASS_PARENT_ENVS" value="true" />
559 
-+      <module name="" />
560 
-+      <envs />
561 
-+      <method />
562 
-+    </configuration>
563 
-+    <configuration default="true" type="JUnit" factoryName="JUnit">
564 
-+      <extension name="coverage" enabled="false" merge="false" sample_coverage="true" runner="idea" />
565 
-+      <module name="" />
566 
-+      <option name="ALTERNATIVE_JRE_PATH_ENABLED" value="false" />
567 
-+      <option name="ALTERNATIVE_JRE_PATH" />
568 
-+      <option name="PACKAGE_NAME" />
569 
-+      <option name="MAIN_CLASS_NAME" />
570 
-+      <option name="METHOD_NAME" />
571 
-+      <option name="TEST_OBJECT" value="class" />
572 
-+      <option name="VM_PARAMETERS" value="-ea" />
573 
-+      <option name="PARAMETERS" />
574 
-+      <option name="WORKING_DIRECTORY" value="$MODULE_DIR$" />
575 
-+      <option name="ENV_VARIABLES" />
576 
-+      <option name="PASS_PARENT_ENVS" value="true" />
577 
-+      <option name="TEST_SEARCH_SCOPE">
578 
-+        <value defaultName="singleModule" />
579 
-+      </option>
580 
-+      <envs />
581 
-+      <patterns />
582 
-+      <method />
583 
-+    </configuration>
584 
-+    <configuration default="true" type="Remote" factoryName="Remote">
585 
-+      <option name="USE_SOCKET_TRANSPORT" value="true" />
586 
-+      <option name="SERVER_MODE" value="false" />
587 
-+      <option name="SHMEM_ADDRESS" value="javadebug" />
588 
-+      <option name="HOST" value="localhost" />
589 
-+      <option name="PORT" value="5005" />
590 
-+      <method />
591 
-+    </configuration>
592 
-+    <configuration default="true" type="TestNG" factoryName="TestNG">
593 
-+      <extension name="coverage" enabled="false" merge="false" sample_coverage="true" runner="idea" />
594 
-+      <module name="" />
595 
-+      <option name="ALTERNATIVE_JRE_PATH_ENABLED" value="false" />
596 
-+      <option name="ALTERNATIVE_JRE_PATH" />
597 
-+      <option name="SUITE_NAME" />
598 
-+      <option name="PACKAGE_NAME" />
599 
-+      <option name="MAIN_CLASS_NAME" />
600 
-+      <option name="METHOD_NAME" />
601 
-+      <option name="GROUP_NAME" />
602 
-+      <option name="TEST_OBJECT" value="CLASS" />
603 
-+      <option name="VM_PARAMETERS" value="-ea" />
604 
-+      <option name="PARAMETERS" />
605 
-+      <option name="WORKING_DIRECTORY" value="$MODULE_DIR$" />
606 
-+      <option name="OUTPUT_DIRECTORY" />
607 
-+      <option name="ANNOTATION_TYPE" />
608 
-+      <option name="ENV_VARIABLES" />
609 
-+      <option name="PASS_PARENT_ENVS" value="true" />
610 
-+      <option name="TEST_SEARCH_SCOPE">
611 
-+        <value defaultName="singleModule" />
612 
-+      </option>
613 
-+      <option name="USE_DEFAULT_REPORTERS" value="false" />
614 
-+      <option name="PROPERTIES_FILE" />
615 
-+      <envs />
616 
-+      <properties />
617 
-+      <listeners />
618 
-+      <method />
619 
-+    </configuration>
620 
-+  </component>
621 
-+  <component name="ShelveChangesManager" show_recycled="false">
622 
-+    <option name="remove_strategy" value="false" />
623 
-+  </component>
624 
-+  <component name="TaskManager">
625 
-+    <task active="true" id="Default" summary="Default task">
626 
-+      <changelist id="76c7d3c7-31f8-4430-8717-7c15514d1ce9" name="Default" comment="" />
627 
-+      <created>1510772775522</created>
628 
-+      <option name="number" value="Default" />
629 
-+      <option name="presentableId" value="Default" />
630 
-+      <updated>1510772775522</updated>
631 
-+    </task>
632 
-+    <servers />
633 
-+  </component>
634 
-+  <component name="ToolWindowManager">
635 
-+    <frame x="1680" y="-235" width="2560" height="1417" extended-state="6" />
636 
-+    <layout>
637 
-+      <window_info id="Palette" active="false" anchor="right" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="3" side_tool="false" content_ui="tabs" />
638 
-+      <window_info id="TODO" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="6" side_tool="false" content_ui="tabs" />
639 
-+      <window_info id="Nl-Palette" active="false" anchor="left" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="2" side_tool="false" content_ui="tabs" />
640 
-+      <window_info id="Palette&#9;" active="false" anchor="right" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="3" side_tool="false" content_ui="tabs" />
641 
-+      <window_info id="Image Layers" active="false" anchor="left" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="2" side_tool="false" content_ui="tabs" />
642 
-+      <window_info id="Capture Analysis" active="false" anchor="right" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="3" side_tool="false" content_ui="tabs" />
643 
-+      <window_info id="Event Log" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="7" side_tool="true" content_ui="tabs" />
644 
-+      <window_info id="Maven Projects" active="false" anchor="right" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="3" side_tool="false" content_ui="tabs" />
645 
-+      <window_info id="Run" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="2" side_tool="false" content_ui="tabs" />
646 
-+      <window_info id="Version Control" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="false" weight="0.33" sideWeight="0.5" order="7" side_tool="false" content_ui="tabs" />
647 
-+      <window_info id="Properties" active="false" anchor="right" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="3" side_tool="false" content_ui="tabs" />
648 
-+      <window_info id="Terminal" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="7" side_tool="false" content_ui="tabs" />
649 
-+      <window_info id="Capture Tool" active="false" anchor="left" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="2" side_tool="false" content_ui="tabs" />
650 
-+      <window_info id="Designer" active="false" anchor="left" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="2" side_tool="false" content_ui="tabs" />
651 
-+      <window_info id="Project" active="true" anchor="left" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="true" show_stripe_button="true" weight="0.25178713" sideWeight="0.5" order="0" side_tool="false" content_ui="combo" />
652 
-+      <window_info id="Structure" active="false" anchor="left" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.25" sideWeight="0.5" order="1" side_tool="false" content_ui="tabs" />
653 
-+      <window_info id="Ant Build" active="false" anchor="right" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.25" sideWeight="0.5" order="1" side_tool="false" content_ui="tabs" />
654 
-+      <window_info id="UI Designer" active="false" anchor="left" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="2" side_tool="false" content_ui="tabs" />
655 
-+      <window_info id="Theme Preview" active="false" anchor="right" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="3" side_tool="false" content_ui="tabs" />
656 
-+      <window_info id="Debug" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.4" sideWeight="0.5" order="3" side_tool="false" content_ui="tabs" />
657 
-+      <window_info id="Favorites" active="false" anchor="left" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="2" side_tool="true" content_ui="tabs" />
658 
-+      <window_info id="Data View" active="false" anchor="right" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="3" side_tool="false" content_ui="tabs" />
659 
-+      <window_info id="Cvs" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.25" sideWeight="0.5" order="4" side_tool="false" content_ui="tabs" />
660 
-+      <window_info id="Message" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="0" side_tool="false" content_ui="tabs" />
661 
-+      <window_info id="Commander" active="false" anchor="right" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.4" sideWeight="0.5" order="0" side_tool="false" content_ui="tabs" />
662 
-+      <window_info id="Hierarchy" active="false" anchor="right" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.25" sideWeight="0.5" order="2" side_tool="false" content_ui="combo" />
663 
-+      <window_info id="Inspection" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.4" sideWeight="0.5" order="5" side_tool="false" content_ui="tabs" />
664 
-+      <window_info id="Find" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="1" side_tool="false" content_ui="tabs" />
665 
-+    </layout>
666 
-+  </component>
667 
-+  <component name="VcsContentAnnotationSettings">
668 
-+    <option name="myLimit" value="2678400000" />
669 
-+  </component>
670 
-+  <component name="XDebuggerManager">
671 
-+    <breakpoint-manager />
672 
-+    <watches-manager />
673 
-+  </component>
674 
-+</project>
675 
-\ No newline at end of file
676 
-diff -uNr --no-dereference kubernetes-original/pkg/apis/core/types.go kubernetes-modified/src/k8s.io/kubernetes/pkg/apis/core/types.go
677 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/apis/core/types.go	2018-04-30 21:11:51.000000000 +0000
678 
-@@ -316,6 +316,8 @@
430 
+diff --git a/pkg/apis/core/types.go b/pkg/apis/core/types.go
431 
+index b6b570b..1d9db5e 100644
432 
+--- a/pkg/apis/core/types.go
433 
+@@ -316,6 +316,8 @@ type VolumeSource struct {
679 434 
  	// StorageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod
680 435 
  	// +optional
681 436 
  	StorageOS *StorageOSVolumeSource
... ... 
@@ -688,7 +545,7 @@ diff -uNr --no-dereference kubernetes-original/pkg/apis/core/types.go kubernetes
688 688 
  }
689 689
690 690 
  // Similar to VolumeSource but meant for the administrator who creates PVs.
691 
-@@ -394,6 +396,8 @@
691 
+@@ -394,6 +396,8 @@ type PersistentVolumeSource struct {
692 692 
  	// CSI (Container Storage Interface) represents storage that handled by an external CSI driver
693 693 
  	// +optional
694 694 
  	CSI *CSIPersistentVolumeSource
... ... 
@@ -697,7 +554,7 @@ diff -uNr --no-dereference kubernetes-original/pkg/apis/core/types.go kubernetes
697 697 
  }
698 698
699 699 
  type PersistentVolumeClaimVolumeSource struct {
700 
-@@ -1471,6 +1475,16 @@
700 
+@@ -1471,6 +1475,16 @@ type StorageOSPersistentVolumeSource struct {
701 701 
  	SecretRef *ObjectReference
702 702 
  }
703 703
... ... 
@@ -714,10 +571,11 @@ diff -uNr --no-dereference kubernetes-original/pkg/apis/core/types.go kubernetes
714 714 
  // Adapts a ConfigMap into a volume.
715 715 
  //
716 716 
  // The contents of the target ConfigMap's Data field will be presented in a
717 
-diff -uNr --no-dereference kubernetes-original/pkg/apis/core/validation/validation.go kubernetes-modified/src/k8s.io/kubernetes/pkg/apis/core/validation/validation.go
718 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/apis/core/validation/validation.go	2018-04-30 21:11:51.000000000 +0000
719 
-@@ -681,6 +681,14 @@
717 
+diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go
718 
+index f6ab55f..2fa447d 100644
719 
+--- a/pkg/apis/core/validation/validation.go
720 
+@@ -681,6 +681,14 @@ func validateVolumeSource(source *core.VolumeSource, fldPath *field.Path, volNam
720 721 
  			allErrs = append(allErrs, validateScaleIOVolumeSource(source.ScaleIO, fldPath.Child("scaleIO"))...)
721 722 
  		}
722 723 
  	}
... ... 
@@ -732,7 +590,7 @@ diff -uNr --no-dereference kubernetes-original/pkg/apis/core/validation/validati
732 732
733 733 
  	if numVolumes == 0 {
734 734 
  		allErrs = append(allErrs, field.Required(fldPath, "must specify a volume type"))
735 
-@@ -1440,6 +1448,14 @@
735 
+@@ -1440,6 +1448,14 @@ func validateCSIPersistentVolumeSource(csi *core.CSIPersistentVolumeSource, fldP
736 736 
  	return allErrs
737 737 
  }
738 738
... ... 
@@ -747,7 +605,7 @@ diff -uNr --no-dereference kubernetes-original/pkg/apis/core/validation/validati
747 747 
  // ValidatePersistentVolumeName checks that a name is appropriate for a
748 748 
  // PersistentVolumeName object.
749 749 
  var ValidatePersistentVolumeName = NameIsDNSSubdomain
750 
-@@ -1674,6 +1690,15 @@
750 
+@@ -1674,6 +1690,15 @@ func ValidatePersistentVolume(pv *core.PersistentVolume) field.ErrorList {
751 751 
  		}
752 752 
  	}
753 753
... ... 
@@ -763,10 +621,11 @@ diff -uNr --no-dereference kubernetes-original/pkg/apis/core/validation/validati
763 763 
  	if numVolumes == 0 {
764 764 
  		allErrs = append(allErrs, field.Required(specPath, "must specify a volume type"))
765 765 
  	}
766 
-diff -uNr --no-dereference kubernetes-original/pkg/apis/extensions/types.go kubernetes-modified/src/k8s.io/kubernetes/pkg/apis/extensions/types.go
767 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/apis/extensions/types.go	2018-04-30 21:11:51.000000000 +0000
768 
-@@ -925,6 +925,7 @@
766 
+diff --git a/pkg/apis/extensions/types.go b/pkg/apis/extensions/types.go
767 
+index e369728..a5406ab 100644
768 
+--- a/pkg/apis/extensions/types.go
769 
+@@ -925,6 +925,7 @@ var (
769 770 
  	PortworxVolume        FSType = "portworxVolume"
770 771 
  	ScaleIO               FSType = "scaleIO"
771 772 
  	CSI                   FSType = "csi"
... ... 
@@ -774,10 +633,11 @@ diff -uNr --no-dereference kubernetes-original/pkg/apis/extensions/types.go kube
774 774 
  	All                   FSType = "*"
775 775 
  )
776 776
777 
-diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/BUILD kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/BUILD
778 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/BUILD	2018-04-30 21:11:51.000000000 +0000
779 
-@@ -12,6 +12,7 @@
777 
+diff --git a/pkg/cloudprovider/providers/BUILD b/pkg/cloudprovider/providers/BUILD
778 
+index aeccfa1..4313576 100644
779 
+--- a/pkg/cloudprovider/providers/BUILD
780 
+@@ -12,6 +12,7 @@ go_library(
780 781 
      deps = [
781 782 
          "//pkg/cloudprovider/providers/aws:go_default_library",
782 783 
          "//pkg/cloudprovider/providers/azure:go_default_library",
... ... 
@@ -785,7 +645,7 @@ diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/BUILD
785 785 
          "//pkg/cloudprovider/providers/cloudstack:go_default_library",
786 786 
          "//pkg/cloudprovider/providers/gce:go_default_library",
787 787 
          "//pkg/cloudprovider/providers/openstack:go_default_library",
788 
-@@ -34,6 +35,7 @@
788 
+@@ -34,6 +35,7 @@ filegroup(
789 789 
          ":package-srcs",
790 790 
          "//pkg/cloudprovider/providers/aws:all-srcs",
791 791 
          "//pkg/cloudprovider/providers/azure:all-srcs",
... ... 
@@ -793,9 +653,70 @@ diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/BUILD
793 793 
          "//pkg/cloudprovider/providers/cloudstack:all-srcs",
794 794 
          "//pkg/cloudprovider/providers/fake:all-srcs",
795 795 
          "//pkg/cloudprovider/providers/gce:all-srcs",
796 
-diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/cascade/apitypes.go kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/apitypes.go
797 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/apitypes.go	2018-04-30 21:11:51.000000000 +0000
796 
+diff --git a/pkg/cloudprovider/providers/cascade/BUILD b/pkg/cloudprovider/providers/cascade/BUILD
797 
+new file mode 100644
798 
+index 0000000..1ff2ad1
799 
+--- /dev/null
800 
+@@ -0,0 +1,44 @@
801 
++package(default_visibility = ["//visibility:public"])
802 
++
803 
++load(
804 
++    "@io_bazel_rules_go//go:def.bzl",
805 
++    "go_library",
806 
++)
807 
++
808 
++go_library(
809 
++    name = "go_default_library",
810 
++    srcs = [
811 
++        "apitypes.go",
812 
++        "auth.go",
813 
++        "cascade.go",
814 
++        "cascade_disks.go",
815 
++        "cascade_instances.go",
816 
++        "cascade_loadbalancer.go",
817 
++        "client.go",
818 
++        "oidcclient.go",
819 
++        "restclient.go",
820 
++        "utils.go"
821 
++        ],
822 
++    deps = [
823 
++        "//pkg/api/v1/helper:go_default_library",
824 
++        "//pkg/cloudprovider:go_default_library",
825 
++        "//pkg/controller:go_default_library",
826 
++        "//vendor/github.com/golang/glog:go_default_library",
827 
++        "//vendor/gopkg.in/gcfg.v1:go_default_library",
828 
++        "//vendor/k8s.io/api/core/v1:go_default_library",
829 
++        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
830 
++    ],
831 
++)
832 
++
833 
++filegroup(
834 
++    name = "package-srcs",
835 
++    srcs = glob(["**"]),
836 
++    tags = ["automanaged"],
837 
++    visibility = ["//visibility:private"],
838 
++)
839 
++
840 
++filegroup(
841 
++    name = "all-srcs",
842 
++    srcs = [":package-srcs"],
843 
++    tags = ["automanaged"],
844 
++)
845 
+diff --git a/pkg/cloudprovider/providers/cascade/OWNERS b/pkg/cloudprovider/providers/cascade/OWNERS
846 
+new file mode 100644
847 
+index 0000000..70efc9d
848 
+--- /dev/null
849 
+@@ -0,0 +1,3 @@
850 
++maintainers:
851 
++- ashokc
852 
++- ysheng
853 
+diff --git a/pkg/cloudprovider/providers/cascade/apitypes.go b/pkg/cloudprovider/providers/cascade/apitypes.go
854 
+new file mode 100644
855 
+index 0000000..4a94068
856 
+--- /dev/null
798 857 
 @@ -0,0 +1,227 @@
799 858 
 +package cascade
800 859 
 +
... ... 
@@ -1024,9 +945,11 @@ diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/casca
1024 1024 
 +type LoadBalancerVMUpdate struct {
1025 1025 
 +	VMIds []*LoadBalancerVM `json:"vmIds"`
1026 1026 
 +}
1027 
-diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/cascade/auth.go kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/auth.go
1028 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/auth.go	2018-04-30 21:11:51.000000000 +0000
1027 
+diff --git a/pkg/cloudprovider/providers/cascade/auth.go b/pkg/cloudprovider/providers/cascade/auth.go
1028 
+new file mode 100644
1029 
+index 0000000..fc92377
1030 
+--- /dev/null
1029 1031 
 @@ -0,0 +1,145 @@
1030 1032 
 +package cascade
1031 1033 
 +
... ... 
@@ -1174,57 +1097,234 @@ diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/casca
1174 1174 
 +	return pwd, nil
1175 1175 
 +}
1176 1176 
 \ No newline at end of file
1177 
-diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/cascade/BUILD kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/BUILD
1178 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/BUILD	2018-04-30 21:11:51.000000000 +0000
1179 
-@@ -0,0 +1,44 @@
1180 
-+package(default_visibility = ["//visibility:public"])
1177 
+diff --git a/pkg/cloudprovider/providers/cascade/cascade.go b/pkg/cloudprovider/providers/cascade/cascade.go
1178 
+new file mode 100644
1179 
+index 0000000..e5e2baf
1180 
+--- /dev/null
1181 
+@@ -0,0 +1,216 @@
1182 
++// The use of Cascade cloud provider requires the kubelet, kube-apiserver, and kube-controller-manager to be started
1183 
++// with config flag: '--cloud-provider=cascade --cloud-config=[path_to_config_file]'.
1184 
++package cascade
1181 1185 
 +
1182 
-+load(
1183 
-+    "@io_bazel_rules_go//go:def.bzl",
1184 
-+    "go_library",
1186 
++import (
1187 
++	"errors"
1188 
++	"fmt"
1189 
++	"io"
1190 
++	"os"
1191 
++	"github.com/golang/glog"
1192 
++	"gopkg.in/gcfg.v1"
1193 
++	k8stypes "k8s.io/apimachinery/pkg/types"
1194 
++	"k8s.io/kubernetes/pkg/cloudprovider"
1195 
++	"k8s.io/kubernetes/pkg/controller"
1196 
++	"strings"
1185 1197 
 +)
1186 1198 
 +
1187 
-+go_library(
1188 
-+    name = "go_default_library",
1189 
-+    srcs = [
1190 
-+        "apitypes.go",
1191 
-+        "auth.go",
1192 
-+        "cascade.go",
1193 
-+        "cascade_disks.go",
1194 
-+        "cascade_instances.go",
1195 
-+        "cascade_loadbalancer.go",
1196 
-+        "client.go",
1197 
-+        "oidcclient.go",
1198 
-+        "restclient.go",
1199 
-+        "utils.go"
1200 
-+        ],
1201 
-+    deps = [
1202 
-+        "//pkg/api/v1/helper:go_default_library",
1203 
-+        "//pkg/cloudprovider:go_default_library",
1204 
-+        "//pkg/controller:go_default_library",
1205 
-+        "//vendor/github.com/golang/glog:go_default_library",
1206 
-+        "//vendor/gopkg.in/gcfg.v1:go_default_library",
1207 
-+        "//vendor/k8s.io/api/core/v1:go_default_library",
1208 
-+        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
1209 
-+    ],
1199 
++const (
1200 
++	ProviderName = "cascade"
1201 
++	DiskSpecKind = "persistent-disk"
1202 
++	MasterPrefix = "master"
1210 1203 
 +)
1211 1204 
 +
1212 
-+filegroup(
1213 
-+    name = "package-srcs",
1214 
-+    srcs = glob(["**"]),
1215 
-+    tags = ["automanaged"],
1216 
-+    visibility = ["//visibility:private"],
1217 
-+)
1205 
++// CascadeCloud is an implementation of the cloud provider interface for Cascade Controller.
1206 
++type CascadeCloud struct {
1207 
++	cfg *CascadeConfig
1208 
++	// Authentication client to get token for Cascade API calls
1209 
++	authClient *AuthClient
1210 
++	// API Client to make Cascade API calls
1211 
++	apiClient *Client
1212 
++	// local $HOSTNAME
1213 
++	localHostname string
1214 
++	// hostname from K8S, could be overridden
1215 
++	localK8sHostname string
1216 
++}
1218 1217 
 +
1219 
-+filegroup(
1220 
-+    name = "all-srcs",
1221 
-+    srcs = [":package-srcs"],
1222 
-+    tags = ["automanaged"],
1223 
-+)
1224 
-diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/cascade/cascade_disks.go kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/cascade_disks.go
1225 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/cascade_disks.go	2018-04-30 21:11:51.000000000 +0000
1218 
++// CascadeCloud represents Cascade cloud provider's configuration.
1219 
++type CascadeConfig struct {
1220 
++	Global struct {
1221 
++		// the Cascade Controller endpoint
1222 
++		CloudTarget string `gcfg:"target"`
1223 
++		// Cascade Controller tenantName name
1224 
++		TenantName string `gcfg:"tenantName"`
1225 
++		// Cascade Controller cluster ID
1226 
++		ClusterID string `gcfg:"clusterID"`
1227 
++		// Authentication server endpoint for Cascade Controller
1228 
++		AuthEndpoint string `gcfg:"authEndpoint"`
1229 
++		// Lightwave domain name for the node
1230 
++		DomainName string `gcfg:"domainName"`
1231 
++		// DNS name of the node.
1232 
++		DNSName string `gcfg:"dnsName"`
1233 
++		// Region in which the cluster is in
1234 
++		Region string `gcfg:"region"`
1235 
++		// Availability zone in which the cluster is in
1236 
++		Zone string `gcfg:"zone"`
1237 
++	}
1238 
++}
1239 
++
1240 
++// Disks is interface for manipulation with Cascade Controller Persistent Disks.
1241 
++type Disks interface {
1242 
++	// AttachDisk attaches given disk to given node. Current node
1243 
++	// is used when nodeName is empty string.
1244 
++	AttachDisk(diskID string, nodeName k8stypes.NodeName) (string, error)
1245 
++
1246 
++	// DetachDisk detaches given disk to given node. Current node
1247 
++	// is used when nodeName is empty string.
1248 
++	DetachDisk(diskID string, nodeName k8stypes.NodeName) error
1249 
++
1250 
++	// DiskIsAttached checks if a disk is attached to the given node.
1251 
++	DiskIsAttached(diskID string, nodeName k8stypes.NodeName) (bool, error)
1252 
++
1253 
++	// DisksAreAttached is a batch function to check if a list of disks are attached
1254 
++	// to the node with the specified NodeName.
1255 
++	DisksAreAttached(diskID []string, nodeName k8stypes.NodeName) (map[string]bool, error)
1256 
++
1257 
++	// CreateDisk creates a new PD with given properties.
1258 
++	CreateDisk(volumeOptions *VolumeOptions) (diskID string, err error)
1259 
++
1260 
++	// DeleteDisk deletes PD.
1261 
++	DeleteDisk(diskID string) error
1262 
++
1263 
++	// Get labels to apply to volume on creation.
1264 
++	GetVolumeLabels(diskID string) (map[string]string, error)
1265 
++}
1266 
++
1267 
++// VolumeOptions specifies capacity, tags, name and flavorID for a volume.
1268 
++type VolumeOptions struct {
1269 
++	CapacityGB int
1270 
++	Tags       map[string]string
1271 
++	Name       string
1272 
++	Flavor     string
1273 
++}
1274 
++
1275 
++func readConfig(config io.Reader) (*CascadeConfig, error) {
1276 
++	if config == nil {
1277 
++		err := fmt.Errorf("Cascade Cloud Provider: config file is missing. Please restart with " +
1278 
++			"--cloud-provider=cascade --cloud-config=[path_to_config_file]")
1279 
++		return nil, err
1280 
++	}
1281 
++
1282 
++	var cfg CascadeConfig
1283 
++	err := gcfg.ReadInto(&cfg, config)
1284 
++	return &cfg, err
1285 
++}
1286 
++
1287 
++func init() {
1288 
++	cloudprovider.RegisterCloudProvider(ProviderName, func(config io.Reader) (cloudprovider.Interface, error) {
1289 
++		cfg, err := readConfig(config)
1290 
++		if err != nil {
1291 
++			glog.Errorf("Cascade Cloud Provider: failed to read in cloud provider config file. Error[%v]", err)
1292 
++			return nil, err
1293 
++		}
1294 
++		return newCascadeCloud(cfg)
1295 
++	})
1296 
++}
1297 
++
1298 
++func newCascadeCloud(cfg *CascadeConfig) (*CascadeCloud, error) {
1299 
++	if len(cfg.Global.CloudTarget) == 0 {
1300 
++		return nil, fmt.Errorf("Cascade Controller endpoint was not specified.")
1301 
++	}
1302 
++
1303 
++	// Get local hostname
1304 
++	hostname, err := os.Hostname()
1305 
++	if err != nil {
1306 
++		glog.Errorf("Cascade Cloud Provider: get hostname failed. Error[%v]", err)
1307 
++		return nil, err
1308 
++	}
1309 
++
1310 
++	cc := CascadeCloud{
1311 
++		cfg:              cfg,
1312 
++		localHostname:    hostname,
1313 
++		localK8sHostname: "",
1314 
++	}
1315 
++
1316 
++	// Instantiate the auth and API clients only on the master nodes. Kubelets running on the workers don't need them as
1317 
++	// they are used primarily for making API calls to Cascade.
1318 
++	if strings.HasPrefix(hostname, MasterPrefix) {
1319 
++		if cc.authClient, err = NewAuthClient(cfg); err != nil {
1320 
++			return nil, err
1321 
++		}
1322 
++
1323 
++		if cc.apiClient, err = NewClient(cfg, cc.authClient); err != nil {
1324 
++			return nil, err
1325 
++		}
1326 
++	}
1327 
++
1328 
++	return &cc, nil
1329 
++}
1330 
++
1331 
++// Initialize passes a Kubernetes clientBuilder interface to the cloud provider
1332 
++func (cc *CascadeCloud) Initialize(clientBuilder controller.ControllerClientBuilder) {}
1333 
++
1334 
++// Instances returns an implementation of Instances for Cascade Controller.
1335 
++func (cc *CascadeCloud) Instances() (cloudprovider.Instances, bool) {
1336 
++	return cc, true
1337 
++}
1338 
++
1339 
++// List is an implementation of Instances.List.
1340 
++func (cc *CascadeCloud) List(filter string) ([]k8stypes.NodeName, error) {
1341 
++	return nil, errors.New("unimplemented")
1342 
++}
1343 
++
1344 
++func (cc *CascadeCloud) Clusters() (cloudprovider.Clusters, bool) {
1345 
++	return nil, true
1346 
++}
1347 
++
1348 
++// ProviderName returns the cloud provider ID.
1349 
++func (cc *CascadeCloud) ProviderName() string {
1350 
++	return ProviderName
1351 
++}
1352 
++
1353 
++// LoadBalancer returns an implementation of LoadBalancer for Cascade Controller.
1354 
++func (cc *CascadeCloud) LoadBalancer() (cloudprovider.LoadBalancer, bool) {
1355 
++	return cc, true
1356 
++}
1357 
++
1358 
++// Zones returns an implementation of Zones for Cascade Controller.
1359 
++func (cc *CascadeCloud) Zones() (cloudprovider.Zones, bool) {
1360 
++	return cc, true
1361 
++}
1362 
++
1363 
++func (cc *CascadeCloud) GetZone() (cloudprovider.Zone, error) {
1364 
++	return cloudprovider.Zone{
1365 
++		Region: cc.cfg.Global.Region,
1366 
++		FailureDomain: cc.cfg.Global.Zone,
1367 
++	}, nil
1368 
++}
1369 
++
1370 
++// GetZoneByProviderID implements Zones.GetZoneByProviderID
1371 
++// This is particularly useful in external cloud providers where the kubelet
1372 
++// does not initialize node data.
1373 
++func (cc *CascadeCloud) GetZoneByProviderID(providerID string) (cloudprovider.Zone, error) {
1374 
++	return cloudprovider.Zone{}, errors.New("unimplemented")
1375 
++}
1376 
++
1377 
++// GetZoneByNodeName implements Zones.GetZoneByNodeName
1378 
++// This is particularly useful in external cloud providers where the kubelet
1379 
++// does not initialize node data.
1380 
++func (cc *CascadeCloud) GetZoneByNodeName(nodeName k8stypes.NodeName) (cloudprovider.Zone, error) {
1381 
++	return cloudprovider.Zone{}, errors.New("unimeplemented")
1382 
++}
1383 
++
1384 
++// Routes returns a false since the interface is not supported for Cascade controller.
1385 
++func (cc *CascadeCloud) Routes() (cloudprovider.Routes, bool) {
1386 
++	return nil, false
1387 
++}
1388 
++
1389 
++// ScrubDNS filters DNS settings for pods.
1390 
++func (cc *CascadeCloud) ScrubDNS(nameservers, searches []string) (nsOut, srchOut []string) {
1391 
++	return nameservers, searches
1392 
++}
1393 
++
1394 
++// HasClusterID returns true if the cluster has a clusterID
1395 
++func (cc *CascadeCloud) HasClusterID() bool {
1396 
++	return true
1397 
++}
1398 
+\ No newline at end of file
1399 
+diff --git a/pkg/cloudprovider/providers/cascade/cascade_disks.go b/pkg/cloudprovider/providers/cascade/cascade_disks.go
1400 
+new file mode 100644
1401 
+index 0000000..320e123
1402 
+--- /dev/null
1226 1403 
 @@ -0,0 +1,225 @@
1227 1404 
 +package cascade
1228 1405 
 +
... ... 
@@ -1451,230 +1551,11 @@ diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/casca
1451 1451 
 +
1452 1452 
 +	return labels, nil
1453 1453 
 +}
1454 
-diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/cascade/cascade.go kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/cascade.go
1455 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/cascade.go	2018-04-30 21:11:51.000000000 +0000
1456 
-@@ -0,0 +1,216 @@
1457 
-+// The use of Cascade cloud provider requires the kubelet, kube-apiserver, and kube-controller-manager to be started
1458 
-+// with config flag: '--cloud-provider=cascade --cloud-config=[path_to_config_file]'.
1459 
-+package cascade
1460 
-+
1461 
-+import (
1462 
-+	"errors"
1463 
-+	"fmt"
1464 
-+	"io"
1465 
-+	"os"
1466 
-+	"github.com/golang/glog"
1467 
-+	"gopkg.in/gcfg.v1"
1468 
-+	k8stypes "k8s.io/apimachinery/pkg/types"
1469 
-+	"k8s.io/kubernetes/pkg/cloudprovider"
1470 
-+	"k8s.io/kubernetes/pkg/controller"
1471 
-+	"strings"
1472 
-+)
1473 
-+
1474 
-+const (
1475 
-+	ProviderName = "cascade"
1476 
-+	DiskSpecKind = "persistent-disk"
1477 
-+	MasterPrefix = "master"
1478 
-+)
1479 
-+
1480 
-+// CascadeCloud is an implementation of the cloud provider interface for Cascade Controller.
1481 
-+type CascadeCloud struct {
1482 
-+	cfg *CascadeConfig
1483 
-+	// Authentication client to get token for Cascade API calls
1484 
-+	authClient *AuthClient
1485 
-+	// API Client to make Cascade API calls
1486 
-+	apiClient *Client
1487 
-+	// local $HOSTNAME
1488 
-+	localHostname string
1489 
-+	// hostname from K8S, could be overridden
1490 
-+	localK8sHostname string
1491 
-+}
1492 
-+
1493 
-+// CascadeCloud represents Cascade cloud provider's configuration.
1494 
-+type CascadeConfig struct {
1495 
-+	Global struct {
1496 
-+		// the Cascade Controller endpoint
1497 
-+		CloudTarget string `gcfg:"target"`
1498 
-+		// Cascade Controller tenantName name
1499 
-+		TenantName string `gcfg:"tenantName"`
1500 
-+		// Cascade Controller cluster ID
1501 
-+		ClusterID string `gcfg:"clusterID"`
1502 
-+		// Authentication server endpoint for Cascade Controller
1503 
-+		AuthEndpoint string `gcfg:"authEndpoint"`
1504 
-+		// Lightwave domain name for the node
1505 
-+		DomainName string `gcfg:"domainName"`
1506 
-+		// DNS name of the node.
1507 
-+		DNSName string `gcfg:"dnsName"`
1508 
-+		// Region in which the cluster is in
1509 
-+		Region string `gcfg:"region"`
1510 
-+		// Availability zone in which the cluster is in
1511 
-+		Zone string `gcfg:"zone"`
1512 
-+	}
1513 
-+}
1514 
-+
1515 
-+// Disks is interface for manipulation with Cascade Controller Persistent Disks.
1516 
-+type Disks interface {
1517 
-+	// AttachDisk attaches given disk to given node. Current node
1518 
-+	// is used when nodeName is empty string.
1519 
-+	AttachDisk(diskID string, nodeName k8stypes.NodeName) (string, error)
1520 
-+
1521 
-+	// DetachDisk detaches given disk to given node. Current node
1522 
-+	// is used when nodeName is empty string.
1523 
-+	DetachDisk(diskID string, nodeName k8stypes.NodeName) error
1524 
-+
1525 
-+	// DiskIsAttached checks if a disk is attached to the given node.
1526 
-+	DiskIsAttached(diskID string, nodeName k8stypes.NodeName) (bool, error)
1527 
-+
1528 
-+	// DisksAreAttached is a batch function to check if a list of disks are attached
1529 
-+	// to the node with the specified NodeName.
1530 
-+	DisksAreAttached(diskID []string, nodeName k8stypes.NodeName) (map[string]bool, error)
1531 
-+
1532 
-+	// CreateDisk creates a new PD with given properties.
1533 
-+	CreateDisk(volumeOptions *VolumeOptions) (diskID string, err error)
1534 
-+
1535 
-+	// DeleteDisk deletes PD.
1536 
-+	DeleteDisk(diskID string) error
1537 
-+
1538 
-+	// Get labels to apply to volume on creation.
1539 
-+	GetVolumeLabels(diskID string) (map[string]string, error)
1540 
-+}
1541 
-+
1542 
-+// VolumeOptions specifies capacity, tags, name and flavorID for a volume.
1543 
-+type VolumeOptions struct {
1544 
-+	CapacityGB int
1545 
-+	Tags       map[string]string
1546 
-+	Name       string
1547 
-+	Flavor     string
1548 
-+}
1549 
-+
1550 
-+func readConfig(config io.Reader) (*CascadeConfig, error) {
1551 
-+	if config == nil {
1552 
-+		err := fmt.Errorf("Cascade Cloud Provider: config file is missing. Please restart with " +
1553 
-+			"--cloud-provider=cascade --cloud-config=[path_to_config_file]")
1554 
-+		return nil, err
1555 
-+	}
1556 
-+
1557 
-+	var cfg CascadeConfig
1558 
-+	err := gcfg.ReadInto(&cfg, config)
1559 
-+	return &cfg, err
1560 
-+}
1561 
-+
1562 
-+func init() {
1563 
-+	cloudprovider.RegisterCloudProvider(ProviderName, func(config io.Reader) (cloudprovider.Interface, error) {
1564 
-+		cfg, err := readConfig(config)
1565 
-+		if err != nil {
1566 
-+			glog.Errorf("Cascade Cloud Provider: failed to read in cloud provider config file. Error[%v]", err)
1567 
-+			return nil, err
1568 
-+		}
1569 
-+		return newCascadeCloud(cfg)
1570 
-+	})
1571 
-+}
1572 
-+
1573 
-+func newCascadeCloud(cfg *CascadeConfig) (*CascadeCloud, error) {
1574 
-+	if len(cfg.Global.CloudTarget) == 0 {
1575 
-+		return nil, fmt.Errorf("Cascade Controller endpoint was not specified.")
1576 
-+	}
1577 
-+
1578 
-+	// Get local hostname
1579 
-+	hostname, err := os.Hostname()
1580 
-+	if err != nil {
1581 
-+		glog.Errorf("Cascade Cloud Provider: get hostname failed. Error[%v]", err)
1582 
-+		return nil, err
1583 
-+	}
1584 
-+
1585 
-+	cc := CascadeCloud{
1586 
-+		cfg:              cfg,
1587 
-+		localHostname:    hostname,
1588 
-+		localK8sHostname: "",
1589 
-+	}
1590 
-+
1591 
-+	// Instantiate the auth and API clients only on the master nodes. Kubelets running on the workers don't need them as
1592 
-+	// they are used primarily for making API calls to Cascade.
1593 
-+	if strings.HasPrefix(hostname, MasterPrefix) {
1594 
-+		if cc.authClient, err = NewAuthClient(cfg); err != nil {
1595 
-+			return nil, err
1596 
-+		}
1597 
-+
1598 
-+		if cc.apiClient, err = NewClient(cfg, cc.authClient); err != nil {
1599 
-+			return nil, err
1600 
-+		}
1601 
-+	}
1602 
-+
1603 
-+	return &cc, nil
1604 
-+}
1605 
-+
1606 
-+// Initialize passes a Kubernetes clientBuilder interface to the cloud provider
1607 
-+func (cc *CascadeCloud) Initialize(clientBuilder controller.ControllerClientBuilder) {}
1608 
-+
1609 
-+// Instances returns an implementation of Instances for Cascade Controller.
1610 
-+func (cc *CascadeCloud) Instances() (cloudprovider.Instances, bool) {
1611 
-+	return cc, true
1612 
-+}
1613 
-+
1614 
-+// List is an implementation of Instances.List.
1615 
-+func (cc *CascadeCloud) List(filter string) ([]k8stypes.NodeName, error) {
1616 
-+	return nil, errors.New("unimplemented")
1617 
-+}
1618 
-+
1619 
-+func (cc *CascadeCloud) Clusters() (cloudprovider.Clusters, bool) {
1620 
-+	return nil, true
1621 
-+}
1622 
-+
1623 
-+// ProviderName returns the cloud provider ID.
1624 
-+func (cc *CascadeCloud) ProviderName() string {
1625 
-+	return ProviderName
1626 
-+}
1627 
-+
1628 
-+// LoadBalancer returns an implementation of LoadBalancer for Cascade Controller.
1629 
-+func (cc *CascadeCloud) LoadBalancer() (cloudprovider.LoadBalancer, bool) {
1630 
-+	return cc, true
1631 
-+}
1632 
-+
1633 
-+// Zones returns an implementation of Zones for Cascade Controller.
1634 
-+func (cc *CascadeCloud) Zones() (cloudprovider.Zones, bool) {
1635 
-+	return cc, true
1636 
-+}
1637 
-+
1638 
-+func (cc *CascadeCloud) GetZone() (cloudprovider.Zone, error) {
1639 
-+	return cloudprovider.Zone{
1640 
-+		Region: cc.cfg.Global.Region,
1641 
-+		FailureDomain: cc.cfg.Global.Zone,
1642 
-+	}, nil
1643 
-+}
1644 
-+
1645 
-+// GetZoneByProviderID implements Zones.GetZoneByProviderID
1646 
-+// This is particularly useful in external cloud providers where the kubelet
1647 
-+// does not initialize node data.
1648 
-+func (cc *CascadeCloud) GetZoneByProviderID(providerID string) (cloudprovider.Zone, error) {
1649 
-+	return cloudprovider.Zone{}, errors.New("unimplemented")
1650 
-+}
1651 
-+
1652 
-+// GetZoneByNodeName implements Zones.GetZoneByNodeName
1653 
-+// This is particularly useful in external cloud providers where the kubelet
1654 
-+// does not initialize node data.
1655 
-+func (cc *CascadeCloud) GetZoneByNodeName(nodeName k8stypes.NodeName) (cloudprovider.Zone, error) {
1656 
-+	return cloudprovider.Zone{}, errors.New("unimeplemented")
1657 
-+}
1658 
-+
1659 
-+// Routes returns a false since the interface is not supported for Cascade controller.
1660 
-+func (cc *CascadeCloud) Routes() (cloudprovider.Routes, bool) {
1661 
-+	return nil, false
1662 
-+}
1663 
-+
1664 
-+// ScrubDNS filters DNS settings for pods.
1665 
-+func (cc *CascadeCloud) ScrubDNS(nameservers, searches []string) (nsOut, srchOut []string) {
1666 
-+	return nameservers, searches
1667 
-+}
1668 
-+
1669 
-+// HasClusterID returns true if the cluster has a clusterID
1670 
-+func (cc *CascadeCloud) HasClusterID() bool {
1671 
-+	return true
1672 
-+}
1673 
-\ No newline at end of file
1674 
-diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/cascade/cascade_instances.go kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/cascade_instances.go
1675 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/cascade_instances.go	2018-04-30 21:11:51.000000000 +0000
1454 
+diff --git a/pkg/cloudprovider/providers/cascade/cascade_instances.go b/pkg/cloudprovider/providers/cascade/cascade_instances.go
1455 
+new file mode 100644
1456 
+index 0000000..f270a3d
1457 
+--- /dev/null
1676 1458 
 @@ -0,0 +1,90 @@
1677 1459 
 +package cascade
1678 1460 
 +
... ... 
@@ -1766,9 +1647,11 @@ diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/casca
1766 1766 
 +func (cc *CascadeCloud) InstanceType(nodeName k8stypes.NodeName) (string, error) {
1767 1767 
 +	return "", nil
1768 1768 
 +}
1769 
-diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/cascade/cascade_loadbalancer.go kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/cascade_loadbalancer.go
1770 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/cascade_loadbalancer.go	2018-04-30 21:11:51.000000000 +0000
1769 
+diff --git a/pkg/cloudprovider/providers/cascade/cascade_loadbalancer.go b/pkg/cloudprovider/providers/cascade/cascade_loadbalancer.go
1770 
+new file mode 100644
1771 
+index 0000000..e28282f
1772 
+--- /dev/null
1771 1773 
 @@ -0,0 +1,284 @@
1772 1774 
 +package cascade
1773 1775 
 +
... ... 
@@ -2055,9 +1938,11 @@ diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/casca
2055 2055 
 +	glog.Infoln(l.getLogMsg(msgTemplate, args))
2056 2056 
 +}
2057 2057 
 \ No newline at end of file
2058 
-diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/cascade/client.go kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/client.go
2059 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/client.go	2018-04-30 21:11:51.000000000 +0000
2058 
+diff --git a/pkg/cloudprovider/providers/cascade/client.go b/pkg/cloudprovider/providers/cascade/client.go
2059 
+new file mode 100644
2060 
+index 0000000..72049e0
2061 
+--- /dev/null
2060 2062 
 @@ -0,0 +1,394 @@
2061 2063 
 +package cascade
2062 2064 
 +
... ... 
@@ -2453,9 +2338,11 @@ diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/casca
2453 2453 
 +
2454 2454 
 +	return errorStep
2455 2455 
 +}
2456 
-diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/cascade/oidcclient.go kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/oidcclient.go
2457 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/oidcclient.go	2018-04-30 21:11:51.000000000 +0000
2456 
+diff --git a/pkg/cloudprovider/providers/cascade/oidcclient.go b/pkg/cloudprovider/providers/cascade/oidcclient.go
2457 
+new file mode 100644
2458 
+index 0000000..6a71cc1
2459 
+--- /dev/null
2458 2460 
 @@ -0,0 +1,297 @@
2459 2461 
 +package cascade
2460 2462 
 +
... ... 
@@ -2754,16 +2641,11 @@ diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/casca
2754 2754 
 +
2755 2755 
 +	return oidcErr
2756 2756 
 +}
2757 
-diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/cascade/OWNERS kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/OWNERS
2758 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/OWNERS	2018-04-30 21:11:51.000000000 +0000
2759 
-@@ -0,0 +1,3 @@
2760 
-+maintainers:
2761 
-+- ashokc
2762 
-+- ysheng
2763 
-diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/cascade/restclient.go kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/restclient.go
2764 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/restclient.go	2018-04-30 21:11:51.000000000 +0000
2757 
+diff --git a/pkg/cloudprovider/providers/cascade/restclient.go b/pkg/cloudprovider/providers/cascade/restclient.go
2758 
+new file mode 100644
2759 
+index 0000000..71d8d1c
2760 
+--- /dev/null
2765 2761 
 @@ -0,0 +1,262 @@
2766 2762 
 +package cascade
2767 2763 
 +
... ... 
@@ -3027,18 +2909,22 @@ diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/casca
3027 3027 
 +	apiError.HttpStatusCode = res.StatusCode
3028 3028 
 +	return nil, apiError
3029 3029 
 +}
3030 
-diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/cascade/tests_owed kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/tests_owed
3031 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/tests_owed	2018-04-30 21:11:51.000000000 +0000
3030 
+diff --git a/pkg/cloudprovider/providers/cascade/tests_owed b/pkg/cloudprovider/providers/cascade/tests_owed
3031 
+new file mode 100644
3032 
+index 0000000..dff5ab1
3033 
+--- /dev/null
3032 3034 
 @@ -0,0 +1,5 @@
3033 3035 
 +
3034 3036 
 +Yu Sheng
3035 3037 
 +Change-Id: Ifc11818f65a3e018aeea6988d9e2c0719b592920
3036 3038 
 +
3037 3039 
 +
3038 
-diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/cascade/utils.go kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/utils.go
3039 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/cascade/utils.go	2018-04-30 21:11:51.000000000 +0000
3040 
+diff --git a/pkg/cloudprovider/providers/cascade/utils.go b/pkg/cloudprovider/providers/cascade/utils.go
3041 
+new file mode 100644
3042 
+index 0000000..4e9e44c
3043 
+--- /dev/null
3040 3044 
 @@ -0,0 +1,25 @@
3041 3045 
 +package cascade
3042 3046 
 +
... ... 
@@ -3066,10 +2952,11 @@ diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/casca
3066 3066 
 +	return &s
3067 3067 
 +}
3068 3068 
 \ No newline at end of file
3069 
-diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/providers.go kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/providers.go
3070 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/cloudprovider/providers/providers.go	2018-04-30 21:11:51.000000000 +0000
3071 
-@@ -20,6 +20,7 @@
3069 
+diff --git a/pkg/cloudprovider/providers/providers.go b/pkg/cloudprovider/providers/providers.go
3070 
+index 7de9ca9..6d8a1d2 100644
3071 
+--- a/pkg/cloudprovider/providers/providers.go
3072 
+@@ -20,6 +20,7 @@ import (
3072 3073 
  	// Cloud providers
3073 3074 
  	_ "k8s.io/kubernetes/pkg/cloudprovider/providers/aws"
3074 3075 
  	_ "k8s.io/kubernetes/pkg/cloudprovider/providers/azure"
... ... 
@@ -3077,10 +2964,11 @@ diff -uNr --no-dereference kubernetes-original/pkg/cloudprovider/providers/provi
3077 3077 
  	_ "k8s.io/kubernetes/pkg/cloudprovider/providers/cloudstack"
3078 3078 
  	_ "k8s.io/kubernetes/pkg/cloudprovider/providers/gce"
3079 3079 
  	_ "k8s.io/kubernetes/pkg/cloudprovider/providers/openstack"
3080 
-diff -uNr --no-dereference kubernetes-original/pkg/printers/internalversion/describe.go kubernetes-modified/src/k8s.io/kubernetes/pkg/printers/internalversion/describe.go
3081 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/printers/internalversion/describe.go	2018-04-30 21:11:51.000000000 +0000
3082 
-@@ -751,6 +751,8 @@
3080 
+diff --git a/pkg/printers/internalversion/describe.go b/pkg/printers/internalversion/describe.go
3081 
+index c33b1c6..11e6c8b 100644
3082 
+--- a/pkg/printers/internalversion/describe.go
3083 
+@@ -751,6 +751,8 @@ func describeVolumes(volumes []api.Volume, w PrefixWriter, space string) {
3083 3084 
  			printFlexVolumeSource(volume.VolumeSource.FlexVolume, w)
3084 3085 
  		case volume.VolumeSource.Flocker != nil:
3085 3086 
  			printFlockerVolumeSource(volume.VolumeSource.Flocker, w)
... ... 
@@ -3089,7 +2977,7 @@ diff -uNr --no-dereference kubernetes-original/pkg/printers/internalversion/desc
3089 3089 
  		default:
3090 3090 
  			w.Write(LEVEL_1, "<unknown>\n")
3091 3091 
  		}
3092 
-@@ -1101,6 +1103,13 @@
3092 
+@@ -1101,6 +1103,13 @@ func printCSIPersistentVolumeSource(csi *api.CSIPersistentVolumeSource, w Prefix
3093 3093 
  		csi.Driver, csi.VolumeHandle, csi.ReadOnly)
3094 3094 
  }
3095 3095
... ... 
@@ -3103,7 +2991,7 @@ diff -uNr --no-dereference kubernetes-original/pkg/printers/internalversion/desc
3103 3103 
  type PersistentVolumeDescriber struct {
3104 3104 
  	clientset.Interface
3105 3105 
  }
3106 
-@@ -1189,6 +1198,8 @@
3106 
+@@ -1189,6 +1198,8 @@ func describePersistentVolume(pv *api.PersistentVolume, events *api.EventList) (
3107 3107 
  			printFlockerVolumeSource(pv.Spec.Flocker, w)
3108 3108 
  		case pv.Spec.CSI != nil:
3109 3109 
  			printCSIPersistentVolumeSource(pv.Spec.CSI, w)
... ... 
@@ -3112,10 +3000,11 @@ diff -uNr --no-dereference kubernetes-original/pkg/printers/internalversion/desc
3112 3112 
  		default:
3113 3113 
  			w.Write(LEVEL_1, "<unknown>\n")
3114 3114 
  		}
3115 
-diff -uNr --no-dereference kubernetes-original/pkg/security/podsecuritypolicy/util/util.go kubernetes-modified/src/k8s.io/kubernetes/pkg/security/podsecuritypolicy/util/util.go
3116 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/security/podsecuritypolicy/util/util.go	2018-04-30 21:11:51.000000000 +0000
3117 
-@@ -68,6 +68,7 @@
3115 
+diff --git a/pkg/security/podsecuritypolicy/util/util.go b/pkg/security/podsecuritypolicy/util/util.go
3116 
+index d654f88..422fe0d 100644
3117 
+--- a/pkg/security/podsecuritypolicy/util/util.go
3118 
+@@ -68,6 +68,7 @@ func GetAllFSTypesAsSet() sets.String {
3118 3119 
  		string(extensions.PortworxVolume),
3119 3120 
  		string(extensions.ScaleIO),
3120 3121 
  		string(extensions.CSI),
... ... 
@@ -3123,7 +3012,7 @@ diff -uNr --no-dereference kubernetes-original/pkg/security/podsecuritypolicy/ut
3123 3123 
  	)
3124 3124 
  	return fstypes
3125 3125 
  }
3126 
-@@ -129,6 +130,8 @@
3126 
+@@ -129,6 +130,8 @@ func GetVolumeFSType(v api.Volume) (extensions.FSType, error) {
3127 3127 
  		return extensions.PortworxVolume, nil
3128 3128 
  	case v.ScaleIO != nil:
3129 3129 
  		return extensions.ScaleIO, nil
... ... 
@@ -3132,9 +3021,68 @@ diff -uNr --no-dereference kubernetes-original/pkg/security/podsecuritypolicy/ut
3132 3132 
  	}
3133 3133
3134 3134 
  	return "", fmt.Errorf("unknown volume type for volume: %#v", v)
3135 
-diff -uNr --no-dereference kubernetes-original/pkg/volume/cascade_disk/attacher.go kubernetes-modified/src/k8s.io/kubernetes/pkg/volume/cascade_disk/attacher.go
3136 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/volume/cascade_disk/attacher.go	2018-04-30 21:11:51.000000000 +0000
3135 
+diff --git a/pkg/volume/cascade_disk/BUILD b/pkg/volume/cascade_disk/BUILD
3136 
+new file mode 100644
3137 
+index 0000000..3386612
3138 
+--- /dev/null
3139 
+@@ -0,0 +1,43 @@
3140 
++package(default_visibility = ["//visibility:public"])
3141 
++
3142 
++load(
3143 
++    "@io_bazel_rules_go//go:def.bzl",
3144 
++    "go_library",
3145 
++    "go_test",
3146 
++)
3147 
++
3148 
++go_library(
3149 
++    name = "go_default_library",
3150 
++    srcs = [
3151 
++        "attacher.go",
3152 
++        "cascade_disk.go",
3153 
++        "cascade_util.go",
3154 
++    ],
3155 
++    deps = [
3156 
++        "//pkg/cloudprovider:go_default_library",
3157 
++        "//pkg/cloudprovider/providers/cascade:go_default_library",
3158 
++        "//pkg/util/mount:go_default_library",
3159 
++        "//pkg/util/strings:go_default_library",
3160 
++        "//pkg/volume:go_default_library",
3161 
++        "//pkg/volume/util:go_default_library",
3162 
++        "//pkg/volume/util/volumehelper:go_default_library",
3163 
++        "//vendor/github.com/golang/glog:go_default_library",
3164 
++        "//vendor/k8s.io/api/core/v1:go_default_library",
3165 
++        "//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
3166 
++        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
3167 
++        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
3168 
++    ],
3169 
++)
3170 
++
3171 
++filegroup(
3172 
++    name = "package-srcs",
3173 
++    srcs = glob(["**"]),
3174 
++    tags = ["automanaged"],
3175 
++    visibility = ["//visibility:private"],
3176 
++)
3177 
++
3178 
++filegroup(
3179 
++    name = "all-srcs",
3180 
++    srcs = [":package-srcs"],
3181 
++    tags = ["automanaged"],
3182 
++)
3183 
+diff --git a/pkg/volume/cascade_disk/OWNERS b/pkg/volume/cascade_disk/OWNERS
3184 
+new file mode 100644
3185 
+index 0000000..c3a4ed7
3186 
+--- /dev/null
3187 
+@@ -0,0 +1,2 @@
3188 
++maintainers:
3189 
++- ashokc
3190 
+diff --git a/pkg/volume/cascade_disk/attacher.go b/pkg/volume/cascade_disk/attacher.go
3191 
+new file mode 100644
3192 
+index 0000000..607fcb5
3193 
+--- /dev/null
3137 3194 
 @@ -0,0 +1,269 @@
3138 3195 
 +package cascade_disk
3139 3196 
 +
... ... 
@@ -3405,56 +3353,11 @@ diff -uNr --no-dereference kubernetes-original/pkg/volume/cascade_disk/attacher.
3405 3405 
 +func (detacher *cascadeDiskDetacher) UnmountDevice(deviceMountPath string) error {
3406 3406 
 +	return volumeutil.UnmountPath(deviceMountPath, detacher.mounter)
3407 3407 
 +}
3408 
-diff -uNr --no-dereference kubernetes-original/pkg/volume/cascade_disk/BUILD kubernetes-modified/src/k8s.io/kubernetes/pkg/volume/cascade_disk/BUILD
3409 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/volume/cascade_disk/BUILD	2018-04-30 21:11:51.000000000 +0000
3410 
-@@ -0,0 +1,43 @@
3411 
-+package(default_visibility = ["//visibility:public"])
3412 
-+
3413 
-+load(
3414 
-+    "@io_bazel_rules_go//go:def.bzl",
3415 
-+    "go_library",
3416 
-+    "go_test",
3417 
-+)
3418 
-+
3419 
-+go_library(
3420 
-+    name = "go_default_library",
3421 
-+    srcs = [
3422 
-+        "attacher.go",
3423 
-+        "cascade_disk.go",
3424 
-+        "cascade_util.go",
3425 
-+    ],
3426 
-+    deps = [
3427 
-+        "//pkg/cloudprovider:go_default_library",
3428 
-+        "//pkg/cloudprovider/providers/cascade:go_default_library",
3429 
-+        "//pkg/util/mount:go_default_library",
3430 
-+        "//pkg/util/strings:go_default_library",
3431 
-+        "//pkg/volume:go_default_library",
3432 
-+        "//pkg/volume/util:go_default_library",
3433 
-+        "//pkg/volume/util/volumehelper:go_default_library",
3434 
-+        "//vendor/github.com/golang/glog:go_default_library",
3435 
-+        "//vendor/k8s.io/api/core/v1:go_default_library",
3436 
-+        "//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
3437 
-+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
3438 
-+        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
3439 
-+    ],
3440 
-+)
3441 
-+
3442 
-+filegroup(
3443 
-+    name = "package-srcs",
3444 
-+    srcs = glob(["**"]),
3445 
-+    tags = ["automanaged"],
3446 
-+    visibility = ["//visibility:private"],
3447 
-+)
3448 
-+
3449 
-+filegroup(
3450 
-+    name = "all-srcs",
3451 
-+    srcs = [":package-srcs"],
3452 
-+    tags = ["automanaged"],
3453 
-+)
3454 
-diff -uNr --no-dereference kubernetes-original/pkg/volume/cascade_disk/cascade_disk.go kubernetes-modified/src/k8s.io/kubernetes/pkg/volume/cascade_disk/cascade_disk.go
3455 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/volume/cascade_disk/cascade_disk.go	2018-04-30 21:11:51.000000000 +0000
3408 
+diff --git a/pkg/volume/cascade_disk/cascade_disk.go b/pkg/volume/cascade_disk/cascade_disk.go
3409 
+new file mode 100644
3410 
+index 0000000..88945c3
3411 
+--- /dev/null
3456 3412 
 @@ -0,0 +1,391 @@
3457 3413 
 +package cascade_disk
3458 3414 
 +
... ... 
@@ -3848,9 +3751,11 @@ diff -uNr --no-dereference kubernetes-original/pkg/volume/cascade_disk/cascade_d
3848 3848 
 +	return nil, false, fmt.Errorf("Spec does not reference a Cascade disk type")
3849 3849 
 +}
3850 3850 
 \ No newline at end of file
3851 
-diff -uNr --no-dereference kubernetes-original/pkg/volume/cascade_disk/cascade_util.go kubernetes-modified/src/k8s.io/kubernetes/pkg/volume/cascade_disk/cascade_util.go
3852 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/volume/cascade_disk/cascade_util.go	2018-04-30 21:11:51.000000000 +0000
3851 
+diff --git a/pkg/volume/cascade_disk/cascade_util.go b/pkg/volume/cascade_disk/cascade_util.go
3852 
+new file mode 100644
3853 
+index 0000000..3dcef3d
3854 
+--- /dev/null
3853 3855 
 @@ -0,0 +1,107 @@
3854 3856 
 +package cascade_disk
3855 3857 
 +
... ... 
@@ -3959,16 +3864,11 @@ diff -uNr --no-dereference kubernetes-original/pkg/volume/cascade_disk/cascade_u
3959 3959 
 +	}
3960 3960 
 +	return cc, nil
3961 3961 
 +}
3962 
-diff -uNr --no-dereference kubernetes-original/pkg/volume/cascade_disk/OWNERS kubernetes-modified/src/k8s.io/kubernetes/pkg/volume/cascade_disk/OWNERS
3963 
-+++ kubernetes-modified/src/k8s.io/kubernetes/pkg/volume/cascade_disk/OWNERS	2018-04-30 21:11:51.000000000 +0000
3964 
-@@ -0,0 +1,2 @@
3965 
-+maintainers:
3966 
-+- ashokc
3967 
-diff -uNr --no-dereference kubernetes-original/plugin/pkg/admission/persistentvolume/label/admission.go kubernetes-modified/src/k8s.io/kubernetes/plugin/pkg/admission/persistentvolume/label/admission.go
3968 
-+++ kubernetes-modified/src/k8s.io/kubernetes/plugin/pkg/admission/persistentvolume/label/admission.go	2018-04-30 21:11:51.000000000 +0000
3969 
-@@ -27,6 +27,7 @@
3962 
+diff --git a/plugin/pkg/admission/persistentvolume/label/admission.go b/plugin/pkg/admission/persistentvolume/label/admission.go
3963 
+index 86e1921..b9b546f 100644
3964 
+--- a/plugin/pkg/admission/persistentvolume/label/admission.go
3965 
+@@ -27,6 +27,7 @@ import (
3970 3966 
  	api "k8s.io/kubernetes/pkg/apis/core"
3971 3967 
  	"k8s.io/kubernetes/pkg/cloudprovider"
3972 3968 
  	"k8s.io/kubernetes/pkg/cloudprovider/providers/aws"
... ... 
@@ -3976,7 +3876,7 @@ diff -uNr --no-dereference kubernetes-original/plugin/pkg/admission/persistentvo
3976 3976 
  	"k8s.io/kubernetes/pkg/cloudprovider/providers/gce"
3977 3977 
  	kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
3978 3978 
  	kubeletapis "k8s.io/kubernetes/pkg/kubelet/apis"
3979 
-@@ -50,6 +51,7 @@
3979 
+@@ -50,6 +51,7 @@ type persistentVolumeLabel struct {
3980 3980 
  	ebsVolumes       aws.Volumes
3981 3981 
  	cloudConfig      []byte
3982 3982 
  	gceCloudProvider *gce.GCECloud
... ... 
@@ -3984,7 +3884,7 @@ diff -uNr --no-dereference kubernetes-original/plugin/pkg/admission/persistentvo
3984 3984 
  }
3985 3985
3986 3986 
  var _ admission.MutationInterface = &persistentVolumeLabel{}
3987 
-@@ -102,6 +104,13 @@
3987 
+@@ -102,6 +104,13 @@ func (l *persistentVolumeLabel) Admit(a admission.Attributes) (err error) {
3988 3988 
  		}
3989 3989 
  		volumeLabels = labels
3990 3990 
  	}
... ... 
@@ -3998,7 +3898,7 @@ diff -uNr --no-dereference kubernetes-original/plugin/pkg/admission/persistentvo
3998 3998
3999 3999 
  	if len(volumeLabels) != 0 {
4000 4000 
  		if volume.Labels == nil {
4001 
-@@ -214,3 +223,48 @@
4001 
+@@ -214,3 +223,48 @@ func (l *persistentVolumeLabel) getGCECloudProvider() (*gce.GCECloud, error) {
4002 4002 
  	}
4003 4003 
  	return l.gceCloudProvider, nil
4004 4004 
  }
... ... 
@@ -4047,10 +3947,1003 @@ diff -uNr --no-dereference kubernetes-original/plugin/pkg/admission/persistentvo
4047 4047 
 +	}
4048 4048 
 +	return l.cascadeDisks, nil
4049 4049 
 +}
4050 
-diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/generated.pb.go kubernetes-modified/src/k8s.io/kubernetes/staging/src/k8s.io/api/core/v1/generated.pb.go
4051 
-+++ kubernetes-modified/src/k8s.io/kubernetes/staging/src/k8s.io/api/core/v1/generated.pb.go	2018-04-30 21:11:51.000000000 +0000
4052 
-@@ -35,6 +35,7 @@
4050 
+diff --git a/plugin/pkg/admission/vke/BUILD b/plugin/pkg/admission/vke/BUILD
4051 
+new file mode 100644
4052 
+index 0000000..b0a6026
4053 
+--- /dev/null
4054 
+@@ -0,0 +1,58 @@
4055 
++package(default_visibility = ["//visibility:public"])
4056 
++
4057 
++load(
4058 
++    "@io_bazel_rules_go//go:def.bzl",
4059 
++    "go_library",
4060 
++)
4061 
++
4062 
++go_library(
4063 
++    name = "go_default_library",
4064 
++    srcs = ["admission.go"],
4065 
++    importpath = "k8s.io/kubernetes/plugin/pkg/admission/vke",
4066 
++    deps = [
4067 
++        "//pkg/apis/core:go_default_library",
4068 
++        "//pkg/apis/extensions:go_default_library",
4069 
++        "//pkg/apis/rbac:go_default_library",
4070 
++        "//pkg/registry/rbac:go_default_library",
4071 
++        "//pkg/security/podsecuritypolicy:go_default_library",
4072 
++        "//vendor/github.com/golang/glog:go_default_library",
4073 
++        "//vendor/k8s.io/apimachinery/pkg/api/equality:go_default_library",
4074 
++        "//vendor/k8s.io/apimachinery/pkg/util/yaml:go_default_library",
4075 
++        "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
4076 
++        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
4077 
++        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
4078 
++    ],
4079 
++)
4080 
++
4081 
++go_test(
4082 
++    name = "go_default_test",
4083 
++    srcs = ["admission_test.go"],
4084 
++    embed = [":go_default_library"],
4085 
++    deps = [
4086 
++        "//pkg/apis/core:go_default_library",
4087 
++        "//pkg/apis/extensions:go_default_library",
4088 
++        "//pkg/apis/rbac:go_default_library",
4089 
++        "//pkg/registry/rbac:go_default_library",
4090 
++        "//pkg/security/podsecuritypolicy:go_default_library",
4091 
++        "//vendor/github.com/golang/glog:go_default_library",
4092 
++        "//vendor/github.com/stretchr/testify/assert:go_default_library",
4093 
++        "//vendor/k8s.io/apimachinery/pkg/api/equality:go_default_library",
4094 
++        "//vendor/k8s.io/apimachinery/pkg/util/yaml:go_default_library",
4095 
++        "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
4096 
++        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
4097 
++        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
4098 
++    ],
4099 
++)
4100 
++
4101 
++filegroup(
4102 
++    name = "package-srcs",
4103 
++    srcs = glob(["**"]),
4104 
++    tags = ["automanaged"],
4105 
++    visibility = ["//visibility:private"],
4106 
++)
4107 
++
4108 
++filegroup(
4109 
++    name = "all-srcs",
4110 
++    srcs = [":package-srcs"],
4111 
++    tags = ["automanaged"],
4112 
++)
4113 
+\ No newline at end of file
4114 
+diff --git a/plugin/pkg/admission/vke/admission.go b/plugin/pkg/admission/vke/admission.go
4115 
+new file mode 100644
4116 
+index 0000000..4cfc8c5
4117 
+--- /dev/null
4118 
+@@ -0,0 +1,374 @@
4119 
++package vke
4120 
++
4121 
++import (
4122 
++	"fmt"
4123 
++	"io"
4124 
++	"strings"
4125 
++
4126 
++	"github.com/golang/glog"
4127 
++	apiequality "k8s.io/apimachinery/pkg/api/equality"
4128 
++	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
4129 
++	"k8s.io/apimachinery/pkg/util/validation/field"
4130 
++	"k8s.io/apimachinery/pkg/util/yaml"
4131 
++	"k8s.io/apiserver/pkg/admission"
4132 
++	api "k8s.io/kubernetes/pkg/apis/core"
4133 
++	"k8s.io/kubernetes/pkg/apis/extensions"
4134 
++	"k8s.io/kubernetes/pkg/apis/rbac"
4135 
++	rbacregistry "k8s.io/kubernetes/pkg/registry/rbac"
4136 
++	"k8s.io/kubernetes/pkg/security/podsecuritypolicy"
4137 
++)
4138 
++
4139 
++const (
4140 
++	// PluginName indicates name of admission plugin.
4141 
++	PluginName = "VMwareAdmissionController"
4142 
++
4143 
++	systemUnsecuredUser      = "system:unsecured"
4144 
++	privilegedNamespace      = "vke-system"
4145 
++	privilegedServiceAccount = "system:serviceaccount:" + privilegedNamespace + ":"
4146 
++	reservedPrefix           = "vke"
4147 
++	kubeletGroup             = "system:nodes"
4148 
++	kubeProxyGroup           = "cascade:kube-proxies"
4149 
++	dashboardPod             = "vke-dashboard-0"
4150 
++	kubeSystemNamespace      = "kube-system"
4151 
++)
4152 
++
4153 
++// Register registers a plugin.
4154 
++func Register(plugins *admission.Plugins) {
4155 
++	plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
4156 
++		return NewVMwareAdmissionController(config)
4157 
++	})
4158 
++}
4159 
++
4160 
++// vmwareAdmissionController is an implementation of admission.Interface.
4161 
++// It restricts access to VKE namespace for users and prevents the users from creating privileged pods.
4162 
++type vmwareAdmissionController struct {
4163 
++	psp             *extensions.PodSecurityPolicy
4164 
++	strategyFactory podsecuritypolicy.StrategyFactory
4165 
++	privilegedGroup string
4166 
++}
4167 
++
4168 
++// vmwareAdmissionControllerConfig holds config data for VMwareAdmissionController.
4169 
++type vmwareAdmissionControllerConfig struct {
4170 
++	PrivilegedGroup string `yaml:"privilegedGroup"`
4171 
++}
4172 
++
4173 
++// AdmissionConfig holds config data for admission controllers.
4174 
++type AdmissionConfig struct {
4175 
++	VMwareAdmissionController vmwareAdmissionControllerConfig `yaml:"vmwareAdmissionController"`
4176 
++}
4177 
++
4178 
++var _ admission.ValidationInterface = &vmwareAdmissionController{}
4179 
++
4180 
++// Validate makes an admission decision based on the request attributes.  It is NOT allowed to mutate.
4181 
++func (vac *vmwareAdmissionController) Validate(a admission.Attributes) (err error) {
4182 
++	if isPrivilegedUser(vac, a) {
4183 
++		return nil
4184 
++	}
4185 
++
4186 
++	if isSystemUnsecuredUser(a) {
4187 
++		return validateSystemUnsecuredUser(vac, a)
4188 
++	}
4189 
++
4190 
++	if isPrivilegedNamespace(a) {
4191 
++		return admission.NewForbidden(a,
4192 
++			fmt.Errorf("%s validation failed: cannot modify resources in namespace %s", PluginName, a.GetNamespace()))
4193 
++	}
4194 
++
4195 
++	switch a.GetResource().GroupResource() {
4196 
++	case api.Resource("pods"):
4197 
++		err = validatePods(vac, a)
4198 
++	case api.Resource("nodes"):
4199 
++		err = admission.NewForbidden(a, fmt.Errorf("%s validation failed: cannot modify nodes", PluginName))
4200 
++	case rbac.Resource("clusterroles"):
4201 
++		err = validateClusterRoles(a)
4202 
++	case rbac.Resource("clusterrolebindings"):
4203 
++		err = validateClusterRoleBindings(a)
4204 
++	}
4205 
++
4206 
++	return err
4207 
++}
4208 
++
4209 
++// Handles returns true if this admission controller can handle the given operation
4210 
++// where operation can be one of CREATE, UPDATE, DELETE, or CONNECT.
4211 
++func (vac *vmwareAdmissionController) Handles(operation admission.Operation) bool {
4212 
++	return true
4213 
++}
4214 
++
4215 
++// NewVMwareAdmissionController creates a new VMwareAdmissionController.
4216 
++func NewVMwareAdmissionController(configFile io.Reader) (*vmwareAdmissionController, error) {
4217 
++	glog.V(2).Infof("%s is enabled", PluginName)
4218 
++	if configFile == nil {
4219 
++		glog.Warningf("No config specified for %s. Using default configuration", PluginName)
4220 
++		return nil, fmt.Errorf("no config file specified for %s", PluginName)
4221 
++	}
4222 
++
4223 
++	var config AdmissionConfig
4224 
++	d := yaml.NewYAMLOrJSONDecoder(configFile, 4096)
4225 
++	err := d.Decode(&config)
4226 
++	if err != nil {
4227 
++		return nil, err
4228 
++	}
4229 
++
4230 
++	return &vmwareAdmissionController{
4231 
++		psp:             getDefaultPSP(),
4232 
++		strategyFactory: podsecuritypolicy.NewSimpleStrategyFactory(),
4233 
++		privilegedGroup: config.VMwareAdmissionController.PrivilegedGroup,
4234 
++	}, nil
4235 
++}
4236 
++
4237 
++func getDefaultPSP() *extensions.PodSecurityPolicy {
4238 
++	return &extensions.PodSecurityPolicy{
4239 
++		TypeMeta: metav1.TypeMeta{
4240 
++			Kind:       "PodSecurityPolicy",
4241 
++			APIVersion: "extensions/v1beta1",
4242 
++		},
4243 
++		Spec: extensions.PodSecurityPolicySpec{
4244 
++			Privileged:               false,
4245 
++			HostNetwork:              false,
4246 
++			HostIPC:                  false,
4247 
++			HostPID:                  false,
4248 
++			AllowPrivilegeEscalation: false,
4249 
++			Volumes: []extensions.FSType{
4250 
++				"emptyDir",
4251 
++				"secret",
4252 
++				"downwardAPI",
4253 
++				"configMap",
4254 
++				"persistentVolumeClaim",
4255 
++				"projected",
4256 
++			},
4257 
++			FSGroup: extensions.FSGroupStrategyOptions{
4258 
++				Rule: extensions.FSGroupStrategyRunAsAny,
4259 
++			},
4260 
++			RunAsUser: extensions.RunAsUserStrategyOptions{
4261 
++				Rule: extensions.RunAsUserStrategyRunAsAny,
4262 
++			},
4263 
++			SELinux: extensions.SELinuxStrategyOptions{
4264 
++				Rule: extensions.SELinuxStrategyRunAsAny,
4265 
++			},
4266 
++			SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
4267 
++				Rule: extensions.SupplementalGroupsStrategyRunAsAny,
4268 
++			},
4269 
++		},
4270 
++	}
4271 
++}
4272 
++
4273 
++func isPrivilegedUser(vac *vmwareAdmissionController, a admission.Attributes) bool {
4274 
++	// We need to allow the service accounts inside the privileged namespace to be able to access pods and nodes.
4275 
++	// Node-monitor agent, Photon OS update controller and Cluster autoscaler depend on this.
4276 
++	user := a.GetUserInfo().GetName()
4277 
++	if strings.HasPrefix(user, privilegedServiceAccount) {
4278 
++		return true
4279 
++	}
4280 
++
4281 
++	// If the request comes from a user belonging to a privileged group, then we allow it. Only calls from Cascade
4282 
++	// controller will belong to this privileged group.
4283 
++	// If the request comes from kubelet or kube-proxy, we allow those too. We don't want to prevent kubelet from being
4284 
++	// able to create a privileged pod or update nodes. The same way we don't want to prevent kube-proxy from creating
4285 
++	// events.
4286 
++	groups := a.GetUserInfo().GetGroups()
4287 
++	for _, group := range groups {
4288 
++		if group == vac.privilegedGroup || group == kubeletGroup || group == kubeProxyGroup {
4289 
++			return true
4290 
++		}
4291 
++	}
4292 
++
4293 
++	return false
4294 
++}
4295 
++
4296 
++func isSystemUnsecuredUser(a admission.Attributes) bool {
4297 
++	return a.GetUserInfo().GetName() == systemUnsecuredUser
4298 
++}
4299 
++
4300 
++func validateSystemUnsecuredUser(vac *vmwareAdmissionController, a admission.Attributes) (err error) {
4301 
++	// Currently the insecure port 8080 is exposed to only localhost inside the Kubernetes master VMs. So it can be used
4302 
++	// only by kube-controller-manager, kube-scheduler and cloud-init script which creates our pods and other resources.
4303 
++	// When a call comes on insecure port 8080, Kubernetes assigns them system:unsecured user name. We need to allow
4304 
++	// this so that our master components can be started successfully and kube-controller-manager and kube-scheduler can
4305 
++	// work as expected.
4306 
++	// But this needs to be allowed only inside our privileged namespace. If the request comes to any other namespace,
4307 
++	// we need to make it go through our pod validation. This is needed because a user can create a deployment or
4308 
++	// replica set which has a privileged pod. Since our admission controller does not look at deployments or replica
4309 
++	// sets, we will allow it. The actual pod inside the deployment or replica set will be created by the
4310 
++	// controller-manager and if we allow it to create pods in any namespace, then a user can create a privileged pod
4311 
++	// totally bypassing our security checks.
4312 
++	if !isPrivilegedNamespace(a) && (a.GetResource().GroupResource() == api.Resource("pods")) {
4313 
++		return validatePods(vac, a)
4314 
++	}
4315 
++
4316 
++	// For all other resources, allow.
4317 
++	return nil
4318 
++}
4319 
++
4320 
++func isPrivilegedNamespace(a admission.Attributes) bool {
4321 
++	// If the namespace mentioned in the resource is privileged, return true. We will hit this for calls made to all
4322 
++	// resources in this namespace and during delete and update operation on the namespace itself.
4323 
++	if a.GetNamespace() == privilegedNamespace {
4324 
++		return true
4325 
++	}
4326 
++
4327 
++	// If the resource is a namespace and if its name matched the privileged namespace, return true. We will hit this
4328 
++	// during creation of the namespace.
4329 
++	if a.GetResource().GroupResource() == api.Resource("namespaces") {
4330 
++		if namespace, ok := a.GetObject().(*api.Namespace); ok {
4331 
++			if namespace.Name == privilegedNamespace {
4332 
++				return true
4333 
++			}
4334 
++		}
4335 
++	}
4336 
++
4337 
++	return false
4338 
++}
4339 
++
4340 
++func validateClusterRoles(a admission.Attributes) error {
4341 
++	// If the name in the request is not empty and has the reserved prefix, then fail. We will hit this during delete
4342 
++	// and update operations on the cluster roles. If it does not have the reserved prefix, allow it. If the name is
4343 
++	// empty then proceed to read it from the object in the request.
4344 
++	if a.GetName() != "" {
4345 
++		return checkReservedPrefix(a.GetName(), a)
4346 
++	}
4347 
++
4348 
++	clusterRole, ok := a.GetObject().(*rbac.ClusterRole)
4349 
++	// If we cannot get the cluster role binding object, fail.
4350 
++	if !ok {
4351 
++		return admission.NewForbidden(a,
4352 
++			fmt.Errorf("%s validation failed: unexpected type %T", PluginName, a.GetObject()))
4353 
++	}
4354 
++	// If we get the object and the name has the reserved prefix, fail. We will hit this when someone tries to create a
4355 
++	// cluster role with the reserved prefix.
4356 
++	return checkReservedPrefix(clusterRole.Name, a)
4357 
++}
4358 
++
4359 
++func validateClusterRoleBindings(a admission.Attributes) error {
4360 
++	// If the name in the request is not empty and has the reserved prefix, then fail. We will hit this during delete
4361 
++	// and update operations on the cluster role bindings. If it does not have the reserved prefix, allow it. If the
4362 
++	// name is empty then proceed to read it from the object in the request.
4363 
++	if a.GetName() != "" {
4364 
++		return checkReservedPrefix(a.GetName(), a)
4365 
++	}
4366 
++
4367 
++	clusterRoleBinding, ok := a.GetObject().(*rbac.ClusterRoleBinding)
4368 
++	// If we cannot get the cluster role binding object, fail.
4369 
++	if !ok {
4370 
++		return admission.NewForbidden(a,
4371 
++			fmt.Errorf("%s validation failed: unexpected type %T", PluginName, a.GetObject()))
4372 
++	}
4373 
++	// If we get the object and the name has the reserved prefix, fail. We will hit this when someone tries to create a
4374 
++	// cluster role binding with the reserved prefix.
4375 
++	return checkReservedPrefix(clusterRoleBinding.Name, a)
4376 
++}
4377 
++
4378 
++func validatePods(vac *vmwareAdmissionController, a admission.Attributes) error {
4379 
++	// If the request is acting on a sub resource of a pod then allow it. This request is not directly coming to a pod,
4380 
++	// but to a sub-resource like pods/foo/status. So, this does not have to be blocked.
4381 
++	if len(a.GetSubresource()) != 0 {
4382 
++		return nil
4383 
++	}
4384 
++
4385 
++	// If it is a Connect operation, allow it. We restrict access to connect to any pods in the vke-system namespace.
4386 
++	// Also, DenyEscalatingExec admission controller denies access to connect to any privileged pod in general. So it is
4387 
++	// OK to allow this.
4388 
++	if a.GetOperation() == admission.Connect {
4389 
++		return nil
4390 
++	}
4391 
++
4392 
++	// If it is a Delete operation and it is not a pod with a reserved prefix, allow it. We restrict access to delete
4393 
++	// any pods in the vke-system namespace. So it is OK to allow this.
4394 
++	// TODO: Make sure we do not have a need to delete the dashboard stateful set. If we do then it will fail.
4395 
++	if a.GetOperation() == admission.Delete {
4396 
++		return checkReservedPrefix(a.GetName(), a)
4397 
++	}
4398 
++
4399 
++	// If we cannot get the pod object, fail.
4400 
++	if _, ok := a.GetObject().(*api.Pod); !ok {
4401 
++		return admission.NewForbidden(a,
4402 
++			fmt.Errorf("%s validation failed: unexpected type %T", PluginName, a.GetObject()))
4403 
++	}
4404 
++
4405 
++	// If this is an update, see if we are only updating the ownerRef/finalizers.  Garbage collection does this
4406 
++	// and we should allow it in general, since you had the power to update and the power to delete.
4407 
++	// The worst that happens is that you delete something, but you aren't controlling the privileged object itself
4408 
++	if a.GetOperation() == admission.Update &&
4409 
++		rbacregistry.IsOnlyMutatingGCFields(a.GetObject(), a.GetOldObject(), apiequality.Semantic) {
4410 
++		return nil
4411 
++	}
4412 
++
4413 
++	errs := field.ErrorList{}
4414 
++	originalPod := a.GetObject().(*api.Pod)
4415 
++
4416 
++	// If the pod is our dashboard pod, its namespace is kube-system and it is created by the controller-manager then
4417 
++	// skip validation. This pod is in kube-system namespace which is not privileged. But we need to allow the dashboard
4418 
++	// pod to be privileged because it has the OIDC proxy container which requires hostPath volume mount. Just to make
4419 
++	// sure we allow only this one pod, we make sure that it is created by the controller manager and name matches the
4420 
++	// dashboard pod and it is in kube-system.
4421 
++	if a.GetUserInfo().GetName() == systemUnsecuredUser && a.GetNamespace() == kubeSystemNamespace &&
4422 
++		(a.GetName() == dashboardPod || originalPod.Name == dashboardPod) {
4423 
++		return nil
4424 
++	}
4425 
++
4426 
++	// Check if the pod that needs to be created or updated has the reserved prefix. If it does, deny the request.
4427 
++	podName := a.GetName()
4428 
++	if podName == "" {
4429 
++		podName = originalPod.Name
4430 
++	}
4431 
++	if err := checkReservedPrefix(podName, a); err != nil {
4432 
++		return err
4433 
++	}
4434 
++
4435 
++	// Generate a copy of the pod object because we are not allowed to mutate the pod object.
4436 
++	pod := originalPod.DeepCopy()
4437 
++
4438 
++	provider, err := podsecuritypolicy.NewSimpleProvider(vac.psp, pod.Namespace, vac.strategyFactory)
4439 
++	if err != nil {
4440 
++		return admission.NewForbidden(a, fmt.Errorf("%s validation failed: %v", PluginName, err))
4441 
++	}
4442 
++
4443 
++	// Set default security context for the pod. This fills in the defaults for the security context values that are not
4444 
++	// provided. This is needed to validate the security context correctly.
4445 
++	pod.Spec.SecurityContext, _, err = provider.CreatePodSecurityContext(pod)
4446 
++	if err != nil {
4447 
++		errs = append(errs, field.Invalid(field.NewPath("spec", "securityContext"),
4448 
++			pod.Spec.SecurityContext, err.Error()))
4449 
++	}
4450 
++
4451 
++	// Validate the pod.
4452 
++	errs = append(errs, provider.ValidatePodSecurityContext(pod, field.NewPath("spec", "securityContext"))...)
4453 
++
4454 
++	// Validate the initContainers that are part of the pod.
4455 
++	for i := range pod.Spec.InitContainers {
4456 
++		pod.Spec.InitContainers[i].SecurityContext, _, err = provider.CreateContainerSecurityContext(pod, &pod.Spec.InitContainers[i])
4457 
++		if err != nil {
4458 
++			errs = append(errs, field.Invalid(field.NewPath("spec", "initContainers").Index(i).
4459 
++				Child("securityContext"), "", err.Error()))
4460 
++			continue
4461 
++		}
4462 
++		errs = append(errs, provider.ValidateContainerSecurityContext(pod, &pod.Spec.InitContainers[i],
4463 
++			field.NewPath("spec", "initContainers").Index(i).Child("securityContext"))...)
4464 
++	}
4465 
++
4466 
++	// Validate the containers that are part of the pod.
4467 
++	for i := range pod.Spec.Containers {
4468 
++		pod.Spec.Containers[i].SecurityContext, _, err = provider.CreateContainerSecurityContext(pod, &pod.Spec.Containers[i])
4469 
++		if err != nil {
4470 
++			errs = append(errs, field.Invalid(field.NewPath("spec", "containers").Index(i).
4471 
++				Child("securityContext"), "", err.Error()))
4472 
++			continue
4473 
++		}
4474 
++		errs = append(errs, provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[i],
4475 
++			field.NewPath("spec", "containers").Index(i).Child("securityContext"))...)
4476 
++	}
4477 
++
4478 
++	if len(errs) > 0 {
4479 
++		return admission.NewForbidden(a,
4480 
++			fmt.Errorf("%s validation failed: %v", PluginName, errs))
4481 
++	}
4482 
++
4483 
++	return nil
4484 
++}
4485 
++
4486 
++func checkReservedPrefix(resourceName string, a admission.Attributes) error {
4487 
++	if strings.HasPrefix(resourceName, reservedPrefix) {
4488 
++		return admission.NewForbidden(a,
4489 
++			fmt.Errorf("%s validation failed: cannot modify resources with prefix %s", PluginName, reservedPrefix))
4490 
++	}
4491 
++	return nil
4492 
++}
4493 
+diff --git a/plugin/pkg/admission/vke/admission_test.go b/plugin/pkg/admission/vke/admission_test.go
4494 
+new file mode 100644
4495 
+index 0000000..81acbe1
4496 
+--- /dev/null
4497 
+@@ -0,0 +1,541 @@
4498 
++package vke
4499 
++
4500 
++import (
4501 
++	"fmt"
4502 
++	"strings"
4503 
++	"testing"
4504 
++
4505 
++	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
4506 
++	kadmission "k8s.io/apiserver/pkg/admission"
4507 
++	kapi "k8s.io/kubernetes/pkg/apis/core"
4508 
++	"k8s.io/kubernetes/pkg/apis/rbac"
4509 
++	"k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/authentication/user"
4510 
++)
4511 
++
4512 
++const (
4513 
++	testServiceAccountsGroup = "system.test\\cascade-controller-service-accounts"
4514 
++	defaultConfigFileFormat  = `
4515 
++vmwareAdmissionController:
4516 
++  privilegedGroup: %s
4517 
++`
4518 
++)
4519 
++
4520 
++func TestAdmitPrivileged(t *testing.T) {
4521 
++	tests := map[string]struct {
4522 
++		operation          kadmission.Operation
4523 
++		pod                *kapi.Pod
4524 
++		name               string
4525 
++		userInfo           user.Info
4526 
++		shouldPassValidate bool
4527 
++	}{
4528 
++		"create pod with Privileged=nil allowed": {
4529 
++			operation:          kadmission.Create,
4530 
++			pod:                newTestPodBuilder().build(),
4531 
++			userInfo:           newTestUserBuilder().build(),
4532 
++			shouldPassValidate: true,
4533 
++		},
4534 
++		"create pod with Privileged=false allowed": {
4535 
++			operation:          kadmission.Create,
4536 
++			pod:                newTestPodBuilder().withPrivileged(false).build(),
4537 
++			userInfo:           newTestUserBuilder().build(),
4538 
++			shouldPassValidate: true,
4539 
++		},
4540 
++		"create pod with Privileged=true denied": {
4541 
++			operation:          kadmission.Create,
4542 
++			pod:                newTestPodBuilder().withPrivileged(true).build(),
4543 
++			userInfo:           newTestUserBuilder().build(),
4544 
++			shouldPassValidate: false,
4545 
++		},
4546 
++		"create pod with multiple containers, one has Privileged=true denied": {
4547 
++			operation:          kadmission.Create,
4548 
++			pod:                newTestPodBuilder().withPrivileged(true).withInitContainer().withContainer().build(),
4549 
++			userInfo:           newTestUserBuilder().build(),
4550 
++			shouldPassValidate: false,
4551 
++		},
4552 
++		"update pod with Privileged=true denied": {
4553 
++			operation:          kadmission.Update,
4554 
++			pod:                newTestPodBuilder().withPrivileged(true).build(),
4555 
++			userInfo:           newTestUserBuilder().build(),
4556 
++			shouldPassValidate: false,
4557 
++		},
4558 
++		"create pod with HostNetwork=true denied": {
4559 
++			operation:          kadmission.Create,
4560 
++			pod:                newTestPodBuilder().withHostNetwork(true).build(),
4561 
++			userInfo:           newTestUserBuilder().build(),
4562 
++			shouldPassValidate: false,
4563 
++		},
4564 
++		"create pod with HostIPC=true denied": {
4565 
++			operation:          kadmission.Create,
4566 
++			pod:                newTestPodBuilder().withHostIPC(true).build(),
4567 
++			userInfo:           newTestUserBuilder().build(),
4568 
++			shouldPassValidate: false,
4569 
++		},
4570 
++		"create pod with HostPID=true denied": {
4571 
++			operation:          kadmission.Create,
4572 
++			pod:                newTestPodBuilder().withHostPID(true).build(),
4573 
++			userInfo:           newTestUserBuilder().build(),
4574 
++			shouldPassValidate: false,
4575 
++		},
4576 
++		"create pod with HostVolume denied": {
4577 
++			operation:          kadmission.Create,
4578 
++			pod:                newTestPodBuilder().withHostVolume().build(),
4579 
++			userInfo:           newTestUserBuilder().build(),
4580 
++			shouldPassValidate: false,
4581 
++		},
4582 
++		"create pod with CascadeDisk allowed": {
4583 
++			operation:          kadmission.Create,
4584 
++			pod:                newTestPodBuilder().withCascadeDisk().build(),
4585 
++			userInfo:           newTestUserBuilder().build(),
4586 
++			shouldPassValidate: true,
4587 
++		},
4588 
++		"create pod with HostVolume and CascadeDisk denied": {
4589 
++			operation:          kadmission.Create,
4590 
++			pod:                newTestPodBuilder().withHostVolume().withCascadeDisk().build(),
4591 
++			userInfo:           newTestUserBuilder().build(),
4592 
++			shouldPassValidate: false,
4593 
++		},
4594 
++		"create pod with vke prefix denied": {
4595 
++			operation:          kadmission.Create,
4596 
++			pod:                newTestPodBuilder().build(),
4597 
++			name:               "vke-dashboard",
4598 
++			userInfo:           newTestUserBuilder().build(),
4599 
++			shouldPassValidate: false,
4600 
++		},
4601 
++		"create dashboard pod with vke prefix by privileged user in kube-system allowed": {
4602 
++			operation:          kadmission.Create,
4603 
++			pod:                newTestPodBuilder().withNamespace(kubeSystemNamespace).build(),
4604 
++			name:               "vke-dashboard-0",
4605 
++			userInfo:           newTestUserBuilder().withName(systemUnsecuredUser).build(),
4606 
++			shouldPassValidate: true,
4607 
++		},
4608 
++		"connect pod allowed": {
4609 
++			operation:          kadmission.Connect,
4610 
++			pod:                newTestPodBuilder().build(),
4611 
++			userInfo:           newTestUserBuilder().build(),
4612 
++			shouldPassValidate: true,
4613 
++		},
4614 
++		"delete pod allowed": {
4615 
++			operation:          kadmission.Delete,
4616 
++			pod:                newTestPodBuilder().build(),
4617 
++			userInfo:           newTestUserBuilder().build(),
4618 
++			shouldPassValidate: true,
4619 
++		},
4620 
++		"delete pod with vke prefix denied": {
4621 
++			operation:          kadmission.Delete,
4622 
++			pod:                newTestPodBuilder().build(),
4623 
++			name:               "vke-dashboard",
4624 
++			userInfo:           newTestUserBuilder().build(),
4625 
++			shouldPassValidate: false,
4626 
++		},
4627 
++	}
4628 
++
4629 
++	for k, v := range tests {
4630 
++		testPodValidation(k, v.operation, v.pod, v.name, v.userInfo, v.shouldPassValidate, t)
4631 
++	}
4632 
++}
4633 
++
4634 
++func TestPrivilegedNamespace(t *testing.T) {
4635 
++	tests := map[string]struct {
4636 
++		operation          kadmission.Operation
4637 
++		pod                *kapi.Pod
4638 
++		name               string
4639 
++		userInfo           user.Info
4640 
++		shouldPassValidate bool
4641 
++	}{
4642 
++		"denied: regular lightwave user creates pod in vke-system namespace": {
4643 
++			operation:          kadmission.Create,
4644 
++			pod:                newTestPodBuilder().withNamespace(privilegedNamespace).build(),
4645 
++			userInfo:           newTestUserBuilder().build(),
4646 
++			shouldPassValidate: false,
4647 
++		},
4648 
++		"denied: regular lightwave user cannot escalate privilege using service account": {
4649 
++			operation:          kadmission.Create,
4650 
++			pod:                newTestPodBuilder().withNamespace(privilegedNamespace).withServiceAccount("system:serviceaccount:" + privilegedNamespace + ":default").build(),
4651 
++			userInfo:           newTestUserBuilder().build(),
4652 
++			shouldPassValidate: false,
4653 
++		},
4654 
++		"denied: regular service account creates pod in vke-system namespace": {
4655 
++			operation:          kadmission.Create,
4656 
++			pod:                newTestPodBuilder().withNamespace(privilegedNamespace).build(),
4657 
++			userInfo:           newTestUserBuilder().withName("system:serviceaccount:kube-system:default").build(),
4658 
++			shouldPassValidate: false,
4659 
++		},
4660 
++		"allowed: regular user creates pod in other namespace": {
4661 
++			operation:          kadmission.Create,
4662 
++			pod:                newTestPodBuilder().withNamespace("default").build(),
4663 
++			userInfo:           newTestUserBuilder().build(),
4664 
++			shouldPassValidate: true,
4665 
++		},
4666 
++		"allowed: Cascade Controller Service Account creates pod in vke-system namespace": {
4667 
++			operation:          kadmission.Create,
4668 
++			pod:                newTestPodBuilder().withNamespace(privilegedNamespace).build(),
4669 
++			userInfo:           newTestUserBuilder().withGroup(testServiceAccountsGroup).build(),
4670 
++			shouldPassValidate: true,
4671 
++		},
4672 
++		"allowed: systemUnsecuredUser creates pod in vke-system namespace": {
4673 
++			operation:          kadmission.Create,
4674 
++			pod:                newTestPodBuilder().withNamespace(privilegedNamespace).build(),
4675 
++			userInfo:           newTestUserBuilder().withName(systemUnsecuredUser).build(),
4676 
++			shouldPassValidate: true,
4677 
++		},
4678 
++		"allowed: vke-system service account creates pod in vke-system namespace": {
4679 
++			operation:          kadmission.Create,
4680 
++			pod:                newTestPodBuilder().withNamespace(privilegedNamespace).build(),
4681 
++			userInfo:           newTestUserBuilder().withName("system:serviceaccount:" + privilegedNamespace + ":default").build(),
4682 
++			shouldPassValidate: true,
4683 
++		},
4684 
++		"allowed: kubelet group creates pod in vke-system namespace": {
4685 
++			operation:          kadmission.Create,
4686 
++			pod:                newTestPodBuilder().withNamespace(privilegedNamespace).build(),
4687 
++			userInfo:           newTestUserBuilder().withGroup(kubeletGroup).build(),
4688 
++			shouldPassValidate: true,
4689 
++		},
4690 
++		"allowed: kubeProxy group creates pod in vke-system namespace": {
4691 
++			operation:          kadmission.Create,
4692 
++			pod:                newTestPodBuilder().withNamespace(privilegedNamespace).build(),
4693 
++			userInfo:           newTestUserBuilder().withGroup(kubeProxyGroup).build(),
4694 
++			shouldPassValidate: true,
4695 
++		},
4696 
++		"denied: regular lightwave group does not grant privileged access": {
4697 
++			operation:          kadmission.Create,
4698 
++			pod:                newTestPodBuilder().withNamespace(privilegedNamespace).build(),
4699 
++			userInfo:           newTestUserBuilder().withGroup("test1\\group1").build(),
4700 
++			shouldPassValidate: false,
4701 
++		},
4702 
++		"allowed: if user has multiple groups, any privileged group can grant privileged access": {
4703 
++			operation:          kadmission.Create,
4704 
++			pod:                newTestPodBuilder().withNamespace(privilegedNamespace).build(),
4705 
++			userInfo:           newTestUserBuilder().withGroup("test1\\group1").withGroup(testServiceAccountsGroup).build(),
4706 
++			shouldPassValidate: true,
4707 
++		},
4708 
++	}
4709 
++	for k, v := range tests {
4710 
++		testPodValidation(k, v.operation, v.pod, v.name, v.userInfo, v.shouldPassValidate, t)
4711 
++	}
4712 
++}
4713 
++
4714 
++func TestClusterLevelResources(t *testing.T) {
4715 
++	tests := map[string]struct {
4716 
++		operation          kadmission.Operation
4717 
++		resource           string
4718 
++		name               string
4719 
++		namespace          string
4720 
++		userInfo           user.Info
4721 
++		shouldPassValidate bool
4722 
++	}{
4723 
++		"denied: regular lightwave user update configmaps in vke-system namespace": {
4724 
++			operation:          kadmission.Update,
4725 
++			resource:           "configmaps",
4726 
++			namespace:          privilegedNamespace,
4727 
++			userInfo:           newTestUserBuilder().build(),
4728 
++			shouldPassValidate: false,
4729 
++		},
4730 
++		"denied: regular lightwave user delete daemonsets in vke-system namespace": {
4731 
++			operation:          kadmission.Delete,
4732 
++			resource:           "daemonsets",
4733 
++			namespace:          privilegedNamespace,
4734 
++			userInfo:           newTestUserBuilder().build(),
4735 
++			shouldPassValidate: false,
4736 
++		},
4737 
++		"denied: regular lightwave user create deployments in vke-system namespace": {
4738 
++			operation:          kadmission.Create,
4739 
++			resource:           "deployments",
4740 
++			namespace:          privilegedNamespace,
4741 
++			userInfo:           newTestUserBuilder().build(),
4742 
++			shouldPassValidate: false,
4743 
++		},
4744 
++		"denied: regular lightwave user create rolebindings in vke-system namespace": {
4745 
++			operation:          kadmission.Create,
4746 
++			resource:           "rolebindings",
4747 
++			namespace:          privilegedNamespace,
4748 
++			userInfo:           newTestUserBuilder().build(),
4749 
++			shouldPassValidate: false,
4750 
++		},
4751 
++		"allowed: regular lightwave user create rolebindings in other namespace": {
4752 
++			operation:          kadmission.Create,
4753 
++			resource:           "rolebindings",
4754 
++			namespace:          "default",
4755 
++			userInfo:           newTestUserBuilder().build(),
4756 
++			shouldPassValidate: true,
4757 
++		},
4758 
++		"allowed: regular lightwave user create clusterroles": {
4759 
++			operation:          kadmission.Create,
4760 
++			resource:           "clusterroles",
4761 
++			name:               "cluster-role",
4762 
++			namespace:          "",
4763 
++			userInfo:           newTestUserBuilder().build(),
4764 
++			shouldPassValidate: true,
4765 
++		},
4766 
++		"denied: regular lightwave user create clusterroles with vke: prefix": {
4767 
++			operation:          kadmission.Create,
4768 
++			resource:           "clusterroles",
4769 
++			name:               "vke:clusterrole",
4770 
++			namespace:          "",
4771 
++			userInfo:           newTestUserBuilder().build(),
4772 
++			shouldPassValidate: false,
4773 
++		},
4774 
++		"denied: regular lightwave user delete clusterroles with vke: prefix": {
4775 
++			operation:          kadmission.Delete,
4776 
++			resource:           "clusterroles",
4777 
++			name:               "vke:clusterrole",
4778 
++			namespace:          "",
4779 
++			userInfo:           newTestUserBuilder().build(),
4780 
++			shouldPassValidate: false,
4781 
++		},
4782 
++		"allowed: systemUnsecuredUser update clusterroles with vke: prefix": {
4783 
++			operation:          kadmission.Update,
4784 
++			resource:           "clusterroles",
4785 
++			name:               "vke:clusterrole",
4786 
++			namespace:          "",
4787 
++			userInfo:           newTestUserBuilder().withName(systemUnsecuredUser).build(),
4788 
++			shouldPassValidate: true,
4789 
++		},
4790 
++		"allowed: regular lightwave user create clusterrolebindings": {
4791 
++			operation:          kadmission.Create,
4792 
++			resource:           "clusterrolebindings",
4793 
++			name:               "cluster-role-binding",
4794 
++			namespace:          "",
4795 
++			userInfo:           newTestUserBuilder().build(),
4796 
++			shouldPassValidate: true,
4797 
++		},
4798 
++		"denied: regular lightwave user create clusterrolebindings with vke: prefix": {
4799 
++			operation:          kadmission.Create,
4800 
++			resource:           "clusterrolebindings",
4801 
++			name:               "vke:clusterrolebinding",
4802 
++			namespace:          "",
4803 
++			userInfo:           newTestUserBuilder().build(),
4804 
++			shouldPassValidate: false,
4805 
++		},
4806 
++		"denied: regular lightwave user update clusterrolebindings with vke: prefix": {
4807 
++			operation:          kadmission.Delete,
4808 
++			resource:           "clusterrolebindings",
4809 
++			name:               "vke:clusterrolebinding",
4810 
++			namespace:          "",
4811 
++			userInfo:           newTestUserBuilder().build(),
4812 
++			shouldPassValidate: false,
4813 
++		},
4814 
++		"allowed: systemUnsecuredUser update clusterrolebindings with vke: prefix": {
4815 
++			operation:          kadmission.Update,
4816 
++			resource:           "clusterrolebindings",
4817 
++			name:               "vke:clusterrolebinding",
4818 
++			namespace:          "",
4819 
++			userInfo:           newTestUserBuilder().withName(systemUnsecuredUser).build(),
4820 
++			shouldPassValidate: true,
4821 
++		},
4822 
++		"denied: regular lightwave user update nodes": {
4823 
++			operation:          kadmission.Update,
4824 
++			resource:           "nodes",
4825 
++			namespace:          "",
4826 
++			userInfo:           newTestUserBuilder().build(),
4827 
++			shouldPassValidate: false,
4828 
++		},
4829 
++		"allowed: systemUnsecuredUser update nodes": {
4830 
++			operation:          kadmission.Update,
4831 
++			resource:           "nodes",
4832 
++			namespace:          "",
4833 
++			userInfo:           newTestUserBuilder().withName(systemUnsecuredUser).build(),
4834 
++			shouldPassValidate: true,
4835 
++		},
4836 
++	}
4837 
++	for k, v := range tests {
4838 
++		testResourceValidation(k, v.operation, v.resource, v.name, v.namespace, v.userInfo, v.shouldPassValidate, t)
4839 
++	}
4840 
++}
4841 
++
4842 
++func testPodValidation(testCaseName string, op kadmission.Operation, pod *kapi.Pod, name string, userInfo user.Info,
4843 
++	shouldPassValidate bool, t *testing.T) {
4844 
++
4845 
++	defaultConfigFile := fmt.Sprintf(defaultConfigFileFormat, testServiceAccountsGroup)
4846 
++	configFile := strings.NewReader(defaultConfigFile)
4847 
++	plugin, err := NewVMwareAdmissionController(configFile)
4848 
++	if err != nil {
4849 
++		t.Errorf("%s: failed to create admission controller %v", testCaseName, err)
4850 
++	}
4851 
++
4852 
++	attrs := kadmission.NewAttributesRecord(pod, nil, kapi.Kind("Pod").WithVersion("version"),
4853 
++		pod.Namespace, name, kapi.Resource("pods").WithVersion("version"), "", op, userInfo)
4854 
++
4855 
++	err = plugin.Validate(attrs)
4856 
++	if shouldPassValidate && err != nil {
4857 
++		t.Errorf("%s: expected no errors on Validate but received %v", testCaseName, err)
4858 
++	} else if !shouldPassValidate && err == nil {
4859 
++		t.Errorf("%s: expected errors on Validate but received none", testCaseName)
4860 
++	}
4861 
++}
4862 
++
4863 
++func testResourceValidation(testCaseName string, op kadmission.Operation, resource string, name string,
4864 
++	namespace string, userInfo user.Info, shouldPassValidate bool, t *testing.T) {
4865 
++
4866 
++	defaultConfigFile := fmt.Sprintf(defaultConfigFileFormat, testServiceAccountsGroup)
4867 
++	configFile := strings.NewReader(defaultConfigFile)
4868 
++	plugin, err := NewVMwareAdmissionController(configFile)
4869 
++	if err != nil {
4870 
++		t.Errorf("%s: failed to create admission controller %v", testCaseName, err)
4871 
++	}
4872 
++
4873 
++	groupResource := kapi.Resource(resource).WithVersion("version")
4874 
++	if resource == "clusterroles" || resource == "clusterrolebindings" {
4875 
++		groupResource = rbac.Resource(resource).WithVersion("version")
4876 
++	}
4877 
++
4878 
++	attrs := kadmission.NewAttributesRecord(nil, nil, kapi.Kind("kind").WithVersion("version"),
4879 
++		namespace, name, groupResource, "", op, userInfo)
4880 
++
4881 
++	err = plugin.Validate(attrs)
4882 
++	if shouldPassValidate && err != nil {
4883 
++		t.Errorf("%s: expected no errors on Validate but received %v", testCaseName, err)
4884 
++	} else if !shouldPassValidate && err == nil {
4885 
++		t.Errorf("%s: expected errors on Validate but received none", testCaseName)
4886 
++	}
4887 
++}
4888 
++
4889 
++// testPodBuilder
4890 
++type testPodBuilder struct {
4891 
++	pod kapi.Pod
4892 
++}
4893 
++
4894 
++func newTestPodBuilder() *testPodBuilder {
4895 
++	builder := new(testPodBuilder)
4896 
++	return builder.init()
4897 
++}
4898 
++
4899 
++func (p *testPodBuilder) init() *testPodBuilder {
4900 
++	p.pod = kapi.Pod{
4901 
++		ObjectMeta: metav1.ObjectMeta{
4902 
++			Name:        "pod",
4903 
++			Namespace:   "namespace",
4904 
++			Annotations: map[string]string{},
4905 
++		},
4906 
++		Spec: kapi.PodSpec{
4907 
++			ServiceAccountName: "default",
4908 
++			SecurityContext:    &kapi.PodSecurityContext{},
4909 
++			Containers: []kapi.Container{
4910 
++				{
4911 
++					Name:            "test-container-1",
4912 
++					SecurityContext: &kapi.SecurityContext{},
4913 
++				},
4914 
++			},
4915 
++		},
4916 
++	}
4917 
++	return p
4918 
++}
4919 
++
4920 
++func (p *testPodBuilder) build() *kapi.Pod {
4921 
++	return &p.pod
4922 
++}
4923 
++
4924 
++func (p *testPodBuilder) withNamespace(namespace string) *testPodBuilder {
4925 
++	p.pod.ObjectMeta.Namespace = namespace
4926 
++	return p
4927 
++}
4928 
++
4929 
++func (p *testPodBuilder) withServiceAccount(sa string) *testPodBuilder {
4930 
++	p.pod.Spec.ServiceAccountName = sa
4931 
++	return p
4932 
++}
4933 
++
4934 
++func (p *testPodBuilder) withPrivileged(v bool) *testPodBuilder {
4935 
++	p.pod.Spec.Containers[0].SecurityContext.Privileged = &v
4936 
++	return p
4937 
++}
4938 
++
4939 
++func (p *testPodBuilder) withHostNetwork(v bool) *testPodBuilder {
4940 
++	p.pod.Spec.SecurityContext.HostNetwork = v
4941 
++	return p
4942 
++}
4943 
++
4944 
++func (p *testPodBuilder) withHostIPC(v bool) *testPodBuilder {
4945 
++	p.pod.Spec.SecurityContext.HostIPC = v
4946 
++	return p
4947 
++}
4948 
++
4949 
++func (p *testPodBuilder) withHostPID(v bool) *testPodBuilder {
4950 
++	p.pod.Spec.SecurityContext.HostPID = v
4951 
++	return p
4952 
++}
4953 
++
4954 
++func (p *testPodBuilder) withHostVolume() *testPodBuilder {
4955 
++	volume := kapi.Volume{
4956 
++		Name: "host",
4957 
++		VolumeSource: kapi.VolumeSource{
4958 
++			HostPath: &kapi.HostPathVolumeSource{
4959 
++				Path: "/",
4960 
++			},
4961 
++		},
4962 
++	}
4963 
++	device := kapi.VolumeDevice{Name: "host", DevicePath: "/host"}
4964 
++
4965 
++	p.pod.Spec.Volumes = append(p.pod.Spec.Volumes, volume)
4966 
++	p.pod.Spec.Containers[0].VolumeDevices = append(p.pod.Spec.Containers[0].VolumeDevices, device)
4967 
++	return p
4968 
++}
4969 
++
4970 
++func (p *testPodBuilder) withCascadeDisk() *testPodBuilder {
4971 
++	volume := kapi.Volume{
4972 
++		Name: "cascadeDisk",
4973 
++		VolumeSource: kapi.VolumeSource{
4974 
++			PersistentVolumeClaim: &kapi.PersistentVolumeClaimVolumeSource{
4975 
++				ClaimName: "00000000-0000-0000-0000-000000000001",
4976 
++				ReadOnly:  false,
4977 
++			},
4978 
++		},
4979 
++	}
4980 
++	device := kapi.VolumeDevice{Name: "cascadeDisk", DevicePath: "/cascadeDisk"}
4981 
++
4982 
++	p.pod.Spec.Volumes = append(p.pod.Spec.Volumes, volume)
4983 
++	p.pod.Spec.Containers[0].VolumeDevices = append(p.pod.Spec.Containers[0].VolumeDevices, device)
4984 
++	return p
4985 
++}
4986 
++
4987 
++func (p *testPodBuilder) withContainer() *testPodBuilder {
4988 
++	container := kapi.Container{
4989 
++		Name:            "test-container-2",
4990 
++		SecurityContext: &kapi.SecurityContext{},
4991 
++	}
4992 
++
4993 
++	p.pod.Spec.Containers = append(p.pod.Spec.Containers, container)
4994 
++	return p
4995 
++}
4996 
++
4997 
++func (p *testPodBuilder) withInitContainer() *testPodBuilder {
4998 
++	container := kapi.Container{
4999 
++		Name:            "test-init-container",
5000 
++		SecurityContext: &kapi.SecurityContext{},
5001 
++	}
5002 
++
5003 
++	p.pod.Spec.Containers = append(p.pod.Spec.Containers, container)
5004 
++	return p
5005 
++}
5006 
++
5007 
++// testUserBuilder
5008 
++type testUserBuilder struct {
5009 
++	user *user.DefaultInfo
5010 
++}
5011 
++
5012 
++func newTestUserBuilder() *testUserBuilder {
5013 
++	builder := new(testUserBuilder)
5014 
++	return builder.init()
5015 
++}
5016 
++
5017 
++func (p *testUserBuilder) init() *testUserBuilder {
5018 
++	p.user = &user.DefaultInfo{
5019 
++		Name:   "https://lightwave.cascade-cloud.com/openidconnect/00000000-0000-0000-0000-000000000001#joe@vmware.com",
5020 
++		UID:    "10001",
5021 
++		Groups: []string{},
5022 
++	}
5023 
++	return p
5024 
++}
5025 
++
5026 
++func (p *testUserBuilder) build() *user.DefaultInfo {
5027 
++	return p.user
5028 
++}
5029 
++
5030 
++func (p *testUserBuilder) withName(name string) *testUserBuilder {
5031 
++	p.user.Name = name
5032 
++	return p
5033 
++}
5034 
++
5035 
++func (p *testUserBuilder) withGroup(group string) *testUserBuilder {
5036 
++	p.user.Groups = append(p.user.Groups, group)
5037 
++	return p
5038 
++}
5039 
+diff --git a/staging/src/k8s.io/api/core/v1/generated.pb.go b/staging/src/k8s.io/api/core/v1/generated.pb.go
5040 
+index 5aeae2c..a7d5b12 100644
5041 
+--- a/staging/src/k8s.io/api/core/v1/generated.pb.go
5042 
+@@ -35,6 +35,7 @@ limitations under the License.
4053 5043 
  		Binding
4054 5044 
  		CSIPersistentVolumeSource
4055 5045 
  		Capabilities
... ... 
@@ -4058,7 +4951,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4058 4058 
  		CephFSPersistentVolumeSource
4059 4059 
  		CephFSVolumeSource
4060 4060 
  		CinderVolumeSource
4061 
-@@ -260,9 +261,11 @@
4061 
+@@ -260,9 +261,11 @@ func (m *AvoidPods) Reset()                    { *m = AvoidPods{} }
4062 4062 
  func (*AvoidPods) ProtoMessage()               {}
4063 4063 
  func (*AvoidPods) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} }
4064 4064
... ... 
@@ -4073,7 +4966,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4073 4073
4074 4074 
  func (m *AzureFilePersistentVolumeSource) Reset()      { *m = AzureFilePersistentVolumeSource{} }
4075 4075 
  func (*AzureFilePersistentVolumeSource) ProtoMessage() {}
4076 
-@@ -1040,6 +1043,11 @@
4076 
+@@ -1040,6 +1043,11 @@ func (*WeightedPodAffinityTerm) Descriptor() ([]byte, []int) {
4077 4077 
  	return fileDescriptorGenerated, []int{185}
4078 4078 
  }
4079 4079
... ... 
@@ -4085,7 +4978,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4085 4085 
  func init() {
4086 4086 
  	proto.RegisterType((*AWSElasticBlockStoreVolumeSource)(nil), "k8s.io.api.core.v1.AWSElasticBlockStoreVolumeSource")
4087 4087 
  	proto.RegisterType((*Affinity)(nil), "k8s.io.api.core.v1.Affinity")
4088 
-@@ -1051,6 +1059,7 @@
4088 
+@@ -1051,6 +1059,7 @@ func init() {
4089 4089 
  	proto.RegisterType((*Binding)(nil), "k8s.io.api.core.v1.Binding")
4090 4090 
  	proto.RegisterType((*CSIPersistentVolumeSource)(nil), "k8s.io.api.core.v1.CSIPersistentVolumeSource")
4091 4091 
  	proto.RegisterType((*Capabilities)(nil), "k8s.io.api.core.v1.Capabilities")
... ... 
@@ -4093,7 +4986,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4093 4093 
  	proto.RegisterType((*CephFSPersistentVolumeSource)(nil), "k8s.io.api.core.v1.CephFSPersistentVolumeSource")
4094 4094 
  	proto.RegisterType((*CephFSVolumeSource)(nil), "k8s.io.api.core.v1.CephFSVolumeSource")
4095 4095 
  	proto.RegisterType((*CinderVolumeSource)(nil), "k8s.io.api.core.v1.CinderVolumeSource")
4096 
-@@ -1613,6 +1622,32 @@
4096 
+@@ -1613,6 +1622,32 @@ func (m *Capabilities) MarshalTo(dAtA []byte) (int, error) {
4097 4097 
  	return i, nil
4098 4098 
  }
4099 4099
... ... 
@@ -4126,7 +5019,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4126 4126 
  func (m *CephFSPersistentVolumeSource) Marshal() (dAtA []byte, err error) {
4127 4127 
  	size := m.Size()
4128 4128 
  	dAtA = make([]byte, size)
4129 
-@@ -6283,13 +6318,13 @@
4129 
+@@ -6283,13 +6318,13 @@ func (m *PersistentVolumeSource) MarshalTo(dAtA []byte) (int, error) {
4130 4130 
  		}
4131 4131 
  		i += n120
4132 4132 
  	}
... ... 
@@ -4143,7 +5036,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4143 4143 
  		if err != nil {
4144 4144 
  			return 0, err
4145 4145 
  		}
4146 
-@@ -6367,6 +6402,18 @@
4146 
+@@ -6367,6 +6402,18 @@ func (m *PersistentVolumeSource) MarshalTo(dAtA []byte) (int, error) {
4147 4147 
  		}
4148 4148 
  		i += n127
4149 4149 
  	}
... ... 
@@ -4162,7 +5055,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4162 4162 
  	return i, nil
4163 4163 
  }
4164 4164
4165 
-@@ -10316,13 +10363,13 @@
4165 
+@@ -10316,13 +10363,13 @@ func (m *VolumeSource) MarshalTo(dAtA []byte) (int, error) {
4166 4166 
  		}
4167 4167 
  		i += n223
4168 4168 
  	}
... ... 
@@ -4179,7 +5072,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4179 4179 
  		if err != nil {
4180 4180 
  			return 0, err
4181 4181 
  		}
4182 
-@@ -10388,6 +10435,18 @@
4182 
+@@ -10388,6 +10435,18 @@ func (m *VolumeSource) MarshalTo(dAtA []byte) (int, error) {
4183 4183 
  		}
4184 4184 
  		i += n229
4185 4185 
  	}
... ... 
@@ -4198,7 +5091,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4198 4198 
  	return i, nil
4199 4199 
  }
4200 4200
4201 
-@@ -10623,6 +10682,16 @@
4201 
+@@ -10623,6 +10682,16 @@ func (m *Capabilities) Size() (n int) {
4202 4202 
  	return n
4203 4203 
  }
4204 4204
... ... 
@@ -4215,7 +5108,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4215 4215 
  func (m *CephFSPersistentVolumeSource) Size() (n int) {
4216 4216 
  	var l int
4217 4217 
  	_ = l
4218 
-@@ -12331,8 +12400,8 @@
4218 
+@@ -12331,8 +12400,8 @@ func (m *PersistentVolumeSource) Size() (n int) {
4219 4219 
  		l = m.Quobyte.Size()
4220 4220 
  		n += 1 + l + sovGenerated(uint64(l))
4221 4221 
  	}
... ... 
@@ -4226,7 +5119,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4226 4226 
  		n += 2 + l + sovGenerated(uint64(l))
4227 4227 
  	}
4228 4228 
  	if m.PhotonPersistentDisk != nil {
4229 
-@@ -12359,6 +12428,10 @@
4229 
+@@ -12359,6 +12428,10 @@ func (m *PersistentVolumeSource) Size() (n int) {
4230 4230 
  		l = m.CSI.Size()
4231 4231 
  		n += 2 + l + sovGenerated(uint64(l))
4232 4232 
  	}
... ... 
@@ -4237,7 +5130,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4237 4237 
  	return n
4238 4238 
  }
4239 4239
4240 
-@@ -13788,8 +13861,8 @@
4240 
+@@ -13788,8 +13861,8 @@ func (m *VolumeSource) Size() (n int) {
4241 4241 
  		l = m.Quobyte.Size()
4242 4242 
  		n += 2 + l + sovGenerated(uint64(l))
4243 4243 
  	}
... ... 
@@ -4248,7 +5141,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4248 4248 
  		n += 2 + l + sovGenerated(uint64(l))
4249 4249 
  	}
4250 4250 
  	if m.PhotonPersistentDisk != nil {
4251 
-@@ -13812,6 +13885,10 @@
4251 
+@@ -13812,6 +13885,10 @@ func (m *VolumeSource) Size() (n int) {
4252 4252 
  		l = m.StorageOS.Size()
4253 4253 
  		n += 2 + l + sovGenerated(uint64(l))
4254 4254 
  	}
... ... 
@@ -4259,7 +5152,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4259 4259 
  	return n
4260 4260 
  }
4261 4261
4262 
-@@ -13971,6 +14048,17 @@
4262 
+@@ -13971,6 +14048,17 @@ func (this *Capabilities) String() string {
4263 4263 
  	}, "")
4264 4264 
  	return s
4265 4265 
  }
... ... 
@@ -4277,7 +5170,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4277 4277 
  func (this *CephFSPersistentVolumeSource) String() string {
4278 4278 
  	if this == nil {
4279 4279 
  		return "nil"
4280 
-@@ -15335,13 +15423,14 @@
4280 
+@@ -15335,13 +15423,14 @@ func (this *PersistentVolumeSource) String() string {
4281 4281 
  		`AzureFile:` + strings.Replace(fmt.Sprintf("%v", this.AzureFile), "AzureFilePersistentVolumeSource", "AzureFilePersistentVolumeSource", 1) + `,`,
4282 4282 
  		`VsphereVolume:` + strings.Replace(fmt.Sprintf("%v", this.VsphereVolume), "VsphereVirtualDiskVolumeSource", "VsphereVirtualDiskVolumeSource", 1) + `,`,
4283 4283 
  		`Quobyte:` + strings.Replace(fmt.Sprintf("%v", this.Quobyte), "QuobyteVolumeSource", "QuobyteVolumeSource", 1) + `,`,
... ... 
@@ -4293,7 +5186,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4293 4293 
  		`}`,
4294 4294 
  	}, "")
4295 4295 
  	return s
4296 
-@@ -16468,12 +16557,13 @@
4296 
+@@ -16468,12 +16557,13 @@ func (this *VolumeSource) String() string {
4297 4297 
  		`ConfigMap:` + strings.Replace(fmt.Sprintf("%v", this.ConfigMap), "ConfigMapVolumeSource", "ConfigMapVolumeSource", 1) + `,`,
4298 4298 
  		`VsphereVolume:` + strings.Replace(fmt.Sprintf("%v", this.VsphereVolume), "VsphereVirtualDiskVolumeSource", "VsphereVirtualDiskVolumeSource", 1) + `,`,
4299 4299 
  		`Quobyte:` + strings.Replace(fmt.Sprintf("%v", this.Quobyte), "QuobyteVolumeSource", "QuobyteVolumeSource", 1) + `,`,
... ... 
@@ -4308,7 +5201,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4308 4308 
  		`}`,
4309 4309 
  	}, "")
4310 4310 
  	return s
4311 
-@@ -34322,7 +34412,7 @@
4311 
+@@ -34322,7 +34412,7 @@ func (m *PersistentVolumeSource) Unmarshal(dAtA []byte) error {
4312 4312 
  			iNdEx = postIndex
4313 4313 
  		case 16:
4314 4314 
  			if wireType != 2 {
... ... 
@@ -4317,7 +5210,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4317 4317 
  			}
4318 4318 
  			var msglen int
4319 4319 
  			for shift := uint(0); ; shift += 7 {
4320 
-@@ -34346,10 +34436,10 @@
4320 
+@@ -34346,10 +34436,10 @@ func (m *PersistentVolumeSource) Unmarshal(dAtA []byte) error {
4321 4321 
  			if postIndex > l {
4322 4322 
  				return io.ErrUnexpectedEOF
4323 4323 
  			}
... ... 
@@ -4331,7 +5224,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4331 4331 
  				return err
4332 4332 
  			}
4333 4333 
  			iNdEx = postIndex
4334 
-@@ -34551,6 +34641,39 @@
4334 
+@@ -34551,6 +34641,39 @@ func (m *PersistentVolumeSource) Unmarshal(dAtA []byte) error {
4335 4335 
  				return err
4336 4336 
  			}
4337 4337 
  			iNdEx = postIndex
... ... 
@@ -4371,7 +5264,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4371 4371 
  		default:
4372 4372 
  			iNdEx = preIndex
4373 4373 
  			skippy, err := skipGenerated(dAtA[iNdEx:])
4374 
-@@ -35089,6 +35212,114 @@
4374 
+@@ -35089,6 +35212,114 @@ func (m *PersistentVolumeStatus) Unmarshal(dAtA []byte) error {
4375 4375 
  	}
4376 4376 
  	return nil
4377 4377 
  }
... ... 
@@ -4486,7 +5379,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4486 4486 
  func (m *PhotonPersistentDiskVolumeSource) Unmarshal(dAtA []byte) error {
4487 4487 
  	l := len(dAtA)
4488 4488 
  	iNdEx := 0
4489 
-@@ -48522,7 +48753,7 @@
4489 
+@@ -48522,7 +48753,7 @@ func (m *VolumeSource) Unmarshal(dAtA []byte) error {
4490 4490 
  			iNdEx = postIndex
4491 4491 
  		case 22:
4492 4492 
  			if wireType != 2 {
... ... 
@@ -4495,7 +5388,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4495 4495 
  			}
4496 4496 
  			var msglen int
4497 4497 
  			for shift := uint(0); ; shift += 7 {
4498 
-@@ -48546,10 +48777,10 @@
4498 
+@@ -48546,10 +48777,10 @@ func (m *VolumeSource) Unmarshal(dAtA []byte) error {
4499 4499 
  			if postIndex > l {
4500 4500 
  				return io.ErrUnexpectedEOF
4501 4501 
  			}
... ... 
@@ -4509,7 +5402,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4509 4509 
  				return err
4510 4510 
  			}
4511 4511 
  			iNdEx = postIndex
4512 
-@@ -48718,6 +48949,39 @@
4512 
+@@ -48718,6 +48949,39 @@ func (m *VolumeSource) Unmarshal(dAtA []byte) error {
4513 4513 
  				return err
4514 4514 
  			}
4515 4515 
  			iNdEx = postIndex
... ... 
@@ -4549,10 +5442,11 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ge
4549 4549 
  		default:
4550 4550 
  			iNdEx = preIndex
4551 4551 
  			skippy, err := skipGenerated(dAtA[iNdEx:])
4552 
-diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/types.go kubernetes-modified/src/k8s.io/kubernetes/staging/src/k8s.io/api/core/v1/types.go
4553 
-+++ kubernetes-modified/src/k8s.io/kubernetes/staging/src/k8s.io/api/core/v1/types.go	2018-04-30 21:11:51.000000000 +0000
4554 
-@@ -333,9 +333,8 @@
4552 
+diff --git a/staging/src/k8s.io/api/core/v1/types.go b/staging/src/k8s.io/api/core/v1/types.go
4553 
+index 728cbd5..8c50888 100644
4554 
+--- a/staging/src/k8s.io/api/core/v1/types.go
4555 
+@@ -333,9 +333,8 @@ type VolumeSource struct {
4555 4556 
  	// Quobyte represents a Quobyte mount on the host that shares a pod's lifetime
4556 4557 
  	// +optional
4557 4558 
  	Quobyte *QuobyteVolumeSource `json:"quobyte,omitempty" protobuf:"bytes,21,opt,name=quobyte"`
... ... 
@@ -4564,7 +5458,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ty
4564 4564 
  	// PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
4565 4565 
  	PhotonPersistentDisk *PhotonPersistentDiskVolumeSource `json:"photonPersistentDisk,omitempty" protobuf:"bytes,23,opt,name=photonPersistentDisk"`
4566 4566 
  	// Items for all in one resources secrets, configmaps, and downward API
4567 
-@@ -349,6 +348,9 @@
4567 
+@@ -349,6 +348,9 @@ type VolumeSource struct {
4568 4568 
  	// StorageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
4569 4569 
  	// +optional
4570 4570 
  	StorageOS *StorageOSVolumeSource `json:"storageos,omitempty" protobuf:"bytes,27,opt,name=storageos"`
... ... 
@@ -4574,7 +5468,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ty
4574 4574 
  }
4575 4575
4576 4576 
  // PersistentVolumeClaimVolumeSource references the user's PVC in the same namespace.
4577 
-@@ -428,9 +430,8 @@
4577 
+@@ -428,9 +430,8 @@ type PersistentVolumeSource struct {
4578 4578 
  	// Quobyte represents a Quobyte mount on the host that shares a pod's lifetime
4579 4579 
  	// +optional
4580 4580 
  	Quobyte *QuobyteVolumeSource `json:"quobyte,omitempty" protobuf:"bytes,15,opt,name=quobyte"`
... ... 
@@ -4586,7 +5480,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ty
4586 4586 
  	// PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
4587 4587 
  	PhotonPersistentDisk *PhotonPersistentDiskVolumeSource `json:"photonPersistentDisk,omitempty" protobuf:"bytes,17,opt,name=photonPersistentDisk"`
4588 4588 
  	// PortworxVolume represents a portworx volume attached and mounted on kubelets host machine
4589 
-@@ -449,6 +450,9 @@
4589 
+@@ -449,6 +450,9 @@ type PersistentVolumeSource struct {
4590 4590 
  	// CSI represents storage that handled by an external CSI driver
4591 4591 
  	// +optional
4592 4592 
  	CSI *CSIPersistentVolumeSource `json:"csi,omitempty" protobuf:"bytes,22,opt,name=csi"`
... ... 
@@ -4596,7 +5490,7 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ty
4596 4596 
  }
4597 4597
4598 4598 
  const (
4599 
-@@ -1578,6 +1582,16 @@
4599 
+@@ -1578,6 +1582,16 @@ type StorageOSPersistentVolumeSource struct {
4600 4600 
  	SecretRef *ObjectReference `json:"secretRef,omitempty" protobuf:"bytes,5,opt,name=secretRef"`
4601 4601 
  }
4602 4602
... ... 
@@ -4613,3 +5507,6 @@ diff -uNr --no-dereference kubernetes-original/staging/src/k8s.io/api/core/v1/ty
4613 4613 
  // Adapts a ConfigMap into a volume.
4614 4614 
  //
4615 4615 
  // The contents of the target ConfigMap's Data field will be presented in a
4616 
+--
4617 
+2.7.4
4618 
+
SPECS/kubernetes/k8s-vke.patch
History View file @ 6c0225e
... ... 
@@ -1,6 +1,81 @@
1 
-diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/apps_v1alpha1.json kubernetes/api/swagger-spec/apps_v1alpha1.json
2 
-+++ kubernetes/api/swagger-spec/apps_v1alpha1.json	2018-05-17 00:03:37.000000000 +0000
1 
+From e1297ed2ee86ca1fca087b06ae1227c1e5e4d61f Mon Sep 17 00:00:00 2001
2 
+From: Bo Gan <ganb@vmware.com>
3 
+Date: Sat, 2 Jun 2018 16:12:09 -0700
4 
+Subject: [PATCH] Cascade Kubernetes patches for v1.10.2 (7b1ec01)
5 
+
6 
+---
7 
+ api/swagger-spec/apps_v1alpha1.json                |  21 +
8 
+ api/swagger-spec/apps_v1beta1.json                 |  21 +
9 
+ api/swagger-spec/apps_v1beta2.json                 |  21 +
10 
+ api/swagger-spec/batch_v1.json                     |  21 +
11 
+ api/swagger-spec/batch_v1beta1.json                |  21 +
12 
+ api/swagger-spec/batch_v2alpha1.json               |  21 +
13 
+ api/swagger-spec/extensions_v1beta1.json           |  21 +
14 
+ api/swagger-spec/settings.k8s.io_v1alpha1.json     |  21 +
15 
+ api/swagger-spec/v1.json                           |  25 +
16 
+ cmd/kube-controller-manager/app/BUILD              |   1 +
17 
+ cmd/kube-controller-manager/app/plugins.go         |   4 +
18 
+ cmd/kubelet/app/BUILD                              |   1 +
19 
+ cmd/kubelet/app/plugins.go                         |   2 +
20 
+ pkg/apis/core/types.go                             |  14 +
21 
+ pkg/apis/core/validation/validation.go             |  29 +-
22 
+ pkg/apis/extensions/types.go                       |   1 +
23 
+ pkg/cloudprovider/providers/BUILD                  |   2 +
24 
+ pkg/cloudprovider/providers/cascade/BUILD          |  44 ++
25 
+ pkg/cloudprovider/providers/cascade/OWNERS         |   3 +
26 
+ pkg/cloudprovider/providers/cascade/apitypes.go    | 227 +++++++++
27 
+ pkg/cloudprovider/providers/cascade/auth.go        | 145 ++++++
28 
+ pkg/cloudprovider/providers/cascade/cascade.go     | 212 ++++++++
29 
+ .../providers/cascade/cascade_disks.go             | 227 +++++++++
30 
+ .../providers/cascade/cascade_instances.go         |  91 ++++
31 
+ .../providers/cascade/cascade_loadbalancer.go      | 285 +++++++++++
32 
+ pkg/cloudprovider/providers/cascade/client.go      | 394 +++++++++++++++
33 
+ pkg/cloudprovider/providers/cascade/oidcclient.go  | 297 +++++++++++
34 
+ pkg/cloudprovider/providers/cascade/restclient.go  | 262 ++++++++++
35 
+ pkg/cloudprovider/providers/cascade/tests_owed     |   5 +
36 
+ pkg/cloudprovider/providers/cascade/utils.go       |  25 +
37 
+ pkg/cloudprovider/providers/providers.go           |   1 +
38 
+ pkg/kubeapiserver/options/plugins.go               |   3 +
39 
+ pkg/printers/internalversion/describe.go           |  11 +
40 
+ pkg/security/podsecuritypolicy/util/util.go        |   3 +
41 
+ pkg/volume/cascade_disk/BUILD                      |  43 ++
42 
+ pkg/volume/cascade_disk/OWNERS                     |   2 +
43 
+ pkg/volume/cascade_disk/attacher.go                | 268 ++++++++++
44 
+ pkg/volume/cascade_disk/cascade_disk.go            | 390 +++++++++++++++
45 
+ pkg/volume/cascade_disk/cascade_util.go            | 107 ++++
46 
+ .../admission/persistentvolume/label/admission.go  |  54 ++
47 
+ plugin/pkg/admission/vke/BUILD                     |  58 +++
48 
+ plugin/pkg/admission/vke/admission.go              | 374 ++++++++++++++
49 
+ plugin/pkg/admission/vke/admission_test.go         | 541 +++++++++++++++++++++
50 
+ staging/src/k8s.io/api/core/v1/generated.pb.go     | 310 +++++++++++-
51 
+ staging/src/k8s.io/api/core/v1/types.go            |  24 +-
52 
+ 45 files changed, 4624 insertions(+), 29 deletions(-)
53 
+ create mode 100644 pkg/cloudprovider/providers/cascade/BUILD
54 
+ create mode 100644 pkg/cloudprovider/providers/cascade/OWNERS
55 
+ create mode 100644 pkg/cloudprovider/providers/cascade/apitypes.go
56 
+ create mode 100644 pkg/cloudprovider/providers/cascade/auth.go
57 
+ create mode 100644 pkg/cloudprovider/providers/cascade/cascade.go
58 
+ create mode 100644 pkg/cloudprovider/providers/cascade/cascade_disks.go
59 
+ create mode 100644 pkg/cloudprovider/providers/cascade/cascade_instances.go
60 
+ create mode 100644 pkg/cloudprovider/providers/cascade/cascade_loadbalancer.go
61 
+ create mode 100644 pkg/cloudprovider/providers/cascade/client.go
62 
+ create mode 100644 pkg/cloudprovider/providers/cascade/oidcclient.go
63 
+ create mode 100644 pkg/cloudprovider/providers/cascade/restclient.go
64 
+ create mode 100644 pkg/cloudprovider/providers/cascade/tests_owed
65 
+ create mode 100644 pkg/cloudprovider/providers/cascade/utils.go
66 
+ create mode 100644 pkg/volume/cascade_disk/BUILD
67 
+ create mode 100644 pkg/volume/cascade_disk/OWNERS
68 
+ create mode 100644 pkg/volume/cascade_disk/attacher.go
69 
+ create mode 100644 pkg/volume/cascade_disk/cascade_disk.go
70 
+ create mode 100644 pkg/volume/cascade_disk/cascade_util.go
71 
+ create mode 100644 plugin/pkg/admission/vke/BUILD
72 
+ create mode 100644 plugin/pkg/admission/vke/admission.go
73 
+ create mode 100644 plugin/pkg/admission/vke/admission_test.go
74 
+
75 
+diff --git a/api/swagger-spec/apps_v1alpha1.json b/api/swagger-spec/apps_v1alpha1.json
76 
+index 6f54662..bf61f93 100644
77 
+--- a/api/swagger-spec/apps_v1alpha1.json
3 78 
 @@ -1459,6 +1459,10 @@
4 79 
       "photonPersistentDisk": {
5 80 
        "$ref": "v1.PhotonPersistentDiskVolumeSource",
... ... 
@@ -12,14 +87,10 @@ diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/apps_v1alpha1.json k
12 12 
       }
13 13 
      }
14 14 
     },
15 
-@@ -2105,6 +2109,23 @@
16 
-      },
17 
-      "fsType": {
18 
-       "type": "string",
19 
-+      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
20 
-+     }
21 
-+    }
22 
-+   },
15 
+@@ -2109,6 +2113,23 @@
16 
+      }
17 
+     }
18 
+    },
23 19 
 +   "v1.CascadeDiskVolumeSource": {
24 20 
 +    "id": "v1.CascadeDiskVolumeSource",
25 21 
 +    "description": "Represents a Cascade persistent disk resource.",
... ... 
@@ -33,12 +104,17 @@ diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/apps_v1alpha1.json k
33 33 
 +     },
34 34 
 +     "fsType": {
35 35 
 +      "type": "string",
36 
-       "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
37 
-      }
38 
-     }
39 
-diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/apps_v1beta1.json kubernetes/api/swagger-spec/apps_v1beta1.json
40 
-+++ kubernetes/api/swagger-spec/apps_v1beta1.json	2018-05-17 00:03:37.000000000 +0000
36 
++      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
37 
++     }
38 
++    }
39 
++   },
40 
+    "v1.Container": {
41 
+     "id": "v1.Container",
42 
+     "description": "A single application container that you want to run within a pod.",
43 
+diff --git a/api/swagger-spec/apps_v1beta1.json b/api/swagger-spec/apps_v1beta1.json
44 
+index a4b090a..6e6471b 100644
45 
+--- a/api/swagger-spec/apps_v1beta1.json
41 46 
 @@ -4483,6 +4483,10 @@
42 47 
        "$ref": "v1.PhotonPersistentDiskVolumeSource",
43 48 
        "description": "PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine"
... ... 
@@ -50,14 +126,10 @@ diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/apps_v1beta1.json ku
50 50 
       "projected": {
51 51 
        "$ref": "v1.ProjectedVolumeSource",
52 52 
        "description": "Items for all in one resources secrets, configmaps, and downward API"
53 
-@@ -5206,6 +5210,23 @@
54 
-      },
55 
-      "fsType": {
56 
-       "type": "string",
57 
-+      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
58 
-+     }
59 
-+    }
60 
-+   },
53 
+@@ -5210,6 +5214,23 @@
54 
+      }
55 
+     }
56 
+    },
61 57 
 +   "v1.CascadeDiskVolumeSource": {
62 58 
 +    "id": "v1.CascadeDiskVolumeSource",
63 59 
 +    "description": "Represents a Cascade persistent disk resource.",
... ... 
@@ -71,12 +143,17 @@ diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/apps_v1beta1.json ku
71 71 
 +     },
72 72 
 +     "fsType": {
73 73 
 +      "type": "string",
74 
-       "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
75 
-      }
76 
-     }
77 
-diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/apps_v1beta2.json kubernetes/api/swagger-spec/apps_v1beta2.json
78 
-+++ kubernetes/api/swagger-spec/apps_v1beta2.json	2018-05-17 00:03:37.000000000 +0000
74 
++      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
75 
++     }
76 
++    }
77 
++   },
78 
+    "v1.ProjectedVolumeSource": {
79 
+     "id": "v1.ProjectedVolumeSource",
80 
+     "description": "Represents a projected volume source",
81 
+diff --git a/api/swagger-spec/apps_v1beta2.json b/api/swagger-spec/apps_v1beta2.json
82 
+index b1fcb48..b00e42e 100644
83 
+--- a/api/swagger-spec/apps_v1beta2.json
79 84 
 @@ -6849,6 +6849,10 @@
80 85 
        "$ref": "v1.PhotonPersistentDiskVolumeSource",
81 86 
        "description": "PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine"
... ... 
@@ -88,14 +165,10 @@ diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/apps_v1beta2.json ku
88 88 
       "projected": {
89 89 
        "$ref": "v1.ProjectedVolumeSource",
90 90 
        "description": "Items for all in one resources secrets, configmaps, and downward API"
91 
-@@ -7572,6 +7576,23 @@
92 
-      },
93 
-      "fsType": {
94 
-       "type": "string",
95 
-+      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
96 
-+     }
97 
-+    }
98 
-+   },
91 
+@@ -7576,6 +7580,23 @@
92 
+      }
93 
+     }
94 
+    },
99 95 
 +   "v1.CascadeDiskVolumeSource": {
100 96 
 +    "id": "v1.CascadeDiskVolumeSource",
101 97 
 +    "description": "Represents a Cascade persistent disk resource.",
... ... 
@@ -109,13 +182,18 @@ diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/apps_v1beta2.json ku
109 109 
 +     },
110 110 
 +     "fsType": {
111 111 
 +      "type": "string",
112 
-       "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
113 
-      }
114 
-     }
115 
-diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/batch_v1beta1.json kubernetes/api/swagger-spec/batch_v1beta1.json
116 
-+++ kubernetes/api/swagger-spec/batch_v1beta1.json	2018-05-17 00:03:37.000000000 +0000
117 
-@@ -1878,6 +1878,10 @@
112 
++      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
113 
++     }
114 
++    }
115 
++   },
116 
+    "v1.ProjectedVolumeSource": {
117 
+     "id": "v1.ProjectedVolumeSource",
118 
+     "description": "Represents a projected volume source",
119 
+diff --git a/api/swagger-spec/batch_v1.json b/api/swagger-spec/batch_v1.json
120 
+index b6d6cea..fafdd88 100644
121 
+--- a/api/swagger-spec/batch_v1.json
122 
+@@ -1823,6 +1823,10 @@
118 123 
        "$ref": "v1.PhotonPersistentDiskVolumeSource",
119 124 
        "description": "PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine"
120 125 
       },
... ... 
@@ -126,14 +204,10 @@ diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/batch_v1beta1.json k
126 126 
       "projected": {
127 127 
        "$ref": "v1.ProjectedVolumeSource",
128 128 
        "description": "Items for all in one resources secrets, configmaps, and downward API"
129 
-@@ -2601,6 +2605,23 @@
130 
-      },
131 
-      "fsType": {
132 
-       "type": "string",
133 
-+      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
134 
-+     }
135 
-+    }
136 
-+   },
129 
+@@ -2550,6 +2554,23 @@
130 
+      }
131 
+     }
132 
+    },
137 133 
 +   "v1.CascadeDiskVolumeSource": {
138 134 
 +    "id": "v1.CascadeDiskVolumeSource",
139 135 
 +    "description": "Represents a Cascade persistent disk resource.",
... ... 
@@ -147,13 +221,18 @@ diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/batch_v1beta1.json k
147 147 
 +     },
148 148 
 +     "fsType": {
149 149 
 +      "type": "string",
150 
-       "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
151 
-      }
152 
-     }
153 
-diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/batch_v1.json kubernetes/api/swagger-spec/batch_v1.json
154 
-+++ kubernetes/api/swagger-spec/batch_v1.json	2018-05-17 00:03:37.000000000 +0000
155 
-@@ -1823,6 +1823,10 @@
150 
++      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
151 
++     }
152 
++    }
153 
++   },
154 
+    "v1.ProjectedVolumeSource": {
155 
+     "id": "v1.ProjectedVolumeSource",
156 
+     "description": "Represents a projected volume source",
157 
+diff --git a/api/swagger-spec/batch_v1beta1.json b/api/swagger-spec/batch_v1beta1.json
158 
+index 32cdfc0..a91eca5 100644
159 
+--- a/api/swagger-spec/batch_v1beta1.json
160 
+@@ -1878,6 +1878,10 @@
156 161 
        "$ref": "v1.PhotonPersistentDiskVolumeSource",
157 162 
        "description": "PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine"
158 163 
       },
... ... 
@@ -164,14 +243,10 @@ diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/batch_v1.json kubern
164 164 
       "projected": {
165 165 
        "$ref": "v1.ProjectedVolumeSource",
166 166 
        "description": "Items for all in one resources secrets, configmaps, and downward API"
167 
-@@ -2546,6 +2550,23 @@
168 
-      },
169 
-      "fsType": {
170 
-       "type": "string",
171 
-+      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
172 
-+     }
173 
-+    }
174 
-+   },
167 
+@@ -2605,6 +2609,23 @@
168 
+      }
169 
+     }
170 
+    },
175 171 
 +   "v1.CascadeDiskVolumeSource": {
176 172 
 +    "id": "v1.CascadeDiskVolumeSource",
177 173 
 +    "description": "Represents a Cascade persistent disk resource.",
... ... 
@@ -185,12 +260,17 @@ diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/batch_v1.json kubern
185 185 
 +     },
186 186 
 +     "fsType": {
187 187 
 +      "type": "string",
188 
-       "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
189 
-      }
190 
-     }
191 
-diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/batch_v2alpha1.json kubernetes/api/swagger-spec/batch_v2alpha1.json
192 
-+++ kubernetes/api/swagger-spec/batch_v2alpha1.json	2018-05-17 00:03:37.000000000 +0000
188 
++      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
189 
++     }
190 
++    }
191 
++   },
192 
+    "v1.ProjectedVolumeSource": {
193 
+     "id": "v1.ProjectedVolumeSource",
194 
+     "description": "Represents a projected volume source",
195 
+diff --git a/api/swagger-spec/batch_v2alpha1.json b/api/swagger-spec/batch_v2alpha1.json
196 
+index 57acdbb..7866e56 100644
197 
+--- a/api/swagger-spec/batch_v2alpha1.json
193 198 
 @@ -1893,6 +1893,10 @@
194 199 
       "storageos": {
195 200 
        "$ref": "v1.StorageOSVolumeSource",
... ... 
@@ -226,9 +306,10 @@ diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/batch_v2alpha1.json
226 226 
     "v1.Container": {
227 227 
      "id": "v1.Container",
228 228 
      "description": "A single application container that you want to run within a pod.",
229 
-diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/extensions_v1beta1.json kubernetes/api/swagger-spec/extensions_v1beta1.json
230 
-+++ kubernetes/api/swagger-spec/extensions_v1beta1.json	2018-05-17 00:03:37.000000000 +0000
229 
+diff --git a/api/swagger-spec/extensions_v1beta1.json b/api/swagger-spec/extensions_v1beta1.json
230 
+index 6d2e049..d0c687e 100644
231 
+--- a/api/swagger-spec/extensions_v1beta1.json
231 232 
 @@ -7506,6 +7506,10 @@
232 233 
       "storageos": {
233 234 
        "$ref": "v1.StorageOSVolumeSource",
... ... 
@@ -240,14 +321,10 @@ diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/extensions_v1beta1.j
240 240 
       }
241 241 
      }
242 242 
     },
243 
-@@ -8214,6 +8218,23 @@
244 
-      },
245 
-      "fsType": {
246 
-       "type": "string",
247 
-+      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
248 
-+     }
249 
-+    }
250 
-+   },
243 
+@@ -8218,6 +8222,23 @@
244 
+      }
245 
+     }
246 
+    },
251 247 
 +   "v1.CascadeDiskVolumeSource": {
252 248 
 +    "id": "v1.CascadeDiskVolumeSource",
253 249 
 +    "description": "Represents a Cascade persistent disk resource.",
... ... 
@@ -261,12 +338,17 @@ diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/extensions_v1beta1.j
261 261 
 +     },
262 262 
 +     "fsType": {
263 263 
 +      "type": "string",
264 
-       "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
265 
-      }
266 
-     }
267 
-diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/settings.k8s.io_v1alpha1.json kubernetes/api/swagger-spec/settings.k8s.io_v1alpha1.json
268 
-+++ kubernetes/api/swagger-spec/settings.k8s.io_v1alpha1.json	2018-05-17 00:03:37.000000000 +0000
264 
++      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
265 
++     }
266 
++    }
267 
++   },
268 
+    "v1.ProjectedVolumeSource": {
269 
+     "id": "v1.ProjectedVolumeSource",
270 
+     "description": "Represents a projected volume source",
271 
+diff --git a/api/swagger-spec/settings.k8s.io_v1alpha1.json b/api/swagger-spec/settings.k8s.io_v1alpha1.json
272 
+index d4427ba..5fc467e 100644
273 
+--- a/api/swagger-spec/settings.k8s.io_v1alpha1.json
269 274 
 @@ -1676,6 +1676,10 @@
270 275 
       "storageos": {
271 276 
        "$ref": "v1.StorageOSVolumeSource",
... ... 
@@ -278,14 +360,10 @@ diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/settings.k8s.io_v1al
278 278 
       }
279 279 
      }
280 280 
     },
281 
-@@ -2346,6 +2350,23 @@
282 
-      },
283 
-      "fsType": {
284 
-       "type": "string",
285 
-+      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
286 
-+     }
287 
-+    }
288 
-+   },
281 
+@@ -2350,6 +2354,23 @@
282 
+      }
283 
+     }
284 
+    },
289 285 
 +   "v1.CascadeDiskVolumeSource": {
290 286 
 +    "id": "v1.CascadeDiskVolumeSource",
291 287 
 +    "description": "Represents a Cascade persistent disk resource.",
... ... 
@@ -299,12 +377,17 @@ diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/settings.k8s.io_v1al
299 299 
 +     },
300 300 
 +     "fsType": {
301 301 
 +      "type": "string",
302 
-       "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
303 
-      }
304 
-     }
305 
-diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/v1.json kubernetes/api/swagger-spec/v1.json
306 
-+++ kubernetes/api/swagger-spec/v1.json	2018-05-17 00:03:37.000000000 +0000
302 
++      "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified."
303 
++     }
304 
++    }
305 
++   },
306 
+    "v1.ProjectedVolumeSource": {
307 
+     "id": "v1.ProjectedVolumeSource",
308 
+     "description": "Represents a projected volume source",
309 
+diff --git a/api/swagger-spec/v1.json b/api/swagger-spec/v1.json
310 
+index 3f1198e..6eaf2fa 100644
311 
+--- a/api/swagger-spec/v1.json
307 312 
 @@ -19310,6 +19310,10 @@
308 313 
        "$ref": "v1.PhotonPersistentDiskVolumeSource",
309 314 
        "description": "PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine"
... ... 
@@ -351,10 +434,11 @@ diff -uNr --no-dereference kubernetes-orig/api/swagger-spec/v1.json kubernetes/a
351 351 
       }
352 352 
      }
353 353 
     },
354 
-diff -uNr --no-dereference kubernetes-orig/cmd/kube-controller-manager/app/BUILD kubernetes/cmd/kube-controller-manager/app/BUILD
355 
-+++ kubernetes/cmd/kube-controller-manager/app/BUILD	2018-05-17 00:03:37.000000000 +0000
356 
-@@ -88,6 +88,7 @@
354 
+diff --git a/cmd/kube-controller-manager/app/BUILD b/cmd/kube-controller-manager/app/BUILD
355 
+index a3f98b1..3410214 100644
356 
+--- a/cmd/kube-controller-manager/app/BUILD
357 
+@@ -88,6 +88,7 @@ go_library(
357 358 
          "//pkg/volume/aws_ebs:go_default_library",
358 359 
          "//pkg/volume/azure_dd:go_default_library",
359 360 
          "//pkg/volume/azure_file:go_default_library",
... ... 
@@ -362,10 +446,11 @@ diff -uNr --no-dereference kubernetes-orig/cmd/kube-controller-manager/app/BUILD
362 362 
          "//pkg/volume/cinder:go_default_library",
363 363 
          "//pkg/volume/csi:go_default_library",
364 364 
          "//pkg/volume/fc:go_default_library",
365 
-diff -uNr --no-dereference kubernetes-orig/cmd/kube-controller-manager/app/plugins.go kubernetes/cmd/kube-controller-manager/app/plugins.go
366 
-+++ kubernetes/cmd/kube-controller-manager/app/plugins.go	2018-05-17 00:03:37.000000000 +0000
367 
-@@ -34,6 +34,7 @@
365 
+diff --git a/cmd/kube-controller-manager/app/plugins.go b/cmd/kube-controller-manager/app/plugins.go
366 
+index 42034d5..e729785 100644
367 
+--- a/cmd/kube-controller-manager/app/plugins.go
368 
+@@ -34,6 +34,7 @@ import (
368 369 
  	"k8s.io/kubernetes/pkg/volume/aws_ebs"
369 370 
  	"k8s.io/kubernetes/pkg/volume/azure_dd"
370 371 
  	"k8s.io/kubernetes/pkg/volume/azure_file"
... ... 
@@ -373,7 +458,7 @@ diff -uNr --no-dereference kubernetes-orig/cmd/kube-controller-manager/app/plugi
373 373 
  	"k8s.io/kubernetes/pkg/volume/cinder"
374 374 
  	"k8s.io/kubernetes/pkg/volume/csi"
375 375 
  	"k8s.io/kubernetes/pkg/volume/fc"
376 
-@@ -77,6 +78,7 @@
376 
+@@ -77,6 +78,7 @@ func ProbeAttachableVolumePlugins() []volume.VolumePlugin {
377 377 
  	allPlugins = append(allPlugins, fc.ProbeVolumePlugins()...)
378 378 
  	allPlugins = append(allPlugins, iscsi.ProbeVolumePlugins()...)
379 379 
  	allPlugins = append(allPlugins, rbd.ProbeVolumePlugins()...)
... ... 
@@ -381,7 +466,7 @@ diff -uNr --no-dereference kubernetes-orig/cmd/kube-controller-manager/app/plugi
381 381 
  	if utilfeature.DefaultFeatureGate.Enabled(features.CSIPersistentVolume) {
382 382 
  		allPlugins = append(allPlugins, csi.ProbeVolumePlugins()...)
383 383 
  	}
384 
-@@ -107,6 +109,7 @@
384 
+@@ -107,6 +109,7 @@ func ProbeExpandableVolumePlugins(config componentconfig.VolumeConfiguration) []
385 385 
  	allPlugins = append(allPlugins, scaleio.ProbeVolumePlugins()...)
386 386 
  	allPlugins = append(allPlugins, storageos.ProbeVolumePlugins()...)
387 387 
  	allPlugins = append(allPlugins, fc.ProbeVolumePlugins()...)
... ... 
@@ -389,7 +474,7 @@ diff -uNr --no-dereference kubernetes-orig/cmd/kube-controller-manager/app/plugi
389 389 
  	return allPlugins
390 390 
  }
391 391
392 
-@@ -163,6 +166,7 @@
392 
+@@ -163,6 +166,7 @@ func ProbeControllerVolumePlugins(cloud cloudprovider.Interface, config componen
393 393 
  	allPlugins = append(allPlugins, vsphere_volume.ProbeVolumePlugins()...)
394 394 
  	allPlugins = append(allPlugins, azure_dd.ProbeVolumePlugins()...)
395 395 
  	allPlugins = append(allPlugins, photon_pd.ProbeVolumePlugins()...)
... ... 
@@ -397,10 +482,11 @@ diff -uNr --no-dereference kubernetes-orig/cmd/kube-controller-manager/app/plugi
397 397
398 398 
  	return allPlugins
399 399 
  }
400 
-diff -uNr --no-dereference kubernetes-orig/cmd/kubelet/app/BUILD kubernetes/cmd/kubelet/app/BUILD
401 
-+++ kubernetes/cmd/kubelet/app/BUILD	2018-05-17 00:03:37.000000000 +0000
402 
-@@ -117,6 +117,7 @@
400 
+diff --git a/cmd/kubelet/app/BUILD b/cmd/kubelet/app/BUILD
401 
+index cbfb90f..6264d0c 100644
402 
+--- a/cmd/kubelet/app/BUILD
403 
+@@ -117,6 +117,7 @@ go_library(
403 404 
          "//pkg/volume/aws_ebs:go_default_library",
404 405 
          "//pkg/volume/azure_dd:go_default_library",
405 406 
          "//pkg/volume/azure_file:go_default_library",
... ... 
@@ -408,10 +494,11 @@ diff -uNr --no-dereference kubernetes-orig/cmd/kubelet/app/BUILD kubernetes/cmd/
408 408 
          "//pkg/volume/cephfs:go_default_library",
409 409 
          "//pkg/volume/cinder:go_default_library",
410 410 
          "//pkg/volume/configmap:go_default_library",
411 
-diff -uNr --no-dereference kubernetes-orig/cmd/kubelet/app/plugins.go kubernetes/cmd/kubelet/app/plugins.go
412 
-+++ kubernetes/cmd/kubelet/app/plugins.go	2018-05-17 00:03:37.000000000 +0000
413 
-@@ -32,6 +32,7 @@
411 
+diff --git a/cmd/kubelet/app/plugins.go b/cmd/kubelet/app/plugins.go
412 
+index ef41bb8..c9806f7 100644
413 
+--- a/cmd/kubelet/app/plugins.go
414 
+@@ -32,6 +32,7 @@ import (
414 415 
  	"k8s.io/kubernetes/pkg/volume/aws_ebs"
415 416 
  	"k8s.io/kubernetes/pkg/volume/azure_dd"
416 417 
  	"k8s.io/kubernetes/pkg/volume/azure_file"
... ... 
@@ -419,7 +506,7 @@ diff -uNr --no-dereference kubernetes-orig/cmd/kubelet/app/plugins.go kubernetes
419 419 
  	"k8s.io/kubernetes/pkg/volume/cephfs"
420 420 
  	"k8s.io/kubernetes/pkg/volume/cinder"
421 421 
  	"k8s.io/kubernetes/pkg/volume/configmap"
422 
-@@ -100,6 +101,7 @@
422 
+@@ -100,6 +101,7 @@ func ProbeVolumePlugins() []volume.VolumePlugin {
423 423 
  	allPlugins = append(allPlugins, scaleio.ProbeVolumePlugins()...)
424 424 
  	allPlugins = append(allPlugins, local.ProbeVolumePlugins()...)
425 425 
  	allPlugins = append(allPlugins, storageos.ProbeVolumePlugins()...)
... ... 
@@ -427,10 +514,11 @@ diff -uNr --no-dereference kubernetes-orig/cmd/kubelet/app/plugins.go kubernetes
427 427 
  	if utilfeature.DefaultFeatureGate.Enabled(features.CSIPersistentVolume) {
428 428 
  		allPlugins = append(allPlugins, csi.ProbeVolumePlugins()...)
429 429 
  	}
430 
-diff -uNr --no-dereference kubernetes-orig/pkg/apis/core/types.go kubernetes/pkg/apis/core/types.go
431 
-+++ kubernetes/pkg/apis/core/types.go	2018-05-17 00:03:37.000000000 +0000
432 
-@@ -316,6 +316,8 @@
430 
+diff --git a/pkg/apis/core/types.go b/pkg/apis/core/types.go
431 
+index 8b183de..cfe4c85 100644
432 
+--- a/pkg/apis/core/types.go
433 
+@@ -316,6 +316,8 @@ type VolumeSource struct {
433 434 
  	// StorageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod
434 435 
  	// +optional
435 436 
  	StorageOS *StorageOSVolumeSource
... ... 
@@ -439,7 +527,7 @@ diff -uNr --no-dereference kubernetes-orig/pkg/apis/core/types.go kubernetes/pkg
439 439 
  }
440 440
441 441 
  // Similar to VolumeSource but meant for the administrator who creates PVs.
442 
-@@ -394,6 +396,8 @@
442 
+@@ -394,6 +396,8 @@ type PersistentVolumeSource struct {
443 443 
  	// CSI (Container Storage Interface) represents storage that handled by an external CSI driver (Beta feature).
444 444 
  	// +optional
445 445 
  	CSI *CSIPersistentVolumeSource
... ... 
@@ -448,7 +536,7 @@ diff -uNr --no-dereference kubernetes-orig/pkg/apis/core/types.go kubernetes/pkg
448 448 
  }
449 449
450 450 
  type PersistentVolumeClaimVolumeSource struct {
451 
-@@ -1510,6 +1514,16 @@
451 
+@@ -1510,6 +1514,16 @@ type StorageOSPersistentVolumeSource struct {
452 452 
  	SecretRef *ObjectReference
453 453 
  }
454 454
... ... 
@@ -465,10 +553,11 @@ diff -uNr --no-dereference kubernetes-orig/pkg/apis/core/types.go kubernetes/pkg
465 465 
  // Adapts a ConfigMap into a volume.
466 466 
  //
467 467 
  // The contents of the target ConfigMap's Data field will be presented in a
468 
-diff -uNr --no-dereference kubernetes-orig/pkg/apis/core/validation/validation.go kubernetes/pkg/apis/core/validation/validation.go
469 
-+++ kubernetes/pkg/apis/core/validation/validation.go	2018-05-17 00:03:37.000000000 +0000
470 
-@@ -664,6 +664,14 @@
468 
+diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go
469 
+index b66fd6f..7f0e6bd 100644
470 
+--- a/pkg/apis/core/validation/validation.go
471 
+@@ -664,6 +664,14 @@ func validateVolumeSource(source *core.VolumeSource, fldPath *field.Path, volNam
471 472 
  			allErrs = append(allErrs, validateScaleIOVolumeSource(source.ScaleIO, fldPath.Child("scaleIO"))...)
472 473 
  		}
473 474 
  	}
... ... 
@@ -483,7 +572,7 @@ diff -uNr --no-dereference kubernetes-orig/pkg/apis/core/validation/validation.g
483 483
484 484 
  	if numVolumes == 0 {
485 485 
  		allErrs = append(allErrs, field.Required(fldPath, "must specify a volume type"))
486 
-@@ -1494,6 +1502,14 @@
486 
+@@ -1494,6 +1502,14 @@ func validateCSIPersistentVolumeSource(csi *core.CSIPersistentVolumeSource, fldP
487 487 
  	return allErrs
488 488 
  }
489 489
... ... 
@@ -498,7 +587,7 @@ diff -uNr --no-dereference kubernetes-orig/pkg/apis/core/validation/validation.g
498 498 
  // ValidatePersistentVolumeName checks that a name is appropriate for a
499 499 
  // PersistentVolumeName object.
500 500 
  var ValidatePersistentVolumeName = NameIsDNSSubdomain
501 
-@@ -1737,6 +1753,15 @@
501 
+@@ -1737,6 +1753,15 @@ func ValidatePersistentVolume(pv *core.PersistentVolume) field.ErrorList {
502 502 
  		}
503 503 
  	}
504 504
... ... 
@@ -514,7 +603,7 @@ diff -uNr --no-dereference kubernetes-orig/pkg/apis/core/validation/validation.g
514 514 
  	if numVolumes == 0 {
515 515 
  		allErrs = append(allErrs, field.Required(specPath, "must specify a volume type"))
516 516 
  	}
517 
-@@ -4370,7 +4395,7 @@
517 
+@@ -4370,7 +4395,7 @@ func ValidateSecret(secret *core.Secret) field.ErrorList {
518 518 
  			allErrs = append(allErrs, field.Required(field.NewPath("metadata", "annotations").Key(core.ServiceAccountNameKey), ""))
519 519 
  		}
520 520 
  	case core.SecretTypeOpaque, "":
... ... 
@@ -523,7 +612,7 @@ diff -uNr --no-dereference kubernetes-orig/pkg/apis/core/validation/validation.g
523 523 
  	case core.SecretTypeDockercfg:
524 524 
  		dockercfgBytes, exists := secret.Data[core.DockerConfigKey]
525 525 
  		if !exists {
526 
-@@ -4416,7 +4441,7 @@
526 
+@@ -4416,7 +4441,7 @@ func ValidateSecret(secret *core.Secret) field.ErrorList {
527 527 
  		if _, exists := secret.Data[core.TLSPrivateKeyKey]; !exists {
528 528 
  			allErrs = append(allErrs, field.Required(dataPath.Key(core.TLSPrivateKeyKey), ""))
529 529 
  		}
... ... 
@@ -532,10 +621,11 @@ diff -uNr --no-dereference kubernetes-orig/pkg/apis/core/validation/validation.g
532 532 
  	default:
533 533 
  		// no-op
534 534 
  	}
535 
-diff -uNr --no-dereference kubernetes-orig/pkg/apis/extensions/types.go kubernetes/pkg/apis/extensions/types.go
536 
-+++ kubernetes/pkg/apis/extensions/types.go	2018-05-17 00:03:37.000000000 +0000
537 
-@@ -925,6 +925,7 @@
535 
+diff --git a/pkg/apis/extensions/types.go b/pkg/apis/extensions/types.go
536 
+index e369728..a5406ab 100644
537 
+--- a/pkg/apis/extensions/types.go
538 
+@@ -925,6 +925,7 @@ var (
538 539 
  	PortworxVolume        FSType = "portworxVolume"
539 540 
  	ScaleIO               FSType = "scaleIO"
540 541 
  	CSI                   FSType = "csi"
... ... 
@@ -543,10 +633,11 @@ diff -uNr --no-dereference kubernetes-orig/pkg/apis/extensions/types.go kubernet
543 543 
  	All                   FSType = "*"
544 544 
  )
545 545
546 
-diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/BUILD kubernetes/pkg/cloudprovider/providers/BUILD
547 
-+++ kubernetes/pkg/cloudprovider/providers/BUILD	2018-05-17 00:03:37.000000000 +0000
548 
-@@ -12,6 +12,7 @@
546 
+diff --git a/pkg/cloudprovider/providers/BUILD b/pkg/cloudprovider/providers/BUILD
547 
+index aeccfa1..4313576 100644
548 
+--- a/pkg/cloudprovider/providers/BUILD
549 
+@@ -12,6 +12,7 @@ go_library(
549 550 
      deps = [
550 551 
          "//pkg/cloudprovider/providers/aws:go_default_library",
551 552 
          "//pkg/cloudprovider/providers/azure:go_default_library",
... ... 
@@ -554,7 +645,7 @@ diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/BUILD kub
554 554 
          "//pkg/cloudprovider/providers/cloudstack:go_default_library",
555 555 
          "//pkg/cloudprovider/providers/gce:go_default_library",
556 556 
          "//pkg/cloudprovider/providers/openstack:go_default_library",
557 
-@@ -34,6 +35,7 @@
557 
+@@ -34,6 +35,7 @@ filegroup(
558 558 
          ":package-srcs",
559 559 
          "//pkg/cloudprovider/providers/aws:all-srcs",
560 560 
          "//pkg/cloudprovider/providers/azure:all-srcs",
... ... 
@@ -562,9 +653,70 @@ diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/BUILD kub
562 562 
          "//pkg/cloudprovider/providers/cloudstack:all-srcs",
563 563 
          "//pkg/cloudprovider/providers/fake:all-srcs",
564 564 
          "//pkg/cloudprovider/providers/gce:all-srcs",
565 
-diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/cascade/apitypes.go kubernetes/pkg/cloudprovider/providers/cascade/apitypes.go
566 
-+++ kubernetes/pkg/cloudprovider/providers/cascade/apitypes.go	2018-05-17 00:03:37.000000000 +0000
565 
+diff --git a/pkg/cloudprovider/providers/cascade/BUILD b/pkg/cloudprovider/providers/cascade/BUILD
566 
+new file mode 100644
567 
+index 0000000..1ff2ad1
568 
+--- /dev/null
569 
+@@ -0,0 +1,44 @@
570 
++package(default_visibility = ["//visibility:public"])
571 
++
572 
++load(
573 
++    "@io_bazel_rules_go//go:def.bzl",
574 
++    "go_library",
575 
++)
576 
++
577 
++go_library(
578 
++    name = "go_default_library",
579 
++    srcs = [
580 
++        "apitypes.go",
581 
++        "auth.go",
582 
++        "cascade.go",
583 
++        "cascade_disks.go",
584 
++        "cascade_instances.go",
585 
++        "cascade_loadbalancer.go",
586 
++        "client.go",
587 
++        "oidcclient.go",
588 
++        "restclient.go",
589 
++        "utils.go"
590 
++        ],
591 
++    deps = [
592 
++        "//pkg/api/v1/helper:go_default_library",
593 
++        "//pkg/cloudprovider:go_default_library",
594 
++        "//pkg/controller:go_default_library",
595 
++        "//vendor/github.com/golang/glog:go_default_library",
596 
++        "//vendor/gopkg.in/gcfg.v1:go_default_library",
597 
++        "//vendor/k8s.io/api/core/v1:go_default_library",
598 
++        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
599 
++    ],
600 
++)
601 
++
602 
++filegroup(
603 
++    name = "package-srcs",
604 
++    srcs = glob(["**"]),
605 
++    tags = ["automanaged"],
606 
++    visibility = ["//visibility:private"],
607 
++)
608 
++
609 
++filegroup(
610 
++    name = "all-srcs",
611 
++    srcs = [":package-srcs"],
612 
++    tags = ["automanaged"],
613 
++)
614 
+diff --git a/pkg/cloudprovider/providers/cascade/OWNERS b/pkg/cloudprovider/providers/cascade/OWNERS
615 
+new file mode 100644
616 
+index 0000000..70efc9d
617 
+--- /dev/null
618 
+@@ -0,0 +1,3 @@
619 
++maintainers:
620 
++- ashokc
621 
++- ysheng
622 
+diff --git a/pkg/cloudprovider/providers/cascade/apitypes.go b/pkg/cloudprovider/providers/cascade/apitypes.go
623 
+new file mode 100644
624 
+index 0000000..4a94068
625 
+--- /dev/null
567 626 
 @@ -0,0 +1,227 @@
568 627 
 +package cascade
569 628 
 +
... ... 
@@ -793,9 +945,11 @@ diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/cascade/a
793 793 
 +type LoadBalancerVMUpdate struct {
794 794 
 +	VMIds []*LoadBalancerVM `json:"vmIds"`
795 795 
 +}
796 
-diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/cascade/auth.go kubernetes/pkg/cloudprovider/providers/cascade/auth.go
797 
-+++ kubernetes/pkg/cloudprovider/providers/cascade/auth.go	2018-05-17 00:03:37.000000000 +0000
796 
+diff --git a/pkg/cloudprovider/providers/cascade/auth.go b/pkg/cloudprovider/providers/cascade/auth.go
797 
+new file mode 100644
798 
+index 0000000..fc92377
799 
+--- /dev/null
798 800 
 @@ -0,0 +1,145 @@
799 801 
 +package cascade
800 802 
 +
... ... 
@@ -943,57 +1097,229 @@ diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/cascade/a
943 943 
 +	return pwd, nil
944 944 
 +}
945 945 
 \ No newline at end of file
946 
-diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/cascade/BUILD kubernetes/pkg/cloudprovider/providers/cascade/BUILD
947 
-+++ kubernetes/pkg/cloudprovider/providers/cascade/BUILD	2018-05-17 00:03:37.000000000 +0000
948 
-@@ -0,0 +1,44 @@
949 
-+package(default_visibility = ["//visibility:public"])
946 
+diff --git a/pkg/cloudprovider/providers/cascade/cascade.go b/pkg/cloudprovider/providers/cascade/cascade.go
947 
+new file mode 100644
948 
+index 0000000..5901c58
949 
+--- /dev/null
950 
+@@ -0,0 +1,212 @@
951 
++// The use of Cascade cloud provider requires the kubelet, kube-apiserver, and kube-controller-manager to be started
952 
++// with config flag: '--cloud-provider=cascade --cloud-config=[path_to_config_file]'.
953 
++package cascade
950 954 
 +
951 
-+load(
952 
-+    "@io_bazel_rules_go//go:def.bzl",
953 
-+    "go_library",
955 
++import (
956 
++	"context"
957 
++	"errors"
958 
++	"fmt"
959 
++	"github.com/golang/glog"
960 
++	"gopkg.in/gcfg.v1"
961 
++	"io"
962 
++	k8stypes "k8s.io/apimachinery/pkg/types"
963 
++	"k8s.io/kubernetes/pkg/cloudprovider"
964 
++	"k8s.io/kubernetes/pkg/controller"
965 
++	"os"
966 
++	"strings"
954 967 
 +)
955 968 
 +
956 
-+go_library(
957 
-+    name = "go_default_library",
958 
-+    srcs = [
959 
-+        "apitypes.go",
960 
-+        "auth.go",
961 
-+        "cascade.go",
962 
-+        "cascade_disks.go",
963 
-+        "cascade_instances.go",
964 
-+        "cascade_loadbalancer.go",
965 
-+        "client.go",
966 
-+        "oidcclient.go",
967 
-+        "restclient.go",
968 
-+        "utils.go"
969 
-+        ],
970 
-+    deps = [
971 
-+        "//pkg/api/v1/helper:go_default_library",
972 
-+        "//pkg/cloudprovider:go_default_library",
973 
-+        "//pkg/controller:go_default_library",
974 
-+        "//vendor/github.com/golang/glog:go_default_library",
975 
-+        "//vendor/gopkg.in/gcfg.v1:go_default_library",
976 
-+        "//vendor/k8s.io/api/core/v1:go_default_library",
977 
-+        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
978 
-+    ],
969 
++const (
970 
++	ProviderName = "cascade"
971 
++	DiskSpecKind = "persistent-disk"
972 
++	MasterPrefix = "master"
979 973 
 +)
980 974 
 +
981 
-+filegroup(
982 
-+    name = "package-srcs",
983 
-+    srcs = glob(["**"]),
984 
-+    tags = ["automanaged"],
985 
-+    visibility = ["//visibility:private"],
986 
-+)
975 
++// CascadeCloud is an implementation of the cloud provider interface for Cascade Controller.
976 
++type CascadeCloud struct {
977 
++	cfg *CascadeConfig
978 
++	// Authentication client to get token for Cascade API calls
979 
++	authClient *AuthClient
980 
++	// API Client to make Cascade API calls
981 
++	apiClient *Client
982 
++	// local $HOSTNAME
983 
++	localHostname string
984 
++	// hostname from K8S, could be overridden
985 
++	localK8sHostname string
986 
++}
987 987 
 +
988 
-+filegroup(
989 
-+    name = "all-srcs",
990 
-+    srcs = [":package-srcs"],
991 
-+    tags = ["automanaged"],
992 
-+)
993 
-diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/cascade/cascade_disks.go kubernetes/pkg/cloudprovider/providers/cascade/cascade_disks.go
994 
-+++ kubernetes/pkg/cloudprovider/providers/cascade/cascade_disks.go	2018-05-17 00:03:37.000000000 +0000
988 
++// CascadeCloud represents Cascade cloud provider's configuration.
989 
++type CascadeConfig struct {
990 
++	Global struct {
991 
++		// the Cascade Controller endpoint
992 
++		CloudTarget string `gcfg:"target"`
993 
++		// Cascade Controller tenantName name
994 
++		TenantName string `gcfg:"tenantName"`
995 
++		// Cascade Controller cluster ID
996 
++		ClusterID string `gcfg:"clusterID"`
997 
++		// Authentication server endpoint for Cascade Controller
998 
++		AuthEndpoint string `gcfg:"authEndpoint"`
999 
++		// Lightwave domain name for the node
1000 
++		DomainName string `gcfg:"domainName"`
1001 
++		// DNS name of the node.
1002 
++		DNSName string `gcfg:"dnsName"`
1003 
++		// Region in which the cluster is in
1004 
++		Region string `gcfg:"region"`
1005 
++		// Availability zone in which the cluster is in
1006 
++		Zone string `gcfg:"zone"`
1007 
++	}
1008 
++}
1009 
++
1010 
++// Disks is interface for manipulation with Cascade Controller Persistent Disks.
1011 
++type Disks interface {
1012 
++	// AttachDisk attaches given disk to given node. Current node
1013 
++	// is used when nodeName is empty string.
1014 
++	AttachDisk(diskID string, nodeName k8stypes.NodeName) (string, error)
1015 
++
1016 
++	// DetachDisk detaches given disk to given node. Current node
1017 
++	// is used when nodeName is empty string.
1018 
++	DetachDisk(diskID string, nodeName k8stypes.NodeName) error
1019 
++
1020 
++	// DiskIsAttached checks if a disk is attached to the given node.
1021 
++	DiskIsAttached(diskID string, nodeName k8stypes.NodeName) (bool, error)
1022 
++
1023 
++	// DisksAreAttached is a batch function to check if a list of disks are attached
1024 
++	// to the node with the specified NodeName.
1025 
++	DisksAreAttached(diskID []string, nodeName k8stypes.NodeName) (map[string]bool, error)
1026 
++
1027 
++	// CreateDisk creates a new PD with given properties.
1028 
++	CreateDisk(volumeOptions *VolumeOptions) (diskID string, err error)
1029 
++
1030 
++	// DeleteDisk deletes PD.
1031 
++	DeleteDisk(diskID string) error
1032 
++
1033 
++	// Get labels to apply to volume on creation.
1034 
++	GetVolumeLabels(diskID string) (map[string]string, error)
1035 
++}
1036 
++
1037 
++// VolumeOptions specifies capacity, tags, name and flavorID for a volume.
1038 
++type VolumeOptions struct {
1039 
++	CapacityGB int
1040 
++	Tags       map[string]string
1041 
++	Name       string
1042 
++	Flavor     string
1043 
++}
1044 
++
1045 
++func readConfig(config io.Reader) (*CascadeConfig, error) {
1046 
++	if config == nil {
1047 
++		err := fmt.Errorf("Cascade Cloud Provider: config file is missing. Please restart with " +
1048 
++			"--cloud-provider=cascade --cloud-config=[path_to_config_file]")
1049 
++		return nil, err
1050 
++	}
1051 
++
1052 
++	var cfg CascadeConfig
1053 
++	err := gcfg.ReadInto(&cfg, config)
1054 
++	return &cfg, err
1055 
++}
1056 
++
1057 
++func init() {
1058 
++	cloudprovider.RegisterCloudProvider(ProviderName, func(config io.Reader) (cloudprovider.Interface, error) {
1059 
++		cfg, err := readConfig(config)
1060 
++		if err != nil {
1061 
++			glog.Errorf("Cascade Cloud Provider: failed to read in cloud provider config file. Error[%v]", err)
1062 
++			return nil, err
1063 
++		}
1064 
++		return newCascadeCloud(cfg)
1065 
++	})
1066 
++}
1067 
++
1068 
++func newCascadeCloud(cfg *CascadeConfig) (*CascadeCloud, error) {
1069 
++	if len(cfg.Global.CloudTarget) == 0 {
1070 
++		return nil, fmt.Errorf("Cascade Controller endpoint was not specified.")
1071 
++	}
1072 
++
1073 
++	// Get local hostname
1074 
++	hostname, err := os.Hostname()
1075 
++	if err != nil {
1076 
++		glog.Errorf("Cascade Cloud Provider: get hostname failed. Error[%v]", err)
1077 
++		return nil, err
1078 
++	}
1079 
++
1080 
++	cc := CascadeCloud{
1081 
++		cfg:              cfg,
1082 
++		localHostname:    hostname,
1083 
++		localK8sHostname: "",
1084 
++	}
1085 
++
1086 
++	// Instantiate the auth and API clients only on the master nodes. Kubelets running on the workers don't need them as
1087 
++	// they are used primarily for making API calls to Cascade.
1088 
++	if strings.HasPrefix(hostname, MasterPrefix) {
1089 
++		if cc.authClient, err = NewAuthClient(cfg); err != nil {
1090 
++			return nil, err
1091 
++		}
1092 
++
1093 
++		if cc.apiClient, err = NewClient(cfg, cc.authClient); err != nil {
1094 
++			return nil, err
1095 
++		}
1096 
++	}
1097 
++
1098 
++	return &cc, nil
1099 
++}
1100 
++
1101 
++// Initialize passes a Kubernetes clientBuilder interface to the cloud provider
1102 
++func (cc *CascadeCloud) Initialize(clientBuilder controller.ControllerClientBuilder) {}
1103 
++
1104 
++// Instances returns an implementation of Instances for Cascade Controller.
1105 
++func (cc *CascadeCloud) Instances() (cloudprovider.Instances, bool) {
1106 
++	return cc, true
1107 
++}
1108 
++
1109 
++func (cc *CascadeCloud) Clusters() (cloudprovider.Clusters, bool) {
1110 
++	return nil, true
1111 
++}
1112 
++
1113 
++// ProviderName returns the cloud provider ID.
1114 
++func (cc *CascadeCloud) ProviderName() string {
1115 
++	return ProviderName
1116 
++}
1117 
++
1118 
++// LoadBalancer returns an implementation of LoadBalancer for Cascade Controller.
1119 
++func (cc *CascadeCloud) LoadBalancer() (cloudprovider.LoadBalancer, bool) {
1120 
++	return cc, true
1121 
++}
1122 
++
1123 
++// Zones returns an implementation of Zones for Cascade Controller.
1124 
++func (cc *CascadeCloud) Zones() (cloudprovider.Zones, bool) {
1125 
++	return cc, true
1126 
++}
1127 
++
1128 
++func (cc *CascadeCloud) GetZone(ctx context.Context) (cloudprovider.Zone, error) {
1129 
++	return cloudprovider.Zone{
1130 
++		Region:        cc.cfg.Global.Region,
1131 
++		FailureDomain: cc.cfg.Global.Zone,
1132 
++	}, nil
1133 
++}
1134 
++
1135 
++// GetZoneByProviderID implements Zones.GetZoneByProviderID
1136 
++// This is particularly useful in external cloud providers where the kubelet
1137 
++// does not initialize node data.
1138 
++func (cc *CascadeCloud) GetZoneByProviderID(ctx context.Context, providerID string) (cloudprovider.Zone, error) {
1139 
++	return cloudprovider.Zone{}, errors.New("unimplemented")
1140 
++}
1141 
++
1142 
++// GetZoneByNodeName implements Zones.GetZoneByNodeName
1143 
++// This is particularly useful in external cloud providers where the kubelet
1144 
++// does not initialize node data.
1145 
++func (cc *CascadeCloud) GetZoneByNodeName(ctx context.Context, nodeName k8stypes.NodeName) (cloudprovider.Zone, error) {
1146 
++	return cloudprovider.Zone{}, errors.New("unimeplemented")
1147 
++}
1148 
++
1149 
++// Routes returns a false since the interface is not supported for Cascade controller.
1150 
++func (cc *CascadeCloud) Routes() (cloudprovider.Routes, bool) {
1151 
++	return nil, false
1152 
++}
1153 
++
1154 
++// ScrubDNS filters DNS settings for pods.
1155 
++func (cc *CascadeCloud) ScrubDNS(nameservers, searches []string) (nsOut, srchOut []string) {
1156 
++	return nameservers, searches
1157 
++}
1158 
++
1159 
++// HasClusterID returns true if the cluster has a clusterID
1160 
++func (cc *CascadeCloud) HasClusterID() bool {
1161 
++	return true
1162 
++}
1163 
+diff --git a/pkg/cloudprovider/providers/cascade/cascade_disks.go b/pkg/cloudprovider/providers/cascade/cascade_disks.go
1164 
+new file mode 100644
1165 
+index 0000000..7e43846
1166 
+--- /dev/null
995 1167 
 @@ -0,0 +1,227 @@
996 1168 
 +package cascade
997 1169 
 +
... ... 
@@ -1222,225 +1548,11 @@ diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/cascade/c
1222 1222 
 +
1223 1223 
 +	return labels, nil
1224 1224 
 +}
1225 
-diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/cascade/cascade.go kubernetes/pkg/cloudprovider/providers/cascade/cascade.go
1226 
-+++ kubernetes/pkg/cloudprovider/providers/cascade/cascade.go	2018-05-17 00:03:37.000000000 +0000
1227 
-@@ -0,0 +1,212 @@
1228 
-+// The use of Cascade cloud provider requires the kubelet, kube-apiserver, and kube-controller-manager to be started
1229 
-+// with config flag: '--cloud-provider=cascade --cloud-config=[path_to_config_file]'.
1230 
-+package cascade
1231 
-+
1232 
-+import (
1233 
-+	"context"
1234 
-+	"errors"
1235 
-+	"fmt"
1236 
-+	"github.com/golang/glog"
1237 
-+	"gopkg.in/gcfg.v1"
1238 
-+	"io"
1239 
-+	k8stypes "k8s.io/apimachinery/pkg/types"
1240 
-+	"k8s.io/kubernetes/pkg/cloudprovider"
1241 
-+	"k8s.io/kubernetes/pkg/controller"
1242 
-+	"os"
1243 
-+	"strings"
1244 
-+)
1245 
-+
1246 
-+const (
1247 
-+	ProviderName = "cascade"
1248 
-+	DiskSpecKind = "persistent-disk"
1249 
-+	MasterPrefix = "master"
1250 
-+)
1251 
-+
1252 
-+// CascadeCloud is an implementation of the cloud provider interface for Cascade Controller.
1253 
-+type CascadeCloud struct {
1254 
-+	cfg *CascadeConfig
1255 
-+	// Authentication client to get token for Cascade API calls
1256 
-+	authClient *AuthClient
1257 
-+	// API Client to make Cascade API calls
1258 
-+	apiClient *Client
1259 
-+	// local $HOSTNAME
1260 
-+	localHostname string
1261 
-+	// hostname from K8S, could be overridden
1262 
-+	localK8sHostname string
1263 
-+}
1264 
-+
1265 
-+// CascadeCloud represents Cascade cloud provider's configuration.
1266 
-+type CascadeConfig struct {
1267 
-+	Global struct {
1268 
-+		// the Cascade Controller endpoint
1269 
-+		CloudTarget string `gcfg:"target"`
1270 
-+		// Cascade Controller tenantName name
1271 
-+		TenantName string `gcfg:"tenantName"`
1272 
-+		// Cascade Controller cluster ID
1273 
-+		ClusterID string `gcfg:"clusterID"`
1274 
-+		// Authentication server endpoint for Cascade Controller
1275 
-+		AuthEndpoint string `gcfg:"authEndpoint"`
1276 
-+		// Lightwave domain name for the node
1277 
-+		DomainName string `gcfg:"domainName"`
1278 
-+		// DNS name of the node.
1279 
-+		DNSName string `gcfg:"dnsName"`
1280 
-+		// Region in which the cluster is in
1281 
-+		Region string `gcfg:"region"`
1282 
-+		// Availability zone in which the cluster is in
1283 
-+		Zone string `gcfg:"zone"`
1284 
-+	}
1285 
-+}
1286 
-+
1287 
-+// Disks is interface for manipulation with Cascade Controller Persistent Disks.
1288 
-+type Disks interface {
1289 
-+	// AttachDisk attaches given disk to given node. Current node
1290 
-+	// is used when nodeName is empty string.
1291 
-+	AttachDisk(diskID string, nodeName k8stypes.NodeName) (string, error)
1292 
-+
1293 
-+	// DetachDisk detaches given disk to given node. Current node
1294 
-+	// is used when nodeName is empty string.
1295 
-+	DetachDisk(diskID string, nodeName k8stypes.NodeName) error
1296 
-+
1297 
-+	// DiskIsAttached checks if a disk is attached to the given node.
1298 
-+	DiskIsAttached(diskID string, nodeName k8stypes.NodeName) (bool, error)
1299 
-+
1300 
-+	// DisksAreAttached is a batch function to check if a list of disks are attached
1301 
-+	// to the node with the specified NodeName.
1302 
-+	DisksAreAttached(diskID []string, nodeName k8stypes.NodeName) (map[string]bool, error)
1303 
-+
1304 
-+	// CreateDisk creates a new PD with given properties.
1305 
-+	CreateDisk(volumeOptions *VolumeOptions) (diskID string, err error)
1306 
-+
1307 
-+	// DeleteDisk deletes PD.
1308 
-+	DeleteDisk(diskID string) error
1309 
-+
1310 
-+	// Get labels to apply to volume on creation.
1311 
-+	GetVolumeLabels(diskID string) (map[string]string, error)
1312 
-+}
1313 
-+
1314 
-+// VolumeOptions specifies capacity, tags, name and flavorID for a volume.
1315 
-+type VolumeOptions struct {
1316 
-+	CapacityGB int
1317 
-+	Tags       map[string]string
1318 
-+	Name       string
1319 
-+	Flavor     string
1320 
-+}
1321 
-+
1322 
-+func readConfig(config io.Reader) (*CascadeConfig, error) {
1323 
-+	if config == nil {
1324 
-+		err := fmt.Errorf("Cascade Cloud Provider: config file is missing. Please restart with " +
1325 
-+			"--cloud-provider=cascade --cloud-config=[path_to_config_file]")
1326 
-+		return nil, err
1327 
-+	}
1328 
-+
1329 
-+	var cfg CascadeConfig
1330 
-+	err := gcfg.ReadInto(&cfg, config)
1331 
-+	return &cfg, err
1332 
-+}
1333 
-+
1334 
-+func init() {
1335 
-+	cloudprovider.RegisterCloudProvider(ProviderName, func(config io.Reader) (cloudprovider.Interface, error) {
1336 
-+		cfg, err := readConfig(config)
1337 
-+		if err != nil {
1338 
-+			glog.Errorf("Cascade Cloud Provider: failed to read in cloud provider config file. Error[%v]", err)
1339 
-+			return nil, err
1340 
-+		}
1341 
-+		return newCascadeCloud(cfg)
1342 
-+	})
1343 
-+}
1344 
-+
1345 
-+func newCascadeCloud(cfg *CascadeConfig) (*CascadeCloud, error) {
1346 
-+	if len(cfg.Global.CloudTarget) == 0 {
1347 
-+		return nil, fmt.Errorf("Cascade Controller endpoint was not specified.")
1348 
-+	}
1349 
-+
1350 
-+	// Get local hostname
1351 
-+	hostname, err := os.Hostname()
1352 
-+	if err != nil {
1353 
-+		glog.Errorf("Cascade Cloud Provider: get hostname failed. Error[%v]", err)
1354 
-+		return nil, err
1355 
-+	}
1356 
-+
1357 
-+	cc := CascadeCloud{
1358 
-+		cfg:              cfg,
1359 
-+		localHostname:    hostname,
1360 
-+		localK8sHostname: "",
1361 
-+	}
1362 
-+
1363 
-+	// Instantiate the auth and API clients only on the master nodes. Kubelets running on the workers don't need them as
1364 
-+	// they are used primarily for making API calls to Cascade.
1365 
-+	if strings.HasPrefix(hostname, MasterPrefix) {
1366 
-+		if cc.authClient, err = NewAuthClient(cfg); err != nil {
1367 
-+			return nil, err
1368 
-+		}
1369 
-+
1370 
-+		if cc.apiClient, err = NewClient(cfg, cc.authClient); err != nil {
1371 
-+			return nil, err
1372 
-+		}
1373 
-+	}
1374 
-+
1375 
-+	return &cc, nil
1376 
-+}
1377 
-+
1378 
-+// Initialize passes a Kubernetes clientBuilder interface to the cloud provider
1379 
-+func (cc *CascadeCloud) Initialize(clientBuilder controller.ControllerClientBuilder) {}
1380 
-+
1381 
-+// Instances returns an implementation of Instances for Cascade Controller.
1382 
-+func (cc *CascadeCloud) Instances() (cloudprovider.Instances, bool) {
1383 
-+	return cc, true
1384 
-+}
1385 
-+
1386 
-+func (cc *CascadeCloud) Clusters() (cloudprovider.Clusters, bool) {
1387 
-+	return nil, true
1388 
-+}
1389 
-+
1390 
-+// ProviderName returns the cloud provider ID.
1391 
-+func (cc *CascadeCloud) ProviderName() string {
1392 
-+	return ProviderName
1393 
-+}
1394 
-+
1395 
-+// LoadBalancer returns an implementation of LoadBalancer for Cascade Controller.
1396 
-+func (cc *CascadeCloud) LoadBalancer() (cloudprovider.LoadBalancer, bool) {
1397 
-+	return cc, true
1398 
-+}
1399 
-+
1400 
-+// Zones returns an implementation of Zones for Cascade Controller.
1401 
-+func (cc *CascadeCloud) Zones() (cloudprovider.Zones, bool) {
1402 
-+	return cc, true
1403 
-+}
1404 
-+
1405 
-+func (cc *CascadeCloud) GetZone(ctx context.Context) (cloudprovider.Zone, error) {
1406 
-+	return cloudprovider.Zone{
1407 
-+		Region:        cc.cfg.Global.Region,
1408 
-+		FailureDomain: cc.cfg.Global.Zone,
1409 
-+	}, nil
1410 
-+}
1411 
-+
1412 
-+// GetZoneByProviderID implements Zones.GetZoneByProviderID
1413 
-+// This is particularly useful in external cloud providers where the kubelet
1414 
-+// does not initialize node data.
1415 
-+func (cc *CascadeCloud) GetZoneByProviderID(ctx context.Context, providerID string) (cloudprovider.Zone, error) {
1416 
-+	return cloudprovider.Zone{}, errors.New("unimplemented")
1417 
-+}
1418 
-+
1419 
-+// GetZoneByNodeName implements Zones.GetZoneByNodeName
1420 
-+// This is particularly useful in external cloud providers where the kubelet
1421 
-+// does not initialize node data.
1422 
-+func (cc *CascadeCloud) GetZoneByNodeName(ctx context.Context, nodeName k8stypes.NodeName) (cloudprovider.Zone, error) {
1423 
-+	return cloudprovider.Zone{}, errors.New("unimeplemented")
1424 
-+}
1425 
-+
1426 
-+// Routes returns a false since the interface is not supported for Cascade controller.
1427 
-+func (cc *CascadeCloud) Routes() (cloudprovider.Routes, bool) {
1428 
-+	return nil, false
1429 
-+}
1430 
-+
1431 
-+// ScrubDNS filters DNS settings for pods.
1432 
-+func (cc *CascadeCloud) ScrubDNS(nameservers, searches []string) (nsOut, srchOut []string) {
1433 
-+	return nameservers, searches
1434 
-+}
1435 
-+
1436 
-+// HasClusterID returns true if the cluster has a clusterID
1437 
-+func (cc *CascadeCloud) HasClusterID() bool {
1438 
-+	return true
1439 
-+}
1440 
-diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/cascade/cascade_instances.go kubernetes/pkg/cloudprovider/providers/cascade/cascade_instances.go
1441 
-+++ kubernetes/pkg/cloudprovider/providers/cascade/cascade_instances.go	2018-05-17 00:03:37.000000000 +0000
1225 
+diff --git a/pkg/cloudprovider/providers/cascade/cascade_instances.go b/pkg/cloudprovider/providers/cascade/cascade_instances.go
1226 
+new file mode 100644
1227 
+index 0000000..58aa1b1
1228 
+--- /dev/null
1442 1229 
 @@ -0,0 +1,91 @@
1443 1230 
 +package cascade
1444 1231 
 +
... ... 
@@ -1533,9 +1645,11 @@ diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/cascade/c
1533 1533 
 +func (cc *CascadeCloud) InstanceType(ctx context.Context, nodeName k8stypes.NodeName) (string, error) {
1534 1534 
 +	return "", nil
1535 1535 
 +}
1536 
-diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/cascade/cascade_loadbalancer.go kubernetes/pkg/cloudprovider/providers/cascade/cascade_loadbalancer.go
1537 
-+++ kubernetes/pkg/cloudprovider/providers/cascade/cascade_loadbalancer.go	2018-05-17 00:03:37.000000000 +0000
1536 
+diff --git a/pkg/cloudprovider/providers/cascade/cascade_loadbalancer.go b/pkg/cloudprovider/providers/cascade/cascade_loadbalancer.go
1537 
+new file mode 100644
1538 
+index 0000000..1038639
1539 
+--- /dev/null
1538 1540 
 @@ -0,0 +1,285 @@
1539 1541 
 +package cascade
1540 1542 
 +
... ... 
@@ -1822,9 +1936,11 @@ diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/cascade/c
1822 1822 
 +func (l *loadBalancerLogger) Infof(msgTemplate string, args ...interface{}) {
1823 1823 
 +	glog.Infoln(l.getLogMsg(msgTemplate, args))
1824 1824 
 +}
1825 
-diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/cascade/client.go kubernetes/pkg/cloudprovider/providers/cascade/client.go
1826 
-+++ kubernetes/pkg/cloudprovider/providers/cascade/client.go	2018-05-17 00:03:37.000000000 +0000
1825 
+diff --git a/pkg/cloudprovider/providers/cascade/client.go b/pkg/cloudprovider/providers/cascade/client.go
1826 
+new file mode 100644
1827 
+index 0000000..72049e0
1828 
+--- /dev/null
1827 1829 
 @@ -0,0 +1,394 @@
1828 1830 
 +package cascade
1829 1831 
 +
... ... 
@@ -2220,9 +2336,11 @@ diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/cascade/c
2220 2220 
 +
2221 2221 
 +	return errorStep
2222 2222 
 +}
2223 
-diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/cascade/oidcclient.go kubernetes/pkg/cloudprovider/providers/cascade/oidcclient.go
2224 
-+++ kubernetes/pkg/cloudprovider/providers/cascade/oidcclient.go	2018-05-17 00:03:37.000000000 +0000
2223 
+diff --git a/pkg/cloudprovider/providers/cascade/oidcclient.go b/pkg/cloudprovider/providers/cascade/oidcclient.go
2224 
+new file mode 100644
2225 
+index 0000000..6a71cc1
2226 
+--- /dev/null
2225 2227 
 @@ -0,0 +1,297 @@
2226 2228 
 +package cascade
2227 2229 
 +
... ... 
@@ -2521,16 +2639,11 @@ diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/cascade/o
2521 2521 
 +
2522 2522 
 +	return oidcErr
2523 2523 
 +}
2524 
-diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/cascade/OWNERS kubernetes/pkg/cloudprovider/providers/cascade/OWNERS
2525 
-+++ kubernetes/pkg/cloudprovider/providers/cascade/OWNERS	2018-05-17 00:03:37.000000000 +0000
2526 
-@@ -0,0 +1,3 @@
2527 
-+maintainers:
2528 
-+- ashokc
2529 
-+- ysheng
2530 
-diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/cascade/restclient.go kubernetes/pkg/cloudprovider/providers/cascade/restclient.go
2531 
-+++ kubernetes/pkg/cloudprovider/providers/cascade/restclient.go	2018-05-17 00:03:37.000000000 +0000
2524 
+diff --git a/pkg/cloudprovider/providers/cascade/restclient.go b/pkg/cloudprovider/providers/cascade/restclient.go
2525 
+new file mode 100644
2526 
+index 0000000..71d8d1c
2527 
+--- /dev/null
2532 2528 
 @@ -0,0 +1,262 @@
2533 2529 
 +package cascade
2534 2530 
 +
... ... 
@@ -2794,18 +2907,22 @@ diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/cascade/r
2794 2794 
 +	apiError.HttpStatusCode = res.StatusCode
2795 2795 
 +	return nil, apiError
2796 2796 
 +}
2797 
-diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/cascade/tests_owed kubernetes/pkg/cloudprovider/providers/cascade/tests_owed
2798 
-+++ kubernetes/pkg/cloudprovider/providers/cascade/tests_owed	2018-05-17 00:03:37.000000000 +0000
2797 
+diff --git a/pkg/cloudprovider/providers/cascade/tests_owed b/pkg/cloudprovider/providers/cascade/tests_owed
2798 
+new file mode 100644
2799 
+index 0000000..dff5ab1
2800 
+--- /dev/null
2799 2801 
 @@ -0,0 +1,5 @@
2800 2802 
 +
2801 2803 
 +Yu Sheng
2802 2804 
 +Change-Id: Ifc11818f65a3e018aeea6988d9e2c0719b592920
2803 2805 
 +
2804 2806 
 +
2805 
-diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/cascade/utils.go kubernetes/pkg/cloudprovider/providers/cascade/utils.go
2806 
-+++ kubernetes/pkg/cloudprovider/providers/cascade/utils.go	2018-05-17 00:03:37.000000000 +0000
2807 
+diff --git a/pkg/cloudprovider/providers/cascade/utils.go b/pkg/cloudprovider/providers/cascade/utils.go
2808 
+new file mode 100644
2809 
+index 0000000..4e9e44c
2810 
+--- /dev/null
2807 2811 
 @@ -0,0 +1,25 @@
2808 2812 
 +package cascade
2809 2813 
 +
... ... 
@@ -2833,10 +2950,11 @@ diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/cascade/u
2833 2833 
 +	return &s
2834 2834 
 +}
2835 2835 
 \ No newline at end of file
2836 
-diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/providers.go kubernetes/pkg/cloudprovider/providers/providers.go
2837 
-+++ kubernetes/pkg/cloudprovider/providers/providers.go	2018-05-17 00:03:37.000000000 +0000
2838 
-@@ -20,6 +20,7 @@
2836 
+diff --git a/pkg/cloudprovider/providers/providers.go b/pkg/cloudprovider/providers/providers.go
2837 
+index 7de9ca9..6d8a1d2 100644
2838 
+--- a/pkg/cloudprovider/providers/providers.go
2839 
+@@ -20,6 +20,7 @@ import (
2839 2840 
  	// Cloud providers
2840 2841 
  	_ "k8s.io/kubernetes/pkg/cloudprovider/providers/aws"
2841 2842 
  	_ "k8s.io/kubernetes/pkg/cloudprovider/providers/azure"
... ... 
@@ -2844,10 +2962,39 @@ diff -uNr --no-dereference kubernetes-orig/pkg/cloudprovider/providers/providers
2844 2844 
  	_ "k8s.io/kubernetes/pkg/cloudprovider/providers/cloudstack"
2845 2845 
  	_ "k8s.io/kubernetes/pkg/cloudprovider/providers/gce"
2846 2846 
  	_ "k8s.io/kubernetes/pkg/cloudprovider/providers/openstack"
2847 
-diff -uNr --no-dereference kubernetes-orig/pkg/printers/internalversion/describe.go kubernetes/pkg/printers/internalversion/describe.go
2848 
-+++ kubernetes/pkg/printers/internalversion/describe.go	2018-05-17 00:03:37.000000000 +0000
2849 
-@@ -754,6 +754,8 @@
2847 
+diff --git a/pkg/kubeapiserver/options/plugins.go b/pkg/kubeapiserver/options/plugins.go
2848 
+index 75095b2..0914847 100644
2849 
+--- a/pkg/kubeapiserver/options/plugins.go
2850 
+@@ -58,6 +58,7 @@ import (
2851 
+ 	"k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle"
2852 
+ 	mutatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/mutating"
2853 
+ 	validatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/validating"
2854 
++	"k8s.io/kubernetes/plugin/pkg/admission/vke"
2855 
+ )
2856 
+
2857 
+ // AllOrderedPlugins is the list of all the plugins in order.
2858 
+@@ -93,6 +94,7 @@ var AllOrderedPlugins = []string{
2859 
+ 	initialization.PluginName,               // Initializers
2860 
+ 	validatingwebhook.PluginName,            // ValidatingAdmissionWebhook
2861 
+ 	resourcequota.PluginName,                // ResourceQuota
2862 
++	vke.PluginName,                          // VMwareAdmissionController
2863 
+ 	deny.PluginName,                         // AlwaysDeny
2864 
+ }
2865 
+
2866 
+@@ -126,6 +128,7 @@ func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
2867 
+ 	setdefault.Register(plugins)
2868 
+ 	resize.Register(plugins)
2869 
+ 	storageobjectinuseprotection.Register(plugins)
2870 
++	vke.Register(plugins)
2871 
+ }
2872 
+
2873 
+ // DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver.
2874 
+diff --git a/pkg/printers/internalversion/describe.go b/pkg/printers/internalversion/describe.go
2875 
+index 318148d..994f6ec 100644
2876 
+--- a/pkg/printers/internalversion/describe.go
2877 
+@@ -754,6 +754,8 @@ func describeVolumes(volumes []api.Volume, w PrefixWriter, space string) {
2850 2878 
  			printFlexVolumeSource(volume.VolumeSource.FlexVolume, w)
2851 2879 
  		case volume.VolumeSource.Flocker != nil:
2852 2880 
  			printFlockerVolumeSource(volume.VolumeSource.Flocker, w)
... ... 
@@ -2856,7 +3003,7 @@ diff -uNr --no-dereference kubernetes-orig/pkg/printers/internalversion/describe
2856 2856 
  		default:
2857 2857 
  			w.Write(LEVEL_1, "<unknown>\n")
2858 2858 
  		}
2859 
-@@ -1114,6 +1116,13 @@
2859 
+@@ -1114,6 +1116,13 @@ func printCSIPersistentVolumeSource(csi *api.CSIPersistentVolumeSource, w Prefix
2860 2860 
  		csi.Driver, csi.VolumeHandle, csi.ReadOnly)
2861 2861 
  }
2862 2862
... ... 
@@ -2870,7 +3017,7 @@ diff -uNr --no-dereference kubernetes-orig/pkg/printers/internalversion/describe
2870 2870 
  type PersistentVolumeDescriber struct {
2871 2871 
  	clientset.Interface
2872 2872 
  }
2873 
-@@ -1250,6 +1259,8 @@
2873 
+@@ -1250,6 +1259,8 @@ func describePersistentVolume(pv *api.PersistentVolume, events *api.EventList) (
2874 2874 
  			printFlockerVolumeSource(pv.Spec.Flocker, w)
2875 2875 
  		case pv.Spec.CSI != nil:
2876 2876 
  			printCSIPersistentVolumeSource(pv.Spec.CSI, w)
... ... 
@@ -2879,10 +3026,11 @@ diff -uNr --no-dereference kubernetes-orig/pkg/printers/internalversion/describe
2879 2879 
  		default:
2880 2880 
  			w.Write(LEVEL_1, "<unknown>\n")
2881 2881 
  		}
2882 
-diff -uNr --no-dereference kubernetes-orig/pkg/security/podsecuritypolicy/util/util.go kubernetes/pkg/security/podsecuritypolicy/util/util.go
2883 
-+++ kubernetes/pkg/security/podsecuritypolicy/util/util.go	2018-05-17 00:03:37.000000000 +0000
2884 
-@@ -68,6 +68,7 @@
2882 
+diff --git a/pkg/security/podsecuritypolicy/util/util.go b/pkg/security/podsecuritypolicy/util/util.go
2883 
+index d581f50..bfd21b1 100644
2884 
+--- a/pkg/security/podsecuritypolicy/util/util.go
2885 
+@@ -68,6 +68,7 @@ func GetAllFSTypesAsSet() sets.String {
2885 2886 
  		string(extensions.PortworxVolume),
2886 2887 
  		string(extensions.ScaleIO),
2887 2888 
  		string(extensions.CSI),
... ... 
@@ -2890,7 +3038,7 @@ diff -uNr --no-dereference kubernetes-orig/pkg/security/podsecuritypolicy/util/u
2890 2890 
  	)
2891 2891 
  	return fstypes
2892 2892 
  }
2893 
-@@ -129,6 +130,8 @@
2893 
+@@ -129,6 +130,8 @@ func GetVolumeFSType(v api.Volume) (extensions.FSType, error) {
2894 2894 
  		return extensions.PortworxVolume, nil
2895 2895 
  	case v.ScaleIO != nil:
2896 2896 
  		return extensions.ScaleIO, nil
... ... 
@@ -2899,9 +3047,68 @@ diff -uNr --no-dereference kubernetes-orig/pkg/security/podsecuritypolicy/util/u
2899 2899 
  	}
2900 2900
2901 2901 
  	return "", fmt.Errorf("unknown volume type for volume: %#v", v)
2902 
-diff -uNr --no-dereference kubernetes-orig/pkg/volume/cascade_disk/attacher.go kubernetes/pkg/volume/cascade_disk/attacher.go
2903 
-+++ kubernetes/pkg/volume/cascade_disk/attacher.go	2018-05-17 00:03:37.000000000 +0000
2902 
+diff --git a/pkg/volume/cascade_disk/BUILD b/pkg/volume/cascade_disk/BUILD
2903 
+new file mode 100644
2904 
+index 0000000..3386612
2905 
+--- /dev/null
2906 
+@@ -0,0 +1,43 @@
2907 
++package(default_visibility = ["//visibility:public"])
2908 
++
2909 
++load(
2910 
++    "@io_bazel_rules_go//go:def.bzl",
2911 
++    "go_library",
2912 
++    "go_test",
2913 
++)
2914 
++
2915 
++go_library(
2916 
++    name = "go_default_library",
2917 
++    srcs = [
2918 
++        "attacher.go",
2919 
++        "cascade_disk.go",
2920 
++        "cascade_util.go",
2921 
++    ],
2922 
++    deps = [
2923 
++        "//pkg/cloudprovider:go_default_library",
2924 
++        "//pkg/cloudprovider/providers/cascade:go_default_library",
2925 
++        "//pkg/util/mount:go_default_library",
2926 
++        "//pkg/util/strings:go_default_library",
2927 
++        "//pkg/volume:go_default_library",
2928 
++        "//pkg/volume/util:go_default_library",
2929 
++        "//pkg/volume/util/volumehelper:go_default_library",
2930 
++        "//vendor/github.com/golang/glog:go_default_library",
2931 
++        "//vendor/k8s.io/api/core/v1:go_default_library",
2932 
++        "//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
2933 
++        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
2934 
++        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
2935 
++    ],
2936 
++)
2937 
++
2938 
++filegroup(
2939 
++    name = "package-srcs",
2940 
++    srcs = glob(["**"]),
2941 
++    tags = ["automanaged"],
2942 
++    visibility = ["//visibility:private"],
2943 
++)
2944 
++
2945 
++filegroup(
2946 
++    name = "all-srcs",
2947 
++    srcs = [":package-srcs"],
2948 
++    tags = ["automanaged"],
2949 
++)
2950 
+diff --git a/pkg/volume/cascade_disk/OWNERS b/pkg/volume/cascade_disk/OWNERS
2951 
+new file mode 100644
2952 
+index 0000000..c3a4ed7
2953 
+--- /dev/null
2954 
+@@ -0,0 +1,2 @@
2955 
++maintainers:
2956 
++- ashokc
2957 
+diff --git a/pkg/volume/cascade_disk/attacher.go b/pkg/volume/cascade_disk/attacher.go
2958 
+new file mode 100644
2959 
+index 0000000..80d8d3a
2960 
+--- /dev/null
2904 2961 
 @@ -0,0 +1,268 @@
2905 2962 
 +package cascade_disk
2906 2963 
 +
... ... 
@@ -3171,56 +3378,11 @@ diff -uNr --no-dereference kubernetes-orig/pkg/volume/cascade_disk/attacher.go k
3171 3171 
 +func (detacher *cascadeDiskDetacher) UnmountDevice(deviceMountPath string) error {
3172 3172 
 +	return volumeutil.UnmountPath(deviceMountPath, detacher.mounter)
3173 3173 
 +}
3174 
-diff -uNr --no-dereference kubernetes-orig/pkg/volume/cascade_disk/BUILD kubernetes/pkg/volume/cascade_disk/BUILD
3175 
-+++ kubernetes/pkg/volume/cascade_disk/BUILD	2018-05-17 00:03:37.000000000 +0000
3176 
-@@ -0,0 +1,43 @@
3177 
-+package(default_visibility = ["//visibility:public"])
3178 
-+
3179 
-+load(
3180 
-+    "@io_bazel_rules_go//go:def.bzl",
3181 
-+    "go_library",
3182 
-+    "go_test",
3183 
-+)
3184 
-+
3185 
-+go_library(
3186 
-+    name = "go_default_library",
3187 
-+    srcs = [
3188 
-+        "attacher.go",
3189 
-+        "cascade_disk.go",
3190 
-+        "cascade_util.go",
3191 
-+    ],
3192 
-+    deps = [
3193 
-+        "//pkg/cloudprovider:go_default_library",
3194 
-+        "//pkg/cloudprovider/providers/cascade:go_default_library",
3195 
-+        "//pkg/util/mount:go_default_library",
3196 
-+        "//pkg/util/strings:go_default_library",
3197 
-+        "//pkg/volume:go_default_library",
3198 
-+        "//pkg/volume/util:go_default_library",
3199 
-+        "//pkg/volume/util/volumehelper:go_default_library",
3200 
-+        "//vendor/github.com/golang/glog:go_default_library",
3201 
-+        "//vendor/k8s.io/api/core/v1:go_default_library",
3202 
-+        "//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
3203 
-+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
3204 
-+        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
3205 
-+    ],
3206 
-+)
3207 
-+
3208 
-+filegroup(
3209 
-+    name = "package-srcs",
3210 
-+    srcs = glob(["**"]),
3211 
-+    tags = ["automanaged"],
3212 
-+    visibility = ["//visibility:private"],
3213 
-+)
3214 
-+
3215 
-+filegroup(
3216 
-+    name = "all-srcs",
3217 
-+    srcs = [":package-srcs"],
3218 
-+    tags = ["automanaged"],
3219 
-+)
3220 
-diff -uNr --no-dereference kubernetes-orig/pkg/volume/cascade_disk/cascade_disk.go kubernetes/pkg/volume/cascade_disk/cascade_disk.go
3221 
-+++ kubernetes/pkg/volume/cascade_disk/cascade_disk.go	2018-05-17 00:03:37.000000000 +0000
3174 
+diff --git a/pkg/volume/cascade_disk/cascade_disk.go b/pkg/volume/cascade_disk/cascade_disk.go
3175 
+new file mode 100644
3176 
+index 0000000..769c876
3177 
+--- /dev/null
3222 3178 
 @@ -0,0 +1,390 @@
3223 3179 
 +package cascade_disk
3224 3180 
 +
... ... 
@@ -3612,9 +3774,11 @@ diff -uNr --no-dereference kubernetes-orig/pkg/volume/cascade_disk/cascade_disk.
3612 3612 
 +
3613 3613 
 +	return nil, false, fmt.Errorf("Spec does not reference a Cascade disk type")
3614 3614 
 +}
3615 
-diff -uNr --no-dereference kubernetes-orig/pkg/volume/cascade_disk/cascade_util.go kubernetes/pkg/volume/cascade_disk/cascade_util.go
3616 
-+++ kubernetes/pkg/volume/cascade_disk/cascade_util.go	2018-05-17 00:03:37.000000000 +0000
3615 
+diff --git a/pkg/volume/cascade_disk/cascade_util.go b/pkg/volume/cascade_disk/cascade_util.go
3616 
+new file mode 100644
3617 
+index 0000000..19ddb7f
3618 
+--- /dev/null
3617 3619 
 @@ -0,0 +1,107 @@
3618 3620 
 +package cascade_disk
3619 3621 
 +
... ... 
@@ -3723,16 +3887,11 @@ diff -uNr --no-dereference kubernetes-orig/pkg/volume/cascade_disk/cascade_util.
3723 3723 
 +	}
3724 3724 
 +	return cc, nil
3725 3725 
 +}
3726 
-diff -uNr --no-dereference kubernetes-orig/pkg/volume/cascade_disk/OWNERS kubernetes/pkg/volume/cascade_disk/OWNERS
3727 
-+++ kubernetes/pkg/volume/cascade_disk/OWNERS	2018-05-17 00:03:37.000000000 +0000
3728 
-@@ -0,0 +1,2 @@
3729 
-+maintainers:
3730 
-+- ashokc
3731 
-diff -uNr --no-dereference kubernetes-orig/plugin/pkg/admission/persistentvolume/label/admission.go kubernetes/plugin/pkg/admission/persistentvolume/label/admission.go
3732 
-+++ kubernetes/plugin/pkg/admission/persistentvolume/label/admission.go	2018-05-17 00:03:37.000000000 +0000
3733 
-@@ -27,6 +27,7 @@
3726 
+diff --git a/plugin/pkg/admission/persistentvolume/label/admission.go b/plugin/pkg/admission/persistentvolume/label/admission.go
3727 
+index 819adae..ef72cf5 100644
3728 
+--- a/plugin/pkg/admission/persistentvolume/label/admission.go
3729 
+@@ -27,6 +27,7 @@ import (
3734 3730 
  	api "k8s.io/kubernetes/pkg/apis/core"
3735 3731 
  	"k8s.io/kubernetes/pkg/cloudprovider"
3736 3732 
  	"k8s.io/kubernetes/pkg/cloudprovider/providers/aws"
... ... 
@@ -3740,7 +3899,7 @@ diff -uNr --no-dereference kubernetes-orig/plugin/pkg/admission/persistentvolume
3740 3740 
  	"k8s.io/kubernetes/pkg/cloudprovider/providers/gce"
3741 3741 
  	kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
3742 3742 
  	kubeletapis "k8s.io/kubernetes/pkg/kubelet/apis"
3743 
-@@ -52,6 +53,7 @@
3743 
+@@ -52,6 +53,7 @@ type persistentVolumeLabel struct {
3744 3744 
  	ebsVolumes       aws.Volumes
3745 3745 
  	cloudConfig      []byte
3746 3746 
  	gceCloudProvider *gce.GCECloud
... ... 
@@ -3748,7 +3907,7 @@ diff -uNr --no-dereference kubernetes-orig/plugin/pkg/admission/persistentvolume
3748 3748 
  }
3749 3749
3750 3750 
  var _ admission.MutationInterface = &persistentVolumeLabel{}
3751 
-@@ -104,6 +106,13 @@
3751 
+@@ -104,6 +106,13 @@ func (l *persistentVolumeLabel) Admit(a admission.Attributes) (err error) {
3752 3752 
  		}
3753 3753 
  		volumeLabels = labels
3754 3754 
  	}
... ... 
@@ -3762,7 +3921,7 @@ diff -uNr --no-dereference kubernetes-orig/plugin/pkg/admission/persistentvolume
3762 3762
3763 3763 
  	if len(volumeLabels) != 0 {
3764 3764 
  		if volume.Labels == nil {
3765 
-@@ -216,3 +225,48 @@
3765 
+@@ -216,3 +225,48 @@ func (l *persistentVolumeLabel) getGCECloudProvider() (*gce.GCECloud, error) {
3766 3766 
  	}
3767 3767 
  	return l.gceCloudProvider, nil
3768 3768 
  }
... ... 
@@ -3811,10 +3970,1003 @@ diff -uNr --no-dereference kubernetes-orig/plugin/pkg/admission/persistentvolume
3811 3811 
 +	}
3812 3812 
 +	return l.cascadeDisks, nil
3813 3813 
 +}
3814 
-diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/generated.pb.go kubernetes/staging/src/k8s.io/api/core/v1/generated.pb.go
3815 
-+++ kubernetes/staging/src/k8s.io/api/core/v1/generated.pb.go	2018-05-17 00:03:37.000000000 +0000
3816 
-@@ -35,6 +35,7 @@
3814 
+diff --git a/plugin/pkg/admission/vke/BUILD b/plugin/pkg/admission/vke/BUILD
3815 
+new file mode 100644
3816 
+index 0000000..b0a6026
3817 
+--- /dev/null
3818 
+@@ -0,0 +1,58 @@
3819 
++package(default_visibility = ["//visibility:public"])
3820 
++
3821 
++load(
3822 
++    "@io_bazel_rules_go//go:def.bzl",
3823 
++    "go_library",
3824 
++)
3825 
++
3826 
++go_library(
3827 
++    name = "go_default_library",
3828 
++    srcs = ["admission.go"],
3829 
++    importpath = "k8s.io/kubernetes/plugin/pkg/admission/vke",
3830 
++    deps = [
3831 
++        "//pkg/apis/core:go_default_library",
3832 
++        "//pkg/apis/extensions:go_default_library",
3833 
++        "//pkg/apis/rbac:go_default_library",
3834 
++        "//pkg/registry/rbac:go_default_library",
3835 
++        "//pkg/security/podsecuritypolicy:go_default_library",
3836 
++        "//vendor/github.com/golang/glog:go_default_library",
3837 
++        "//vendor/k8s.io/apimachinery/pkg/api/equality:go_default_library",
3838 
++        "//vendor/k8s.io/apimachinery/pkg/util/yaml:go_default_library",
3839 
++        "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
3840 
++        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
3841 
++        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
3842 
++    ],
3843 
++)
3844 
++
3845 
++go_test(
3846 
++    name = "go_default_test",
3847 
++    srcs = ["admission_test.go"],
3848 
++    embed = [":go_default_library"],
3849 
++    deps = [
3850 
++        "//pkg/apis/core:go_default_library",
3851 
++        "//pkg/apis/extensions:go_default_library",
3852 
++        "//pkg/apis/rbac:go_default_library",
3853 
++        "//pkg/registry/rbac:go_default_library",
3854 
++        "//pkg/security/podsecuritypolicy:go_default_library",
3855 
++        "//vendor/github.com/golang/glog:go_default_library",
3856 
++        "//vendor/github.com/stretchr/testify/assert:go_default_library",
3857 
++        "//vendor/k8s.io/apimachinery/pkg/api/equality:go_default_library",
3858 
++        "//vendor/k8s.io/apimachinery/pkg/util/yaml:go_default_library",
3859 
++        "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
3860 
++        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
3861 
++        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
3862 
++    ],
3863 
++)
3864 
++
3865 
++filegroup(
3866 
++    name = "package-srcs",
3867 
++    srcs = glob(["**"]),
3868 
++    tags = ["automanaged"],
3869 
++    visibility = ["//visibility:private"],
3870 
++)
3871 
++
3872 
++filegroup(
3873 
++    name = "all-srcs",
3874 
++    srcs = [":package-srcs"],
3875 
++    tags = ["automanaged"],
3876 
++)
3877 
+\ No newline at end of file
3878 
+diff --git a/plugin/pkg/admission/vke/admission.go b/plugin/pkg/admission/vke/admission.go
3879 
+new file mode 100644
3880 
+index 0000000..e029ce6
3881 
+--- /dev/null
3882 
+@@ -0,0 +1,374 @@
3883 
++package vke
3884 
++
3885 
++import (
3886 
++	"fmt"
3887 
++	"io"
3888 
++	"strings"
3889 
++
3890 
++	"github.com/golang/glog"
3891 
++	apiequality "k8s.io/apimachinery/pkg/api/equality"
3892 
++	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
3893 
++	"k8s.io/apimachinery/pkg/util/validation/field"
3894 
++	"k8s.io/apimachinery/pkg/util/yaml"
3895 
++	"k8s.io/apiserver/pkg/admission"
3896 
++	api "k8s.io/kubernetes/pkg/apis/core"
3897 
++	"k8s.io/kubernetes/pkg/apis/extensions"
3898 
++	"k8s.io/kubernetes/pkg/apis/rbac"
3899 
++	rbacregistry "k8s.io/kubernetes/pkg/registry/rbac"
3900 
++	"k8s.io/kubernetes/pkg/security/podsecuritypolicy"
3901 
++)
3902 
++
3903 
++const (
3904 
++	// PluginName indicates name of admission plugin.
3905 
++	PluginName = "VMwareAdmissionController"
3906 
++
3907 
++	systemUnsecuredUser      = "system:unsecured"
3908 
++	privilegedNamespace      = "vke-system"
3909 
++	privilegedServiceAccount = "system:serviceaccount:" + privilegedNamespace + ":"
3910 
++	reservedPrefix           = "vke"
3911 
++	kubeletGroup             = "system:nodes"
3912 
++	kubeProxyGroup           = "cascade:kube-proxies"
3913 
++	dashboardPod             = "vke-dashboard-0"
3914 
++	kubeSystemNamespace      = "kube-system"
3915 
++)
3916 
++
3917 
++// Register registers a plugin.
3918 
++func Register(plugins *admission.Plugins) {
3919 
++	plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
3920 
++		return NewVMwareAdmissionController(config)
3921 
++	})
3922 
++}
3923 
++
3924 
++// vmwareAdmissionController is an implementation of admission.Interface.
3925 
++// It restricts access to VKE namespace for users and prevents the users from creating privileged pods.
3926 
++type vmwareAdmissionController struct {
3927 
++	psp             *extensions.PodSecurityPolicy
3928 
++	strategyFactory podsecuritypolicy.StrategyFactory
3929 
++	privilegedGroup string
3930 
++}
3931 
++
3932 
++// vmwareAdmissionControllerConfig holds config data for VMwareAdmissionController.
3933 
++type vmwareAdmissionControllerConfig struct {
3934 
++	PrivilegedGroup string `yaml:"privilegedGroup"`
3935 
++}
3936 
++
3937 
++// AdmissionConfig holds config data for admission controllers.
3938 
++type AdmissionConfig struct {
3939 
++	VMwareAdmissionController vmwareAdmissionControllerConfig `yaml:"vmwareAdmissionController"`
3940 
++}
3941 
++
3942 
++var _ admission.ValidationInterface = &vmwareAdmissionController{}
3943 
++
3944 
++// Validate makes an admission decision based on the request attributes.  It is NOT allowed to mutate.
3945 
++func (vac *vmwareAdmissionController) Validate(a admission.Attributes) (err error) {
3946 
++	if isPrivilegedUser(vac, a) {
3947 
++		return nil
3948 
++	}
3949 
++
3950 
++	if isSystemUnsecuredUser(a) {
3951 
++		return validateSystemUnsecuredUser(vac, a)
3952 
++	}
3953 
++
3954 
++	if isPrivilegedNamespace(a) {
3955 
++		return admission.NewForbidden(a,
3956 
++			fmt.Errorf("%s validation failed: cannot modify resources in namespace %s", PluginName, a.GetNamespace()))
3957 
++	}
3958 
++
3959 
++	switch a.GetResource().GroupResource() {
3960 
++	case api.Resource("pods"):
3961 
++		err = validatePods(vac, a)
3962 
++	case api.Resource("nodes"):
3963 
++		err = admission.NewForbidden(a, fmt.Errorf("%s validation failed: cannot modify nodes", PluginName))
3964 
++	case rbac.Resource("clusterroles"):
3965 
++		err = validateClusterRoles(a)
3966 
++	case rbac.Resource("clusterrolebindings"):
3967 
++		err = validateClusterRoleBindings(a)
3968 
++	}
3969 
++
3970 
++	return err
3971 
++}
3972 
++
3973 
++// Handles returns true if this admission controller can handle the given operation
3974 
++// where operation can be one of CREATE, UPDATE, DELETE, or CONNECT.
3975 
++func (vac *vmwareAdmissionController) Handles(operation admission.Operation) bool {
3976 
++	return true
3977 
++}
3978 
++
3979 
++// NewVMwareAdmissionController creates a new VMwareAdmissionController.
3980 
++func NewVMwareAdmissionController(configFile io.Reader) (*vmwareAdmissionController, error) {
3981 
++	glog.V(2).Infof("%s is enabled", PluginName)
3982 
++	if configFile == nil {
3983 
++		glog.Warningf("No config specified for %s. Using default configuration", PluginName)
3984 
++		return nil, fmt.Errorf("no config file specified for %s", PluginName)
3985 
++	}
3986 
++
3987 
++	var config AdmissionConfig
3988 
++	d := yaml.NewYAMLOrJSONDecoder(configFile, 4096)
3989 
++	err := d.Decode(&config)
3990 
++	if err != nil {
3991 
++		return nil, err
3992 
++	}
3993 
++
3994 
++	return &vmwareAdmissionController{
3995 
++		psp:             getDefaultPSP(),
3996 
++		strategyFactory: podsecuritypolicy.NewSimpleStrategyFactory(),
3997 
++		privilegedGroup: config.VMwareAdmissionController.PrivilegedGroup,
3998 
++	}, nil
3999 
++}
4000 
++
4001 
++func getDefaultPSP() *extensions.PodSecurityPolicy {
4002 
++	return &extensions.PodSecurityPolicy{
4003 
++		TypeMeta: metav1.TypeMeta{
4004 
++			Kind:       "PodSecurityPolicy",
4005 
++			APIVersion: "extensions/v1beta1",
4006 
++		},
4007 
++		Spec: extensions.PodSecurityPolicySpec{
4008 
++			Privileged:               false,
4009 
++			HostNetwork:              false,
4010 
++			HostIPC:                  false,
4011 
++			HostPID:                  false,
4012 
++			AllowPrivilegeEscalation: false,
4013 
++			Volumes: []extensions.FSType{
4014 
++				"emptyDir",
4015 
++				"secret",
4016 
++				"downwardAPI",
4017 
++				"configMap",
4018 
++				"persistentVolumeClaim",
4019 
++				"projected",
4020 
++			},
4021 
++			FSGroup: extensions.FSGroupStrategyOptions{
4022 
++				Rule: extensions.FSGroupStrategyRunAsAny,
4023 
++			},
4024 
++			RunAsUser: extensions.RunAsUserStrategyOptions{
4025 
++				Rule: extensions.RunAsUserStrategyRunAsAny,
4026 
++			},
4027 
++			SELinux: extensions.SELinuxStrategyOptions{
4028 
++				Rule: extensions.SELinuxStrategyRunAsAny,
4029 
++			},
4030 
++			SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
4031 
++				Rule: extensions.SupplementalGroupsStrategyRunAsAny,
4032 
++			},
4033 
++		},
4034 
++	}
4035 
++}
4036 
++
4037 
++func isPrivilegedUser(vac *vmwareAdmissionController, a admission.Attributes) bool {
4038 
++	// We need to allow the service accounts inside the privileged namespace to be able to access pods and nodes.
4039 
++	// Node-monitor agent, Photon OS update controller and Cluster autoscaler depend on this.
4040 
++	user := a.GetUserInfo().GetName()
4041 
++	if strings.HasPrefix(user, privilegedServiceAccount) {
4042 
++		return true
4043 
++	}
4044 
++
4045 
++	// If the request comes from a user belonging to a privileged group, then we allow it. Only calls from Cascade
4046 
++	// controller will belong to this privileged group.
4047 
++	// If the request comes from kubelet or kube-proxy, we allow those too. We don't want to prevent kubelet from being
4048 
++	// able to create a privileged pod or update nodes. The same way we don't want to prevent kube-proxy from creating
4049 
++	// events.
4050 
++	groups := a.GetUserInfo().GetGroups()
4051 
++	for _, group := range groups {
4052 
++		if group == vac.privilegedGroup || group == kubeletGroup || group == kubeProxyGroup {
4053 
++			return true
4054 
++		}
4055 
++	}
4056 
++
4057 
++	return false
4058 
++}
4059 
++
4060 
++func isSystemUnsecuredUser(a admission.Attributes) bool {
4061 
++	return a.GetUserInfo().GetName() == systemUnsecuredUser
4062 
++}
4063 
++
4064 
++func validateSystemUnsecuredUser(vac *vmwareAdmissionController, a admission.Attributes) (err error) {
4065 
++	// Currently the insecure port 8080 is exposed to only localhost inside the Kubernetes master VMs. So it can be used
4066 
++	// only by kube-controller-manager, kube-scheduler and cloud-init script which creates our pods and other resources.
4067 
++	// When a call comes on insecure port 8080, Kubernetes assigns them system:unsecured user name. We need to allow
4068 
++	// this so that our master components can be started successfully and kube-controller-manager and kube-scheduler can
4069 
++	// work as expected.
4070 
++	// But this needs to be allowed only inside our privileged namespace. If the request comes to any other namespace,
4071 
++	// we need to make it go through our pod validation. This is needed because a user can create a deployment or
4072 
++	// replica set which has a privileged pod. Since our admission controller does not look at deployments or replica
4073 
++	// sets, we will allow it. The actual pod inside the deployment or replica set will be created by the
4074 
++	// controller-manager and if we allow it to create pods in any namespace, then a user can create a privileged pod
4075 
++	// totally bypassing our security checks.
4076 
++	if !isPrivilegedNamespace(a) && (a.GetResource().GroupResource() == api.Resource("pods")) {
4077 
++		return validatePods(vac, a)
4078 
++	}
4079 
++
4080 
++	// For all other resources, allow.
4081 
++	return nil
4082 
++}
4083 
++
4084 
++func isPrivilegedNamespace(a admission.Attributes) bool {
4085 
++	// If the namespace mentioned in the resource is privileged, return true. We will hit this for calls made to all
4086 
++	// resources in this namespace and during delete and update operation on the namespace itself.
4087 
++	if a.GetNamespace() == privilegedNamespace {
4088 
++		return true
4089 
++	}
4090 
++
4091 
++	// If the resource is a namespace and if its name matched the privileged namespace, return true. We will hit this
4092 
++	// during creation of the namespace.
4093 
++	if a.GetResource().GroupResource() == api.Resource("namespaces") {
4094 
++		if namespace, ok := a.GetObject().(*api.Namespace); ok {
4095 
++			if namespace.Name == privilegedNamespace {
4096 
++				return true
4097 
++			}
4098 
++		}
4099 
++	}
4100 
++
4101 
++	return false
4102 
++}
4103 
++
4104 
++func validateClusterRoles(a admission.Attributes) error {
4105 
++	// If the name in the request is not empty and has the reserved prefix, then fail. We will hit this during delete
4106 
++	// and update operations on the cluster roles. If it does not have the reserved prefix, allow it. If the name is
4107 
++	// empty then proceed to read it from the object in the request.
4108 
++	if a.GetName() != "" {
4109 
++		return checkReservedPrefix(a.GetName(), a)
4110 
++	}
4111 
++
4112 
++	clusterRole, ok := a.GetObject().(*rbac.ClusterRole)
4113 
++	// If we cannot get the cluster role binding object, fail.
4114 
++	if !ok {
4115 
++		return admission.NewForbidden(a,
4116 
++			fmt.Errorf("%s validation failed: unexpected type %T", PluginName, a.GetObject()))
4117 
++	}
4118 
++	// If we get the object and the name has the reserved prefix, fail. We will hit this when someone tries to create a
4119 
++	// cluster role with the reserved prefix.
4120 
++	return checkReservedPrefix(clusterRole.Name, a)
4121 
++}
4122 
++
4123 
++func validateClusterRoleBindings(a admission.Attributes) error {
4124 
++	// If the name in the request is not empty and has the reserved prefix, then fail. We will hit this during delete
4125 
++	// and update operations on the cluster role bindings. If it does not have the reserved prefix, allow it. If the
4126 
++	// name is empty then proceed to read it from the object in the request.
4127 
++	if a.GetName() != "" {
4128 
++		return checkReservedPrefix(a.GetName(), a)
4129 
++	}
4130 
++
4131 
++	clusterRoleBinding, ok := a.GetObject().(*rbac.ClusterRoleBinding)
4132 
++	// If we cannot get the cluster role binding object, fail.
4133 
++	if !ok {
4134 
++		return admission.NewForbidden(a,
4135 
++			fmt.Errorf("%s validation failed: unexpected type %T", PluginName, a.GetObject()))
4136 
++	}
4137 
++	// If we get the object and the name has the reserved prefix, fail. We will hit this when someone tries to create a
4138 
++	// cluster role binding with the reserved prefix.
4139 
++	return checkReservedPrefix(clusterRoleBinding.Name, a)
4140 
++}
4141 
++
4142 
++func validatePods(vac *vmwareAdmissionController, a admission.Attributes) error {
4143 
++	// If the request is acting on a sub resource of a pod then allow it. This request is not directly coming to a pod,
4144 
++	// but to a sub-resource like pods/foo/status. So, this does not have to be blocked.
4145 
++	if len(a.GetSubresource()) != 0 {
4146 
++		return nil
4147 
++	}
4148 
++
4149 
++	// If it is a Connect operation, allow it. We restrict access to connect to any pods in the vke-system namespace.
4150 
++	// Also, DenyEscalatingExec admission controller denies access to connect to any privileged pod in general. So it is
4151 
++	// OK to allow this.
4152 
++	if a.GetOperation() == admission.Connect {
4153 
++		return nil
4154 
++	}
4155 
++
4156 
++	// If it is a Delete operation and it is not a pod with a reserved prefix, allow it. We restrict access to delete
4157 
++	// any pods in the vke-system namespace. So it is OK to allow this.
4158 
++	// TODO: Make sure we do not have a need to delete the dashboard stateful set. If we do then it will fail.
4159 
++	if a.GetOperation() == admission.Delete {
4160 
++		return checkReservedPrefix(a.GetName(), a)
4161 
++	}
4162 
++
4163 
++	// If we cannot get the pod object, fail.
4164 
++	if _, ok := a.GetObject().(*api.Pod); !ok {
4165 
++		return admission.NewForbidden(a,
4166 
++			fmt.Errorf("%s validation failed: unexpected type %T", PluginName, a.GetObject()))
4167 
++	}
4168 
++
4169 
++	// If this is an update, see if we are only updating the ownerRef/finalizers.  Garbage collection does this
4170 
++	// and we should allow it in general, since you had the power to update and the power to delete.
4171 
++	// The worst that happens is that you delete something, but you aren't controlling the privileged object itself
4172 
++	if a.GetOperation() == admission.Update &&
4173 
++		rbacregistry.IsOnlyMutatingGCFields(a.GetObject(), a.GetOldObject(), apiequality.Semantic) {
4174 
++		return nil
4175 
++	}
4176 
++
4177 
++	errs := field.ErrorList{}
4178 
++	originalPod := a.GetObject().(*api.Pod)
4179 
++
4180 
++	// If the pod is our dashboard pod, its namespace is kube-system and it is created by the controller-manager then
4181 
++	// skip validation. This pod is in kube-system namespace which is not privileged. But we need to allow the dashboard
4182 
++	// pod to be privileged because it has the OIDC proxy container which requires hostPath volume mount. Just to make
4183 
++	// sure we allow only this one pod, we make sure that it is created by the controller manager and name matches the
4184 
++	// dashboard pod and it is in kube-system.
4185 
++	if a.GetUserInfo().GetName() == systemUnsecuredUser && a.GetNamespace() == kubeSystemNamespace &&
4186 
++		(a.GetName() == dashboardPod || originalPod.Name == dashboardPod) {
4187 
++		return nil
4188 
++	}
4189 
++
4190 
++	// Check if the pod that needs to be created or updated has the reserved prefix. If it does, deny the request.
4191 
++	podName := a.GetName()
4192 
++	if podName == "" {
4193 
++		podName = originalPod.Name
4194 
++	}
4195 
++	if err := checkReservedPrefix(podName, a); err != nil {
4196 
++		return err
4197 
++	}
4198 
++
4199 
++	// Generate a copy of the pod object because we are not allowed to mutate the pod object.
4200 
++	pod := originalPod.DeepCopy()
4201 
++
4202 
++	provider, err := podsecuritypolicy.NewSimpleProvider(vac.psp, pod.Namespace, vac.strategyFactory)
4203 
++	if err != nil {
4204 
++		return admission.NewForbidden(a, fmt.Errorf("%s validation failed: %v", PluginName, err))
4205 
++	}
4206 
++
4207 
++	// Set default security context for the pod. This fills in the defaults for the security context values that are not
4208 
++	// provided. This is needed to validate the security context correctly.
4209 
++	err = provider.DefaultPodSecurityContext(pod)
4210 
++	if err != nil {
4211 
++		errs = append(errs, field.Invalid(field.NewPath("spec", "securityContext"),
4212 
++			pod.Spec.SecurityContext, err.Error()))
4213 
++	}
4214 
++
4215 
++	// Validate the pod.
4216 
++	errs = append(errs, provider.ValidatePod(pod, field.NewPath("spec", "securityContext"))...)
4217 
++
4218 
++	// Validate the initContainers that are part of the pod.
4219 
++	for i := range pod.Spec.InitContainers {
4220 
++		err := provider.DefaultContainerSecurityContext(pod, &pod.Spec.InitContainers[i])
4221 
++		if err != nil {
4222 
++			errs = append(errs, field.Invalid(field.NewPath("spec", "initContainers").Index(i).
4223 
++				Child("securityContext"), "", err.Error()))
4224 
++			continue
4225 
++		}
4226 
++		errs = append(errs, provider.ValidateContainerSecurityContext(pod, &pod.Spec.InitContainers[i],
4227 
++			field.NewPath("spec", "initContainers").Index(i).Child("securityContext"))...)
4228 
++	}
4229 
++
4230 
++	// Validate the containers that are part of the pod.
4231 
++	for i := range pod.Spec.Containers {
4232 
++		err := provider.DefaultContainerSecurityContext(pod, &pod.Spec.Containers[i])
4233 
++		if err != nil {
4234 
++			errs = append(errs, field.Invalid(field.NewPath("spec", "containers").Index(i).
4235 
++				Child("securityContext"), "", err.Error()))
4236 
++			continue
4237 
++		}
4238 
++		errs = append(errs, provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[i],
4239 
++			field.NewPath("spec", "containers").Index(i).Child("securityContext"))...)
4240 
++	}
4241 
++
4242 
++	if len(errs) > 0 {
4243 
++		return admission.NewForbidden(a,
4244 
++			fmt.Errorf("%s validation failed: %v", PluginName, errs))
4245 
++	}
4246 
++
4247 
++	return nil
4248 
++}
4249 
++
4250 
++func checkReservedPrefix(resourceName string, a admission.Attributes) error {
4251 
++	if strings.HasPrefix(resourceName, reservedPrefix) {
4252 
++		return admission.NewForbidden(a,
4253 
++			fmt.Errorf("%s validation failed: cannot modify resources with prefix %s", PluginName, reservedPrefix))
4254 
++	}
4255 
++	return nil
4256 
++}
4257 
+diff --git a/plugin/pkg/admission/vke/admission_test.go b/plugin/pkg/admission/vke/admission_test.go
4258 
+new file mode 100644
4259 
+index 0000000..779f412
4260 
+--- /dev/null
4261 
+@@ -0,0 +1,541 @@
4262 
++package vke
4263 
++
4264 
++import (
4265 
++	"fmt"
4266 
++	"strings"
4267 
++	"testing"
4268 
++
4269 
++	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
4270 
++	kadmission "k8s.io/apiserver/pkg/admission"
4271 
++	kapi "k8s.io/kubernetes/pkg/apis/core"
4272 
++	"k8s.io/kubernetes/pkg/apis/rbac"
4273 
++	"k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/authentication/user"
4274 
++)
4275 
++
4276 
++const (
4277 
++	testServiceAccountsGroup = "system.test\\cascade-controller-service-accounts"
4278 
++	defaultConfigFileFormat  = `
4279 
++vmwareAdmissionController:
4280 
++  privilegedGroup: %s
4281 
++`
4282 
++)
4283 
++
4284 
++func TestAdmitPrivileged(t *testing.T) {
4285 
++	tests := map[string]struct {
4286 
++		operation          kadmission.Operation
4287 
++		pod                *kapi.Pod
4288 
++		name               string
4289 
++		userInfo           user.Info
4290 
++		shouldPassValidate bool
4291 
++	}{
4292 
++		"create pod with Privileged=nil allowed": {
4293 
++			operation:          kadmission.Create,
4294 
++			pod:                newTestPodBuilder().build(),
4295 
++			userInfo:           newTestUserBuilder().build(),
4296 
++			shouldPassValidate: true,
4297 
++		},
4298 
++		"create pod with Privileged=false allowed": {
4299 
++			operation:          kadmission.Create,
4300 
++			pod:                newTestPodBuilder().withPrivileged(false).build(),
4301 
++			userInfo:           newTestUserBuilder().build(),
4302 
++			shouldPassValidate: true,
4303 
++		},
4304 
++		"create pod with Privileged=true denied": {
4305 
++			operation:          kadmission.Create,
4306 
++			pod:                newTestPodBuilder().withPrivileged(true).build(),
4307 
++			userInfo:           newTestUserBuilder().build(),
4308 
++			shouldPassValidate: false,
4309 
++		},
4310 
++		"create pod with multiple containers, one has Privileged=true denied": {
4311 
++			operation:          kadmission.Create,
4312 
++			pod:                newTestPodBuilder().withPrivileged(true).withInitContainer().withContainer().build(),
4313 
++			userInfo:           newTestUserBuilder().build(),
4314 
++			shouldPassValidate: false,
4315 
++		},
4316 
++		"update pod with Privileged=true denied": {
4317 
++			operation:          kadmission.Update,
4318 
++			pod:                newTestPodBuilder().withPrivileged(true).build(),
4319 
++			userInfo:           newTestUserBuilder().build(),
4320 
++			shouldPassValidate: false,
4321 
++		},
4322 
++		"create pod with HostNetwork=true denied": {
4323 
++			operation:          kadmission.Create,
4324 
++			pod:                newTestPodBuilder().withHostNetwork(true).build(),
4325 
++			userInfo:           newTestUserBuilder().build(),
4326 
++			shouldPassValidate: false,
4327 
++		},
4328 
++		"create pod with HostIPC=true denied": {
4329 
++			operation:          kadmission.Create,
4330 
++			pod:                newTestPodBuilder().withHostIPC(true).build(),
4331 
++			userInfo:           newTestUserBuilder().build(),
4332 
++			shouldPassValidate: false,
4333 
++		},
4334 
++		"create pod with HostPID=true denied": {
4335 
++			operation:          kadmission.Create,
4336 
++			pod:                newTestPodBuilder().withHostPID(true).build(),
4337 
++			userInfo:           newTestUserBuilder().build(),
4338 
++			shouldPassValidate: false,
4339 
++		},
4340 
++		"create pod with HostVolume denied": {
4341 
++			operation:          kadmission.Create,
4342 
++			pod:                newTestPodBuilder().withHostVolume().build(),
4343 
++			userInfo:           newTestUserBuilder().build(),
4344 
++			shouldPassValidate: false,
4345 
++		},
4346 
++		"create pod with CascadeDisk allowed": {
4347 
++			operation:          kadmission.Create,
4348 
++			pod:                newTestPodBuilder().withCascadeDisk().build(),
4349 
++			userInfo:           newTestUserBuilder().build(),
4350 
++			shouldPassValidate: true,
4351 
++		},
4352 
++		"create pod with HostVolume and CascadeDisk denied": {
4353 
++			operation:          kadmission.Create,
4354 
++			pod:                newTestPodBuilder().withHostVolume().withCascadeDisk().build(),
4355 
++			userInfo:           newTestUserBuilder().build(),
4356 
++			shouldPassValidate: false,
4357 
++		},
4358 
++		"create pod with vke prefix denied": {
4359 
++			operation:          kadmission.Create,
4360 
++			pod:                newTestPodBuilder().build(),
4361 
++			name:               "vke-dashboard",
4362 
++			userInfo:           newTestUserBuilder().build(),
4363 
++			shouldPassValidate: false,
4364 
++		},
4365 
++		"create dashboard pod with vke prefix by privileged user in kube-system allowed": {
4366 
++			operation:          kadmission.Create,
4367 
++			pod:                newTestPodBuilder().withNamespace(kubeSystemNamespace).build(),
4368 
++			name:               "vke-dashboard-0",
4369 
++			userInfo:           newTestUserBuilder().withName(systemUnsecuredUser).build(),
4370 
++			shouldPassValidate: true,
4371 
++		},
4372 
++		"connect pod allowed": {
4373 
++			operation:          kadmission.Connect,
4374 
++			pod:                newTestPodBuilder().build(),
4375 
++			userInfo:           newTestUserBuilder().build(),
4376 
++			shouldPassValidate: true,
4377 
++		},
4378 
++		"delete pod allowed": {
4379 
++			operation:          kadmission.Delete,
4380 
++			pod:                newTestPodBuilder().build(),
4381 
++			userInfo:           newTestUserBuilder().build(),
4382 
++			shouldPassValidate: true,
4383 
++		},
4384 
++		"delete pod with vke prefix denied": {
4385 
++			operation:          kadmission.Delete,
4386 
++			pod:                newTestPodBuilder().build(),
4387 
++			name:               "vke-dashboard",
4388 
++			userInfo:           newTestUserBuilder().build(),
4389 
++			shouldPassValidate: false,
4390 
++		},
4391 
++	}
4392 
++
4393 
++	for k, v := range tests {
4394 
++		testPodValidation(k, v.operation, v.pod, v.name, v.userInfo, v.shouldPassValidate, t)
4395 
++	}
4396 
++}
4397 
++
4398 
++func TestPrivilegedNamespace(t *testing.T) {
4399 
++	tests := map[string]struct {
4400 
++		operation          kadmission.Operation
4401 
++		pod                *kapi.Pod
4402 
++		name               string
4403 
++		userInfo           user.Info
4404 
++		shouldPassValidate bool
4405 
++	}{
4406 
++		"denied: regular lightwave user creates pod in vke-system namespace": {
4407 
++			operation:          kadmission.Create,
4408 
++			pod:                newTestPodBuilder().withNamespace(privilegedNamespace).build(),
4409 
++			userInfo:           newTestUserBuilder().build(),
4410 
++			shouldPassValidate: false,
4411 
++		},
4412 
++		"denied: regular lightwave user cannot escalate privilege using service account": {
4413 
++			operation:          kadmission.Create,
4414 
++			pod:                newTestPodBuilder().withNamespace(privilegedNamespace).withServiceAccount("system:serviceaccount:" + privilegedNamespace + ":default").build(),
4415 
++			userInfo:           newTestUserBuilder().build(),
4416 
++			shouldPassValidate: false,
4417 
++		},
4418 
++		"denied: regular service account creates pod in vke-system namespace": {
4419 
++			operation:          kadmission.Create,
4420 
++			pod:                newTestPodBuilder().withNamespace(privilegedNamespace).build(),
4421 
++			userInfo:           newTestUserBuilder().withName("system:serviceaccount:kube-system:default").build(),
4422 
++			shouldPassValidate: false,
4423 
++		},
4424 
++		"allowed: regular user creates pod in other namespace": {
4425 
++			operation:          kadmission.Create,
4426 
++			pod:                newTestPodBuilder().withNamespace("default").build(),
4427 
++			userInfo:           newTestUserBuilder().build(),
4428 
++			shouldPassValidate: true,
4429 
++		},
4430 
++		"allowed: Cascade Controller Service Account creates pod in vke-system namespace": {
4431 
++			operation:          kadmission.Create,
4432 
++			pod:                newTestPodBuilder().withNamespace(privilegedNamespace).build(),
4433 
++			userInfo:           newTestUserBuilder().withGroup(testServiceAccountsGroup).build(),
4434 
++			shouldPassValidate: true,
4435 
++		},
4436 
++		"allowed: systemUnsecuredUser creates pod in vke-system namespace": {
4437 
++			operation:          kadmission.Create,
4438 
++			pod:                newTestPodBuilder().withNamespace(privilegedNamespace).build(),
4439 
++			userInfo:           newTestUserBuilder().withName(systemUnsecuredUser).build(),
4440 
++			shouldPassValidate: true,
4441 
++		},
4442 
++		"allowed: vke-system service account creates pod in vke-system namespace": {
4443 
++			operation:          kadmission.Create,
4444 
++			pod:                newTestPodBuilder().withNamespace(privilegedNamespace).build(),
4445 
++			userInfo:           newTestUserBuilder().withName("system:serviceaccount:" + privilegedNamespace + ":default").build(),
4446 
++			shouldPassValidate: true,
4447 
++		},
4448 
++		"allowed: kubelet group creates pod in vke-system namespace": {
4449 
++			operation:          kadmission.Create,
4450 
++			pod:                newTestPodBuilder().withNamespace(privilegedNamespace).build(),
4451 
++			userInfo:           newTestUserBuilder().withGroup(kubeletGroup).build(),
4452 
++			shouldPassValidate: true,
4453 
++		},
4454 
++		"allowed: kubeProxy group creates pod in vke-system namespace": {
4455 
++			operation:          kadmission.Create,
4456 
++			pod:                newTestPodBuilder().withNamespace(privilegedNamespace).build(),
4457 
++			userInfo:           newTestUserBuilder().withGroup(kubeProxyGroup).build(),
4458 
++			shouldPassValidate: true,
4459 
++		},
4460 
++		"denied: regular lightwave group does not grant privileged access": {
4461 
++			operation:          kadmission.Create,
4462 
++			pod:                newTestPodBuilder().withNamespace(privilegedNamespace).build(),
4463 
++			userInfo:           newTestUserBuilder().withGroup("test1\\group1").build(),
4464 
++			shouldPassValidate: false,
4465 
++		},
4466 
++		"allowed: if user has multiple groups, any privileged group can grant privileged access": {
4467 
++			operation:          kadmission.Create,
4468 
++			pod:                newTestPodBuilder().withNamespace(privilegedNamespace).build(),
4469 
++			userInfo:           newTestUserBuilder().withGroup("test1\\group1").withGroup(testServiceAccountsGroup).build(),
4470 
++			shouldPassValidate: true,
4471 
++		},
4472 
++	}
4473 
++	for k, v := range tests {
4474 
++		testPodValidation(k, v.operation, v.pod, v.name, v.userInfo, v.shouldPassValidate, t)
4475 
++	}
4476 
++}
4477 
++
4478 
++func TestClusterLevelResources(t *testing.T) {
4479 
++	tests := map[string]struct {
4480 
++		operation          kadmission.Operation
4481 
++		resource           string
4482 
++		name               string
4483 
++		namespace          string
4484 
++		userInfo           user.Info
4485 
++		shouldPassValidate bool
4486 
++	}{
4487 
++		"denied: regular lightwave user update configmaps in vke-system namespace": {
4488 
++			operation:          kadmission.Update,
4489 
++			resource:           "configmaps",
4490 
++			namespace:          privilegedNamespace,
4491 
++			userInfo:           newTestUserBuilder().build(),
4492 
++			shouldPassValidate: false,
4493 
++		},
4494 
++		"denied: regular lightwave user delete daemonsets in vke-system namespace": {
4495 
++			operation:          kadmission.Delete,
4496 
++			resource:           "daemonsets",
4497 
++			namespace:          privilegedNamespace,
4498 
++			userInfo:           newTestUserBuilder().build(),
4499 
++			shouldPassValidate: false,
4500 
++		},
4501 
++		"denied: regular lightwave user create deployments in vke-system namespace": {
4502 
++			operation:          kadmission.Create,
4503 
++			resource:           "deployments",
4504 
++			namespace:          privilegedNamespace,
4505 
++			userInfo:           newTestUserBuilder().build(),
4506 
++			shouldPassValidate: false,
4507 
++		},
4508 
++		"denied: regular lightwave user create rolebindings in vke-system namespace": {
4509 
++			operation:          kadmission.Create,
4510 
++			resource:           "rolebindings",
4511 
++			namespace:          privilegedNamespace,
4512 
++			userInfo:           newTestUserBuilder().build(),
4513 
++			shouldPassValidate: false,
4514 
++		},
4515 
++		"allowed: regular lightwave user create rolebindings in other namespace": {
4516 
++			operation:          kadmission.Create,
4517 
++			resource:           "rolebindings",
4518 
++			namespace:          "default",
4519 
++			userInfo:           newTestUserBuilder().build(),
4520 
++			shouldPassValidate: true,
4521 
++		},
4522 
++		"allowed: regular lightwave user create clusterroles": {
4523 
++			operation:          kadmission.Create,
4524 
++			resource:           "clusterroles",
4525 
++			name:               "cluster-role",
4526 
++			namespace:          "",
4527 
++			userInfo:           newTestUserBuilder().build(),
4528 
++			shouldPassValidate: true,
4529 
++		},
4530 
++		"denied: regular lightwave user create clusterroles with vke: prefix": {
4531 
++			operation:          kadmission.Create,
4532 
++			resource:           "clusterroles",
4533 
++			name:               "vke:clusterrole",
4534 
++			namespace:          "",
4535 
++			userInfo:           newTestUserBuilder().build(),
4536 
++			shouldPassValidate: false,
4537 
++		},
4538 
++		"denied: regular lightwave user delete clusterroles with vke: prefix": {
4539 
++			operation:          kadmission.Delete,
4540 
++			resource:           "clusterroles",
4541 
++			name:               "vke:clusterrole",
4542 
++			namespace:          "",
4543 
++			userInfo:           newTestUserBuilder().build(),
4544 
++			shouldPassValidate: false,
4545 
++		},
4546 
++		"allowed: privileged user update clusterroles with vke: prefix": {
4547 
++			operation:          kadmission.Update,
4548 
++			resource:           "clusterroles",
4549 
++			name:               "vke:clusterrole",
4550 
++			namespace:          "",
4551 
++			userInfo:           newTestUserBuilder().withName(systemUnsecuredUser).build(),
4552 
++			shouldPassValidate: true,
4553 
++		},
4554 
++		"allowed: regular lightwave user create clusterrolebindings": {
4555 
++			operation:          kadmission.Create,
4556 
++			resource:           "clusterrolebindings",
4557 
++			name:               "cluster-role-binding",
4558 
++			namespace:          "",
4559 
++			userInfo:           newTestUserBuilder().build(),
4560 
++			shouldPassValidate: true,
4561 
++		},
4562 
++		"denied: regular lightwave user create clusterrolebindings with vke: prefix": {
4563 
++			operation:          kadmission.Create,
4564 
++			resource:           "clusterrolebindings",
4565 
++			name:               "vke:clusterrolebinding",
4566 
++			namespace:          "",
4567 
++			userInfo:           newTestUserBuilder().build(),
4568 
++			shouldPassValidate: false,
4569 
++		},
4570 
++		"denied: regular lightwave user update clusterrolebindings with vke: prefix": {
4571 
++			operation:          kadmission.Delete,
4572 
++			resource:           "clusterrolebindings",
4573 
++			name:               "vke:clusterrolebinding",
4574 
++			namespace:          "",
4575 
++			userInfo:           newTestUserBuilder().build(),
4576 
++			shouldPassValidate: false,
4577 
++		},
4578 
++		"allowed: privileged user update clusterrolebindings with vke: prefix": {
4579 
++			operation:          kadmission.Update,
4580 
++			resource:           "clusterrolebindings",
4581 
++			name:               "vke:clusterrolebinding",
4582 
++			namespace:          "",
4583 
++			userInfo:           newTestUserBuilder().withName(systemUnsecuredUser).build(),
4584 
++			shouldPassValidate: true,
4585 
++		},
4586 
++		"denied: regular lightwave user update nodes": {
4587 
++			operation:          kadmission.Update,
4588 
++			resource:           "nodes",
4589 
++			namespace:          "",
4590 
++			userInfo:           newTestUserBuilder().build(),
4591 
++			shouldPassValidate: false,
4592 
++		},
4593 
++		"allowed: privileged user update nodes": {
4594 
++			operation:          kadmission.Update,
4595 
++			resource:           "nodes",
4596 
++			namespace:          "",
4597 
++			userInfo:           newTestUserBuilder().withName(systemUnsecuredUser).build(),
4598 
++			shouldPassValidate: true,
4599 
++		},
4600 
++	}
4601 
++	for k, v := range tests {
4602 
++		testResourceValidation(k, v.operation, v.resource, v.name, v.namespace, v.userInfo, v.shouldPassValidate, t)
4603 
++	}
4604 
++}
4605 
++
4606 
++func testPodValidation(testCaseName string, op kadmission.Operation, pod *kapi.Pod, name string, userInfo user.Info,
4607 
++	shouldPassValidate bool, t *testing.T) {
4608 
++
4609 
++	defaultConfigFile := fmt.Sprintf(defaultConfigFileFormat, testServiceAccountsGroup)
4610 
++	configFile := strings.NewReader(defaultConfigFile)
4611 
++	plugin, err := NewVMwareAdmissionController(configFile)
4612 
++	if err != nil {
4613 
++		t.Errorf("%s: failed to create admission controller %v", testCaseName, err)
4614 
++	}
4615 
++
4616 
++	attrs := kadmission.NewAttributesRecord(pod, nil, kapi.Kind("Pod").WithVersion("version"),
4617 
++		pod.Namespace, name, kapi.Resource("pods").WithVersion("version"), "", op, userInfo)
4618 
++
4619 
++	err = plugin.Validate(attrs)
4620 
++	if shouldPassValidate && err != nil {
4621 
++		t.Errorf("%s: expected no errors on Validate but received %v", testCaseName, err)
4622 
++	} else if !shouldPassValidate && err == nil {
4623 
++		t.Errorf("%s: expected errors on Validate but received none", testCaseName)
4624 
++	}
4625 
++}
4626 
++
4627 
++func testResourceValidation(testCaseName string, op kadmission.Operation, resource string, name string,
4628 
++	namespace string, userInfo user.Info, shouldPassValidate bool, t *testing.T) {
4629 
++
4630 
++	defaultConfigFile := fmt.Sprintf(defaultConfigFileFormat, testServiceAccountsGroup)
4631 
++	configFile := strings.NewReader(defaultConfigFile)
4632 
++	plugin, err := NewVMwareAdmissionController(configFile)
4633 
++	if err != nil {
4634 
++		t.Errorf("%s: failed to create admission controller %v", testCaseName, err)
4635 
++	}
4636 
++
4637 
++	groupResource := kapi.Resource(resource).WithVersion("version")
4638 
++	if resource == "clusterroles" || resource == "clusterrolebindings" {
4639 
++		groupResource = rbac.Resource(resource).WithVersion("version")
4640 
++	}
4641 
++
4642 
++	attrs := kadmission.NewAttributesRecord(nil, nil, kapi.Kind("kind").WithVersion("version"),
4643 
++		namespace, name, groupResource, "", op, userInfo)
4644 
++
4645 
++	err = plugin.Validate(attrs)
4646 
++	if shouldPassValidate && err != nil {
4647 
++		t.Errorf("%s: expected no errors on Validate but received %v", testCaseName, err)
4648 
++	} else if !shouldPassValidate && err == nil {
4649 
++		t.Errorf("%s: expected errors on Validate but received none", testCaseName)
4650 
++	}
4651 
++}
4652 
++
4653 
++// testPodBuilder
4654 
++type testPodBuilder struct {
4655 
++	pod kapi.Pod
4656 
++}
4657 
++
4658 
++func newTestPodBuilder() *testPodBuilder {
4659 
++	builder := new(testPodBuilder)
4660 
++	return builder.init()
4661 
++}
4662 
++
4663 
++func (p *testPodBuilder) init() *testPodBuilder {
4664 
++	p.pod = kapi.Pod{
4665 
++		ObjectMeta: metav1.ObjectMeta{
4666 
++			Name:        "pod",
4667 
++			Namespace:   "namespace",
4668 
++			Annotations: map[string]string{},
4669 
++		},
4670 
++		Spec: kapi.PodSpec{
4671 
++			ServiceAccountName: "default",
4672 
++			SecurityContext:    &kapi.PodSecurityContext{},
4673 
++			Containers: []kapi.Container{
4674 
++				{
4675 
++					Name:            "test-container-1",
4676 
++					SecurityContext: &kapi.SecurityContext{},
4677 
++				},
4678 
++			},
4679 
++		},
4680 
++	}
4681 
++	return p
4682 
++}
4683 
++
4684 
++func (p *testPodBuilder) build() *kapi.Pod {
4685 
++	return &p.pod
4686 
++}
4687 
++
4688 
++func (p *testPodBuilder) withNamespace(namespace string) *testPodBuilder {
4689 
++	p.pod.ObjectMeta.Namespace = namespace
4690 
++	return p
4691 
++}
4692 
++
4693 
++func (p *testPodBuilder) withServiceAccount(sa string) *testPodBuilder {
4694 
++	p.pod.Spec.ServiceAccountName = sa
4695 
++	return p
4696 
++}
4697 
++
4698 
++func (p *testPodBuilder) withPrivileged(v bool) *testPodBuilder {
4699 
++	p.pod.Spec.Containers[0].SecurityContext.Privileged = &v
4700 
++	return p
4701 
++}
4702 
++
4703 
++func (p *testPodBuilder) withHostNetwork(v bool) *testPodBuilder {
4704 
++	p.pod.Spec.SecurityContext.HostNetwork = v
4705 
++	return p
4706 
++}
4707 
++
4708 
++func (p *testPodBuilder) withHostIPC(v bool) *testPodBuilder {
4709 
++	p.pod.Spec.SecurityContext.HostIPC = v
4710 
++	return p
4711 
++}
4712 
++
4713 
++func (p *testPodBuilder) withHostPID(v bool) *testPodBuilder {
4714 
++	p.pod.Spec.SecurityContext.HostPID = v
4715 
++	return p
4716 
++}
4717 
++
4718 
++func (p *testPodBuilder) withHostVolume() *testPodBuilder {
4719 
++	volume := kapi.Volume{
4720 
++		Name: "host",
4721 
++		VolumeSource: kapi.VolumeSource{
4722 
++			HostPath: &kapi.HostPathVolumeSource{
4723 
++				Path: "/",
4724 
++			},
4725 
++		},
4726 
++	}
4727 
++	device := kapi.VolumeDevice{Name: "host", DevicePath: "/host"}
4728 
++
4729 
++	p.pod.Spec.Volumes = append(p.pod.Spec.Volumes, volume)
4730 
++	p.pod.Spec.Containers[0].VolumeDevices = append(p.pod.Spec.Containers[0].VolumeDevices, device)
4731 
++	return p
4732 
++}
4733 
++
4734 
++func (p *testPodBuilder) withCascadeDisk() *testPodBuilder {
4735 
++	volume := kapi.Volume{
4736 
++		Name: "cascadeDisk",
4737 
++		VolumeSource: kapi.VolumeSource{
4738 
++			PersistentVolumeClaim: &kapi.PersistentVolumeClaimVolumeSource{
4739 
++				ClaimName: "00000000-0000-0000-0000-000000000001",
4740 
++				ReadOnly:  false,
4741 
++			},
4742 
++		},
4743 
++	}
4744 
++	device := kapi.VolumeDevice{Name: "cascadeDisk", DevicePath: "/cascadeDisk"}
4745 
++
4746 
++	p.pod.Spec.Volumes = append(p.pod.Spec.Volumes, volume)
4747 
++	p.pod.Spec.Containers[0].VolumeDevices = append(p.pod.Spec.Containers[0].VolumeDevices, device)
4748 
++	return p
4749 
++}
4750 
++
4751 
++func (p *testPodBuilder) withContainer() *testPodBuilder {
4752 
++	container := kapi.Container{
4753 
++		Name:            "test-container-2",
4754 
++		SecurityContext: &kapi.SecurityContext{},
4755 
++	}
4756 
++
4757 
++	p.pod.Spec.Containers = append(p.pod.Spec.Containers, container)
4758 
++	return p
4759 
++}
4760 
++
4761 
++func (p *testPodBuilder) withInitContainer() *testPodBuilder {
4762 
++	container := kapi.Container{
4763 
++		Name:            "test-init-container",
4764 
++		SecurityContext: &kapi.SecurityContext{},
4765 
++	}
4766 
++
4767 
++	p.pod.Spec.Containers = append(p.pod.Spec.Containers, container)
4768 
++	return p
4769 
++}
4770 
++
4771 
++// testUserBuilder
4772 
++type testUserBuilder struct {
4773 
++	user *user.DefaultInfo
4774 
++}
4775 
++
4776 
++func newTestUserBuilder() *testUserBuilder {
4777 
++	builder := new(testUserBuilder)
4778 
++	return builder.init()
4779 
++}
4780 
++
4781 
++func (p *testUserBuilder) init() *testUserBuilder {
4782 
++	p.user = &user.DefaultInfo{
4783 
++		Name:   "https://lightwave.cascade-cloud.com/openidconnect/00000000-0000-0000-0000-000000000001#joe@vmware.com",
4784 
++		UID:    "10001",
4785 
++		Groups: []string{},
4786 
++	}
4787 
++	return p
4788 
++}
4789 
++
4790 
++func (p *testUserBuilder) build() *user.DefaultInfo {
4791 
++	return p.user
4792 
++}
4793 
++
4794 
++func (p *testUserBuilder) withName(name string) *testUserBuilder {
4795 
++	p.user.Name = name
4796 
++	return p
4797 
++}
4798 
++
4799 
++func (p *testUserBuilder) withGroup(group string) *testUserBuilder {
4800 
++	p.user.Groups = append(p.user.Groups, group)
4801 
++	return p
4802 
++}
4803 
+diff --git a/staging/src/k8s.io/api/core/v1/generated.pb.go b/staging/src/k8s.io/api/core/v1/generated.pb.go
4804 
+index 85c7b63..b97b2f1 100644
4805 
+--- a/staging/src/k8s.io/api/core/v1/generated.pb.go
4806 
+@@ -35,6 +35,7 @@ limitations under the License.
3817 4807 
  		Binding
3818 4808 
  		CSIPersistentVolumeSource
3819 4809 
  		Capabilities
... ... 
@@ -3822,7 +4974,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
3822 3822 
  		CephFSPersistentVolumeSource
3823 3823 
  		CephFSVolumeSource
3824 3824 
  		CinderVolumeSource
3825 
-@@ -262,9 +263,11 @@
3825 
+@@ -262,9 +263,11 @@ func (m *AvoidPods) Reset()                    { *m = AvoidPods{} }
3826 3826 
  func (*AvoidPods) ProtoMessage()               {}
3827 3827 
  func (*AvoidPods) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} }
3828 3828
... ... 
@@ -3837,7 +4989,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
3837 3837
3838 3838 
  func (m *AzureFilePersistentVolumeSource) Reset()      { *m = AzureFilePersistentVolumeSource{} }
3839 3839 
  func (*AzureFilePersistentVolumeSource) ProtoMessage() {}
3840 
-@@ -1052,6 +1055,11 @@
3840 
+@@ -1052,6 +1055,11 @@ func (*WeightedPodAffinityTerm) Descriptor() ([]byte, []int) {
3841 3841 
  	return fileDescriptorGenerated, []int{187}
3842 3842 
  }
3843 3843
... ... 
@@ -3849,7 +5001,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
3849 3849 
  func init() {
3850 3850 
  	proto.RegisterType((*AWSElasticBlockStoreVolumeSource)(nil), "k8s.io.api.core.v1.AWSElasticBlockStoreVolumeSource")
3851 3851 
  	proto.RegisterType((*Affinity)(nil), "k8s.io.api.core.v1.Affinity")
3852 
-@@ -1063,6 +1071,7 @@
3852 
+@@ -1063,6 +1071,7 @@ func init() {
3853 3853 
  	proto.RegisterType((*Binding)(nil), "k8s.io.api.core.v1.Binding")
3854 3854 
  	proto.RegisterType((*CSIPersistentVolumeSource)(nil), "k8s.io.api.core.v1.CSIPersistentVolumeSource")
3855 3855 
  	proto.RegisterType((*Capabilities)(nil), "k8s.io.api.core.v1.Capabilities")
... ... 
@@ -3857,7 +5009,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
3857 3857 
  	proto.RegisterType((*CephFSPersistentVolumeSource)(nil), "k8s.io.api.core.v1.CephFSPersistentVolumeSource")
3858 3858 
  	proto.RegisterType((*CephFSVolumeSource)(nil), "k8s.io.api.core.v1.CephFSVolumeSource")
3859 3859 
  	proto.RegisterType((*CinderVolumeSource)(nil), "k8s.io.api.core.v1.CinderVolumeSource")
3860 
-@@ -1683,6 +1692,32 @@
3860 
+@@ -1683,6 +1692,32 @@ func (m *Capabilities) MarshalTo(dAtA []byte) (int, error) {
3861 3861 
  	return i, nil
3862 3862 
  }
3863 3863
... ... 
@@ -3890,7 +5042,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
3890 3890 
  func (m *CephFSPersistentVolumeSource) Marshal() (dAtA []byte, err error) {
3891 3891 
  	size := m.Size()
3892 3892 
  	dAtA = make([]byte, size)
3893 
-@@ -6447,13 +6482,13 @@
3893 
+@@ -6447,13 +6482,13 @@ func (m *PersistentVolumeSource) MarshalTo(dAtA []byte) (int, error) {
3894 3894 
  		}
3895 3895 
  		i += n124
3896 3896 
  	}
... ... 
@@ -3907,7 +5059,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
3907 3907 
  		if err != nil {
3908 3908 
  			return 0, err
3909 3909 
  		}
3910 
-@@ -6531,6 +6566,18 @@
3910 
+@@ -6531,6 +6566,18 @@ func (m *PersistentVolumeSource) MarshalTo(dAtA []byte) (int, error) {
3911 3911 
  		}
3912 3912 
  		i += n131
3913 3913 
  	}
... ... 
@@ -3926,7 +5078,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
3926 3926 
  	return i, nil
3927 3927 
  }
3928 3928
3929 
-@@ -10544,13 +10591,13 @@
3929 
+@@ -10544,13 +10591,13 @@ func (m *VolumeSource) MarshalTo(dAtA []byte) (int, error) {
3930 3930 
  		}
3931 3931 
  		i += n229
3932 3932 
  	}
... ... 
@@ -3943,7 +5095,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
3943 3943 
  		if err != nil {
3944 3944 
  			return 0, err
3945 3945 
  		}
3946 
-@@ -10616,6 +10663,18 @@
3946 
+@@ -10616,6 +10663,18 @@ func (m *VolumeSource) MarshalTo(dAtA []byte) (int, error) {
3947 3947 
  		}
3948 3948 
  		i += n235
3949 3949 
  	}
... ... 
@@ -3962,7 +5114,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
3962 3962 
  	return i, nil
3963 3963 
  }
3964 3964
3965 
-@@ -10873,6 +10932,16 @@
3965 
+@@ -10873,6 +10932,16 @@ func (m *Capabilities) Size() (n int) {
3966 3966 
  	return n
3967 3967 
  }
3968 3968
... ... 
@@ -3979,7 +5131,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
3979 3979 
  func (m *CephFSPersistentVolumeSource) Size() (n int) {
3980 3980 
  	var l int
3981 3981 
  	_ = l
3982 
-@@ -12616,8 +12685,8 @@
3982 
+@@ -12616,8 +12685,8 @@ func (m *PersistentVolumeSource) Size() (n int) {
3983 3983 
  		l = m.Quobyte.Size()
3984 3984 
  		n += 1 + l + sovGenerated(uint64(l))
3985 3985 
  	}
... ... 
@@ -3990,7 +5142,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
3990 3990 
  		n += 2 + l + sovGenerated(uint64(l))
3991 3991 
  	}
3992 3992 
  	if m.PhotonPersistentDisk != nil {
3993 
-@@ -12644,6 +12713,10 @@
3993 
+@@ -12644,6 +12713,10 @@ func (m *PersistentVolumeSource) Size() (n int) {
3994 3994 
  		l = m.CSI.Size()
3995 3995 
  		n += 2 + l + sovGenerated(uint64(l))
3996 3996 
  	}
... ... 
@@ -4001,7 +5153,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
4001 4001 
  	return n
4002 4002 
  }
4003 4003
4004 
-@@ -14098,8 +14171,8 @@
4004 
+@@ -14098,8 +14171,8 @@ func (m *VolumeSource) Size() (n int) {
4005 4005 
  		l = m.Quobyte.Size()
4006 4006 
  		n += 2 + l + sovGenerated(uint64(l))
4007 4007 
  	}
... ... 
@@ -4012,7 +5164,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
4012 4012 
  		n += 2 + l + sovGenerated(uint64(l))
4013 4013 
  	}
4014 4014 
  	if m.PhotonPersistentDisk != nil {
4015 
-@@ -14122,6 +14195,10 @@
4015 
+@@ -14122,6 +14195,10 @@ func (m *VolumeSource) Size() (n int) {
4016 4016 
  		l = m.StorageOS.Size()
4017 4017 
  		n += 2 + l + sovGenerated(uint64(l))
4018 4018 
  	}
... ... 
@@ -4023,7 +5175,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
4023 4023 
  	return n
4024 4024 
  }
4025 4025
4026 
-@@ -14296,6 +14373,17 @@
4026 
+@@ -14296,6 +14373,17 @@ func (this *Capabilities) String() string {
4027 4027 
  	}, "")
4028 4028 
  	return s
4029 4029 
  }
... ... 
@@ -4041,7 +5193,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
4041 4041 
  func (this *CephFSPersistentVolumeSource) String() string {
4042 4042 
  	if this == nil {
4043 4043 
  		return "nil"
4044 
-@@ -15695,13 +15783,14 @@
4044 
+@@ -15695,13 +15783,14 @@ func (this *PersistentVolumeSource) String() string {
4045 4045 
  		`AzureFile:` + strings.Replace(fmt.Sprintf("%v", this.AzureFile), "AzureFilePersistentVolumeSource", "AzureFilePersistentVolumeSource", 1) + `,`,
4046 4046 
  		`VsphereVolume:` + strings.Replace(fmt.Sprintf("%v", this.VsphereVolume), "VsphereVirtualDiskVolumeSource", "VsphereVirtualDiskVolumeSource", 1) + `,`,
4047 4047 
  		`Quobyte:` + strings.Replace(fmt.Sprintf("%v", this.Quobyte), "QuobyteVolumeSource", "QuobyteVolumeSource", 1) + `,`,
... ... 
@@ -4057,7 +5209,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
4057 4057 
  		`}`,
4058 4058 
  	}, "")
4059 4059 
  	return s
4060 
-@@ -16843,12 +16932,13 @@
4060 
+@@ -16843,12 +16932,13 @@ func (this *VolumeSource) String() string {
4061 4061 
  		`ConfigMap:` + strings.Replace(fmt.Sprintf("%v", this.ConfigMap), "ConfigMapVolumeSource", "ConfigMapVolumeSource", 1) + `,`,
4062 4062 
  		`VsphereVolume:` + strings.Replace(fmt.Sprintf("%v", this.VsphereVolume), "VsphereVirtualDiskVolumeSource", "VsphereVirtualDiskVolumeSource", 1) + `,`,
4063 4063 
  		`Quobyte:` + strings.Replace(fmt.Sprintf("%v", this.Quobyte), "QuobyteVolumeSource", "QuobyteVolumeSource", 1) + `,`,
... ... 
@@ -4072,7 +5224,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
4072 4072 
  		`}`,
4073 4073 
  	}, "")
4074 4074 
  	return s
4075 
-@@ -35335,7 +35425,7 @@
4075 
+@@ -35335,7 +35425,7 @@ func (m *PersistentVolumeSource) Unmarshal(dAtA []byte) error {
4076 4076 
  			iNdEx = postIndex
4077 4077 
  		case 16:
4078 4078 
  			if wireType != 2 {
... ... 
@@ -4081,7 +5233,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
4081 4081 
  			}
4082 4082 
  			var msglen int
4083 4083 
  			for shift := uint(0); ; shift += 7 {
4084 
-@@ -35359,10 +35449,10 @@
4084 
+@@ -35359,10 +35449,10 @@ func (m *PersistentVolumeSource) Unmarshal(dAtA []byte) error {
4085 4085 
  			if postIndex > l {
4086 4086 
  				return io.ErrUnexpectedEOF
4087 4087 
  			}
... ... 
@@ -4095,7 +5247,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
4095 4095 
  				return err
4096 4096 
  			}
4097 4097 
  			iNdEx = postIndex
4098 
-@@ -35564,6 +35654,39 @@
4098 
+@@ -35564,6 +35654,39 @@ func (m *PersistentVolumeSource) Unmarshal(dAtA []byte) error {
4099 4099 
  				return err
4100 4100 
  			}
4101 4101 
  			iNdEx = postIndex
... ... 
@@ -4135,7 +5287,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
4135 4135 
  		default:
4136 4136 
  			iNdEx = preIndex
4137 4137 
  			skippy, err := skipGenerated(dAtA[iNdEx:])
4138 
-@@ -36135,6 +36258,114 @@
4138 
+@@ -36135,6 +36258,114 @@ func (m *PersistentVolumeStatus) Unmarshal(dAtA []byte) error {
4139 4139 
  	}
4140 4140 
  	return nil
4141 4141 
  }
... ... 
@@ -4250,7 +5402,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
4250 4250 
  func (m *PhotonPersistentDiskVolumeSource) Unmarshal(dAtA []byte) error {
4251 4251 
  	l := len(dAtA)
4252 4252 
  	iNdEx := 0
4253 
-@@ -49741,7 +49972,7 @@
4253 
+@@ -49741,7 +49972,7 @@ func (m *VolumeSource) Unmarshal(dAtA []byte) error {
4254 4254 
  			iNdEx = postIndex
4255 4255 
  		case 22:
4256 4256 
  			if wireType != 2 {
... ... 
@@ -4259,7 +5411,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
4259 4259 
  			}
4260 4260 
  			var msglen int
4261 4261 
  			for shift := uint(0); ; shift += 7 {
4262 
-@@ -49765,10 +49996,10 @@
4262 
+@@ -49765,10 +49996,10 @@ func (m *VolumeSource) Unmarshal(dAtA []byte) error {
4263 4263 
  			if postIndex > l {
4264 4264 
  				return io.ErrUnexpectedEOF
4265 4265 
  			}
... ... 
@@ -4273,7 +5425,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
4273 4273 
  				return err
4274 4274 
  			}
4275 4275 
  			iNdEx = postIndex
4276 
-@@ -49937,6 +50168,39 @@
4276 
+@@ -49937,6 +50168,39 @@ func (m *VolumeSource) Unmarshal(dAtA []byte) error {
4277 4277 
  				return err
4278 4278 
  			}
4279 4279 
  			iNdEx = postIndex
... ... 
@@ -4313,10 +5465,11 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/genera
4313 4313 
  		default:
4314 4314 
  			iNdEx = preIndex
4315 4315 
  			skippy, err := skipGenerated(dAtA[iNdEx:])
4316 
-diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/types.go kubernetes/staging/src/k8s.io/api/core/v1/types.go
4317 
-+++ kubernetes/staging/src/k8s.io/api/core/v1/types.go	2018-05-17 00:03:37.000000000 +0000
4318 
-@@ -333,9 +333,9 @@
4316 
+diff --git a/staging/src/k8s.io/api/core/v1/types.go b/staging/src/k8s.io/api/core/v1/types.go
4317 
+index 08ef419..19184ed 100644
4318 
+--- a/staging/src/k8s.io/api/core/v1/types.go
4319 
+@@ -333,9 +333,9 @@ type VolumeSource struct {
4319 4320 
  	// Quobyte represents a Quobyte mount on the host that shares a pod's lifetime
4320 4321 
  	// +optional
4321 4322 
  	Quobyte *QuobyteVolumeSource `json:"quobyte,omitempty" protobuf:"bytes,21,opt,name=quobyte"`
... ... 
@@ -4328,7 +5481,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/types.
4328 4328 
  	// PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
4329 4329 
  	PhotonPersistentDisk *PhotonPersistentDiskVolumeSource `json:"photonPersistentDisk,omitempty" protobuf:"bytes,23,opt,name=photonPersistentDisk"`
4330 4330 
  	// Items for all in one resources secrets, configmaps, and downward API
4331 
-@@ -349,6 +349,9 @@
4331 
+@@ -349,6 +349,9 @@ type VolumeSource struct {
4332 4332 
  	// StorageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
4333 4333 
  	// +optional
4334 4334 
  	StorageOS *StorageOSVolumeSource `json:"storageos,omitempty" protobuf:"bytes,27,opt,name=storageos"`
... ... 
@@ -4338,7 +5491,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/types.
4338 4338 
  }
4339 4339
4340 4340 
  // PersistentVolumeClaimVolumeSource references the user's PVC in the same namespace.
4341 
-@@ -428,9 +431,9 @@
4341 
+@@ -428,9 +431,9 @@ type PersistentVolumeSource struct {
4342 4342 
  	// Quobyte represents a Quobyte mount on the host that shares a pod's lifetime
4343 4343 
  	// +optional
4344 4344 
  	Quobyte *QuobyteVolumeSource `json:"quobyte,omitempty" protobuf:"bytes,15,opt,name=quobyte"`
... ... 
@@ -4350,7 +5503,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/types.
4350 4350 
  	// PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
4351 4351 
  	PhotonPersistentDisk *PhotonPersistentDiskVolumeSource `json:"photonPersistentDisk,omitempty" protobuf:"bytes,17,opt,name=photonPersistentDisk"`
4352 4352 
  	// PortworxVolume represents a portworx volume attached and mounted on kubelets host machine
4353 
-@@ -449,6 +452,9 @@
4353 
+@@ -449,6 +452,9 @@ type PersistentVolumeSource struct {
4354 4354 
  	// CSI represents storage that handled by an external CSI driver (Beta feature).
4355 4355 
  	// +optional
4356 4356 
  	CSI *CSIPersistentVolumeSource `json:"csi,omitempty" protobuf:"bytes,22,opt,name=csi"`
... ... 
@@ -4360,7 +5513,7 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/types.
4360 4360 
  }
4361 4361
4362 4362 
  const (
4363 
-@@ -1617,6 +1623,16 @@
4363 
+@@ -1617,6 +1623,16 @@ type StorageOSPersistentVolumeSource struct {
4364 4364 
  	SecretRef *ObjectReference `json:"secretRef,omitempty" protobuf:"bytes,5,opt,name=secretRef"`
4365 4365 
  }
4366 4366
... ... 
@@ -4377,3 +5530,6 @@ diff -uNr --no-dereference kubernetes-orig/staging/src/k8s.io/api/core/v1/types.
4377 4377 
  // Adapts a ConfigMap into a volume.
4378 4378 
  //
4379 4379 
  // The contents of the target ConfigMap's Data field will be presented in a
4380 
+--
4381 
+2.7.4
4382 
+
SPECS/kubernetes/kubernetes-1.10.spec
History View file @ 6c0225e
... ... 
@@ -1,7 +1,7 @@
1 1 
 Summary:        Kubernetes cluster management
2 2 
 Name:           kubernetes
3 3 
 Version:        1.10.2
4 
-Release:        3%{?dist}
4 
+Release:        4%{?dist}
5 5 
 License:        ASL 2.0
6 6 
 URL:            https://github.com/kubernetes/kubernetes/archive/v%{version}.tar.gz
7 7 
 Source0:        kubernetes-%{version}.tar.gz
... ... 
@@ -207,6 +207,8 @@ fi
207 207 
 /opt/vmware/kubernetes/windows/amd64/kubectl.exe
208 208
209 209 
 %changelog
210 
+*   Sat Jun 02 2018 Bo Gan <ganb@vmware.com> 1.10.2-4
211 
+-   Update vke patch (7b1ec01)
210 212 
 *   Tue May 23 2018 A. Walton <waltona@vmware.com> 1.10.2-3
211 213 
 -   Add kubectl-extras package.
212 214 
 *   Thu May 17 2018 Sharath George <sharathg@vmware.com> 1.10.2-2
SPECS/kubernetes/kubernetes-1.9.spec
History View file @ 6c0225e
... ... 
@@ -1,7 +1,7 @@
1 1 
 Summary:        Kubernetes cluster management
2 2 
 Name:           kubernetes
3 3 
 Version:        1.9.6
4 
-Release:        2%{?dist}
4 
+Release:        3%{?dist}
5 5 
 License:        ASL 2.0
6 6 
 URL:            https://github.com/kubernetes/kubernetes/archive/v%{version}.tar.gz
7 7 
 Source0:        kubernetes-v%{version}.tar.gz
... ... 
@@ -185,6 +185,8 @@ fi
185 185 
 %{_bindir}/pause-amd64
186 186
187 187 
 %changelog
188 
+*   Sat Jun 02 2018 Bo Gan <ganb@vmware.com> 1.9.6-3
189 
+-   Update vke patch (8ef8da7)
188 190 
 *   Tue May 01 2018 Dheeraj Shetty <dheerajs@vmware.com> 1.9.6-2
189 191 
 -   Enable TLS certificate validation in Cascade CLoud Provider
190 192 
 *   Wed Mar 21 2018 Dheeraj Shetty <dheerajs@vmware.com> 1.9.6-1