Switch to github.com/golang/dep for vendoring

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

vendor/k8s.io/kubernetes/pkg/apis/abac/BUILD

@@ -0,0 +1,41 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "register.go",
+        "types.go",
+    ],
+    tags = ["automanaged"],
+    deps = [
+        "//vendor:k8s.io/apimachinery/pkg/apis/meta/v1",
+        "//vendor:k8s.io/apimachinery/pkg/runtime",
+        "//vendor:k8s.io/apimachinery/pkg/runtime/schema",
+        "//vendor:k8s.io/apimachinery/pkg/runtime/serializer",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [
+        ":package-srcs",
+        "//pkg/apis/abac/latest:all-srcs",
+        "//pkg/apis/abac/v0:all-srcs",
+        "//pkg/apis/abac/v1beta1:all-srcs",
+    ],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/pkg/apis/abac/OWNERS

@@ -0,0 +1,7 @@
+reviewers:
+- lavalamp
+- smarterclayton
+- deads2k
+- liggitt
+- mbohlool
+- david-mcmahon

vendor/k8s.io/kubernetes/pkg/apis/abac/latest/BUILD

@@ -0,0 +1,32 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["latest.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/apis/abac:go_default_library",
+        "//pkg/apis/abac/v0:go_default_library",
+        "//pkg/apis/abac/v1beta1:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/pkg/apis/abac/latest/latest.go

@@ -0,0 +1,26 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package latest
+
+import (
+	_ "k8s.io/kubernetes/pkg/apis/abac"
+	_ "k8s.io/kubernetes/pkg/apis/abac/v0"
+	_ "k8s.io/kubernetes/pkg/apis/abac/v1beta1"
+)
+
+// TODO: this file is totally wrong, it should look like other latest files.
+// lavalamp is in the middle of fixing this code, so wait for the new way of doing things..

vendor/k8s.io/kubernetes/pkg/apis/abac/register.go

@@ -0,0 +1,54 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package abac
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+)
+
+// Group is the API group for abac
+const GroupName = "abac.authorization.kubernetes.io"
+
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Scheme is the default instance of runtime.Scheme to which types in the abac API group are api.Registry.
+// TODO: remove this, abac should not have its own scheme.
+var Scheme = runtime.NewScheme()
+
+// Codecs provides access to encoding and decoding for the scheme
+var Codecs = serializer.NewCodecFactory(Scheme)
+
+func init() {
+	// TODO: delete this, abac should not have its own scheme.
+	addKnownTypes(Scheme)
+}
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Policy{},
+	)
+	return nil
+}
+
+func (obj *Policy) GetObjectKind() schema.ObjectKind { return &obj.TypeMeta }

vendor/k8s.io/kubernetes/pkg/apis/abac/types.go

@@ -0,0 +1,72 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package abac
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Policy contains a single ABAC policy rule
+type Policy struct {
+	metav1.TypeMeta
+
+	// Spec describes the policy rule
+	Spec PolicySpec
+}
+
+// PolicySpec contains the attributes for a policy rule
+type PolicySpec struct {
+
+	// User is the username this rule applies to.
+	// Either user or group is required to match the request.
+	// "*" matches all users.
+	User string
+
+	// Group is the group this rule applies to.
+	// Either user or group is required to match the request.
+	// "*" matches all groups.
+	Group string
+
+	// Readonly matches readonly requests when true, and all requests when false
+	Readonly bool
+
+	// APIGroup is the name of an API group. APIGroup, Resource, and Namespace are required to match resource requests.
+	// "*" matches all API groups
+	APIGroup string
+
+	// Resource is the name of a resource. APIGroup, Resource, and Namespace are required to match resource requests.
+	// "*" matches all resources
+	Resource string
+
+	// Namespace is the name of a namespace. APIGroup, Resource, and Namespace are required to match resource requests.
+	// "*" matches all namespaces (including unnamespaced requests)
+	Namespace string
+
+	// NonResourcePath matches non-resource request paths.
+	// "*" matches all paths
+	// "/foo/*" matches all subpaths of foo
+	NonResourcePath string
+
+	// TODO: "expires" string in RFC3339 format.
+
+	// TODO: want a way to allow some users to restart containers of a pod but
+	// not delete or modify it.
+
+	// TODO: want a way to allow a controller to create a pod based only on a
+	// certain podTemplates.
+
+}

vendor/k8s.io/kubernetes/pkg/apis/abac/v0/BUILD

@@ -0,0 +1,50 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "conversion.go",
+        "register.go",
+        "types.go",
+    ],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/apis/abac:go_default_library",
+        "//vendor:k8s.io/apimachinery/pkg/apis/meta/v1",
+        "//vendor:k8s.io/apimachinery/pkg/conversion",
+        "//vendor:k8s.io/apimachinery/pkg/runtime",
+        "//vendor:k8s.io/apimachinery/pkg/runtime/schema",
+    ],
+)
+
+go_test(
+    name = "go_default_xtest",
+    srcs = ["conversion_test.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/apis/abac:go_default_library",
+        "//pkg/apis/abac/v0:go_default_library",
+        "//vendor:k8s.io/apiserver/pkg/authentication/user",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/pkg/apis/abac/v0/conversion.go

@@ -0,0 +1,68 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v0
+
+import (
+	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/apimachinery/pkg/runtime"
+	api "k8s.io/kubernetes/pkg/apis/abac"
+)
+
+// allAuthenticated matches k8s.io/apiserver/pkg/authentication/user.AllAuthenticated,
+// but we don't want an client library (which must include types), depending on a server library
+const allAuthenticated = "system:authenticated"
+
+func addConversionFuncs(scheme *runtime.Scheme) error {
+	return scheme.AddConversionFuncs(
+		func(in *Policy, out *api.Policy, s conversion.Scope) error {
+			// Begin by copying all fields
+			out.Spec.User = in.User
+			out.Spec.Group = in.Group
+			out.Spec.Namespace = in.Namespace
+			out.Spec.Resource = in.Resource
+			out.Spec.Readonly = in.Readonly
+
+			// In v0, unspecified user and group matches all authenticated subjects
+			if len(in.User) == 0 && len(in.Group) == 0 {
+				out.Spec.Group = allAuthenticated
+			}
+			// In v0, user or group of * matches all authenticated subjects
+			if in.User == "*" || in.Group == "*" {
+				out.Spec.Group = allAuthenticated
+				out.Spec.User = ""
+			}
+
+			// In v0, leaving namespace empty matches all namespaces
+			if len(in.Namespace) == 0 {
+				out.Spec.Namespace = "*"
+			}
+			// In v0, leaving resource empty matches all resources
+			if len(in.Resource) == 0 {
+				out.Spec.Resource = "*"
+			}
+			// Any rule in v0 should match all API groups
+			out.Spec.APIGroup = "*"
+
+			// In v0, leaving namespace and resource blank allows non-resource paths
+			if len(in.Namespace) == 0 && len(in.Resource) == 0 {
+				out.Spec.NonResourcePath = "*"
+			}
+
+			return nil
+		},
+	)
+}

vendor/k8s.io/kubernetes/pkg/apis/abac/v0/conversion_test.go

@@ -0,0 +1,88 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v0_test
+
+import (
+	"reflect"
+	"testing"
+
+	"k8s.io/apiserver/pkg/authentication/user"
+	api "k8s.io/kubernetes/pkg/apis/abac"
+	"k8s.io/kubernetes/pkg/apis/abac/v0"
+)
+
+func TestV0Conversion(t *testing.T) {
+	testcases := map[string]struct {
+		old      *v0.Policy
+		expected *api.Policy
+	}{
+		// a completely empty policy rule allows everything to all users
+		"empty": {
+			old:      &v0.Policy{},
+			expected: &api.Policy{Spec: api.PolicySpec{Group: user.AllAuthenticated, Readonly: false, NonResourcePath: "*", Namespace: "*", Resource: "*", APIGroup: "*"}},
+		},
+
+		// specifying a user is preserved
+		"user": {
+			old:      &v0.Policy{User: "bob"},
+			expected: &api.Policy{Spec: api.PolicySpec{User: "bob", Readonly: false, NonResourcePath: "*", Namespace: "*", Resource: "*", APIGroup: "*"}},
+		},
+
+		// specifying a group is preserved (and no longer matches all users)
+		"group": {
+			old:      &v0.Policy{Group: "mygroup"},
+			expected: &api.Policy{Spec: api.PolicySpec{Group: "mygroup", Readonly: false, NonResourcePath: "*", Namespace: "*", Resource: "*", APIGroup: "*"}},
+		},
+
+		// specifying * for user or group maps to all authenticated subjects
+		"* user": {
+			old:      &v0.Policy{User: "*"},
+			expected: &api.Policy{Spec: api.PolicySpec{Group: user.AllAuthenticated, Readonly: false, NonResourcePath: "*", Namespace: "*", Resource: "*", APIGroup: "*"}},
+		},
+		"* group": {
+			old:      &v0.Policy{Group: "*"},
+			expected: &api.Policy{Spec: api.PolicySpec{Group: user.AllAuthenticated, Readonly: false, NonResourcePath: "*", Namespace: "*", Resource: "*", APIGroup: "*"}},
+		},
+
+		// specifying a namespace removes the * match on non-resource path
+		"namespace": {
+			old:      &v0.Policy{Namespace: "myns"},
+			expected: &api.Policy{Spec: api.PolicySpec{Group: user.AllAuthenticated, Readonly: false, NonResourcePath: "", Namespace: "myns", Resource: "*", APIGroup: "*"}},
+		},
+
+		// specifying a resource removes the * match on non-resource path
+		"resource": {
+			old:      &v0.Policy{Resource: "myresource"},
+			expected: &api.Policy{Spec: api.PolicySpec{Group: user.AllAuthenticated, Readonly: false, NonResourcePath: "", Namespace: "*", Resource: "myresource", APIGroup: "*"}},
+		},
+
+		// specifying a namespace+resource removes the * match on non-resource path
+		"namespace+resource": {
+			old:      &v0.Policy{Namespace: "myns", Resource: "myresource"},
+			expected: &api.Policy{Spec: api.PolicySpec{Group: user.AllAuthenticated, Readonly: false, NonResourcePath: "", Namespace: "myns", Resource: "myresource", APIGroup: "*"}},
+		},
+	}
+	for k, tc := range testcases {
+		internal := &api.Policy{}
+		if err := api.Scheme.Convert(tc.old, internal, nil); err != nil {
+			t.Errorf("%s: unexpected error: %v", k, err)
+		}
+		if !reflect.DeepEqual(internal, tc.expected) {
+			t.Errorf("%s: expected\n\t%#v, got \n\t%#v", k, tc.expected, internal)
+		}
+	}
+}

vendor/k8s.io/kubernetes/pkg/apis/abac/v0/register.go

@@ -0,0 +1,54 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v0
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	api "k8s.io/kubernetes/pkg/apis/abac"
+)
+
+const GroupName = "abac.authorization.kubernetes.io"
+
+// GroupVersion is the API group and version for abac v0
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v0"}
+
+func init() {
+	// TODO: Delete this init function, abac should not have its own scheme.
+	if err := addKnownTypes(api.Scheme); err != nil {
+		// Programmer error.
+		panic(err)
+	}
+	if err := addConversionFuncs(api.Scheme); err != nil {
+		// Programmer error.
+		panic(err)
+	}
+}
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes, addConversionFuncs)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Policy{},
+	)
+	return nil
+}
+
+func (obj *Policy) GetObjectKind() schema.ObjectKind { return &obj.TypeMeta }

vendor/k8s.io/kubernetes/pkg/apis/abac/v0/types.go

@@ -0,0 +1,53 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:openapi-gen=true
+package v0
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Policy contains a single ABAC policy rule
+type Policy struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// User is the username this rule applies to.
+	// Either user or group is required to match the request.
+	// "*" matches all users.
+	// +optional
+	User string `json:"user,omitempty"`
+
+	// Group is the group this rule applies to.
+	// Either user or group is required to match the request.
+	// "*" matches all groups.
+	// +optional
+	Group string `json:"group,omitempty"`
+
+	// Readonly matches readonly requests when true, and all requests when false
+	// +optional
+	Readonly bool `json:"readonly,omitempty"`
+
+	// Resource is the name of a resource
+	// "*" matches all resources
+	// +optional
+	Resource string `json:"resource,omitempty"`
+
+	// Namespace is the name of a namespace
+	// "*" matches all namespaces (including unnamespaced requests)
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+}

vendor/k8s.io/kubernetes/pkg/apis/abac/v1beta1/BUILD

@@ -0,0 +1,54 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "conversion.go",
+        "doc.go",
+        "register.go",
+        "types.go",
+        "zz_generated.conversion.go",
+        "zz_generated.deepcopy.go",
+        "zz_generated.defaults.go",
+    ],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/apis/abac:go_default_library",
+        "//vendor:k8s.io/apimachinery/pkg/apis/meta/v1",
+        "//vendor:k8s.io/apimachinery/pkg/conversion",
+        "//vendor:k8s.io/apimachinery/pkg/runtime",
+        "//vendor:k8s.io/apimachinery/pkg/runtime/schema",
+    ],
+)
+
+go_test(
+    name = "go_default_xtest",
+    srcs = ["conversion_test.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/apis/abac:go_default_library",
+        "//pkg/apis/abac/v1beta1:go_default_library",
+        "//vendor:k8s.io/apiserver/pkg/authentication/user",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/pkg/apis/abac/v1beta1/conversion.go

@@ -0,0 +1,46 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/apimachinery/pkg/runtime"
+	api "k8s.io/kubernetes/pkg/apis/abac"
+)
+
+// allAuthenticated matches k8s.io/apiserver/pkg/authentication/user.AllAuthenticated,
+// but we don't want an client library (which must include types), depending on a server library
+const allAuthenticated = "system:authenticated"
+
+func addConversionFuncs(scheme *runtime.Scheme) error {
+	return scheme.AddConversionFuncs(
+		func(in *Policy, out *api.Policy, s conversion.Scope) error {
+			// Begin by copying all fields
+			if err := autoConvert_v1beta1_Policy_To_abac_Policy(in, out, s); err != nil {
+				return err
+			}
+
+			// In v1beta1, * user or group maps to all authenticated subjects
+			if in.Spec.User == "*" || in.Spec.Group == "*" {
+				out.Spec.Group = allAuthenticated
+				out.Spec.User = ""
+			}
+
+			return nil
+		},
+	)
+}

vendor/k8s.io/kubernetes/pkg/apis/abac/v1beta1/conversion_test.go

@@ -0,0 +1,64 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1_test
+
+import (
+	"reflect"
+	"testing"
+
+	"k8s.io/apiserver/pkg/authentication/user"
+	api "k8s.io/kubernetes/pkg/apis/abac"
+	"k8s.io/kubernetes/pkg/apis/abac/v1beta1"
+)
+
+func TestV1Beta1Conversion(t *testing.T) {
+	testcases := map[string]struct {
+		old      *v1beta1.Policy
+		expected *api.Policy
+	}{
+		// specifying a user is preserved
+		"user": {
+			old:      &v1beta1.Policy{Spec: v1beta1.PolicySpec{User: "bob"}},
+			expected: &api.Policy{Spec: api.PolicySpec{User: "bob"}},
+		},
+
+		// specifying a group is preserved
+		"group": {
+			old:      &v1beta1.Policy{Spec: v1beta1.PolicySpec{Group: "mygroup"}},
+			expected: &api.Policy{Spec: api.PolicySpec{Group: "mygroup"}},
+		},
+
+		// specifying * for user or group maps to all authenticated subjects
+		"* user": {
+			old:      &v1beta1.Policy{Spec: v1beta1.PolicySpec{User: "*"}},
+			expected: &api.Policy{Spec: api.PolicySpec{Group: user.AllAuthenticated}},
+		},
+		"* group": {
+			old:      &v1beta1.Policy{Spec: v1beta1.PolicySpec{Group: "*"}},
+			expected: &api.Policy{Spec: api.PolicySpec{Group: user.AllAuthenticated}},
+		},
+	}
+	for k, tc := range testcases {
+		internal := &api.Policy{}
+		if err := api.Scheme.Convert(tc.old, internal, nil); err != nil {
+			t.Errorf("%s: unexpected error: %v", k, err)
+		}
+		if !reflect.DeepEqual(internal, tc.expected) {
+			t.Errorf("%s: expected\n\t%#v, got \n\t%#v", k, tc.expected, internal)
+		}
+	}
+}

vendor/k8s.io/kubernetes/pkg/apis/abac/v1beta1/doc.go

@@ -0,0 +1,23 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/abac
+// +k8s:openapi-gen=true
+// +k8s:defaulter-gen=TypeMeta
+
+// +groupName=abac.authorization.kubernetes.io
+package v1beta1 // import "k8s.io/kubernetes/pkg/apis/abac/v1beta1"

vendor/k8s.io/kubernetes/pkg/apis/abac/v1beta1/register.go

@@ -0,0 +1,54 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	api "k8s.io/kubernetes/pkg/apis/abac"
+)
+
+const GroupName = "abac.authorization.kubernetes.io"
+
+// SchemeGroupVersion is the API group and version for abac v1beta1
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}
+
+func init() {
+	// TODO: delete this, abac should not have its own scheme.
+	if err := addKnownTypes(api.Scheme); err != nil {
+		// Programmer error.
+		panic(err)
+	}
+	if err := addConversionFuncs(api.Scheme); err != nil {
+		// Programmer error.
+		panic(err)
+	}
+}
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes, addConversionFuncs)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Policy{},
+	)
+	return nil
+}
+
+func (obj *Policy) GetObjectKind() schema.ObjectKind { return &obj.TypeMeta }

vendor/k8s.io/kubernetes/pkg/apis/abac/v1beta1/types.go

@@ -0,0 +1,70 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:openapi-gen=true
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Policy contains a single ABAC policy rule
+type Policy struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// Spec describes the policy rule
+	Spec PolicySpec `json:"spec"`
+}
+
+// PolicySpec contains the attributes for a policy rule
+type PolicySpec struct {
+	// User is the username this rule applies to.
+	// Either user or group is required to match the request.
+	// "*" matches all users.
+	// +optional
+	User string `json:"user,omitempty"`
+
+	// Group is the group this rule applies to.
+	// Either user or group is required to match the request.
+	// "*" matches all groups.
+	// +optional
+	Group string `json:"group,omitempty"`
+
+	// Readonly matches readonly requests when true, and all requests when false
+	// +optional
+	Readonly bool `json:"readonly,omitempty"`
+
+	// APIGroup is the name of an API group. APIGroup, Resource, and Namespace are required to match resource requests.
+	// "*" matches all API groups
+	// +optional
+	APIGroup string `json:"apiGroup,omitempty"`
+
+	// Resource is the name of a resource. APIGroup, Resource, and Namespace are required to match resource requests.
+	// "*" matches all resources
+	// +optional
+	Resource string `json:"resource,omitempty"`
+
+	// Namespace is the name of a namespace. APIGroup, Resource, and Namespace are required to match resource requests.
+	// "*" matches all namespaces (including unnamespaced requests)
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+
+	// NonResourcePath matches non-resource request paths.
+	// "*" matches all paths
+	// "/foo/*" matches all subpaths of foo
+	// +optional
+	NonResourcePath string `json:"nonResourcePath,omitempty"`
+}

vendor/k8s.io/kubernetes/pkg/apis/abac/v1beta1/zz_generated.conversion.go

@@ -0,0 +1,94 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by conversion-gen. Do not edit it manually!
+
+package v1beta1
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	abac "k8s.io/kubernetes/pkg/apis/abac"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedConversionFuncs(
+		Convert_v1beta1_Policy_To_abac_Policy,
+		Convert_abac_Policy_To_v1beta1_Policy,
+		Convert_v1beta1_PolicySpec_To_abac_PolicySpec,
+		Convert_abac_PolicySpec_To_v1beta1_PolicySpec,
+	)
+}
+
+func autoConvert_v1beta1_Policy_To_abac_Policy(in *Policy, out *abac.Policy, s conversion.Scope) error {
+	if err := Convert_v1beta1_PolicySpec_To_abac_PolicySpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+func Convert_v1beta1_Policy_To_abac_Policy(in *Policy, out *abac.Policy, s conversion.Scope) error {
+	return autoConvert_v1beta1_Policy_To_abac_Policy(in, out, s)
+}
+
+func autoConvert_abac_Policy_To_v1beta1_Policy(in *abac.Policy, out *Policy, s conversion.Scope) error {
+	if err := Convert_abac_PolicySpec_To_v1beta1_PolicySpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+func Convert_abac_Policy_To_v1beta1_Policy(in *abac.Policy, out *Policy, s conversion.Scope) error {
+	return autoConvert_abac_Policy_To_v1beta1_Policy(in, out, s)
+}
+
+func autoConvert_v1beta1_PolicySpec_To_abac_PolicySpec(in *PolicySpec, out *abac.PolicySpec, s conversion.Scope) error {
+	out.User = in.User
+	out.Group = in.Group
+	out.Readonly = in.Readonly
+	out.APIGroup = in.APIGroup
+	out.Resource = in.Resource
+	out.Namespace = in.Namespace
+	out.NonResourcePath = in.NonResourcePath
+	return nil
+}
+
+func Convert_v1beta1_PolicySpec_To_abac_PolicySpec(in *PolicySpec, out *abac.PolicySpec, s conversion.Scope) error {
+	return autoConvert_v1beta1_PolicySpec_To_abac_PolicySpec(in, out, s)
+}
+
+func autoConvert_abac_PolicySpec_To_v1beta1_PolicySpec(in *abac.PolicySpec, out *PolicySpec, s conversion.Scope) error {
+	out.User = in.User
+	out.Group = in.Group
+	out.Readonly = in.Readonly
+	out.APIGroup = in.APIGroup
+	out.Resource = in.Resource
+	out.Namespace = in.Namespace
+	out.NonResourcePath = in.NonResourcePath
+	return nil
+}
+
+func Convert_abac_PolicySpec_To_v1beta1_PolicySpec(in *abac.PolicySpec, out *PolicySpec, s conversion.Scope) error {
+	return autoConvert_abac_PolicySpec_To_v1beta1_PolicySpec(in, out, s)
+}

vendor/k8s.io/kubernetes/pkg/apis/abac/v1beta1/zz_generated.deepcopy.go

@@ -0,0 +1,58 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1beta1
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_v1beta1_Policy, InType: reflect.TypeOf(&Policy{})},
+		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_v1beta1_PolicySpec, InType: reflect.TypeOf(&PolicySpec{})},
+	)
+}
+
+func DeepCopy_v1beta1_Policy(in interface{}, out interface{}, c *conversion.Cloner) error {
+	{
+		in := in.(*Policy)
+		out := out.(*Policy)
+		*out = *in
+		return nil
+	}
+}
+
+func DeepCopy_v1beta1_PolicySpec(in interface{}, out interface{}, c *conversion.Cloner) error {
+	{
+		in := in.(*PolicySpec)
+		out := out.(*PolicySpec)
+		*out = *in
+		return nil
+	}
+}

vendor/k8s.io/kubernetes/pkg/apis/abac/v1beta1/zz_generated.defaults.go

@@ -0,0 +1,32 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by defaulter-gen. Do not edit it manually!
+
+package v1beta1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+	return nil
+}