Add generated file

This PR adds generated files under pkg/client and vendor folder.

vendor/k8s.io/kubernetes/cmd/kube-controller-manager/BUILD

@@ -0,0 +1,47 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+)
+load("//pkg/version:def.bzl", "version_x_defs")
+
+go_binary(
+    name = "kube-controller-manager",
+    embed = [":go_default_library"],
+    pure = "on",
+    x_defs = version_x_defs(),
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["controller-manager.go"],
+    importpath = "k8s.io/kubernetes/cmd/kube-controller-manager",
+    deps = [
+        "//cmd/kube-controller-manager/app:go_default_library",
+        "//pkg/client/metrics/prometheus:go_default_library",
+        "//pkg/util/reflector/prometheus:go_default_library",
+        "//pkg/util/workqueue/prometheus:go_default_library",
+        "//pkg/version/prometheus:go_default_library",
+        "//vendor/github.com/spf13/pflag:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/util/flag:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/util/logs:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [
+        ":package-srcs",
+        "//cmd/kube-controller-manager/app:all-srcs",
+    ],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/cmd/kube-controller-manager/OWNERS

@@ -0,0 +1,65 @@
+approvers:
+- deads2k
+- lavalamp
+- mikedanese
+reviewers:
+- '249043822'
+- a-robinson
+- brendandburns
+- caesarxuchao
+- cjcullen
+- dalanlan
+- david-mcmahon
+- davidopp
+- ddysher
+- deads2k
+- derekwaynecarr
+- eparis
+- erictune
+- errordeveloper
+- feiskyer
+- fgrzadkowski
+- ghodss
+- girishkalele
+- gmarek
+- goltermann
+- humblec
+- ingvagabund
+- janetkuo
+- jayunit100
+- jbeda
+- jdef
+- jlowdermilk
+- johscheuer
+- jsafrane
+- jszczepkowski
+- justinsb
+- lavalamp
+- liggitt
+- luxas
+- madhusudancs
+- markturansky
+- mfanjie
+- mikedanese
+- mml
+- mqliang
+- mwielgus
+- nikhiljindal
+- ping035627
+- piosz
+- pmorie
+- quinton-hoole
+- resouer
+- roberthbailey
+- rootfs
+- rrati
+- saad-ali
+- screeley44
+- sjenning
+- smarterclayton
+- soltysh
+- spiffxp
+- sttts
+- thockin
+- timothysc
+- wojtek-t

vendor/k8s.io/kubernetes/cmd/kube-controller-manager/app/BUILD

@@ -0,0 +1,159 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "apps.go",
+        "autoscaling.go",
+        "batch.go",
+        "bootstrap.go",
+        "certificates.go",
+        "cloudproviders.go",
+        "controllermanager.go",
+        "core.go",
+        "import_known_versions.go",
+        "plugins.go",
+        "policy.go",
+        "rbac.go",
+    ],
+    importpath = "k8s.io/kubernetes/cmd/kube-controller-manager/app",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//cmd/controller-manager/app:go_default_library",
+        "//cmd/controller-manager/app/options:go_default_library",
+        "//cmd/kube-controller-manager/app/config:go_default_library",
+        "//cmd/kube-controller-manager/app/options:go_default_library",
+        "//pkg/apis/apps/install:go_default_library",
+        "//pkg/apis/authentication/install:go_default_library",
+        "//pkg/apis/authorization/install:go_default_library",
+        "//pkg/apis/autoscaling/install:go_default_library",
+        "//pkg/apis/batch/install:go_default_library",
+        "//pkg/apis/certificates/install:go_default_library",
+        "//pkg/apis/componentconfig:go_default_library",
+        "//pkg/apis/core/install:go_default_library",
+        "//pkg/apis/events/install:go_default_library",
+        "//pkg/apis/extensions/install:go_default_library",
+        "//pkg/apis/policy/install:go_default_library",
+        "//pkg/apis/rbac/install:go_default_library",
+        "//pkg/apis/scheduling/install:go_default_library",
+        "//pkg/apis/settings/install:go_default_library",
+        "//pkg/apis/storage/install:go_default_library",
+        "//pkg/cloudprovider:go_default_library",
+        "//pkg/cloudprovider/providers:go_default_library",
+        "//pkg/controller:go_default_library",
+        "//pkg/controller/bootstrap:go_default_library",
+        "//pkg/controller/certificates/approver:go_default_library",
+        "//pkg/controller/certificates/cleaner:go_default_library",
+        "//pkg/controller/certificates/signer:go_default_library",
+        "//pkg/controller/clusterroleaggregation:go_default_library",
+        "//pkg/controller/cronjob:go_default_library",
+        "//pkg/controller/daemon:go_default_library",
+        "//pkg/controller/deployment:go_default_library",
+        "//pkg/controller/disruption:go_default_library",
+        "//pkg/controller/endpoint:go_default_library",
+        "//pkg/controller/garbagecollector:go_default_library",
+        "//pkg/controller/job:go_default_library",
+        "//pkg/controller/namespace:go_default_library",
+        "//pkg/controller/nodeipam:go_default_library",
+        "//pkg/controller/nodeipam/ipam:go_default_library",
+        "//pkg/controller/nodelifecycle:go_default_library",
+        "//pkg/controller/podautoscaler:go_default_library",
+        "//pkg/controller/podautoscaler/metrics:go_default_library",
+        "//pkg/controller/podgc:go_default_library",
+        "//pkg/controller/replicaset:go_default_library",
+        "//pkg/controller/replication:go_default_library",
+        "//pkg/controller/resourcequota:go_default_library",
+        "//pkg/controller/route:go_default_library",
+        "//pkg/controller/service:go_default_library",
+        "//pkg/controller/serviceaccount:go_default_library",
+        "//pkg/controller/statefulset:go_default_library",
+        "//pkg/controller/ttl:go_default_library",
+        "//pkg/controller/volume/attachdetach:go_default_library",
+        "//pkg/controller/volume/expand:go_default_library",
+        "//pkg/controller/volume/persistentvolume:go_default_library",
+        "//pkg/controller/volume/pvcprotection:go_default_library",
+        "//pkg/controller/volume/pvprotection:go_default_library",
+        "//pkg/features:go_default_library",
+        "//pkg/quota/generic:go_default_library",
+        "//pkg/quota/install:go_default_library",
+        "//pkg/serviceaccount:go_default_library",
+        "//pkg/util/configz:go_default_library",
+        "//pkg/util/flag:go_default_library",
+        "//pkg/util/metrics:go_default_library",
+        "//pkg/version:go_default_library",
+        "//pkg/version/verflag:go_default_library",
+        "//pkg/volume:go_default_library",
+        "//pkg/volume/aws_ebs:go_default_library",
+        "//pkg/volume/azure_dd:go_default_library",
+        "//pkg/volume/azure_file:go_default_library",
+        "//pkg/volume/cinder:go_default_library",
+        "//pkg/volume/csi:go_default_library",
+        "//pkg/volume/fc:go_default_library",
+        "//pkg/volume/flexvolume:go_default_library",
+        "//pkg/volume/flocker:go_default_library",
+        "//pkg/volume/gce_pd:go_default_library",
+        "//pkg/volume/glusterfs:go_default_library",
+        "//pkg/volume/host_path:go_default_library",
+        "//pkg/volume/iscsi:go_default_library",
+        "//pkg/volume/local:go_default_library",
+        "//pkg/volume/nfs:go_default_library",
+        "//pkg/volume/photon_pd:go_default_library",
+        "//pkg/volume/portworx:go_default_library",
+        "//pkg/volume/quobyte:go_default_library",
+        "//pkg/volume/rbd:go_default_library",
+        "//pkg/volume/scaleio:go_default_library",
+        "//pkg/volume/storageos:go_default_library",
+        "//pkg/volume/util:go_default_library",
+        "//pkg/volume/vsphere_volume:go_default_library",
+        "//vendor/github.com/golang/glog:go_default_library",
+        "//vendor/github.com/spf13/cobra:go_default_library",
+        "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/runtime:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/uuid:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
+        "//vendor/k8s.io/client-go/discovery/cached:go_default_library",
+        "//vendor/k8s.io/client-go/dynamic:go_default_library",
+        "//vendor/k8s.io/client-go/informers:go_default_library",
+        "//vendor/k8s.io/client-go/kubernetes:go_default_library",
+        "//vendor/k8s.io/client-go/rest:go_default_library",
+        "//vendor/k8s.io/client-go/restmapper:go_default_library",
+        "//vendor/k8s.io/client-go/scale:go_default_library",
+        "//vendor/k8s.io/client-go/tools/leaderelection:go_default_library",
+        "//vendor/k8s.io/client-go/tools/leaderelection/resourcelock:go_default_library",
+        "//vendor/k8s.io/client-go/util/cert:go_default_library",
+        "//vendor/k8s.io/metrics/pkg/client/clientset_generated/clientset/typed/metrics/v1beta1:go_default_library",
+        "//vendor/k8s.io/metrics/pkg/client/custom_metrics:go_default_library",
+        "//vendor/k8s.io/metrics/pkg/client/external_metrics:go_default_library",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["controller_manager_test.go"],
+    embed = [":go_default_library"],
+    deps = [
+        "//vendor/github.com/stretchr/testify/assert:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [
+        ":package-srcs",
+        "//cmd/kube-controller-manager/app/config:all-srcs",
+        "//cmd/kube-controller-manager/app/options:all-srcs",
+    ],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)

vendor/k8s.io/kubernetes/cmd/kube-controller-manager/app/apps.go

@@ -0,0 +1,93 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package app implements a server that runs a set of active
+// components.  This includes replication controllers, service endpoints and
+// nodes.
+//
+package app
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/kubernetes/pkg/controller/daemon"
+	"k8s.io/kubernetes/pkg/controller/deployment"
+	"k8s.io/kubernetes/pkg/controller/replicaset"
+	"k8s.io/kubernetes/pkg/controller/statefulset"
+)
+
+func startDaemonSetController(ctx ControllerContext) (bool, error) {
+	if !ctx.AvailableResources[schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "daemonsets"}] {
+		return false, nil
+	}
+	dsc, err := daemon.NewDaemonSetsController(
+		ctx.InformerFactory.Apps().V1().DaemonSets(),
+		ctx.InformerFactory.Apps().V1().ControllerRevisions(),
+		ctx.InformerFactory.Core().V1().Pods(),
+		ctx.InformerFactory.Core().V1().Nodes(),
+		ctx.ClientBuilder.ClientOrDie("daemon-set-controller"),
+	)
+	if err != nil {
+		return true, fmt.Errorf("error creating DaemonSets controller: %v", err)
+	}
+	go dsc.Run(int(ctx.ComponentConfig.DaemonSetController.ConcurrentDaemonSetSyncs), ctx.Stop)
+	return true, nil
+}
+
+func startStatefulSetController(ctx ControllerContext) (bool, error) {
+	if !ctx.AvailableResources[schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "statefulsets"}] {
+		return false, nil
+	}
+	go statefulset.NewStatefulSetController(
+		ctx.InformerFactory.Core().V1().Pods(),
+		ctx.InformerFactory.Apps().V1().StatefulSets(),
+		ctx.InformerFactory.Core().V1().PersistentVolumeClaims(),
+		ctx.InformerFactory.Apps().V1().ControllerRevisions(),
+		ctx.ClientBuilder.ClientOrDie("statefulset-controller"),
+	).Run(1, ctx.Stop)
+	return true, nil
+}
+
+func startReplicaSetController(ctx ControllerContext) (bool, error) {
+	if !ctx.AvailableResources[schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "replicasets"}] {
+		return false, nil
+	}
+	go replicaset.NewReplicaSetController(
+		ctx.InformerFactory.Apps().V1().ReplicaSets(),
+		ctx.InformerFactory.Core().V1().Pods(),
+		ctx.ClientBuilder.ClientOrDie("replicaset-controller"),
+		replicaset.BurstReplicas,
+	).Run(int(ctx.ComponentConfig.ReplicaSetController.ConcurrentRSSyncs), ctx.Stop)
+	return true, nil
+}
+
+func startDeploymentController(ctx ControllerContext) (bool, error) {
+	if !ctx.AvailableResources[schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"}] {
+		return false, nil
+	}
+	dc, err := deployment.NewDeploymentController(
+		ctx.InformerFactory.Apps().V1().Deployments(),
+		ctx.InformerFactory.Apps().V1().ReplicaSets(),
+		ctx.InformerFactory.Core().V1().Pods(),
+		ctx.ClientBuilder.ClientOrDie("deployment-controller"),
+	)
+	if err != nil {
+		return true, fmt.Errorf("error creating Deployment controller: %v", err)
+	}
+	go dc.Run(int(ctx.ComponentConfig.DeploymentController.ConcurrentDeploymentSyncs), ctx.Stop)
+	return true, nil
+}

vendor/k8s.io/kubernetes/cmd/kube-controller-manager/app/autoscaling.go

@@ -0,0 +1,99 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package app implements a server that runs a set of active
+// components.  This includes replication controllers, service endpoints and
+// nodes.
+//
+package app
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/scale"
+	"k8s.io/kubernetes/pkg/controller/podautoscaler"
+	"k8s.io/kubernetes/pkg/controller/podautoscaler/metrics"
+	resourceclient "k8s.io/metrics/pkg/client/clientset_generated/clientset/typed/metrics/v1beta1"
+	"k8s.io/metrics/pkg/client/custom_metrics"
+	"k8s.io/metrics/pkg/client/external_metrics"
+)
+
+func startHPAController(ctx ControllerContext) (bool, error) {
+	if !ctx.AvailableResources[schema.GroupVersionResource{Group: "autoscaling", Version: "v1", Resource: "horizontalpodautoscalers"}] {
+		return false, nil
+	}
+
+	if ctx.ComponentConfig.HPAController.HorizontalPodAutoscalerUseRESTClients {
+		// use the new-style clients if support for custom metrics is enabled
+		return startHPAControllerWithRESTClient(ctx)
+	}
+
+	return startHPAControllerWithLegacyClient(ctx)
+}
+
+func startHPAControllerWithRESTClient(ctx ControllerContext) (bool, error) {
+	clientConfig := ctx.ClientBuilder.ConfigOrDie("horizontal-pod-autoscaler")
+	metricsClient := metrics.NewRESTMetricsClient(
+		resourceclient.NewForConfigOrDie(clientConfig),
+		custom_metrics.NewForConfigOrDie(clientConfig),
+		external_metrics.NewForConfigOrDie(clientConfig),
+	)
+	return startHPAControllerWithMetricsClient(ctx, metricsClient)
+}
+
+func startHPAControllerWithLegacyClient(ctx ControllerContext) (bool, error) {
+	hpaClient := ctx.ClientBuilder.ClientOrDie("horizontal-pod-autoscaler")
+	metricsClient := metrics.NewHeapsterMetricsClient(
+		hpaClient,
+		metrics.DefaultHeapsterNamespace,
+		metrics.DefaultHeapsterScheme,
+		metrics.DefaultHeapsterService,
+		metrics.DefaultHeapsterPort,
+	)
+	return startHPAControllerWithMetricsClient(ctx, metricsClient)
+}
+
+func startHPAControllerWithMetricsClient(ctx ControllerContext, metricsClient metrics.MetricsClient) (bool, error) {
+	hpaClientGoClient := ctx.ClientBuilder.ClientGoClientOrDie("horizontal-pod-autoscaler")
+	hpaClient := ctx.ClientBuilder.ClientOrDie("horizontal-pod-autoscaler")
+	hpaClientConfig := ctx.ClientBuilder.ConfigOrDie("horizontal-pod-autoscaler")
+
+	// we don't use cached discovery because DiscoveryScaleKindResolver does its own caching,
+	// so we want to re-fetch every time when we actually ask for it
+	scaleKindResolver := scale.NewDiscoveryScaleKindResolver(hpaClientGoClient.Discovery())
+	scaleClient, err := scale.NewForConfig(hpaClientConfig, ctx.RESTMapper, dynamic.LegacyAPIPathResolverFunc, scaleKindResolver)
+	if err != nil {
+		return false, err
+	}
+
+	replicaCalc := podautoscaler.NewReplicaCalculator(
+		metricsClient,
+		hpaClient.CoreV1(),
+		ctx.ComponentConfig.HPAController.HorizontalPodAutoscalerTolerance,
+	)
+	go podautoscaler.NewHorizontalController(
+		hpaClientGoClient.CoreV1(),
+		scaleClient,
+		hpaClient.AutoscalingV1(),
+		ctx.RESTMapper,
+		replicaCalc,
+		ctx.InformerFactory.Autoscaling().V1().HorizontalPodAutoscalers(),
+		ctx.ComponentConfig.HPAController.HorizontalPodAutoscalerSyncPeriod.Duration,
+		ctx.ComponentConfig.HPAController.HorizontalPodAutoscalerUpscaleForbiddenWindow.Duration,
+		ctx.ComponentConfig.HPAController.HorizontalPodAutoscalerDownscaleForbiddenWindow.Duration,
+	).Run(ctx.Stop)
+	return true, nil
+}

vendor/k8s.io/kubernetes/cmd/kube-controller-manager/app/batch.go

@@ -0,0 +1,55 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package app implements a server that runs a set of active
+// components.  This includes replication controllers, service endpoints and
+// nodes.
+//
+package app
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/kubernetes/pkg/controller/cronjob"
+	"k8s.io/kubernetes/pkg/controller/job"
+)
+
+func startJobController(ctx ControllerContext) (bool, error) {
+	if !ctx.AvailableResources[schema.GroupVersionResource{Group: "batch", Version: "v1", Resource: "jobs"}] {
+		return false, nil
+	}
+	go job.NewJobController(
+		ctx.InformerFactory.Core().V1().Pods(),
+		ctx.InformerFactory.Batch().V1().Jobs(),
+		ctx.ClientBuilder.ClientOrDie("job-controller"),
+	).Run(int(ctx.ComponentConfig.JobController.ConcurrentJobSyncs), ctx.Stop)
+	return true, nil
+}
+
+func startCronJobController(ctx ControllerContext) (bool, error) {
+	if !ctx.AvailableResources[schema.GroupVersionResource{Group: "batch", Version: "v1beta1", Resource: "cronjobs"}] {
+		return false, nil
+	}
+	cjc, err := cronjob.NewCronJobController(
+		ctx.ClientBuilder.ClientOrDie("cronjob-controller"),
+	)
+	if err != nil {
+		return true, fmt.Errorf("error creating CronJob controller: %v", err)
+	}
+	go cjc.Run(ctx.Stop)
+	return true, nil
+}

vendor/k8s.io/kubernetes/cmd/kube-controller-manager/app/bootstrap.go

@@ -0,0 +1,50 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	"fmt"
+
+	"k8s.io/kubernetes/pkg/controller/bootstrap"
+)
+
+func startBootstrapSignerController(ctx ControllerContext) (bool, error) {
+	bsc, err := bootstrap.NewBootstrapSigner(
+		ctx.ClientBuilder.ClientGoClientOrDie("bootstrap-signer"),
+		ctx.InformerFactory.Core().V1().Secrets(),
+		ctx.InformerFactory.Core().V1().ConfigMaps(),
+		bootstrap.DefaultBootstrapSignerOptions(),
+	)
+	if err != nil {
+		return true, fmt.Errorf("error creating BootstrapSigner controller: %v", err)
+	}
+	go bsc.Run(ctx.Stop)
+	return true, nil
+}
+
+func startTokenCleanerController(ctx ControllerContext) (bool, error) {
+	tcc, err := bootstrap.NewTokenCleaner(
+		ctx.ClientBuilder.ClientGoClientOrDie("token-cleaner"),
+		ctx.InformerFactory.Core().V1().Secrets(),
+		bootstrap.DefaultTokenCleanerOptions(),
+	)
+	if err != nil {
+		return true, fmt.Errorf("error creating TokenCleaner controller: %v", err)
+	}
+	go tcc.Run(ctx.Stop)
+	return true, nil
+}

vendor/k8s.io/kubernetes/cmd/kube-controller-manager/app/certificates.go

@@ -0,0 +1,120 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package app implements a server that runs a set of active
+// components.  This includes replication controllers, service endpoints and
+// nodes.
+//
+package app
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/golang/glog"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	cmoptions "k8s.io/kubernetes/cmd/controller-manager/app/options"
+	"k8s.io/kubernetes/pkg/controller/certificates/approver"
+	"k8s.io/kubernetes/pkg/controller/certificates/cleaner"
+	"k8s.io/kubernetes/pkg/controller/certificates/signer"
+)
+
+func startCSRSigningController(ctx ControllerContext) (bool, error) {
+	if !ctx.AvailableResources[schema.GroupVersionResource{Group: "certificates.k8s.io", Version: "v1beta1", Resource: "certificatesigningrequests"}] {
+		return false, nil
+	}
+	if ctx.ComponentConfig.CSRSigningController.ClusterSigningCertFile == "" || ctx.ComponentConfig.CSRSigningController.ClusterSigningKeyFile == "" {
+		return false, nil
+	}
+
+	// Deprecation warning for old defaults.
+	//
+	// * If the signing cert and key are the default paths but the files
+	// exist, warn that the paths need to be specified explicitly in a
+	// later release and the defaults will be removed. We don't expect this
+	// to be the case.
+	//
+	// * If the signing cert and key are default paths but the files don't exist,
+	// bail out of startController without logging.
+	var keyFileExists, keyUsesDefault, certFileExists, certUsesDefault bool
+
+	_, err := os.Stat(ctx.ComponentConfig.CSRSigningController.ClusterSigningCertFile)
+	certFileExists = !os.IsNotExist(err)
+
+	certUsesDefault = (ctx.ComponentConfig.CSRSigningController.ClusterSigningCertFile == cmoptions.DefaultClusterSigningCertFile)
+
+	_, err = os.Stat(ctx.ComponentConfig.CSRSigningController.ClusterSigningKeyFile)
+	keyFileExists = !os.IsNotExist(err)
+
+	keyUsesDefault = (ctx.ComponentConfig.CSRSigningController.ClusterSigningKeyFile == cmoptions.DefaultClusterSigningKeyFile)
+
+	switch {
+	case (keyFileExists && keyUsesDefault) || (certFileExists && certUsesDefault):
+		glog.Warningf("You might be using flag defaulting for --cluster-signing-cert-file and" +
+			" --cluster-signing-key-file. These defaults are deprecated and will be removed" +
+			" in a subsequent release. Please pass these options explicitly.")
+	case (!keyFileExists && keyUsesDefault) && (!certFileExists && certUsesDefault):
+		// This is what we expect right now if people aren't
+		// setting up the signing controller. This isn't
+		// actually a problem since the signer is not a
+		// required controller.
+		return false, nil
+	default:
+		// Note that '!filesExist && !usesDefaults' is obviously
+		// operator error. We don't handle this case here and instead
+		// allow it to be handled by NewCSR... below.
+	}
+
+	c := ctx.ClientBuilder.ClientOrDie("certificate-controller")
+
+	signer, err := signer.NewCSRSigningController(
+		c,
+		ctx.InformerFactory.Certificates().V1beta1().CertificateSigningRequests(),
+		ctx.ComponentConfig.CSRSigningController.ClusterSigningCertFile,
+		ctx.ComponentConfig.CSRSigningController.ClusterSigningKeyFile,
+		ctx.ComponentConfig.CSRSigningController.ClusterSigningDuration.Duration,
+	)
+	if err != nil {
+		return false, fmt.Errorf("failed to start certificate controller: %v", err)
+	}
+	go signer.Run(1, ctx.Stop)
+
+	return true, nil
+}
+
+func startCSRApprovingController(ctx ControllerContext) (bool, error) {
+	if !ctx.AvailableResources[schema.GroupVersionResource{Group: "certificates.k8s.io", Version: "v1beta1", Resource: "certificatesigningrequests"}] {
+		return false, nil
+	}
+
+	approver := approver.NewCSRApprovingController(
+		ctx.ClientBuilder.ClientOrDie("certificate-controller"),
+		ctx.InformerFactory.Certificates().V1beta1().CertificateSigningRequests(),
+	)
+	go approver.Run(1, ctx.Stop)
+
+	return true, nil
+}
+
+func startCSRCleanerController(ctx ControllerContext) (bool, error) {
+	cleaner := cleaner.NewCSRCleanerController(
+		ctx.ClientBuilder.ClientOrDie("certificate-controller").CertificatesV1beta1().CertificateSigningRequests(),
+		ctx.InformerFactory.Certificates().V1beta1().CertificateSigningRequests(),
+	)
+	go cleaner.Run(1, ctx.Stop)
+	return true, nil
+}

vendor/k8s.io/kubernetes/cmd/kube-controller-manager/app/cloudproviders.go

@@ -0,0 +1,63 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	"fmt"
+
+	"github.com/golang/glog"
+
+	"k8s.io/client-go/informers"
+	"k8s.io/kubernetes/pkg/cloudprovider"
+)
+
+// createCloudProvider helps consolidate what is needed for cloud providers, we explicitly list the things
+// that the cloud providers need as parameters, so we can control
+func createCloudProvider(cloudProvider string, externalCloudVolumePlugin string, cloudConfigFile string,
+	allowUntaggedCloud bool, sharedInformers informers.SharedInformerFactory) (cloudprovider.Interface, ControllerLoopMode, error) {
+	var cloud cloudprovider.Interface
+	var loopMode ControllerLoopMode
+	var err error
+	if cloudprovider.IsExternal(cloudProvider) {
+		loopMode = ExternalLoops
+		if externalCloudVolumePlugin == "" {
+			// externalCloudVolumePlugin is temporary until we split all cloud providers out.
+			// So we just tell the caller that we need to run ExternalLoops without any cloud provider.
+			return nil, loopMode, nil
+		}
+		cloud, err = cloudprovider.InitCloudProvider(externalCloudVolumePlugin, cloudConfigFile)
+	} else {
+		loopMode = IncludeCloudLoops
+		cloud, err = cloudprovider.InitCloudProvider(cloudProvider, cloudConfigFile)
+	}
+	if err != nil {
+		return nil, loopMode, fmt.Errorf("cloud provider could not be initialized: %v", err)
+	}
+
+	if cloud != nil && cloud.HasClusterID() == false {
+		if allowUntaggedCloud == true {
+			glog.Warning("detected a cluster without a ClusterID.  A ClusterID will be required in the future.  Please tag your cluster to avoid any future issues")
+		} else {
+			return nil, loopMode, fmt.Errorf("no ClusterID Found.  A ClusterID is required for the cloud provider to function properly.  This check can be bypassed by setting the allow-untagged-cloud option")
+		}
+	}
+
+	if informerUserCloud, ok := cloud.(cloudprovider.InformerUser); ok {
+		informerUserCloud.SetInformers(sharedInformers)
+	}
+	return cloud, loopMode, err
+}

vendor/k8s.io/kubernetes/cmd/kube-controller-manager/app/config/BUILD

@@ -0,0 +1,30 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["config.go"],
+    importpath = "k8s.io/kubernetes/cmd/kube-controller-manager/app/config",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//cmd/controller-manager/app:go_default_library",
+        "//pkg/apis/componentconfig:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/server:go_default_library",
+        "//vendor/k8s.io/client-go/kubernetes:go_default_library",
+        "//vendor/k8s.io/client-go/rest:go_default_library",
+        "//vendor/k8s.io/client-go/tools/record:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)

vendor/k8s.io/kubernetes/cmd/kube-controller-manager/app/config/config.go

@@ -0,0 +1,65 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package config
+
+import (
+	apiserver "k8s.io/apiserver/pkg/server"
+	clientset "k8s.io/client-go/kubernetes"
+	restclient "k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/record"
+	genericcontrollermanager "k8s.io/kubernetes/cmd/controller-manager/app"
+	"k8s.io/kubernetes/pkg/apis/componentconfig"
+)
+
+// Config is the main context object for the controller manager.
+type Config struct {
+	ComponentConfig componentconfig.KubeControllerManagerConfiguration
+
+	SecureServing *apiserver.SecureServingInfo
+	// TODO: remove deprecated insecure serving
+	InsecureServing *genericcontrollermanager.InsecureServingInfo
+	Authentication  apiserver.AuthenticationInfo
+	Authorization   apiserver.AuthorizationInfo
+
+	// the general kube client
+	Client *clientset.Clientset
+
+	// the client only used for leader election
+	LeaderElectionClient *clientset.Clientset
+
+	// the rest config for the master
+	Kubeconfig *restclient.Config
+
+	// the event sink
+	EventRecorder record.EventRecorder
+}
+
+type completedConfig struct {
+	*Config
+}
+
+// CompletedConfig same as Config, just to swap private object.
+type CompletedConfig struct {
+	// Embed a private pointer that cannot be instantiated outside of this package.
+	*completedConfig
+}
+
+// Complete fills in any fields not set that are required to have valid data. It's mutating the receiver.
+func (c *Config) Complete() *CompletedConfig {
+	cc := completedConfig{c}
+	return &CompletedConfig{&cc}
+}

vendor/k8s.io/kubernetes/cmd/kube-controller-manager/app/controller_manager_test.go

@@ -0,0 +1,81 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package app implements a server that runs a set of active
+// components.  This includes replication controllers, service endpoints and
+// nodes.
+//
+package app
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsControllerEnabled(t *testing.T) {
+	tcs := []struct {
+		name                         string
+		controllerName               string
+		controllers                  []string
+		disabledByDefaultControllers []string
+		expected                     bool
+	}{
+		{
+			name:                         "on by name",
+			controllerName:               "bravo",
+			controllers:                  []string{"alpha", "bravo", "-charlie"},
+			disabledByDefaultControllers: []string{"delta", "echo"},
+			expected:                     true,
+		},
+		{
+			name:                         "off by name",
+			controllerName:               "charlie",
+			controllers:                  []string{"alpha", "bravo", "-charlie"},
+			disabledByDefaultControllers: []string{"delta", "echo"},
+			expected:                     false,
+		},
+		{
+			name:                         "on by default",
+			controllerName:               "alpha",
+			controllers:                  []string{"*"},
+			disabledByDefaultControllers: []string{"delta", "echo"},
+			expected:                     true,
+		},
+		{
+			name:                         "off by default",
+			controllerName:               "delta",
+			controllers:                  []string{"*"},
+			disabledByDefaultControllers: []string{"delta", "echo"},
+			expected:                     false,
+		},
+		{
+			name:                         "off by default implicit, no star",
+			controllerName:               "foxtrot",
+			controllers:                  []string{"alpha", "bravo", "-charlie"},
+			disabledByDefaultControllers: []string{"delta", "echo"},
+			expected:                     false,
+		},
+	}
+
+	for _, tc := range tcs {
+		actual := IsControllerEnabled(tc.controllerName, sets.NewString(tc.disabledByDefaultControllers...), tc.controllers...)
+		assert.Equal(t, tc.expected, actual, "%v: expected %v, got %v", tc.name, tc.expected, actual)
+	}
+
+}

vendor/k8s.io/kubernetes/cmd/kube-controller-manager/app/controllermanager.go

@@ -0,0 +1,527 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package app implements a server that runs a set of active
+// components.  This includes replication controllers, service endpoints and
+// nodes.
+//
+package app
+
+import (
+	"fmt"
+	"io/ioutil"
+	"math/rand"
+	"os"
+	"time"
+
+	"github.com/golang/glog"
+	"github.com/spf13/cobra"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/uuid"
+	"k8s.io/apimachinery/pkg/util/wait"
+	cacheddiscovery "k8s.io/client-go/discovery/cached"
+	"k8s.io/client-go/informers"
+	restclient "k8s.io/client-go/rest"
+	"k8s.io/client-go/restmapper"
+	"k8s.io/client-go/tools/leaderelection"
+	"k8s.io/client-go/tools/leaderelection/resourcelock"
+	certutil "k8s.io/client-go/util/cert"
+	genericcontrollermanager "k8s.io/kubernetes/cmd/controller-manager/app"
+	"k8s.io/kubernetes/cmd/kube-controller-manager/app/config"
+	"k8s.io/kubernetes/cmd/kube-controller-manager/app/options"
+	"k8s.io/kubernetes/pkg/apis/componentconfig"
+	"k8s.io/kubernetes/pkg/cloudprovider"
+	"k8s.io/kubernetes/pkg/controller"
+	serviceaccountcontroller "k8s.io/kubernetes/pkg/controller/serviceaccount"
+	"k8s.io/kubernetes/pkg/serviceaccount"
+	"k8s.io/kubernetes/pkg/util/configz"
+	utilflag "k8s.io/kubernetes/pkg/util/flag"
+	"k8s.io/kubernetes/pkg/version"
+	"k8s.io/kubernetes/pkg/version/verflag"
+)
+
+const (
+	// Jitter used when starting controller managers
+	ControllerStartJitter = 1.0
+)
+
+type ControllerLoopMode int
+
+const (
+	IncludeCloudLoops ControllerLoopMode = iota
+	ExternalLoops
+)
+
+// NewControllerManagerCommand creates a *cobra.Command object with default parameters
+func NewControllerManagerCommand() *cobra.Command {
+	s, err := options.NewKubeControllerManagerOptions()
+	if err != nil {
+		glog.Fatalf("unable to initialize command options: %v", err)
+	}
+
+	cmd := &cobra.Command{
+		Use: "kube-controller-manager",
+		Long: `The Kubernetes controller manager is a daemon that embeds
+the core control loops shipped with Kubernetes. In applications of robotics and
+automation, a control loop is a non-terminating loop that regulates the state of
+the system. In Kubernetes, a controller is a control loop that watches the shared
+state of the cluster through the apiserver and makes changes attempting to move the
+current state towards the desired state. Examples of controllers that ship with
+Kubernetes today are the replication controller, endpoints controller, namespace
+controller, and serviceaccounts controller.`,
+		Run: func(cmd *cobra.Command, args []string) {
+			verflag.PrintAndExitIfRequested()
+			utilflag.PrintFlags(cmd.Flags())
+
+			c, err := s.Config(KnownControllers(), ControllersDisabledByDefault.List())
+			if err != nil {
+				fmt.Fprintf(os.Stderr, "%v\n", err)
+				os.Exit(1)
+			}
+
+			if err := Run(c.Complete()); err != nil {
+				fmt.Fprintf(os.Stderr, "%v\n", err)
+				os.Exit(1)
+			}
+		},
+	}
+	s.AddFlags(cmd.Flags(), KnownControllers(), ControllersDisabledByDefault.List())
+
+	return cmd
+}
+
+// ResyncPeriod returns a function which generates a duration each time it is
+// invoked; this is so that multiple controllers don't get into lock-step and all
+// hammer the apiserver with list requests simultaneously.
+func ResyncPeriod(c *config.CompletedConfig) func() time.Duration {
+	return func() time.Duration {
+		factor := rand.Float64() + 1
+		return time.Duration(float64(c.ComponentConfig.GenericComponent.MinResyncPeriod.Nanoseconds()) * factor)
+	}
+}
+
+// Run runs the KubeControllerManagerOptions.  This should never exit.
+func Run(c *config.CompletedConfig) error {
+	// To help debugging, immediately log version
+	glog.Infof("Version: %+v", version.Get())
+
+	if cfgz, err := configz.New("componentconfig"); err == nil {
+		cfgz.Set(c.ComponentConfig)
+	} else {
+		glog.Errorf("unable to register configz: %c", err)
+	}
+
+	// Start the controller manager HTTP server
+	stopCh := make(chan struct{})
+	if c.SecureServing != nil {
+		handler := genericcontrollermanager.NewBaseHandler(&c.ComponentConfig.Debugging)
+		handler = genericcontrollermanager.BuildHandlerChain(handler, &c.Authorization, &c.Authentication)
+		if err := c.SecureServing.Serve(handler, 0, stopCh); err != nil {
+			return err
+		}
+	}
+	if c.InsecureServing != nil {
+		handler := genericcontrollermanager.NewBaseHandler(&c.ComponentConfig.Debugging)
+		handler = genericcontrollermanager.BuildHandlerChain(handler, &c.Authorization, &c.Authentication)
+		if err := c.InsecureServing.Serve(handler, 0, stopCh); err != nil {
+			return err
+		}
+	}
+
+	run := func(stop <-chan struct{}) {
+		rootClientBuilder := controller.SimpleControllerClientBuilder{
+			ClientConfig: c.Kubeconfig,
+		}
+		var clientBuilder controller.ControllerClientBuilder
+		if c.ComponentConfig.KubeCloudShared.UseServiceAccountCredentials {
+			if len(c.ComponentConfig.SAController.ServiceAccountKeyFile) == 0 {
+				// It'c possible another controller process is creating the tokens for us.
+				// If one isn't, we'll timeout and exit when our client builder is unable to create the tokens.
+				glog.Warningf("--use-service-account-credentials was specified without providing a --service-account-private-key-file")
+			}
+			clientBuilder = controller.SAControllerClientBuilder{
+				ClientConfig:         restclient.AnonymousClientConfig(c.Kubeconfig),
+				CoreClient:           c.Client.CoreV1(),
+				AuthenticationClient: c.Client.AuthenticationV1(),
+				Namespace:            "kube-system",
+			}
+		} else {
+			clientBuilder = rootClientBuilder
+		}
+		ctx, err := CreateControllerContext(c, rootClientBuilder, clientBuilder, stop)
+		if err != nil {
+			glog.Fatalf("error building controller context: %v", err)
+		}
+		saTokenControllerInitFunc := serviceAccountTokenControllerStarter{rootClientBuilder: rootClientBuilder}.startServiceAccountTokenController
+
+		if err := StartControllers(ctx, saTokenControllerInitFunc, NewControllerInitializers(ctx.LoopMode)); err != nil {
+			glog.Fatalf("error starting controllers: %v", err)
+		}
+
+		ctx.InformerFactory.Start(ctx.Stop)
+		close(ctx.InformersStarted)
+
+		select {}
+	}
+
+	if !c.ComponentConfig.GenericComponent.LeaderElection.LeaderElect {
+		run(wait.NeverStop)
+		panic("unreachable")
+	}
+
+	id, err := os.Hostname()
+	if err != nil {
+		return err
+	}
+
+	// add a uniquifier so that two processes on the same host don't accidentally both become active
+	id = id + "_" + string(uuid.NewUUID())
+	rl, err := resourcelock.New(c.ComponentConfig.GenericComponent.LeaderElection.ResourceLock,
+		"kube-system",
+		"kube-controller-manager",
+		c.LeaderElectionClient.CoreV1(),
+		resourcelock.ResourceLockConfig{
+			Identity:      id,
+			EventRecorder: c.EventRecorder,
+		})
+	if err != nil {
+		glog.Fatalf("error creating lock: %v", err)
+	}
+
+	leaderelection.RunOrDie(leaderelection.LeaderElectionConfig{
+		Lock:          rl,
+		LeaseDuration: c.ComponentConfig.GenericComponent.LeaderElection.LeaseDuration.Duration,
+		RenewDeadline: c.ComponentConfig.GenericComponent.LeaderElection.RenewDeadline.Duration,
+		RetryPeriod:   c.ComponentConfig.GenericComponent.LeaderElection.RetryPeriod.Duration,
+		Callbacks: leaderelection.LeaderCallbacks{
+			OnStartedLeading: run,
+			OnStoppedLeading: func() {
+				glog.Fatalf("leaderelection lost")
+			},
+		},
+	})
+	panic("unreachable")
+}
+
+type ControllerContext struct {
+	// ClientBuilder will provide a client for this controller to use
+	ClientBuilder controller.ControllerClientBuilder
+
+	// InformerFactory gives access to informers for the controller.
+	InformerFactory informers.SharedInformerFactory
+
+	// ComponentConfig provides access to init options for a given controller
+	ComponentConfig componentconfig.KubeControllerManagerConfiguration
+
+	// DeferredDiscoveryRESTMapper is a RESTMapper that will defer
+	// initialization of the RESTMapper until the first mapping is
+	// requested.
+	RESTMapper *restmapper.DeferredDiscoveryRESTMapper
+
+	// AvailableResources is a map listing currently available resources
+	AvailableResources map[schema.GroupVersionResource]bool
+
+	// Cloud is the cloud provider interface for the controllers to use.
+	// It must be initialized and ready to use.
+	Cloud cloudprovider.Interface
+
+	// Control for which control loops to be run
+	// IncludeCloudLoops is for a kube-controller-manager running all loops
+	// ExternalLoops is for a kube-controller-manager running with a cloud-controller-manager
+	LoopMode ControllerLoopMode
+
+	// Stop is the stop channel
+	Stop <-chan struct{}
+
+	// InformersStarted is closed after all of the controllers have been initialized and are running.  After this point it is safe,
+	// for an individual controller to start the shared informers. Before it is closed, they should not.
+	InformersStarted chan struct{}
+
+	// ResyncPeriod generates a duration each time it is invoked; this is so that
+	// multiple controllers don't get into lock-step and all hammer the apiserver
+	// with list requests simultaneously.
+	ResyncPeriod func() time.Duration
+}
+
+func (c ControllerContext) IsControllerEnabled(name string) bool {
+	return IsControllerEnabled(name, ControllersDisabledByDefault, c.ComponentConfig.Controllers...)
+}
+
+func IsControllerEnabled(name string, disabledByDefaultControllers sets.String, controllers ...string) bool {
+	hasStar := false
+	for _, ctrl := range controllers {
+		if ctrl == name {
+			return true
+		}
+		if ctrl == "-"+name {
+			return false
+		}
+		if ctrl == "*" {
+			hasStar = true
+		}
+	}
+	// if we get here, there was no explicit choice
+	if !hasStar {
+		// nothing on by default
+		return false
+	}
+	if disabledByDefaultControllers.Has(name) {
+		return false
+	}
+
+	return true
+}
+
+// InitFunc is used to launch a particular controller.  It may run additional "should I activate checks".
+// Any error returned will cause the controller process to `Fatal`
+// The bool indicates whether the controller was enabled.
+type InitFunc func(ctx ControllerContext) (bool, error)
+
+func KnownControllers() []string {
+	ret := sets.StringKeySet(NewControllerInitializers(IncludeCloudLoops))
+
+	// add "special" controllers that aren't initialized normally.  These controllers cannot be initialized
+	// using a normal function.  The only known special case is the SA token controller which *must* be started
+	// first to ensure that the SA tokens for future controllers will exist.  Think very carefully before adding
+	// to this list.
+	ret.Insert(
+		saTokenControllerName,
+	)
+
+	return ret.List()
+}
+
+var ControllersDisabledByDefault = sets.NewString(
+	"bootstrapsigner",
+	"tokencleaner",
+)
+
+const (
+	saTokenControllerName = "serviceaccount-token"
+)
+
+// NewControllerInitializers is a public map of named controller groups (you can start more than one in an init func)
+// paired to their InitFunc.  This allows for structured downstream composition and subdivision.
+func NewControllerInitializers(loopMode ControllerLoopMode) map[string]InitFunc {
+	controllers := map[string]InitFunc{}
+	controllers["endpoint"] = startEndpointController
+	controllers["replicationcontroller"] = startReplicationController
+	controllers["podgc"] = startPodGCController
+	controllers["resourcequota"] = startResourceQuotaController
+	controllers["namespace"] = startNamespaceController
+	controllers["serviceaccount"] = startServiceAccountController
+	controllers["garbagecollector"] = startGarbageCollectorController
+	controllers["daemonset"] = startDaemonSetController
+	controllers["job"] = startJobController
+	controllers["deployment"] = startDeploymentController
+	controllers["replicaset"] = startReplicaSetController
+	controllers["horizontalpodautoscaling"] = startHPAController
+	controllers["disruption"] = startDisruptionController
+	controllers["statefulset"] = startStatefulSetController
+	controllers["cronjob"] = startCronJobController
+	controllers["csrsigning"] = startCSRSigningController
+	controllers["csrapproving"] = startCSRApprovingController
+	controllers["csrcleaner"] = startCSRCleanerController
+	controllers["ttl"] = startTTLController
+	controllers["bootstrapsigner"] = startBootstrapSignerController
+	controllers["tokencleaner"] = startTokenCleanerController
+	controllers["nodeipam"] = startNodeIpamController
+	if loopMode == IncludeCloudLoops {
+		controllers["service"] = startServiceController
+		controllers["route"] = startRouteController
+		// TODO: volume controller into the IncludeCloudLoops only set.
+		// TODO: Separate cluster in cloud check from node lifecycle controller.
+	}
+	controllers["nodelifecycle"] = startNodeLifecycleController
+	controllers["persistentvolume-binder"] = startPersistentVolumeBinderController
+	controllers["attachdetach"] = startAttachDetachController
+	controllers["persistentvolume-expander"] = startVolumeExpandController
+	controllers["clusterrole-aggregation"] = startClusterRoleAggregrationController
+	controllers["pvc-protection"] = startPVCProtectionController
+	controllers["pv-protection"] = startPVProtectionController
+
+	return controllers
+}
+
+// TODO: In general, any controller checking this needs to be dynamic so
+//  users don't have to restart their controller manager if they change the apiserver.
+// Until we get there, the structure here needs to be exposed for the construction of a proper ControllerContext.
+func GetAvailableResources(clientBuilder controller.ControllerClientBuilder) (map[schema.GroupVersionResource]bool, error) {
+	client := clientBuilder.ClientOrDie("controller-discovery")
+	discoveryClient := client.Discovery()
+	resourceMap, err := discoveryClient.ServerResources()
+	if err != nil {
+		utilruntime.HandleError(fmt.Errorf("unable to get all supported resources from server: %v", err))
+	}
+	if len(resourceMap) == 0 {
+		return nil, fmt.Errorf("unable to get any supported resources from server")
+	}
+
+	allResources := map[schema.GroupVersionResource]bool{}
+	for _, apiResourceList := range resourceMap {
+		version, err := schema.ParseGroupVersion(apiResourceList.GroupVersion)
+		if err != nil {
+			return nil, err
+		}
+		for _, apiResource := range apiResourceList.APIResources {
+			allResources[version.WithResource(apiResource.Name)] = true
+		}
+	}
+
+	return allResources, nil
+}
+
+// CreateControllerContext creates a context struct containing references to resources needed by the
+// controllers such as the cloud provider and clientBuilder. rootClientBuilder is only used for
+// the shared-informers client and token controller.
+func CreateControllerContext(s *config.CompletedConfig, rootClientBuilder, clientBuilder controller.ControllerClientBuilder, stop <-chan struct{}) (ControllerContext, error) {
+	versionedClient := rootClientBuilder.ClientOrDie("shared-informers")
+	sharedInformers := informers.NewSharedInformerFactory(versionedClient, ResyncPeriod(s)())
+
+	// If apiserver is not running we should wait for some time and fail only then. This is particularly
+	// important when we start apiserver and controller manager at the same time.
+	if err := genericcontrollermanager.WaitForAPIServer(versionedClient, 10*time.Second); err != nil {
+		return ControllerContext{}, fmt.Errorf("failed to wait for apiserver being healthy: %v", err)
+	}
+
+	// Use a discovery client capable of being refreshed.
+	discoveryClient := rootClientBuilder.ClientOrDie("controller-discovery")
+	cachedClient := cacheddiscovery.NewMemCacheClient(discoveryClient.Discovery())
+	restMapper := restmapper.NewDeferredDiscoveryRESTMapper(cachedClient)
+	go wait.Until(func() {
+		restMapper.Reset()
+	}, 30*time.Second, stop)
+
+	availableResources, err := GetAvailableResources(rootClientBuilder)
+	if err != nil {
+		return ControllerContext{}, err
+	}
+
+	cloud, loopMode, err := createCloudProvider(s.ComponentConfig.CloudProvider.Name, s.ComponentConfig.ExternalCloudVolumePlugin,
+		s.ComponentConfig.CloudProvider.CloudConfigFile, s.ComponentConfig.KubeCloudShared.AllowUntaggedCloud, sharedInformers)
+	if err != nil {
+		return ControllerContext{}, err
+	}
+
+	ctx := ControllerContext{
+		ClientBuilder:      clientBuilder,
+		InformerFactory:    sharedInformers,
+		ComponentConfig:    s.ComponentConfig,
+		RESTMapper:         restMapper,
+		AvailableResources: availableResources,
+		Cloud:              cloud,
+		LoopMode:           loopMode,
+		Stop:               stop,
+		InformersStarted:   make(chan struct{}),
+		ResyncPeriod:       ResyncPeriod(s),
+	}
+	return ctx, nil
+}
+
+func StartControllers(ctx ControllerContext, startSATokenController InitFunc, controllers map[string]InitFunc) error {
+	// Always start the SA token controller first using a full-power client, since it needs to mint tokens for the rest
+	// If this fails, just return here and fail since other controllers won't be able to get credentials.
+	if _, err := startSATokenController(ctx); err != nil {
+		return err
+	}
+
+	// Initialize the cloud provider with a reference to the clientBuilder only after token controller
+	// has started in case the cloud provider uses the client builder.
+	if ctx.Cloud != nil {
+		ctx.Cloud.Initialize(ctx.ClientBuilder)
+	}
+
+	for controllerName, initFn := range controllers {
+		if !ctx.IsControllerEnabled(controllerName) {
+			glog.Warningf("%q is disabled", controllerName)
+			continue
+		}
+
+		time.Sleep(wait.Jitter(ctx.ComponentConfig.GenericComponent.ControllerStartInterval.Duration, ControllerStartJitter))
+
+		glog.V(1).Infof("Starting %q", controllerName)
+		started, err := initFn(ctx)
+		if err != nil {
+			glog.Errorf("Error starting %q", controllerName)
+			return err
+		}
+		if !started {
+			glog.Warningf("Skipping %q", controllerName)
+			continue
+		}
+		glog.Infof("Started %q", controllerName)
+	}
+
+	return nil
+}
+
+// serviceAccountTokenControllerStarter is special because it must run first to set up permissions for other controllers.
+// It cannot use the "normal" client builder, so it tracks its own. It must also avoid being included in the "normal"
+// init map so that it can always run first.
+type serviceAccountTokenControllerStarter struct {
+	rootClientBuilder controller.ControllerClientBuilder
+}
+
+func (c serviceAccountTokenControllerStarter) startServiceAccountTokenController(ctx ControllerContext) (bool, error) {
+	if !ctx.IsControllerEnabled(saTokenControllerName) {
+		glog.Warningf("%q is disabled", saTokenControllerName)
+		return false, nil
+	}
+
+	if len(ctx.ComponentConfig.SAController.ServiceAccountKeyFile) == 0 {
+		glog.Warningf("%q is disabled because there is no private key", saTokenControllerName)
+		return false, nil
+	}
+	privateKey, err := certutil.PrivateKeyFromFile(ctx.ComponentConfig.SAController.ServiceAccountKeyFile)
+	if err != nil {
+		return true, fmt.Errorf("error reading key for service account token controller: %v", err)
+	}
+
+	var rootCA []byte
+	if ctx.ComponentConfig.SAController.RootCAFile != "" {
+		rootCA, err = ioutil.ReadFile(ctx.ComponentConfig.SAController.RootCAFile)
+		if err != nil {
+			return true, fmt.Errorf("error reading root-ca-file at %s: %v", ctx.ComponentConfig.SAController.RootCAFile, err)
+		}
+		if _, err := certutil.ParseCertsPEM(rootCA); err != nil {
+			return true, fmt.Errorf("error parsing root-ca-file at %s: %v", ctx.ComponentConfig.SAController.RootCAFile, err)
+		}
+	} else {
+		rootCA = c.rootClientBuilder.ConfigOrDie("tokens-controller").CAData
+	}
+
+	controller, err := serviceaccountcontroller.NewTokensController(
+		ctx.InformerFactory.Core().V1().ServiceAccounts(),
+		ctx.InformerFactory.Core().V1().Secrets(),
+		c.rootClientBuilder.ClientOrDie("tokens-controller"),
+		serviceaccountcontroller.TokensControllerOptions{
+			TokenGenerator: serviceaccount.JWTTokenGenerator(serviceaccount.LegacyIssuer, privateKey),
+			RootCA:         rootCA,
+		},
+	)
+	if err != nil {
+		return true, fmt.Errorf("error creating Tokens controller: %v", err)
+	}
+	go controller.Run(int(ctx.ComponentConfig.SAController.ConcurrentSATokenSyncs), ctx.Stop)
+
+	// start the first set of informers now so that other controllers can start
+	ctx.InformerFactory.Start(ctx.Stop)
+
+	return true, nil
+}

vendor/k8s.io/kubernetes/cmd/kube-controller-manager/app/core.go

@@ -0,0 +1,407 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package app implements a server that runs a set of active
+// components.  This includes replication controllers, service endpoints and
+// nodes.
+//
+package app
+
+import (
+	"fmt"
+	"net"
+	"strings"
+	"time"
+
+	"github.com/golang/glog"
+
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	cacheddiscovery "k8s.io/client-go/discovery/cached"
+	"k8s.io/client-go/dynamic"
+	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/kubernetes/pkg/controller"
+	endpointcontroller "k8s.io/kubernetes/pkg/controller/endpoint"
+	"k8s.io/kubernetes/pkg/controller/garbagecollector"
+	namespacecontroller "k8s.io/kubernetes/pkg/controller/namespace"
+	nodeipamcontroller "k8s.io/kubernetes/pkg/controller/nodeipam"
+	"k8s.io/kubernetes/pkg/controller/nodeipam/ipam"
+	lifecyclecontroller "k8s.io/kubernetes/pkg/controller/nodelifecycle"
+	"k8s.io/kubernetes/pkg/controller/podgc"
+	replicationcontroller "k8s.io/kubernetes/pkg/controller/replication"
+	resourcequotacontroller "k8s.io/kubernetes/pkg/controller/resourcequota"
+	routecontroller "k8s.io/kubernetes/pkg/controller/route"
+	servicecontroller "k8s.io/kubernetes/pkg/controller/service"
+	serviceaccountcontroller "k8s.io/kubernetes/pkg/controller/serviceaccount"
+	ttlcontroller "k8s.io/kubernetes/pkg/controller/ttl"
+	"k8s.io/kubernetes/pkg/controller/volume/attachdetach"
+	"k8s.io/kubernetes/pkg/controller/volume/expand"
+	persistentvolumecontroller "k8s.io/kubernetes/pkg/controller/volume/persistentvolume"
+	"k8s.io/kubernetes/pkg/controller/volume/pvcprotection"
+	"k8s.io/kubernetes/pkg/controller/volume/pvprotection"
+	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/pkg/quota/generic"
+	quotainstall "k8s.io/kubernetes/pkg/quota/install"
+	"k8s.io/kubernetes/pkg/util/metrics"
+)
+
+func startServiceController(ctx ControllerContext) (bool, error) {
+	serviceController, err := servicecontroller.New(
+		ctx.Cloud,
+		ctx.ClientBuilder.ClientOrDie("service-controller"),
+		ctx.InformerFactory.Core().V1().Services(),
+		ctx.InformerFactory.Core().V1().Nodes(),
+		ctx.ComponentConfig.KubeCloudShared.ClusterName,
+	)
+	if err != nil {
+		// This error shouldn't fail. It lives like this as a legacy.
+		glog.Errorf("Failed to start service controller: %v", err)
+		return false, nil
+	}
+	go serviceController.Run(ctx.Stop, int(ctx.ComponentConfig.ServiceController.ConcurrentServiceSyncs))
+	return true, nil
+}
+
+func startNodeIpamController(ctx ControllerContext) (bool, error) {
+	var clusterCIDR *net.IPNet = nil
+	var serviceCIDR *net.IPNet = nil
+
+	if !ctx.ComponentConfig.KubeCloudShared.AllocateNodeCIDRs {
+		return false, nil
+	}
+
+	var err error
+	if len(strings.TrimSpace(ctx.ComponentConfig.KubeCloudShared.ClusterCIDR)) != 0 {
+		_, clusterCIDR, err = net.ParseCIDR(ctx.ComponentConfig.KubeCloudShared.ClusterCIDR)
+		if err != nil {
+			glog.Warningf("Unsuccessful parsing of cluster CIDR %v: %v", ctx.ComponentConfig.KubeCloudShared.ClusterCIDR, err)
+		}
+	}
+
+	if len(strings.TrimSpace(ctx.ComponentConfig.NodeIpamController.ServiceCIDR)) != 0 {
+		_, serviceCIDR, err = net.ParseCIDR(ctx.ComponentConfig.NodeIpamController.ServiceCIDR)
+		if err != nil {
+			glog.Warningf("Unsuccessful parsing of service CIDR %v: %v", ctx.ComponentConfig.NodeIpamController.ServiceCIDR, err)
+		}
+	}
+
+	nodeIpamController, err := nodeipamcontroller.NewNodeIpamController(
+		ctx.InformerFactory.Core().V1().Nodes(),
+		ctx.Cloud,
+		ctx.ClientBuilder.ClientOrDie("node-controller"),
+		clusterCIDR,
+		serviceCIDR,
+		int(ctx.ComponentConfig.NodeIpamController.NodeCIDRMaskSize),
+		ipam.CIDRAllocatorType(ctx.ComponentConfig.KubeCloudShared.CIDRAllocatorType),
+	)
+	if err != nil {
+		return true, err
+	}
+	go nodeIpamController.Run(ctx.Stop)
+	return true, nil
+}
+
+func startNodeLifecycleController(ctx ControllerContext) (bool, error) {
+	lifecycleController, err := lifecyclecontroller.NewNodeLifecycleController(
+		ctx.InformerFactory.Core().V1().Pods(),
+		ctx.InformerFactory.Core().V1().Nodes(),
+		ctx.InformerFactory.Extensions().V1beta1().DaemonSets(),
+		ctx.Cloud,
+		ctx.ClientBuilder.ClientOrDie("node-controller"),
+		ctx.ComponentConfig.KubeCloudShared.NodeMonitorPeriod.Duration,
+		ctx.ComponentConfig.NodeLifecycleController.NodeStartupGracePeriod.Duration,
+		ctx.ComponentConfig.NodeLifecycleController.NodeMonitorGracePeriod.Duration,
+		ctx.ComponentConfig.NodeLifecycleController.PodEvictionTimeout.Duration,
+		ctx.ComponentConfig.NodeLifecycleController.NodeEvictionRate,
+		ctx.ComponentConfig.NodeLifecycleController.SecondaryNodeEvictionRate,
+		ctx.ComponentConfig.NodeLifecycleController.LargeClusterSizeThreshold,
+		ctx.ComponentConfig.NodeLifecycleController.UnhealthyZoneThreshold,
+		ctx.ComponentConfig.NodeLifecycleController.EnableTaintManager,
+		utilfeature.DefaultFeatureGate.Enabled(features.TaintBasedEvictions),
+		utilfeature.DefaultFeatureGate.Enabled(features.TaintNodesByCondition),
+	)
+	if err != nil {
+		return true, err
+	}
+	go lifecycleController.Run(ctx.Stop)
+	return true, nil
+}
+
+func startRouteController(ctx ControllerContext) (bool, error) {
+	if !ctx.ComponentConfig.KubeCloudShared.AllocateNodeCIDRs || !ctx.ComponentConfig.KubeCloudShared.ConfigureCloudRoutes {
+		glog.Infof("Will not configure cloud provider routes for allocate-node-cidrs: %v, configure-cloud-routes: %v.", ctx.ComponentConfig.KubeCloudShared.AllocateNodeCIDRs, ctx.ComponentConfig.KubeCloudShared.ConfigureCloudRoutes)
+		return false, nil
+	}
+	if ctx.Cloud == nil {
+		glog.Warning("configure-cloud-routes is set, but no cloud provider specified. Will not configure cloud provider routes.")
+		return false, nil
+	}
+	routes, ok := ctx.Cloud.Routes()
+	if !ok {
+		glog.Warning("configure-cloud-routes is set, but cloud provider does not support routes. Will not configure cloud provider routes.")
+		return false, nil
+	}
+	_, clusterCIDR, err := net.ParseCIDR(ctx.ComponentConfig.KubeCloudShared.ClusterCIDR)
+	if err != nil {
+		glog.Warningf("Unsuccessful parsing of cluster CIDR %v: %v", ctx.ComponentConfig.KubeCloudShared.ClusterCIDR, err)
+	}
+	routeController := routecontroller.New(routes, ctx.ClientBuilder.ClientOrDie("route-controller"), ctx.InformerFactory.Core().V1().Nodes(), ctx.ComponentConfig.KubeCloudShared.ClusterName, clusterCIDR)
+	go routeController.Run(ctx.Stop, ctx.ComponentConfig.KubeCloudShared.RouteReconciliationPeriod.Duration)
+	return true, nil
+}
+
+func startPersistentVolumeBinderController(ctx ControllerContext) (bool, error) {
+	params := persistentvolumecontroller.ControllerParameters{
+		KubeClient:                ctx.ClientBuilder.ClientOrDie("persistent-volume-binder"),
+		SyncPeriod:                ctx.ComponentConfig.PersistentVolumeBinderController.PVClaimBinderSyncPeriod.Duration,
+		VolumePlugins:             ProbeControllerVolumePlugins(ctx.Cloud, ctx.ComponentConfig.PersistentVolumeBinderController.VolumeConfiguration),
+		Cloud:                     ctx.Cloud,
+		ClusterName:               ctx.ComponentConfig.KubeCloudShared.ClusterName,
+		VolumeInformer:            ctx.InformerFactory.Core().V1().PersistentVolumes(),
+		ClaimInformer:             ctx.InformerFactory.Core().V1().PersistentVolumeClaims(),
+		ClassInformer:             ctx.InformerFactory.Storage().V1().StorageClasses(),
+		PodInformer:               ctx.InformerFactory.Core().V1().Pods(),
+		NodeInformer:              ctx.InformerFactory.Core().V1().Nodes(),
+		EnableDynamicProvisioning: ctx.ComponentConfig.PersistentVolumeBinderController.VolumeConfiguration.EnableDynamicProvisioning,
+	}
+	volumeController, volumeControllerErr := persistentvolumecontroller.NewController(params)
+	if volumeControllerErr != nil {
+		return true, fmt.Errorf("failed to construct persistentvolume controller: %v", volumeControllerErr)
+	}
+	go volumeController.Run(ctx.Stop)
+	return true, nil
+}
+
+func startAttachDetachController(ctx ControllerContext) (bool, error) {
+	if ctx.ComponentConfig.AttachDetachController.ReconcilerSyncLoopPeriod.Duration < time.Second {
+		return true, fmt.Errorf("Duration time must be greater than one second as set via command line option reconcile-sync-loop-period.")
+	}
+	attachDetachController, attachDetachControllerErr :=
+		attachdetach.NewAttachDetachController(
+			ctx.ClientBuilder.ClientOrDie("attachdetach-controller"),
+			ctx.InformerFactory.Core().V1().Pods(),
+			ctx.InformerFactory.Core().V1().Nodes(),
+			ctx.InformerFactory.Core().V1().PersistentVolumeClaims(),
+			ctx.InformerFactory.Core().V1().PersistentVolumes(),
+			ctx.Cloud,
+			ProbeAttachableVolumePlugins(),
+			GetDynamicPluginProber(ctx.ComponentConfig.PersistentVolumeBinderController.VolumeConfiguration),
+			ctx.ComponentConfig.AttachDetachController.DisableAttachDetachReconcilerSync,
+			ctx.ComponentConfig.AttachDetachController.ReconcilerSyncLoopPeriod.Duration,
+			attachdetach.DefaultTimerConfig,
+		)
+	if attachDetachControllerErr != nil {
+		return true, fmt.Errorf("failed to start attach/detach controller: %v", attachDetachControllerErr)
+	}
+	go attachDetachController.Run(ctx.Stop)
+	return true, nil
+}
+
+func startVolumeExpandController(ctx ControllerContext) (bool, error) {
+	if utilfeature.DefaultFeatureGate.Enabled(features.ExpandPersistentVolumes) {
+		expandController, expandControllerErr := expand.NewExpandController(
+			ctx.ClientBuilder.ClientOrDie("expand-controller"),
+			ctx.InformerFactory.Core().V1().PersistentVolumeClaims(),
+			ctx.InformerFactory.Core().V1().PersistentVolumes(),
+			ctx.Cloud,
+			ProbeExpandableVolumePlugins(ctx.ComponentConfig.PersistentVolumeBinderController.VolumeConfiguration))
+
+		if expandControllerErr != nil {
+			return true, fmt.Errorf("Failed to start volume expand controller : %v", expandControllerErr)
+		}
+		go expandController.Run(ctx.Stop)
+		return true, nil
+	}
+	return false, nil
+}
+
+func startEndpointController(ctx ControllerContext) (bool, error) {
+	go endpointcontroller.NewEndpointController(
+		ctx.InformerFactory.Core().V1().Pods(),
+		ctx.InformerFactory.Core().V1().Services(),
+		ctx.InformerFactory.Core().V1().Endpoints(),
+		ctx.ClientBuilder.ClientOrDie("endpoint-controller"),
+	).Run(int(ctx.ComponentConfig.EndPointController.ConcurrentEndpointSyncs), ctx.Stop)
+	return true, nil
+}
+
+func startReplicationController(ctx ControllerContext) (bool, error) {
+	go replicationcontroller.NewReplicationManager(
+		ctx.InformerFactory.Core().V1().Pods(),
+		ctx.InformerFactory.Core().V1().ReplicationControllers(),
+		ctx.ClientBuilder.ClientOrDie("replication-controller"),
+		replicationcontroller.BurstReplicas,
+	).Run(int(ctx.ComponentConfig.ReplicationController.ConcurrentRCSyncs), ctx.Stop)
+	return true, nil
+}
+
+func startPodGCController(ctx ControllerContext) (bool, error) {
+	go podgc.NewPodGC(
+		ctx.ClientBuilder.ClientOrDie("pod-garbage-collector"),
+		ctx.InformerFactory.Core().V1().Pods(),
+		int(ctx.ComponentConfig.PodGCController.TerminatedPodGCThreshold),
+	).Run(ctx.Stop)
+	return true, nil
+}
+
+func startResourceQuotaController(ctx ControllerContext) (bool, error) {
+	resourceQuotaControllerClient := ctx.ClientBuilder.ClientOrDie("resourcequota-controller")
+	discoveryFunc := resourceQuotaControllerClient.Discovery().ServerPreferredNamespacedResources
+	listerFuncForResource := generic.ListerFuncForResourceFunc(ctx.InformerFactory.ForResource)
+	quotaConfiguration := quotainstall.NewQuotaConfigurationForControllers(listerFuncForResource)
+
+	resourceQuotaControllerOptions := &resourcequotacontroller.ResourceQuotaControllerOptions{
+		QuotaClient:               resourceQuotaControllerClient.CoreV1(),
+		ResourceQuotaInformer:     ctx.InformerFactory.Core().V1().ResourceQuotas(),
+		ResyncPeriod:              controller.StaticResyncPeriodFunc(ctx.ComponentConfig.ResourceQuotaController.ResourceQuotaSyncPeriod.Duration),
+		InformerFactory:           ctx.InformerFactory,
+		ReplenishmentResyncPeriod: ctx.ResyncPeriod,
+		DiscoveryFunc:             discoveryFunc,
+		IgnoredResourcesFunc:      quotaConfiguration.IgnoredResources,
+		InformersStarted:          ctx.InformersStarted,
+		Registry:                  generic.NewRegistry(quotaConfiguration.Evaluators()),
+	}
+	if resourceQuotaControllerClient.CoreV1().RESTClient().GetRateLimiter() != nil {
+		if err := metrics.RegisterMetricAndTrackRateLimiterUsage("resource_quota_controller", resourceQuotaControllerClient.CoreV1().RESTClient().GetRateLimiter()); err != nil {
+			return true, err
+		}
+	}
+
+	resourceQuotaController, err := resourcequotacontroller.NewResourceQuotaController(resourceQuotaControllerOptions)
+	if err != nil {
+		return false, err
+	}
+	go resourceQuotaController.Run(int(ctx.ComponentConfig.ResourceQuotaController.ConcurrentResourceQuotaSyncs), ctx.Stop)
+
+	// Periodically the quota controller to detect new resource types
+	go resourceQuotaController.Sync(discoveryFunc, 30*time.Second, ctx.Stop)
+
+	return true, nil
+}
+
+func startNamespaceController(ctx ControllerContext) (bool, error) {
+	// the namespace cleanup controller is very chatty.  It makes lots of discovery calls and then it makes lots of delete calls
+	// the ratelimiter negatively affects its speed.  Deleting 100 total items in a namespace (that's only a few of each resource
+	// including events), takes ~10 seconds by default.
+	nsKubeconfig := ctx.ClientBuilder.ConfigOrDie("namespace-controller")
+	nsKubeconfig.QPS *= 20
+	nsKubeconfig.Burst *= 100
+	namespaceKubeClient := clientset.NewForConfigOrDie(nsKubeconfig)
+
+	dynamicClient, err := dynamic.NewForConfig(nsKubeconfig)
+	if err != nil {
+		return true, err
+	}
+
+	discoverResourcesFn := namespaceKubeClient.Discovery().ServerPreferredNamespacedResources
+
+	namespaceController := namespacecontroller.NewNamespaceController(
+		namespaceKubeClient,
+		dynamicClient,
+		discoverResourcesFn,
+		ctx.InformerFactory.Core().V1().Namespaces(),
+		ctx.ComponentConfig.NamespaceController.NamespaceSyncPeriod.Duration,
+		v1.FinalizerKubernetes,
+	)
+	go namespaceController.Run(int(ctx.ComponentConfig.NamespaceController.ConcurrentNamespaceSyncs), ctx.Stop)
+
+	return true, nil
+}
+
+func startServiceAccountController(ctx ControllerContext) (bool, error) {
+	sac, err := serviceaccountcontroller.NewServiceAccountsController(
+		ctx.InformerFactory.Core().V1().ServiceAccounts(),
+		ctx.InformerFactory.Core().V1().Namespaces(),
+		ctx.ClientBuilder.ClientOrDie("service-account-controller"),
+		serviceaccountcontroller.DefaultServiceAccountsControllerOptions(),
+	)
+	if err != nil {
+		return true, fmt.Errorf("error creating ServiceAccount controller: %v", err)
+	}
+	go sac.Run(1, ctx.Stop)
+	return true, nil
+}
+
+func startTTLController(ctx ControllerContext) (bool, error) {
+	go ttlcontroller.NewTTLController(
+		ctx.InformerFactory.Core().V1().Nodes(),
+		ctx.ClientBuilder.ClientOrDie("ttl-controller"),
+	).Run(5, ctx.Stop)
+	return true, nil
+}
+
+func startGarbageCollectorController(ctx ControllerContext) (bool, error) {
+	if !ctx.ComponentConfig.GarbageCollectorController.EnableGarbageCollector {
+		return false, nil
+	}
+
+	gcClientset := ctx.ClientBuilder.ClientOrDie("generic-garbage-collector")
+	discoveryClient := cacheddiscovery.NewMemCacheClient(gcClientset.Discovery())
+
+	config := ctx.ClientBuilder.ConfigOrDie("generic-garbage-collector")
+	dynamicClient, err := dynamic.NewForConfig(config)
+	if err != nil {
+		return true, err
+	}
+
+	// Get an initial set of deletable resources to prime the garbage collector.
+	deletableResources := garbagecollector.GetDeletableResources(discoveryClient)
+	ignoredResources := make(map[schema.GroupResource]struct{})
+	for _, r := range ctx.ComponentConfig.GarbageCollectorController.GCIgnoredResources {
+		ignoredResources[schema.GroupResource{Group: r.Group, Resource: r.Resource}] = struct{}{}
+	}
+	garbageCollector, err := garbagecollector.NewGarbageCollector(
+		dynamicClient,
+		ctx.RESTMapper,
+		deletableResources,
+		ignoredResources,
+		ctx.InformerFactory,
+		ctx.InformersStarted,
+	)
+	if err != nil {
+		return true, fmt.Errorf("Failed to start the generic garbage collector: %v", err)
+	}
+
+	// Start the garbage collector.
+	workers := int(ctx.ComponentConfig.GarbageCollectorController.ConcurrentGCSyncs)
+	go garbageCollector.Run(workers, ctx.Stop)
+
+	// Periodically refresh the RESTMapper with new discovery information and sync
+	// the garbage collector.
+	go garbageCollector.Sync(gcClientset.Discovery(), 30*time.Second, ctx.Stop)
+
+	return true, nil
+}
+
+func startPVCProtectionController(ctx ControllerContext) (bool, error) {
+	go pvcprotection.NewPVCProtectionController(
+		ctx.InformerFactory.Core().V1().PersistentVolumeClaims(),
+		ctx.InformerFactory.Core().V1().Pods(),
+		ctx.ClientBuilder.ClientOrDie("pvc-protection-controller"),
+		utilfeature.DefaultFeatureGate.Enabled(features.StorageObjectInUseProtection),
+	).Run(1, ctx.Stop)
+	return true, nil
+}
+
+func startPVProtectionController(ctx ControllerContext) (bool, error) {
+	go pvprotection.NewPVProtectionController(
+		ctx.InformerFactory.Core().V1().PersistentVolumes(),
+		ctx.ClientBuilder.ClientOrDie("pv-protection-controller"),
+		utilfeature.DefaultFeatureGate.Enabled(features.StorageObjectInUseProtection),
+	).Run(1, ctx.Stop)
+	return true, nil
+}

vendor/k8s.io/kubernetes/cmd/kube-controller-manager/app/import_known_versions.go

@@ -0,0 +1,37 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// TODO: Remove this file when namespace controller and garbage collector
+// stops using legacyscheme.Registry.RESTMapper()
+package app
+
+// These imports are the API groups the client will support.
+import (
+	_ "k8s.io/kubernetes/pkg/apis/apps/install"
+	_ "k8s.io/kubernetes/pkg/apis/authentication/install"
+	_ "k8s.io/kubernetes/pkg/apis/authorization/install"
+	_ "k8s.io/kubernetes/pkg/apis/autoscaling/install"
+	_ "k8s.io/kubernetes/pkg/apis/batch/install"
+	_ "k8s.io/kubernetes/pkg/apis/certificates/install"
+	_ "k8s.io/kubernetes/pkg/apis/core/install"
+	_ "k8s.io/kubernetes/pkg/apis/events/install"
+	_ "k8s.io/kubernetes/pkg/apis/extensions/install"
+	_ "k8s.io/kubernetes/pkg/apis/policy/install"
+	_ "k8s.io/kubernetes/pkg/apis/rbac/install"
+	_ "k8s.io/kubernetes/pkg/apis/scheduling/install"
+	_ "k8s.io/kubernetes/pkg/apis/settings/install"
+	_ "k8s.io/kubernetes/pkg/apis/storage/install"
+)

vendor/k8s.io/kubernetes/cmd/kube-controller-manager/app/options/BUILD

@@ -0,0 +1,64 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["options.go"],
+    importpath = "k8s.io/kubernetes/cmd/kube-controller-manager/app/options",
+    deps = [
+        "//cmd/controller-manager/app/options:go_default_library",
+        "//cmd/kube-controller-manager/app/config:go_default_library",
+        "//pkg/api/legacyscheme:go_default_library",
+        "//pkg/apis/componentconfig:go_default_library",
+        "//pkg/apis/componentconfig/v1alpha1:go_default_library",
+        "//pkg/controller/garbagecollector:go_default_library",
+        "//pkg/features:go_default_library",
+        "//pkg/master/ports:go_default_library",
+        "//vendor/github.com/golang/glog:go_default_library",
+        "//vendor/github.com/spf13/pflag:go_default_library",
+        "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/server/options:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
+        "//vendor/k8s.io/client-go/kubernetes:go_default_library",
+        "//vendor/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
+        "//vendor/k8s.io/client-go/rest:go_default_library",
+        "//vendor/k8s.io/client-go/tools/clientcmd:go_default_library",
+        "//vendor/k8s.io/client-go/tools/record:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["options_test.go"],
+    embed = [":go_default_library"],
+    tags = ["automanaged"],
+    deps = [
+        "//cmd/controller-manager/app/options:go_default_library",
+        "//pkg/apis/componentconfig:go_default_library",
+        "//vendor/github.com/spf13/pflag:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/server/options:go_default_library",
+    ],
+)

vendor/k8s.io/kubernetes/cmd/kube-controller-manager/app/options/options.go

@@ -0,0 +1,448 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package options provides the flags used for the controller manager.
+//
+package options
+
+import (
+	"fmt"
+	"net"
+	"strings"
+
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apimachinery/pkg/util/sets"
+	apiserveroptions "k8s.io/apiserver/pkg/server/options"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/client-go/kubernetes"
+	clientset "k8s.io/client-go/kubernetes"
+	v1core "k8s.io/client-go/kubernetes/typed/core/v1"
+	restclient "k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/client-go/tools/record"
+	cmoptions "k8s.io/kubernetes/cmd/controller-manager/app/options"
+	kubecontrollerconfig "k8s.io/kubernetes/cmd/kube-controller-manager/app/config"
+	"k8s.io/kubernetes/pkg/api/legacyscheme"
+	"k8s.io/kubernetes/pkg/apis/componentconfig"
+	componentconfigv1alpha1 "k8s.io/kubernetes/pkg/apis/componentconfig/v1alpha1"
+	"k8s.io/kubernetes/pkg/controller/garbagecollector"
+	"k8s.io/kubernetes/pkg/master/ports"
+	// add the kubernetes feature gates
+	_ "k8s.io/kubernetes/pkg/features"
+
+	"github.com/golang/glog"
+	"github.com/spf13/pflag"
+)
+
+// KubeControllerManagerOptions is the main context object for the kube-controller manager.
+type KubeControllerManagerOptions struct {
+	CloudProvider    *cmoptions.CloudProviderOptions
+	Debugging        *cmoptions.DebuggingOptions
+	GenericComponent *cmoptions.GenericComponentConfigOptions
+	KubeCloudShared  *cmoptions.KubeCloudSharedOptions
+
+	AttachDetachController           *cmoptions.AttachDetachControllerOptions
+	CSRSigningController             *cmoptions.CSRSigningControllerOptions
+	DaemonSetController              *cmoptions.DaemonSetControllerOptions
+	DeploymentController             *cmoptions.DeploymentControllerOptions
+	DeprecatedFlags                  *cmoptions.DeprecatedControllerOptions
+	EndPointController               *cmoptions.EndPointControllerOptions
+	GarbageCollectorController       *cmoptions.GarbageCollectorControllerOptions
+	HPAController                    *cmoptions.HPAControllerOptions
+	JobController                    *cmoptions.JobControllerOptions
+	NamespaceController              *cmoptions.NamespaceControllerOptions
+	NodeIpamController               *cmoptions.NodeIpamControllerOptions
+	NodeLifecycleController          *cmoptions.NodeLifecycleControllerOptions
+	PersistentVolumeBinderController *cmoptions.PersistentVolumeBinderControllerOptions
+	PodGCController                  *cmoptions.PodGCControllerOptions
+	ReplicaSetController             *cmoptions.ReplicaSetControllerOptions
+	ReplicationController            *cmoptions.ReplicationControllerOptions
+	ResourceQuotaController          *cmoptions.ResourceQuotaControllerOptions
+	SAController                     *cmoptions.SAControllerOptions
+	ServiceController                *cmoptions.ServiceControllerOptions
+
+	Controllers               []string
+	ExternalCloudVolumePlugin string
+
+	SecureServing *apiserveroptions.SecureServingOptions
+	// TODO: remove insecure serving mode
+	InsecureServing *cmoptions.InsecureServingOptions
+	Authentication  *apiserveroptions.DelegatingAuthenticationOptions
+	Authorization   *apiserveroptions.DelegatingAuthorizationOptions
+
+	Master     string
+	Kubeconfig string
+}
+
+// NewKubeControllerManagerOptions creates a new KubeControllerManagerOptions with a default config.
+func NewKubeControllerManagerOptions() (*KubeControllerManagerOptions, error) {
+	componentConfig, err := NewDefaultComponentConfig(ports.InsecureKubeControllerManagerPort)
+	if err != nil {
+		return nil, err
+	}
+
+	s := KubeControllerManagerOptions{
+		CloudProvider:    &cmoptions.CloudProviderOptions{},
+		Debugging:        &cmoptions.DebuggingOptions{},
+		GenericComponent: cmoptions.NewGenericComponentConfigOptions(componentConfig.GenericComponent),
+		KubeCloudShared:  cmoptions.NewKubeCloudSharedOptions(componentConfig.KubeCloudShared),
+		AttachDetachController: &cmoptions.AttachDetachControllerOptions{
+			ReconcilerSyncLoopPeriod: componentConfig.AttachDetachController.ReconcilerSyncLoopPeriod,
+		},
+		CSRSigningController: &cmoptions.CSRSigningControllerOptions{
+			ClusterSigningCertFile: componentConfig.CSRSigningController.ClusterSigningCertFile,
+			ClusterSigningKeyFile:  componentConfig.CSRSigningController.ClusterSigningKeyFile,
+			ClusterSigningDuration: componentConfig.CSRSigningController.ClusterSigningDuration,
+		},
+		DaemonSetController: &cmoptions.DaemonSetControllerOptions{
+			ConcurrentDaemonSetSyncs: componentConfig.DaemonSetController.ConcurrentDaemonSetSyncs,
+		},
+		DeploymentController: &cmoptions.DeploymentControllerOptions{
+			ConcurrentDeploymentSyncs:      componentConfig.DeploymentController.ConcurrentDeploymentSyncs,
+			DeploymentControllerSyncPeriod: componentConfig.DeploymentController.DeploymentControllerSyncPeriod,
+		},
+		DeprecatedFlags: &cmoptions.DeprecatedControllerOptions{
+			RegisterRetryCount: componentConfig.DeprecatedController.RegisterRetryCount,
+		},
+		EndPointController: &cmoptions.EndPointControllerOptions{
+			ConcurrentEndpointSyncs: componentConfig.EndPointController.ConcurrentEndpointSyncs,
+		},
+		GarbageCollectorController: &cmoptions.GarbageCollectorControllerOptions{
+			ConcurrentGCSyncs:      componentConfig.GarbageCollectorController.ConcurrentGCSyncs,
+			EnableGarbageCollector: componentConfig.GarbageCollectorController.EnableGarbageCollector,
+		},
+		HPAController: &cmoptions.HPAControllerOptions{
+			HorizontalPodAutoscalerSyncPeriod:               componentConfig.HPAController.HorizontalPodAutoscalerSyncPeriod,
+			HorizontalPodAutoscalerUpscaleForbiddenWindow:   componentConfig.HPAController.HorizontalPodAutoscalerUpscaleForbiddenWindow,
+			HorizontalPodAutoscalerDownscaleForbiddenWindow: componentConfig.HPAController.HorizontalPodAutoscalerDownscaleForbiddenWindow,
+			HorizontalPodAutoscalerTolerance:                componentConfig.HPAController.HorizontalPodAutoscalerTolerance,
+			HorizontalPodAutoscalerUseRESTClients:           componentConfig.HPAController.HorizontalPodAutoscalerUseRESTClients,
+		},
+		JobController: &cmoptions.JobControllerOptions{
+			ConcurrentJobSyncs: componentConfig.JobController.ConcurrentJobSyncs,
+		},
+		NamespaceController: &cmoptions.NamespaceControllerOptions{
+			NamespaceSyncPeriod:      componentConfig.NamespaceController.NamespaceSyncPeriod,
+			ConcurrentNamespaceSyncs: componentConfig.NamespaceController.ConcurrentNamespaceSyncs,
+		},
+		NodeIpamController: &cmoptions.NodeIpamControllerOptions{
+			NodeCIDRMaskSize: componentConfig.NodeIpamController.NodeCIDRMaskSize,
+		},
+		NodeLifecycleController: &cmoptions.NodeLifecycleControllerOptions{
+			EnableTaintManager:     componentConfig.NodeLifecycleController.EnableTaintManager,
+			NodeMonitorGracePeriod: componentConfig.NodeLifecycleController.NodeMonitorGracePeriod,
+			NodeStartupGracePeriod: componentConfig.NodeLifecycleController.NodeStartupGracePeriod,
+			PodEvictionTimeout:     componentConfig.NodeLifecycleController.PodEvictionTimeout,
+		},
+		PersistentVolumeBinderController: &cmoptions.PersistentVolumeBinderControllerOptions{
+			PVClaimBinderSyncPeriod: componentConfig.PersistentVolumeBinderController.PVClaimBinderSyncPeriod,
+			VolumeConfiguration:     componentConfig.PersistentVolumeBinderController.VolumeConfiguration,
+		},
+		PodGCController: &cmoptions.PodGCControllerOptions{
+			TerminatedPodGCThreshold: componentConfig.PodGCController.TerminatedPodGCThreshold,
+		},
+		ReplicaSetController: &cmoptions.ReplicaSetControllerOptions{
+			ConcurrentRSSyncs: componentConfig.ReplicaSetController.ConcurrentRSSyncs,
+		},
+		ReplicationController: &cmoptions.ReplicationControllerOptions{
+			ConcurrentRCSyncs: componentConfig.ReplicationController.ConcurrentRCSyncs,
+		},
+		ResourceQuotaController: &cmoptions.ResourceQuotaControllerOptions{
+			ResourceQuotaSyncPeriod:      componentConfig.ResourceQuotaController.ResourceQuotaSyncPeriod,
+			ConcurrentResourceQuotaSyncs: componentConfig.ResourceQuotaController.ConcurrentResourceQuotaSyncs,
+		},
+		SAController: &cmoptions.SAControllerOptions{
+			ConcurrentSATokenSyncs: componentConfig.SAController.ConcurrentSATokenSyncs,
+		},
+		ServiceController: &cmoptions.ServiceControllerOptions{
+			ConcurrentServiceSyncs: componentConfig.ServiceController.ConcurrentServiceSyncs,
+		},
+		Controllers:   componentConfig.Controllers,
+		SecureServing: apiserveroptions.NewSecureServingOptions(),
+		InsecureServing: &cmoptions.InsecureServingOptions{
+			BindAddress: net.ParseIP(componentConfig.KubeCloudShared.Address),
+			BindPort:    int(componentConfig.KubeCloudShared.Port),
+			BindNetwork: "tcp",
+		},
+		Authentication: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthenticationOptions()
+		Authorization:  nil, // TODO: enable with apiserveroptions.NewDelegatingAuthorizationOptions()
+	}
+
+	s.SecureServing.ServerCert.CertDirectory = "/var/run/kubernetes"
+	s.SecureServing.ServerCert.PairName = "kube-controller-manager"
+
+	// disable secure serving for now
+	// TODO: enable HTTPS by default
+	s.SecureServing.BindPort = 0
+
+	gcIgnoredResources := make([]componentconfig.GroupResource, 0, len(garbagecollector.DefaultIgnoredResources()))
+	for r := range garbagecollector.DefaultIgnoredResources() {
+		gcIgnoredResources = append(gcIgnoredResources, componentconfig.GroupResource{Group: r.Group, Resource: r.Resource})
+	}
+
+	s.GarbageCollectorController.GCIgnoredResources = gcIgnoredResources
+
+	return &s, nil
+}
+
+// NewDefaultComponentConfig returns kube-controller manager configuration object.
+func NewDefaultComponentConfig(insecurePort int32) (componentconfig.KubeControllerManagerConfiguration, error) {
+	scheme := runtime.NewScheme()
+	componentconfigv1alpha1.AddToScheme(scheme)
+	componentconfig.AddToScheme(scheme)
+
+	versioned := componentconfigv1alpha1.KubeControllerManagerConfiguration{}
+	scheme.Default(&versioned)
+
+	internal := componentconfig.KubeControllerManagerConfiguration{}
+	if err := scheme.Convert(&versioned, &internal, nil); err != nil {
+		return internal, err
+	}
+	internal.KubeCloudShared.Port = insecurePort
+	return internal, nil
+}
+
+// AddFlags adds flags for a specific KubeControllerManagerOptions to the specified FlagSet
+func (s *KubeControllerManagerOptions) AddFlags(fs *pflag.FlagSet, allControllers []string, disabledByDefaultControllers []string) {
+	s.CloudProvider.AddFlags(fs)
+	s.Debugging.AddFlags(fs)
+	s.GenericComponent.AddFlags(fs)
+	s.KubeCloudShared.AddFlags(fs)
+	s.ServiceController.AddFlags(fs)
+
+	s.SecureServing.AddFlags(fs)
+	s.InsecureServing.AddFlags(fs)
+	s.Authentication.AddFlags(fs)
+	s.Authorization.AddFlags(fs)
+
+	s.AttachDetachController.AddFlags(fs)
+	s.CSRSigningController.AddFlags(fs)
+	s.DeploymentController.AddFlags(fs)
+	s.DaemonSetController.AddFlags(fs)
+	s.DeprecatedFlags.AddFlags(fs)
+	s.EndPointController.AddFlags(fs)
+	s.GarbageCollectorController.AddFlags(fs)
+	s.HPAController.AddFlags(fs)
+	s.JobController.AddFlags(fs)
+	s.NamespaceController.AddFlags(fs)
+	s.NodeIpamController.AddFlags(fs)
+	s.NodeLifecycleController.AddFlags(fs)
+	s.PersistentVolumeBinderController.AddFlags(fs)
+	s.PodGCController.AddFlags(fs)
+	s.ReplicaSetController.AddFlags(fs)
+	s.ReplicationController.AddFlags(fs)
+	s.ResourceQuotaController.AddFlags(fs)
+	s.SAController.AddFlags(fs)
+
+	fs.StringVar(&s.Master, "master", s.Master, "The address of the Kubernetes API server (overrides any value in kubeconfig).")
+	fs.StringVar(&s.Kubeconfig, "kubeconfig", s.Kubeconfig, "Path to kubeconfig file with authorization and master location information.")
+	fs.StringSliceVar(&s.Controllers, "controllers", s.Controllers, fmt.Sprintf(""+
+		"A list of controllers to enable.  '*' enables all on-by-default controllers, 'foo' enables the controller "+
+		"named 'foo', '-foo' disables the controller named 'foo'.\nAll controllers: %s\nDisabled-by-default controllers: %s",
+		strings.Join(allControllers, ", "), strings.Join(disabledByDefaultControllers, ", ")))
+	fs.StringVar(&s.ExternalCloudVolumePlugin, "external-cloud-volume-plugin", s.ExternalCloudVolumePlugin, "The plugin to use when cloud provider is set to external. Can be empty, should only be set when cloud-provider is external. Currently used to allow node and volume controllers to work for in tree cloud providers.")
+	var dummy string
+	fs.MarkDeprecated("insecure-experimental-approve-all-kubelet-csrs-for-group", "This flag does nothing.")
+	fs.StringVar(&dummy, "insecure-experimental-approve-all-kubelet-csrs-for-group", "", "This flag does nothing.")
+	utilfeature.DefaultFeatureGate.AddFlag(fs)
+}
+
+// ApplyTo fills up controller manager config with options.
+func (s *KubeControllerManagerOptions) ApplyTo(c *kubecontrollerconfig.Config, userAgent string) error {
+	if err := s.CloudProvider.ApplyTo(&c.ComponentConfig.CloudProvider); err != nil {
+		return err
+	}
+	if err := s.Debugging.ApplyTo(&c.ComponentConfig.Debugging); err != nil {
+		return err
+	}
+	if err := s.GenericComponent.ApplyTo(&c.ComponentConfig.GenericComponent); err != nil {
+		return err
+	}
+	if err := s.KubeCloudShared.ApplyTo(&c.ComponentConfig.KubeCloudShared); err != nil {
+		return err
+	}
+	if err := s.AttachDetachController.ApplyTo(&c.ComponentConfig.AttachDetachController); err != nil {
+		return err
+	}
+	if err := s.CSRSigningController.ApplyTo(&c.ComponentConfig.CSRSigningController); err != nil {
+		return err
+	}
+	if err := s.DaemonSetController.ApplyTo(&c.ComponentConfig.DaemonSetController); err != nil {
+		return err
+	}
+	if err := s.DeploymentController.ApplyTo(&c.ComponentConfig.DeploymentController); err != nil {
+		return err
+	}
+	if err := s.DeprecatedFlags.ApplyTo(&c.ComponentConfig.DeprecatedController); err != nil {
+		return err
+	}
+	if err := s.EndPointController.ApplyTo(&c.ComponentConfig.EndPointController); err != nil {
+		return err
+	}
+	if err := s.GarbageCollectorController.ApplyTo(&c.ComponentConfig.GarbageCollectorController); err != nil {
+		return err
+	}
+	if err := s.HPAController.ApplyTo(&c.ComponentConfig.HPAController); err != nil {
+		return err
+	}
+	if err := s.JobController.ApplyTo(&c.ComponentConfig.JobController); err != nil {
+		return err
+	}
+	if err := s.NamespaceController.ApplyTo(&c.ComponentConfig.NamespaceController); err != nil {
+		return err
+	}
+	if err := s.NodeIpamController.ApplyTo(&c.ComponentConfig.NodeIpamController); err != nil {
+		return err
+	}
+	if err := s.NodeLifecycleController.ApplyTo(&c.ComponentConfig.NodeLifecycleController); err != nil {
+		return err
+	}
+	if err := s.PersistentVolumeBinderController.ApplyTo(&c.ComponentConfig.PersistentVolumeBinderController); err != nil {
+		return err
+	}
+	if err := s.PodGCController.ApplyTo(&c.ComponentConfig.PodGCController); err != nil {
+		return err
+	}
+	if err := s.ReplicaSetController.ApplyTo(&c.ComponentConfig.ReplicaSetController); err != nil {
+		return err
+	}
+	if err := s.ReplicationController.ApplyTo(&c.ComponentConfig.ReplicationController); err != nil {
+		return err
+	}
+	if err := s.ResourceQuotaController.ApplyTo(&c.ComponentConfig.ResourceQuotaController); err != nil {
+		return err
+	}
+	if err := s.SAController.ApplyTo(&c.ComponentConfig.SAController); err != nil {
+		return err
+	}
+	if err := s.ServiceController.ApplyTo(&c.ComponentConfig.ServiceController); err != nil {
+		return err
+	}
+	if err := s.SecureServing.ApplyTo(&c.SecureServing); err != nil {
+		return err
+	}
+	if err := s.InsecureServing.ApplyTo(&c.InsecureServing); err != nil {
+		return err
+	}
+	if err := s.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil {
+		return err
+	}
+	if err := s.Authorization.ApplyTo(&c.Authorization); err != nil {
+		return err
+	}
+
+	// sync back to component config
+	// TODO: find more elegant way than synching back the values.
+	c.ComponentConfig.KubeCloudShared.Port = int32(s.InsecureServing.BindPort)
+	c.ComponentConfig.KubeCloudShared.Address = s.InsecureServing.BindAddress.String()
+
+	var err error
+	c.Kubeconfig, err = clientcmd.BuildConfigFromFlags(s.Master, s.Kubeconfig)
+	if err != nil {
+		return err
+	}
+	c.Kubeconfig.ContentConfig.ContentType = s.GenericComponent.ContentType
+	c.Kubeconfig.QPS = s.GenericComponent.KubeAPIQPS
+	c.Kubeconfig.Burst = int(s.GenericComponent.KubeAPIBurst)
+
+	c.Client, err = clientset.NewForConfig(restclient.AddUserAgent(c.Kubeconfig, userAgent))
+	if err != nil {
+		return err
+	}
+
+	c.LeaderElectionClient = clientset.NewForConfigOrDie(restclient.AddUserAgent(c.Kubeconfig, "leader-election"))
+
+	c.EventRecorder = createRecorder(c.Client, userAgent)
+
+	c.ComponentConfig.Controllers = s.Controllers
+	c.ComponentConfig.ExternalCloudVolumePlugin = s.ExternalCloudVolumePlugin
+
+	return err
+}
+
+// Validate is used to validate the options and config before launching the controller manager
+func (s *KubeControllerManagerOptions) Validate(allControllers []string, disabledByDefaultControllers []string) error {
+	var errs []error
+
+	errs = append(errs, s.CloudProvider.Validate()...)
+	errs = append(errs, s.Debugging.Validate()...)
+	errs = append(errs, s.GenericComponent.Validate()...)
+	errs = append(errs, s.KubeCloudShared.Validate()...)
+	errs = append(errs, s.AttachDetachController.Validate()...)
+	errs = append(errs, s.CSRSigningController.Validate()...)
+	errs = append(errs, s.DaemonSetController.Validate()...)
+	errs = append(errs, s.DeploymentController.Validate()...)
+	errs = append(errs, s.DeprecatedFlags.Validate()...)
+	errs = append(errs, s.EndPointController.Validate()...)
+	errs = append(errs, s.GarbageCollectorController.Validate()...)
+	errs = append(errs, s.HPAController.Validate()...)
+	errs = append(errs, s.JobController.Validate()...)
+	errs = append(errs, s.NamespaceController.Validate()...)
+	errs = append(errs, s.NodeIpamController.Validate()...)
+	errs = append(errs, s.NodeLifecycleController.Validate()...)
+	errs = append(errs, s.PersistentVolumeBinderController.Validate()...)
+	errs = append(errs, s.PodGCController.Validate()...)
+	errs = append(errs, s.ReplicaSetController.Validate()...)
+	errs = append(errs, s.ReplicationController.Validate()...)
+	errs = append(errs, s.ResourceQuotaController.Validate()...)
+	errs = append(errs, s.SAController.Validate()...)
+	errs = append(errs, s.ServiceController.Validate()...)
+	errs = append(errs, s.SecureServing.Validate()...)
+	errs = append(errs, s.InsecureServing.Validate()...)
+	errs = append(errs, s.Authentication.Validate()...)
+	errs = append(errs, s.Authorization.Validate()...)
+
+	// TODO: validate component config, master and kubeconfig
+
+	allControllersSet := sets.NewString(allControllers...)
+	for _, controller := range s.Controllers {
+		if controller == "*" {
+			continue
+		}
+		if strings.HasPrefix(controller, "-") {
+			controller = controller[1:]
+		}
+
+		if !allControllersSet.Has(controller) {
+			errs = append(errs, fmt.Errorf("%q is not in the list of known controllers", controller))
+		}
+	}
+
+	return utilerrors.NewAggregate(errs)
+}
+
+// Config return a controller manager config objective
+func (s KubeControllerManagerOptions) Config(allControllers []string, disabledByDefaultControllers []string) (*kubecontrollerconfig.Config, error) {
+	if err := s.Validate(allControllers, disabledByDefaultControllers); err != nil {
+		return nil, err
+	}
+
+	c := &kubecontrollerconfig.Config{}
+	if err := s.ApplyTo(c, "kube-controller-manager"); err != nil {
+		return nil, err
+	}
+
+	return c, nil
+}
+
+func createRecorder(kubeClient kubernetes.Interface, userAgent string) record.EventRecorder {
+	eventBroadcaster := record.NewBroadcaster()
+	eventBroadcaster.StartLogging(glog.Infof)
+	eventBroadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: kubeClient.CoreV1().Events("")})
+	return eventBroadcaster.NewRecorder(legacyscheme.Scheme, v1.EventSource{Component: userAgent})
+}

vendor/k8s.io/kubernetes/cmd/kube-controller-manager/app/options/options_test.go

@@ -0,0 +1,300 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"net"
+	"reflect"
+	"sort"
+	"testing"
+	"time"
+
+	"github.com/spf13/pflag"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/diff"
+	apiserveroptions "k8s.io/apiserver/pkg/server/options"
+	cmoptions "k8s.io/kubernetes/cmd/controller-manager/app/options"
+	"k8s.io/kubernetes/pkg/apis/componentconfig"
+)
+
+func TestAddFlags(t *testing.T) {
+	f := pflag.NewFlagSet("addflagstest", pflag.ContinueOnError)
+	s, _ := NewKubeControllerManagerOptions()
+	s.AddFlags(f, []string{""}, []string{""})
+
+	args := []string{
+		"--address=192.168.4.10",
+		"--allocate-node-cidrs=true",
+		"--attach-detach-reconcile-sync-period=30s",
+		"--cidr-allocator-type=CloudAllocator",
+		"--cloud-config=/cloud-config",
+		"--cloud-provider=gce",
+		"--cluster-cidr=1.2.3.4/24",
+		"--cluster-name=k8s",
+		"--cluster-signing-cert-file=/cluster-signing-cert",
+		"--cluster-signing-key-file=/cluster-signing-key",
+		"--concurrent-deployment-syncs=10",
+		"--concurrent-endpoint-syncs=10",
+		"--concurrent-gc-syncs=30",
+		"--concurrent-namespace-syncs=20",
+		"--concurrent-replicaset-syncs=10",
+		"--concurrent-resource-quota-syncs=10",
+		"--concurrent-service-syncs=2",
+		"--concurrent-serviceaccount-token-syncs=10",
+		"--concurrent_rc_syncs=10",
+		"--configure-cloud-routes=false",
+		"--contention-profiling=true",
+		"--controller-start-interval=2m",
+		"--controllers=foo,bar",
+		"--deployment-controller-sync-period=45s",
+		"--disable-attach-detach-reconcile-sync=true",
+		"--enable-dynamic-provisioning=false",
+		"--enable-garbage-collector=false",
+		"--enable-hostpath-provisioner=true",
+		"--enable-taint-manager=false",
+		"--experimental-cluster-signing-duration=10h",
+		"--flex-volume-plugin-dir=/flex-volume-plugin",
+		"--horizontal-pod-autoscaler-downscale-delay=2m",
+		"--horizontal-pod-autoscaler-sync-period=45s",
+		"--horizontal-pod-autoscaler-upscale-delay=1m",
+		"--http2-max-streams-per-connection=47",
+		"--kube-api-burst=100",
+		"--kube-api-content-type=application/json",
+		"--kube-api-qps=50.0",
+		"--kubeconfig=/kubeconfig",
+		"--large-cluster-size-threshold=100",
+		"--leader-elect=false",
+		"--leader-elect-lease-duration=30s",
+		"--leader-elect-renew-deadline=15s",
+		"--leader-elect-resource-lock=configmap",
+		"--leader-elect-retry-period=5s",
+		"--master=192.168.4.20",
+		"--min-resync-period=8h",
+		"--namespace-sync-period=10m",
+		"--node-cidr-mask-size=48",
+		"--node-eviction-rate=0.2",
+		"--node-monitor-grace-period=30s",
+		"--node-monitor-period=10s",
+		"--node-startup-grace-period=30s",
+		"--pod-eviction-timeout=2m",
+		"--port=10000",
+		"--profiling=false",
+		"--pv-recycler-increment-timeout-nfs=45",
+		"--pv-recycler-minimum-timeout-hostpath=45",
+		"--pv-recycler-minimum-timeout-nfs=200",
+		"--pv-recycler-timeout-increment-hostpath=45",
+		"--pvclaimbinder-sync-period=30s",
+		"--resource-quota-sync-period=10m",
+		"--route-reconciliation-period=30s",
+		"--secondary-node-eviction-rate=0.05",
+		"--service-account-private-key-file=/service-account-private-key",
+		"--terminated-pod-gc-threshold=12000",
+		"--unhealthy-zone-threshold=0.6",
+		"--use-service-account-credentials=true",
+		"--cert-dir=/a/b/c",
+		"--bind-address=192.168.4.21",
+		"--secure-port=10001",
+	}
+	f.Parse(args)
+	// Sort GCIgnoredResources because it's built from a map, which means the
+	// insertion order is random.
+	sort.Sort(sortedGCIgnoredResources(s.GarbageCollectorController.GCIgnoredResources))
+
+	expected := &KubeControllerManagerOptions{
+		CloudProvider: &cmoptions.CloudProviderOptions{
+			Name:            "gce",
+			CloudConfigFile: "/cloud-config",
+		},
+		Debugging: &cmoptions.DebuggingOptions{
+			EnableProfiling:           false,
+			EnableContentionProfiling: true,
+		},
+		GenericComponent: &cmoptions.GenericComponentConfigOptions{
+			MinResyncPeriod:         metav1.Duration{Duration: 8 * time.Hour},
+			ContentType:             "application/json",
+			KubeAPIQPS:              50.0,
+			KubeAPIBurst:            100,
+			ControllerStartInterval: metav1.Duration{Duration: 2 * time.Minute},
+			LeaderElection: componentconfig.LeaderElectionConfiguration{
+				ResourceLock:  "configmap",
+				LeaderElect:   false,
+				LeaseDuration: metav1.Duration{Duration: 30 * time.Second},
+				RenewDeadline: metav1.Duration{Duration: 15 * time.Second},
+				RetryPeriod:   metav1.Duration{Duration: 5 * time.Second},
+			},
+		},
+		KubeCloudShared: &cmoptions.KubeCloudSharedOptions{
+			Port:    10252,     // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config		 +				AllocateNodeCIDRs:         true,
+			Address: "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+			UseServiceAccountCredentials: true,
+			RouteReconciliationPeriod:    metav1.Duration{Duration: 30 * time.Second},
+			NodeMonitorPeriod:            metav1.Duration{Duration: 10 * time.Second},
+			ClusterName:                  "k8s",
+			ClusterCIDR:                  "1.2.3.4/24",
+			AllocateNodeCIDRs:            true,
+			CIDRAllocatorType:            "CloudAllocator",
+			ConfigureCloudRoutes:         false,
+		},
+		AttachDetachController: &cmoptions.AttachDetachControllerOptions{
+			ReconcilerSyncLoopPeriod:          metav1.Duration{Duration: 30 * time.Second},
+			DisableAttachDetachReconcilerSync: true,
+		},
+		CSRSigningController: &cmoptions.CSRSigningControllerOptions{
+			ClusterSigningCertFile: "/cluster-signing-cert",
+			ClusterSigningKeyFile:  "/cluster-signing-key",
+			ClusterSigningDuration: metav1.Duration{Duration: 10 * time.Hour},
+		},
+		DaemonSetController: &cmoptions.DaemonSetControllerOptions{
+			ConcurrentDaemonSetSyncs: 2,
+		},
+		DeploymentController: &cmoptions.DeploymentControllerOptions{
+			ConcurrentDeploymentSyncs:      10,
+			DeploymentControllerSyncPeriod: metav1.Duration{Duration: 45 * time.Second},
+		},
+		DeprecatedFlags: &cmoptions.DeprecatedControllerOptions{
+			DeletingPodsQPS:    0.1,
+			RegisterRetryCount: 10,
+		},
+		EndPointController: &cmoptions.EndPointControllerOptions{
+			ConcurrentEndpointSyncs: 10,
+		},
+		GarbageCollectorController: &cmoptions.GarbageCollectorControllerOptions{
+			ConcurrentGCSyncs: 30,
+			GCIgnoredResources: []componentconfig.GroupResource{
+				{Group: "extensions", Resource: "replicationcontrollers"},
+				{Group: "", Resource: "bindings"},
+				{Group: "", Resource: "componentstatuses"},
+				{Group: "", Resource: "events"},
+				{Group: "authentication.k8s.io", Resource: "tokenreviews"},
+				{Group: "authorization.k8s.io", Resource: "subjectaccessreviews"},
+				{Group: "authorization.k8s.io", Resource: "selfsubjectaccessreviews"},
+				{Group: "authorization.k8s.io", Resource: "localsubjectaccessreviews"},
+				{Group: "authorization.k8s.io", Resource: "selfsubjectrulesreviews"},
+				{Group: "apiregistration.k8s.io", Resource: "apiservices"},
+				{Group: "apiextensions.k8s.io", Resource: "customresourcedefinitions"},
+			},
+			EnableGarbageCollector: false,
+		},
+		HPAController: &cmoptions.HPAControllerOptions{
+			HorizontalPodAutoscalerSyncPeriod:               metav1.Duration{Duration: 45 * time.Second},
+			HorizontalPodAutoscalerUpscaleForbiddenWindow:   metav1.Duration{Duration: 1 * time.Minute},
+			HorizontalPodAutoscalerDownscaleForbiddenWindow: metav1.Duration{Duration: 2 * time.Minute},
+			HorizontalPodAutoscalerTolerance:                0.1,
+			HorizontalPodAutoscalerUseRESTClients:           true,
+		},
+		JobController: &cmoptions.JobControllerOptions{
+			ConcurrentJobSyncs: 5,
+		},
+		NamespaceController: &cmoptions.NamespaceControllerOptions{
+			NamespaceSyncPeriod:      metav1.Duration{Duration: 10 * time.Minute},
+			ConcurrentNamespaceSyncs: 20,
+		},
+		NodeIpamController: &cmoptions.NodeIpamControllerOptions{
+			NodeCIDRMaskSize: 48,
+		},
+		NodeLifecycleController: &cmoptions.NodeLifecycleControllerOptions{
+			EnableTaintManager:        false,
+			NodeEvictionRate:          0.2,
+			SecondaryNodeEvictionRate: 0.05,
+			NodeMonitorGracePeriod:    metav1.Duration{Duration: 30 * time.Second},
+			NodeStartupGracePeriod:    metav1.Duration{Duration: 30 * time.Second},
+			PodEvictionTimeout:        metav1.Duration{Duration: 2 * time.Minute},
+			LargeClusterSizeThreshold: 100,
+			UnhealthyZoneThreshold:    0.6,
+		},
+		PersistentVolumeBinderController: &cmoptions.PersistentVolumeBinderControllerOptions{
+			PVClaimBinderSyncPeriod: metav1.Duration{Duration: 30 * time.Second},
+			VolumeConfiguration: componentconfig.VolumeConfiguration{
+				EnableDynamicProvisioning:  false,
+				EnableHostPathProvisioning: true,
+				FlexVolumePluginDir:        "/flex-volume-plugin",
+				PersistentVolumeRecyclerConfiguration: componentconfig.PersistentVolumeRecyclerConfiguration{
+					MaximumRetry:             3,
+					MinimumTimeoutNFS:        200,
+					IncrementTimeoutNFS:      45,
+					MinimumTimeoutHostPath:   45,
+					IncrementTimeoutHostPath: 45,
+				},
+			},
+		},
+		PodGCController: &cmoptions.PodGCControllerOptions{
+			TerminatedPodGCThreshold: 12000,
+		},
+		ReplicaSetController: &cmoptions.ReplicaSetControllerOptions{
+			ConcurrentRSSyncs: 10,
+		},
+		ReplicationController: &cmoptions.ReplicationControllerOptions{
+			ConcurrentRCSyncs: 10,
+		},
+		ResourceQuotaController: &cmoptions.ResourceQuotaControllerOptions{
+			ResourceQuotaSyncPeriod:      metav1.Duration{Duration: 10 * time.Minute},
+			ConcurrentResourceQuotaSyncs: 10,
+		},
+		SAController: &cmoptions.SAControllerOptions{
+			ServiceAccountKeyFile:  "/service-account-private-key",
+			ConcurrentSATokenSyncs: 10,
+		},
+		ServiceController: &cmoptions.ServiceControllerOptions{
+			ConcurrentServiceSyncs: 2,
+		},
+		Controllers: []string{"foo", "bar"},
+		SecureServing: &apiserveroptions.SecureServingOptions{
+			BindPort:    10001,
+			BindAddress: net.ParseIP("192.168.4.21"),
+			ServerCert: apiserveroptions.GeneratableKeyCert{
+				CertDirectory: "/a/b/c",
+				PairName:      "kube-controller-manager",
+			},
+			HTTP2MaxStreamsPerConnection: 47,
+		},
+		InsecureServing: &cmoptions.InsecureServingOptions{
+			BindAddress: net.ParseIP("192.168.4.10"),
+			BindPort:    int(10000),
+			BindNetwork: "tcp",
+		},
+		Kubeconfig: "/kubeconfig",
+		Master:     "192.168.4.20",
+	}
+
+	// Sort GCIgnoredResources because it's built from a map, which means the
+	// insertion order is random.
+	sort.Sort(sortedGCIgnoredResources(expected.GarbageCollectorController.GCIgnoredResources))
+
+	if !reflect.DeepEqual(expected, s) {
+		t.Errorf("Got different run options than expected.\nDifference detected on:\n%s", diff.ObjectReflectDiff(expected, s))
+	}
+}
+
+type sortedGCIgnoredResources []componentconfig.GroupResource
+
+func (r sortedGCIgnoredResources) Len() int {
+	return len(r)
+}
+
+func (r sortedGCIgnoredResources) Less(i, j int) bool {
+	if r[i].Group < r[j].Group {
+		return true
+	} else if r[i].Group > r[j].Group {
+		return false
+	}
+	return r[i].Resource < r[j].Resource
+}
+
+func (r sortedGCIgnoredResources) Swap(i, j int) {
+	r[i], r[j] = r[j], r[i]
+}

vendor/k8s.io/kubernetes/cmd/kube-controller-manager/app/plugins.go

@@ -0,0 +1,185 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	// This file exists to force the desired plugin implementations to be linked.
+	// This should probably be part of some configuration fed into the build for a
+	// given binary target.
+
+	"fmt"
+
+	// Cloud providers
+	"k8s.io/kubernetes/pkg/apis/componentconfig"
+	_ "k8s.io/kubernetes/pkg/cloudprovider/providers"
+
+	// Volume plugins
+	"github.com/golang/glog"
+	"k8s.io/kubernetes/pkg/cloudprovider"
+	"k8s.io/kubernetes/pkg/volume"
+	"k8s.io/kubernetes/pkg/volume/aws_ebs"
+	"k8s.io/kubernetes/pkg/volume/azure_dd"
+	"k8s.io/kubernetes/pkg/volume/azure_file"
+	"k8s.io/kubernetes/pkg/volume/cinder"
+	"k8s.io/kubernetes/pkg/volume/csi"
+	"k8s.io/kubernetes/pkg/volume/fc"
+	"k8s.io/kubernetes/pkg/volume/flexvolume"
+	"k8s.io/kubernetes/pkg/volume/flocker"
+	"k8s.io/kubernetes/pkg/volume/gce_pd"
+	"k8s.io/kubernetes/pkg/volume/glusterfs"
+	"k8s.io/kubernetes/pkg/volume/host_path"
+	"k8s.io/kubernetes/pkg/volume/iscsi"
+	"k8s.io/kubernetes/pkg/volume/local"
+	"k8s.io/kubernetes/pkg/volume/nfs"
+	"k8s.io/kubernetes/pkg/volume/photon_pd"
+	"k8s.io/kubernetes/pkg/volume/portworx"
+	"k8s.io/kubernetes/pkg/volume/quobyte"
+	"k8s.io/kubernetes/pkg/volume/rbd"
+	"k8s.io/kubernetes/pkg/volume/scaleio"
+	"k8s.io/kubernetes/pkg/volume/storageos"
+	volumeutil "k8s.io/kubernetes/pkg/volume/util"
+	"k8s.io/kubernetes/pkg/volume/vsphere_volume"
+
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/kubernetes/pkg/features"
+)
+
+// ProbeAttachableVolumePlugins collects all volume plugins for the attach/
+// detach controller.
+// The list of plugins is manually compiled. This code and the plugin
+// initialization code for kubelet really, really need a through refactor.
+func ProbeAttachableVolumePlugins() []volume.VolumePlugin {
+	allPlugins := []volume.VolumePlugin{}
+
+	allPlugins = append(allPlugins, aws_ebs.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, gce_pd.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, cinder.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, portworx.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, vsphere_volume.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, azure_dd.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, photon_pd.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, scaleio.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, storageos.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, fc.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, iscsi.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, rbd.ProbeVolumePlugins()...)
+	if utilfeature.DefaultFeatureGate.Enabled(features.CSIPersistentVolume) {
+		allPlugins = append(allPlugins, csi.ProbeVolumePlugins()...)
+	}
+	return allPlugins
+}
+
+// GetDynamicPluginProber gets the probers of dynamically discoverable plugins
+// for the attach/detach controller.
+// Currently only Flexvolume plugins are dynamically discoverable.
+func GetDynamicPluginProber(config componentconfig.VolumeConfiguration) volume.DynamicPluginProber {
+	return flexvolume.GetDynamicPluginProber(config.FlexVolumePluginDir)
+}
+
+// ProbeExpandableVolumePlugins returns volume plugins which are expandable
+func ProbeExpandableVolumePlugins(config componentconfig.VolumeConfiguration) []volume.VolumePlugin {
+	allPlugins := []volume.VolumePlugin{}
+
+	allPlugins = append(allPlugins, aws_ebs.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, gce_pd.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, cinder.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, portworx.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, vsphere_volume.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, glusterfs.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, rbd.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, azure_dd.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, azure_file.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, photon_pd.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, scaleio.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, storageos.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, fc.ProbeVolumePlugins()...)
+	return allPlugins
+}
+
+// ProbeControllerVolumePlugins collects all persistent volume plugins into an
+// easy to use list. Only volume plugins that implement any of
+// provisioner/recycler/deleter interface should be returned.
+func ProbeControllerVolumePlugins(cloud cloudprovider.Interface, config componentconfig.VolumeConfiguration) []volume.VolumePlugin {
+	allPlugins := []volume.VolumePlugin{}
+
+	// The list of plugins to probe is decided by this binary, not
+	// by dynamic linking or other "magic".  Plugins will be analyzed and
+	// initialized later.
+
+	// Each plugin can make use of VolumeConfig.  The single arg to this func contains *all* enumerated
+	// options meant to configure volume plugins.  From that single config, create an instance of volume.VolumeConfig
+	// for a specific plugin and pass that instance to the plugin's ProbeVolumePlugins(config) func.
+
+	// HostPath recycling is for testing and development purposes only!
+	hostPathConfig := volume.VolumeConfig{
+		RecyclerMinimumTimeout:   int(config.PersistentVolumeRecyclerConfiguration.MinimumTimeoutHostPath),
+		RecyclerTimeoutIncrement: int(config.PersistentVolumeRecyclerConfiguration.IncrementTimeoutHostPath),
+		RecyclerPodTemplate:      volume.NewPersistentVolumeRecyclerPodTemplate(),
+		ProvisioningEnabled:      config.EnableHostPathProvisioning,
+	}
+	if err := AttemptToLoadRecycler(config.PersistentVolumeRecyclerConfiguration.PodTemplateFilePathHostPath, &hostPathConfig); err != nil {
+		glog.Fatalf("Could not create hostpath recycler pod from file %s: %+v", config.PersistentVolumeRecyclerConfiguration.PodTemplateFilePathHostPath, err)
+	}
+	allPlugins = append(allPlugins, host_path.ProbeVolumePlugins(hostPathConfig)...)
+
+	nfsConfig := volume.VolumeConfig{
+		RecyclerMinimumTimeout:   int(config.PersistentVolumeRecyclerConfiguration.MinimumTimeoutNFS),
+		RecyclerTimeoutIncrement: int(config.PersistentVolumeRecyclerConfiguration.IncrementTimeoutNFS),
+		RecyclerPodTemplate:      volume.NewPersistentVolumeRecyclerPodTemplate(),
+	}
+	if err := AttemptToLoadRecycler(config.PersistentVolumeRecyclerConfiguration.PodTemplateFilePathNFS, &nfsConfig); err != nil {
+		glog.Fatalf("Could not create NFS recycler pod from file %s: %+v", config.PersistentVolumeRecyclerConfiguration.PodTemplateFilePathNFS, err)
+	}
+	allPlugins = append(allPlugins, nfs.ProbeVolumePlugins(nfsConfig)...)
+	allPlugins = append(allPlugins, glusterfs.ProbeVolumePlugins()...)
+	// add rbd provisioner
+	allPlugins = append(allPlugins, rbd.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, quobyte.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, azure_file.ProbeVolumePlugins()...)
+
+	allPlugins = append(allPlugins, flocker.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, portworx.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, scaleio.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, local.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, storageos.ProbeVolumePlugins()...)
+
+	allPlugins = append(allPlugins, aws_ebs.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, gce_pd.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, cinder.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, vsphere_volume.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, azure_dd.ProbeVolumePlugins()...)
+	allPlugins = append(allPlugins, photon_pd.ProbeVolumePlugins()...)
+
+	return allPlugins
+}
+
+// AttemptToLoadRecycler tries decoding a pod from a filepath for use as a recycler for a volume.
+// If successful, this method will set the recycler on the config.
+// If unsuccessful, an error is returned. Function is exported for reuse downstream.
+func AttemptToLoadRecycler(path string, config *volume.VolumeConfig) error {
+	if path != "" {
+		recyclerPod, err := volumeutil.LoadPodFromFile(path)
+		if err != nil {
+			return err
+		}
+		if err = volume.ValidateRecyclerPodTemplate(recyclerPod); err != nil {
+			return fmt.Errorf("Pod specification (%v): %v", path, err)
+		}
+		config.RecyclerPodTemplate = recyclerPod
+	}
+	return nil
+}

vendor/k8s.io/kubernetes/cmd/kube-controller-manager/app/policy.go

@@ -0,0 +1,51 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package app implements a server that runs a set of active
+// components.  This includes replication controllers, service endpoints and
+// nodes.
+//
+package app
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/kubernetes/pkg/controller/disruption"
+
+	"github.com/golang/glog"
+)
+
+func startDisruptionController(ctx ControllerContext) (bool, error) {
+	var group = "policy"
+	var version = "v1beta1"
+	var resource = "poddisruptionbudgets"
+
+	if !ctx.AvailableResources[schema.GroupVersionResource{Group: group, Version: version, Resource: resource}] {
+		glog.Infof(
+			"Refusing to start disruption because resource %q in group %q is not available.",
+			resource, group+"/"+version)
+		return false, nil
+	}
+	go disruption.NewDisruptionController(
+		ctx.InformerFactory.Core().V1().Pods(),
+		ctx.InformerFactory.Policy().V1beta1().PodDisruptionBudgets(),
+		ctx.InformerFactory.Core().V1().ReplicationControllers(),
+		ctx.InformerFactory.Extensions().V1beta1().ReplicaSets(),
+		ctx.InformerFactory.Extensions().V1beta1().Deployments(),
+		ctx.InformerFactory.Apps().V1beta1().StatefulSets(),
+		ctx.ClientBuilder.ClientOrDie("disruption-controller"),
+	).Run(ctx.Stop)
+	return true, nil
+}

vendor/k8s.io/kubernetes/cmd/kube-controller-manager/app/rbac.go

@@ -0,0 +1,33 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/kubernetes/pkg/controller/clusterroleaggregation"
+)
+
+func startClusterRoleAggregrationController(ctx ControllerContext) (bool, error) {
+	if !ctx.AvailableResources[schema.GroupVersionResource{Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "clusterroles"}] {
+		return false, nil
+	}
+	go clusterroleaggregation.NewClusterRoleAggregation(
+		ctx.InformerFactory.Rbac().V1().ClusterRoles(),
+		ctx.ClientBuilder.ClientOrDie("clusterrole-aggregation-controller").RbacV1(),
+	).Run(5, ctx.Stop)
+	return true, nil
+}

vendor/k8s.io/kubernetes/cmd/kube-controller-manager/controller-manager.go

@@ -0,0 +1,59 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// The controller manager is responsible for monitoring replication
+// controllers, and creating corresponding pods to achieve the desired
+// state.  It uses the API to listen for new controllers and to create/delete
+// pods.
+package main
+
+import (
+	goflag "flag"
+	"fmt"
+	"math/rand"
+	"os"
+	"time"
+
+	"github.com/spf13/pflag"
+
+	utilflag "k8s.io/apiserver/pkg/util/flag"
+	"k8s.io/apiserver/pkg/util/logs"
+	"k8s.io/kubernetes/cmd/kube-controller-manager/app"
+	_ "k8s.io/kubernetes/pkg/client/metrics/prometheus" // for client metric registration
+	_ "k8s.io/kubernetes/pkg/util/reflector/prometheus" // for reflector metric registration
+	_ "k8s.io/kubernetes/pkg/util/workqueue/prometheus" // for workqueue metric registration
+	_ "k8s.io/kubernetes/pkg/version/prometheus"        // for version metric registration
+)
+
+func main() {
+	rand.Seed(time.Now().UTC().UnixNano())
+
+	command := app.NewControllerManagerCommand()
+
+	// TODO: once we switch everything over to Cobra commands, we can go back to calling
+	// utilflag.InitFlags() (by removing its pflag.Parse() call). For now, we have to set the
+	// normalize func and add the go flag set by hand.
+	pflag.CommandLine.SetNormalizeFunc(utilflag.WordSepNormalizeFunc)
+	pflag.CommandLine.AddGoFlagSet(goflag.CommandLine)
+	// utilflag.InitFlags()
+	logs.InitLogs()
+	defer logs.FlushLogs()
+
+	if err := command.Execute(); err != nil {
+		fmt.Fprintf(os.Stderr, "%v\n", err)
+		os.Exit(1)
+	}
+}