Add generated file

This PR adds generated files under pkg/client and vendor folder.

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient/BUILD

@@ -0,0 +1,74 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "clientbacked_dryrun.go",
+        "dryrunclient.go",
+        "idempotency.go",
+        "init_dryrun.go",
+        "wait.go",
+    ],
+    importpath = "k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient",
+    deps = [
+        "//cmd/kubeadm/app/constants:go_default_library",
+        "//cmd/kubeadm/app/util:go_default_library",
+        "//pkg/kubelet/apis:go_default_library",
+        "//pkg/kubelet/types:go_default_library",
+        "//pkg/registry/core/service/ipallocator:go_default_library",
+        "//vendor/k8s.io/api/apps/v1:go_default_library",
+        "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//vendor/k8s.io/api/rbac/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/net:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/strategicpatch:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
+        "//vendor/k8s.io/client-go/dynamic:go_default_library",
+        "//vendor/k8s.io/client-go/kubernetes:go_default_library",
+        "//vendor/k8s.io/client-go/kubernetes/fake:go_default_library",
+        "//vendor/k8s.io/client-go/kubernetes/scheme:go_default_library",
+        "//vendor/k8s.io/client-go/rest:go_default_library",
+        "//vendor/k8s.io/client-go/testing:go_default_library",
+        "//vendor/k8s.io/client-go/tools/clientcmd:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = [
+        "dryrunclient_test.go",
+        "init_dryrun_test.go",
+    ],
+    embed = [":go_default_library"],
+    deps = [
+        "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//vendor/k8s.io/api/rbac/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//vendor/k8s.io/client-go/testing:go_default_library",
+    ],
+)

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient/clientbacked_dryrun.go

@@ -0,0 +1,131 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apiclient
+
+import (
+	"encoding/json"
+	"fmt"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/dynamic"
+	clientset "k8s.io/client-go/kubernetes"
+	clientsetscheme "k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
+	core "k8s.io/client-go/testing"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+// ClientBackedDryRunGetter implements the DryRunGetter interface for use in NewDryRunClient() and proxies all GET and LIST requests to the backing API server reachable via rest.Config
+type ClientBackedDryRunGetter struct {
+	client        clientset.Interface
+	dynamicClient dynamic.Interface
+}
+
+// InitDryRunGetter should implement the DryRunGetter interface
+var _ DryRunGetter = &ClientBackedDryRunGetter{}
+
+// NewClientBackedDryRunGetter creates a new ClientBackedDryRunGetter instance based on the rest.Config object
+func NewClientBackedDryRunGetter(config *rest.Config) (*ClientBackedDryRunGetter, error) {
+	client, err := clientset.NewForConfig(config)
+	if err != nil {
+		return nil, err
+	}
+	dynamicClient, err := dynamic.NewForConfig(config)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ClientBackedDryRunGetter{
+		client:        client,
+		dynamicClient: dynamicClient,
+	}, nil
+}
+
+// NewClientBackedDryRunGetterFromKubeconfig creates a new ClientBackedDryRunGetter instance from the given KubeConfig file
+func NewClientBackedDryRunGetterFromKubeconfig(file string) (*ClientBackedDryRunGetter, error) {
+	config, err := clientcmd.LoadFromFile(file)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load kubeconfig: %v", err)
+	}
+	clientConfig, err := clientcmd.NewDefaultClientConfig(*config, &clientcmd.ConfigOverrides{}).ClientConfig()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create API client configuration from kubeconfig: %v", err)
+	}
+	return NewClientBackedDryRunGetter(clientConfig)
+}
+
+// HandleGetAction handles GET actions to the dryrun clientset this interface supports
+func (clg *ClientBackedDryRunGetter) HandleGetAction(action core.GetAction) (bool, runtime.Object, error) {
+	unstructuredObj, err := clg.dynamicClient.Resource(action.GetResource()).Namespace(action.GetNamespace()).Get(action.GetName(), metav1.GetOptions{})
+	// Inform the user that the requested object wasn't found.
+	printIfNotExists(err)
+	if err != nil {
+		return true, nil, err
+	}
+	newObj, err := decodeUnstructuredIntoAPIObject(action, unstructuredObj)
+	if err != nil {
+		fmt.Printf("error after decode: %v %v\n", unstructuredObj, err)
+		return true, nil, err
+	}
+	return true, newObj, err
+}
+
+// HandleListAction handles LIST actions to the dryrun clientset this interface supports
+func (clg *ClientBackedDryRunGetter) HandleListAction(action core.ListAction) (bool, runtime.Object, error) {
+	listOpts := metav1.ListOptions{
+		LabelSelector: action.GetListRestrictions().Labels.String(),
+		FieldSelector: action.GetListRestrictions().Fields.String(),
+	}
+
+	unstructuredList, err := clg.dynamicClient.Resource(action.GetResource()).Namespace(action.GetNamespace()).List(listOpts)
+	if err != nil {
+		return true, nil, err
+	}
+	newObj, err := decodeUnstructuredIntoAPIObject(action, unstructuredList)
+	if err != nil {
+		fmt.Printf("error after decode: %v %v\n", unstructuredList, err)
+		return true, nil, err
+	}
+	return true, newObj, err
+}
+
+// Client gets the backing clientset.Interface
+func (clg *ClientBackedDryRunGetter) Client() clientset.Interface {
+	return clg.client
+}
+
+// decodeUnversionedIntoAPIObject converts the *unversioned.Unversioned object returned from the dynamic client
+// to bytes; and then decodes it back _to an external api version (k8s.io/api vs k8s.io/kubernetes/pkg/api*)_ using the normal API machinery
+func decodeUnstructuredIntoAPIObject(action core.Action, unstructuredObj runtime.Unstructured) (runtime.Object, error) {
+	objBytes, err := json.Marshal(unstructuredObj)
+	if err != nil {
+		return nil, err
+	}
+	newObj, err := runtime.Decode(clientsetscheme.Codecs.UniversalDecoder(action.GetResource().GroupVersion()), objBytes)
+	if err != nil {
+		return nil, err
+	}
+	return newObj, nil
+}
+
+func printIfNotExists(err error) {
+	if apierrors.IsNotFound(err) {
+		fmt.Println("[dryrun] The GET request didn't yield any result, the API Server returned a NotFound error.")
+	}
+}

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient/dryrunclient.go

@@ -0,0 +1,242 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apiclient
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"io"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	clientset "k8s.io/client-go/kubernetes"
+	fakeclientset "k8s.io/client-go/kubernetes/fake"
+	core "k8s.io/client-go/testing"
+	kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util"
+)
+
+// DryRunGetter is an interface that must be supplied to the NewDryRunClient function in order to contstruct a fully functional fake dryrun clientset
+type DryRunGetter interface {
+	HandleGetAction(core.GetAction) (bool, runtime.Object, error)
+	HandleListAction(core.ListAction) (bool, runtime.Object, error)
+}
+
+// MarshalFunc takes care of converting any object to a byte array for displaying the object to the user
+type MarshalFunc func(runtime.Object, schema.GroupVersion) ([]byte, error)
+
+// DefaultMarshalFunc is the default MarshalFunc used; uses YAML to print objects to the user
+func DefaultMarshalFunc(obj runtime.Object, gv schema.GroupVersion) ([]byte, error) {
+	return kubeadmutil.MarshalToYaml(obj, gv)
+}
+
+// DryRunClientOptions specifies options to pass to NewDryRunClientWithOpts in order to get a dryrun clientset
+type DryRunClientOptions struct {
+	Writer          io.Writer
+	Getter          DryRunGetter
+	PrependReactors []core.Reactor
+	AppendReactors  []core.Reactor
+	MarshalFunc     MarshalFunc
+	PrintGETAndLIST bool
+}
+
+// GetDefaultDryRunClientOptions returns the default DryRunClientOptions values
+func GetDefaultDryRunClientOptions(drg DryRunGetter, w io.Writer) DryRunClientOptions {
+	return DryRunClientOptions{
+		Writer:          w,
+		Getter:          drg,
+		PrependReactors: []core.Reactor{},
+		AppendReactors:  []core.Reactor{},
+		MarshalFunc:     DefaultMarshalFunc,
+		PrintGETAndLIST: false,
+	}
+}
+
+// actionWithName is the generic interface for an action that has a name associated with it
+// This just makes it easier to catch all actions that has a name; instead of hard-coding all request that has it associated
+type actionWithName interface {
+	core.Action
+	GetName() string
+}
+
+// actionWithObject is the generic interface for an action that has an object associated with it
+// This just makes it easier to catch all actions that has an object; instead of hard-coding all request that has it associated
+type actionWithObject interface {
+	core.Action
+	GetObject() runtime.Object
+}
+
+// NewDryRunClient is a wrapper for NewDryRunClientWithOpts using some default values
+func NewDryRunClient(drg DryRunGetter, w io.Writer) clientset.Interface {
+	return NewDryRunClientWithOpts(GetDefaultDryRunClientOptions(drg, w))
+}
+
+// NewDryRunClientWithOpts returns a clientset.Interface that can be used normally for talking to the Kubernetes API.
+// This client doesn't apply changes to the backend. The client gets GET/LIST values from the DryRunGetter implementation.
+// This client logs all I/O to the writer w in YAML format
+func NewDryRunClientWithOpts(opts DryRunClientOptions) clientset.Interface {
+	// Build a chain of reactors to act like a normal clientset; but log everything that is happening and don't change any state
+	client := fakeclientset.NewSimpleClientset()
+
+	// Build the chain of reactors. Order matters; first item here will be invoked first on match, then the second one will be evaluated, etc.
+	defaultReactorChain := []core.Reactor{
+		// Log everything that happens. Default the object if it's about to be created/updated so that the logged object is representative.
+		&core.SimpleReactor{
+			Verb:     "*",
+			Resource: "*",
+			Reaction: func(action core.Action) (bool, runtime.Object, error) {
+				logDryRunAction(action, opts.Writer, opts.MarshalFunc)
+
+				return false, nil, nil
+			},
+		},
+		// Let the DryRunGetter implementation take care of all GET requests.
+		// The DryRunGetter implementation may call a real API Server behind the scenes or just fake everything
+		&core.SimpleReactor{
+			Verb:     "get",
+			Resource: "*",
+			Reaction: func(action core.Action) (bool, runtime.Object, error) {
+				getAction, ok := action.(core.GetAction)
+				if !ok {
+					// something's wrong, we can't handle this event
+					return true, nil, fmt.Errorf("can't cast get reactor event action object to GetAction interface")
+				}
+				handled, obj, err := opts.Getter.HandleGetAction(getAction)
+
+				if opts.PrintGETAndLIST {
+					// Print the marshalled object format with one tab indentation
+					objBytes, err := opts.MarshalFunc(obj, action.GetResource().GroupVersion())
+					if err == nil {
+						fmt.Println("[dryrun] Returning faked GET response:")
+						PrintBytesWithLinePrefix(opts.Writer, objBytes, "\t")
+					}
+				}
+
+				return handled, obj, err
+			},
+		},
+		// Let the DryRunGetter implementation take care of all GET requests.
+		// The DryRunGetter implementation may call a real API Server behind the scenes or just fake everything
+		&core.SimpleReactor{
+			Verb:     "list",
+			Resource: "*",
+			Reaction: func(action core.Action) (bool, runtime.Object, error) {
+				listAction, ok := action.(core.ListAction)
+				if !ok {
+					// something's wrong, we can't handle this event
+					return true, nil, fmt.Errorf("can't cast list reactor event action object to ListAction interface")
+				}
+				handled, objs, err := opts.Getter.HandleListAction(listAction)
+
+				if opts.PrintGETAndLIST {
+					// Print the marshalled object format with one tab indentation
+					objBytes, err := opts.MarshalFunc(objs, action.GetResource().GroupVersion())
+					if err == nil {
+						fmt.Println("[dryrun] Returning faked LIST response:")
+						PrintBytesWithLinePrefix(opts.Writer, objBytes, "\t")
+					}
+				}
+
+				return handled, objs, err
+			},
+		},
+		// For the verbs that modify anything on the server; just return the object if present and exit successfully
+		&core.SimpleReactor{
+			Verb:     "create",
+			Resource: "*",
+			Reaction: successfulModificationReactorFunc,
+		},
+		&core.SimpleReactor{
+			Verb:     "update",
+			Resource: "*",
+			Reaction: successfulModificationReactorFunc,
+		},
+		&core.SimpleReactor{
+			Verb:     "delete",
+			Resource: "*",
+			Reaction: successfulModificationReactorFunc,
+		},
+		&core.SimpleReactor{
+			Verb:     "delete-collection",
+			Resource: "*",
+			Reaction: successfulModificationReactorFunc,
+		},
+		&core.SimpleReactor{
+			Verb:     "patch",
+			Resource: "*",
+			Reaction: successfulModificationReactorFunc,
+		},
+	}
+
+	// The chain of reactors will look like this:
+	// opts.PrependReactors | defaultReactorChain | opts.AppendReactors | client.Fake.ReactionChain (default reactors for the fake clientset)
+	fullReactorChain := append(opts.PrependReactors, defaultReactorChain...)
+	fullReactorChain = append(fullReactorChain, opts.AppendReactors...)
+
+	// Prepend the reaction chain with our reactors. Important, these MUST be prepended; not appended due to how the fake clientset works by default
+	client.Fake.ReactionChain = append(fullReactorChain, client.Fake.ReactionChain...)
+	return client
+}
+
+// successfulModificationReactorFunc is a no-op that just returns the POSTed/PUTed value if present; but does nothing to edit any backing data store.
+func successfulModificationReactorFunc(action core.Action) (bool, runtime.Object, error) {
+	objAction, ok := action.(actionWithObject)
+	if ok {
+		return true, objAction.GetObject(), nil
+	}
+	return true, nil, nil
+}
+
+// logDryRunAction logs the action that was recorded by the "catch-all" (*,*) reactor and tells the user what would have happened in an user-friendly way
+func logDryRunAction(action core.Action, w io.Writer, marshalFunc MarshalFunc) {
+
+	group := action.GetResource().Group
+	if len(group) == 0 {
+		group = "core"
+	}
+	fmt.Fprintf(w, "[dryrun] Would perform action %s on resource %q in API group \"%s/%s\"\n", strings.ToUpper(action.GetVerb()), action.GetResource().Resource, group, action.GetResource().Version)
+
+	namedAction, ok := action.(actionWithName)
+	if ok {
+		fmt.Fprintf(w, "[dryrun] Resource name: %q\n", namedAction.GetName())
+	}
+
+	objAction, ok := action.(actionWithObject)
+	if ok && objAction.GetObject() != nil {
+		// Print the marshalled object with a tab indentation
+		objBytes, err := marshalFunc(objAction.GetObject(), action.GetResource().GroupVersion())
+		if err == nil {
+			fmt.Println("[dryrun] Attached object:")
+			PrintBytesWithLinePrefix(w, objBytes, "\t")
+		}
+	}
+
+	patchAction, ok := action.(core.PatchAction)
+	if ok {
+		// Replace all occurrences of \" with a simple " when printing
+		fmt.Fprintf(w, "[dryrun] Attached patch:\n\t%s\n", strings.Replace(string(patchAction.GetPatch()), `\"`, `"`, -1))
+	}
+}
+
+// PrintBytesWithLinePrefix prints objBytes to writer w with linePrefix in the beginning of every line
+func PrintBytesWithLinePrefix(w io.Writer, objBytes []byte, linePrefix string) {
+	scanner := bufio.NewScanner(bytes.NewReader(objBytes))
+	for scanner.Scan() {
+		fmt.Fprintf(w, "%s%s\n", linePrefix, scanner.Text())
+	}
+}

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient/dryrunclient_test.go

@@ -0,0 +1,102 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apiclient
+
+import (
+	"bytes"
+	"testing"
+
+	"k8s.io/api/core/v1"
+	rbac "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	core "k8s.io/client-go/testing"
+)
+
+func TestLogDryRunAction(t *testing.T) {
+	var tests = []struct {
+		action        core.Action
+		expectedBytes []byte
+		buf           *bytes.Buffer
+	}{
+		{
+			action: core.NewGetAction(schema.GroupVersionResource{Version: "v1", Resource: "services"}, "default", "kubernetes"),
+			expectedBytes: []byte(`[dryrun] Would perform action GET on resource "services" in API group "core/v1"
+[dryrun] Resource name: "kubernetes"
+`),
+		},
+		{
+			action: core.NewRootGetAction(schema.GroupVersionResource{Group: rbac.GroupName, Version: rbac.SchemeGroupVersion.Version, Resource: "clusterrolebindings"}, "system:node"),
+			expectedBytes: []byte(`[dryrun] Would perform action GET on resource "clusterrolebindings" in API group "rbac.authorization.k8s.io/v1"
+[dryrun] Resource name: "system:node"
+`),
+		},
+		{
+			action: core.NewListAction(schema.GroupVersionResource{Version: "v1", Resource: "services"}, schema.GroupVersionKind{Version: "v1", Kind: "Service"}, "default", metav1.ListOptions{}),
+			expectedBytes: []byte(`[dryrun] Would perform action LIST on resource "services" in API group "core/v1"
+`),
+		},
+		{
+			action: core.NewCreateAction(schema.GroupVersionResource{Version: "v1", Resource: "services"}, "default", &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "foo",
+				},
+				Spec: v1.ServiceSpec{
+					ClusterIP: "1.1.1.1",
+				},
+			}),
+			expectedBytes: []byte(`[dryrun] Would perform action CREATE on resource "services" in API group "core/v1"
+	apiVersion: v1
+	kind: Service
+	metadata:
+	  creationTimestamp: null
+	  name: foo
+	spec:
+	  clusterIP: 1.1.1.1
+	status:
+	  loadBalancer: {}
+`),
+		},
+		{
+			action: core.NewPatchAction(schema.GroupVersionResource{Version: "v1", Resource: "nodes"}, "default", "my-node", []byte(`{"spec":{"taints":[{"key": "foo", "value": "bar"}]}}`)),
+			expectedBytes: []byte(`[dryrun] Would perform action PATCH on resource "nodes" in API group "core/v1"
+[dryrun] Resource name: "my-node"
+[dryrun] Attached patch:
+	{"spec":{"taints":[{"key": "foo", "value": "bar"}]}}
+`),
+		},
+		{
+			action: core.NewDeleteAction(schema.GroupVersionResource{Version: "v1", Resource: "pods"}, "default", "my-pod"),
+			expectedBytes: []byte(`[dryrun] Would perform action DELETE on resource "pods" in API group "core/v1"
+[dryrun] Resource name: "my-pod"
+`),
+		},
+	}
+	for _, rt := range tests {
+		rt.buf = bytes.NewBufferString("")
+		logDryRunAction(rt.action, rt.buf, DefaultMarshalFunc)
+		actualBytes := rt.buf.Bytes()
+
+		if !bytes.Equal(actualBytes, rt.expectedBytes) {
+			t.Errorf(
+				"failed LogDryRunAction:\n\texpected bytes: %q\n\t  actual: %q",
+				rt.expectedBytes,
+				actualBytes,
+			)
+		}
+	}
+}

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient/idempotency.go

@@ -0,0 +1,240 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apiclient
+
+import (
+	"encoding/json"
+	"fmt"
+
+	apps "k8s.io/api/apps/v1"
+	"k8s.io/api/core/v1"
+	rbac "k8s.io/api/rbac/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/strategicpatch"
+	"k8s.io/apimachinery/pkg/util/wait"
+	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/kubernetes/cmd/kubeadm/app/constants"
+	kubeletapis "k8s.io/kubernetes/pkg/kubelet/apis"
+)
+
+// TODO: We should invent a dynamic mechanism for this using the dynamic client instead of hard-coding these functions per-type
+// TODO: We may want to retry if .Update() fails on 409 Conflict
+
+// CreateOrUpdateConfigMap creates a ConfigMap if the target resource doesn't exist. If the resource exists already, this function will update the resource instead.
+func CreateOrUpdateConfigMap(client clientset.Interface, cm *v1.ConfigMap) error {
+	if _, err := client.CoreV1().ConfigMaps(cm.ObjectMeta.Namespace).Create(cm); err != nil {
+		if !apierrors.IsAlreadyExists(err) {
+			return fmt.Errorf("unable to create configmap: %v", err)
+		}
+
+		if _, err := client.CoreV1().ConfigMaps(cm.ObjectMeta.Namespace).Update(cm); err != nil {
+			return fmt.Errorf("unable to update configmap: %v", err)
+		}
+	}
+	return nil
+}
+
+// CreateOrRetainConfigMap creates a ConfigMap if the target resource doesn't exist. If the resource exists already, this function will retain the resource instead.
+func CreateOrRetainConfigMap(client clientset.Interface, cm *v1.ConfigMap, configMapName string) error {
+	if _, err := client.CoreV1().ConfigMaps(cm.ObjectMeta.Namespace).Get(configMapName, metav1.GetOptions{}); err != nil {
+		if !apierrors.IsNotFound(err) {
+			return nil
+		}
+		if _, err := client.CoreV1().ConfigMaps(cm.ObjectMeta.Namespace).Create(cm); err != nil {
+			if !apierrors.IsAlreadyExists(err) {
+				return fmt.Errorf("unable to create configmap: %v", err)
+			}
+		}
+	}
+	return nil
+}
+
+// CreateOrUpdateSecret creates a Secret if the target resource doesn't exist. If the resource exists already, this function will update the resource instead.
+func CreateOrUpdateSecret(client clientset.Interface, secret *v1.Secret) error {
+	if _, err := client.CoreV1().Secrets(secret.ObjectMeta.Namespace).Create(secret); err != nil {
+		if !apierrors.IsAlreadyExists(err) {
+			return fmt.Errorf("unable to create secret: %v", err)
+		}
+
+		if _, err := client.CoreV1().Secrets(secret.ObjectMeta.Namespace).Update(secret); err != nil {
+			return fmt.Errorf("unable to update secret: %v", err)
+		}
+	}
+	return nil
+}
+
+// CreateOrUpdateServiceAccount creates a ServiceAccount if the target resource doesn't exist. If the resource exists already, this function will update the resource instead.
+func CreateOrUpdateServiceAccount(client clientset.Interface, sa *v1.ServiceAccount) error {
+	if _, err := client.CoreV1().ServiceAccounts(sa.ObjectMeta.Namespace).Create(sa); err != nil {
+		// Note: We don't run .Update here afterwards as that's probably not required
+		// Only thing that could be updated is annotations/labels in .metadata, but we don't use that currently
+		if !apierrors.IsAlreadyExists(err) {
+			return fmt.Errorf("unable to create serviceaccount: %v", err)
+		}
+	}
+	return nil
+}
+
+// CreateOrUpdateDeployment creates a Deployment if the target resource doesn't exist. If the resource exists already, this function will update the resource instead.
+func CreateOrUpdateDeployment(client clientset.Interface, deploy *apps.Deployment) error {
+	if _, err := client.AppsV1().Deployments(deploy.ObjectMeta.Namespace).Create(deploy); err != nil {
+		if !apierrors.IsAlreadyExists(err) {
+			return fmt.Errorf("unable to create deployment: %v", err)
+		}
+
+		if _, err := client.AppsV1().Deployments(deploy.ObjectMeta.Namespace).Update(deploy); err != nil {
+			return fmt.Errorf("unable to update deployment: %v", err)
+		}
+	}
+	return nil
+}
+
+// CreateOrUpdateDaemonSet creates a DaemonSet if the target resource doesn't exist. If the resource exists already, this function will update the resource instead.
+func CreateOrUpdateDaemonSet(client clientset.Interface, ds *apps.DaemonSet) error {
+	if _, err := client.AppsV1().DaemonSets(ds.ObjectMeta.Namespace).Create(ds); err != nil {
+		if !apierrors.IsAlreadyExists(err) {
+			return fmt.Errorf("unable to create daemonset: %v", err)
+		}
+
+		if _, err := client.AppsV1().DaemonSets(ds.ObjectMeta.Namespace).Update(ds); err != nil {
+			return fmt.Errorf("unable to update daemonset: %v", err)
+		}
+	}
+	return nil
+}
+
+// DeleteDaemonSetForeground deletes the specified DaemonSet in foreground mode; i.e. it blocks until/makes sure all the managed Pods are deleted
+func DeleteDaemonSetForeground(client clientset.Interface, namespace, name string) error {
+	foregroundDelete := metav1.DeletePropagationForeground
+	deleteOptions := &metav1.DeleteOptions{
+		PropagationPolicy: &foregroundDelete,
+	}
+	return client.AppsV1().DaemonSets(namespace).Delete(name, deleteOptions)
+}
+
+// DeleteDeploymentForeground deletes the specified Deployment in foreground mode; i.e. it blocks until/makes sure all the managed Pods are deleted
+func DeleteDeploymentForeground(client clientset.Interface, namespace, name string) error {
+	foregroundDelete := metav1.DeletePropagationForeground
+	deleteOptions := &metav1.DeleteOptions{
+		PropagationPolicy: &foregroundDelete,
+	}
+	return client.AppsV1().Deployments(namespace).Delete(name, deleteOptions)
+}
+
+// CreateOrUpdateRole creates a Role if the target resource doesn't exist. If the resource exists already, this function will update the resource instead.
+func CreateOrUpdateRole(client clientset.Interface, role *rbac.Role) error {
+	if _, err := client.RbacV1().Roles(role.ObjectMeta.Namespace).Create(role); err != nil {
+		if !apierrors.IsAlreadyExists(err) {
+			return fmt.Errorf("unable to create RBAC role: %v", err)
+		}
+
+		if _, err := client.RbacV1().Roles(role.ObjectMeta.Namespace).Update(role); err != nil {
+			return fmt.Errorf("unable to update RBAC role: %v", err)
+		}
+	}
+	return nil
+}
+
+// CreateOrUpdateRoleBinding creates a RoleBinding if the target resource doesn't exist. If the resource exists already, this function will update the resource instead.
+func CreateOrUpdateRoleBinding(client clientset.Interface, roleBinding *rbac.RoleBinding) error {
+	if _, err := client.RbacV1().RoleBindings(roleBinding.ObjectMeta.Namespace).Create(roleBinding); err != nil {
+		if !apierrors.IsAlreadyExists(err) {
+			return fmt.Errorf("unable to create RBAC rolebinding: %v", err)
+		}
+
+		if _, err := client.RbacV1().RoleBindings(roleBinding.ObjectMeta.Namespace).Update(roleBinding); err != nil {
+			return fmt.Errorf("unable to update RBAC rolebinding: %v", err)
+		}
+	}
+	return nil
+}
+
+// CreateOrUpdateClusterRole creates a ClusterRole if the target resource doesn't exist. If the resource exists already, this function will update the resource instead.
+func CreateOrUpdateClusterRole(client clientset.Interface, clusterRole *rbac.ClusterRole) error {
+	if _, err := client.RbacV1().ClusterRoles().Create(clusterRole); err != nil {
+		if !apierrors.IsAlreadyExists(err) {
+			return fmt.Errorf("unable to create RBAC clusterrole: %v", err)
+		}
+
+		if _, err := client.RbacV1().ClusterRoles().Update(clusterRole); err != nil {
+			return fmt.Errorf("unable to update RBAC clusterrole: %v", err)
+		}
+	}
+	return nil
+}
+
+// CreateOrUpdateClusterRoleBinding creates a ClusterRoleBinding if the target resource doesn't exist. If the resource exists already, this function will update the resource instead.
+func CreateOrUpdateClusterRoleBinding(client clientset.Interface, clusterRoleBinding *rbac.ClusterRoleBinding) error {
+	if _, err := client.RbacV1().ClusterRoleBindings().Create(clusterRoleBinding); err != nil {
+		if !apierrors.IsAlreadyExists(err) {
+			return fmt.Errorf("unable to create RBAC clusterrolebinding: %v", err)
+		}
+
+		if _, err := client.RbacV1().ClusterRoleBindings().Update(clusterRoleBinding); err != nil {
+			return fmt.Errorf("unable to update RBAC clusterrolebinding: %v", err)
+		}
+	}
+	return nil
+}
+
+// PatchNode tries to patch a node using the following client, executing patchFn for the actual mutating logic
+func PatchNode(client clientset.Interface, nodeName string, patchFn func(*v1.Node)) error {
+	// Loop on every false return. Return with an error if raised. Exit successfully if true is returned.
+	return wait.Poll(constants.APICallRetryInterval, constants.PatchNodeTimeout, func() (bool, error) {
+		// First get the node object
+		n, err := client.CoreV1().Nodes().Get(nodeName, metav1.GetOptions{})
+		if err != nil {
+			return false, nil
+		}
+
+		// The node may appear to have no labels at first,
+		// so we wait for it to get hostname label.
+		if _, found := n.ObjectMeta.Labels[kubeletapis.LabelHostname]; !found {
+			return false, nil
+		}
+
+		oldData, err := json.Marshal(n)
+		if err != nil {
+			return false, err
+		}
+
+		// Execute the mutating function
+		patchFn(n)
+
+		newData, err := json.Marshal(n)
+		if err != nil {
+			return false, err
+		}
+
+		patchBytes, err := strategicpatch.CreateTwoWayMergePatch(oldData, newData, v1.Node{})
+		if err != nil {
+			return false, err
+		}
+
+		if _, err := client.CoreV1().Nodes().Patch(n.Name, types.StrategicMergePatchType, patchBytes); err != nil {
+			if apierrors.IsConflict(err) {
+				fmt.Println("[patchnode] Temporarily unable to update node metadata due to conflict (will retry)")
+				return false, nil
+			}
+			return false, err
+		}
+
+		return true, nil
+	})
+}

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient/init_dryrun.go

@@ -0,0 +1,160 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apiclient
+
+import (
+	"fmt"
+	"net"
+	"strings"
+
+	"k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	core "k8s.io/client-go/testing"
+	"k8s.io/kubernetes/cmd/kubeadm/app/constants"
+	"k8s.io/kubernetes/pkg/registry/core/service/ipallocator"
+)
+
+// InitDryRunGetter implements the DryRunGetter interface and can be used to GET/LIST values in the dryrun fake clientset
+// Need to handle these routes in a special manner:
+// - GET /default/services/kubernetes -- must return a valid Service
+// - GET /clusterrolebindings/system:nodes -- can safely return a NotFound error
+// - GET /kube-system/secrets/bootstrap-token-* -- can safely return a NotFound error
+// - GET /nodes/<node-name> -- must return a valid Node
+// - ...all other, unknown GETs/LISTs will be logged
+type InitDryRunGetter struct {
+	masterName    string
+	serviceSubnet string
+}
+
+// InitDryRunGetter should implement the DryRunGetter interface
+var _ DryRunGetter = &InitDryRunGetter{}
+
+// NewInitDryRunGetter creates a new instance of the InitDryRunGetter struct
+func NewInitDryRunGetter(masterName string, serviceSubnet string) *InitDryRunGetter {
+	return &InitDryRunGetter{
+		masterName:    masterName,
+		serviceSubnet: serviceSubnet,
+	}
+}
+
+// HandleGetAction handles GET actions to the dryrun clientset this interface supports
+func (idr *InitDryRunGetter) HandleGetAction(action core.GetAction) (bool, runtime.Object, error) {
+	funcs := []func(core.GetAction) (bool, runtime.Object, error){
+		idr.handleKubernetesService,
+		idr.handleGetNode,
+		idr.handleSystemNodesClusterRoleBinding,
+		idr.handleGetBootstrapToken,
+	}
+	for _, f := range funcs {
+		handled, obj, err := f(action)
+		if handled {
+			return handled, obj, err
+		}
+	}
+
+	return false, nil, nil
+}
+
+// HandleListAction handles GET actions to the dryrun clientset this interface supports.
+// Currently there are no known LIST calls during kubeadm init this code has to take care of.
+func (idr *InitDryRunGetter) HandleListAction(action core.ListAction) (bool, runtime.Object, error) {
+	return false, nil, nil
+}
+
+// handleKubernetesService returns a faked Kubernetes service in order to be able to continue running kubeadm init.
+// The kube-dns addon code GETs the kubernetes service in order to extract the service subnet
+func (idr *InitDryRunGetter) handleKubernetesService(action core.GetAction) (bool, runtime.Object, error) {
+	if action.GetName() != "kubernetes" || action.GetNamespace() != metav1.NamespaceDefault || action.GetResource().Resource != "services" {
+		// We can't handle this event
+		return false, nil, nil
+	}
+
+	_, svcSubnet, err := net.ParseCIDR(idr.serviceSubnet)
+	if err != nil {
+		return true, nil, fmt.Errorf("error parsing CIDR %q: %v", idr.serviceSubnet, err)
+	}
+
+	internalAPIServerVirtualIP, err := ipallocator.GetIndexedIP(svcSubnet, 1)
+	if err != nil {
+		return true, nil, fmt.Errorf("unable to get first IP address from the given CIDR (%s): %v", svcSubnet.String(), err)
+	}
+
+	// The only used field of this Service object is the ClusterIP, which kube-dns uses to calculate its own IP
+	return true, &v1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "kubernetes",
+			Namespace: metav1.NamespaceDefault,
+			Labels: map[string]string{
+				"component": "apiserver",
+				"provider":  "kubernetes",
+			},
+		},
+		Spec: v1.ServiceSpec{
+			ClusterIP: internalAPIServerVirtualIP.String(),
+			Ports: []v1.ServicePort{
+				{
+					Name:       "https",
+					Port:       443,
+					TargetPort: intstr.FromInt(6443),
+				},
+			},
+		},
+	}, nil
+}
+
+// handleGetNode returns a fake node object for the purpose of moving kubeadm init forwards.
+func (idr *InitDryRunGetter) handleGetNode(action core.GetAction) (bool, runtime.Object, error) {
+	if action.GetName() != idr.masterName || action.GetResource().Resource != "nodes" {
+		// We can't handle this event
+		return false, nil, nil
+	}
+
+	return true, &v1.Node{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: idr.masterName,
+			Labels: map[string]string{
+				"kubernetes.io/hostname": idr.masterName,
+			},
+			Annotations: map[string]string{},
+		},
+	}, nil
+}
+
+// handleSystemNodesClusterRoleBinding handles the GET call to the system:nodes clusterrolebinding
+func (idr *InitDryRunGetter) handleSystemNodesClusterRoleBinding(action core.GetAction) (bool, runtime.Object, error) {
+	if action.GetName() != constants.NodesClusterRoleBinding || action.GetResource().Resource != "clusterrolebindings" {
+		// We can't handle this event
+		return false, nil, nil
+	}
+	// We can safely return a NotFound error here as the code will just proceed normally and don't care about modifying this clusterrolebinding
+	// This can only happen on an upgrade; and in that case the ClientBackedDryRunGetter impl will be used
+	return true, nil, apierrors.NewNotFound(action.GetResource().GroupResource(), "clusterrolebinding not found")
+}
+
+// handleGetBootstrapToken handles the case where kubeadm init creates the default token; and the token code GETs the
+// bootstrap token secret first in order to check if it already exists
+func (idr *InitDryRunGetter) handleGetBootstrapToken(action core.GetAction) (bool, runtime.Object, error) {
+	if !strings.HasPrefix(action.GetName(), "bootstrap-token-") || action.GetNamespace() != metav1.NamespaceSystem || action.GetResource().Resource != "secrets" {
+		// We can't handle this event
+		return false, nil, nil
+	}
+	// We can safely return a NotFound error here as the code will just proceed normally and create the Bootstrap Token
+	return true, nil, apierrors.NewNotFound(action.GetResource().GroupResource(), "secret not found")
+}

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient/init_dryrun_test.go

@@ -0,0 +1,126 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apiclient
+
+import (
+	"bytes"
+	"encoding/json"
+	"testing"
+
+	rbac "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	core "k8s.io/client-go/testing"
+)
+
+func TestHandleGetAction(t *testing.T) {
+	masterName := "master-foo"
+	serviceSubnet := "10.96.0.1/12"
+	idr := NewInitDryRunGetter(masterName, serviceSubnet)
+
+	var tests = []struct {
+		action             core.GetActionImpl
+		expectedHandled    bool
+		expectedObjectJSON []byte
+		expectedErr        bool
+	}{
+		{
+			action:             core.NewGetAction(schema.GroupVersionResource{Version: "v1", Resource: "services"}, "default", "kubernetes"),
+			expectedHandled:    true,
+			expectedObjectJSON: []byte(`{"metadata":{"name":"kubernetes","namespace":"default","creationTimestamp":null,"labels":{"component":"apiserver","provider":"kubernetes"}},"spec":{"ports":[{"name":"https","port":443,"targetPort":6443}],"clusterIP":"10.96.0.1"},"status":{"loadBalancer":{}}}`),
+			expectedErr:        false,
+		},
+		{
+			action:             core.NewRootGetAction(schema.GroupVersionResource{Version: "v1", Resource: "nodes"}, masterName),
+			expectedHandled:    true,
+			expectedObjectJSON: []byte(`{"metadata":{"name":"master-foo","creationTimestamp":null,"labels":{"kubernetes.io/hostname":"master-foo"}},"spec":{},"status":{"daemonEndpoints":{"kubeletEndpoint":{"Port":0}},"nodeInfo":{"machineID":"","systemUUID":"","bootID":"","kernelVersion":"","osImage":"","containerRuntimeVersion":"","kubeletVersion":"","kubeProxyVersion":"","operatingSystem":"","architecture":""}}}`),
+			expectedErr:        false,
+		},
+		{
+			action:             core.NewRootGetAction(schema.GroupVersionResource{Group: rbac.GroupName, Version: rbac.SchemeGroupVersion.Version, Resource: "clusterrolebindings"}, "system:node"),
+			expectedHandled:    true,
+			expectedObjectJSON: []byte(``),
+			expectedErr:        true, // we expect a NotFound error here
+		},
+		{
+			action:             core.NewGetAction(schema.GroupVersionResource{Version: "v1", Resource: "secrets"}, "kube-system", "bootstrap-token-abcdef"),
+			expectedHandled:    true,
+			expectedObjectJSON: []byte(``),
+			expectedErr:        true, // we expect a NotFound error here
+		},
+		{ // an ask for a kubernetes service in the _kube-system_ ns should not be answered
+			action:             core.NewGetAction(schema.GroupVersionResource{Version: "v1", Resource: "services"}, "kube-system", "kubernetes"),
+			expectedHandled:    false,
+			expectedObjectJSON: []byte(``),
+			expectedErr:        false,
+		},
+		{ // an ask for an other service than kubernetes should not be answered
+			action:             core.NewGetAction(schema.GroupVersionResource{Version: "v1", Resource: "services"}, "default", "my-other-service"),
+			expectedHandled:    false,
+			expectedObjectJSON: []byte(``),
+			expectedErr:        false,
+		},
+		{ // an ask for an other node than the master should not be answered
+			action:             core.NewRootGetAction(schema.GroupVersionResource{Version: "v1", Resource: "nodes"}, "other-node"),
+			expectedHandled:    false,
+			expectedObjectJSON: []byte(``),
+			expectedErr:        false,
+		},
+		{ // an ask for a secret in any other ns than kube-system should not be answered
+			action:             core.NewGetAction(schema.GroupVersionResource{Version: "v1", Resource: "secrets"}, "default", "bootstrap-token-abcdef"),
+			expectedHandled:    false,
+			expectedObjectJSON: []byte(``),
+			expectedErr:        false,
+		},
+	}
+	for _, rt := range tests {
+		handled, obj, actualErr := idr.HandleGetAction(rt.action)
+		objBytes := []byte(``)
+		if obj != nil {
+			var err error
+			objBytes, err = json.Marshal(obj)
+			if err != nil {
+				t.Fatalf("couldn't marshal returned object")
+			}
+		}
+
+		if handled != rt.expectedHandled {
+			t.Errorf(
+				"failed HandleGetAction:\n\texpected handled: %t\n\t  actual: %t %v",
+				rt.expectedHandled,
+				handled,
+				rt.action,
+			)
+		}
+
+		if !bytes.Equal(objBytes, rt.expectedObjectJSON) {
+			t.Errorf(
+				"failed HandleGetAction:\n\texpected object: %q\n\t  actual: %q",
+				rt.expectedObjectJSON,
+				objBytes,
+			)
+		}
+
+		if (actualErr != nil) != rt.expectedErr {
+			t.Errorf(
+				"failed HandleGetAction:\n\texpected error: %t\n\t  actual: %t %v",
+				rt.expectedErr,
+				(actualErr != nil),
+				rt.action,
+			)
+		}
+	}
+}

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient/wait.go

@@ -0,0 +1,258 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apiclient
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"time"
+
+	"k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	netutil "k8s.io/apimachinery/pkg/util/net"
+	"k8s.io/apimachinery/pkg/util/wait"
+	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/kubernetes/cmd/kubeadm/app/constants"
+	kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
+)
+
+// Waiter is an interface for waiting for criteria in Kubernetes to happen
+type Waiter interface {
+	// WaitForAPI waits for the API Server's /healthz endpoint to become "ok"
+	WaitForAPI() error
+	// WaitForPodsWithLabel waits for Pods in the kube-system namespace to become Ready
+	WaitForPodsWithLabel(kvLabel string) error
+	// WaitForPodToDisappear waits for the given Pod in the kube-system namespace to be deleted
+	WaitForPodToDisappear(staticPodName string) error
+	// WaitForStaticPodSingleHash fetches sha256 hash for the control plane static pod
+	WaitForStaticPodSingleHash(nodeName string, component string) (string, error)
+	// WaitForStaticPodHashChange waits for the given static pod component's static pod hash to get updated.
+	// By doing that we can be sure that the kubelet has restarted the given Static Pod
+	WaitForStaticPodHashChange(nodeName, component, previousHash string) error
+	// WaitForStaticPodControlPlaneHashes fetches sha256 hashes for the control plane static pods
+	WaitForStaticPodControlPlaneHashes(nodeName string) (map[string]string, error)
+	// WaitForHealthyKubelet blocks until the kubelet /healthz endpoint returns 'ok'
+	WaitForHealthyKubelet(initalTimeout time.Duration, healthzEndpoint string) error
+	// SetTimeout adjusts the timeout to the specified duration
+	SetTimeout(timeout time.Duration)
+}
+
+// KubeWaiter is an implementation of Waiter that is backed by a Kubernetes client
+type KubeWaiter struct {
+	client  clientset.Interface
+	timeout time.Duration
+	writer  io.Writer
+}
+
+// NewKubeWaiter returns a new Waiter object that talks to the given Kubernetes cluster
+func NewKubeWaiter(client clientset.Interface, timeout time.Duration, writer io.Writer) Waiter {
+	return &KubeWaiter{
+		client:  client,
+		timeout: timeout,
+		writer:  writer,
+	}
+}
+
+// WaitForAPI waits for the API Server's /healthz endpoint to report "ok"
+func (w *KubeWaiter) WaitForAPI() error {
+	start := time.Now()
+	return wait.PollImmediate(constants.APICallRetryInterval, w.timeout, func() (bool, error) {
+		healthStatus := 0
+		w.client.Discovery().RESTClient().Get().AbsPath("/healthz").Do().StatusCode(&healthStatus)
+		if healthStatus != http.StatusOK {
+			return false, nil
+		}
+
+		fmt.Printf("[apiclient] All control plane components are healthy after %f seconds\n", time.Since(start).Seconds())
+		return true, nil
+	})
+}
+
+// WaitForPodsWithLabel will lookup pods with the given label and wait until they are all
+// reporting status as running.
+func (w *KubeWaiter) WaitForPodsWithLabel(kvLabel string) error {
+
+	lastKnownPodNumber := -1
+	return wait.PollImmediate(constants.APICallRetryInterval, w.timeout, func() (bool, error) {
+		listOpts := metav1.ListOptions{LabelSelector: kvLabel}
+		pods, err := w.client.CoreV1().Pods(metav1.NamespaceSystem).List(listOpts)
+		if err != nil {
+			fmt.Fprintf(w.writer, "[apiclient] Error getting Pods with label selector %q [%v]\n", kvLabel, err)
+			return false, nil
+		}
+
+		if lastKnownPodNumber != len(pods.Items) {
+			fmt.Fprintf(w.writer, "[apiclient] Found %d Pods for label selector %s\n", len(pods.Items), kvLabel)
+			lastKnownPodNumber = len(pods.Items)
+		}
+
+		if len(pods.Items) == 0 {
+			return false, nil
+		}
+
+		for _, pod := range pods.Items {
+			if pod.Status.Phase != v1.PodRunning {
+				return false, nil
+			}
+		}
+
+		return true, nil
+	})
+}
+
+// WaitForPodToDisappear blocks until it timeouts or gets a "NotFound" response from the API Server when getting the Static Pod in question
+func (w *KubeWaiter) WaitForPodToDisappear(podName string) error {
+	return wait.PollImmediate(constants.APICallRetryInterval, w.timeout, func() (bool, error) {
+		_, err := w.client.CoreV1().Pods(metav1.NamespaceSystem).Get(podName, metav1.GetOptions{})
+		if apierrors.IsNotFound(err) {
+			fmt.Printf("[apiclient] The old Pod %q is now removed (which is desired)\n", podName)
+			return true, nil
+		}
+		return false, nil
+	})
+}
+
+// WaitForHealthyKubelet blocks until the kubelet /healthz endpoint returns 'ok'
+func (w *KubeWaiter) WaitForHealthyKubelet(initalTimeout time.Duration, healthzEndpoint string) error {
+	time.Sleep(initalTimeout)
+	return TryRunCommand(func() error {
+		client := &http.Client{Transport: netutil.SetOldTransportDefaults(&http.Transport{})}
+		resp, err := client.Get(healthzEndpoint)
+		if err != nil {
+			fmt.Printf("[kubelet-check] It seems like the kubelet isn't running or healthy.\n")
+			fmt.Printf("[kubelet-check] The HTTP call equal to 'curl -sSL %s' failed with error: %v.\n", healthzEndpoint, err)
+			return err
+		}
+		defer resp.Body.Close()
+		if resp.StatusCode != http.StatusOK {
+			fmt.Printf("[kubelet-check] It seems like the kubelet isn't running or healthy.")
+			fmt.Printf("[kubelet-check] The HTTP call equal to 'curl -sSL %s' returned HTTP code %d\n", healthzEndpoint, resp.StatusCode)
+			return fmt.Errorf("the kubelet healthz endpoint is unhealthy")
+		}
+		return nil
+	}, 5) // a failureThreshold of five means waiting for a total of 155 seconds
+}
+
+// SetTimeout adjusts the timeout to the specified duration
+func (w *KubeWaiter) SetTimeout(timeout time.Duration) {
+	w.timeout = timeout
+}
+
+// WaitForStaticPodControlPlaneHashes blocks until it timeouts or gets a hash map for all components and their Static Pods
+func (w *KubeWaiter) WaitForStaticPodControlPlaneHashes(nodeName string) (map[string]string, error) {
+
+	componentHash := ""
+	var err error
+	mirrorPodHashes := map[string]string{}
+	for _, component := range constants.MasterComponents {
+		err = wait.PollImmediate(constants.APICallRetryInterval, w.timeout, func() (bool, error) {
+			componentHash, err = getStaticPodSingleHash(w.client, nodeName, component)
+			if err != nil {
+				return false, nil
+			}
+			return true, nil
+		})
+		if err != nil {
+			return nil, err
+		}
+		mirrorPodHashes[component] = componentHash
+	}
+
+	return mirrorPodHashes, nil
+}
+
+// WaitForStaticPodSingleHash blocks until it timeouts or gets a hash for a single component and its Static Pod
+func (w *KubeWaiter) WaitForStaticPodSingleHash(nodeName string, component string) (string, error) {
+
+	componentPodHash := ""
+	var err error
+	err = wait.PollImmediate(constants.APICallRetryInterval, w.timeout, func() (bool, error) {
+		componentPodHash, err = getStaticPodSingleHash(w.client, nodeName, component)
+		if err != nil {
+			return false, nil
+		}
+		return true, nil
+	})
+
+	return componentPodHash, err
+}
+
+// WaitForStaticPodHashChange blocks until it timeouts or notices that the Mirror Pod (for the Static Pod, respectively) has changed
+// This implicitly means this function blocks until the kubelet has restarted the Static Pod in question
+func (w *KubeWaiter) WaitForStaticPodHashChange(nodeName, component, previousHash string) error {
+	return wait.PollImmediate(constants.APICallRetryInterval, w.timeout, func() (bool, error) {
+
+		hash, err := getStaticPodSingleHash(w.client, nodeName, component)
+		if err != nil {
+			return false, nil
+		}
+		// We should continue polling until the UID changes
+		if hash == previousHash {
+			return false, nil
+		}
+
+		return true, nil
+	})
+}
+
+// getStaticPodControlPlaneHashes computes hashes for all the control plane's Static Pod resources
+func getStaticPodControlPlaneHashes(client clientset.Interface, nodeName string) (map[string]string, error) {
+
+	mirrorPodHashes := map[string]string{}
+	for _, component := range constants.MasterComponents {
+		hash, err := getStaticPodSingleHash(client, nodeName, component)
+		if err != nil {
+			return nil, err
+		}
+		mirrorPodHashes[component] = hash
+	}
+	return mirrorPodHashes, nil
+}
+
+// getStaticSinglePodHash computes hashes for a single Static Pod resource
+func getStaticPodSingleHash(client clientset.Interface, nodeName string, component string) (string, error) {
+
+	staticPodName := fmt.Sprintf("%s-%s", component, nodeName)
+	staticPod, err := client.CoreV1().Pods(metav1.NamespaceSystem).Get(staticPodName, metav1.GetOptions{})
+	if err != nil {
+		return "", err
+	}
+
+	staticPodHash := staticPod.Annotations[kubetypes.ConfigHashAnnotationKey]
+	fmt.Printf("Static pod: %s hash: %s\n", staticPodName, staticPodHash)
+	return staticPodHash, nil
+}
+
+// TryRunCommand runs a function a maximum of failureThreshold times, and retries on error. If failureThreshold is hit; the last error is returned
+func TryRunCommand(f func() error, failureThreshold int) error {
+	backoff := wait.Backoff{
+		Duration: 5 * time.Second,
+		Factor:   2, // double the timeout for every failure
+		Steps:    failureThreshold,
+	}
+	return wait.ExponentialBackoff(backoff, func() (bool, error) {
+		err := f()
+		if err != nil {
+			// Retry until the timeout
+			return false, nil
+		}
+		// The last f() call was a success, return cleanly
+		return true, nil
+	})
+}