plugin/admission; including resourcequota admission

2025-07-27 13:37:30 +00:00 · 2016-11-18 12:54:08 -08:00 · 2016-11-18 12:54:08 -08:00 · 1044aa4500
commit 1044aa4500
parent f782aba56e
17 changed files with 77 additions and 53 deletions
--- a/plugin/pkg/admission/limitranger/admission.go
+++ b/plugin/pkg/admission/limitranger/admission.go
@ -68,9 +68,9 @@ type liveLookupEntry struct {
 }
 func (l *limitRanger) SetInformerFactory(f informers.SharedInformerFactory) {
-	limitRangeInformer := f.LimitRanges().Informer()
+	limitRangeInformer := f.InternalLimitRanges().Informer()
 	l.SetReadyFunc(limitRangeInformer.HasSynced)
-	l.lister = f.LimitRanges().Lister()
+	l.lister = f.InternalLimitRanges().Lister()
 }
 func (l *limitRanger) Validate() error {
--- a/plugin/pkg/admission/limitranger/admission_test.go
+++ b/plugin/pkg/admission/limitranger/admission_test.go
@ -588,7 +588,7 @@ func newMockClientForTest(limitRanges []api.LimitRange) *fake.Clientset {
 // newHandlerForTest returns a handler configured for testing.
 func newHandlerForTest(c clientset.Interface) (admission.Interface, informers.SharedInformerFactory, error) {
-	f := informers.NewSharedInformerFactory(c, 5*time.Minute)
+	f := informers.NewSharedInformerFactory(nil, c, 5*time.Minute)
 	handler, err := NewLimitRanger(c, &DefaultLimitRangerActions{})
 	if err != nil {
 		return nil, f, err
--- a/plugin/pkg/admission/namespace/autoprovision/admission.go
+++ b/plugin/pkg/admission/namespace/autoprovision/admission.go
@ -88,7 +88,7 @@ func NewProvision(c clientset.Interface) admission.Interface {
 }
 func (p *provision) SetInformerFactory(f informers.SharedInformerFactory) {
-	p.namespaceInformer = f.Namespaces().Informer()
+	p.namespaceInformer = f.InternalNamespaces().Informer()
 	p.SetReadyFunc(p.namespaceInformer.HasSynced)
 }
--- a/plugin/pkg/admission/namespace/autoprovision/admission_test.go
+++ b/plugin/pkg/admission/namespace/autoprovision/admission_test.go
@ -35,7 +35,7 @@ import (
 // newHandlerForTest returns the admission controller configured for testing.
 func newHandlerForTest(c clientset.Interface) (admission.Interface, informers.SharedInformerFactory, error) {
-	f := informers.NewSharedInformerFactory(c, 5*time.Minute)
+	f := informers.NewSharedInformerFactory(nil, c, 5*time.Minute)
 	handler := NewProvision(c)
 	plugins := []admission.Interface{handler}
 	pluginInitializer := admission.NewPluginInitializer(f, nil)
--- a/plugin/pkg/admission/namespace/exists/admission.go
+++ b/plugin/pkg/admission/namespace/exists/admission.go
@ -95,7 +95,7 @@ func NewExists(c clientset.Interface) admission.Interface {
 }
 func (e *exists) SetInformerFactory(f informers.SharedInformerFactory) {
-	e.namespaceInformer = f.Namespaces().Informer()
+	e.namespaceInformer = f.InternalNamespaces().Informer()
 	e.SetReadyFunc(e.namespaceInformer.HasSynced)
 }
--- a/plugin/pkg/admission/namespace/exists/admission_test.go
+++ b/plugin/pkg/admission/namespace/exists/admission_test.go
@ -34,7 +34,7 @@ import (
 // newHandlerForTest returns the admission controller configured for testing.
 func newHandlerForTest(c clientset.Interface) (admission.Interface, informers.SharedInformerFactory, error) {
-	f := informers.NewSharedInformerFactory(c, 5*time.Minute)
+	f := informers.NewSharedInformerFactory(nil, c, 5*time.Minute)
 	handler := NewExists(c)
 	plugins := []admission.Interface{handler}
 	pluginInitializer := admission.NewPluginInitializer(f, nil)
--- a/plugin/pkg/admission/namespace/lifecycle/admission.go
+++ b/plugin/pkg/admission/namespace/lifecycle/admission.go
@ -181,7 +181,7 @@ func newLifecycleWithClock(c clientset.Interface, immortalNamespaces sets.String
 }
 func (l *lifecycle) SetInformerFactory(f informers.SharedInformerFactory) {
-	l.namespaceInformer = f.Namespaces().Informer()
+	l.namespaceInformer = f.InternalNamespaces().Informer()
 	l.SetReadyFunc(l.namespaceInformer.HasSynced)
 }
--- a/plugin/pkg/admission/namespace/lifecycle/admission_test.go
+++ b/plugin/pkg/admission/namespace/lifecycle/admission_test.go
@ -41,7 +41,7 @@ func newHandlerForTest(c clientset.Interface) (admission.Interface, informers.Sh
 // newHandlerForTestWithClock returns a configured handler for testing.
 func newHandlerForTestWithClock(c clientset.Interface, cacheClock clock.Clock) (admission.Interface, informers.SharedInformerFactory, error) {
-	f := informers.NewSharedInformerFactory(c, 5*time.Minute)
+	f := informers.NewSharedInformerFactory(nil, c, 5*time.Minute)
 	handler, err := newLifecycleWithClock(c, sets.NewString(api.NamespaceDefault, api.NamespaceSystem), cacheClock)
 	if err != nil {
 		return nil, f, err
--- a/plugin/pkg/admission/podnodeselector/admission.go
+++ b/plugin/pkg/admission/podnodeselector/admission.go
@ -165,7 +165,7 @@ func NewPodNodeSelector(client clientset.Interface, clusterNodeSelectors map[str
 }
 func (p *podNodeSelector) SetInformerFactory(f informers.SharedInformerFactory) {
-	p.namespaceInformer = f.Namespaces().Informer()
+	p.namespaceInformer = f.InternalNamespaces().Informer()
 	p.SetReadyFunc(p.namespaceInformer.HasSynced)
 }
--- a/plugin/pkg/admission/podnodeselector/admission_test.go
+++ b/plugin/pkg/admission/podnodeselector/admission_test.go
@ -178,7 +178,7 @@ func TestHandles(t *testing.T) {
 // newHandlerForTest returns the admission controller configured for testing.
 func newHandlerForTest(c clientset.Interface) (*podNodeSelector, informers.SharedInformerFactory, error) {
-	f := informers.NewSharedInformerFactory(c, 5*time.Minute)
+	f := informers.NewSharedInformerFactory(nil, c, 5*time.Minute)
 	handler := NewPodNodeSelector(c, nil)
 	plugins := []admission.Interface{handler}
 	pluginInitializer := admission.NewPluginInitializer(f, nil)
--- a/plugin/pkg/admission/resourcequota/admission.go
+++ b/plugin/pkg/admission/resourcequota/admission.go
@ -33,7 +33,7 @@ func init() {
 		func(client clientset.Interface, config io.Reader) (admission.Interface, error) {
 			// NOTE: we do not provide informers to the registry because admission level decisions
 			// does not require us to open watches for all items tracked by quota.
-			registry := install.NewRegistry(client, nil)
+			registry := install.NewRegistry(nil, nil)
 			return NewResourceQuota(client, registry, 5, make(chan struct{}))
 		})
 }
--- a/plugin/pkg/admission/resourcequota/admission_test.go
+++ b/plugin/pkg/admission/resourcequota/admission_test.go
@ -126,7 +126,7 @@ func TestAdmissionIgnoresDelete(t *testing.T) {
 	kubeClient := fake.NewSimpleClientset()
 	stopCh := make(chan struct{})
 	defer close(stopCh)
-	handler, err := NewResourceQuota(kubeClient, install.NewRegistry(kubeClient, nil), 5, stopCh)
+	handler, err := NewResourceQuota(kubeClient, install.NewRegistry(nil, nil), 5, stopCh)
 	if err != nil {
 		t.Errorf("Unexpected error %v", err)
 	}
@ -158,7 +158,7 @@ func TestAdmissionIgnoresSubresources(t *testing.T) {
 	quotaAccessor, _ := newQuotaAccessor(kubeClient)
 	quotaAccessor.indexer = indexer
 	go quotaAccessor.Run(stopCh)
-	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(kubeClient, nil), nil, 5, stopCh)
+	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(nil, nil), nil, 5, stopCh)
 	handler := &quotaAdmission{
 		Handler:   admission.NewHandler(admission.Create, admission.Update),
@ -201,7 +201,7 @@ func TestAdmitBelowQuotaLimit(t *testing.T) {
 	quotaAccessor, _ := newQuotaAccessor(kubeClient)
 	quotaAccessor.indexer = indexer
 	go quotaAccessor.Run(stopCh)
-	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(kubeClient, nil), nil, 5, stopCh)
+	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(nil, nil), nil, 5, stopCh)
 	handler := &quotaAdmission{
 		Handler:   admission.NewHandler(admission.Create, admission.Update),
@ -283,7 +283,7 @@ func TestAdmitHandlesOldObjects(t *testing.T) {
 	quotaAccessor, _ := newQuotaAccessor(kubeClient)
 	quotaAccessor.indexer = indexer
 	go quotaAccessor.Run(stopCh)
-	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(kubeClient, nil), nil, 5, stopCh)
+	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(nil, nil), nil, 5, stopCh)
 	handler := &quotaAdmission{
 		Handler:   admission.NewHandler(admission.Create, admission.Update),
@ -379,7 +379,7 @@ func TestAdmitHandlesCreatingUpdates(t *testing.T) {
 	quotaAccessor, _ := newQuotaAccessor(kubeClient)
 	quotaAccessor.indexer = indexer
 	go quotaAccessor.Run(stopCh)
-	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(kubeClient, nil), nil, 5, stopCh)
+	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(nil, nil), nil, 5, stopCh)
 	handler := &quotaAdmission{
 		Handler:   admission.NewHandler(admission.Create, admission.Update),
@ -472,7 +472,7 @@ func TestAdmitExceedQuotaLimit(t *testing.T) {
 	quotaAccessor, _ := newQuotaAccessor(kubeClient)
 	quotaAccessor.indexer = indexer
 	go quotaAccessor.Run(stopCh)
-	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(kubeClient, nil), nil, 5, stopCh)
+	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(nil, nil), nil, 5, stopCh)
 	handler := &quotaAdmission{
 		Handler:   admission.NewHandler(admission.Create, admission.Update),
@ -515,7 +515,7 @@ func TestAdmitEnforceQuotaConstraints(t *testing.T) {
 	quotaAccessor, _ := newQuotaAccessor(kubeClient)
 	quotaAccessor.indexer = indexer
 	go quotaAccessor.Run(stopCh)
-	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(kubeClient, nil), nil, 5, stopCh)
+	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(nil, nil), nil, 5, stopCh)
 	handler := &quotaAdmission{
 		Handler:   admission.NewHandler(admission.Create, admission.Update),
@ -568,7 +568,7 @@ func TestAdmitPodInNamespaceWithoutQuota(t *testing.T) {
 	quotaAccessor.indexer = indexer
 	quotaAccessor.liveLookupCache = liveLookupCache
 	go quotaAccessor.Run(stopCh)
-	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(kubeClient, nil), nil, 5, stopCh)
+	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(nil, nil), nil, 5, stopCh)
 	handler := &quotaAdmission{
 		Handler:   admission.NewHandler(admission.Create, admission.Update),
@ -633,7 +633,7 @@ func TestAdmitBelowTerminatingQuotaLimit(t *testing.T) {
 	quotaAccessor, _ := newQuotaAccessor(kubeClient)
 	quotaAccessor.indexer = indexer
 	go quotaAccessor.Run(stopCh)
-	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(kubeClient, nil), nil, 5, stopCh)
+	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(nil, nil), nil, 5, stopCh)
 	handler := &quotaAdmission{
 		Handler:   admission.NewHandler(admission.Create, admission.Update),
@ -737,7 +737,7 @@ func TestAdmitBelowBestEffortQuotaLimit(t *testing.T) {
 	quotaAccessor, _ := newQuotaAccessor(kubeClient)
 	quotaAccessor.indexer = indexer
 	go quotaAccessor.Run(stopCh)
-	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(kubeClient, nil), nil, 5, stopCh)
+	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(nil, nil), nil, 5, stopCh)
 	handler := &quotaAdmission{
 		Handler:   admission.NewHandler(admission.Create, admission.Update),
@ -828,7 +828,7 @@ func TestAdmitBestEffortQuotaLimitIgnoresBurstable(t *testing.T) {
 	quotaAccessor, _ := newQuotaAccessor(kubeClient)
 	quotaAccessor.indexer = indexer
 	go quotaAccessor.Run(stopCh)
-	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(kubeClient, nil), nil, 5, stopCh)
+	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(nil, nil), nil, 5, stopCh)
 	handler := &quotaAdmission{
 		Handler:   admission.NewHandler(admission.Create, admission.Update),
@ -945,7 +945,7 @@ func TestAdmissionSetsMissingNamespace(t *testing.T) {
 	quotaAccessor, _ := newQuotaAccessor(kubeClient)
 	quotaAccessor.indexer = indexer
 	go quotaAccessor.Run(stopCh)
-	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(kubeClient, nil), nil, 5, stopCh)
+	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(nil, nil), nil, 5, stopCh)
 	evaluator.(*quotaEvaluator).registry = registry
 	handler := &quotaAdmission{
@ -990,7 +990,7 @@ func TestAdmitRejectsNegativeUsage(t *testing.T) {
 	quotaAccessor, _ := newQuotaAccessor(kubeClient)
 	quotaAccessor.indexer = indexer
 	go quotaAccessor.Run(stopCh)
-	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(kubeClient, nil), nil, 5, stopCh)
+	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(nil, nil), nil, 5, stopCh)
 	handler := &quotaAdmission{
 		Handler:   admission.NewHandler(admission.Create, admission.Update),
@ -1035,7 +1035,7 @@ func TestAdmitWhenUnrelatedResourceExceedsQuota(t *testing.T) {
 	quotaAccessor, _ := newQuotaAccessor(kubeClient)
 	quotaAccessor.indexer = indexer
 	go quotaAccessor.Run(stopCh)
-	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(kubeClient, nil), nil, 5, stopCh)
+	evaluator := NewQuotaEvaluator(quotaAccessor, install.NewRegistry(nil, nil), nil, 5, stopCh)
 	handler := &quotaAdmission{
 		Handler:   admission.NewHandler(admission.Create, admission.Update),
--- a/plugin/pkg/admission/resourcequota/resource_access.go
+++ b/plugin/pkg/admission/resourcequota/resource_access.go
@ -26,6 +26,7 @@ import (
 	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/api/v1"
 	"k8s.io/kubernetes/pkg/client/cache"
 	"k8s.io/kubernetes/pkg/runtime"
 	"k8s.io/kubernetes/pkg/storage/etcd"
@ -73,11 +74,15 @@ func newQuotaAccessor(client clientset.Interface) (*quotaAccessor, error) {
 		return nil, err
 	}
 	lw := &cache.ListWatch{
-		ListFunc: func(options api.ListOptions) (runtime.Object, error) {
+		ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
-			return client.Core().ResourceQuotas(api.NamespaceAll).List(options)
+			internalOptions := api.ListOptions{}
 			v1.Convert_v1_ListOptions_To_api_ListOptions(&options, &internalOptions, nil)
 			return client.Core().ResourceQuotas(api.NamespaceAll).List(internalOptions)
 		},
-		WatchFunc: func(options api.ListOptions) (watch.Interface, error) {
+		WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
-			return client.Core().ResourceQuotas(api.NamespaceAll).Watch(options)
+			internalOptions := api.ListOptions{}
 			v1.Convert_v1_ListOptions_To_api_ListOptions(&options, &internalOptions, nil)
 			return client.Core().ResourceQuotas(api.NamespaceAll).Watch(internalOptions)
 		},
 	}
 	indexer, reflector := cache.NewNamespaceKeyedIndexerAndReflector(lw, &api.ResourceQuota{}, 0)
--- a/plugin/pkg/admission/security/podsecuritypolicy/admission.go
+++ b/plugin/pkg/admission/security/podsecuritypolicy/admission.go
@ -26,6 +26,7 @@ import (
 	"k8s.io/kubernetes/pkg/admission"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/api/errors"
 	"k8s.io/kubernetes/pkg/api/v1"
 	"k8s.io/kubernetes/pkg/apis/extensions"
 	"k8s.io/kubernetes/pkg/auth/authorizer"
 	"k8s.io/kubernetes/pkg/auth/user"
@ -91,11 +92,15 @@ func NewPlugin(kclient clientset.Interface, strategyFactory psp.StrategyFactory,
 	store := cache.NewStore(cache.MetaNamespaceKeyFunc)
 	reflector := cache.NewReflector(
 		&cache.ListWatch{
-			ListFunc: func(options api.ListOptions) (runtime.Object, error) {
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
-				return kclient.Extensions().PodSecurityPolicies().List(options)
+				internalOptions := api.ListOptions{}
 				v1.Convert_v1_ListOptions_To_api_ListOptions(&options, &internalOptions, nil)
 				return kclient.Extensions().PodSecurityPolicies().List(internalOptions)
 			},
-			WatchFunc: func(options api.ListOptions) (watch.Interface, error) {
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
-				return kclient.Extensions().PodSecurityPolicies().Watch(options)
+				internalOptions := api.ListOptions{}
 				v1.Convert_v1_ListOptions_To_api_ListOptions(&options, &internalOptions, nil)
 				return kclient.Extensions().PodSecurityPolicies().Watch(internalOptions)
 			},
 		},
 		&extensions.PodSecurityPolicy{},
@ -228,7 +233,7 @@ func assignSecurityContext(provider psp.Provider, pod *api.Pod, fldPath *field.P
 		// since that is how the sc provider will eventually apply settings in the runtime.
 		// This results in an SC that is based on the Pod's PSC with the set fields from the container
 		// overriding pod level settings.
-		containerCopy.SecurityContext = sc.DetermineEffectiveSecurityContext(pod, &containerCopy)
+		containerCopy.SecurityContext = sc.InternalDetermineEffectiveSecurityContext(pod, &containerCopy)
 		sc, scAnnotations, err := provider.CreateContainerSecurityContext(pod, &containerCopy)
 		if err != nil {
@ -249,7 +254,7 @@ func assignSecurityContext(provider psp.Provider, pod *api.Pod, fldPath *field.P
 		// since that is how the sc provider will eventually apply settings in the runtime.
 		// This results in an SC that is based on the Pod's PSC with the set fields from the container
 		// overriding pod level settings.
-		containerCopy.SecurityContext = sc.DetermineEffectiveSecurityContext(pod, &containerCopy)
+		containerCopy.SecurityContext = sc.InternalDetermineEffectiveSecurityContext(pod, &containerCopy)
 		sc, scAnnotations, err := provider.CreateContainerSecurityContext(pod, &containerCopy)
 		if err != nil {
--- a/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
+++ b/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
@ -751,7 +751,7 @@ func TestAdmitSELinux(t *testing.T) {
 func TestAdmitAppArmor(t *testing.T) {
 	createPodWithAppArmor := func(profile string) *kapi.Pod {
 		pod := goodPod()
-		apparmor.SetProfileName(pod, defaultContainerName, profile)
+		apparmor.SetProfileNameFromPodAnnotations(pod.Annotations, defaultContainerName, profile)
 		return pod
 	}
@ -822,7 +822,7 @@ func TestAdmitAppArmor(t *testing.T) {
 		testPSPAdmit(k, []*extensions.PodSecurityPolicy{v.psp}, v.pod, v.shouldPass, v.psp.Name, t)
 		if v.shouldPass {
-			assert.Equal(t, v.expectedProfile, apparmor.GetProfileName(v.pod, defaultContainerName), k)
+			assert.Equal(t, v.expectedProfile, apparmor.GetProfileNameFromPodAnnotations(v.pod.Annotations, defaultContainerName), k)
 		}
 	}
 }
--- a/plugin/pkg/admission/serviceaccount/admission.go
+++ b/plugin/pkg/admission/serviceaccount/admission.go
@ -29,6 +29,7 @@ import (
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/api/errors"
 	"k8s.io/kubernetes/pkg/api/unversioned"
 	"k8s.io/kubernetes/pkg/api/v1"
 	"k8s.io/kubernetes/pkg/client/cache"
 	"k8s.io/kubernetes/pkg/fields"
 	kubelet "k8s.io/kubernetes/pkg/kubelet/types"
@ -91,11 +92,15 @@ type serviceAccount struct {
 func NewServiceAccount(cl clientset.Interface) *serviceAccount {
 	serviceAccountsIndexer, serviceAccountsReflector := cache.NewNamespaceKeyedIndexerAndReflector(
 		&cache.ListWatch{
-			ListFunc: func(options api.ListOptions) (runtime.Object, error) {
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
-				return cl.Core().ServiceAccounts(api.NamespaceAll).List(options)
+				internalOptions := api.ListOptions{}
 				v1.Convert_v1_ListOptions_To_api_ListOptions(&options, &internalOptions, nil)
 				return cl.Core().ServiceAccounts(api.NamespaceAll).List(internalOptions)
 			},
-			WatchFunc: func(options api.ListOptions) (watch.Interface, error) {
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
-				return cl.Core().ServiceAccounts(api.NamespaceAll).Watch(options)
+				internalOptions := api.ListOptions{}
 				v1.Convert_v1_ListOptions_To_api_ListOptions(&options, &internalOptions, nil)
 				return cl.Core().ServiceAccounts(api.NamespaceAll).Watch(internalOptions)
 			},
 		},
 		&api.ServiceAccount{},
@ -105,13 +110,17 @@ func NewServiceAccount(cl clientset.Interface) *serviceAccount {
 	tokenSelector := fields.SelectorFromSet(map[string]string{api.SecretTypeField: string(api.SecretTypeServiceAccountToken)})
 	secretsIndexer, secretsReflector := cache.NewNamespaceKeyedIndexerAndReflector(
 		&cache.ListWatch{
-			ListFunc: func(options api.ListOptions) (runtime.Object, error) {
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
-				options.FieldSelector = tokenSelector
+				internalOptions := api.ListOptions{}
-				return cl.Core().Secrets(api.NamespaceAll).List(options)
+				v1.Convert_v1_ListOptions_To_api_ListOptions(&options, &internalOptions, nil)
 				internalOptions.FieldSelector = tokenSelector
 				return cl.Core().Secrets(api.NamespaceAll).List(internalOptions)
 			},
-			WatchFunc: func(options api.ListOptions) (watch.Interface, error) {
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
-				options.FieldSelector = tokenSelector
+				internalOptions := api.ListOptions{}
-				return cl.Core().Secrets(api.NamespaceAll).Watch(options)
+				v1.Convert_v1_ListOptions_To_api_ListOptions(&options, &internalOptions, nil)
 				internalOptions.FieldSelector = tokenSelector
 				return cl.Core().Secrets(api.NamespaceAll).Watch(internalOptions)
 			},
 		},
 		&api.Secret{},
@ -304,7 +313,7 @@ func (s *serviceAccount) getServiceAccountTokens(serviceAccount *api.ServiceAcco
 	for _, obj := range index {
 		token := obj.(*api.Secret)
-		if serviceaccount.IsServiceAccountToken(token, serviceAccount) {
+		if serviceaccount.InternalIsServiceAccountToken(token, serviceAccount) {
 			tokens = append(tokens, token)
 		}
 	}
--- a/plugin/pkg/admission/storageclass/default/admission.go
+++ b/plugin/pkg/admission/storageclass/default/admission.go
@ -25,6 +25,7 @@ import (
 	admission "k8s.io/kubernetes/pkg/admission"
 	api "k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/api/errors"
 	"k8s.io/kubernetes/pkg/api/v1"
 	"k8s.io/kubernetes/pkg/apis/storage"
 	storageutil "k8s.io/kubernetes/pkg/apis/storage/util"
 	"k8s.io/kubernetes/pkg/client/cache"
@ -62,11 +63,15 @@ func newPlugin(kclient clientset.Interface) *claimDefaulterPlugin {
 	store := cache.NewStore(cache.MetaNamespaceKeyFunc)
 	reflector := cache.NewReflector(
 		&cache.ListWatch{
-			ListFunc: func(options api.ListOptions) (runtime.Object, error) {
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
-				return kclient.Storage().StorageClasses().List(options)
+				internalOptions := api.ListOptions{}
 				v1.Convert_v1_ListOptions_To_api_ListOptions(&options, &internalOptions, nil)
 				return kclient.Storage().StorageClasses().List(internalOptions)
 			},
-			WatchFunc: func(options api.ListOptions) (watch.Interface, error) {
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
-				return kclient.Storage().StorageClasses().Watch(options)
+				internalOptions := api.ListOptions{}
 				v1.Convert_v1_ListOptions_To_api_ListOptions(&options, &internalOptions, nil)
 				return kclient.Storage().StorageClasses().Watch(internalOptions)
 			},
 		},
 		&storage.StorageClass{},