diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults.go
new file mode 100644
index 00000000000..fa538281b9f
--- /dev/null
+++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults.go
@@ -0,0 +1,261 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	"net/url"
+	"strings"
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/kubernetes/cmd/kubeadm/app/constants"
+	"k8s.io/kubernetes/cmd/kubeadm/app/features"
+	kubeletscheme "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig/scheme"
+	kubeletconfigv1beta1 "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig/v1beta1"
+	kubeproxyscheme "k8s.io/kubernetes/pkg/proxy/apis/kubeproxyconfig/scheme"
+	kubeproxyconfigv1alpha1 "k8s.io/kubernetes/pkg/proxy/apis/kubeproxyconfig/v1alpha1"
+)
+
+const (
+	// DefaultServiceDNSDomain defines default cluster-internal domain name for Services and Pods
+	DefaultServiceDNSDomain = "cluster.local"
+	// DefaultServicesSubnet defines default service subnet range
+	DefaultServicesSubnet = "10.96.0.0/12"
+	// DefaultClusterDNSIP defines default DNS IP
+	DefaultClusterDNSIP = "10.96.0.10"
+	// DefaultKubernetesVersion defines default kubernetes version
+	DefaultKubernetesVersion = "stable-1.10"
+	// DefaultAPIBindPort defines default API port
+	DefaultAPIBindPort = 6443
+	// DefaultAuthorizationModes defines default authorization modes
+	DefaultAuthorizationModes = "Node,RBAC"
+	// DefaultCertificatesDir defines default certificate directory
+	DefaultCertificatesDir = "/etc/kubernetes/pki"
+	// DefaultImageRepository defines default image registry
+	DefaultImageRepository = "k8s.gcr.io"
+	// DefaultManifestsDir defines default manifests directory
+	DefaultManifestsDir = "/etc/kubernetes/manifests"
+	// DefaultCRISocket defines the default cri socket
+	DefaultCRISocket = "/var/run/dockershim.sock"
+	// DefaultClusterName defines the default cluster name
+	DefaultClusterName = "kubernetes"
+
+	// DefaultEtcdDataDir defines default location of etcd where static pods will save data to
+	DefaultEtcdDataDir = "/var/lib/etcd"
+	// DefaultEtcdClusterSize defines the default cluster size when using the etcd-operator
+	DefaultEtcdClusterSize = 3
+	// DefaultEtcdOperatorVersion defines the default version of the etcd-operator to use
+	DefaultEtcdOperatorVersion = "v0.6.0"
+	// DefaultEtcdCertDir represents the directory where PKI assets are stored for self-hosted etcd
+	DefaultEtcdCertDir = "/etc/kubernetes/pki/etcd"
+	// DefaultEtcdClusterServiceName is the default name of the service backing the etcd cluster
+	DefaultEtcdClusterServiceName = "etcd-cluster"
+	// DefaultProxyBindAddressv4 is the default bind address when the advertise address is v4
+	DefaultProxyBindAddressv4 = "0.0.0.0"
+	// DefaultProxyBindAddressv6 is the default bind address when the advertise address is v6
+	DefaultProxyBindAddressv6 = "::"
+	// KubeproxyKubeConfigFileName defines the file name for the kube-proxy's KubeConfig file
+	KubeproxyKubeConfigFileName = "/var/lib/kube-proxy/kubeconfig.conf"
+
+	// DefaultDiscoveryTimeout specifies the default discovery timeout for kubeadm (used unless one is specified in the NodeConfiguration)
+	DefaultDiscoveryTimeout = 5 * time.Minute
+)
+
+var (
+	// DefaultAuditPolicyLogMaxAge is defined as a var so its address can be taken
+	// It is the number of days to store audit logs
+	DefaultAuditPolicyLogMaxAge = int32(2)
+)
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+	return RegisterDefaults(scheme)
+}
+
+// SetDefaults_MasterConfiguration assigns default values to Master node
+func SetDefaults_MasterConfiguration(obj *MasterConfiguration) {
+	if obj.KubernetesVersion == "" {
+		obj.KubernetesVersion = DefaultKubernetesVersion
+	}
+
+	if obj.API.BindPort == 0 {
+		obj.API.BindPort = DefaultAPIBindPort
+	}
+
+	if obj.Networking.ServiceSubnet == "" {
+		obj.Networking.ServiceSubnet = DefaultServicesSubnet
+	}
+
+	if obj.Networking.DNSDomain == "" {
+		obj.Networking.DNSDomain = DefaultServiceDNSDomain
+	}
+
+	if len(obj.AuthorizationModes) == 0 {
+		obj.AuthorizationModes = strings.Split(DefaultAuthorizationModes, ",")
+	}
+
+	if obj.CertificatesDir == "" {
+		obj.CertificatesDir = DefaultCertificatesDir
+	}
+
+	if obj.TokenTTL == nil {
+		obj.TokenTTL = &metav1.Duration{
+			Duration: constants.DefaultTokenDuration,
+		}
+	}
+
+	if obj.CRISocket == "" {
+		obj.CRISocket = DefaultCRISocket
+	}
+
+	if len(obj.TokenUsages) == 0 {
+		obj.TokenUsages = constants.DefaultTokenUsages
+	}
+
+	if len(obj.TokenGroups) == 0 {
+		obj.TokenGroups = constants.DefaultTokenGroups
+	}
+
+	if obj.ImageRepository == "" {
+		obj.ImageRepository = DefaultImageRepository
+	}
+
+	if obj.Etcd.DataDir == "" {
+		obj.Etcd.DataDir = DefaultEtcdDataDir
+	}
+
+	if obj.ClusterName == "" {
+		obj.ClusterName = DefaultClusterName
+	}
+
+	SetDefaultsEtcdSelfHosted(obj)
+	if features.Enabled(obj.FeatureGates, features.DynamicKubeletConfig) {
+		SetDefaults_KubeletConfiguration(obj)
+	}
+	SetDefaults_ProxyConfiguration(obj)
+	SetDefaults_AuditPolicyConfiguration(obj)
+}
+
+// SetDefaults_ProxyConfiguration assigns default values for the Proxy
+func SetDefaults_ProxyConfiguration(obj *MasterConfiguration) {
+	if obj.KubeProxy.Config == nil {
+		obj.KubeProxy.Config = &kubeproxyconfigv1alpha1.KubeProxyConfiguration{}
+	}
+	if obj.KubeProxy.Config.ClusterCIDR == "" && obj.Networking.PodSubnet != "" {
+		obj.KubeProxy.Config.ClusterCIDR = obj.Networking.PodSubnet
+	}
+
+	if obj.KubeProxy.Config.ClientConnection.KubeConfigFile == "" {
+		obj.KubeProxy.Config.ClientConnection.KubeConfigFile = KubeproxyKubeConfigFileName
+	}
+
+	kubeproxyscheme.Scheme.Default(obj.KubeProxy.Config)
+}
+
+// SetDefaults_NodeConfiguration assigns default values to a regular node
+func SetDefaults_NodeConfiguration(obj *NodeConfiguration) {
+	if obj.CACertPath == "" {
+		obj.CACertPath = DefaultCACertPath
+	}
+	if len(obj.TLSBootstrapToken) == 0 {
+		obj.TLSBootstrapToken = obj.Token
+	}
+	if len(obj.DiscoveryToken) == 0 && len(obj.DiscoveryFile) == 0 {
+		obj.DiscoveryToken = obj.Token
+	}
+	if obj.CRISocket == "" {
+		obj.CRISocket = DefaultCRISocket
+	}
+	// Make sure file URLs become paths
+	if len(obj.DiscoveryFile) != 0 {
+		u, err := url.Parse(obj.DiscoveryFile)
+		if err == nil && u.Scheme == "file" {
+			obj.DiscoveryFile = u.Path
+		}
+	}
+	if obj.DiscoveryTimeout == nil {
+		obj.DiscoveryTimeout = &metav1.Duration{
+			Duration: DefaultDiscoveryTimeout,
+		}
+	}
+	if obj.ClusterName == "" {
+		obj.ClusterName = DefaultClusterName
+	}
+}
+
+// SetDefaultsEtcdSelfHosted sets defaults for self-hosted etcd if used
+func SetDefaultsEtcdSelfHosted(obj *MasterConfiguration) {
+	if obj.Etcd.SelfHosted != nil {
+		if obj.Etcd.SelfHosted.ClusterServiceName == "" {
+			obj.Etcd.SelfHosted.ClusterServiceName = DefaultEtcdClusterServiceName
+		}
+
+		if obj.Etcd.SelfHosted.EtcdVersion == "" {
+			obj.Etcd.SelfHosted.EtcdVersion = constants.DefaultEtcdVersion
+		}
+
+		if obj.Etcd.SelfHosted.OperatorVersion == "" {
+			obj.Etcd.SelfHosted.OperatorVersion = DefaultEtcdOperatorVersion
+		}
+
+		if obj.Etcd.SelfHosted.CertificatesDir == "" {
+			obj.Etcd.SelfHosted.CertificatesDir = DefaultEtcdCertDir
+		}
+	}
+}
+
+// SetDefaults_KubeletConfiguration assigns default values to kubelet
+func SetDefaults_KubeletConfiguration(obj *MasterConfiguration) {
+	if obj.KubeletConfiguration.BaseConfig == nil {
+		obj.KubeletConfiguration.BaseConfig = &kubeletconfigv1beta1.KubeletConfiguration{}
+	}
+	if obj.KubeletConfiguration.BaseConfig.StaticPodPath == "" {
+		obj.KubeletConfiguration.BaseConfig.StaticPodPath = DefaultManifestsDir
+	}
+	if obj.KubeletConfiguration.BaseConfig.ClusterDNS == nil {
+		dnsIP, err := constants.GetDNSIP(obj.Networking.ServiceSubnet)
+		if err != nil {
+			obj.KubeletConfiguration.BaseConfig.ClusterDNS = []string{DefaultClusterDNSIP}
+		} else {
+			obj.KubeletConfiguration.BaseConfig.ClusterDNS = []string{dnsIP.String()}
+		}
+	}
+	if obj.KubeletConfiguration.BaseConfig.ClusterDomain == "" {
+		obj.KubeletConfiguration.BaseConfig.ClusterDomain = DefaultServiceDNSDomain
+	}
+	if obj.KubeletConfiguration.BaseConfig.Authorization.Mode == "" {
+		obj.KubeletConfiguration.BaseConfig.Authorization.Mode = kubeletconfigv1beta1.KubeletAuthorizationModeWebhook
+	}
+	if obj.KubeletConfiguration.BaseConfig.Authentication.X509.ClientCAFile == "" {
+		obj.KubeletConfiguration.BaseConfig.Authentication.X509.ClientCAFile = DefaultCACertPath
+	}
+
+	scheme, _, _ := kubeletscheme.NewSchemeAndCodecs()
+	if scheme != nil {
+		scheme.Default(obj.KubeletConfiguration.BaseConfig)
+	}
+}
+
+// SetDefaults_AuditPolicyConfiguration sets default values for the AuditPolicyConfiguration
+func SetDefaults_AuditPolicyConfiguration(obj *MasterConfiguration) {
+	if obj.AuditPolicyConfiguration.LogDir == "" {
+		obj.AuditPolicyConfiguration.LogDir = constants.StaticPodAuditPolicyLogDir
+	}
+	if obj.AuditPolicyConfiguration.LogMaxAge == nil {
+		obj.AuditPolicyConfiguration.LogMaxAge = &DefaultAuditPolicyLogMaxAge
+	}
+}
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults_unix.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults_unix.go
new file mode 100644
index 00000000000..7dbc7f21aea
--- /dev/null
+++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults_unix.go
@@ -0,0 +1,22 @@
+// +build !windows
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+// DefaultCACertPath defines default location of CA certificate on Linux
+const DefaultCACertPath = "/etc/kubernetes/pki/ca.crt"
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults_windows.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults_windows.go
new file mode 100644
index 00000000000..bbbb4627238
--- /dev/null
+++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults_windows.go
@@ -0,0 +1,22 @@
+// +build windows
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+// DefaultCACertPath defines default location of CA certificate on Windows
+const DefaultCACertPath = "C:/etc/kubernetes/pki/ca.crt"
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha2/doc.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/doc.go
new file mode 100644
index 00000000000..578b1b2269e
--- /dev/null
+++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/doc.go
@@ -0,0 +1,22 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha2 is the package that contains the libraries that drive the kubeadm binary.
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=kubeadm.k8s.io
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm
+package v1alpha2 // import "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1alpha2"
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha2/register.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/register.go
new file mode 100644
index 00000000000..a5e15f9e83f
--- /dev/null
+++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/register.go
@@ -0,0 +1,66 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "kubeadm.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha2"}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+
+	// SchemeBuilder points to a list of functions added to Scheme.
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	// AddToScheme applies all the stored functions to the scheme.
+	AddToScheme = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
+}
+
+// Kind takes an unqualified kind and returns a Group qualified GroupKind
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&MasterConfiguration{},
+		&NodeConfiguration{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha2/types.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/types.go
new file mode 100644
index 00000000000..883ae26fafb
--- /dev/null
+++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/types.go
@@ -0,0 +1,299 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	"k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	kubeletconfigv1beta1 "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig/v1beta1"
+	kubeproxyconfigv1alpha1 "k8s.io/kubernetes/pkg/proxy/apis/kubeproxyconfig/v1alpha1"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// MasterConfiguration contains a list of elements which make up master's
+// configuration object.
+type MasterConfiguration struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// API holds configuration for the k8s apiserver.
+	API API `json:"api"`
+	// KubeProxy holds configuration for the k8s service proxy.
+	KubeProxy KubeProxy `json:"kubeProxy"`
+	// Etcd holds configuration for etcd.
+	Etcd Etcd `json:"etcd"`
+	// KubeletConfiguration holds configuration for the kubelet.
+	KubeletConfiguration KubeletConfiguration `json:"kubeletConfiguration"`
+	// Networking holds configuration for the networking topology of the cluster.
+	Networking Networking `json:"networking"`
+	// KubernetesVersion is the target version of the control plane.
+	KubernetesVersion string `json:"kubernetesVersion"`
+	// CloudProvider is the name of the cloud provider.
+	CloudProvider string `json:"cloudProvider"`
+	// NodeName is the name of the node that will host the k8s control plane.
+	// Defaults to the hostname if not provided.
+	NodeName string `json:"nodeName"`
+	// AuthorizationModes is a set of authorization modes used inside the cluster.
+	// If not specified, defaults to Node and RBAC, meaning both the node
+	// authorizer and RBAC are enabled.
+	AuthorizationModes []string `json:"authorizationModes,omitempty"`
+	// NoTaintMaster will, if set, suppress the tainting of the
+	// master node allowing workloads to be run on it (e.g. in
+	// single node configurations).
+	NoTaintMaster bool `json:"noTaintMaster,omitempty"`
+
+	// Mark the controller and api server pods as privileged as some cloud
+	// controllers like openstack need escalated privileges under some conditions
+	// example - loading a config drive to fetch node information
+	PrivilegedPods bool `json:"privilegedPods"`
+
+	// Token is used for establishing bidirectional trust between nodes and masters.
+	// Used for joining nodes in the cluster.
+	Token string `json:"token"`
+	// TokenTTL defines the ttl for Token. Defaults to 24h.
+	TokenTTL *metav1.Duration `json:"tokenTTL,omitempty"`
+	// TokenUsages describes the ways in which this token can be used.
+	TokenUsages []string `json:"tokenUsages,omitempty"`
+	// Extra groups that this token will authenticate as when used for authentication
+	TokenGroups []string `json:"tokenGroups,omitempty"`
+
+	// CRISocket is used to retrieve container runtime info.
+	CRISocket string `json:"criSocket,omitempty"`
+
+	// APIServerExtraArgs is a set of extra flags to pass to the API Server or override
+	// default ones in form of <flagname>=<value>.
+	// TODO: This is temporary and ideally we would like to switch all components to
+	// use ComponentConfig + ConfigMaps.
+	APIServerExtraArgs map[string]string `json:"apiServerExtraArgs,omitempty"`
+	// ControllerManagerExtraArgs is a set of extra flags to pass to the Controller Manager
+	// or override default ones in form of <flagname>=<value>
+	// TODO: This is temporary and ideally we would like to switch all components to
+	// use ComponentConfig + ConfigMaps.
+	ControllerManagerExtraArgs map[string]string `json:"controllerManagerExtraArgs,omitempty"`
+	// SchedulerExtraArgs is a set of extra flags to pass to the Scheduler or override
+	// default ones in form of <flagname>=<value>
+	// TODO: This is temporary and ideally we would like to switch all components to
+	// use ComponentConfig + ConfigMaps.
+	SchedulerExtraArgs map[string]string `json:"schedulerExtraArgs,omitempty"`
+
+	// APIServerExtraVolumes is an extra set of host volumes mounted to the API server.
+	APIServerExtraVolumes []HostPathMount `json:"apiServerExtraVolumes,omitempty"`
+	// ControllerManagerExtraVolumes is an extra set of host volumes mounted to the
+	// Controller Manager.
+	ControllerManagerExtraVolumes []HostPathMount `json:"controllerManagerExtraVolumes,omitempty"`
+	// SchedulerExtraVolumes is an extra set of host volumes mounted to the scheduler.
+	SchedulerExtraVolumes []HostPathMount `json:"schedulerExtraVolumes,omitempty"`
+
+	// APIServerCertSANs sets extra Subject Alternative Names for the API Server signing cert.
+	APIServerCertSANs []string `json:"apiServerCertSANs,omitempty"`
+	// CertificatesDir specifies where to store or look for all required certificates.
+	CertificatesDir string `json:"certificatesDir"`
+
+	// ImageRepository what container registry to pull control plane images from
+	ImageRepository string `json:"imageRepository"`
+	// ImagePullPolicy that control plane images. Can be Always, IfNotPresent or Never.
+	ImagePullPolicy v1.PullPolicy `json:"imagePullPolicy,omitempty"`
+	// UnifiedControlPlaneImage specifies if a specific container image should
+	// be used for all control plane components.
+	UnifiedControlPlaneImage string `json:"unifiedControlPlaneImage"`
+
+	// AuditPolicyConfiguration defines the options for the api server audit system
+	AuditPolicyConfiguration AuditPolicyConfiguration `json:"auditPolicy"`
+
+	// FeatureGates enabled by the user.
+	FeatureGates map[string]bool `json:"featureGates,omitempty"`
+
+	// The cluster name
+	ClusterName string `json:"clusterName,omitempty"`
+}
+
+// API struct contains elements of API server address.
+type API struct {
+	// AdvertiseAddress sets the IP address for the API server to advertise.
+	AdvertiseAddress string `json:"advertiseAddress"`
+	// ControlPlaneEndpoint sets a stable IP address or DNS name for the control plane; it
+	// can be a valid IP address or a RFC-1123 DNS subdomain, both with optional TCP port.
+	// In case the ControlPlaneEndpoint is not specified, the AdvertiseAddress + BindPort
+	// are used; in case the ControlPlaneEndpoint is specified but without a TCP port,
+	// the BindPort is used.
+	// Possible usages are:
+	// e.g. In an cluster with more than one control plane instances, this field should be
+	// assigned the address of the external load balancer in front of the
+	// control plane instances.
+	// e.g.  in environments with enforced node recycling, the ControlPlaneEndpoint
+	// could be used for assigning a stable DNS to the control plane.
+	ControlPlaneEndpoint string `json:"controlPlaneEndpoint"`
+	// BindPort sets the secure port for the API Server to bind to.
+	// Defaults to 6443.
+	BindPort int32 `json:"bindPort"`
+}
+
+// TokenDiscovery contains elements needed for token discovery.
+type TokenDiscovery struct {
+	// ID is the first part of a bootstrap token. Considered public information.
+	// It is used when referring to a token without leaking the secret part.
+	ID string `json:"id"`
+	// Secret is the second part of a bootstrap token. Should only be shared
+	// with trusted parties.
+	Secret string `json:"secret"`
+	// TODO: Seems unused. Remove?
+	// Addresses []string `json:"addresses"`
+}
+
+// Networking contains elements describing cluster's networking configuration
+type Networking struct {
+	// ServiceSubnet is the subnet used by k8s services. Defaults to "10.96.0.0/12".
+	ServiceSubnet string `json:"serviceSubnet"`
+	// PodSubnet is the subnet used by pods.
+	PodSubnet string `json:"podSubnet"`
+	// DNSDomain is the dns domain used by k8s services. Defaults to "cluster.local".
+	DNSDomain string `json:"dnsDomain"`
+}
+
+// Etcd contains elements describing Etcd configuration.
+type Etcd struct {
+	// Endpoints of etcd members. Useful for using external etcd.
+	// If not provided, kubeadm will run etcd in a static pod.
+	Endpoints []string `json:"endpoints"`
+	// CAFile is an SSL Certificate Authority file used to secure etcd communication.
+	CAFile string `json:"caFile"`
+	// CertFile is an SSL certification file used to secure etcd communication.
+	CertFile string `json:"certFile"`
+	// KeyFile is an SSL key file used to secure etcd communication.
+	KeyFile string `json:"keyFile"`
+	// DataDir is the directory etcd will place its data.
+	// Defaults to "/var/lib/etcd".
+	DataDir string `json:"dataDir"`
+	// ExtraArgs are extra arguments provided to the etcd binary
+	// when run inside a static pod.
+	ExtraArgs map[string]string `json:"extraArgs,omitempty"`
+	// Image specifies which container image to use for running etcd.
+	// If empty, automatically populated by kubeadm using the image
+	// repository and default etcd version.
+	Image string `json:"image"`
+	// SelfHosted holds configuration for self-hosting etcd.
+	SelfHosted *SelfHostedEtcd `json:"selfHosted,omitempty"`
+	// ServerCertSANs sets extra Subject Alternative Names for the etcd server signing cert.
+	ServerCertSANs []string `json:"serverCertSANs,omitempty"`
+	// PeerCertSANs sets extra Subject Alternative Names for the etcd peer signing cert.
+	PeerCertSANs []string `json:"peerCertSANs,omitempty"`
+}
+
+// SelfHostedEtcd describes options required to configure self-hosted etcd.
+type SelfHostedEtcd struct {
+	// CertificatesDir represents the directory where all etcd TLS assets are stored.
+	// Defaults to "/etc/kubernetes/pki/etcd".
+	CertificatesDir string `json:"certificatesDir"`
+	// ClusterServiceName is the name of the service that load balances the etcd cluster.
+	ClusterServiceName string `json:"clusterServiceName"`
+	// EtcdVersion is the version of etcd running in the cluster.
+	EtcdVersion string `json:"etcdVersion"`
+	// OperatorVersion is the version of the etcd-operator to use.
+	OperatorVersion string `json:"operatorVersion"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// NodeConfiguration contains elements describing a particular node.
+// TODO: This struct should be replaced by dynamic kubelet configuration.
+type NodeConfiguration struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// CACertPath is the path to the SSL certificate authority used to
+	// secure comunications between node and master.
+	// Defaults to "/etc/kubernetes/pki/ca.crt".
+	CACertPath string `json:"caCertPath"`
+	// DiscoveryFile is a file or url to a kubeconfig file from which to
+	// load cluster information.
+	DiscoveryFile string `json:"discoveryFile"`
+	// DiscoveryToken is a token used to validate cluster information
+	// fetched from the master.
+	DiscoveryToken string `json:"discoveryToken"`
+	// DiscoveryTokenAPIServers is a set of IPs to API servers from which info
+	// will be fetched. Currently we only pay attention to one API server but
+	// hope to support >1 in the future.
+	DiscoveryTokenAPIServers []string `json:"discoveryTokenAPIServers,omitempty"`
+	// DiscoveryTimeout modifies the discovery timeout
+	DiscoveryTimeout *metav1.Duration `json:"discoveryTimeout,omitempty"`
+	// NodeName is the name of the node to join the cluster. Defaults
+	// to the name of the host.
+	NodeName string `json:"nodeName"`
+	// TLSBootstrapToken is a token used for TLS bootstrapping.
+	// Defaults to Token.
+	TLSBootstrapToken string `json:"tlsBootstrapToken"`
+	// Token is used for both discovery and TLS bootstrapping.
+	Token string `json:"token"`
+	// CRISocket is used to retrieve container runtime info.
+	CRISocket string `json:"criSocket,omitempty"`
+	// ClusterName is the name for the cluster in kubeconfig.
+	ClusterName string `json:"clusterName,omitempty"`
+
+	// DiscoveryTokenCACertHashes specifies a set of public key pins to verify
+	// when token-based discovery is used. The root CA found during discovery
+	// must match one of these values. Specifying an empty set disables root CA
+	// pinning, which can be unsafe. Each hash is specified as "<type>:<value>",
+	// where the only currently supported type is "sha256". This is a hex-encoded
+	// SHA-256 hash of the Subject Public Key Info (SPKI) object in DER-encoded
+	// ASN.1. These hashes can be calculated using, for example, OpenSSL:
+	// openssl x509 -pubkey -in ca.crt openssl rsa -pubin -outform der 2>&/dev/null | openssl dgst -sha256 -hex
+	DiscoveryTokenCACertHashes []string `json:"discoveryTokenCACertHashes,omitempty"`
+
+	// DiscoveryTokenUnsafeSkipCAVerification allows token-based discovery
+	// without CA verification via DiscoveryTokenCACertHashes. This can weaken
+	// the security of kubeadm since other nodes can impersonate the master.
+	DiscoveryTokenUnsafeSkipCAVerification bool `json:"discoveryTokenUnsafeSkipCAVerification"`
+
+	// FeatureGates enabled by the user.
+	FeatureGates map[string]bool `json:"featureGates,omitempty"`
+}
+
+// KubeletConfiguration contains elements describing initial remote configuration of kubelet.
+type KubeletConfiguration struct {
+	BaseConfig *kubeletconfigv1beta1.KubeletConfiguration `json:"baseConfig,omitempty"`
+}
+
+// HostPathMount contains elements describing volumes that are mounted from the
+// host.
+type HostPathMount struct {
+	// Name of the volume inside the pod template.
+	Name string `json:"name"`
+	// HostPath is the path in the host that will be mounted inside
+	// the pod.
+	HostPath string `json:"hostPath"`
+	// MountPath is the path inside the pod where hostPath will be mounted.
+	MountPath string `json:"mountPath"`
+	// Writable controls write access to the volume
+	Writable bool `json:"writable,omitempty"`
+	// PathType is the type of the HostPath.
+	PathType v1.HostPathType `json:"pathType,omitempty"`
+}
+
+// KubeProxy contains elements describing the proxy configuration.
+type KubeProxy struct {
+	Config *kubeproxyconfigv1alpha1.KubeProxyConfiguration `json:"config,omitempty"`
+}
+
+// AuditPolicyConfiguration holds the options for configuring the api server audit policy.
+type AuditPolicyConfiguration struct {
+	// Path is the local path to an audit policy.
+	Path string `json:"path"`
+	// LogDir is the local path to the directory where logs should be stored.
+	LogDir string `json:"logDir"`
+	// LogMaxAge is the number of days logs will be stored for. 0 indicates forever.
+	LogMaxAge *int32 `json:"logMaxAge,omitempty"`
+	//TODO(chuckha) add other options for audit policy.
+}