diff --git a/cmd/importverifier/importverifier.go b/cmd/importverifier/importverifier.go
index 584a74bdb33..ee3f07c7bb0 100644
--- a/cmd/importverifier/importverifier.go
+++ b/cmd/importverifier/importverifier.go
@@ -57,6 +57,8 @@ type ImportRestriction struct {
 	// given as paths that would be used in a Go
 	// import statement
 	AllowedImports []string `yaml:"allowedImports"`
+	// ExcludeTests will skip checking test dependencies.
+	ExcludeTests bool `yaml:"excludeTests"`
 }
 
 // ForbiddenImportsFor determines all of the forbidden
@@ -120,7 +122,11 @@ func isPathUnder(base, path string) (bool, error) {
 // and returns a deduplicated list of them
 func (i *ImportRestriction) forbiddenImportsFor(pkg Package) []string {
 	forbiddenImportSet := map[string]struct{}{}
-	for _, imp := range append(pkg.Imports, append(pkg.TestImports, pkg.XTestImports...)...) {
+	imports := pkg.Imports
+	if !i.ExcludeTests {
+		imports = append(imports, append(pkg.TestImports, pkg.XTestImports...)...)
+	}
+	for _, imp := range imports {
 		path := extractVendorPath(imp)
 		if i.isForbidden(path) {
 			forbiddenImportSet[path] = struct{}{}
diff --git a/hack/import-restrictions.yaml b/hack/import-restrictions.yaml
index 7294a8c3624..939bc4e4c74 100644
--- a/hack/import-restrictions.yaml
+++ b/hack/import-restrictions.yaml
@@ -45,6 +45,28 @@
   - k8s.io/apimachinery
   - k8s.io/client-go
 
+# prevent core machinery from taking explicit v1 references unless
+# necessary
+- baseImportPath: "./vendor/k8s.io/client-go/rest/"
+  excludeTests: true
+  allowedImports:
+  - k8s.io/apimachinery
+  - k8s.io/client-go
+- baseImportPath: "./vendor/k8s.io/client-go/tools/"
+  excludeTests: true
+  ignoredSubTrees:
+  - "./vendor/k8s.io/client-go/tools/bootstrap/token/api"
+  - "./vendor/k8s.io/client-go/tools/cache/testing"
+  - "./vendor/k8s.io/client-go/tools/leaderelection/resourcelock"
+  - "./vendor/k8s.io/client-go/tools/portforward"
+  - "./vendor/k8s.io/client-go/tools/record"
+  - "./vendor/k8s.io/client-go/tools/reference"
+  - "./vendor/k8s.io/client-go/tools/remotecommand"
+  allowedImports:
+  - k8s.io/apimachinery
+  - k8s.io/client-go
+
+
 - baseImportPath: "./vendor/k8s.io/apiserver/"
   allowedImports:
   - k8s.io/api
diff --git a/staging/src/k8s.io/client-go/rest/BUILD b/staging/src/k8s.io/client-go/rest/BUILD
index 0cb24bcff3f..130ec31a330 100644
--- a/staging/src/k8s.io/client-go/rest/BUILD
+++ b/staging/src/k8s.io/client-go/rest/BUILD
@@ -60,7 +60,6 @@ go_library(
     deps = [
         "//vendor/github.com/golang/glog:go_default_library",
         "//vendor/golang.org/x/net/http2:go_default_library",
-        "//vendor/k8s.io/api/core/v1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
diff --git a/staging/src/k8s.io/client-go/rest/config.go b/staging/src/k8s.io/client-go/rest/config.go
index 72a78bc0a00..af2cbb99a9e 100644
--- a/staging/src/k8s.io/client-go/rest/config.go
+++ b/staging/src/k8s.io/client-go/rest/config.go
@@ -29,7 +29,6 @@ import (
 
 	"github.com/golang/glog"
 
-	"k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -316,12 +315,12 @@ func InClusterConfig() (*Config, error) {
 		return nil, fmt.Errorf("unable to load in-cluster configuration, KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT must be defined")
 	}
 
-	token, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/" + v1.ServiceAccountTokenKey)
+	token, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
 	if err != nil {
 		return nil, err
 	}
 	tlsClientConfig := TLSClientConfig{}
-	rootCAFile := "/var/run/secrets/kubernetes.io/serviceaccount/" + v1.ServiceAccountRootCAKey
+	rootCAFile := "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
 	if _, err := certutil.NewPool(rootCAFile); err != nil {
 		glog.Errorf("Expected to load root CA config from %s, but got err: %v", rootCAFile, err)
 	} else {
diff --git a/staging/src/k8s.io/client-go/tools/clientcmd/BUILD b/staging/src/k8s.io/client-go/tools/clientcmd/BUILD
index 788687dcd79..afc2770201c 100644
--- a/staging/src/k8s.io/client-go/tools/clientcmd/BUILD
+++ b/staging/src/k8s.io/client-go/tools/clientcmd/BUILD
@@ -48,7 +48,6 @@ go_library(
         "//vendor/github.com/imdario/mergo:go_default_library",
         "//vendor/github.com/spf13/pflag:go_default_library",
         "//vendor/golang.org/x/crypto/ssh/terminal:go_default_library",
-        "//vendor/k8s.io/api/core/v1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
diff --git a/staging/src/k8s.io/client-go/tools/clientcmd/client_config.go b/staging/src/k8s.io/client-go/tools/clientcmd/client_config.go
index 93e99a942c3..66331a7ad3b 100644
--- a/staging/src/k8s.io/client-go/tools/clientcmd/client_config.go
+++ b/staging/src/k8s.io/client-go/tools/clientcmd/client_config.go
@@ -27,7 +27,6 @@ import (
 	"github.com/golang/glog"
 	"github.com/imdario/mergo"
 
-	"k8s.io/api/core/v1"
 	restclient "k8s.io/client-go/rest"
 	clientauth "k8s.io/client-go/tools/auth"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
@@ -338,7 +337,7 @@ func (config *DirectClientConfig) Namespace() (string, bool, error) {
 	}
 
 	if len(configContext.Namespace) == 0 {
-		return v1.NamespaceDefault, false, nil
+		return "default", false, nil
 	}
 
 	return configContext.Namespace, false, nil
diff --git a/staging/src/k8s.io/client-go/tools/clientcmd/merged_client_builder.go b/staging/src/k8s.io/client-go/tools/clientcmd/merged_client_builder.go
index 3f02111bd56..05038133b6b 100644
--- a/staging/src/k8s.io/client-go/tools/clientcmd/merged_client_builder.go
+++ b/staging/src/k8s.io/client-go/tools/clientcmd/merged_client_builder.go
@@ -22,7 +22,6 @@ import (
 
 	"github.com/golang/glog"
 
-	"k8s.io/api/core/v1"
 	restclient "k8s.io/client-go/rest"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 )
@@ -145,7 +144,7 @@ func (config *DeferredLoadingClientConfig) Namespace() (string, bool, error) {
 
 	if len(ns) > 0 {
 		// if we got a non-default namespace from the kubeconfig, use it
-		if ns != v1.NamespaceDefault {
+		if ns != "default" {
 			return ns, false, nil
 		}