Merge pull request #28860 from ericchiang/separate-apiserver-authz-options

Automatic merge from submit-queue pkg/genericapiserver/options: don't import pkg/apiserver Refactor the authorization options for the API server so pkg/apiserver isn't directly imported by the options package. Closes #28544 cc @smarterclayton @madhusudancs, @nikhiljindal I've updated `federation/cmd/federation-apiserver/app/server.go` to include the RBAC options with this change. I don't know if this was intentionally left out in the first place but would like your feedback.
2025-07-24 20:24:09 +00:00 · 2016-08-21 09:49:14 -07:00 · 2016-08-21 09:49:14 -07:00 · 7979801e54
commit 7979801e54
parent a956dd1c25 b4eaf625a0
7 changed files with 150 additions and 96 deletions
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@ -46,6 +46,8 @@ import (
 	"k8s.io/kubernetes/pkg/controller/framework/informers"
 	serviceaccountcontroller "k8s.io/kubernetes/pkg/controller/serviceaccount"
 	"k8s.io/kubernetes/pkg/genericapiserver"
+	"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
+	genericoptions "k8s.io/kubernetes/pkg/genericapiserver/options"
 	genericvalidation "k8s.io/kubernetes/pkg/genericapiserver/validation"
 	kubeletclient "k8s.io/kubernetes/pkg/kubelet/client"
 	"k8s.io/kubernetes/pkg/master"
@ -225,7 +227,14 @@ func Run(s *options.APIServer) error {
 		return false
 	}

-	if modeEnabled(apiserver.ModeRBAC) {
+	authorizationConfig := authorizer.AuthorizationConfig{
+		PolicyFile:                  s.AuthorizationPolicyFile,
+		WebhookConfigFile:           s.AuthorizationWebhookConfigFile,
+		WebhookCacheAuthorizedTTL:   s.AuthorizationWebhookCacheAuthorizedTTL,
+		WebhookCacheUnauthorizedTTL: s.AuthorizationWebhookCacheUnauthorizedTTL,
+		RBACSuperUser:               s.AuthorizationRBACSuperUser,
+	}
+	if modeEnabled(genericoptions.ModeRBAC) {
 		mustGetRESTOptions := func(resource string) generic.RESTOptions {
 			config, err := storageFactory.NewConfig(rbac.Resource(resource))
 			if err != nil {
@ -235,13 +244,13 @@ func Run(s *options.APIServer) error {
 		}

 		// For initial bootstrapping go directly to etcd to avoid privillege escalation check.
-		s.AuthorizationConfig.RBACRoleRegistry = role.NewRegistry(roleetcd.NewREST(mustGetRESTOptions("roles")))
-		s.AuthorizationConfig.RBACRoleBindingRegistry = rolebinding.NewRegistry(rolebindingetcd.NewREST(mustGetRESTOptions("rolebindings")))
-		s.AuthorizationConfig.RBACClusterRoleRegistry = clusterrole.NewRegistry(clusterroleetcd.NewREST(mustGetRESTOptions("clusterroles")))
-		s.AuthorizationConfig.RBACClusterRoleBindingRegistry = clusterrolebinding.NewRegistry(clusterrolebindingetcd.NewREST(mustGetRESTOptions("clusterrolebindings")))
+		authorizationConfig.RBACRoleRegistry = role.NewRegistry(roleetcd.NewREST(mustGetRESTOptions("roles")))
+		authorizationConfig.RBACRoleBindingRegistry = rolebinding.NewRegistry(rolebindingetcd.NewREST(mustGetRESTOptions("rolebindings")))
+		authorizationConfig.RBACClusterRoleRegistry = clusterrole.NewRegistry(clusterroleetcd.NewREST(mustGetRESTOptions("clusterroles")))
+		authorizationConfig.RBACClusterRoleBindingRegistry = clusterrolebinding.NewRegistry(clusterrolebindingetcd.NewREST(mustGetRESTOptions("clusterrolebindings")))
 	}

-	authorizer, err := apiserver.NewAuthorizerFromAuthorizationConfig(authorizationModeNames, s.AuthorizationConfig)
+	authorizer, err := authorizer.NewAuthorizerFromAuthorizationConfig(authorizationModeNames, authorizationConfig)
 	if err != nil {
 		glog.Fatalf("Invalid Authorization Config: %v", err)
 	}
@ -265,7 +274,7 @@ func Run(s *options.APIServer) error {
 	genericConfig.Authenticator = authenticator
 	genericConfig.SupportsBasicAuth = len(s.BasicAuthFile) > 0
 	genericConfig.Authorizer = authorizer
-	genericConfig.AuthorizerRBACSuperUser = s.AuthorizationConfig.RBACSuperUser
+	genericConfig.AuthorizerRBACSuperUser = s.AuthorizationRBACSuperUser
 	genericConfig.AdmissionControl = admissionController
 	genericConfig.APIResourceConfigSource = storageFactory.APIResourceConfigSource
 	genericConfig.MasterServiceNamespace = s.MasterServiceNamespace
--- a/federation/cmd/federation-apiserver/app/server.go
+++ b/federation/cmd/federation-apiserver/app/server.go
@ -31,13 +31,23 @@ import (
 	"k8s.io/kubernetes/pkg/admission"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/api/unversioned"
-	"k8s.io/kubernetes/pkg/apiserver"
+	"k8s.io/kubernetes/pkg/apis/rbac"
 	"k8s.io/kubernetes/pkg/apiserver/authenticator"
 	"k8s.io/kubernetes/pkg/controller/framework/informers"
 	"k8s.io/kubernetes/pkg/genericapiserver"
+	"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
+	genericoptions "k8s.io/kubernetes/pkg/genericapiserver/options"
 	genericvalidation "k8s.io/kubernetes/pkg/genericapiserver/validation"
 	"k8s.io/kubernetes/pkg/registry/cachesize"
+	"k8s.io/kubernetes/pkg/registry/clusterrole"
+	clusterroleetcd "k8s.io/kubernetes/pkg/registry/clusterrole/etcd"
+	"k8s.io/kubernetes/pkg/registry/clusterrolebinding"
+	clusterrolebindingetcd "k8s.io/kubernetes/pkg/registry/clusterrolebinding/etcd"
 	"k8s.io/kubernetes/pkg/registry/generic"
+	"k8s.io/kubernetes/pkg/registry/role"
+	roleetcd "k8s.io/kubernetes/pkg/registry/role/etcd"
+	"k8s.io/kubernetes/pkg/registry/rolebinding"
+	rolebindingetcd "k8s.io/kubernetes/pkg/registry/rolebinding/etcd"
 	"k8s.io/kubernetes/pkg/util/wait"
 )

@ -113,7 +123,40 @@ func Run(s *options.ServerRunOptions) error {
 	}

 	authorizationModeNames := strings.Split(s.AuthorizationMode, ",")
-	authorizer, err := apiserver.NewAuthorizerFromAuthorizationConfig(authorizationModeNames, s.AuthorizationConfig)
+
+	modeEnabled := func(mode string) bool {
+		for _, m := range authorizationModeNames {
+			if m == mode {
+				return true
+			}
+		}
+		return false
+	}
+
+	authorizationConfig := authorizer.AuthorizationConfig{
+		PolicyFile:                  s.AuthorizationPolicyFile,
+		WebhookConfigFile:           s.AuthorizationWebhookConfigFile,
+		WebhookCacheAuthorizedTTL:   s.AuthorizationWebhookCacheAuthorizedTTL,
+		WebhookCacheUnauthorizedTTL: s.AuthorizationWebhookCacheUnauthorizedTTL,
+		RBACSuperUser:               s.AuthorizationRBACSuperUser,
+	}
+	if modeEnabled(genericoptions.ModeRBAC) {
+		mustGetRESTOptions := func(resource string) generic.RESTOptions {
+			config, err := storageFactory.NewConfig(rbac.Resource(resource))
+			if err != nil {
+				glog.Fatalf("Unable to get %s storage: %v", resource, err)
+			}
+			return generic.RESTOptions{StorageConfig: config, Decorator: generic.UndecoratedStorage, ResourcePrefix: storageFactory.ResourcePrefix(rbac.Resource(resource))}
+		}
+
+		// For initial bootstrapping go directly to etcd to avoid privillege escalation check.
+		authorizationConfig.RBACRoleRegistry = role.NewRegistry(roleetcd.NewREST(mustGetRESTOptions("roles")))
+		authorizationConfig.RBACRoleBindingRegistry = rolebinding.NewRegistry(rolebindingetcd.NewREST(mustGetRESTOptions("rolebindings")))
+		authorizationConfig.RBACClusterRoleRegistry = clusterrole.NewRegistry(clusterroleetcd.NewREST(mustGetRESTOptions("clusterroles")))
+		authorizationConfig.RBACClusterRoleBindingRegistry = clusterrolebinding.NewRegistry(clusterrolebindingetcd.NewREST(mustGetRESTOptions("clusterrolebindings")))
+	}
+
+	authorizer, err := authorizer.NewAuthorizerFromAuthorizationConfig(authorizationModeNames, authorizationConfig)
 	if err != nil {
 		glog.Fatalf("Invalid Authorization Config: %v", err)
 	}
@ -136,6 +179,7 @@ func Run(s *options.ServerRunOptions) error {
 	genericConfig.Authenticator = authenticator
 	genericConfig.SupportsBasicAuth = len(s.BasicAuthFile) > 0
 	genericConfig.Authorizer = authorizer
+	genericConfig.AuthorizerRBACSuperUser = s.AuthorizationRBACSuperUser
 	genericConfig.AdmissionControl = admissionController
 	genericConfig.APIResourceConfigSource = storageFactory.APIResourceConfigSource
 	genericConfig.MasterServiceNamespace = s.MasterServiceNamespace
--- a/pkg/genericapiserver/authorizer/authz.go
+++ b/pkg/genericapiserver/authorizer/authz.go
@ -1,5 +1,5 @@
 /*
-Copyright 2014 The Kubernetes Authors.
+Copyright 2016 The Kubernetes Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-package apiserver
+package authorizer

 import (
 	"errors"
@ -24,6 +24,7 @@ import (
 	"k8s.io/kubernetes/pkg/auth/authorizer"
 	"k8s.io/kubernetes/pkg/auth/authorizer/abac"
 	"k8s.io/kubernetes/pkg/auth/authorizer/union"
+	"k8s.io/kubernetes/pkg/genericapiserver/options"
 	"k8s.io/kubernetes/pkg/registry/clusterrole"
 	"k8s.io/kubernetes/pkg/registry/clusterrolebinding"
 	"k8s.io/kubernetes/pkg/registry/role"
@ -32,11 +33,6 @@ import (
 	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/webhook"
 )

-// Attributes implements authorizer.Attributes interface.
-type Attributes struct {
-	// TODO: add fields and methods when authorizer.Attributes is completed.
-}
-
 // alwaysAllowAuthorizer is an implementation of authorizer.Attributes
 // which always says yes to an authorization request.
 // It is useful in tests and when using kubernetes in an open manner.
@ -76,17 +72,6 @@ func NewAlwaysFailAuthorizer() authorizer.Authorizer {
 	return new(alwaysFailAuthorizer)
 }

-const (
-	ModeAlwaysAllow string = "AlwaysAllow"
-	ModeAlwaysDeny  string = "AlwaysDeny"
-	ModeABAC        string = "ABAC"
-	ModeWebhook     string = "Webhook"
-	ModeRBAC        string = "RBAC"
-)
-
-// Keep this list in sync with constant list above.
-var AuthorizationModeChoices = []string{ModeAlwaysAllow, ModeAlwaysDeny, ModeABAC, ModeWebhook, ModeRBAC}
-
 type AuthorizationConfig struct {
 	// Options for ModeABAC

@ -115,7 +100,7 @@ type AuthorizationConfig struct {

 // NewAuthorizerFromAuthorizationConfig returns the right sort of union of multiple authorizer.Authorizer objects
 // based on the authorizationMode or an error.  authorizationMode should be a comma separated values
-// of AuthorizationModeChoices.
+// of options.AuthorizationModeChoices.
 func NewAuthorizerFromAuthorizationConfig(authorizationModes []string, config AuthorizationConfig) (authorizer.Authorizer, error) {

 	if len(authorizationModes) == 0 {
@ -131,11 +116,11 @@ func NewAuthorizerFromAuthorizationConfig(authorizationModes []string, config Au
 		}
 		// Keep cases in sync with constant list above.
 		switch authorizationMode {
-		case ModeAlwaysAllow:
+		case options.ModeAlwaysAllow:
 			authorizers = append(authorizers, NewAlwaysAllowAuthorizer())
-		case ModeAlwaysDeny:
+		case options.ModeAlwaysDeny:
 			authorizers = append(authorizers, NewAlwaysDenyAuthorizer())
-		case ModeABAC:
+		case options.ModeABAC:
 			if config.PolicyFile == "" {
 				return nil, errors.New("ABAC's authorization policy file not passed")
 			}
@ -144,7 +129,7 @@ func NewAuthorizerFromAuthorizationConfig(authorizationModes []string, config Au
 				return nil, err
 			}
 			authorizers = append(authorizers, abacAuthorizer)
-		case ModeWebhook:
+		case options.ModeWebhook:
 			if config.WebhookConfigFile == "" {
 				return nil, errors.New("Webhook's configuration file not passed")
 			}
@ -155,7 +140,7 @@ func NewAuthorizerFromAuthorizationConfig(authorizationModes []string, config Au
 				return nil, err
 			}
 			authorizers = append(authorizers, webhookAuthorizer)
-		case ModeRBAC:
+		case options.ModeRBAC:
 			rbacAuthorizer := rbac.New(
 				config.RBACRoleRegistry,
 				config.RBACRoleBindingRegistry,
@ -170,13 +155,13 @@ func NewAuthorizerFromAuthorizationConfig(authorizationModes []string, config Au
 		authorizerMap[authorizationMode] = true
 	}

-	if !authorizerMap[ModeABAC] && config.PolicyFile != "" {
+	if !authorizerMap[options.ModeABAC] && config.PolicyFile != "" {
 		return nil, errors.New("Cannot specify --authorization-policy-file without mode ABAC")
 	}
-	if !authorizerMap[ModeWebhook] && config.WebhookConfigFile != "" {
+	if !authorizerMap[options.ModeWebhook] && config.WebhookConfigFile != "" {
 		return nil, errors.New("Cannot specify --authorization-webhook-config-file without mode Webhook")
 	}
-	if !authorizerMap[ModeRBAC] && config.RBACSuperUser != "" {
+	if !authorizerMap[options.ModeRBAC] && config.RBACSuperUser != "" {
 		return nil, errors.New("Cannot specify --authorization-rbac-super-user without mode RBAC")
 	}

--- a/pkg/genericapiserver/authorizer/authz_test.go
+++ b/pkg/genericapiserver/authorizer/authz_test.go
@ -1,5 +1,5 @@
 /*
-Copyright 2014 The Kubernetes Authors.
+Copyright 2016 The Kubernetes Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@ -14,10 +14,12 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-package apiserver
+package authorizer

 import (
 	"testing"
+
+	"k8s.io/kubernetes/pkg/genericapiserver/options"
 )

 // NewAlwaysAllowAuthorizer must return a struct which implements authorizer.Authorizer
@ -42,7 +44,7 @@ func TestNewAlwaysDenyAuthorizer(t *testing.T) {
 // validates that errors are returned only when proper.
 func TestNewAuthorizerFromAuthorizationConfig(t *testing.T) {

-	examplePolicyFile := "../auth/authorizer/abac/example_policy_file.jsonl"
+	examplePolicyFile := "../../auth/authorizer/abac/example_policy_file.jsonl"

 	tests := []struct {
 		modes   []string
@ -59,25 +61,25 @@ func TestNewAuthorizerFromAuthorizationConfig(t *testing.T) {
 		{
 			// ModeAlwaysAllow and ModeAlwaysDeny should return without authorizationPolicyFile
 			// but error if one is given
-			modes: []string{ModeAlwaysAllow, ModeAlwaysDeny},
+			modes: []string{options.ModeAlwaysAllow, options.ModeAlwaysDeny},
 			msg:   "returned an error for valid config",
 		},
 		{
 			// ModeABAC requires a policy file
-			modes:   []string{ModeAlwaysAllow, ModeAlwaysDeny, ModeABAC},
+			modes:   []string{options.ModeAlwaysAllow, options.ModeAlwaysDeny, options.ModeABAC},
 			wantErr: true,
 			msg:     "specifying ABAC with no policy file should return an error",
 		},
 		{
 			// ModeABAC should not error if a valid policy path is provided
-			modes:  []string{ModeAlwaysAllow, ModeAlwaysDeny, ModeABAC},
+			modes:  []string{options.ModeAlwaysAllow, options.ModeAlwaysDeny, options.ModeABAC},
 			config: AuthorizationConfig{PolicyFile: examplePolicyFile},
 			msg:    "errored while using a valid policy file",
 		},
 		{

 			// Authorization Policy file cannot be used without ModeABAC
-			modes:   []string{ModeAlwaysAllow, ModeAlwaysDeny},
+			modes:   []string{options.ModeAlwaysAllow, options.ModeAlwaysDeny},
 			config:  AuthorizationConfig{PolicyFile: examplePolicyFile},
 			wantErr: true,
 			msg:     "should have errored when Authorization Policy File is used without ModeABAC",
@ -91,13 +93,13 @@ func TestNewAuthorizerFromAuthorizationConfig(t *testing.T) {
 		},
 		{
 			// ModeWebhook requires at minimum a target.
-			modes:   []string{ModeWebhook},
+			modes:   []string{options.ModeWebhook},
 			wantErr: true,
 			msg:     "should have errored when config was empty with ModeWebhook",
 		},
 		{
 			// Cannot provide webhook flags without ModeWebhook
-			modes:   []string{ModeAlwaysAllow},
+			modes:   []string{options.ModeAlwaysAllow},
 			config:  AuthorizationConfig{WebhookConfigFile: "authz_webhook_config.yml"},
 			wantErr: true,
 			msg:     "should have errored when Webhook config file is used without ModeWebhook",
--- a/pkg/genericapiserver/options/server_run_options.go
+++ b/pkg/genericapiserver/options/server_run_options.go
@ -27,7 +27,6 @@ import (
 	"k8s.io/kubernetes/pkg/api/unversioned"
 	apiutil "k8s.io/kubernetes/pkg/api/util"
 	"k8s.io/kubernetes/pkg/apimachinery/registered"
-	"k8s.io/kubernetes/pkg/apiserver"
 	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 	"k8s.io/kubernetes/pkg/client/restclient"
 	"k8s.io/kubernetes/pkg/storage/storagebackend"
@ -47,6 +46,16 @@ const (

 var DefaultServiceNodePortRange = utilnet.PortRange{Base: 30000, Size: 2768}

+const (
+	ModeAlwaysAllow string = "AlwaysAllow"
+	ModeAlwaysDeny  string = "AlwaysDeny"
+	ModeABAC        string = "ABAC"
+	ModeWebhook     string = "Webhook"
+	ModeRBAC        string = "RBAC"
+)
+
+var AuthorizationModeChoices = []string{ModeAlwaysAllow, ModeAlwaysDeny, ModeABAC, ModeWebhook, ModeRBAC}
+
 // ServerRunOptions contains the options while running a generic api server.
 type ServerRunOptions struct {
 	APIGroupPrefix             string
@ -54,17 +63,24 @@ type ServerRunOptions struct {
 	AdmissionControl           string
 	AdmissionControlConfigFile string
 	AdvertiseAddress           net.IP
-	AuthorizationConfig        apiserver.AuthorizationConfig
-	AuthorizationMode          string
-	BasicAuthFile              string
-	BindAddress                net.IP
-	CertDirectory              string
-	ClientCAFile               string
-	CloudConfigFile            string
-	CloudProvider              string
-	CorsAllowedOriginList      []string
-	DefaultStorageMediaType    string
-	DeleteCollectionWorkers    int
+
+	// Authorization mode and associated flags.
+	AuthorizationMode                        string
+	AuthorizationPolicyFile                  string
+	AuthorizationWebhookConfigFile           string
+	AuthorizationWebhookCacheAuthorizedTTL   time.Duration
+	AuthorizationWebhookCacheUnauthorizedTTL time.Duration
+	AuthorizationRBACSuperUser               string
+
+	BasicAuthFile           string
+	BindAddress             net.IP
+	CertDirectory           string
+	ClientCAFile            string
+	CloudConfigFile         string
+	CloudProvider           string
+	CorsAllowedOriginList   []string
+	DefaultStorageMediaType string
+	DeleteCollectionWorkers int
 	// Used to specify the storage version that should be used for the legacy v1 api group.
 	DeprecatedStorageVersion  string
 	AuditLogPath              string
@ -110,33 +126,31 @@ type ServerRunOptions struct {

 func NewServerRunOptions() *ServerRunOptions {
 	return &ServerRunOptions{
-		APIGroupPrefix:    "/apis",
-		APIPrefix:         "/api",
-		AdmissionControl:  "AlwaysAdmit",
-		AuthorizationMode: "AlwaysAllow",
-		AuthorizationConfig: apiserver.AuthorizationConfig{
-			WebhookCacheAuthorizedTTL:   5 * time.Minute,
-			WebhookCacheUnauthorizedTTL: 30 * time.Second,
-		},
-		BindAddress:             net.ParseIP("0.0.0.0"),
-		CertDirectory:           "/var/run/kubernetes",
-		DefaultStorageMediaType: "application/json",
-		DefaultStorageVersions:  registered.AllPreferredGroupVersions(),
-		DeleteCollectionWorkers: 1,
-		EnableLogsSupport:       true,
-		EnableProfiling:         true,
-		EnableWatchCache:        true,
-		InsecureBindAddress:     net.ParseIP("127.0.0.1"),
-		InsecurePort:            8080,
-		LongRunningRequestRE:    defaultLongRunningRequestRE,
-		MasterCount:             1,
-		MasterServiceNamespace:  api.NamespaceDefault,
-		MaxRequestsInFlight:     400,
-		MinRequestTimeout:       1800,
-		RuntimeConfig:           make(config.ConfigurationMap),
-		SecurePort:              6443,
-		ServiceNodePortRange:    DefaultServiceNodePortRange,
-		StorageVersions:         registered.AllPreferredGroupVersions(),
+		APIGroupPrefix:                           "/apis",
+		APIPrefix:                                "/api",
+		AdmissionControl:                         "AlwaysAdmit",
+		AuthorizationMode:                        "AlwaysAllow",
+		AuthorizationWebhookCacheAuthorizedTTL:   5 * time.Minute,
+		AuthorizationWebhookCacheUnauthorizedTTL: 30 * time.Second,
+		BindAddress:                              net.ParseIP("0.0.0.0"),
+		CertDirectory:                            "/var/run/kubernetes",
+		DefaultStorageMediaType:                  "application/json",
+		DefaultStorageVersions:                   registered.AllPreferredGroupVersions(),
+		DeleteCollectionWorkers:                  1,
+		EnableLogsSupport:                        true,
+		EnableProfiling:                          true,
+		EnableWatchCache:                         true,
+		InsecureBindAddress:                      net.ParseIP("127.0.0.1"),
+		InsecurePort:                             8080,
+		LongRunningRequestRE:                     defaultLongRunningRequestRE,
+		MasterCount:                              1,
+		MasterServiceNamespace:                   api.NamespaceDefault,
+		MaxRequestsInFlight:                      400,
+		MinRequestTimeout:                        1800,
+		RuntimeConfig:                            make(config.ConfigurationMap),
+		SecurePort:                               6443,
+		ServiceNodePortRange:                     DefaultServiceNodePortRange,
+		StorageVersions:                          registered.AllPreferredGroupVersions(),
 	}
 }

@ -238,24 +252,24 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) {

 	fs.StringVar(&s.AuthorizationMode, "authorization-mode", s.AuthorizationMode, ""+
 		"Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: "+
-		strings.Join(apiserver.AuthorizationModeChoices, ",")+".")
+		strings.Join(AuthorizationModeChoices, ",")+".")

-	fs.StringVar(&s.AuthorizationConfig.PolicyFile, "authorization-policy-file", s.AuthorizationConfig.PolicyFile, ""+
+	fs.StringVar(&s.AuthorizationPolicyFile, "authorization-policy-file", s.AuthorizationPolicyFile, ""+
 		"File with authorization policy in csv format, used with --authorization-mode=ABAC, on the secure port.")

-	fs.StringVar(&s.AuthorizationConfig.WebhookConfigFile, "authorization-webhook-config-file", s.AuthorizationConfig.WebhookConfigFile, ""+
+	fs.StringVar(&s.AuthorizationWebhookConfigFile, "authorization-webhook-config-file", s.AuthorizationWebhookConfigFile, ""+
 		"File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. "+
 		"The API server will query the remote service to determine access on the API server's secure port.")

-	fs.DurationVar(&s.AuthorizationConfig.WebhookCacheAuthorizedTTL, "authorization-webhook-cache-authorized-ttl",
-		s.AuthorizationConfig.WebhookCacheAuthorizedTTL,
+	fs.DurationVar(&s.AuthorizationWebhookCacheAuthorizedTTL, "authorization-webhook-cache-authorized-ttl",
+		s.AuthorizationWebhookCacheAuthorizedTTL,
 		"The duration to cache 'authorized' responses from the webhook authorizer. Default is 5m.")

-	fs.DurationVar(&s.AuthorizationConfig.WebhookCacheUnauthorizedTTL,
-		"authorization-webhook-cache-unauthorized-ttl", s.AuthorizationConfig.WebhookCacheUnauthorizedTTL,
+	fs.DurationVar(&s.AuthorizationWebhookCacheUnauthorizedTTL,
+		"authorization-webhook-cache-unauthorized-ttl", s.AuthorizationWebhookCacheUnauthorizedTTL,
 		"The duration to cache 'unauthorized' responses from the webhook authorizer. Default is 30s.")

-	fs.StringVar(&s.AuthorizationConfig.RBACSuperUser, "authorization-rbac-super-user", s.AuthorizationConfig.RBACSuperUser, ""+
+	fs.StringVar(&s.AuthorizationRBACSuperUser, "authorization-rbac-super-user", s.AuthorizationRBACSuperUser, ""+
 		"If specified, a username which avoids RBAC authorization checks and role binding "+
 		"privilege escalation checks, to be used with --authorization-mode=RBAC.")

--- a/test/integration/auth/auth_test.go
+++ b/test/integration/auth/auth_test.go
@ -41,13 +41,13 @@ import (
 	authenticationv1beta1 "k8s.io/kubernetes/pkg/apis/authentication/v1beta1"
 	"k8s.io/kubernetes/pkg/apis/autoscaling"
 	"k8s.io/kubernetes/pkg/apis/extensions"
-	"k8s.io/kubernetes/pkg/apiserver"
 	"k8s.io/kubernetes/pkg/auth/authenticator"
 	"k8s.io/kubernetes/pkg/auth/authenticator/bearertoken"
 	"k8s.io/kubernetes/pkg/auth/authorizer"
 	"k8s.io/kubernetes/pkg/auth/authorizer/abac"
 	"k8s.io/kubernetes/pkg/auth/user"
 	"k8s.io/kubernetes/pkg/client/unversioned/clientcmd/api/v1"
+	apiserverauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
 	"k8s.io/kubernetes/pkg/serviceaccount"
 	"k8s.io/kubernetes/plugin/pkg/admission/admit"
 	"k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/tokentest"
@ -500,7 +500,7 @@ func getPreviousResourceVersionKey(url, id string) string {
 func TestAuthModeAlwaysDeny(t *testing.T) {
 	// Set up a master
 	masterConfig := framework.NewIntegrationTestMasterConfig()
-	masterConfig.Authorizer = apiserver.NewAlwaysDenyAuthorizer()
+	masterConfig.Authorizer = apiserverauthorizer.NewAlwaysDenyAuthorizer()
 	_, s := framework.RunAMaster(masterConfig)
 	defer s.Close()

--- a/test/integration/framework/master_utils.go
+++ b/test/integration/framework/master_utils.go
@ -37,7 +37,6 @@ import (
 	"k8s.io/kubernetes/pkg/apis/extensions"
 	"k8s.io/kubernetes/pkg/apis/policy"
 	"k8s.io/kubernetes/pkg/apis/rbac"
-	"k8s.io/kubernetes/pkg/apiserver"
 	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 	"k8s.io/kubernetes/pkg/client/record"
 	"k8s.io/kubernetes/pkg/client/restclient"
@ -46,6 +45,7 @@ import (
 	replicationcontroller "k8s.io/kubernetes/pkg/controller/replication"
 	"k8s.io/kubernetes/pkg/fields"
 	"k8s.io/kubernetes/pkg/genericapiserver"
+	"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
 	"k8s.io/kubernetes/pkg/kubectl"
 	kubeletclient "k8s.io/kubernetes/pkg/kubelet/client"
 	"k8s.io/kubernetes/pkg/master"
@ -216,7 +216,7 @@ func NewMasterConfig() *master.Config {
 			APIResourceConfigSource: master.DefaultAPIResourceConfigSource(),
 			APIPrefix:               "/api",
 			APIGroupPrefix:          "/apis",
-			Authorizer:              apiserver.NewAlwaysAllowAuthorizer(),
+			Authorizer:              authorizer.NewAlwaysAllowAuthorizer(),
 			AdmissionControl:        admit.NewAlwaysAdmit(),
 			Serializer:              api.Codecs,
 			EnableWatchCache:        true,