fix golint failures in pkg/kubeapiserver/options, use API Server in commemts instead of APIServer

2025-09-04 02:37:36 +00:00 · 2020-07-23 18:41:37 +08:00
parent e2838df7c7
commit e441c07fe2
3 changed files with 135 additions and 135 deletions
--- a/pkg/kubeapiserver/options/authentication.go
+++ b/pkg/kubeapiserver/options/authentication.go
@@ -115,8 +115,8 @@ func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions {
 }
 // WithAll set default value for every build-in authentication option
-func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions {
+func (o *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions {
-	return s.
+	return o.
 		WithAnonymous().
 		WithBootstrapToken().
 		WithClientCert().
@@ -128,94 +128,94 @@ func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions {
 }
 // WithAnonymous set default value for anonymous authentication
-func (s *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions {
+func (o *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions {
-	s.Anonymous = &AnonymousAuthenticationOptions{Allow: true}
+	o.Anonymous = &AnonymousAuthenticationOptions{Allow: true}
-	return s
+	return o
 }
 // WithBootstrapToken set default value for bootstrap token authentication
-func (s *BuiltInAuthenticationOptions) WithBootstrapToken() *BuiltInAuthenticationOptions {
+func (o *BuiltInAuthenticationOptions) WithBootstrapToken() *BuiltInAuthenticationOptions {
-	s.BootstrapToken = &BootstrapTokenAuthenticationOptions{}
+	o.BootstrapToken = &BootstrapTokenAuthenticationOptions{}
-	return s
+	return o
 }
 // WithClientCert set default value for client cert
-func (s *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions {
+func (o *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions {
-	s.ClientCert = &genericoptions.ClientCertAuthenticationOptions{}
+	o.ClientCert = &genericoptions.ClientCertAuthenticationOptions{}
-	return s
+	return o
 }
 // WithOIDC set default value for OIDC authentication
-func (s *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions {
+func (o *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions {
-	s.OIDC = &OIDCAuthenticationOptions{}
+	o.OIDC = &OIDCAuthenticationOptions{}
-	return s
+	return o
 }
 // WithRequestHeader set default value for request header authentication
-func (s *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions {
+func (o *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions {
-	s.RequestHeader = &genericoptions.RequestHeaderAuthenticationOptions{}
+	o.RequestHeader = &genericoptions.RequestHeaderAuthenticationOptions{}
-	return s
+	return o
 }
 // WithServiceAccounts set default value for service account authentication
-func (s *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions {
+func (o *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions {
-	s.ServiceAccounts = &ServiceAccountAuthenticationOptions{Lookup: true}
+	o.ServiceAccounts = &ServiceAccountAuthenticationOptions{Lookup: true}
-	return s
+	return o
 }
 // WithTokenFile set default value for token file authentication
-func (s *BuiltInAuthenticationOptions) WithTokenFile() *BuiltInAuthenticationOptions {
+func (o *BuiltInAuthenticationOptions) WithTokenFile() *BuiltInAuthenticationOptions {
-	s.TokenFile = &TokenFileAuthenticationOptions{}
+	o.TokenFile = &TokenFileAuthenticationOptions{}
-	return s
+	return o
 }
 // WithWebHook set default value for web hook authentication
-func (s *BuiltInAuthenticationOptions) WithWebHook() *BuiltInAuthenticationOptions {
+func (o *BuiltInAuthenticationOptions) WithWebHook() *BuiltInAuthenticationOptions {
-	s.WebHook = &WebHookAuthenticationOptions{
+	o.WebHook = &WebHookAuthenticationOptions{
 		Version:  "v1beta1",
 		CacheTTL: 2 * time.Minute,
 	}
-	return s
+	return o
 }
 // Validate checks invalid config combination
-func (s *BuiltInAuthenticationOptions) Validate() []error {
+func (o *BuiltInAuthenticationOptions) Validate() []error {
 	allErrors := []error{}
-	if s.OIDC != nil && (len(s.OIDC.IssuerURL) > 0) != (len(s.OIDC.ClientID) > 0) {
+	if o.OIDC != nil && (len(o.OIDC.IssuerURL) > 0) != (len(o.OIDC.ClientID) > 0) {
 		allErrors = append(allErrors, fmt.Errorf("oidc-issuer-url and oidc-client-id should be specified together"))
 	}
-	if s.ServiceAccounts != nil && len(s.ServiceAccounts.Issuer) > 0 && strings.Contains(s.ServiceAccounts.Issuer, ":") {
+	if o.ServiceAccounts != nil && len(o.ServiceAccounts.Issuer) > 0 && strings.Contains(o.ServiceAccounts.Issuer, ":") {
-		if _, err := url.Parse(s.ServiceAccounts.Issuer); err != nil {
+		if _, err := url.Parse(o.ServiceAccounts.Issuer); err != nil {
 			allErrors = append(allErrors, fmt.Errorf("service-account-issuer contained a ':' but was not a valid URL: %v", err))
 		}
 	}
-	if s.ServiceAccounts != nil && utilfeature.DefaultFeatureGate.Enabled(features.BoundServiceAccountTokenVolume) {
+	if o.ServiceAccounts != nil && utilfeature.DefaultFeatureGate.Enabled(features.BoundServiceAccountTokenVolume) {
 		if !utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) || !utilfeature.DefaultFeatureGate.Enabled(features.TokenRequestProjection) {
 			allErrors = append(allErrors, errors.New("if the BoundServiceAccountTokenVolume feature is enabled,"+
 				" the TokenRequest and TokenRequestProjection features must also be enabled"))
 		}
-		if len(s.ServiceAccounts.Issuer) == 0 {
+		if len(o.ServiceAccounts.Issuer) == 0 {
 			allErrors = append(allErrors, errors.New("service-account-issuer is a required flag when BoundServiceAccountTokenVolume is enabled"))
 		}
-		if len(s.ServiceAccounts.KeyFiles) == 0 {
+		if len(o.ServiceAccounts.KeyFiles) == 0 {
 			allErrors = append(allErrors, errors.New("service-account-key-file is a required flag when BoundServiceAccountTokenVolume is enabled"))
 		}
 	}
-	if s.ServiceAccounts != nil {
+	if o.ServiceAccounts != nil {
 		if utilfeature.DefaultFeatureGate.Enabled(features.ServiceAccountIssuerDiscovery) {
 			// Validate the JWKS URI when it is explicitly set.
 			// When unset, it is later derived from ExternalHost.
-			if s.ServiceAccounts.JWKSURI != "" {
+			if o.ServiceAccounts.JWKSURI != "" {
-				if u, err := url.Parse(s.ServiceAccounts.JWKSURI); err != nil {
+				if u, err := url.Parse(o.ServiceAccounts.JWKSURI); err != nil {
 					allErrors = append(allErrors, fmt.Errorf("service-account-jwks-uri must be a valid URL: %v", err))
 				} else if u.Scheme != "https" {
 					allErrors = append(allErrors, fmt.Errorf("service-account-jwks-uri requires https scheme, parsed as: %v", u.String()))
 				}
 			}
-		} else if len(s.ServiceAccounts.JWKSURI) > 0 {
+		} else if len(o.ServiceAccounts.JWKSURI) > 0 {
 			allErrors = append(allErrors, fmt.Errorf("service-account-jwks-uri may only be set when the ServiceAccountIssuerDiscovery feature gate is enabled"))
 		}
 	}
@@ -224,88 +224,88 @@ func (s *BuiltInAuthenticationOptions) Validate() []error {
 }
 // AddFlags returns flags of authentication for a API Server
-func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
+func (o *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
-	fs.StringSliceVar(&s.APIAudiences, "api-audiences", s.APIAudiences, ""+
+	fs.StringSliceVar(&o.APIAudiences, "api-audiences", o.APIAudiences, ""+
 		"Identifiers of the API. The service account token authenticator will validate that "+
 		"tokens used against the API are bound to at least one of these audiences. If the "+
 		"--service-account-issuer flag is configured and this flag is not, this field "+
 		"defaults to a single element list containing the issuer URL.")
-	if s.Anonymous != nil {
+	if o.Anonymous != nil {
-		fs.BoolVar(&s.Anonymous.Allow, "anonymous-auth", s.Anonymous.Allow, ""+
+		fs.BoolVar(&o.Anonymous.Allow, "anonymous-auth", o.Anonymous.Allow, ""+
 			"Enables anonymous requests to the secure port of the API server. "+
 			"Requests that are not rejected by another authentication method are treated as anonymous requests. "+
 			"Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated.")
 	}
-	if s.BootstrapToken != nil {
+	if o.BootstrapToken != nil {
-		fs.BoolVar(&s.BootstrapToken.Enable, "enable-bootstrap-token-auth", s.BootstrapToken.Enable, ""+
+		fs.BoolVar(&o.BootstrapToken.Enable, "enable-bootstrap-token-auth", o.BootstrapToken.Enable, ""+
 			"Enable to allow secrets of type 'bootstrap.kubernetes.io/token' in the 'kube-system' "+
 			"namespace to be used for TLS bootstrapping authentication.")
 	}
-	if s.ClientCert != nil {
+	if o.ClientCert != nil {
-		s.ClientCert.AddFlags(fs)
+		o.ClientCert.AddFlags(fs)
 	}
-	if s.OIDC != nil {
+	if o.OIDC != nil {
-		fs.StringVar(&s.OIDC.IssuerURL, "oidc-issuer-url", s.OIDC.IssuerURL, ""+
+		fs.StringVar(&o.OIDC.IssuerURL, "oidc-issuer-url", o.OIDC.IssuerURL, ""+
 			"The URL of the OpenID issuer, only HTTPS scheme will be accepted. "+
 			"If set, it will be used to verify the OIDC JSON Web Token (JWT).")
-		fs.StringVar(&s.OIDC.ClientID, "oidc-client-id", s.OIDC.ClientID,
+		fs.StringVar(&o.OIDC.ClientID, "oidc-client-id", o.OIDC.ClientID,
 			"The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.")
-		fs.StringVar(&s.OIDC.CAFile, "oidc-ca-file", s.OIDC.CAFile, ""+
+		fs.StringVar(&o.OIDC.CAFile, "oidc-ca-file", o.OIDC.CAFile, ""+
-			"If set, the OpenID server's certificate will be verified by one of the authorities "+
+			"If set, the OpenID server'o certificate will be verified by one of the authorities "+
-			"in the oidc-ca-file, otherwise the host's root CA set will be used.")
+			"in the oidc-ca-file, otherwise the host'o root CA set will be used.")
-		fs.StringVar(&s.OIDC.UsernameClaim, "oidc-username-claim", "sub", ""+
+		fs.StringVar(&o.OIDC.UsernameClaim, "oidc-username-claim", "sub", ""+
 			"The OpenID claim to use as the user name. Note that claims other than the default ('sub') "+
 			"is not guaranteed to be unique and immutable. This flag is experimental, please see "+
 			"the authentication documentation for further details.")
-		fs.StringVar(&s.OIDC.UsernamePrefix, "oidc-username-prefix", "", ""+
+		fs.StringVar(&o.OIDC.UsernamePrefix, "oidc-username-prefix", "", ""+
 			"If provided, all usernames will be prefixed with this value. If not provided, "+
 			"username claims other than 'email' are prefixed by the issuer URL to avoid "+
 			"clashes. To skip any prefixing, provide the value '-'.")
-		fs.StringVar(&s.OIDC.GroupsClaim, "oidc-groups-claim", "", ""+
+		fs.StringVar(&o.OIDC.GroupsClaim, "oidc-groups-claim", "", ""+
 			"If provided, the name of a custom OpenID Connect claim for specifying user groups. "+
 			"The claim value is expected to be a string or array of strings. This flag is experimental, "+
 			"please see the authentication documentation for further details.")
-		fs.StringVar(&s.OIDC.GroupsPrefix, "oidc-groups-prefix", "", ""+
+		fs.StringVar(&o.OIDC.GroupsPrefix, "oidc-groups-prefix", "", ""+
 			"If provided, all groups will be prefixed with this value to prevent conflicts with "+
 			"other authentication strategies.")
-		fs.StringSliceVar(&s.OIDC.SigningAlgs, "oidc-signing-algs", []string{"RS256"}, ""+
+		fs.StringSliceVar(&o.OIDC.SigningAlgs, "oidc-signing-algs", []string{"RS256"}, ""+
 			"Comma-separated list of allowed JOSE asymmetric signing algorithms. JWTs with a "+
 			"'alg' header value not in this list will be rejected. "+
 			"Values are defined by RFC 7518 https://tools.ietf.org/html/rfc7518#section-3.1.")
-		fs.Var(cliflag.NewMapStringStringNoSplit(&s.OIDC.RequiredClaims), "oidc-required-claim", ""+
+		fs.Var(cliflag.NewMapStringStringNoSplit(&o.OIDC.RequiredClaims), "oidc-required-claim", ""+
 			"A key=value pair that describes a required claim in the ID Token. "+
 			"If set, the claim is verified to be present in the ID Token with a matching value. "+
 			"Repeat this flag to specify multiple claims.")
 	}
-	if s.RequestHeader != nil {
+	if o.RequestHeader != nil {
-		s.RequestHeader.AddFlags(fs)
+		o.RequestHeader.AddFlags(fs)
 	}
-	if s.ServiceAccounts != nil {
+	if o.ServiceAccounts != nil {
-		fs.StringArrayVar(&s.ServiceAccounts.KeyFiles, "service-account-key-file", s.ServiceAccounts.KeyFiles, ""+
+		fs.StringArrayVar(&o.ServiceAccounts.KeyFiles, "service-account-key-file", o.ServiceAccounts.KeyFiles, ""+
 			"File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify "+
 			"ServiceAccount tokens. The specified file can contain multiple keys, and the flag can "+
 			"be specified multiple times with different files. If unspecified, "+
 			"--tls-private-key-file is used. Must be specified when "+
 			"--service-account-signing-key is provided")
-		fs.BoolVar(&s.ServiceAccounts.Lookup, "service-account-lookup", s.ServiceAccounts.Lookup,
+		fs.BoolVar(&o.ServiceAccounts.Lookup, "service-account-lookup", o.ServiceAccounts.Lookup,
 			"If true, validate ServiceAccount tokens exist in etcd as part of authentication.")
-		fs.StringVar(&s.ServiceAccounts.Issuer, "service-account-issuer", s.ServiceAccounts.Issuer, ""+
+		fs.StringVar(&o.ServiceAccounts.Issuer, "service-account-issuer", o.ServiceAccounts.Issuer, ""+
 			"Identifier of the service account token issuer. The issuer will assert this identifier "+
 			"in \"iss\" claim of issued tokens. This value is a string or URI. If this option is not "+
 			"a valid URI per the OpenID Discovery 1.0 spec, the ServiceAccountIssuerDiscovery feature "+
@@ -315,117 +315,117 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 			"recommended that this URL be capable of serving OpenID discovery documents at "+
 			"`{service-account-issuer}/.well-known/openid-configuration`.")
-		fs.StringVar(&s.ServiceAccounts.JWKSURI, "service-account-jwks-uri", s.ServiceAccounts.JWKSURI, ""+
+		fs.StringVar(&o.ServiceAccounts.JWKSURI, "service-account-jwks-uri", o.ServiceAccounts.JWKSURI, ""+
 			"Overrides the URI for the JSON Web Key Set in the discovery doc served at "+
 			"/.well-known/openid-configuration. This flag is useful if the discovery doc"+
 			"and key set are served to relying parties from a URL other than the "+
-			"API server's external (as auto-detected or overridden with external-hostname). "+
+			"API server'o external (as auto-detected or overridden with external-hostname). "+
 			"Only valid if the ServiceAccountIssuerDiscovery feature gate is enabled.")
 		// Deprecated in 1.13
-		fs.StringSliceVar(&s.APIAudiences, "service-account-api-audiences", s.APIAudiences, ""+
+		fs.StringSliceVar(&o.APIAudiences, "service-account-api-audiences", o.APIAudiences, ""+
 			"Identifiers of the API. The service account token authenticator will validate that "+
 			"tokens used against the API are bound to at least one of these audiences.")
 		fs.MarkDeprecated("service-account-api-audiences", "Use --api-audiences")
-		fs.DurationVar(&s.ServiceAccounts.MaxExpiration, "service-account-max-token-expiration", s.ServiceAccounts.MaxExpiration, ""+
+		fs.DurationVar(&o.ServiceAccounts.MaxExpiration, "service-account-max-token-expiration", o.ServiceAccounts.MaxExpiration, ""+
 			"The maximum validity duration of a token created by the service account token issuer. If an otherwise valid "+
 			"TokenRequest with a validity duration larger than this value is requested, a token will be issued with a validity duration of this value.")
-		fs.BoolVar(&s.ServiceAccounts.ExtendExpiration, "service-account-extend-token-expiration", s.ServiceAccounts.ExtendExpiration, ""+
+		fs.BoolVar(&o.ServiceAccounts.ExtendExpiration, "service-account-extend-token-expiration", o.ServiceAccounts.ExtendExpiration, ""+
 			"Turns on projected service account expiration extension during token generation, "+
 			"which helps safe transition from legacy token to bound service account token feature. "+
 			"If this flag is enabled, admission injected tokens would be extended up to 1 year to "+
 			"prevent unexpected failure during transition, ignoring value of service-account-max-token-expiration.")
 	}
-	if s.TokenFile != nil {
+	if o.TokenFile != nil {
-		fs.StringVar(&s.TokenFile.TokenFile, "token-auth-file", s.TokenFile.TokenFile, ""+
+		fs.StringVar(&o.TokenFile.TokenFile, "token-auth-file", o.TokenFile.TokenFile, ""+
 			"If set, the file that will be used to secure the secure port of the API server "+
 			"via token authentication.")
 	}
-	if s.WebHook != nil {
+	if o.WebHook != nil {
-		fs.StringVar(&s.WebHook.ConfigFile, "authentication-token-webhook-config-file", s.WebHook.ConfigFile, ""+
+		fs.StringVar(&o.WebHook.ConfigFile, "authentication-token-webhook-config-file", o.WebHook.ConfigFile, ""+
 			"File with webhook configuration for token authentication in kubeconfig format. "+
 			"The API server will query the remote service to determine authentication for bearer tokens.")
-		fs.StringVar(&s.WebHook.Version, "authentication-token-webhook-version", s.WebHook.Version, ""+
+		fs.StringVar(&o.WebHook.Version, "authentication-token-webhook-version", o.WebHook.Version, ""+
 			"The API version of the authentication.k8s.io TokenReview to send to and expect from the webhook.")
-		fs.DurationVar(&s.WebHook.CacheTTL, "authentication-token-webhook-cache-ttl", s.WebHook.CacheTTL,
+		fs.DurationVar(&o.WebHook.CacheTTL, "authentication-token-webhook-cache-ttl", o.WebHook.CacheTTL,
 			"The duration to cache responses from the webhook token authenticator.")
 	}
 }
 // ToAuthenticationConfig convert BuiltInAuthenticationOptions to kubeauthenticator.Config
-func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticator.Config, error) {
+func (o *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticator.Config, error) {
 	ret := kubeauthenticator.Config{
-		TokenSuccessCacheTTL: s.TokenSuccessCacheTTL,
+		TokenSuccessCacheTTL: o.TokenSuccessCacheTTL,
-		TokenFailureCacheTTL: s.TokenFailureCacheTTL,
+		TokenFailureCacheTTL: o.TokenFailureCacheTTL,
 	}
-	if s.Anonymous != nil {
+	if o.Anonymous != nil {
-		ret.Anonymous = s.Anonymous.Allow
+		ret.Anonymous = o.Anonymous.Allow
 	}
-	if s.BootstrapToken != nil {
+	if o.BootstrapToken != nil {
-		ret.BootstrapToken = s.BootstrapToken.Enable
+		ret.BootstrapToken = o.BootstrapToken.Enable
 	}
-	if s.ClientCert != nil {
+	if o.ClientCert != nil {
 		var err error
-		ret.ClientCAContentProvider, err = s.ClientCert.GetClientCAContentProvider()
+		ret.ClientCAContentProvider, err = o.ClientCert.GetClientCAContentProvider()
 		if err != nil {
 			return kubeauthenticator.Config{}, err
 		}
 	}
-	if s.OIDC != nil {
+	if o.OIDC != nil {
-		ret.OIDCCAFile = s.OIDC.CAFile
+		ret.OIDCCAFile = o.OIDC.CAFile
-		ret.OIDCClientID = s.OIDC.ClientID
+		ret.OIDCClientID = o.OIDC.ClientID
-		ret.OIDCGroupsClaim = s.OIDC.GroupsClaim
+		ret.OIDCGroupsClaim = o.OIDC.GroupsClaim
-		ret.OIDCGroupsPrefix = s.OIDC.GroupsPrefix
+		ret.OIDCGroupsPrefix = o.OIDC.GroupsPrefix
-		ret.OIDCIssuerURL = s.OIDC.IssuerURL
+		ret.OIDCIssuerURL = o.OIDC.IssuerURL
-		ret.OIDCUsernameClaim = s.OIDC.UsernameClaim
+		ret.OIDCUsernameClaim = o.OIDC.UsernameClaim
-		ret.OIDCUsernamePrefix = s.OIDC.UsernamePrefix
+		ret.OIDCUsernamePrefix = o.OIDC.UsernamePrefix
-		ret.OIDCSigningAlgs = s.OIDC.SigningAlgs
+		ret.OIDCSigningAlgs = o.OIDC.SigningAlgs
-		ret.OIDCRequiredClaims = s.OIDC.RequiredClaims
+		ret.OIDCRequiredClaims = o.OIDC.RequiredClaims
 	}
-	if s.RequestHeader != nil {
+	if o.RequestHeader != nil {
 		var err error
-		ret.RequestHeaderConfig, err = s.RequestHeader.ToAuthenticationRequestHeaderConfig()
+		ret.RequestHeaderConfig, err = o.RequestHeader.ToAuthenticationRequestHeaderConfig()
 		if err != nil {
 			return kubeauthenticator.Config{}, err
 		}
 	}
-	ret.APIAudiences = s.APIAudiences
+	ret.APIAudiences = o.APIAudiences
-	if s.ServiceAccounts != nil {
+	if o.ServiceAccounts != nil {
-		if s.ServiceAccounts.Issuer != "" && len(s.APIAudiences) == 0 {
+		if o.ServiceAccounts.Issuer != "" && len(o.APIAudiences) == 0 {
-			ret.APIAudiences = authenticator.Audiences{s.ServiceAccounts.Issuer}
+			ret.APIAudiences = authenticator.Audiences{o.ServiceAccounts.Issuer}
 		}
-		ret.ServiceAccountKeyFiles = s.ServiceAccounts.KeyFiles
+		ret.ServiceAccountKeyFiles = o.ServiceAccounts.KeyFiles
-		ret.ServiceAccountIssuer = s.ServiceAccounts.Issuer
+		ret.ServiceAccountIssuer = o.ServiceAccounts.Issuer
-		ret.ServiceAccountLookup = s.ServiceAccounts.Lookup
+		ret.ServiceAccountLookup = o.ServiceAccounts.Lookup
 	}
-	if s.TokenFile != nil {
+	if o.TokenFile != nil {
-		ret.TokenAuthFile = s.TokenFile.TokenFile
+		ret.TokenAuthFile = o.TokenFile.TokenFile
 	}
-	if s.WebHook != nil {
+	if o.WebHook != nil {
-		ret.WebhookTokenAuthnConfigFile = s.WebHook.ConfigFile
+		ret.WebhookTokenAuthnConfigFile = o.WebHook.ConfigFile
-		ret.WebhookTokenAuthnVersion = s.WebHook.Version
+		ret.WebhookTokenAuthnVersion = o.WebHook.Version
-		ret.WebhookTokenAuthnCacheTTL = s.WebHook.CacheTTL
+		ret.WebhookTokenAuthnCacheTTL = o.WebHook.CacheTTL
-		if len(s.WebHook.ConfigFile) > 0 && s.WebHook.CacheTTL > 0 {
+		if len(o.WebHook.ConfigFile) > 0 && o.WebHook.CacheTTL > 0 {
-			if s.TokenSuccessCacheTTL > 0 && s.WebHook.CacheTTL < s.TokenSuccessCacheTTL {
+			if o.TokenSuccessCacheTTL > 0 && o.WebHook.CacheTTL < o.TokenSuccessCacheTTL {
-				klog.Warningf("the webhook cache ttl of %s is shorter than the overall cache ttl of %s for successful token authentication attempts.", s.WebHook.CacheTTL, s.TokenSuccessCacheTTL)
+				klog.Warningf("the webhook cache ttl of %o is shorter than the overall cache ttl of %o for successful token authentication attempts.", o.WebHook.CacheTTL, o.TokenSuccessCacheTTL)
 			}
-			if s.TokenFailureCacheTTL > 0 && s.WebHook.CacheTTL < s.TokenFailureCacheTTL {
+			if o.TokenFailureCacheTTL > 0 && o.WebHook.CacheTTL < o.TokenFailureCacheTTL {
-				klog.Warningf("the webhook cache ttl of %s is shorter than the overall cache ttl of %s for failed token authentication attempts.", s.WebHook.CacheTTL, s.TokenFailureCacheTTL)
+				klog.Warningf("the webhook cache ttl of %o is shorter than the overall cache ttl of %o for failed token authentication attempts.", o.WebHook.CacheTTL, o.TokenFailureCacheTTL)
 			}
 		}
 	}
@@ -434,8 +434,8 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticat
 }
 // ApplyTo requires already applied OpenAPIConfig and EgressSelector if present.
-func (s *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.AuthenticationInfo, secureServing *genericapiserver.SecureServingInfo, egressSelector *egressselector.EgressSelector, openAPIConfig *openapicommon.Config, extclient kubernetes.Interface, versionedInformer informers.SharedInformerFactory) error {
+func (o *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.AuthenticationInfo, secureServing *genericapiserver.SecureServingInfo, egressSelector *egressselector.EgressSelector, openAPIConfig *openapicommon.Config, extclient kubernetes.Interface, versionedInformer informers.SharedInformerFactory) error {
-	if s == nil {
+	if o == nil {
 		return nil
 	}
@@ -443,7 +443,7 @@ func (s *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.Authen
 		return errors.New("uninitialized OpenAPIConfig")
 	}
-	authenticatorConfig, err := s.ToAuthenticationConfig()
+	authenticatorConfig, err := o.ToAuthenticationConfig()
 	if err != nil {
 		return err
 	}
@@ -459,12 +459,12 @@ func (s *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.Authen
 		}
 	}
-	authInfo.APIAudiences = s.APIAudiences
+	authInfo.APIAudiences = o.APIAudiences
-	if s.ServiceAccounts != nil && s.ServiceAccounts.Issuer != "" && len(s.APIAudiences) == 0 {
+	if o.ServiceAccounts != nil && o.ServiceAccounts.Issuer != "" && len(o.APIAudiences) == 0 {
-		authInfo.APIAudiences = authenticator.Audiences{s.ServiceAccounts.Issuer}
+		authInfo.APIAudiences = authenticator.Audiences{o.ServiceAccounts.Issuer}
 	}
-	if s.ServiceAccounts.Lookup || utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) {
+	if o.ServiceAccounts.Lookup || utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) {
 		authenticatorConfig.ServiceAccountTokenGetter = serviceaccountcontroller.NewGetterFromClient(
 			extclient,
 			versionedInformer.Core().V1().Secrets().Lister(),
@@ -493,15 +493,15 @@ func (s *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.Authen
 }
 // ApplyAuthorization will conditionally modify the authentication options based on the authorization options
-func (s *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions) {
+func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions) {
-	if s == nil || authorization == nil || s.Anonymous == nil {
+	if o == nil || authorization == nil || o.Anonymous == nil {
 		return
 	}
 	// authorization ModeAlwaysAllow cannot be combined with AnonymousAuth.
 	// in such a case the AnonymousAuth is stomped to false and you get a message
-	if s.Anonymous.Allow && sets.NewString(authorization.Modes...).Has(authzmodes.ModeAlwaysAllow) {
+	if o.Anonymous.Allow && sets.NewString(authorization.Modes...).Has(authzmodes.ModeAlwaysAllow) {
 		klog.Warningf("AnonymousAuth is not allowed with the AlwaysAllow authorizer. Resetting AnonymousAuth to false. You should use a different authorizer")
-		s.Anonymous.Allow = false
+		o.Anonymous.Allow = false
 	}
 }
--- a/pkg/kubeapiserver/options/cloudprovider.go
+++ b/pkg/kubeapiserver/options/cloudprovider.go
@@ -26,7 +26,7 @@ type CloudProviderOptions struct {
 	CloudProvider   string
 }
-// NewCloudProviderOptions create a default CloudProviderOptions
+// NewCloudProviderOptions creates a default CloudProviderOptions
 func NewCloudProviderOptions() *CloudProviderOptions {
 	return &CloudProviderOptions{}
 }