From eaa739bd59d801550e3993f70894be4b0a573b07 Mon Sep 17 00:00:00 2001
From: Clayton Coleman
Date: Wed, 25 Apr 2018 18:17:14 -0400
Subject: [PATCH] Limit access to core/api/v1 inside of client-go
---
 cmd/importverifier/importverifier.go | 8 +++++++-
 hack/import-restrictions.yaml | 22 ++++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/cmd/importverifier/importverifier.go b/cmd/importverifier/importverifier.go
index 584a74bdb33..ee3f07c7bb0 100644
--- a/cmd/importverifier/importverifier.go
+++ b/cmd/importverifier/importverifier.go
@@ -57,6 +57,8 @@ type ImportRestriction struct {
 // given as paths that would be used in a Go
 // import statement
 AllowedImports []string `yaml:"allowedImports"`
+ // ExcludeTests will skip checking test dependencies.
+ ExcludeTests bool `yaml:"excludeTests"`
 }
 
 // ForbiddenImportsFor determines all of the forbidden
@@ -120,7 +122,11 @@ func isPathUnder(base, path string) (bool, error) {
 // and returns a deduplicated list of them
 func (i *ImportRestriction) forbiddenImportsFor(pkg Package) []string {
 forbiddenImportSet := map[string]struct{}{}
- for _, imp := range append(pkg.Imports, append(pkg.TestImports, pkg.XTestImports...)...) {
+ imports := pkg.Imports
+ if !i.ExcludeTests {
+ imports = append(imports, append(pkg.TestImports, pkg.XTestImports...)...)
+ }
+ for _, imp := range imports {
 path := extractVendorPath(imp)
 if i.isForbidden(path) {
 forbiddenImportSet[path] = struct{}{}
diff --git a/hack/import-restrictions.yaml b/hack/import-restrictions.yaml
index 7294a8c3624..939bc4e4c74 100644
--- a/hack/import-restrictions.yaml
+++ b/hack/import-restrictions.yaml
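Review bot: The doc comment on `ExcludeTests` does not say which imports are skipped or what the zero value means, yet this field is what allows a restricted tree to depend on a forbidden package through its test files without the verifier reporting it. Going by the second hunk, the flag drops both `pkg.TestImports` and `pkg.XTestImports`, so I would spell that out: `// ExcludeTests, when true, checks only pkg.Imports; TestImports and XTestImports are not checked. The zero value checks all three.` The struct's opening line and its other fields are outside this hunk.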
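Review bot: `imports := pkg.Imports` followed by `imports = append(imports, ...)` can write into the backing array of `pkg.Imports` when that slice has spare capacity, and the inner `append(pkg.TestImports, pkg.XTestImports...)` has the same property. The removed line did this as well, but now that the alias has a name it is easier to extend by accident; starting from a copy avoids it: `imports := append([]string(nil), pkg.Imports...)`. The diffstat lists only this file and the YAML, so the new `ExcludeTests` branch appears to ship without a test in this commit; a package whose only forbidden path sits in `TestImports` would pin both settings. The body of `forbiddenImportsFor` continues past the end of the hunk.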
@@ -45,6 +45,28 @@
 - k8s.io/apimachinery
 - k8s.io/client-go
 
+# prevent core machinery from taking explicit v1 references unless
+# necessary
+- baseImportPath: "./vendor/k8s.io/client-go/rest/"
+ excludeTests: true
+ allowedImports:
+ - k8s.io/apimachinery
+ - k8s.io/client-go
+- baseImportPath: "./vendor/k8s.io/client-go/tools/"
+ excludeTests: true
+ ignoredSubTrees:
+ - "./vendor/k8s.io/client-go/tools/bootstrap/token/api"
+ - "./vendor/k8s.io/client-go/tools/cache/testing"
+ - "./vendor/k8s.io/client-go/tools/leaderelection/resourcelock"
+ - "./vendor/k8s.io/client-go/tools/portforward"
+ - "./vendor/k8s.io/client-go/tools/record"
+ - "./vendor/k8s.io/client-go/tools/reference"
+ - "./vendor/k8s.io/client-go/tools/remotecommand"
+ allowedImports:
+ - k8s.io/apimachinery
+ - k8s.io/client-go
+
+
 - baseImportPath: "./vendor/k8s.io/apiserver/"
 allowedImports:
 - k8s.io/api
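Review bot: The seven `ignoredSubTrees` entries under `client-go/tools/` are exempted without any stated reason, so a later reader cannot tell a deliberate exception from a stopgap, and exemption lists of this kind tend only to grow. A line above the list would help, for example `# subtrees that still need k8s.io/api types; remove entries as they are cleaned up` (the reason is my inference from the commit subject, so adjust it to the real one). With `excludeTests: true` on both new rules, test files under `rest/` and `tools/` fall outside the check altogether, which is worth stating in the leading comment as well. The two empty added lines at the end of the block look unintentional.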