Merge pull request #40430 from deads2k/generic-28-factory

Automatic merge from submit-queue move genericapiserver authenticator and authorizer factories straight move to `apiserver`
2025-07-27 13:37:30 +00:00 · 2017-01-26 07:37:43 -08:00 · 2017-01-26 07:37:43 -08:00 · ff67d8218e
commit ff67d8218e
parent 122bf004bf 0d8e6b8500
27 changed files with 103 additions and 149 deletions
--- a/cmd/kubelet/app/BUILD
+++ b/cmd/kubelet/app/BUILD
@ -54,8 +54,6 @@ go_library(
        "//pkg/credentialprovider/azure:go_default_library",
        "//pkg/credentialprovider/gcp:go_default_library",
        "//pkg/features:go_default_library",
        "//pkg/genericapiserver/authenticator:go_default_library",
        "//pkg/genericapiserver/authorizer:go_default_library",
        "//pkg/kubelet:go_default_library",
        "//pkg/kubelet/cadvisor:go_default_library",
        "//pkg/kubelet/cm:go_default_library",
@ -109,7 +107,9 @@ go_library(
        "//vendor:k8s.io/apimachinery/pkg/util/runtime",
        "//vendor:k8s.io/apimachinery/pkg/util/wait",
        "//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
        "//vendor:k8s.io/apiserver/pkg/authentication/authenticatorfactory",
        "//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
        "//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
        "//vendor:k8s.io/apiserver/pkg/server/healthz",
        "//vendor:k8s.io/apiserver/pkg/util/feature",
        "//vendor:k8s.io/client-go/kubernetes",
--- a/cmd/kubelet/app/auth.go
+++ b/cmd/kubelet/app/auth.go
@ -21,17 +21,16 @@ import (
 	"fmt"
 	"reflect"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
 	clientset "k8s.io/client-go/kubernetes"
 	authenticationclient "k8s.io/client-go/kubernetes/typed/authentication/v1beta1"
 	authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1beta1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
 	apiserverauthenticator "k8s.io/kubernetes/pkg/genericapiserver/authenticator"
 	alwaysallowauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
 	apiserverauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
 	"k8s.io/kubernetes/pkg/kubelet/server"
 )
@ -62,7 +61,7 @@ func buildAuth(nodeName types.NodeName, client clientset.Interface, config compo
 }
 func buildAuthn(client authenticationclient.TokenReviewInterface, authn componentconfig.KubeletAuthentication) (authenticator.Request, error) {
-	authenticatorConfig := apiserverauthenticator.DelegatingAuthenticatorConfig{
+	authenticatorConfig := authenticatorfactory.DelegatingAuthenticatorConfig{
 		Anonymous:    authn.Anonymous.Enabled,
 		CacheTTL:     authn.Webhook.CacheTTL.Duration,
 		ClientCAFile: authn.X509.ClientCAFile,
@ -82,13 +81,13 @@ func buildAuthn(client authenticationclient.TokenReviewInterface, authn componen
 func buildAuthz(client authorizationclient.SubjectAccessReviewInterface, authz componentconfig.KubeletAuthorization) (authorizer.Authorizer, error) {
 	switch authz.Mode {
 	case componentconfig.KubeletAuthorizationModeAlwaysAllow:
-		return alwaysallowauthorizer.NewAlwaysAllowAuthorizer(), nil
+		return authorizerfactory.NewAlwaysAllowAuthorizer(), nil
 	case componentconfig.KubeletAuthorizationModeWebhook:
 		if client == nil {
 			return nil, errors.New("no client provided, cannot use webhook authorization")
 		}
-		authorizerConfig := apiserverauthorizer.DelegatingAuthorizerConfig{
+		authorizerConfig := authorizerfactory.DelegatingAuthorizerConfig{
 			SubjectAccessReviewClient: client,
 			AllowCacheTTL:             authz.Webhook.CacheAuthorizedTTL.Duration,
 			DenyCacheTTL:              authz.Webhook.CacheUnauthorizedTTL.Duration,
--- a/examples/apiserver/BUILD
+++ b/examples/apiserver/BUILD
@ -16,7 +16,6 @@ go_library(
        "//cmd/libs/go2idl/client-gen/test_apis/testgroup/v1:go_default_library",
        "//examples/apiserver/rest:go_default_library",
        "//pkg/api:go_default_library",
        "//pkg/genericapiserver/authorizer:go_default_library",
        "//pkg/genericapiserver/registry/generic:go_default_library",
        "//pkg/genericapiserver/registry/rest:go_default_library",
        "//pkg/genericapiserver/server:go_default_library",
@ -26,6 +25,7 @@ go_library(
        "//vendor:github.com/golang/glog",
        "//vendor:k8s.io/apimachinery/pkg/runtime/schema",
        "//vendor:k8s.io/apimachinery/pkg/util/errors",
        "//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
    ],
 )
--- a/examples/apiserver/apiserver.go
+++ b/examples/apiserver/apiserver.go
@ -21,10 +21,10 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
 	"k8s.io/kubernetes/cmd/libs/go2idl/client-gen/test_apis/testgroup/v1"
 	testgroupetcd "k8s.io/kubernetes/examples/apiserver/rest"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
 	"k8s.io/kubernetes/pkg/genericapiserver/registry/generic"
 	"k8s.io/kubernetes/pkg/genericapiserver/registry/rest"
 	genericapiserver "k8s.io/kubernetes/pkg/genericapiserver/server"
@ -113,7 +113,7 @@ func (serverOptions *ServerRunOptions) Run(stopCh <-chan struct{}) error {
 		return fmt.Errorf("failed to configure authentication: %s", err)
 	}
-	config.Authorizer = authorizer.NewAlwaysAllowAuthorizer()
+	config.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer()
 	config.SwaggerConfig = genericapiserver.DefaultSwaggerConfig()
 	s, err := config.Complete().New()
--- a/pkg/genericapiserver/BUILD
+++ b/pkg/genericapiserver/BUILD
@ -24,8 +24,6 @@ filegroup(
    name = "all-srcs",
    srcs = [
        ":package-srcs",
        "//pkg/genericapiserver/authenticator:all-srcs",
        "//pkg/genericapiserver/authorizer:all-srcs",
        "//pkg/genericapiserver/endpoints:all-srcs",
        "//pkg/genericapiserver/registry:all-srcs",
        "//pkg/genericapiserver/server:all-srcs",
--- a/pkg/genericapiserver/authenticator/BUILD
+++ b/pkg/genericapiserver/authenticator/BUILD
@ -1,46 +0,0 @@
 package(default_visibility = ["//visibility:public"])
 licenses(["notice"])
 load(
    "@io_bazel_rules_go//go:def.bzl",
    "go_library",
 )
 go_library(
    name = "go_default_library",
    srcs = [
        "delegating.go",
        "loopback.go",
        "requestheader.go",
    ],
    tags = ["automanaged"],
    deps = [
        "//vendor:github.com/go-openapi/spec",
        "//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
        "//vendor:k8s.io/apiserver/pkg/authentication/group",
        "//vendor:k8s.io/apiserver/pkg/authentication/request/anonymous",
        "//vendor:k8s.io/apiserver/pkg/authentication/request/bearertoken",
        "//vendor:k8s.io/apiserver/pkg/authentication/request/headerrequest",
        "//vendor:k8s.io/apiserver/pkg/authentication/request/union",
        "//vendor:k8s.io/apiserver/pkg/authentication/request/x509",
        "//vendor:k8s.io/apiserver/pkg/authentication/token/tokenfile",
        "//vendor:k8s.io/apiserver/pkg/authentication/user",
        "//vendor:k8s.io/apiserver/plugin/pkg/authenticator/token/webhook",
        "//vendor:k8s.io/client-go/kubernetes/typed/authentication/v1beta1",
        "//vendor:k8s.io/client-go/util/cert",
    ],
 )
 filegroup(
    name = "package-srcs",
    srcs = glob(["**"]),
    tags = ["automanaged"],
    visibility = ["//visibility:private"],
 )
 filegroup(
    name = "all-srcs",
    srcs = [":package-srcs"],
    tags = ["automanaged"],
 )
--- a/pkg/genericapiserver/authorizer/BUILD
+++ b/pkg/genericapiserver/authorizer/BUILD
@ -1,47 +0,0 @@
 package(default_visibility = ["//visibility:public"])
 licenses(["notice"])
 load(
    "@io_bazel_rules_go//go:def.bzl",
    "go_library",
    "go_test",
 )
 go_test(
    name = "go_default_test",
    srcs = ["authz_test.go"],
    library = ":go_default_library",
    tags = ["automanaged"],
    deps = [
        "//vendor:k8s.io/apiserver/pkg/authentication/user",
        "//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
    ],
 )
 go_library(
    name = "go_default_library",
    srcs = [
        "builtin.go",
        "delegating.go",
    ],
    tags = ["automanaged"],
    deps = [
        "//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
        "//vendor:k8s.io/apiserver/plugin/pkg/authorizer/webhook",
        "//vendor:k8s.io/client-go/kubernetes/typed/authorization/v1beta1",
    ],
 )
 filegroup(
    name = "package-srcs",
    srcs = glob(["**"]),
    tags = ["automanaged"],
    visibility = ["//visibility:private"],
 )
 filegroup(
    name = "all-srcs",
    srcs = [":package-srcs"],
    tags = ["automanaged"],
 )
--- a/pkg/genericapiserver/server/BUILD
+++ b/pkg/genericapiserver/server/BUILD
@ -67,8 +67,6 @@ go_library(
    tags = ["automanaged"],
    deps = [
        "//pkg/api:go_default_library",
        "//pkg/genericapiserver/authenticator:go_default_library",
        "//pkg/genericapiserver/authorizer:go_default_library",
        "//pkg/genericapiserver/endpoints:go_default_library",
        "//pkg/genericapiserver/endpoints/filters:go_default_library",
        "//pkg/genericapiserver/endpoints/openapi:go_default_library",
@ -99,9 +97,11 @@ go_library(
        "//vendor:k8s.io/apimachinery/pkg/version",
        "//vendor:k8s.io/apiserver/pkg/admission",
        "//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
        "//vendor:k8s.io/apiserver/pkg/authentication/authenticatorfactory",
        "//vendor:k8s.io/apiserver/pkg/authentication/request/union",
        "//vendor:k8s.io/apiserver/pkg/authentication/user",
        "//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
        "//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
        "//vendor:k8s.io/apiserver/pkg/authorization/union",
        "//vendor:k8s.io/apiserver/pkg/endpoints/request",
        "//vendor:k8s.io/apiserver/pkg/server/healthz",
--- a/pkg/genericapiserver/server/config.go
+++ b/pkg/genericapiserver/server/config.go
@ -43,17 +43,17 @@ import (
 	"k8s.io/apimachinery/pkg/version"
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
 	authenticatorunion "k8s.io/apiserver/pkg/authentication/request/union"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
 	authorizerunion "k8s.io/apiserver/pkg/authorization/union"
 	apirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/server/healthz"
 	restclient "k8s.io/client-go/rest"
 	certutil "k8s.io/client-go/util/cert"
 	"k8s.io/kubernetes/pkg/api"
 	genericauthenticator "k8s.io/kubernetes/pkg/genericapiserver/authenticator"
 	genericauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
 	genericapifilters "k8s.io/kubernetes/pkg/genericapiserver/endpoints/filters"
 	apiopenapi "k8s.io/kubernetes/pkg/genericapiserver/endpoints/openapi"
 	genericfilters "k8s.io/kubernetes/pkg/genericapiserver/server/filters"
@ -480,10 +480,10 @@ func (c *Config) Complete() completedConfig {
 			Groups: []string{user.SystemPrivilegedGroup},
 		}
-		tokenAuthenticator := genericauthenticator.NewAuthenticatorFromTokens(tokens)
+		tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens)
 		c.Authenticator = authenticatorunion.New(tokenAuthenticator, c.Authenticator)
-		tokenAuthorizer := genericauthorizer.NewPrivilegedGroups(user.SystemPrivilegedGroup)
+		tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)
 		c.Authorizer = authorizerunion.New(tokenAuthorizer, c.Authorizer)
 	}
--- a/pkg/genericapiserver/server/options/BUILD
+++ b/pkg/genericapiserver/server/options/BUILD
@ -21,8 +21,6 @@ go_library(
    deps = [
        "//pkg/api:go_default_library",
        "//pkg/features:go_default_library",
        "//pkg/genericapiserver/authenticator:go_default_library",
        "//pkg/genericapiserver/authorizer:go_default_library",
        "//pkg/storage/storagebackend:go_default_library",
        "//vendor:github.com/golang/glog",
        "//vendor:github.com/spf13/pflag",
@ -30,6 +28,8 @@ go_library(
        "//vendor:k8s.io/apimachinery/pkg/runtime/schema",
        "//vendor:k8s.io/apimachinery/pkg/util/net",
        "//vendor:k8s.io/apiserver/pkg/admission",
        "//vendor:k8s.io/apiserver/pkg/authentication/authenticatorfactory",
        "//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
        "//vendor:k8s.io/apiserver/pkg/util/feature",
        "//vendor:k8s.io/apiserver/pkg/util/flag",
        "//vendor:k8s.io/client-go/kubernetes/typed/authentication/v1beta1",
--- a/pkg/genericapiserver/server/options/authentication.go
+++ b/pkg/genericapiserver/server/options/authentication.go
@ -21,10 +21,10 @@ import (
 	"github.com/spf13/pflag"
 	"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
 	authenticationclient "k8s.io/client-go/kubernetes/typed/authentication/v1beta1"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/kubernetes/pkg/genericapiserver/authenticator"
 )
 type RequestHeaderAuthenticationOptions struct {
@ -57,12 +57,12 @@ func (s *RequestHeaderAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 // ToAuthenticationRequestHeaderConfig returns a RequestHeaderConfig config object for these options
 // if necessary, nil otherwise.
-func (s *RequestHeaderAuthenticationOptions) ToAuthenticationRequestHeaderConfig() *authenticator.RequestHeaderConfig {
+func (s *RequestHeaderAuthenticationOptions) ToAuthenticationRequestHeaderConfig() *authenticatorfactory.RequestHeaderConfig {
 	if len(s.UsernameHeaders) == 0 {
 		return nil
 	}
-	return &authenticator.RequestHeaderConfig{
+	return &authenticatorfactory.RequestHeaderConfig{
 		UsernameHeaders:     s.UsernameHeaders,
 		GroupHeaders:        s.GroupHeaders,
 		ExtraHeaderPrefixes: s.ExtraHeaderPrefixes,
@ -128,13 +128,13 @@ func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 	s.RequestHeader.AddFlags(fs)
 }
-func (s *DelegatingAuthenticationOptions) ToAuthenticationConfig() (authenticator.DelegatingAuthenticatorConfig, error) {
+func (s *DelegatingAuthenticationOptions) ToAuthenticationConfig() (authenticatorfactory.DelegatingAuthenticatorConfig, error) {
 	tokenClient, err := s.newTokenAccessReview()
 	if err != nil {
-		return authenticator.DelegatingAuthenticatorConfig{}, err
+		return authenticatorfactory.DelegatingAuthenticatorConfig{}, err
 	}
-	ret := authenticator.DelegatingAuthenticatorConfig{
+	ret := authenticatorfactory.DelegatingAuthenticatorConfig{
 		Anonymous:               true,
 		TokenAccessReviewClient: tokenClient,
 		CacheTTL:                s.CacheTTL,
--- a/pkg/genericapiserver/server/options/authorization.go
+++ b/pkg/genericapiserver/server/options/authorization.go
@ -21,10 +21,10 @@ import (
 	"github.com/spf13/pflag"
 	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
 	authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1beta1"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
 )
 // DelegatingAuthorizationOptions provides an easy way for composing API servers to delegate their authorization to
@ -69,13 +69,13 @@ func (s *DelegatingAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
 		"The duration to cache 'unauthorized' responses from the webhook authorizer.")
 }
-func (s *DelegatingAuthorizationOptions) ToAuthorizationConfig() (authorizer.DelegatingAuthorizerConfig, error) {
+func (s *DelegatingAuthorizationOptions) ToAuthorizationConfig() (authorizerfactory.DelegatingAuthorizerConfig, error) {
 	sarClient, err := s.newSubjectAccessReview()
 	if err != nil {
-		return authorizer.DelegatingAuthorizerConfig{}, err
+		return authorizerfactory.DelegatingAuthorizerConfig{}, err
 	}
-	ret := authorizer.DelegatingAuthorizerConfig{
+	ret := authorizerfactory.DelegatingAuthorizerConfig{
 		SubjectAccessReviewClient: sarClient,
 		AllowCacheTTL:             s.AllowCacheTTL,
 		DenyCacheTTL:              s.DenyCacheTTL,
--- a/pkg/kubeapiserver/authenticator/BUILD
+++ b/pkg/kubeapiserver/authenticator/BUILD
@ -12,10 +12,10 @@ go_library(
    srcs = ["config.go"],
    tags = ["automanaged"],
    deps = [
        "//pkg/genericapiserver/authenticator:go_default_library",
        "//pkg/serviceaccount:go_default_library",
        "//vendor:github.com/go-openapi/spec",
        "//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
        "//vendor:k8s.io/apiserver/pkg/authentication/authenticatorfactory",
        "//vendor:k8s.io/apiserver/pkg/authentication/group",
        "//vendor:k8s.io/apiserver/pkg/authentication/request/anonymous",
        "//vendor:k8s.io/apiserver/pkg/authentication/request/bearertoken",
--- a/pkg/kubeapiserver/authenticator/config.go
+++ b/pkg/kubeapiserver/authenticator/config.go
@ -22,6 +22,7 @@ import (
 	"github.com/go-openapi/spec"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
 	"k8s.io/apiserver/pkg/authentication/group"
 	"k8s.io/apiserver/pkg/authentication/request/anonymous"
 	"k8s.io/apiserver/pkg/authentication/request/bearertoken"
@ -37,7 +38,6 @@ import (
 	"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
 	"k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
 	certutil "k8s.io/client-go/util/cert"
 	genericauthenticator "k8s.io/kubernetes/pkg/genericapiserver/authenticator"
 	"k8s.io/kubernetes/pkg/serviceaccount"
 	// Initialize all known client auth plugins.
@ -63,7 +63,7 @@ type AuthenticatorConfig struct {
 	WebhookTokenAuthnConfigFile string
 	WebhookTokenAuthnCacheTTL   time.Duration
-	RequestHeaderConfig *genericauthenticator.RequestHeaderConfig
+	RequestHeaderConfig *authenticatorfactory.RequestHeaderConfig
 	// TODO, this is the only non-serializable part of the entire config.  Factor it out into a clientconfig
 	ServiceAccountTokenGetter serviceaccount.ServiceAccountTokenGetter
--- a/pkg/kubeapiserver/authorizer/BUILD
+++ b/pkg/kubeapiserver/authorizer/BUILD
@ -25,9 +25,9 @@ go_library(
    deps = [
        "//pkg/auth/authorizer/abac:go_default_library",
        "//pkg/controller/informers:go_default_library",
        "//pkg/genericapiserver/authorizer:go_default_library",
        "//plugin/pkg/auth/authorizer/rbac:go_default_library",
        "//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
        "//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
        "//vendor:k8s.io/apiserver/pkg/authorization/union",
        "//vendor:k8s.io/apiserver/plugin/pkg/authorizer/webhook",
    ],
--- a/pkg/kubeapiserver/authorizer/config.go
+++ b/pkg/kubeapiserver/authorizer/config.go
@ -22,11 +22,11 @@ import (
 	"time"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
 	"k8s.io/apiserver/pkg/authorization/union"
 	"k8s.io/apiserver/plugin/pkg/authorizer/webhook"
 	"k8s.io/kubernetes/pkg/auth/authorizer/abac"
 	"k8s.io/kubernetes/pkg/controller/informers"
 	genericauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
 	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
 )
@ -80,9 +80,9 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, error) {
 		// Keep cases in sync with constant list above.
 		switch authorizationMode {
 		case ModeAlwaysAllow:
-			authorizers = append(authorizers, genericauthorizer.NewAlwaysAllowAuthorizer())
+			authorizers = append(authorizers, authorizerfactory.NewAlwaysAllowAuthorizer())
 		case ModeAlwaysDeny:
-			authorizers = append(authorizers, genericauthorizer.NewAlwaysDenyAuthorizer())
+			authorizers = append(authorizers, authorizerfactory.NewAlwaysDenyAuthorizer())
 		case ModeABAC:
 			if config.PolicyFile == "" {
 				return nil, errors.New("ABAC's authorization policy file not passed")
--- a/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package authenticator
+package authenticatorfactory
 import (
 	"errors"
--- a/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/loopback.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/loopback.go
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package authenticator
+package authenticatorfactory
 import (
 	"k8s.io/apiserver/pkg/authentication/authenticator"
@ -23,7 +23,7 @@ import (
 	"k8s.io/apiserver/pkg/authentication/user"
 )
-// newAuthenticatorFromToken returns an authenticator.Request or an error
+// NewFromTokens returns an authenticator.Request or an error
-func NewAuthenticatorFromTokens(tokens map[string]*user.DefaultInfo) authenticator.Request {
+func NewFromTokens(tokens map[string]*user.DefaultInfo) authenticator.Request {
 	return bearertoken.New(tokenfile.New(tokens))
 }
--- a/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/requestheader.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/requestheader.go
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package authenticator
+package authenticatorfactory
 type RequestHeaderConfig struct {
 	// UsernameHeaders are the headers to check (in order, case-insensitively) for an identity. The first header with a value wins.
--- a/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/OWNERS
+++ b/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/OWNERS
--- a/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/authz_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/authz_test.go
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package authorizer
+package authorizerfactory
 import (
 	"testing"
--- a/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/builtin.go
+++ b/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/builtin.go
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package authorizer
+package authorizerfactory
 import (
 	"errors"
--- a/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/delegating.go
+++ b/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/delegating.go
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package authorizer
+package authorizerfactory
 import (
 	"time"
--- a/test/integration/auth/auth_test.go
+++ b/test/integration/auth/auth_test.go
@ -43,6 +43,7 @@ import (
 	"k8s.io/apiserver/pkg/authentication/serviceaccount"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
 	"k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest"
 	"k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
 	"k8s.io/client-go/tools/clientcmd/api/v1"
@ -52,7 +53,6 @@ import (
 	"k8s.io/kubernetes/pkg/apis/autoscaling"
 	"k8s.io/kubernetes/pkg/apis/extensions"
 	"k8s.io/kubernetes/pkg/auth/authorizer/abac"
 	apiserverauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
 	"k8s.io/kubernetes/plugin/pkg/admission/admit"
 	"k8s.io/kubernetes/test/integration"
 	"k8s.io/kubernetes/test/integration/framework"
@ -502,7 +502,7 @@ func getPreviousResourceVersionKey(url, id string) string {
 func TestAuthModeAlwaysDeny(t *testing.T) {
 	// Set up a master
 	masterConfig := framework.NewIntegrationTestMasterConfig()
-	masterConfig.GenericConfig.Authorizer = apiserverauthorizer.NewAlwaysDenyAuthorizer()
+	masterConfig.GenericConfig.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer()
 	_, s := framework.RunAMaster(masterConfig)
 	defer s.Close()
--- a/test/integration/framework/BUILD
+++ b/test/integration/framework/BUILD
@ -35,8 +35,6 @@ go_library(
        "//pkg/controller:go_default_library",
        "//pkg/controller/replication:go_default_library",
        "//pkg/generated/openapi:go_default_library",
        "//pkg/genericapiserver/authenticator:go_default_library",
        "//pkg/genericapiserver/authorizer:go_default_library",
        "//pkg/genericapiserver/server:go_default_library",
        "//pkg/kubectl:go_default_library",
        "//pkg/kubelet/client:go_default_library",
@ -57,9 +55,11 @@ go_library(
        "//vendor:k8s.io/apimachinery/pkg/util/wait",
        "//vendor:k8s.io/apimachinery/pkg/watch",
        "//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
        "//vendor:k8s.io/apiserver/pkg/authentication/authenticatorfactory",
        "//vendor:k8s.io/apiserver/pkg/authentication/request/union",
        "//vendor:k8s.io/apiserver/pkg/authentication/user",
        "//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
        "//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
        "//vendor:k8s.io/apiserver/pkg/authorization/union",
        "//vendor:k8s.io/client-go/rest",
    ],
--- a/test/integration/framework/master_utils.go
+++ b/test/integration/framework/master_utils.go
@ -33,9 +33,11 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
 	authauthenticator "k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
 	authenticatorunion "k8s.io/apiserver/pkg/authentication/request/union"
 	"k8s.io/apiserver/pkg/authentication/user"
 	authauthorizer "k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
 	authorizerunion "k8s.io/apiserver/pkg/authorization/union"
 	restclient "k8s.io/client-go/rest"
 	"k8s.io/kubernetes/pkg/api"
@ -56,8 +58,6 @@ import (
 	"k8s.io/kubernetes/pkg/controller"
 	replicationcontroller "k8s.io/kubernetes/pkg/controller/replication"
 	"k8s.io/kubernetes/pkg/generated/openapi"
 	"k8s.io/kubernetes/pkg/genericapiserver/authenticator"
 	"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
 	genericapiserver "k8s.io/kubernetes/pkg/genericapiserver/server"
 	"k8s.io/kubernetes/pkg/kubectl"
 	kubeletclient "k8s.io/kubernetes/pkg/kubelet/client"
@ -214,7 +214,7 @@ func startMasterOrDie(masterConfig *master.Config, incomingServer *httptest.Serv
 		Groups: []string{user.SystemPrivilegedGroup},
 	}
-	tokenAuthenticator := authenticator.NewAuthenticatorFromTokens(tokens)
+	tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens)
 	if masterConfig.GenericConfig.Authenticator == nil {
 		masterConfig.GenericConfig.Authenticator = authenticatorunion.New(tokenAuthenticator, authauthenticator.RequestFunc(alwaysEmpty))
 	} else {
@ -222,7 +222,7 @@ func startMasterOrDie(masterConfig *master.Config, incomingServer *httptest.Serv
 	}
 	if masterConfig.GenericConfig.Authorizer != nil {
-		tokenAuthorizer := authorizer.NewPrivilegedGroups(user.SystemPrivilegedGroup)
+		tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)
 		masterConfig.GenericConfig.Authorizer = authorizerunion.New(tokenAuthorizer, masterConfig.GenericConfig.Authorizer)
 	} else {
 		masterConfig.GenericConfig.Authorizer = alwaysAllow{}
@ -357,7 +357,7 @@ func NewMasterConfig() *master.Config {
 	genericConfig := genericapiserver.NewConfig()
 	kubeVersion := version.Get()
 	genericConfig.Version = &kubeVersion
-	genericConfig.Authorizer = authorizer.NewAlwaysAllowAuthorizer()
+	genericConfig.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer()
 	genericConfig.AdmissionControl = admit.NewAlwaysAdmit()
 	genericConfig.EnableMetrics = true
--- a/vendor/BUILD
+++ b/vendor/BUILD
@ -14045,3 +14045,53 @@ go_library(
    srcs = ["k8s.io/apiserver/pkg/util/trie/trie.go"],
    tags = ["automanaged"],
 )
 go_library(
    name = "k8s.io/apiserver/pkg/authentication/authenticatorfactory",
    srcs = [
        "k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go",
        "k8s.io/apiserver/pkg/authentication/authenticatorfactory/loopback.go",
        "k8s.io/apiserver/pkg/authentication/authenticatorfactory/requestheader.go",
    ],
    tags = ["automanaged"],
    deps = [
        "//vendor:github.com/go-openapi/spec",
        "//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
        "//vendor:k8s.io/apiserver/pkg/authentication/group",
        "//vendor:k8s.io/apiserver/pkg/authentication/request/anonymous",
        "//vendor:k8s.io/apiserver/pkg/authentication/request/bearertoken",
        "//vendor:k8s.io/apiserver/pkg/authentication/request/headerrequest",
        "//vendor:k8s.io/apiserver/pkg/authentication/request/union",
        "//vendor:k8s.io/apiserver/pkg/authentication/request/x509",
        "//vendor:k8s.io/apiserver/pkg/authentication/token/tokenfile",
        "//vendor:k8s.io/apiserver/pkg/authentication/user",
        "//vendor:k8s.io/apiserver/plugin/pkg/authenticator/token/webhook",
        "//vendor:k8s.io/client-go/kubernetes/typed/authentication/v1beta1",
        "//vendor:k8s.io/client-go/util/cert",
    ],
 )
 go_test(
    name = "k8s.io/apiserver/pkg/authorization/authorizerfactory_test",
    srcs = ["k8s.io/apiserver/pkg/authorization/authorizerfactory/authz_test.go"],
    library = ":k8s.io/apiserver/pkg/authorization/authorizerfactory",
    tags = ["automanaged"],
    deps = [
        "//vendor:k8s.io/apiserver/pkg/authentication/user",
        "//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
    ],
 )
 go_library(
    name = "k8s.io/apiserver/pkg/authorization/authorizerfactory",
    srcs = [
        "k8s.io/apiserver/pkg/authorization/authorizerfactory/builtin.go",
        "k8s.io/apiserver/pkg/authorization/authorizerfactory/delegating.go",
    ],
    tags = ["automanaged"],
    deps = [
        "//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
        "//vendor:k8s.io/apiserver/plugin/pkg/authorizer/webhook",
        "//vendor:k8s.io/client-go/kubernetes/typed/authorization/v1beta1",
    ],
 )