Copy well-known users from apiserver

This should eliminate the dependency on k8s.io/apiserver

go.mod

@@ -6,8 +6,6 @@ go 1.12
 //replace k8s.io/kubernetes => k8s.io/kubernetes v1.15.3
 //replace k8s.io/api => k8s.io/api kubernetes-1.15.3
 //replace k8s.io/apimachinery => k8s.io/apimachinery kubernetes-1.15.3
-//replace k8s.io/apiserver => k8s.io/apiserver kubernetes-1.15.3
-//replace k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver kubernetes-1.15.3
 //replace k8s.io/client-go => k8s.io/client-go kubernetes-1.15.3
 //replace k8s.io/cloud-provider => k8s.io/cloud-provider kubernetes-1.15.3
 //replace k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers kubernetes-1.15.3
@@ -18,15 +16,13 @@ replace k8s.io/api => k8s.io/api v0.0.0-20190819141258-3544db3b9e44
 
 replace k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20190817020851-f2f3a405f61d
 
-replace k8s.io/apiserver => k8s.io/apiserver v0.0.0-20190819142446-92cc630367d0
-
-replace k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.0.0-20190819143637-0dbe462fe92d
-
 replace k8s.io/client-go => k8s.io/client-go v0.0.0-20190819141724-e14f31a72a77
 
 replace k8s.io/cloud-provider => k8s.io/cloud-provider v0.0.0-20190819145148-d91c85d212d5
 
 // Dependencies we don't really need, except that kubernetes specifies them as v0.0.0 which confuses go.mod
+//replace k8s.io/apiserver => k8s.io/apiserver kubernetes-1.15.3
+//replace k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver kubernetes-1.15.3
 //replace k8s.io/kube-scheduler => k8s.io/kube-scheduler kubernetes-1.15.3
 //replace k8s.io/kube-proxy => k8s.io/kube-proxy kubernetes-1.15.3
 //replace k8s.io/cri-api => k8s.io/cri-api kubernetes-1.15.3
@@ -42,6 +38,10 @@ replace k8s.io/cloud-provider => k8s.io/cloud-provider v0.0.0-20190819145148-d91
 //replace k8s.io/kube-controller-manager => k8s.io/kube-controller-manager kubernetes-1.15.3
 //replace k8s.io/code-generator => k8s.io/code-generator kubernetes-1.15.3
 
+replace k8s.io/apiserver => k8s.io/apiserver v0.0.0-20190819142446-92cc630367d0
+
+replace k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.0.0-20190819143637-0dbe462fe92d
+
 replace k8s.io/kubelet => k8s.io/kubelet v0.0.0-20190819144524-827174bad5e8
 
 replace k8s.io/cli-runtime => k8s.io/cli-runtime v0.0.0-20190819144027-541433d7ce35
@@ -128,7 +128,6 @@ require (
 	gopkg.in/yaml.v2 v2.2.2
 	k8s.io/api v0.0.0
 	k8s.io/apimachinery v0.0.0
-	k8s.io/apiserver v0.0.0
 	k8s.io/cli-runtime v0.0.0
 	k8s.io/client-go v0.0.0
 	k8s.io/helm v2.9.0+incompatible

hack/.packages

@@ -110,6 +110,7 @@ k8s.io/kops/pkg/model/vspheremodel
 k8s.io/kops/pkg/pki
 k8s.io/kops/pkg/pkiutil
 k8s.io/kops/pkg/pretty
+k8s.io/kops/pkg/rbac
 k8s.io/kops/pkg/resources
 k8s.io/kops/pkg/resources/ali
 k8s.io/kops/pkg/resources/aws

nodeup/pkg/model/BUILD.bazel

@@ -52,6 +52,7 @@ go_library(
         "//pkg/kubemanifest:go_default_library",
         "//pkg/pki:go_default_library",
         "//pkg/pkiutil:go_default_library",
+        "//pkg/rbac:go_default_library",
         "//pkg/systemd:go_default_library",
         "//pkg/tokens:go_default_library",
         "//pkg/try:go_default_library",
@@ -71,7 +72,6 @@ go_library(
         "//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
         "//vendor/k8s.io/client-go/util/cert:go_default_library",
         "//vendor/k8s.io/klog:go_default_library",
         "//vendor/k8s.io/kubernetes/pkg/util/mount:go_default_library",

nodeup/pkg/model/kubelet.go

@@ -27,15 +27,14 @@ import (
 
 	"github.com/aws/aws-sdk-go/aws/ec2metadata"
 	"github.com/aws/aws-sdk-go/aws/session"
-	"k8s.io/klog"
 
 	v1 "k8s.io/api/core/v1"
-	"k8s.io/apiserver/pkg/authentication/user"
-
+	"k8s.io/klog"
 	"k8s.io/kops/nodeup/pkg/distros"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/flagbuilder"
 	"k8s.io/kops/pkg/pki"
+	"k8s.io/kops/pkg/rbac"
 	"k8s.io/kops/pkg/systemd"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/cloudup/awsup"
@@ -644,7 +643,7 @@ func (b *KubeletBuilder) buildMasterKubeletKubeconfig() (*nodetasks.File, error)
 
 	template.Subject = pkix.Name{
 		CommonName:   fmt.Sprintf("system:node:%s", nodeName),
-		Organization: []string{user.NodesGroup},
+		Organization: []string{rbac.NodesGroup},
 	}
 
 	// https://tools.ietf.org/html/rfc5280#section-4.2.1.3

pkg/model/BUILD.bazel

@@ -31,6 +31,7 @@ go_library(
         "//pkg/model/iam:go_default_library",
         "//pkg/model/resources:go_default_library",
         "//pkg/pki:go_default_library",
+        "//pkg/rbac:go_default_library",
         "//pkg/tokens:go_default_library",
         "//upup/pkg/fi:go_default_library",
         "//upup/pkg/fi/cloudup/alitasks:go_default_library",
@@ -48,7 +49,6 @@ go_library(
         "//vendor/github.com/ghodss/yaml:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/net:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
         "//vendor/k8s.io/klog:go_default_library",
         "//vendor/k8s.io/legacy-cloud-providers/aws:go_default_library",
     ],

pkg/model/pki.go

@@ -20,12 +20,11 @@ import (
 	"fmt"
 	"strings"
 
+	"k8s.io/kops/pkg/rbac"
 	"k8s.io/kops/pkg/tokens"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/fitasks"
 	"k8s.io/kops/util/pkg/vfs"
-
-	"k8s.io/apiserver/pkg/authentication/user"
 )
 
 // PKIModelBuilder configures PKI keypairs, as well as tokens
@@ -60,7 +59,7 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 			c.AddTask(&fitasks.Keypair{
 				Name:      fi.String("kubelet"),
 				Lifecycle: b.Lifecycle,
-				Subject:   "o=" + user.NodesGroup + ",cn=kubelet",
+				Subject:   "o=" + rbac.NodesGroup + ",cn=kubelet",
 				Type:      "client",
 				Signer:    defaultCA,
 				Format:    format,
@@ -84,7 +83,7 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 		t := &fitasks.Keypair{
 			Name:      fi.String("kube-scheduler"),
 			Lifecycle: b.Lifecycle,
-			Subject:   "cn=" + user.KubeScheduler,
+			Subject:   "cn=" + rbac.KubeScheduler,
 			Type:      "client",
 			Signer:    defaultCA,
 			Format:    format,
@@ -96,7 +95,7 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 		t := &fitasks.Keypair{
 			Name:      fi.String("kube-proxy"),
 			Lifecycle: b.Lifecycle,
-			Subject:   "cn=" + user.KubeProxy,
+			Subject:   "cn=" + rbac.KubeProxy,
 			Type:      "client",
 			Signer:    defaultCA,
 			Format:    format,
@@ -108,7 +107,7 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 		t := &fitasks.Keypair{
 			Name:      fi.String("kube-controller-manager"),
 			Lifecycle: b.Lifecycle,
-			Subject:   "cn=" + user.KubeControllerManager,
+			Subject:   "cn=" + rbac.KubeControllerManager,
 			Type:      "client",
 			Signer:    defaultCA,
 			Format:    format,
@@ -203,7 +202,7 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 		t := &fitasks.Keypair{
 			Name:      fi.String("kubecfg"),
 			Lifecycle: b.Lifecycle,
-			Subject:   "o=" + user.SystemPrivilegedGroup + ",cn=kubecfg",
+			Subject:   "o=" + rbac.SystemPrivilegedGroup + ",cn=kubecfg",
 			Type:      "client",
 			Signer:    defaultCA,
 			Format:    format,
@@ -250,7 +249,7 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 		t := &fitasks.Keypair{
 			Name:      fi.String("kops"),
 			Lifecycle: b.Lifecycle,
-			Subject:   "o=" + user.SystemPrivilegedGroup + ",cn=kops",
+			Subject:   "o=" + rbac.SystemPrivilegedGroup + ",cn=kops",
 			Type:      "client",
 			Signer:    defaultCA,
 			Format:    format,

pkg/rbac/BUILD.bazel

@@ -0,0 +1,8 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["wellknown.go"],
+    importpath = "k8s.io/kops/pkg/rbac",
+    visibility = ["//visibility:public"],
+)

pkg/rbac/wellknown.go

@@ -0,0 +1,34 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rbac
+
+// well-known user and group names
+// Copied from k8s.io/apiserver; we don't want to depend on that any more
+const (
+	SystemPrivilegedGroup = "system:masters"
+	NodesGroup            = "system:nodes"
+	AllUnauthenticated    = "system:unauthenticated"
+	AllAuthenticated      = "system:authenticated"
+
+	Anonymous     = "system:anonymous"
+	APIServerUser = "system:apiserver"
+
+	// core kubernetes process identities
+	KubeProxy             = "system:kube-proxy"
+	KubeControllerManager = "system:kube-controller-manager"
+	KubeScheduler         = "system:kube-scheduler"
+)