add controllers

change kiali mux to go-restful

add knative

vendor/k8s.io/apiserver/pkg/authentication/authenticator/audagnostic.go

@@ -0,0 +1,90 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authenticator
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+)
+
+func authenticate(ctx context.Context, implicitAuds Audiences, authenticate func() (*Response, bool, error)) (*Response, bool, error) {
+	targetAuds, ok := AudiencesFrom(ctx)
+	// We can remove this once api audiences is never empty. That will probably
+	// be N releases after TokenRequest is GA.
+	if !ok {
+		return authenticate()
+	}
+	auds := implicitAuds.Intersect(targetAuds)
+	if len(auds) == 0 {
+		return nil, false, nil
+	}
+	resp, ok, err := authenticate()
+	if err != nil || !ok {
+		return nil, false, err
+	}
+	if len(resp.Audiences) > 0 {
+		// maybe the authenticator was audience aware after all.
+		return nil, false, fmt.Errorf("audience agnostic authenticator wrapped an authenticator that returned audiences: %q", resp.Audiences)
+	}
+	resp.Audiences = auds
+	return resp, true, nil
+}
+
+type audAgnosticRequestAuthenticator struct {
+	implicit Audiences
+	delegate Request
+}
+
+var _ = Request(&audAgnosticRequestAuthenticator{})
+
+func (a *audAgnosticRequestAuthenticator) AuthenticateRequest(req *http.Request) (*Response, bool, error) {
+	return authenticate(req.Context(), a.implicit, func() (*Response, bool, error) {
+		return a.delegate.AuthenticateRequest(req)
+	})
+}
+
+// WrapAudienceAgnosticRequest wraps an audience agnostic request authenticator
+// to restrict its accepted audiences to a set of implicit audiences.
+func WrapAudienceAgnosticRequest(implicit Audiences, delegate Request) Request {
+	return &audAgnosticRequestAuthenticator{
+		implicit: implicit,
+		delegate: delegate,
+	}
+}
+
+type audAgnosticTokenAuthenticator struct {
+	implicit Audiences
+	delegate Token
+}
+
+var _ = Token(&audAgnosticTokenAuthenticator{})
+
+func (a *audAgnosticTokenAuthenticator) AuthenticateToken(ctx context.Context, tok string) (*Response, bool, error) {
+	return authenticate(ctx, a.implicit, func() (*Response, bool, error) {
+		return a.delegate.AuthenticateToken(ctx, tok)
+	})
+}
+
+// WrapAudienceAgnosticToken wraps an audience agnostic token authenticator to
+// restrict its accepted audiences to a set of implicit audiences.
+func WrapAudienceAgnosticToken(implicit Audiences, delegate Token) Token {
+	return &audAgnosticTokenAuthenticator{
+		implicit: implicit,
+		delegate: delegate,
+	}
+}

vendor/k8s.io/apiserver/pkg/authentication/authenticator/audiences.go

@@ -0,0 +1,63 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authenticator
+
+import "context"
+
+// Audiences is a container for the Audiences of a token.
+type Audiences []string
+
+// The key type is unexported to prevent collisions
+type key int
+
+const (
+	// audiencesKey is the context key for request audiences.
+	audiencesKey key = iota
+)
+
+// WithAudiences returns a context that stores a request's expected audiences.
+func WithAudiences(ctx context.Context, auds Audiences) context.Context {
+	return context.WithValue(ctx, audiencesKey, auds)
+}
+
+// AudiencesFrom returns a request's expected audiences stored in the request context.
+func AudiencesFrom(ctx context.Context) (Audiences, bool) {
+	auds, ok := ctx.Value(audiencesKey).(Audiences)
+	return auds, ok
+}
+
+// Has checks if Audiences contains a specific audiences.
+func (a Audiences) Has(taud string) bool {
+	for _, aud := range a {
+		if aud == taud {
+			return true
+		}
+	}
+	return false
+}
+
+// Intersect intersects Audiences with a target Audiences and returns all
+// elements in both.
+func (a Audiences) Intersect(tauds Audiences) Audiences {
+	selected := Audiences{}
+	for _, taud := range tauds {
+		if a.Has(taud) {
+			selected = append(selected, taud)
+		}
+	}
+	return selected
+}

vendor/k8s.io/apiserver/pkg/authentication/authenticator/interfaces.go

@@ -0,0 +1,80 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authenticator
+
+import (
+	"context"
+	"net/http"
+
+	"k8s.io/apiserver/pkg/authentication/user"
+)
+
+// Token checks a string value against a backing authentication store and
+// returns a Response or an error if the token could not be checked.
+type Token interface {
+	AuthenticateToken(ctx context.Context, token string) (*Response, bool, error)
+}
+
+// Request attempts to extract authentication information from a request and
+// returns a Response or an error if the request could not be checked.
+type Request interface {
+	AuthenticateRequest(req *http.Request) (*Response, bool, error)
+}
+
+// Password checks a username and password against a backing authentication
+// store and returns a Response or an error if the password could not be
+// checked.
+type Password interface {
+	AuthenticatePassword(ctx context.Context, user, password string) (*Response, bool, error)
+}
+
+// TokenFunc is a function that implements the Token interface.
+type TokenFunc func(ctx context.Context, token string) (*Response, bool, error)
+
+// AuthenticateToken implements authenticator.Token.
+func (f TokenFunc) AuthenticateToken(ctx context.Context, token string) (*Response, bool, error) {
+	return f(ctx, token)
+}
+
+// RequestFunc is a function that implements the Request interface.
+type RequestFunc func(req *http.Request) (*Response, bool, error)
+
+// AuthenticateRequest implements authenticator.Request.
+func (f RequestFunc) AuthenticateRequest(req *http.Request) (*Response, bool, error) {
+	return f(req)
+}
+
+// PasswordFunc is a function that implements the Password interface.
+type PasswordFunc func(ctx context.Context, user, password string) (*Response, bool, error)
+
+// AuthenticatePassword implements authenticator.Password.
+func (f PasswordFunc) AuthenticatePassword(ctx context.Context, user, password string) (*Response, bool, error) {
+	return f(ctx, user, password)
+}
+
+// Response is the struct returned by authenticator interfaces upon successful
+// authentication. It contains information about whether the authenticator
+// authenticated the request, information about the context of the
+// authentication, and information about the authenticated user.
+type Response struct {
+	// Audiences is the set of audiences the authenticator was able to validate
+	// the token against. If the authenticator is not audience aware, this field
+	// will be empty.
+	Audiences Audiences
+	// User is the UserInfo associated with the authentication context.
+	User user.Info
+}

vendor/k8s.io/apiserver/pkg/authentication/serviceaccount/util.go

@@ -0,0 +1,73 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package serviceaccount
+
+import (
+	"fmt"
+	"strings"
+
+	apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation"
+)
+
+const (
+	ServiceAccountUsernamePrefix    = "system:serviceaccount:"
+	ServiceAccountUsernameSeparator = ":"
+	ServiceAccountGroupPrefix       = "system:serviceaccounts:"
+	AllServiceAccountsGroup         = "system:serviceaccounts"
+)
+
+// MakeUsername generates a username from the given namespace and ServiceAccount name.
+// The resulting username can be passed to SplitUsername to extract the original namespace and ServiceAccount name.
+func MakeUsername(namespace, name string) string {
+	return ServiceAccountUsernamePrefix + namespace + ServiceAccountUsernameSeparator + name
+}
+
+var invalidUsernameErr = fmt.Errorf("Username must be in the form %s", MakeUsername("namespace", "name"))
+
+// SplitUsername returns the namespace and ServiceAccount name embedded in the given username,
+// or an error if the username is not a valid name produced by MakeUsername
+func SplitUsername(username string) (string, string, error) {
+	if !strings.HasPrefix(username, ServiceAccountUsernamePrefix) {
+		return "", "", invalidUsernameErr
+	}
+	trimmed := strings.TrimPrefix(username, ServiceAccountUsernamePrefix)
+	parts := strings.Split(trimmed, ServiceAccountUsernameSeparator)
+	if len(parts) != 2 {
+		return "", "", invalidUsernameErr
+	}
+	namespace, name := parts[0], parts[1]
+	if len(apimachineryvalidation.ValidateNamespaceName(namespace, false)) != 0 {
+		return "", "", invalidUsernameErr
+	}
+	if len(apimachineryvalidation.ValidateServiceAccountName(name, false)) != 0 {
+		return "", "", invalidUsernameErr
+	}
+	return namespace, name, nil
+}
+
+// MakeGroupNames generates service account group names for the given namespace
+func MakeGroupNames(namespace string) []string {
+	return []string{
+		AllServiceAccountsGroup,
+		MakeNamespaceGroupName(namespace),
+	}
+}
+
+// MakeNamespaceGroupName returns the name of the group all service accounts in the namespace are included in
+func MakeNamespaceGroupName(namespace string) string {
+	return ServiceAccountGroupPrefix + namespace
+}

vendor/k8s.io/apiserver/pkg/authentication/user/doc.go

@@ -16,4 +16,4 @@ limitations under the License.
 
 // Package user contains utilities for dealing with simple user exchange in the auth
 // packages. The user.Info interface defines an interface for exchanging that info.
-package user // import "k8s.io/apiserver/pkg/authentication/user"
+package user

vendor/k8s.io/apiserver/pkg/authorization/authorizer/interfaces.go

@@ -56,7 +56,7 @@ type Attributes interface {
 	GetAPIVersion() string
 
 	// IsResourceRequest returns true for requests to API resources, like /api/v1/nodes,
-	// and false for non-resource endpoints like /api, /healthz
+	// and false for non-resource endpoints like /api, /healthz, and /swaggerapi
 	IsResourceRequest() bool
 
 	// GetPath returns the path of the request

vendor/k8s.io/apiserver/pkg/features/kube_features.go

@@ -0,0 +1,109 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package features
+
+import (
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+)
+
+const (
+	// Every feature gate should add method here following this template:
+	//
+	// // owner: @username
+	// // alpha: v1.4
+	// MyFeature() bool
+
+	// owner: @tallclair
+	// alpha: v1.5
+	// beta: v1.6
+	//
+	// StreamingProxyRedirects controls whether the apiserver should intercept (and follow)
+	// redirects from the backend (Kubelet) for streaming requests (exec/attach/port-forward).
+	StreamingProxyRedirects utilfeature.Feature = "StreamingProxyRedirects"
+
+	// owner: @tallclair
+	// alpha: v1.10
+	//
+	// ValidateProxyRedirects controls whether the apiserver should validate that redirects are only
+	// followed to the same host. Only used if StreamingProxyRedirects is enabled.
+	ValidateProxyRedirects utilfeature.Feature = "ValidateProxyRedirects"
+
+	// owner: @tallclair
+	// alpha: v1.7
+	// beta: v1.8
+	// GA: v1.12
+	//
+	// AdvancedAuditing enables a much more general API auditing pipeline, which includes support for
+	// pluggable output backends and an audit policy specifying how different requests should be
+	// audited.
+	AdvancedAuditing utilfeature.Feature = "AdvancedAuditing"
+
+	// owner: @pbarker
+	// alpha: v1.13
+	//
+	// DynamicAuditing enables configuration of audit policy and webhook backends through an
+	// AuditSink API object.
+	DynamicAuditing utilfeature.Feature = "DynamicAuditing"
+
+	// owner: @ilackams
+	// alpha: v1.7
+	//
+	// Enables compression of REST responses (GET and LIST only)
+	APIResponseCompression utilfeature.Feature = "APIResponseCompression"
+
+	// owner: @smarterclayton
+	// alpha: v1.7
+	//
+	// Allow asynchronous coordination of object creation.
+	// Auto-enabled by the Initializers admission plugin.
+	Initializers utilfeature.Feature = "Initializers"
+
+	// owner: @smarterclayton
+	// alpha: v1.8
+	// beta: v1.9
+	//
+	// Allow API clients to retrieve resource lists in chunks rather than
+	// all at once.
+	APIListChunking utilfeature.Feature = "APIListChunking"
+
+	// owner: @apelisse
+	// alpha: v1.12
+	// beta: v1.13
+	//
+	// Allow requests to be processed but not stored, so that
+	// validation, merging, mutation can be tested without
+	// committing.
+	DryRun utilfeature.Feature = "DryRun"
+)
+
+func init() {
+	utilfeature.DefaultFeatureGate.Add(defaultKubernetesFeatureGates)
+}
+
+// defaultKubernetesFeatureGates consists of all known Kubernetes-specific feature keys.
+// To add a new feature, define a key for it above and add it here. The features will be
+// available throughout Kubernetes binaries.
+var defaultKubernetesFeatureGates = map[utilfeature.Feature]utilfeature.FeatureSpec{
+	StreamingProxyRedirects: {Default: true, PreRelease: utilfeature.Beta},
+	ValidateProxyRedirects:  {Default: false, PreRelease: utilfeature.Alpha},
+	AdvancedAuditing:        {Default: true, PreRelease: utilfeature.GA},
+	DynamicAuditing:         {Default: false, PreRelease: utilfeature.Alpha},
+	APIResponseCompression:  {Default: false, PreRelease: utilfeature.Alpha},
+	Initializers:            {Default: false, PreRelease: utilfeature.Alpha},
+	APIListChunking:         {Default: true, PreRelease: utilfeature.Beta},
+	DryRun:                  {Default: true, PreRelease: utilfeature.Beta},
+}

vendor/k8s.io/apiserver/pkg/util/feature/feature_gate.go

@@ -0,0 +1,323 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package feature
+
+import (
+	"fmt"
+	"sort"
+	"strconv"
+	"strings"
+	"sync"
+	"sync/atomic"
+
+	"github.com/spf13/pflag"
+	"k8s.io/klog"
+)
+
+type Feature string
+
+const (
+	flagName = "feature-gates"
+
+	// allAlphaGate is a global toggle for alpha features. Per-feature key
+	// values override the default set by allAlphaGate. Examples:
+	//   AllAlpha=false,NewFeature=true  will result in newFeature=true
+	//   AllAlpha=true,NewFeature=false  will result in newFeature=false
+	allAlphaGate Feature = "AllAlpha"
+)
+
+var (
+	// The generic features.
+	defaultFeatures = map[Feature]FeatureSpec{
+		allAlphaGate: {Default: false, PreRelease: Alpha},
+	}
+
+	// Special handling for a few gates.
+	specialFeatures = map[Feature]func(known map[Feature]FeatureSpec, enabled map[Feature]bool, val bool){
+		allAlphaGate: setUnsetAlphaGates,
+	}
+
+	// DefaultFeatureGate is a shared global FeatureGate.
+	DefaultFeatureGate FeatureGate = NewFeatureGate()
+)
+
+type FeatureSpec struct {
+	Default    bool
+	PreRelease prerelease
+}
+
+type prerelease string
+
+const (
+	// Values for PreRelease.
+	Alpha = prerelease("ALPHA")
+	Beta  = prerelease("BETA")
+	GA    = prerelease("")
+
+	// Deprecated
+	Deprecated = prerelease("DEPRECATED")
+)
+
+// FeatureGate parses and stores flag gates for known features from
+// a string like feature1=true,feature2=false,...
+type FeatureGate interface {
+	// AddFlag adds a flag for setting global feature gates to the specified FlagSet.
+	AddFlag(fs *pflag.FlagSet)
+	// Set parses and stores flag gates for known features
+	// from a string like feature1=true,feature2=false,...
+	Set(value string) error
+	// SetFromMap stores flag gates for known features from a map[string]bool or returns an error
+	SetFromMap(m map[string]bool) error
+	// Enabled returns true if the key is enabled.
+	Enabled(key Feature) bool
+	// Add adds features to the featureGate.
+	Add(features map[Feature]FeatureSpec) error
+	// KnownFeatures returns a slice of strings describing the FeatureGate's known features.
+	KnownFeatures() []string
+	// DeepCopy returns a deep copy of the FeatureGate object, such that gates can be
+	// set on the copy without mutating the original. This is useful for validating
+	// config against potential feature gate changes before committing those changes.
+	DeepCopy() FeatureGate
+}
+
+// featureGate implements FeatureGate as well as pflag.Value for flag parsing.
+type featureGate struct {
+	special map[Feature]func(map[Feature]FeatureSpec, map[Feature]bool, bool)
+
+	// lock guards writes to known, enabled, and reads/writes of closed
+	lock sync.Mutex
+	// known holds a map[Feature]FeatureSpec
+	known *atomic.Value
+	// enabled holds a map[Feature]bool
+	enabled *atomic.Value
+	// closed is set to true when AddFlag is called, and prevents subsequent calls to Add
+	closed bool
+}
+
+func setUnsetAlphaGates(known map[Feature]FeatureSpec, enabled map[Feature]bool, val bool) {
+	for k, v := range known {
+		if v.PreRelease == Alpha {
+			if _, found := enabled[k]; !found {
+				enabled[k] = val
+			}
+		}
+	}
+}
+
+// Set, String, and Type implement pflag.Value
+var _ pflag.Value = &featureGate{}
+
+func NewFeatureGate() *featureGate {
+	known := map[Feature]FeatureSpec{}
+	for k, v := range defaultFeatures {
+		known[k] = v
+	}
+
+	knownValue := &atomic.Value{}
+	knownValue.Store(known)
+
+	enabled := map[Feature]bool{}
+	enabledValue := &atomic.Value{}
+	enabledValue.Store(enabled)
+
+	f := &featureGate{
+		known:   knownValue,
+		special: specialFeatures,
+		enabled: enabledValue,
+	}
+	return f
+}
+
+// Set parses a string of the form "key1=value1,key2=value2,..." into a
+// map[string]bool of known keys or returns an error.
+func (f *featureGate) Set(value string) error {
+	m := make(map[string]bool)
+	for _, s := range strings.Split(value, ",") {
+		if len(s) == 0 {
+			continue
+		}
+		arr := strings.SplitN(s, "=", 2)
+		k := strings.TrimSpace(arr[0])
+		if len(arr) != 2 {
+			return fmt.Errorf("missing bool value for %s", k)
+		}
+		v := strings.TrimSpace(arr[1])
+		boolValue, err := strconv.ParseBool(v)
+		if err != nil {
+			return fmt.Errorf("invalid value of %s=%s, err: %v", k, v, err)
+		}
+		m[k] = boolValue
+	}
+	return f.SetFromMap(m)
+}
+
+// SetFromMap stores flag gates for known features from a map[string]bool or returns an error
+func (f *featureGate) SetFromMap(m map[string]bool) error {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+
+	// Copy existing state
+	known := map[Feature]FeatureSpec{}
+	for k, v := range f.known.Load().(map[Feature]FeatureSpec) {
+		known[k] = v
+	}
+	enabled := map[Feature]bool{}
+	for k, v := range f.enabled.Load().(map[Feature]bool) {
+		enabled[k] = v
+	}
+
+	for k, v := range m {
+		k := Feature(k)
+		featureSpec, ok := known[k]
+		if !ok {
+			return fmt.Errorf("unrecognized feature gate: %s", k)
+		}
+		enabled[k] = v
+		// Handle "special" features like "all alpha gates"
+		if fn, found := f.special[k]; found {
+			fn(known, enabled, v)
+		}
+
+		if featureSpec.PreRelease == Deprecated {
+			klog.Warningf("Setting deprecated feature gate %s=%t. It will be removed in a future release.", k, v)
+		} else if featureSpec.PreRelease == GA {
+			klog.Warningf("Setting GA feature gate %s=%t. It will be removed in a future release.", k, v)
+		}
+	}
+
+	// Persist changes
+	f.known.Store(known)
+	f.enabled.Store(enabled)
+
+	klog.V(1).Infof("feature gates: %v", f.enabled)
+	return nil
+}
+
+// String returns a string containing all enabled feature gates, formatted as "key1=value1,key2=value2,...".
+func (f *featureGate) String() string {
+	pairs := []string{}
+	for k, v := range f.enabled.Load().(map[Feature]bool) {
+		pairs = append(pairs, fmt.Sprintf("%s=%t", k, v))
+	}
+	sort.Strings(pairs)
+	return strings.Join(pairs, ",")
+}
+
+func (f *featureGate) Type() string {
+	return "mapStringBool"
+}
+
+// Add adds features to the featureGate.
+func (f *featureGate) Add(features map[Feature]FeatureSpec) error {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+
+	if f.closed {
+		return fmt.Errorf("cannot add a feature gate after adding it to the flag set")
+	}
+
+	// Copy existing state
+	known := map[Feature]FeatureSpec{}
+	for k, v := range f.known.Load().(map[Feature]FeatureSpec) {
+		known[k] = v
+	}
+
+	for name, spec := range features {
+		if existingSpec, found := known[name]; found {
+			if existingSpec == spec {
+				continue
+			}
+			return fmt.Errorf("feature gate %q with different spec already exists: %v", name, existingSpec)
+		}
+
+		known[name] = spec
+	}
+
+	// Persist updated state
+	f.known.Store(known)
+
+	return nil
+}
+
+// Enabled returns true if the key is enabled.
+func (f *featureGate) Enabled(key Feature) bool {
+	if v, ok := f.enabled.Load().(map[Feature]bool)[key]; ok {
+		return v
+	}
+	return f.known.Load().(map[Feature]FeatureSpec)[key].Default
+}
+
+// AddFlag adds a flag for setting global feature gates to the specified FlagSet.
+func (f *featureGate) AddFlag(fs *pflag.FlagSet) {
+	f.lock.Lock()
+	// TODO(mtaufen): Shouldn't we just close it on the first Set/SetFromMap instead?
+	// Not all components expose a feature gates flag using this AddFlag method, and
+	// in the future, all components will completely stop exposing a feature gates flag,
+	// in favor of componentconfig.
+	f.closed = true
+	f.lock.Unlock()
+
+	known := f.KnownFeatures()
+	fs.Var(f, flagName, ""+
+		"A set of key=value pairs that describe feature gates for alpha/experimental features. "+
+		"Options are:\n"+strings.Join(known, "\n"))
+}
+
+// KnownFeatures returns a slice of strings describing the FeatureGate's known features.
+// Deprecated and GA features are hidden from the list.
+func (f *featureGate) KnownFeatures() []string {
+	var known []string
+	for k, v := range f.known.Load().(map[Feature]FeatureSpec) {
+		if v.PreRelease == GA || v.PreRelease == Deprecated {
+			continue
+		}
+		known = append(known, fmt.Sprintf("%s=true|false (%s - default=%t)", k, v.PreRelease, v.Default))
+	}
+	sort.Strings(known)
+	return known
+}
+
+// DeepCopy returns a deep copy of the FeatureGate object, such that gates can be
+// set on the copy without mutating the original. This is useful for validating
+// config against potential feature gate changes before committing those changes.
+func (f *featureGate) DeepCopy() FeatureGate {
+	// Copy existing state.
+	known := map[Feature]FeatureSpec{}
+	for k, v := range f.known.Load().(map[Feature]FeatureSpec) {
+		known[k] = v
+	}
+	enabled := map[Feature]bool{}
+	for k, v := range f.enabled.Load().(map[Feature]bool) {
+		enabled[k] = v
+	}
+
+	// Store copied state in new atomics.
+	knownValue := &atomic.Value{}
+	knownValue.Store(known)
+	enabledValue := &atomic.Value{}
+	enabledValue.Store(enabled)
+
+	// Construct a new featureGate around the copied state.
+	// Note that specialFeatures is treated as immutable by convention,
+	// and we maintain the value of f.closed across the copy.
+	return &featureGate{
+		special: specialFeatures,
+		known:   knownValue,
+		enabled: enabledValue,
+		closed:  f.closed,
+	}
+}