From bc967536caf0a0aae38316a58c8407c8aa68e5a5 Mon Sep 17 00:00:00 2001
From: Anders Eknert <anders@eknert.com>
Date: Tue, 30 Jul 2019 16:00:58 +0200
Subject: [PATCH 1/2] Add mappings for Webhook authorization mode.

---
 pkg/apis/kops/componentconfig.go              |  6 ++++
 pkg/apis/kops/v1alpha1/componentconfig.go     |  6 ++++
 .../kops/v1alpha1/zz_generated.conversion.go  |  6 ++++
 .../kops/v1alpha1/zz_generated.deepcopy.go    | 27 +++++++++++++++++
 pkg/apis/kops/v1alpha2/componentconfig.go     |  6 ++++
 .../kops/v1alpha2/zz_generated.conversion.go  |  6 ++++
 .../kops/v1alpha2/zz_generated.deepcopy.go    | 27 +++++++++++++++++
 pkg/apis/kops/validation/validation.go        |  7 +++++
 pkg/apis/kops/validation/validation_test.go   | 29 +++++++++++++++++++
 pkg/apis/kops/zz_generated.deepcopy.go        | 27 +++++++++++++++++
 pkg/flagbuilder/buildflags_test.go            | 18 ++++++++++++
 11 files changed, 165 insertions(+)

diff --git a/pkg/apis/kops/componentconfig.go b/pkg/apis/kops/componentconfig.go
index 1c960cbf3798c..6e5041f839648 100644
--- a/pkg/apis/kops/componentconfig.go
+++ b/pkg/apis/kops/componentconfig.go
@@ -385,6 +385,12 @@ type KubeAPIServerConfig struct {
 	AuthenticationTokenWebhookCacheTTL *metav1.Duration `json:"authenticationTokenWebhookCacheTtl,omitempty" flag:"authentication-token-webhook-cache-ttl"`
 	// AuthorizationMode is the authorization mode the kubeapi is running in
 	AuthorizationMode *string `json:"authorizationMode,omitempty" flag:"authorization-mode"`
+	// File with webhook configuration for authorization in kubeconfig format. The API server will query the remote service to determine whether to authorize the request.
+	AuthorizationWebhookConfigFile *string `json:"authorizationWebhookConfigFile,omitempty" flag:"authorization-webhook-config-file"`
+	// The duration to cache authorized responses from the webhook token authorizer. Default is 5m. (default 5m0s)
+	AuthorizationWebhookCacheAuthorizedTTL *metav1.Duration `json:"authorizationWebhookCacheAuthorizedTtl,omitempty" flag:"authorization-webhook-cache-authorized-ttl"`
+	// The duration to cache authorized responses from the webhook token authorizer. Default is 30s. (default 30s)
+	AuthorizationWebhookCacheUnauthorizedTTL *metav1.Duration `json:"authorizationWebhookCacheUnauthorizedTtl,omitempty" flag:"authorization-webhook-cache-unauthorized-ttl"`
 	// AuthorizationRBACSuperUser is the name of the superuser for default rbac
 	AuthorizationRBACSuperUser *string `json:"authorizationRbacSuperUser,omitempty" flag:"authorization-rbac-super-user"`
 	// ExperimentalEncryptionProviderConfig enables encryption at rest for secrets.
diff --git a/pkg/apis/kops/v1alpha1/componentconfig.go b/pkg/apis/kops/v1alpha1/componentconfig.go
index 59cd1f5dca8b2..aa2f31af420ec 100644
--- a/pkg/apis/kops/v1alpha1/componentconfig.go
+++ b/pkg/apis/kops/v1alpha1/componentconfig.go
@@ -385,6 +385,12 @@ type KubeAPIServerConfig struct {
 	AuthenticationTokenWebhookCacheTTL *metav1.Duration `json:"authenticationTokenWebhookCacheTtl,omitempty" flag:"authentication-token-webhook-cache-ttl"`
 	// AuthorizationMode is the authorization mode the kubeapi is running in
 	AuthorizationMode *string `json:"authorizationMode,omitempty" flag:"authorization-mode"`
+	// File with webhook configuration for authorization in kubeconfig format. The API server will query the remote service to determine whether to authorize the request.
+	AuthorizationWebhookConfigFile *string `json:"authorizationWebhookConfigFile,omitempty" flag:"authorization-webhook-config-file"`
+	// The duration to cache authorized responses from the webhook token authorizer. Default is 5m. (default 5m0s)
+	AuthorizationWebhookCacheAuthorizedTTL *metav1.Duration `json:"authorizationWebhookCacheAuthorizedTtl,omitempty" flag:"authorization-webhook-cache-authorized-ttl"`
+	// The duration to cache authorized responses from the webhook token authorizer. Default is 30s. (default 30s)
+	AuthorizationWebhookCacheUnauthorizedTTL *metav1.Duration `json:"authorizationWebhookCacheUnauthorizedTtl,omitempty" flag:"authorization-webhook-cache-unauthorized-ttl"`
 	// AuthorizationRBACSuperUser is the name of the superuser for default rbac
 	AuthorizationRBACSuperUser *string `json:"authorizationRbacSuperUser,omitempty" flag:"authorization-rbac-super-user"`
 	// ExperimentalEncryptionProviderConfig enables encryption at rest for secrets.
diff --git a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
index 2a53ef1626f48..bad15722921a2 100644
--- a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
@@ -3017,6 +3017,9 @@ func autoConvert_v1alpha1_KubeAPIServerConfig_To_kops_KubeAPIServerConfig(in *Ku
 	out.AuthenticationTokenWebhookConfigFile = in.AuthenticationTokenWebhookConfigFile
 	out.AuthenticationTokenWebhookCacheTTL = in.AuthenticationTokenWebhookCacheTTL
 	out.AuthorizationMode = in.AuthorizationMode
+	out.AuthorizationWebhookConfigFile = in.AuthorizationWebhookConfigFile
+	out.AuthorizationWebhookCacheAuthorizedTTL = in.AuthorizationWebhookCacheAuthorizedTTL
+	out.AuthorizationWebhookCacheUnauthorizedTTL = in.AuthorizationWebhookCacheUnauthorizedTTL
 	out.AuthorizationRBACSuperUser = in.AuthorizationRBACSuperUser
 	out.ExperimentalEncryptionProviderConfig = in.ExperimentalEncryptionProviderConfig
 	out.RequestheaderUsernameHeaders = in.RequestheaderUsernameHeaders
@@ -3108,6 +3111,9 @@ func autoConvert_kops_KubeAPIServerConfig_To_v1alpha1_KubeAPIServerConfig(in *ko
 	out.AuthenticationTokenWebhookConfigFile = in.AuthenticationTokenWebhookConfigFile
 	out.AuthenticationTokenWebhookCacheTTL = in.AuthenticationTokenWebhookCacheTTL
 	out.AuthorizationMode = in.AuthorizationMode
+	out.AuthorizationWebhookConfigFile = in.AuthorizationWebhookConfigFile
+	out.AuthorizationWebhookCacheAuthorizedTTL = in.AuthorizationWebhookCacheAuthorizedTTL
+	out.AuthorizationWebhookCacheUnauthorizedTTL = in.AuthorizationWebhookCacheUnauthorizedTTL
 	out.AuthorizationRBACSuperUser = in.AuthorizationRBACSuperUser
 	out.ExperimentalEncryptionProviderConfig = in.ExperimentalEncryptionProviderConfig
 	out.RequestheaderUsernameHeaders = in.RequestheaderUsernameHeaders
diff --git a/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go
index 6e42d1e008cc5..c40b7bd0f08ba 100644
--- a/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go
@@ -1820,6 +1820,33 @@ func (in *KubeAPIServerConfig) DeepCopyInto(out *KubeAPIServerConfig) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AuthorizationWebhookConfigFile != nil {
+		in, out := &in.AuthorizationWebhookConfigFile, &out.AuthorizationWebhookConfigFile
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(string)
+			**out = **in
+		}
+	}
+	if in.AuthorizationWebhookCacheAuthorizedTTL != nil {
+		in, out := &in.AuthorizationWebhookCacheAuthorizedTTL, &out.AuthorizationWebhookCacheAuthorizedTTL
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.Duration)
+			**out = **in
+		}
+	}
+	if in.AuthorizationWebhookCacheUnauthorizedTTL != nil {
+		in, out := &in.AuthorizationWebhookCacheUnauthorizedTTL, &out.AuthorizationWebhookCacheUnauthorizedTTL
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.Duration)
+			**out = **in
+		}
+	}
 	if in.AuthorizationRBACSuperUser != nil {
 		in, out := &in.AuthorizationRBACSuperUser, &out.AuthorizationRBACSuperUser
 		*out = new(string)
diff --git a/pkg/apis/kops/v1alpha2/componentconfig.go b/pkg/apis/kops/v1alpha2/componentconfig.go
index 203b7916b3845..8b27e1e487639 100644
--- a/pkg/apis/kops/v1alpha2/componentconfig.go
+++ b/pkg/apis/kops/v1alpha2/componentconfig.go
@@ -385,6 +385,12 @@ type KubeAPIServerConfig struct {
 	AuthenticationTokenWebhookCacheTTL *metav1.Duration `json:"authenticationTokenWebhookCacheTtl,omitempty" flag:"authentication-token-webhook-cache-ttl"`
 	// AuthorizationMode is the authorization mode the kubeapi is running in
 	AuthorizationMode *string `json:"authorizationMode,omitempty" flag:"authorization-mode"`
+	// File with webhook configuration for authorization in kubeconfig format. The API server will query the remote service to determine whether to authorize the request.
+	AuthorizationWebhookConfigFile *string `json:"authorizationWebhookConfigFile,omitempty" flag:"authorization-webhook-config-file"`
+	// The duration to cache authorized responses from the webhook token authorizer. Default is 5m. (default 5m0s)
+	AuthorizationWebhookCacheAuthorizedTTL *metav1.Duration `json:"authorizationWebhookCacheAuthorizedTtl,omitempty" flag:"authorization-webhook-cache-authorized-ttl"`
+	// The duration to cache authorized responses from the webhook token authorizer. Default is 30s. (default 30s)
+	AuthorizationWebhookCacheUnauthorizedTTL *metav1.Duration `json:"authorizationWebhookCacheUnauthorizedTtl,omitempty" flag:"authorization-webhook-cache-unauthorized-ttl"`
 	// AuthorizationRBACSuperUser is the name of the superuser for default rbac
 	AuthorizationRBACSuperUser *string `json:"authorizationRbacSuperUser,omitempty" flag:"authorization-rbac-super-user"`
 	// ExperimentalEncryptionProviderConfig enables encryption at rest for secrets.
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
index 6bb23a1285b2d..3733ef63375b1 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@@ -3287,6 +3287,9 @@ func autoConvert_v1alpha2_KubeAPIServerConfig_To_kops_KubeAPIServerConfig(in *Ku
 	out.AuthenticationTokenWebhookConfigFile = in.AuthenticationTokenWebhookConfigFile
 	out.AuthenticationTokenWebhookCacheTTL = in.AuthenticationTokenWebhookCacheTTL
 	out.AuthorizationMode = in.AuthorizationMode
+	out.AuthorizationWebhookConfigFile = in.AuthorizationWebhookConfigFile
+	out.AuthorizationWebhookCacheAuthorizedTTL = in.AuthorizationWebhookCacheAuthorizedTTL
+	out.AuthorizationWebhookCacheUnauthorizedTTL = in.AuthorizationWebhookCacheUnauthorizedTTL
 	out.AuthorizationRBACSuperUser = in.AuthorizationRBACSuperUser
 	out.ExperimentalEncryptionProviderConfig = in.ExperimentalEncryptionProviderConfig
 	out.RequestheaderUsernameHeaders = in.RequestheaderUsernameHeaders
@@ -3378,6 +3381,9 @@ func autoConvert_kops_KubeAPIServerConfig_To_v1alpha2_KubeAPIServerConfig(in *ko
 	out.AuthenticationTokenWebhookConfigFile = in.AuthenticationTokenWebhookConfigFile
 	out.AuthenticationTokenWebhookCacheTTL = in.AuthenticationTokenWebhookCacheTTL
 	out.AuthorizationMode = in.AuthorizationMode
+	out.AuthorizationWebhookConfigFile = in.AuthorizationWebhookConfigFile
+	out.AuthorizationWebhookCacheAuthorizedTTL = in.AuthorizationWebhookCacheAuthorizedTTL
+	out.AuthorizationWebhookCacheUnauthorizedTTL = in.AuthorizationWebhookCacheUnauthorizedTTL
 	out.AuthorizationRBACSuperUser = in.AuthorizationRBACSuperUser
 	out.ExperimentalEncryptionProviderConfig = in.ExperimentalEncryptionProviderConfig
 	out.RequestheaderUsernameHeaders = in.RequestheaderUsernameHeaders
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
index d9f40592279b1..a569d9d549711 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
@@ -1891,6 +1891,33 @@ func (in *KubeAPIServerConfig) DeepCopyInto(out *KubeAPIServerConfig) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AuthorizationWebhookConfigFile != nil {
+		in, out := &in.AuthorizationWebhookConfigFile, &out.AuthorizationWebhookConfigFile
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(string)
+			**out = **in
+		}
+	}
+	if in.AuthorizationWebhookCacheAuthorizedTTL != nil {
+		in, out := &in.AuthorizationWebhookCacheAuthorizedTTL, &out.AuthorizationWebhookCacheAuthorizedTTL
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.Duration)
+			**out = **in
+		}
+	}
+	if in.AuthorizationWebhookCacheUnauthorizedTTL != nil {
+		in, out := &in.AuthorizationWebhookCacheUnauthorizedTTL, &out.AuthorizationWebhookCacheUnauthorizedTTL
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.Duration)
+			**out = **in
+		}
+	}
 	if in.AuthorizationRBACSuperUser != nil {
 		in, out := &in.AuthorizationRBACSuperUser, &out.AuthorizationRBACSuperUser
 		*out = new(string)
diff --git a/pkg/apis/kops/validation/validation.go b/pkg/apis/kops/validation/validation.go
index 947cc2d2161c4..7d0fa2614fd29 100644
--- a/pkg/apis/kops/validation/validation.go
+++ b/pkg/apis/kops/validation/validation.go
@@ -266,6 +266,13 @@ func validateKubeAPIServer(v *kops.KubeAPIServerConfig, fldPath *field.Path) fie
 		}
 	}
 
+	if v.AuthorizationMode != nil && strings.Contains(*v.AuthorizationMode, "Webhook") {
+		if v.AuthorizationWebhookConfigFile == nil {
+			flds := [2]*string{v.AuthorizationMode, v.AuthorizationWebhookConfigFile}
+			allErrs = append(allErrs, field.Invalid(fldPath, flds, "Authorization mode Webhook requires AuthorizationWebhookConfigFile to be specified"))
+		}
+	}
+
 	return allErrs
 }
 
diff --git a/pkg/apis/kops/validation/validation_test.go b/pkg/apis/kops/validation/validation_test.go
index cb36003a3dcc0..2b45495864f4d 100644
--- a/pkg/apis/kops/validation/validation_test.go
+++ b/pkg/apis/kops/validation/validation_test.go
@@ -146,10 +146,12 @@ func TestValidateSubnets(t *testing.T) {
 
 func TestValidateKubeAPIServer(t *testing.T) {
 	str := "foobar"
+	authzMode := "RBAC,Webhook"
 
 	grid := []struct {
 		Input          kops.KubeAPIServerConfig
 		ExpectedErrors []string
+		ExpectedDetail string
 	}{
 		{
 			Input: kops.KubeAPIServerConfig{
@@ -158,6 +160,7 @@ func TestValidateKubeAPIServer(t *testing.T) {
 			ExpectedErrors: []string{
 				"Invalid value::KubeAPIServer",
 			},
+			ExpectedDetail: "ProxyClientCertFile and ProxyClientKeyFile must both be specified (or not all)",
 		},
 		{
 			Input: kops.KubeAPIServerConfig{
@@ -166,6 +169,7 @@ func TestValidateKubeAPIServer(t *testing.T) {
 			ExpectedErrors: []string{
 				"Invalid value::KubeAPIServer",
 			},
+			ExpectedDetail: "ProxyClientCertFile and ProxyClientKeyFile must both be specified (or not all)",
 		},
 		{
 			Input: kops.KubeAPIServerConfig{
@@ -175,11 +179,36 @@ func TestValidateKubeAPIServer(t *testing.T) {
 				"Invalid value::KubeAPIServer",
 			},
 		},
+		{
+			Input: kops.KubeAPIServerConfig{
+				AuthorizationMode: &authzMode,
+			},
+			ExpectedErrors: []string{
+				"Invalid value::KubeAPIServer",
+			},
+			ExpectedDetail: "Authorization mode Webhook requires AuthorizationWebhookConfigFile to be specified",
+		},
 	}
 	for _, g := range grid {
 		errs := validateKubeAPIServer(&g.Input, field.NewPath("KubeAPIServer"))
 
 		testErrors(t, g.Input, errs, g.ExpectedErrors)
+
+		if g.ExpectedDetail != "" {
+			found := false
+			for _, err := range errs {
+				if err.Detail == g.ExpectedDetail {
+					found = true
+				}
+			}
+			if !found {
+				for _, err := range errs {
+					t.Logf("found detail: %q", err.Detail)
+				}
+
+				t.Errorf("did not find expected error %q", g.ExpectedDetail)
+			}
+		}
 	}
 }
 
diff --git a/pkg/apis/kops/zz_generated.deepcopy.go b/pkg/apis/kops/zz_generated.deepcopy.go
index 9cb79c66365c3..da5857623886e 100644
--- a/pkg/apis/kops/zz_generated.deepcopy.go
+++ b/pkg/apis/kops/zz_generated.deepcopy.go
@@ -2073,6 +2073,33 @@ func (in *KubeAPIServerConfig) DeepCopyInto(out *KubeAPIServerConfig) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AuthorizationWebhookConfigFile != nil {
+		in, out := &in.AuthorizationWebhookConfigFile, &out.AuthorizationWebhookConfigFile
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(string)
+			**out = **in
+		}
+	}
+	if in.AuthorizationWebhookCacheAuthorizedTTL != nil {
+		in, out := &in.AuthorizationWebhookCacheAuthorizedTTL, &out.AuthorizationWebhookCacheAuthorizedTTL
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.Duration)
+			**out = **in
+		}
+	}
+	if in.AuthorizationWebhookCacheUnauthorizedTTL != nil {
+		in, out := &in.AuthorizationWebhookCacheUnauthorizedTTL, &out.AuthorizationWebhookCacheUnauthorizedTTL
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.Duration)
+			**out = **in
+		}
+	}
 	if in.AuthorizationRBACSuperUser != nil {
 		in, out := &in.AuthorizationRBACSuperUser, &out.AuthorizationRBACSuperUser
 		*out = new(string)
diff --git a/pkg/flagbuilder/buildflags_test.go b/pkg/flagbuilder/buildflags_test.go
index 3b5458344367e..3ecc659ba0f01 100644
--- a/pkg/flagbuilder/buildflags_test.go
+++ b/pkg/flagbuilder/buildflags_test.go
@@ -196,6 +196,24 @@ func TestBuildAPIServerFlags(t *testing.T) {
 			},
 			Expected: "--audit-webhook-batch-max-size=1000 --insecure-port=0 --secure-port=0",
 		},
+		{
+			Config: &kops.KubeAPIServerConfig{
+				AuthorizationWebhookConfigFile: fi.String("/authorization.yaml"),
+			},
+			Expected: "--authorization-webhook-config-file=/authorization.yaml --insecure-port=0 --secure-port=0",
+		},
+		{
+			Config: &kops.KubeAPIServerConfig{
+				AuthorizationWebhookCacheAuthorizedTTL: &metav1.Duration{Duration: 100 * time.Second},
+			},
+			Expected: "--authorization-webhook-cache-authorized-ttl=1m40s --insecure-port=0 --secure-port=0",
+		},
+		{
+			Config: &kops.KubeAPIServerConfig{
+				AuthorizationWebhookCacheUnauthorizedTTL: &metav1.Duration{Duration: 10 * time.Second},
+			},
+			Expected: "--authorization-webhook-cache-unauthorized-ttl=10s --insecure-port=0 --secure-port=0",
+		},
 	}
 
 	for _, test := range grid {

From c167a84932bfbc4e7e4594caef81e8944c6c5185 Mon Sep 17 00:00:00 2001
From: Anders Eknert <anders.eknert@bisnode.com>
Date: Wed, 31 Jul 2019 17:07:16 +0200
Subject: [PATCH 2/2] Update generated files

---
 .../kops/v1alpha1/zz_generated.deepcopy.go    | 24 +++++--------------
 .../kops/v1alpha2/zz_generated.deepcopy.go    | 24 +++++--------------
 pkg/apis/kops/zz_generated.deepcopy.go        | 24 +++++--------------
 3 files changed, 18 insertions(+), 54 deletions(-)

diff --git a/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go
index c40b7bd0f08ba..f98b558196989 100644
--- a/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go
@@ -1822,30 +1822,18 @@ func (in *KubeAPIServerConfig) DeepCopyInto(out *KubeAPIServerConfig) {
 	}
 	if in.AuthorizationWebhookConfigFile != nil {
 		in, out := &in.AuthorizationWebhookConfigFile, &out.AuthorizationWebhookConfigFile
-		if *in == nil {
-			*out = nil
-		} else {
-			*out = new(string)
-			**out = **in
-		}
+		*out = new(string)
+		**out = **in
 	}
 	if in.AuthorizationWebhookCacheAuthorizedTTL != nil {
 		in, out := &in.AuthorizationWebhookCacheAuthorizedTTL, &out.AuthorizationWebhookCacheAuthorizedTTL
-		if *in == nil {
-			*out = nil
-		} else {
-			*out = new(v1.Duration)
-			**out = **in
-		}
+		*out = new(v1.Duration)
+		**out = **in
 	}
 	if in.AuthorizationWebhookCacheUnauthorizedTTL != nil {
 		in, out := &in.AuthorizationWebhookCacheUnauthorizedTTL, &out.AuthorizationWebhookCacheUnauthorizedTTL
-		if *in == nil {
-			*out = nil
-		} else {
-			*out = new(v1.Duration)
-			**out = **in
-		}
+		*out = new(v1.Duration)
+		**out = **in
 	}
 	if in.AuthorizationRBACSuperUser != nil {
 		in, out := &in.AuthorizationRBACSuperUser, &out.AuthorizationRBACSuperUser
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
index a569d9d549711..5a219afd27a63 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
@@ -1893,30 +1893,18 @@ func (in *KubeAPIServerConfig) DeepCopyInto(out *KubeAPIServerConfig) {
 	}
 	if in.AuthorizationWebhookConfigFile != nil {
 		in, out := &in.AuthorizationWebhookConfigFile, &out.AuthorizationWebhookConfigFile
-		if *in == nil {
-			*out = nil
-		} else {
-			*out = new(string)
-			**out = **in
-		}
+		*out = new(string)
+		**out = **in
 	}
 	if in.AuthorizationWebhookCacheAuthorizedTTL != nil {
 		in, out := &in.AuthorizationWebhookCacheAuthorizedTTL, &out.AuthorizationWebhookCacheAuthorizedTTL
-		if *in == nil {
-			*out = nil
-		} else {
-			*out = new(v1.Duration)
-			**out = **in
-		}
+		*out = new(v1.Duration)
+		**out = **in
 	}
 	if in.AuthorizationWebhookCacheUnauthorizedTTL != nil {
 		in, out := &in.AuthorizationWebhookCacheUnauthorizedTTL, &out.AuthorizationWebhookCacheUnauthorizedTTL
-		if *in == nil {
-			*out = nil
-		} else {
-			*out = new(v1.Duration)
-			**out = **in
-		}
+		*out = new(v1.Duration)
+		**out = **in
 	}
 	if in.AuthorizationRBACSuperUser != nil {
 		in, out := &in.AuthorizationRBACSuperUser, &out.AuthorizationRBACSuperUser
diff --git a/pkg/apis/kops/zz_generated.deepcopy.go b/pkg/apis/kops/zz_generated.deepcopy.go
index da5857623886e..62da0f2284730 100644
--- a/pkg/apis/kops/zz_generated.deepcopy.go
+++ b/pkg/apis/kops/zz_generated.deepcopy.go
@@ -2075,30 +2075,18 @@ func (in *KubeAPIServerConfig) DeepCopyInto(out *KubeAPIServerConfig) {
 	}
 	if in.AuthorizationWebhookConfigFile != nil {
 		in, out := &in.AuthorizationWebhookConfigFile, &out.AuthorizationWebhookConfigFile
-		if *in == nil {
-			*out = nil
-		} else {
-			*out = new(string)
-			**out = **in
-		}
+		*out = new(string)
+		**out = **in
 	}
 	if in.AuthorizationWebhookCacheAuthorizedTTL != nil {
 		in, out := &in.AuthorizationWebhookCacheAuthorizedTTL, &out.AuthorizationWebhookCacheAuthorizedTTL
-		if *in == nil {
-			*out = nil
-		} else {
-			*out = new(v1.Duration)
-			**out = **in
-		}
+		*out = new(v1.Duration)
+		**out = **in
 	}
 	if in.AuthorizationWebhookCacheUnauthorizedTTL != nil {
 		in, out := &in.AuthorizationWebhookCacheUnauthorizedTTL, &out.AuthorizationWebhookCacheUnauthorizedTTL
-		if *in == nil {
-			*out = nil
-		} else {
-			*out = new(v1.Duration)
-			**out = **in
-		}
+		*out = new(v1.Duration)
+		**out = **in
 	}
 	if in.AuthorizationRBACSuperUser != nil {
 		in, out := &in.AuthorizationRBACSuperUser, &out.AuthorizationRBACSuperUser