mirror of
https://github.com/ilyakooo0/nixpkgs.git
synced 2024-12-27 22:03:54 +03:00
nixos/k8s: Enable Node authorizer and NodeRestriction by default
This commit is contained in:
parent
f63604a598
commit
bf58890a5a
@ -301,8 +301,8 @@ in {
|
||||
Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC). See
|
||||
<link xlink:href="http://kubernetes.io/docs/admin/authorization.html"/>
|
||||
'';
|
||||
default = ["RBAC"];
|
||||
type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC"]);
|
||||
default = ["RBAC" "Node"];
|
||||
type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC" "Node"]);
|
||||
};
|
||||
|
||||
authorizationPolicy = mkOption {
|
||||
@ -344,7 +344,7 @@ in {
|
||||
Kubernetes admission control plugins to use. See
|
||||
<link xlink:href="http://kubernetes.io/docs/admin/admission-controllers/"/>
|
||||
'';
|
||||
default = ["NamespaceLifecycle" "LimitRanger" "ServiceAccount" "ResourceQuota" "DefaultStorageClass" "DefaultTolerationSeconds"];
|
||||
default = ["NamespaceLifecycle" "LimitRanger" "ServiceAccount" "ResourceQuota" "DefaultStorageClass" "DefaultTolerationSeconds" "NodeRestriction"];
|
||||
example = [
|
||||
"NamespaceLifecycle" "NamespaceExists" "LimitRanger"
|
||||
"SecurityContextDeny" "ServiceAccount" "ResourceQuota"
|
||||
|
@ -8,7 +8,7 @@ let
|
||||
mkKubernetesBaseTest =
|
||||
{ name, domain ? "my.zyx", test, machines
|
||||
, pkgs ? import <nixpkgs> { inherit system; }
|
||||
, certs ? import ./certs.nix { inherit pkgs; externalDomain = domain; }
|
||||
, certs ? import ./certs.nix { inherit pkgs; externalDomain = domain; kubelets = attrNames machines; }
|
||||
, extraConfiguration ? null }:
|
||||
let
|
||||
masterName = head (filter (machineName: any (role: role == "master") machines.${machineName}.roles) (attrNames machines));
|
||||
|
@ -2,7 +2,8 @@
|
||||
pkgs ? import <nixpkgs> {},
|
||||
internalDomain ? "cloud.yourdomain.net",
|
||||
externalDomain ? "myawesomecluster.cluster.yourdomain.net",
|
||||
serviceClusterIp ? "10.0.0.1"
|
||||
serviceClusterIp ? "10.0.0.1",
|
||||
kubelets
|
||||
}:
|
||||
let
|
||||
runWithCFSSL = name: cmd:
|
||||
@ -123,9 +124,10 @@ let
|
||||
};
|
||||
|
||||
apiserver-client = {
|
||||
kubelet = createClientCertKey {
|
||||
kubelet = hostname: createClientCertKey {
|
||||
inherit ca;
|
||||
cn = "apiserver-client-kubelet";
|
||||
name = "apiserver-client-kubelet-${hostname}";
|
||||
cn = "system:node:${hostname}.${externalDomain}";
|
||||
groups = ["system:nodes"];
|
||||
};
|
||||
|
||||
@ -175,10 +177,9 @@ in {
|
||||
paths = [
|
||||
(writeCFSSL (noKey ca))
|
||||
(writeCFSSL kubelet)
|
||||
(writeCFSSL apiserver-client.kubelet)
|
||||
(writeCFSSL apiserver-client.kube-proxy)
|
||||
(writeCFSSL etcd-client)
|
||||
];
|
||||
] ++ map (hostname: writeCFSSL (apiserver-client.kubelet hostname)) kubelets;
|
||||
};
|
||||
|
||||
admin = writeCFSSL apiserver-client.admin;
|
||||
|
@ -3,7 +3,7 @@ with import ./base.nix { inherit system; };
|
||||
let
|
||||
domain = "my.zyx";
|
||||
|
||||
certs = import ./certs.nix { externalDomain = domain; };
|
||||
certs = import ./certs.nix { externalDomain = domain; kubelets = [ "machine1" "machine2" ]; };
|
||||
|
||||
redisPod = pkgs.writeText "redis-pod.json" (builtins.toJSON {
|
||||
kind = "Pod";
|
||||
|
@ -29,8 +29,8 @@ let
|
||||
tlsKeyFile = "${certs.worker}/kubelet-key.pem";
|
||||
hostname = "${config.networking.hostName}.${config.networking.domain}";
|
||||
kubeconfig = {
|
||||
certFile = "${certs.worker}/apiserver-client-kubelet.pem";
|
||||
keyFile = "${certs.worker}/apiserver-client-kubelet-key.pem";
|
||||
certFile = "${certs.worker}/apiserver-client-kubelet-${config.networking.hostName}.pem";
|
||||
keyFile = "${certs.worker}/apiserver-client-kubelet-${config.networking.hostName}-key.pem";
|
||||
};
|
||||
};
|
||||
controllerManager = {
|
||||
|
Loading…
Reference in New Issue
Block a user