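# NixOS module: deploys the Kubernetes dashboard as an addon-manager addon.
#
# When enabled it seeds the dashboard image into the kubelet and registers a
# Deployment, a Service and a ServiceAccount in kube-system. With enableRBAC
# it also registers a ClusterRoleBinding for that ServiceAccount.
#
# SECURITY: the ClusterRoleBinding below grants cluster-admin, and the
# container is exposed over plain HTTP on port 9090. Read the notes at both
# places before enabling this on a cluster reachable by untrusted clients.
{ config, pkgs, lib, ... }:

with lib;

let
  cfg = config.services.kubernetes.addons.dashboard;

  name = "gcr.io/google_containers/kubernetes-dashboard-amd64";
  version = "v1.8.2";

  # The image is fetched at build time and pinned by content hash, so a tag
  # that is later re-pointed upstream fails the build instead of silently
  # changing what runs in the cluster.
  image = pkgs.dockerTools.pullImage {
    imageName = name;
    imageTag = version;
    sha256 = "11h0fz3wxp0f10fsyqaxjm7l2qg7xws50dv5iwlck5gb1fjmajad";
  };
in {
  options.services.kubernetes.addons.dashboard = {
    enable = mkEnableOption "kubernetes dashboard addon";

    enableRBAC = mkOption {
      # The description states what the option really does: it controls
      # whether the cluster-admin binding further down is created.
      description = ''
        Whether to create the RBAC ClusterRoleBinding for the kubernetes
        dashboard service account. When enabled, the service account is
        bound to the cluster-admin ClusterRole.
      '';
      type = types.bool;
      # Follows the API server: on when "RBAC" is one of its authorization modes.
      default = elem "RBAC" config.services.kubernetes.apiserver.authorizationMode;
    };
  };

  config = mkIf cfg.enable {
    # Pre-load the pinned image so the kubelet can start the pod from it.
    services.kubernetes.kubelet.seedDockerImages = [ image ];

    services.kubernetes.addonManager.addons = {
      kubernetes-dashboard-deployment = {
        kind = "Deployment";
        apiVersion = "apps/v1beta1";
        metadata = {
          labels = {
            k8s-addon = "kubernetes-dashboard.addons.k8s.io";
            k8s-app = "kubernetes-dashboard";
            version = version;
            "kubernetes.io/cluster-service" = "true";
            "addonmanager.kubernetes.io/mode" = "Reconcile";
          };
          name = "kubernetes-dashboard";
          namespace = "kube-system";
        };
        spec = {
          replicas = 1;
          revisionHistoryLimit = 10;
          selector.matchLabels."k8s-app" = "kubernetes-dashboard";
          template = {
            metadata = {
              labels = {
                k8s-addon = "kubernetes-dashboard.addons.k8s.io";
                k8s-app = "kubernetes-dashboard";
                version = version;
                "kubernetes.io/cluster-service" = "true";
              };
              annotations = {
                "scheduler.alpha.kubernetes.io/critical-pod" = "";
                #"scheduler.alpha.kubernetes.io/tolerations" = ''[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'';
              };
            };
            spec = {
              containers = [{
                name = "kubernetes-dashboard";
                image = "${name}:${version}";
                # SECURITY: the only port declared is 9090 and the probe
                # below uses a plain httpGet; no TLS arguments, certificates
                # or secrets are configured in this manifest.
                # NOTE(review): confirm whether this dashboard version
                # authenticates requests arriving on this port. If it does
                # not, every client that can reach the Service acts with the
                # permissions of the dashboard's service account.
                ports = [{
                  containerPort = 9090;
                  protocol = "TCP";
                }];
                resources = {
                  limits = {
                    cpu = "100m";
                    memory = "50Mi";
                  };
                  requests = {
                    cpu = "100m";
                    memory = "50Mi";
                  };
                };
                livenessProbe = {
                  httpGet = {
                    path = "/";
                    port = 9090;
                  };
                  initialDelaySeconds = 30;
                  timeoutSeconds = 30;
                };
              }];
              # The pod runs as the ServiceAccount declared below; its API
              # permissions are whatever is bound to that account.
              serviceAccountName = "kubernetes-dashboard";
              # Tolerates the master NoSchedule taint, so the pod may be
              # scheduled onto master nodes.
              tolerations = [{
                key = "node-role.kubernetes.io/master";
                effect = "NoSchedule";
              }];
            };
          };
        };
      };

      # In-cluster Service: port 80 forwards to the container's HTTP port 9090.
      kubernetes-dashboard-svc = {
        apiVersion = "v1";
        kind = "Service";
        metadata = {
          labels = {
            k8s-addon = "kubernetes-dashboard.addons.k8s.io";
            k8s-app = "kubernetes-dashboard";
            "kubernetes.io/cluster-service" = "true";
            "kubernetes.io/name" = "KubeDashboard";
            "addonmanager.kubernetes.io/mode" = "Reconcile";
          };
          name = "kubernetes-dashboard";
          namespace = "kube-system";
        };
        spec = {
          ports = [{
            port = 80;
            targetPort = 9090;
          }];
          selector.k8s-app = "kubernetes-dashboard";
        };
      };

      kubernetes-dashboard-sa = {
        apiVersion = "v1";
        kind = "ServiceAccount";
        metadata = {
          labels = {
            k8s-app = "kubernetes-dashboard";
            k8s-addon = "kubernetes-dashboard.addons.k8s.io";
            "addonmanager.kubernetes.io/mode" = "Reconcile";
          };
          name = "kubernetes-dashboard";
          namespace = "kube-system";
        };
      };
    } // (optionalAttrs cfg.enableRBAC {
      # SECURITY: this binds the dashboard's ServiceAccount to cluster-admin,
      # i.e. unrestricted access to every resource in every namespace.
      # Whatever can act through the dashboard, or read this account's
      # token, inherits that access. Because enableRBAC defaults to true
      # whenever the API server lists "RBAC" as an authorization mode, the
      # binding is created by default on RBAC clusters. Prefer a narrowly
      # scoped Role or ClusterRole for the dashboard, and keep the Service
      # unreachable from untrusted networks.
      kubernetes-dashboard-crb = {
        apiVersion = "rbac.authorization.k8s.io/v1beta1";
        kind = "ClusterRoleBinding";
        metadata = {
          name = "kubernetes-dashboard";
          labels = {
            k8s-app = "kubernetes-dashboard";
            k8s-addon = "kubernetes-dashboard.addons.k8s.io";
            "addonmanager.kubernetes.io/mode" = "Reconcile";
          };
        };
        roleRef = {
          apiGroup = "rbac.authorization.k8s.io";
          kind = "ClusterRole";
          name = "cluster-admin";
        };
        subjects = [{
          kind = "ServiceAccount";
          name = "kubernetes-dashboard";
          namespace = "kube-system";
        }];
      };
    });
  };
}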