commit bf58890a5ae74ed64983f15f61e6aa8e7ccbe515 · pyrox.dev/nixpkgs

+3 -3

nixos/modules/services/cluster/kubernetes/default.nix

···

       301
        
                 Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC). See

     

       302
        
                 <link xlink:href="http://kubernetes.io/docs/admin/authorization.html"/>

     

       303
        
               '';

     

       304
       -
               default = ["RBAC"];

     

       305
       -
               type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC"]);

     

       306
        
             };

     

       307
        
       

     

       308
        
             authorizationPolicy = mkOption {

     
···

       344
        
                 Kubernetes admission control plugins to use. See

     

       345
        
                 <link xlink:href="http://kubernetes.io/docs/admin/admission-controllers/"/>

     

       346
        
               '';

     

       347
       -
               default = ["NamespaceLifecycle" "LimitRanger" "ServiceAccount" "ResourceQuota" "DefaultStorageClass" "DefaultTolerationSeconds"];

     

       348
        
               example = [

     

       349
        
                 "NamespaceLifecycle" "NamespaceExists" "LimitRanger"

     

       350
        
                 "SecurityContextDeny" "ServiceAccount" "ResourceQuota"

···

       301
        
                 Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC). See

     

       302
        
                 <link xlink:href="http://kubernetes.io/docs/admin/authorization.html"/>

     

       303
        
               '';

     

       304
       +
               default = ["RBAC" "Node"];

     

       305
       +
               type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC" "Node"]);

     

       306
        
             };

     

       307
        
       

     

       308
        
             authorizationPolicy = mkOption {

     
···

       344
        
                 Kubernetes admission control plugins to use. See

     

       345
        
                 <link xlink:href="http://kubernetes.io/docs/admin/admission-controllers/"/>

     

       346
        
               '';

     

       347
       +
               default = ["NamespaceLifecycle" "LimitRanger" "ServiceAccount" "ResourceQuota" "DefaultStorageClass" "DefaultTolerationSeconds" "NodeRestriction"];

     

       348
        
               example = [

     

       349
        
                 "NamespaceLifecycle" "NamespaceExists" "LimitRanger"

     

       350
        
                 "SecurityContextDeny" "ServiceAccount" "ResourceQuota"

+1 -1

nixos/tests/kubernetes/base.nix

···

       8
        
         mkKubernetesBaseTest =

     

       9
        
           { name, domain ? "my.zyx", test, machines

     

       10
        
           , pkgs ? import <nixpkgs> { inherit system; }

     

       11
       -
           , certs ? import ./certs.nix { inherit pkgs; externalDomain = domain; }

     

       12
        
           , extraConfiguration ? null }:

     

       13
        
           let

     

       14
        
             masterName = head (filter (machineName: any (role: role == "master") machines.${machineName}.roles) (attrNames machines));

···

       8
        
         mkKubernetesBaseTest =

     

       9
        
           { name, domain ? "my.zyx", test, machines

     

       10
        
           , pkgs ? import <nixpkgs> { inherit system; }

     

       11
       +
           , certs ? import ./certs.nix { inherit pkgs; externalDomain = domain; kubelets = attrNames machines; }

     

       12
        
           , extraConfiguration ? null }:

     

       13
        
           let

     

       14
        
             masterName = head (filter (machineName: any (role: role == "master") machines.${machineName}.roles) (attrNames machines));

+6 -5

nixos/tests/kubernetes/certs.nix

···

       2
        
         pkgs ? import <nixpkgs> {},

     

       3
        
         internalDomain ? "cloud.yourdomain.net",

     

       4
        
         externalDomain ? "myawesomecluster.cluster.yourdomain.net",

     

       5
       -
         serviceClusterIp ? "10.0.0.1"

     

       0
        
       
     

       6
        
       }:

     

       7
        
       let

     

       8
        
         runWithCFSSL = name: cmd:

     
···

       123
        
         };

     

       124
        
       

     

       125
        
         apiserver-client = {

     

       126
       -
           kubelet = createClientCertKey {

     

       127
        
             inherit ca;

     

       128
       -
             cn = "apiserver-client-kubelet";

     

       0
        
       
     

       129
        
             groups = ["system:nodes"];

     

       130
        
           };

     

       131
        
       

     
···

       175
        
           paths = [

     

       176
        
             (writeCFSSL (noKey ca))

     

       177
        
             (writeCFSSL kubelet)

     

       178
       -
             (writeCFSSL apiserver-client.kubelet)

     

       179
        
             (writeCFSSL apiserver-client.kube-proxy)

     

       180
        
             (writeCFSSL etcd-client)

     

       181
       -
           ];

     

       182
        
         };

     

       183
        
       

     

       184
        
         admin = writeCFSSL apiserver-client.admin;

···

       2
        
         pkgs ? import <nixpkgs> {},

     

       3
        
         internalDomain ? "cloud.yourdomain.net",

     

       4
        
         externalDomain ? "myawesomecluster.cluster.yourdomain.net",

     

       5
       +
         serviceClusterIp ? "10.0.0.1",

     

       6
       +
         kubelets

     

       7
        
       }:

     

       8
        
       let

     

       9
        
         runWithCFSSL = name: cmd:

     
···

       124
        
         };

     

       125
        
       

     

       126
        
         apiserver-client = {

     

       127
       +
           kubelet = hostname: createClientCertKey {

     

       128
        
             inherit ca;

     

       129
       +
             name = "apiserver-client-kubelet-${hostname}";

     

       130
       +
             cn = "system:node:${hostname}.${externalDomain}";

     

       131
        
             groups = ["system:nodes"];

     

       132
        
           };

     

       133
        
       

     
···

       177
        
           paths = [

     

       178
        
             (writeCFSSL (noKey ca))

     

       179
        
             (writeCFSSL kubelet)

     

       0
        
       
     

       180
        
             (writeCFSSL apiserver-client.kube-proxy)

     

       181
        
             (writeCFSSL etcd-client)

     

       182
       +
           ] ++ map (hostname: writeCFSSL (apiserver-client.kubelet hostname)) kubelets;

     

       183
        
         };

     

       184
        
       

     

       185
        
         admin = writeCFSSL apiserver-client.admin;

+1 -1

nixos/tests/kubernetes/dns.nix

···

       3
        
       let

     

       4
        
         domain = "my.zyx";

     

       5
        
       

     

       6
       -
         certs = import ./certs.nix { externalDomain = domain; };

     

       7
        
       

     

       8
        
         redisPod = pkgs.writeText "redis-pod.json" (builtins.toJSON {

     

       9
        
           kind = "Pod";

···

       3
        
       let

     

       4
        
         domain = "my.zyx";

     

       5
        
       

     

       6
       +
         certs = import ./certs.nix { externalDomain = domain; kubelets = [ "machine1" "machine2" ]; };

     

       7
        
       

     

       8
        
         redisPod = pkgs.writeText "redis-pod.json" (builtins.toJSON {

     

       9
        
           kind = "Pod";

+2 -2

nixos/tests/kubernetes/kubernetes-common.nix

···

       29
        
             tlsKeyFile = "${certs.worker}/kubelet-key.pem";

     

       30
        
             hostname = "${config.networking.hostName}.${config.networking.domain}";

     

       31
        
             kubeconfig = {

     

       32
       -
               certFile = "${certs.worker}/apiserver-client-kubelet.pem";

     

       33
       -
               keyFile = "${certs.worker}/apiserver-client-kubelet-key.pem";

     

       34
        
             };

     

       35
        
           };

     

       36
        
           controllerManager = {

···

       29
        
             tlsKeyFile = "${certs.worker}/kubelet-key.pem";

     

       30
        
             hostname = "${config.networking.hostName}.${config.networking.domain}";

     

       31
        
             kubeconfig = {

     

       32
       +
               certFile = "${certs.worker}/apiserver-client-kubelet-${config.networking.hostName}.pem";

     

       33
       +
               keyFile = "${certs.worker}/apiserver-client-kubelet-${config.networking.hostName}-key.pem";

     

       34
        
             };

     

       35
        
           };

     

       36
        
           controllerManager = {