public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add missing k8s Webhook authorization mode

This commit is contained in:
Thomas Kim Pham 2018-06-18 14:14:55 +02:00 committed by Robin Gloster
parent f9ad1cae78
commit 1d07b0edac
1 changed files with 14 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
nixos/modules/services/cluster/kubernetes/default.nix
View File

@ -332,11 +332,11 @@ in {
authorizationMode = mkOption {
description = ''
Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC). See
Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/Webhook/RBAC/Node). See
<link xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/authorization/"/>
'';
default = ["RBAC" "Node"];
type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC" "Node"]);
type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "Webhook" "RBAC" "Node"]);
};
authorizationPolicy = mkOption {
@ -348,6 +348,15 @@ in {
type = types.listOf types.attrs;
};
webhookConfig = mkOption {
description = ''
Kubernetes apiserver Webhook config file. It uses the kubeconfig file format.
See <link xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/webhook/"/>
'';
default = null;
type = types.nullOr types.path;
};
allowPrivileged = mkOption {
description = "Whether to allow privileged containers on Kubernetes.";
default = true;
@ -943,6 +952,9 @@ in {
(concatMapStringsSep "\n" (l: builtins.toJSON l) cfg.apiserver.authorizationPolicy)
}"
} \
${optionalString (elem "Webhook" cfg.apiserver.authorizationMode)
"--authorization-webhook-config-file=${cfg.apiserver.webhookConfig}"
} \
--secure-port=${toString cfg.apiserver.securePort} \
--service-cluster-ip-range=${cfg.apiserver.serviceClusterIpRange} \
${optionalString (cfg.apiserver.runtimeConfig != "")