diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix
index 20f2308508c..5e87ae88f5a 100644
--- a/nixos/modules/services/cluster/kubernetes/default.nix
+++ b/nixos/modules/services/cluster/kubernetes/default.nix
@@ -332,11 +332,11 @@ in {
authorizationMode = mkOption {
description = ''
- Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC). See
+ Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/Webhook/RBAC/Node). See
'';
default = ["RBAC" "Node"];
- type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC" "Node"]);
+ type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "Webhook" "RBAC" "Node"]);
};
authorizationPolicy = mkOption {
@@ -348,6 +348,15 @@ in {
type = types.listOf types.attrs;
};
+ webhookConfig = mkOption {
+ description = ''
+ Kubernetes apiserver Webhook config file. It uses the kubeconfig file format.
+ See
+ '';
+ default = null;
+ type = types.nullOr types.path;
+ };
+
allowPrivileged = mkOption {
description = "Whether to allow privileged containers on Kubernetes.";
default = true;
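Review bot: The new `webhookConfig` option's description does not say that the value is required whenever `"Webhook"` appears in `authorizationMode`, nor that a path literal assigned to a `types.path` option is copied into the world-readable Nix store — and a kubeconfig for the authorization webhook will usually carry client credentials or TLS key material. I would extend the description to something like: `Path to the kubeconfig-format file used by the Webhook authorizer. Required when authorizationMode contains "Webhook". A path literal is copied into the Nix store and becomes world-readable; if the file holds credentials, point this option at a string path to a file deployed outside the store and readable by the apiserver user.` The description also ends in a bare "See" with nothing after it; the link appears to have been lost, so the reference should be restored or the dangling word dropped.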
@@ -943,6 +952,9 @@ in {
(concatMapStringsSep "\n" (l: builtins.toJSON l) cfg.apiserver.authorizationPolicy)
}"
} \
+ ${optionalString (elem "Webhook" cfg.apiserver.authorizationMode)
+ "--authorization-webhook-config-file=${cfg.apiserver.webhookConfig}"
+ } \
--secure-port=${toString cfg.apiserver.securePort} \
--service-cluster-ip-range=${cfg.apiserver.serviceClusterIpRange} \
${optionalString (cfg.apiserver.runtimeConfig != "")
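Review bot: The added `--authorization-webhook-config-file=${cfg.apiserver.webhookConfig}` interpolates an option whose default is `null`, so enabling `"Webhook"` in `authorizationMode` without setting `webhookConfig` fails evaluation with a generic "cannot coerce null to a string" error rather than a message naming the missing option. Since the apiserver cannot run Webhook authorization without that file, I would surface the coupling as a module assertion in the `config` section (outside this hunk) rather than silently dropping the flag. The enclosing apiserver command-line string starts before this hunk.
```nix
assertions = [
  {
    assertion = elem "Webhook" cfg.apiserver.authorizationMode -> cfg.apiserver.webhookConfig != null;
    message = "services.kubernetes.apiserver.webhookConfig must be set when \"Webhook\" is in services.kubernetes.apiserver.authorizationMode";
  }
];
# … unchanged: rest of the config section …
```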