public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add missing k8s Webhook authorization mode

Browse Source
This commit is contained in:
Thomas Kim Pham 2018-06-18 14:14:55 +02:00 committed by Robin Gloster
parent f9ad1cae78
commit 1d07b0edac
1 changed files with 14 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
nixos/modules/services/cluster/kubernetes/default.nix
View File

@ -332,11 +332,11 @@ in {
authorizationMode = mkOption { authorizationMode = mkOption {
description = '' description = ''
Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC). See Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/Webhook/RBAC/Node). See
<link xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/authorization/"/> <link xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/authorization/"/>
''; '';
default = ["RBAC" "Node"]; default = ["RBAC" "Node"];
type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC" "Node"]); type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "Webhook" "RBAC" "Node"]);
}; };
authorizationPolicy = mkOption { authorizationPolicy = mkOption {
@ -348,6 +348,15 @@ in {
type = types.listOf types.attrs; type = types.listOf types.attrs;
}; };
webhookConfig = mkOption {
description = ''
Kubernetes apiserver Webhook config file. It uses the kubeconfig file format.
See <link xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/webhook/"/>
'';
default = null;
type = types.nullOr types.path;
};
allowPrivileged = mkOption { allowPrivileged = mkOption {
description = "Whether to allow privileged containers on Kubernetes."; description = "Whether to allow privileged containers on Kubernetes.";
default = true; default = true;
@ -943,6 +952,9 @@ in {
(concatMapStringsSep "\n" (l: builtins.toJSON l) cfg.apiserver.authorizationPolicy) (concatMapStringsSep "\n" (l: builtins.toJSON l) cfg.apiserver.authorizationPolicy)
}" }"
} \ } \
${optionalString (elem "Webhook" cfg.apiserver.authorizationMode)
"--authorization-webhook-config-file=${cfg.apiserver.webhookConfig}"
} \
--secure-port=${toString cfg.apiserver.securePort} \ --secure-port=${toString cfg.apiserver.securePort} \
--service-cluster-ip-range=${cfg.apiserver.serviceClusterIpRange} \ --service-cluster-ip-range=${cfg.apiserver.serviceClusterIpRange} \
${optionalString (cfg.apiserver.runtimeConfig != "") ${optionalString (cfg.apiserver.runtimeConfig != "")