public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

kubernetes module: default auth mode to only RBAC

Browse Source
This commit is contained in:
Jaka Hudoklin 2017-05-30 13:11:39 +02:00 committed by Robin Gloster
parent c2622910ab
commit b25d155976
1 changed files with 2 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
nixos/modules/services/cluster/kubernetes/default.nix
View File

@ -115,87 +115,6 @@ let
taints = concatMapStringsSep "," (v: "${v.key}=${v.value}:${v.effect}") (mapAttrsToList (n: v: v) cfg.kubelet.taints); taints = concatMapStringsSep "," (v: "${v.key}=${v.value}:${v.effect}") (mapAttrsToList (n: v: v) cfg.kubelet.taints);
defaultAuthorizationPolicy = (optionals (any (el: el == "ABAC") cfg.apiserver.authorizationMode) [
{
apiVersion = "abac.authorization.kubernetes.io/v1beta1";
kind = "Policy";
spec = {
user = "kubecfg";
namespace = "*";
resource = "*";
apiGroup = "*";
nonResourcePath = "*";
};
}
{
apiVersion = "abac.authorization.kubernetes.io/v1beta1";
kind = "Policy";
spec = {
user = "kubelet";
namespace = "*";
resource = "*";
apiGroup = "*";
nonResourcePath = "*";
};
}
{
apiVersion = "abac.authorization.kubernetes.io/v1beta1";
kind = "Policy";
spec = {
user = "kube-worker";
namespace = "*";
resource = "*";
apiGroup = "*";
nonResourcePath = "*";
};
}
{
apiVersion = "abac.authorization.kubernetes.io/v1beta1";
kind = "Policy";
spec = {
user = "kube_proxy";
namespace = "*";
resource = "*";
apiGroup = "*";
nonResourcePath = "*";
};
}
{
apiVersion = "abac.authorization.kubernetes.io/v1beta1";
kind = "Policy";
spec = {
user = "client";
namespace = "*";
resource = "*";
apiGroup = "*";
nonResourcePath = "*";
};
}
]) ++ (optionals (all (el: el != "RBAC") cfg.apiserver.authorizationMode) [
{
apiVersion = "abac.authorization.kubernetes.io/v1beta1";
kind = "Policy";
spec = {
user = "admin";
namespace = "*";
resource = "*";
apiGroup = "*";
nonResourcePath = "*";
};
}
{
apiVersion = "abac.authorization.kubernetes.io/v1beta1";
kind = "Policy";
spec = {
group = "system:serviceaccounts";
namespace = "*";
resource = "*";
apiGroup = "*";
nonResourcePath = "*";
};
}
]);
# needed for flannel to pass options to docker # needed for flannel to pass options to docker
mkDockerOpts = pkgs.runCommand "mk-docker-opts" { mkDockerOpts = pkgs.runCommand "mk-docker-opts" {
buildInputs = [ pkgs.makeWrapper ]; buildInputs = [ pkgs.makeWrapper ];
@ -370,7 +289,7 @@ in {
Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC). See Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC). See
<link xlink:href="http://kubernetes.io/docs/admin/authorization.html"/> <link xlink:href="http://kubernetes.io/docs/admin/authorization.html"/>
''; '';
default = ["ABAC" "RBAC"]; default = ["RBAC"];
type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC"]); type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC"]);
}; };
@ -379,7 +298,7 @@ in {
Kubernetes apiserver authorization policy file. See Kubernetes apiserver authorization policy file. See
<link xlink:href="http://kubernetes.io/v1.0/docs/admin/authorization.html"/> <link xlink:href="http://kubernetes.io/v1.0/docs/admin/authorization.html"/>
''; '';
default = defaultAuthorizationPolicy; default = [];
type = types.listOf types.attrs; type = types.listOf types.attrs;
}; };