nixos/kubernetes: dashboard lockdown
Kubernetes dashboard currently has cluster admin permissions, which is not recommended. - Renamed option "services.kubernetes.addons.dashboard.enableRBAC" to "services.kubernetes.addons.dashboard.rbac.enable" - Added option "services.kubernetes.addons.dashboard.rbac.clusterAdmin", default = false. - Setting recommended minimal permissions for the dashboard in accordance with https://github.com/kubernetes/dashboard/wiki/Installation - Updated release note for 18.09.
This commit is contained in:
parent
dc6484e366
commit
f9ad1cae78
|
@ -306,6 +306,22 @@ inherit (pkgs.nixos {
|
||||||
was not used and thus has been removed.
|
was not used and thus has been removed.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
The option <varname>services.kubernetes.addons.dashboard.enableRBAC</varname>
|
||||||
|
was renamed to <varname>services.kubernetes.addons.dashboard.rbac.enable</varname>.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
The Kubernetes Dashboard now has only minimal RBAC permissions by default.
|
||||||
|
If dashboard cluster-admin rights are desired,
|
||||||
|
set <varname>services.kubernetes.addons.dashboard.rbac.clusterAdmin</varname> to true.
|
||||||
|
On existing clusters, in order for the revocation of privileges to take effect,
|
||||||
|
the current ClusterRoleBinding for kubernetes-dashboard must be manually removed:
|
||||||
|
<literal>kubectl delete clusterrolebinding kubernetes-dashboard</literal>
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
|
|
@ -34,6 +34,7 @@ with lib;
|
||||||
(mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "admissionControl" ] [ "services" "kubernetes" "apiserver" "enableAdmissionPlugins" ])
|
(mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "admissionControl" ] [ "services" "kubernetes" "apiserver" "enableAdmissionPlugins" ])
|
||||||
(mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "address" ] ["services" "kubernetes" "apiserver" "bindAddress"])
|
(mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "address" ] ["services" "kubernetes" "apiserver" "bindAddress"])
|
||||||
(mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "publicAddress" ] "")
|
(mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "publicAddress" ] "")
|
||||||
|
(mkRenamedOptionModule [ "services" "kubernetes" "addons" "dashboard" "enableRBAC" ] [ "services" "kubernetes" "addons" "dashboard" "rbac" "enable" ])
|
||||||
(mkRenamedOptionModule [ "services" "logstash" "address" ] [ "services" "logstash" "listenAddress" ])
|
(mkRenamedOptionModule [ "services" "logstash" "address" ] [ "services" "logstash" "listenAddress" ])
|
||||||
(mkRenamedOptionModule [ "services" "mpd" "network" "host" ] [ "services" "mpd" "network" "listenAddress" ])
|
(mkRenamedOptionModule [ "services" "mpd" "network" "host" ] [ "services" "mpd" "network" "listenAddress" ])
|
||||||
(mkRenamedOptionModule [ "services" "neo4j" "host" ] [ "services" "neo4j" "listenAddress" ])
|
(mkRenamedOptionModule [ "services" "neo4j" "host" ] [ "services" "neo4j" "listenAddress" ])
|
||||||
|
|
|
@ -8,12 +8,27 @@ in {
|
||||||
options.services.kubernetes.addons.dashboard = {
|
options.services.kubernetes.addons.dashboard = {
|
||||||
enable = mkEnableOption "kubernetes dashboard addon";
|
enable = mkEnableOption "kubernetes dashboard addon";
|
||||||
|
|
||||||
enableRBAC = mkOption {
|
rbac = mkOption {
|
||||||
|
description = "Role-based access control (RBAC) options";
|
||||||
|
type = types.submodule {
|
||||||
|
|
||||||
|
options = {
|
||||||
|
enable = mkOption {
|
||||||
description = "Whether to enable role based access control is enabled for kubernetes dashboard";
|
description = "Whether to enable role based access control is enabled for kubernetes dashboard";
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = elem "RBAC" config.services.kubernetes.apiserver.authorizationMode;
|
default = elem "RBAC" config.services.kubernetes.apiserver.authorizationMode;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
clusterAdmin = mkOption {
|
||||||
|
description = "Whether to assign cluster admin rights to the kubernetes dashboard";
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
version = mkOption {
|
version = mkOption {
|
||||||
description = "Which version of the kubernetes dashboard to deploy";
|
description = "Which version of the kubernetes dashboard to deploy";
|
||||||
type = types.str;
|
type = types.str;
|
||||||
|
@ -202,29 +217,106 @@ in {
|
||||||
namespace = "kube-system";
|
namespace = "kube-system";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
} // (optionalAttrs cfg.enableRBAC {
|
} // (optionalAttrs cfg.rbac.enable
|
||||||
kubernetes-dashboard-crb = {
|
(let
|
||||||
apiVersion = "rbac.authorization.k8s.io/v1";
|
subjects = [{
|
||||||
kind = "ClusterRoleBinding";
|
kind = "ServiceAccount";
|
||||||
metadata = {
|
|
||||||
name = "kubernetes-dashboard";
|
name = "kubernetes-dashboard";
|
||||||
|
namespace = "kube-system";
|
||||||
|
}];
|
||||||
labels = {
|
labels = {
|
||||||
k8s-app = "kubernetes-dashboard";
|
k8s-app = "kubernetes-dashboard";
|
||||||
k8s-addon = "kubernetes-dashboard.addons.k8s.io";
|
k8s-addon = "kubernetes-dashboard.addons.k8s.io";
|
||||||
"addonmanager.kubernetes.io/mode" = "Reconcile";
|
"addonmanager.kubernetes.io/mode" = "Reconcile";
|
||||||
};
|
};
|
||||||
|
in
|
||||||
|
(if cfg.rbac.clusterAdmin then {
|
||||||
|
kubernetes-dashboard-crb = {
|
||||||
|
apiVersion = "rbac.authorization.k8s.io/v1";
|
||||||
|
kind = "ClusterRoleBinding";
|
||||||
|
metadata = {
|
||||||
|
name = "kubernetes-dashboard";
|
||||||
|
inherit labels;
|
||||||
};
|
};
|
||||||
roleRef = {
|
roleRef = {
|
||||||
apiGroup = "rbac.authorization.k8s.io";
|
apiGroup = "rbac.authorization.k8s.io";
|
||||||
kind = "ClusterRole";
|
kind = "ClusterRole";
|
||||||
name = "cluster-admin";
|
name = "cluster-admin";
|
||||||
};
|
};
|
||||||
subjects = [{
|
inherit subjects;
|
||||||
kind = "ServiceAccount";
|
|
||||||
name = "kubernetes-dashboard";
|
|
||||||
namespace = "kube-system";
|
|
||||||
}];
|
|
||||||
};
|
};
|
||||||
});
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
# Upstream role- and rolebinding as per:
|
||||||
|
# https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/alternative/kubernetes-dashboard.yaml
|
||||||
|
kubernetes-dashboard-role = {
|
||||||
|
apiVersion = "rbac.authorization.k8s.io/v1";
|
||||||
|
kind = "Role";
|
||||||
|
metadata = {
|
||||||
|
name = "kubernetes-dashboard-minimal";
|
||||||
|
namespace = "kube-system";
|
||||||
|
inherit labels;
|
||||||
|
};
|
||||||
|
rules = [
|
||||||
|
# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
|
||||||
|
{
|
||||||
|
apiGroups = [""];
|
||||||
|
resources = ["secrets"];
|
||||||
|
verbs = ["create"];
|
||||||
|
}
|
||||||
|
# Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
|
||||||
|
{
|
||||||
|
apiGroups = [""];
|
||||||
|
resources = ["configmaps"];
|
||||||
|
verbs = ["create"];
|
||||||
|
}
|
||||||
|
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
|
||||||
|
{
|
||||||
|
apiGroups = [""];
|
||||||
|
resources = ["secrets"];
|
||||||
|
resourceNames = ["kubernetes-dashboard-key-holder"];
|
||||||
|
verbs = ["get" "update" "delete"];
|
||||||
|
}
|
||||||
|
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
|
||||||
|
{
|
||||||
|
apiGroups = [""];
|
||||||
|
resources = ["configmaps"];
|
||||||
|
resourceNames = ["kubernetes-dashboard-settings"];
|
||||||
|
verbs = ["get" "update"];
|
||||||
|
}
|
||||||
|
# Allow Dashboard to get metrics from heapster.
|
||||||
|
{
|
||||||
|
apiGroups = [""];
|
||||||
|
resources = ["services"];
|
||||||
|
resourceNames = ["heapster"];
|
||||||
|
verbs = ["proxy"];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
apiGroups = [""];
|
||||||
|
resources = ["services/proxy"];
|
||||||
|
resourceNames = ["heapster" "http:heapster:" "https:heapster:"];
|
||||||
|
verbs = ["get"];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
kubernetes-dashboard-rb = {
|
||||||
|
apiVersion = "rbac.authorization.k8s.io/v1";
|
||||||
|
kind = "RoleBinding";
|
||||||
|
metadata = {
|
||||||
|
name = "kubernetes-dashboard-minimal";
|
||||||
|
namespace = "kube-system";
|
||||||
|
inherit labels;
|
||||||
|
};
|
||||||
|
roleRef = {
|
||||||
|
apiGroup = "rbac.authorization.k8s.io";
|
||||||
|
kind = "Role";
|
||||||
|
name = "kubernetes-dashboard-minimal";
|
||||||
|
};
|
||||||
|
inherit subjects;
|
||||||
|
};
|
||||||
|
})
|
||||||
|
));
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue