kubernetes module: authorization improvements

This commit is contained in:
Jaka Hudoklin 2016-12-12 01:27:14 +01:00 committed by Robin Gloster
parent c3cfd92d24
commit 90d5468ad6


@ -39,12 +39,9 @@ let
}]; }];
}); });
policyFile = pkgs.writeText "kube-policy"
(concatStringsSep "\n" (map builtins.toJSON cfg.apiserver.authorizationPolicy));
cniConfig = pkgs.buildEnv { cniConfig = pkgs.buildEnv {
name = "kubernetes-cni-config"; name = "kubernetes-cni-config";
paths = imap1 (i: entry: paths = imap (i: entry:
pkgs.writeTextDir "${toString (10+i)}-${entry.type}.conf" (builtins.toJSON entry) pkgs.writeTextDir "${toString (10+i)}-${entry.type}.conf" (builtins.toJSON entry)
) cfg.kubelet.cni.config; ) cfg.kubelet.cni.config;
}; };
@ -205,23 +202,33 @@ in {
type = types.nullOr types.path; type = types.nullOr types.path;
}; };
tokenAuth = mkOption { tokenAuthFile = mkOption {
description = '' description = ''
Kubernetes apiserver token authentication file. See Kubernetes apiserver token authentication file. See
<link xlink:href="http://kubernetes.io/docs/admin/authentication.html"/> <link xlink:href="http://kubernetes.io/docs/admin/authentication.html"/>
''; '';
default = null; default = null;
example = ''token,user,uid,"group1,group2,group3"''; type = types.nullOr types.path;
type = types.nullOr types.lines; };
basicAuthFile = mkOption {
description = ''
Kubernetes apiserver basic authentication file. See
<link xlink:href="http://kubernetes.io/docs/admin/authentication.html"/>
'';
default = pkgs.writeText "users" ''
kubernetes,admin,0
'';
type = types.nullOr types.path;
}; };
authorizationMode = mkOption { authorizationMode = mkOption {
description = '' description = ''
Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC). See Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC). See
<link xlink:href="http://kubernetes.io/v1.0/docs/admin/authorization.html"/> <link xlink:href="http://kubernetes.io/docs/admin/authorization.html"/>
''; '';
default = "AlwaysAllow"; default = ["ABAC" "RBAC"];
type = types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC"]; type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC"]);
}; };
authorizationPolicy = mkOption { authorizationPolicy = mkOption {
@ -229,21 +236,72 @@ in {
Kubernetes apiserver authorization policy file. See Kubernetes apiserver authorization policy file. See
<link xlink:href="http://kubernetes.io/v1.0/docs/admin/authorization.html"/> <link xlink:href="http://kubernetes.io/v1.0/docs/admin/authorization.html"/>
''; '';
default = []; default = [
example = literalExample '' {
[ apiVersion = "abac.authorization.kubernetes.io/v1beta1";
{user = "admin";} kind = "Policy";
{user = "scheduler"; readonly = true; kind= "pods";} spec = {
{user = "scheduler"; kind = "bindings";} user = "admin";
{user = "kubelet"; readonly = true; kind = "bindings";} namespace = "*";
{user = "kubelet"; kind = "events";} resource = "*";
{user= "alice"; ns = "projectCaribou";} apiGroup = "*";
{user = "bob"; readonly = true; ns = "projectCaribou";} nonResourcePath = "*";
] };
''; }
{
apiVersion = "abac.authorization.kubernetes.io/v1beta1";
kind = "Policy";
spec = {
user = "kubecfg";
namespace = "*";
resource = "*";
apiGroup = "*";
nonResourcePath = "*";
};
}
{
apiVersion = "abac.authorization.kubernetes.io/v1beta1";
kind = "Policy";
spec = {
user = "kubelet";
namespace = "*";
resource = "*";
apiGroup = "*";
nonResourcePath = "*";
};
}
{
apiVersion = "abac.authorization.kubernetes.io/v1beta1";
kind = "Policy";
spec = {
user = "kube";
namespace = "*";
resource = "*";
apiGroup = "*";
nonResourcePath = "*";
};
}
{
apiVersion = "abac.authorization.kubernetes.io/v1beta1";
kind = "Policy";
spec = {
user = "system:serviceaccount:kube-system:default";
namespace = "*";
resource = "*";
apiGroup = "*";
nonResourcePath = "*";
};
}
];
type = types.listOf types.attrs; type = types.listOf types.attrs;
}; };
autorizationRBACSuperAdmin = mkOption {
description = "Role based authorization super admin";
default = "admin";
type = types.str;
};
allowPrivileged = mkOption { allowPrivileged = mkOption {
description = "Whether to allow privileged containers on kubernetes."; description = "Whether to allow privileged containers on kubernetes.";
default = true; default = true;
@ -261,7 +319,7 @@ in {
Api runtime configuration. See Api runtime configuration. See
<link xlink:href="http://kubernetes.io/v1.0/docs/admin/cluster-management.html"/> <link xlink:href="http://kubernetes.io/v1.0/docs/admin/cluster-management.html"/>
''; '';
default = ""; default = "rbac.authorization.k8s.io/v1alpha1";
example = "api/all=false,api/v1=true"; example = "api/all=false,api/v1=true";
type = types.str; type = types.str;
}; };
@ -654,9 +712,11 @@ in {
"--tls-cert-file=${cfg.apiserver.tlsCertFile}"} \ "--tls-cert-file=${cfg.apiserver.tlsCertFile}"} \
${optionalString (cfg.apiserver.tlsKeyFile != null) ${optionalString (cfg.apiserver.tlsKeyFile != null)
"--tls-private-key-file=${cfg.apiserver.tlsKeyFile}"} \ "--tls-private-key-file=${cfg.apiserver.tlsKeyFile}"} \
${optionalString (cfg.apiserver.tokenAuth != null) ${optionalString (cfg.apiserver.tokenAuthFile != null)
"--token-auth-file=${cfg.apiserver.tokenAuth}"} \ "--token-auth-file=${cfg.apiserver.tokenAuthFile}"} \
--kubelet-https=${boolToString cfg.apiserver.kubeletHttps} \ ${optionalString (cfg.apiserver.basicAuthFile != null)
"--basic-auth-file=${cfg.apiserver.basicAuthFile}"} \
--kubelet-https=${if cfg.apiserver.kubeletHttps then "true" else "false"} \
${optionalString (cfg.apiserver.kubeletClientCaFile != null) ${optionalString (cfg.apiserver.kubeletClientCaFile != null)
"--kubelet-certificate-authority=${cfg.apiserver.kubeletClientCaFile}"} \ "--kubelet-certificate-authority=${cfg.apiserver.kubeletClientCaFile}"} \
${optionalString (cfg.apiserver.kubeletClientCertFile != null) ${optionalString (cfg.apiserver.kubeletClientCertFile != null)
@ -665,9 +725,15 @@ in {
"--kubelet-client-key=${cfg.apiserver.kubeletClientKeyFile}"} \ "--kubelet-client-key=${cfg.apiserver.kubeletClientKeyFile}"} \
${optionalString (cfg.apiserver.clientCaFile != null) ${optionalString (cfg.apiserver.clientCaFile != null)
"--client-ca-file=${cfg.apiserver.clientCaFile}"} \ "--client-ca-file=${cfg.apiserver.clientCaFile}"} \
--authorization-mode=${cfg.apiserver.authorizationMode} \ --authorization-mode=${concatStringsSep "," cfg.apiserver.authorizationMode} \
${optionalString (cfg.apiserver.authorizationMode == "ABAC") ${optionalString (elem "ABAC" cfg.apiserver.authorizationMode)
"--authorization-policy-file=${policyFile}"} \ "--authorization-policy-file=${
pkgs.writeText "kube-auth-policy"
(concatMapStringsSep "\n" (l: builtins.toJSON l) cfg.apiserver.authorizationPolicy)
}"
} \
${optionalString (elem "RBAC" cfg.apiserver.authorizationMode)
"--authorization-rbac-super-user=${cfg.apiserver.autorizationRBACSuperAdmin}"} \
--secure-port=${toString cfg.apiserver.securePort} \ --secure-port=${toString cfg.apiserver.securePort} \
--service-cluster-ip-range=${cfg.apiserver.portalNet} \ --service-cluster-ip-range=${cfg.apiserver.portalNet} \
${optionalString (cfg.apiserver.runtimeConfig != "") ${optionalString (cfg.apiserver.runtimeConfig != "")
@ -730,8 +796,9 @@ in {
${if (cfg.controllerManager.serviceAccountKeyFile!=null) ${if (cfg.controllerManager.serviceAccountKeyFile!=null)
then "--service-account-private-key-file=${cfg.controllerManager.serviceAccountKeyFile}" then "--service-account-private-key-file=${cfg.controllerManager.serviceAccountKeyFile}"
else "--service-account-private-key-file=/var/run/kubernetes/apiserver.key"} \ else "--service-account-private-key-file=/var/run/kubernetes/apiserver.key"} \
${optionalString (cfg.controllerManager.rootCaFile!=null) ${if (cfg.controllerManager.rootCaFile!=null)
"--root-ca-file=${cfg.controllerManager.rootCaFile}"} \ then "--root-ca-file=${cfg.controllerManager.rootCaFile}"
else "--root-ca-file=/var/run/kubernetes/apiserver.crt"} \
${optionalString (cfg.controllerManager.clusterCidr!=null) ${optionalString (cfg.controllerManager.clusterCidr!=null)
"--cluster-cidr=${cfg.controllerManager.clusterCidr}"} \ "--cluster-cidr=${cfg.controllerManager.clusterCidr}"} \
--allocate-node-cidrs=true \ --allocate-node-cidrs=true \
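Review bot: The new `basicAuthFile` option in the `@ -205,23 +202,33 @@` hunk ships a non-null default, `pkgs.writeText "users" ''kubernetes,admin,0''`, which the apiserver hunk passes as `--basic-auth-file` whenever the option is non-null, so every cluster built from this module accepts a fixed, publicly known credential for the user `admin` (in the apiserver basic-auth format the first column is the password, so "kubernetes" looks like the password here). That same `admin` user is granted `*` on every namespace, resource, apiGroup and nonResourcePath by the default ABAC policy and is also the default `autorizationRBACSuperAdmin`, so the known credential is a full cluster superuser; the file also lives in the world-readable Nix store, which would be a problem for any real password a user supplied this way. I would change the default to `default = null;` and extend the description with `Note: the file is referenced by path; do not generate it with writeText, as the Nix store is world-readable.`, leaving basic auth opt-in. Separately, the option name `autorizationRBACSuperAdmin` is misspelled (missing "h"); since it is a new public option it is cheaper to rename it now than after it is in a release.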