kubernetes module: webhook authorization for kubelet

Jaka Hudoklin 2017-09-01 12:20:10 +02:00 committed by Robin Gloster
parent 7c893623d4
commit 9d97c92d68


@ -334,7 +334,7 @@ in {
Api runtime configuration. See Api runtime configuration. See
<link xlink:href="http://kubernetes.io/docs/admin/cluster-management.html"/> <link xlink:href="http://kubernetes.io/docs/admin/cluster-management.html"/>
''; '';
default = ""; default = "authentication.k8s.io/v1beta1=true";
example = "api/all=false,api/v1=true"; example = "api/all=false,api/v1=true";
type = types.str; type = types.str;
}; };
@ -535,6 +535,12 @@ in {
type = types.nullOr types.path; type = types.nullOr types.path;
}; };
clientCaFile = mkOption {
description = "Kubernetes apiserver CA file for client authentication.";
default = cfg.caFile;
type = types.nullOr types.path;
};
healthz = { healthz = {
bind = mkOption { bind = mkOption {
description = "Kubernetes kubelet healthz listening address."; description = "Kubernetes kubelet healthz listening address.";
@ -794,6 +800,11 @@ in {
"--tls-cert-file=${cfg.kubelet.tlsCertFile}"} \ "--tls-cert-file=${cfg.kubelet.tlsCertFile}"} \
${optionalString (cfg.kubelet.tlsKeyFile != null) ${optionalString (cfg.kubelet.tlsKeyFile != null)
"--tls-private-key-file=${cfg.kubelet.tlsKeyFile}"} \ "--tls-private-key-file=${cfg.kubelet.tlsKeyFile}"} \
${optionalString (cfg.kubelet.clientCaFile != null)
"--client-ca-file=${cfg.kubelet.clientCaFile}"} \
--authentication-token-webhook \
--authentication-token-webhook-cache-ttl="10s" \
--authorization-mode=Webhook \
--healthz-bind-address=${cfg.kubelet.healthz.bind} \ --healthz-bind-address=${cfg.kubelet.healthz.bind} \
--healthz-port=${toString cfg.kubelet.healthz.port} \ --healthz-port=${toString cfg.kubelet.healthz.port} \
--hostname-override=${cfg.kubelet.hostname} \ --hostname-override=${cfg.kubelet.hostname} \
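Review bot: The kubelet flags added after `--client-ca-file` in the last hunk turn on webhook token authentication and `--authorization-mode=Webhook` but leave anonymous authentication at the kubelet's default, so unauthenticated requests are still admitted as `system:anonymous` and only the apiserver's authorization policy stands between them and the kubelet API. Adding `--anonymous-auth=false \` next to `--authentication-token-webhook \` would reject them at the kubelet itself. The new `runtimeConfig` default in the first hunk enables only `authentication.k8s.io/v1beta1`, while Webhook authorization relies on SubjectAccessReview from the `authorization.k8s.io` group; if that group is not on by default in the targeted Kubernetes version it should be listed as well, and a user who sets `runtimeConfig` replaces this default string entirely, which the option description should mention. The webhook flags are also unconditional, so with `clientCaFile = null` the kubelet runs without x509 client authentication but with Webhook authorization still enforced; a sentence on that in the `clientCaFile` description would help operators.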