nixos/k8s: Enable Node authorizer and NodeRestriction by default

nixos/modules/services/cluster/kubernetes/default.nix

@@ -301,8 +301,8 @@ in {
           Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC). See
           <link xlink:href="http://kubernetes.io/docs/admin/authorization.html"/>
         '';
-        default = ["RBAC"];
-        type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC"]);
+        default = ["RBAC" "Node"];
+        type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC" "Node"]);
       };
 
       authorizationPolicy = mkOption {
@@ -344,7 +344,7 @@ in {
           Kubernetes admission control plugins to use. See
           <link xlink:href="http://kubernetes.io/docs/admin/admission-controllers/"/>
         '';
-        default = ["NamespaceLifecycle" "LimitRanger" "ServiceAccount" "ResourceQuota" "DefaultStorageClass" "DefaultTolerationSeconds"];
+        default = ["NamespaceLifecycle" "LimitRanger" "ServiceAccount" "ResourceQuota" "DefaultStorageClass" "DefaultTolerationSeconds" "NodeRestriction"];
         example = [
           "NamespaceLifecycle" "NamespaceExists" "LimitRanger"
           "SecurityContextDeny" "ServiceAccount" "ResourceQuota"

nixos/tests/kubernetes/base.nix

@@ -8,7 +8,7 @@ let
   mkKubernetesBaseTest =
     { name, domain ? "my.zyx", test, machines
     , pkgs ? import <nixpkgs> { inherit system; }
-    , certs ? import ./certs.nix { inherit pkgs; externalDomain = domain; }
+    , certs ? import ./certs.nix { inherit pkgs; externalDomain = domain; kubelets = attrNames machines; }
     , extraConfiguration ? null }:
     let
       masterName = head (filter (machineName: any (role: role == "master") machines.${machineName}.roles) (attrNames machines));

nixos/tests/kubernetes/certs.nix

@@ -2,7 +2,8 @@
   pkgs ? import <nixpkgs> {},
   internalDomain ? "cloud.yourdomain.net",
   externalDomain ? "myawesomecluster.cluster.yourdomain.net",
-  serviceClusterIp ? "10.0.0.1"
+  serviceClusterIp ? "10.0.0.1",
+  kubelets
 }:
 let
   runWithCFSSL = name: cmd:
@@ -123,9 +124,10 @@ let
   };
 
   apiserver-client = {
-    kubelet = createClientCertKey {
+    kubelet = hostname: createClientCertKey {
       inherit ca;
-      cn = "apiserver-client-kubelet";
+      name = "apiserver-client-kubelet-${hostname}";
+      cn = "system:node:${hostname}.${externalDomain}";
       groups = ["system:nodes"];
     };
 
@@ -175,10 +177,9 @@ in {
     paths = [
       (writeCFSSL (noKey ca))
       (writeCFSSL kubelet)
-      (writeCFSSL apiserver-client.kubelet)
       (writeCFSSL apiserver-client.kube-proxy)
       (writeCFSSL etcd-client)
-    ];
+    ] ++ map (hostname: writeCFSSL (apiserver-client.kubelet hostname)) kubelets;
   };
 
   admin = writeCFSSL apiserver-client.admin;

nixos/tests/kubernetes/dns.nix

@@ -3,7 +3,7 @@ with import ./base.nix { inherit system; };
 let
   domain = "my.zyx";
 
-  certs = import ./certs.nix { externalDomain = domain; };
+  certs = import ./certs.nix { externalDomain = domain; kubelets = [ "machine1" "machine2" ]; };
 
   redisPod = pkgs.writeText "redis-pod.json" (builtins.toJSON {
     kind = "Pod";

nixos/tests/kubernetes/kubernetes-common.nix

@@ -29,8 +29,8 @@ let
       tlsKeyFile = "${certs.worker}/kubelet-key.pem";
       hostname = "${config.networking.hostName}.${config.networking.domain}";
       kubeconfig = {
-        certFile = "${certs.worker}/apiserver-client-kubelet.pem";
-        keyFile = "${certs.worker}/apiserver-client-kubelet-key.pem";
+        certFile = "${certs.worker}/apiserver-client-kubelet-${config.networking.hostName}.pem";
+        keyFile = "${certs.worker}/apiserver-client-kubelet-${config.networking.hostName}-key.pem";
       };
     };
     controllerManager = {