Merge pull request #33954 from kuznero/pr/kubernetes

kubernetes: 1.7.9 -> 1.9.1

authored by Tim Steinbach and committed by GitHub 87559028 b2f39f97

+19 -20
+2 -2
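--- a/nixos/modules/services/cluster/kubernetes/dashboard.nix
+++ b/nixos/modules/services/cluster/kubernetes/dashboard.nix
@@ -6,12 +6,12 @@
 cfg = config.services.kubernetes.addons.dashboard;
 
 name = "gcr.io/google_containers/kubernetes-dashboard-amd64";
-version = "v1.6.3";
+version = "v1.8.2";
 
 image = pkgs.dockerTools.pullImage {
 imageName = name;
 imageTag = version;
-sha256 = "1sf54d96nkgic9hir9c6p14gw24ns1k5d5a0r1sg414kjrvic0b4";
+sha256 = "11h0fz3wxp0f10fsyqaxjm7l2qg7xws50dv5iwlck5gb1fjmajad";
 };
 in {
 options.services.kubernetes.addons.dashboard = {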
+3 -3
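--- a/nixos/modules/services/cluster/kubernetes/default.nix
+++ b/nixos/modules/services/cluster/kubernetes/default.nix
@@ -301,8 +301,8 @@
 Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC). See
 <link xlink:href="http://kubernetes.io/docs/admin/authorization.html"/>
 '';
-default = ["RBAC"];
-type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC"]);
+default = ["RBAC" "Node"];
+type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC" "Node"]);
 };
 
 authorizationPolicy = mkOption {
@@ -344,7 +344,7 @@
 Kubernetes admission control plugins to use. See
 <link xlink:href="http://kubernetes.io/docs/admin/admission-controllers/"/>
 '';
-default = ["NamespaceLifecycle" "LimitRanger" "ServiceAccount" "ResourceQuota" "DefaultStorageClass" "DefaultTolerationSeconds"];
+default = ["NamespaceLifecycle" "LimitRanger" "ServiceAccount" "ResourceQuota" "DefaultStorageClass" "DefaultTolerationSeconds" "NodeRestriction"];
 example = [
 "NamespaceLifecycle" "NamespaceExists" "LimitRanger"
 "SecurityContextDeny" "ServiceAccount" "ResourceQuota"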
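Review bot: The option description at line 301 still lists only `AlwaysAllow/AlwaysDeny/ABAC/RBAC`, so the new `Node` value and the changed default are undocumented for module users. I would change it to `(AlwaysAllow/AlwaysDeny/ABAC/RBAC/Node)` and add a sentence saying that `Node` only authorizes kubelets whose client certificate has CN `system:node:<nodeName>` and group `system:nodes`. The `NodeRestriction` default added in the second hunk relies on the same identity, so existing clusters whose kubelets use a shared or differently named client certificate may lose API access after upgrading; that deserves a release-note entry. Both option definitions start and end outside the hunks.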
+1 -1
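--- a/nixos/tests/kubernetes/base.nix
+++ b/nixos/tests/kubernetes/base.nix
@@ -7,7 +7,7 @@
 mkKubernetesBaseTest =
 { name, domain ? "my.zyx", test, machines
 , pkgs ? import <nixpkgs> { inherit system; }
-, certs ? import ./certs.nix { inherit pkgs; externalDomain = domain; }
+, certs ? import ./certs.nix { inherit pkgs; externalDomain = domain; kubelets = attrNames machines; }
 , extraConfiguration ? null }:
 let
 masterName = head (filter (machineName: any (role: role == "master") machines.${machineName}.roles) (attrNames machines));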
+6 -5
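--- a/nixos/tests/kubernetes/certs.nix
+++ b/nixos/tests/kubernetes/certs.nix
@@ -2,7 +2,8 @@
 pkgs ? import <nixpkgs> {},
 internalDomain ? "cloud.yourdomain.net",
 externalDomain ? "myawesomecluster.cluster.yourdomain.net",
-serviceClusterIp ? "10.0.0.1"
+serviceClusterIp ? "10.0.0.1",
+kubelets
 }:
 let
 runWithCFSSL = name: cmd:
@@ -123,9 +124,10 @@
 };
 
 apiserver-client = {
-kubelet = createClientCertKey {
+kubelet = hostname: createClientCertKey {
 inherit ca;
-cn = "apiserver-client-kubelet";
+name = "apiserver-client-kubelet-${hostname}";
+cn = "system:node:${hostname}.${externalDomain}";
 groups = ["system:nodes"];
 };
 
@@ -175,10 +177,9 @@
 paths = [
 (writeCFSSL (noKey ca))
 (writeCFSSL kubelet)
-(writeCFSSL apiserver-client.kubelet)
 (writeCFSSL apiserver-client.kube-proxy)
 (writeCFSSL etcd-client)
-];
+] ++ map (hostname: writeCFSSL (apiserver-client.kubelet hostname)) kubelets;
 };
 
 admin = writeCFSSL apiserver-client.admin;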
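Review bot: The third hunk appends every node's client certificate and key to a single `paths` list, which looks like the shared worker bundle (kubernetes-common.nix reads the key from `certs.worker`), so each worker still holds the keys of all other nodes. That undoes the per-node identity that the new `system:node:${hostname}.${externalDomain}` CN and `NodeRestriction` are meant to enforce, because any one worker can present another node's credentials. This is tolerable in a VM test, but a comment such as `# test only: all node keys share one bundle; production nodes must receive only their own key` would stop the layout being copied into real deployments. The enclosing attribute set starts outside the hunk.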
+1 -1
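--- a/nixos/tests/kubernetes/dns.nix
+++ b/nixos/tests/kubernetes/dns.nix
@@ -3,7 +3,7 @@
 let
 domain = "my.zyx";
 
-certs = import ./certs.nix { externalDomain = domain; };
+certs = import ./certs.nix { externalDomain = domain; kubelets = [ "machine1" "machine2" ]; };
 
 redisPod = pkgs.writeText "redis-pod.json" (builtins.toJSON {
 kind = "Pod";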
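Review bot: The hard-coded `kubelets = [ "machine1" "machine2" ]` duplicates the machine names, which are presumably defined further down in this file, whereas base.nix derives the same list with `attrNames machines`. If a machine is added or renamed, its kubelet client certificate will not be generated and that node will fail to authenticate against the apiserver. Deriving the list from the machines set, or at least adding `# must match the machine names used in this test`, would keep the two in sync.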
+2 -2
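--- a/nixos/tests/kubernetes/kubernetes-common.nix
+++ b/nixos/tests/kubernetes/kubernetes-common.nix
@@ -29,8 +29,8 @@
 tlsKeyFile = "${certs.worker}/kubelet-key.pem";
 hostname = "${config.networking.hostName}.${config.networking.domain}";
 kubeconfig = {
-certFile = "${certs.worker}/apiserver-client-kubelet.pem";
-keyFile = "${certs.worker}/apiserver-client-kubelet-key.pem";
+certFile = "${certs.worker}/apiserver-client-kubelet-${config.networking.hostName}.pem";
+keyFile = "${certs.worker}/apiserver-client-kubelet-${config.networking.hostName}-key.pem";
 };
 };
 controllerManager = {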
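Review bot: The certificate is selected by `config.networking.hostName`, but its CN is built in certs.nix as `system:node:${hostname}.${externalDomain}` while the kubelet registers as `${config.networking.hostName}.${config.networking.domain}` (line 30). The Node authorizer accepts the kubelet only when those two names are identical, so the test depends on `networking.domain` equalling `externalDomain`, and nothing in the visible lines enforces that. A comment above `kubeconfig` such as `# CN in certs.nix must equal kubelet.hostname (hostName.domain) for Node authorization` would make the coupling explicit. The kubelet attribute set starts outside the hunk.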
+2 -2
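--- a/pkgs/applications/networking/cluster/kubecfg/default.nix
+++ b/pkgs/applications/networking/cluster/kubecfg/default.nix
@@ -1,6 +1,6 @@
 { lib, buildGoPackage, fetchFromGitHub, ... }:
 
-let version = "0.5.0"; in
+let version = "0.6.0"; in
 
 buildGoPackage {
 name = "kubecfg-${version}";
@@ -9,7 +9,7 @@
 owner = "ksonnet";
 repo = "kubecfg";
 rev = "v${version}";
-sha256 = "1s8w133p8qkj3dr73jimajm9ddp678lw9k9symj8rjw5p35igr93";
+sha256 = "12kv1p707kdxjx5l8rcikd1gjwp5xjxdmmyvlpnvyagrphgrwpsf";
 };
 
 goPackagePath = "github.com/ksonnet/kubecfg";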
+2 -4
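--- a/pkgs/applications/networking/cluster/kubernetes/default.nix
+++ b/pkgs/applications/networking/cluster/kubernetes/default.nix
@@ -8,8 +8,6 @@
 "cmd/kube-controller-manager"
 "cmd/kube-proxy"
 "plugin/cmd/kube-scheduler"
-"federation/cmd/federation-apiserver"
-"federation/cmd/federation-controller-manager"
 "test/e2e/e2e.test"
 ]
 }:
@@ -18,13 +16,13 @@
 
 stdenv.mkDerivation rec {
 name = "kubernetes-${version}";
-version = "1.7.9";
+version = "1.9.1";
 
 src = fetchFromGitHub {
 owner = "kubernetes";
 repo = "kubernetes";
 rev = "v${version}";
-sha256 = "0lxagvv8mysw6n0vp5vsccl87b628dgsjrf298dx2dqx7wn7zjgi";
+sha256 = "1dmq2g138h7fsswmq4l47b44gsl9anmm3ywqyi7y48f1rkvc11mk";
 };
 
 buildInputs = [ removeReferencesTo makeWrapper which go rsync go-bindata ];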