kubernetes module: default auth mode to only RBAC

authored by Jaka Hudoklin and committed by Robin Gloster b25d1559 c2622910

+2 -83
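--- a/nixos/modules/services/cluster/kubernetes/default.nix
+++ b/nixos/modules/services/cluster/kubernetes/default.nix
@@ -115,87 +115,6 @@
 
 taints = concatMapStringsSep "," (v: "${v.key}=${v.value}:${v.effect}") (mapAttrsToList (n: v: v) cfg.kubelet.taints);
 
-defaultAuthorizationPolicy = (optionals (any (el: el == "ABAC") cfg.apiserver.authorizationMode) [
-{
-apiVersion = "abac.authorization.kubernetes.io/v1beta1";
-kind = "Policy";
-spec = {
-user = "kubecfg";
-namespace = "*";
-resource = "*";
-apiGroup = "*";
-nonResourcePath = "*";
-};
-}
-{
-apiVersion = "abac.authorization.kubernetes.io/v1beta1";
-kind = "Policy";
-spec = {
-user = "kubelet";
-namespace = "*";
-resource = "*";
-apiGroup = "*";
-nonResourcePath = "*";
-};
-}
-{
-apiVersion = "abac.authorization.kubernetes.io/v1beta1";
-kind = "Policy";
-spec = {
-user = "kube-worker";
-namespace = "*";
-resource = "*";
-apiGroup = "*";
-nonResourcePath = "*";
-};
-}
-{
-apiVersion = "abac.authorization.kubernetes.io/v1beta1";
-kind = "Policy";
-spec = {
-user = "kube_proxy";
-namespace = "*";
-resource = "*";
-apiGroup = "*";
-nonResourcePath = "*";
-};
-}
-{
-apiVersion = "abac.authorization.kubernetes.io/v1beta1";
-kind = "Policy";
-spec = {
-user = "client";
-namespace = "*";
-resource = "*";
-apiGroup = "*";
-nonResourcePath = "*";
-};
-}
-]) ++ (optionals (all (el: el != "RBAC") cfg.apiserver.authorizationMode) [
-{
-apiVersion = "abac.authorization.kubernetes.io/v1beta1";
-kind = "Policy";
-spec = {
-user = "admin";
-namespace = "*";
-resource = "*";
-apiGroup = "*";
-nonResourcePath = "*";
-};
-}
-{
-apiVersion = "abac.authorization.kubernetes.io/v1beta1";
-kind = "Policy";
-spec = {
-group = "system:serviceaccounts";
-namespace = "*";
-resource = "*";
-apiGroup = "*";
-nonResourcePath = "*";
-};
-}
-]);
-
 # needed for flannel to pass options to docker
 mkDockerOpts = pkgs.runCommand "mk-docker-opts" {
 buildInputs = [ pkgs.makeWrapper ];
@@ -370,6 +289,6 @@
 Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC). See
 <link xlink:href="http://kubernetes.io/docs/admin/authorization.html"/>
 '';
-default = ["ABAC" "RBAC"];
+default = ["RBAC"];
 type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC"]);
 };
@@ -379,6 +298,6 @@
 Kubernetes apiserver authorization policy file. See
 <link xlink:href="http://kubernetes.io/v1.0/docs/admin/authorization.html"/>
 '';
-default = defaultAuthorizationPolicy;
+default = [];
 type = types.listOf types.attrs;
 };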
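Review bot: Defaulting `authorizationPolicy` to `[]` (new line 301) leaves a user who opts back into `authorizationMode = [ "ABAC" ... ]` with a presumably empty policy file, which matches no rule and so denies every request, and nothing in the module flags that misconfiguration at evaluation time. An assertion would make the failure explicit: `{ assertion = elem "ABAC" cfg.apiserver.authorizationMode -> cfg.apiserver.authorizationPolicy != []; message = "services.kubernetes.apiserver.authorizationPolicy must not be empty when ABAC is in authorizationMode"; }`. The removed ABAC rules granted wildcard access to the kubecfg, kubelet, kube-worker, kube_proxy and client identities, and this diff shows no RBAC bindings taking their place; if none exist elsewhere in the module, those components lose API access on upgrade, so the option description or a release note should state that the default changed from `["ABAC" "RBAC"]` to `["RBAC"]`. The enclosing `let` bindings and the option set both start and end outside these hunks.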