From 9d97c92d68445aab986916c7214c28f824264cd9 Mon Sep 17 00:00:00 2001 From: Jaka Hudoklin Date: Fri, 1 Sep 2017 12:20:10 +0200 Subject: [PATCH] kubernetes module: webhook authorization for kubelet --- .../modules/services/cluster/kubernetes/default.nix | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix index 4ab458b78f46..3ebd2a086fd0 100644 --- a/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixos/modules/services/cluster/kubernetes/default.nix @@ -334,7 +334,7 @@ in { Api runtime configuration. See ''; - default = ""; + default = "authentication.k8s.io/v1beta1=true"; example = "api/all=false,api/v1=true"; type = types.str; }; @@ -535,6 +535,12 @@ in { type = types.nullOr types.path; }; + clientCaFile = mkOption { + description = "Kubernetes apiserver CA file for client authentication."; + default = cfg.caFile; + type = types.nullOr types.path; + }; + healthz = { bind = mkOption { description = "Kubernetes kubelet healthz listening address."; @@ -794,6 +800,11 @@ in { "--tls-cert-file=${cfg.kubelet.tlsCertFile}"} \ ${optionalString (cfg.kubelet.tlsKeyFile != null) "--tls-private-key-file=${cfg.kubelet.tlsKeyFile}"} \ + ${optionalString (cfg.kubelet.clientCaFile != null) + "--client-ca-file=${cfg.kubelet.clientCaFile}"} \ + --authentication-token-webhook \ + --authentication-token-webhook-cache-ttl="10s" \ + --authorization-mode=Webhook \ --healthz-bind-address=${cfg.kubelet.healthz.bind} \ --healthz-port=${toString cfg.kubelet.healthz.port} \ --hostname-override=${cfg.kubelet.hostname} \
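Review bot: Putting `authentication.k8s.io/v1beta1=true` into the default of a `types.str` option means any user override silently drops it — the option's own `example`, `api/all=false,api/v1=true`, would disable the TokenReview API that the kubelet's `--authentication-token-webhook` (third hunk) depends on, and every bearer-token request to the kubelet would then be rejected. The description, whose full text sits outside the hunk, should say so: `Api runtime configuration. The kubelet's token webhook requires authentication.k8s.io/v1beta1 to remain enabled; keep that entry when overriding this option.` The kubelet's `--authorization-mode=Webhook` additionally issues SubjectAccessReviews against `authorization.k8s.io/v1beta1`; if the apiserver version deployed does not enable that group by default, it needs to be added here as well (`authentication.k8s.io/v1beta1=true,authorization.k8s.io/v1beta1=true`) or the authorizer fails closed on every request.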
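Review bot: The description of `clientCaFile`, "Kubernetes apiserver CA file for client authentication.", reads as if it were the apiserver's CA, whereas the option feeds the kubelet's `--client-ca-file` (third hunk), i.e. the CA bundle the kubelet uses to verify client certificates presented to its own API on port 10250. Suggested wording: `CA bundle the kubelet uses to verify client certificates presented to its API (--client-ca-file); the apiserver's kubelet client certificate must chain to it. Defaults to the cluster CA.` Defaulting to `cfg.caFile` is sensible, but the text should make the direction of trust explicit so operators with a separate kubelet CA know which file to point at.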
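Review bot: Forcing `--authorization-mode=Webhook` together with `--client-ca-file` makes the apiserver's own access to the kubelet (logs, exec, port-forward, metrics scraping) depend on the apiserver presenting a client certificate that chains to `clientCaFile` (or a bearer token) and on that identity being granted the kubelet API via RBAC; nothing in this hunk configures `--kubelet-client-certificate`/`--kubelet-client-key` on the apiserver side, so if that is not done elsewhere in the module these calls will start failing with 401/403 after this change. The new flags are also unconditional and hard-coded, so operators who need `AlwaysAllow` during migration have no option to set; consider exposing an `authorizationMode` option with `Webhook` as default rather than a literal. Note that webhook authentication and authorization only cover the main port: unless the kubelet's read-only port is disabled elsewhere in this command line (`--read-only-port=0 \`), pod specs and node information remain readable without any authentication, and `--anonymous-auth=false \` would close the remaining unauthenticated path on 10250 as defense in depth. The surrounding ExecStart/script string starts and ends outside the hunk.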