From bd0d9343ec87dae16c5b83b800de6a80e565581f Mon Sep 17 00:00:00 2001
From: Roman Kuznetsov <roman@kuznero.com>
Date: Tue, 16 Jan 2018 17:08:34 +0100
Subject: [PATCH 1/3] kubernetes: 1.7.9 -> 1.9.1

---
 pkgs/applications/networking/cluster/kubecfg/default.nix    | 4 ++--
 pkgs/applications/networking/cluster/kubernetes/default.nix | 6 ++----
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/pkgs/applications/networking/cluster/kubecfg/default.nix b/pkgs/applications/networking/cluster/kubecfg/default.nix
index 7f17bd57c194..73a28325f52d 100644
--- a/pkgs/applications/networking/cluster/kubecfg/default.nix
+++ b/pkgs/applications/networking/cluster/kubecfg/default.nix
@@ -1,6 +1,6 @@
 { lib, buildGoPackage, fetchFromGitHub, ... }:
 
-let version = "0.5.0"; in
+let version = "0.6.0"; in
 
 buildGoPackage {
   name = "kubecfg-${version}";
@@ -9,7 +9,7 @@ buildGoPackage {
     owner = "ksonnet";
     repo = "kubecfg";
     rev = "v${version}";
-    sha256 = "1s8w133p8qkj3dr73jimajm9ddp678lw9k9symj8rjw5p35igr93";
+    sha256 = "12kv1p707kdxjx5l8rcikd1gjwp5xjxdmmyvlpnvyagrphgrwpsf";
   };
 
   goPackagePath = "github.com/ksonnet/kubecfg";
diff --git a/pkgs/applications/networking/cluster/kubernetes/default.nix b/pkgs/applications/networking/cluster/kubernetes/default.nix
index e8686ade5900..e2f431e2a5e5 100644
--- a/pkgs/applications/networking/cluster/kubernetes/default.nix
+++ b/pkgs/applications/networking/cluster/kubernetes/default.nix
@@ -8,8 +8,6 @@
     "cmd/kube-controller-manager"
     "cmd/kube-proxy"
     "plugin/cmd/kube-scheduler"
-    "federation/cmd/federation-apiserver"
-    "federation/cmd/federation-controller-manager"
     "test/e2e/e2e.test"
   ]
 }:
@@ -18,13 +16,13 @@ with lib;
 
 stdenv.mkDerivation rec {
   name = "kubernetes-${version}";
-  version = "1.7.9";
+  version = "1.9.1";
 
   src = fetchFromGitHub {
     owner = "kubernetes";
     repo = "kubernetes";
     rev = "v${version}";
-    sha256 = "0lxagvv8mysw6n0vp5vsccl87b628dgsjrf298dx2dqx7wn7zjgi";
+    sha256 = "1dmq2g138h7fsswmq4l47b44gsl9anmm3ywqyi7y48f1rkvc11mk";
   };
 
   buildInputs = [ removeReferencesTo makeWrapper which go rsync go-bindata ];

From f63604a598e9720ba82ee10686773a56e2f33d7d Mon Sep 17 00:00:00 2001
From: Roman Kuznetsov <roman@kuznero.com>
Date: Wed, 17 Jan 2018 09:01:32 +0100
Subject: [PATCH 2/3] kubernetes-dashboard (module): 1.6.3 -> 1.8.2

---
 nixos/modules/services/cluster/kubernetes/dashboard.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/cluster/kubernetes/dashboard.nix b/nixos/modules/services/cluster/kubernetes/dashboard.nix
index 75d71fccfda4..e331889b9dd5 100644
--- a/nixos/modules/services/cluster/kubernetes/dashboard.nix
+++ b/nixos/modules/services/cluster/kubernetes/dashboard.nix
@@ -6,12 +6,12 @@ let
   cfg = config.services.kubernetes.addons.dashboard;
 
   name = "gcr.io/google_containers/kubernetes-dashboard-amd64";
-	version = "v1.6.3";
+	version = "v1.8.2";
 
   image = pkgs.dockerTools.pullImage {
     imageName = name;
     imageTag = version;
-    sha256 = "1sf54d96nkgic9hir9c6p14gw24ns1k5d5a0r1sg414kjrvic0b4";
+    sha256 = "11h0fz3wxp0f10fsyqaxjm7l2qg7xws50dv5iwlck5gb1fjmajad";
   };
 in {
   options.services.kubernetes.addons.dashboard = {

From bf58890a5ae74ed64983f15f61e6aa8e7ccbe515 Mon Sep 17 00:00:00 2001
From: Sarah Brofeldt <sbrofeldt@gmail.com>
Date: Sun, 4 Feb 2018 21:23:36 +0100
Subject: [PATCH 3/3] nixos/k8s: Enable Node authorizer and NodeRestriction by
 default

---
 nixos/modules/services/cluster/kubernetes/default.nix |  6 +++---
 nixos/tests/kubernetes/base.nix                       |  2 +-
 nixos/tests/kubernetes/certs.nix                      | 11 ++++++-----
 nixos/tests/kubernetes/dns.nix                        |  2 +-
 nixos/tests/kubernetes/kubernetes-common.nix          |  4 ++--
 5 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix
index 077953e4d4f8..4a2c6f0833eb 100644
--- a/nixos/modules/services/cluster/kubernetes/default.nix
+++ b/nixos/modules/services/cluster/kubernetes/default.nix
@@ -301,8 +301,8 @@ in {
           Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC). See
           <link xlink:href="http://kubernetes.io/docs/admin/authorization.html"/>
         '';
-        default = ["RBAC"];
-        type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC"]);
+        default = ["RBAC" "Node"];
+        type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC" "Node"]);
       };
 
       authorizationPolicy = mkOption {
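Review bot: The option description on the context line above still lists the accepted modes as `(AlwaysAllow/AlwaysDeny/ABAC/RBAC)` even though the enum and the default now include `Node`; it should read `(AlwaysAllow/AlwaysDeny/ABAC/RBAC/Node)`. Upstream documents the combination as `Node,RBAC` with the Node authorizer first, since modes are consulted in order and Node is the cheap check intended to settle kubelet requests before RBAC is evaluated, so `default = ["Node" "RBAC"];` would follow that convention. Changing the default also means a system that keeps it now denies any kubelet whose client certificate is not `system:node:` followed by its node name in group `system:nodes`; that deserves a sentence in the description or a release note, and I cannot confirm from this hunk that the module's own kubelet certificate settings (outside the hunk) satisfy it. The enclosing `authorizationMode` option starts before the hunk.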
@@ -344,7 +344,7 @@ in {
           Kubernetes admission control plugins to use. See
           <link xlink:href="http://kubernetes.io/docs/admin/admission-controllers/"/>
         '';
-        default = ["NamespaceLifecycle" "LimitRanger" "ServiceAccount" "ResourceQuota" "DefaultStorageClass" "DefaultTolerationSeconds"];
+        default = ["NamespaceLifecycle" "LimitRanger" "ServiceAccount" "ResourceQuota" "DefaultStorageClass" "DefaultTolerationSeconds" "NodeRestriction"];
         example = [
           "NamespaceLifecycle" "NamespaceExists" "LimitRanger"
           "SecurityContextDeny" "ServiceAccount" "ResourceQuota"
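Review bot: `NodeRestriction` only constrains a request whose user is `system:node:` plus a node name in group `system:nodes`, limiting it to that node's own Node and Pod objects; a kubelet presenting any other identity is not limited by it, so the plugin is only as strong as the per-node credentials it assumes. Neither the description (`Kubernetes admission control plugins to use.`) nor the `example` list below records the new default or that dependency. I would add `"NodeRestriction"` to the example list and one sentence to the description saying the plugin takes effect only when kubelets authenticate with their per-node identity, as the Node authorizer in this module's default now requires. The `example` list continues past the hunk.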
diff --git a/nixos/tests/kubernetes/base.nix b/nixos/tests/kubernetes/base.nix
index acf2e0250819..282391a496c2 100644
--- a/nixos/tests/kubernetes/base.nix
+++ b/nixos/tests/kubernetes/base.nix
@@ -8,7 +8,7 @@ let
   mkKubernetesBaseTest =
     { name, domain ? "my.zyx", test, machines
     , pkgs ? import <nixpkgs> { inherit system; }
-    , certs ? import ./certs.nix { inherit pkgs; externalDomain = domain; }
+    , certs ? import ./certs.nix { inherit pkgs; externalDomain = domain; kubelets = attrNames machines; }
     , extraConfiguration ? null }:
     let
       masterName = head (filter (machineName: any (role: role == "master") machines.${machineName}.roles) (attrNames machines));
diff --git a/nixos/tests/kubernetes/certs.nix b/nixos/tests/kubernetes/certs.nix
index f108e35b98cd..d3eff910c467 100644
--- a/nixos/tests/kubernetes/certs.nix
+++ b/nixos/tests/kubernetes/certs.nix
@@ -2,7 +2,8 @@
   pkgs ? import <nixpkgs> {},
   internalDomain ? "cloud.yourdomain.net",
   externalDomain ? "myawesomecluster.cluster.yourdomain.net",
-  serviceClusterIp ? "10.0.0.1"
+  serviceClusterIp ? "10.0.0.1",
+  kubelets
 }:
 let
   runWithCFSSL = name: cmd:
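Review bot: `kubelets` is the only argument of this function without a default and carries no explanation, and a caller that omits it gets a generic "called without required argument" error. A comment on the new line, `kubelets # host names of every kubelet; one apiserver client cert is issued per entry`, would tell the next test author what to pass and why it is mandatory.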
@@ -123,9 +124,10 @@ let
   };
 
   apiserver-client = {
-    kubelet = createClientCertKey {
+    kubelet = hostname: createClientCertKey {
       inherit ca;
-      cn = "apiserver-client-kubelet";
+      name = "apiserver-client-kubelet-${hostname}";
+      cn = "system:node:${hostname}.${externalDomain}";
       groups = ["system:nodes"];
     };
 
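Review bot: The CN `system:node:${hostname}.${externalDomain}` must match, byte for byte, the node name the kubelet registers with, or the Node authorizer and NodeRestriction deny that kubelet; in the kubernetes-common.nix hunk the kubelet's `hostname` is built from `config.networking.hostName` and `config.networking.domain`, so the two only agree while `externalDomain` equals the machines' `networking.domain`. A comment above the `cn = ...` line, `# must equal the kubelet's registered node name (hostName.domain); the Node authorizer keys on it`, would record that coupling, which also governs the per-host file names in the kubernetes-common.nix hunk. The `name = ...` attribute is new here and `createClientCertKey` is defined outside the hunk, so I am assuming it accepts `name` and uses it as the output file name; that is worth confirming because kubernetes-common.nix reads `apiserver-client-kubelet-${config.networking.hostName}.pem`. The enclosing `apiserver-client` set continues past the hunk.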
@@ -175,10 +177,9 @@ in {
     paths = [
       (writeCFSSL (noKey ca))
       (writeCFSSL kubelet)
-      (writeCFSSL apiserver-client.kubelet)
       (writeCFSSL apiserver-client.kube-proxy)
       (writeCFSSL etcd-client)
-    ];
+    ] ++ map (hostname: writeCFSSL (apiserver-client.kubelet hostname)) kubelets;
   };
 
   admin = writeCFSSL apiserver-client.admin;
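Review bot: Every kubelet's client certificate and key now lands in this one bundle via `] ++ map (hostname: writeCFSSL (apiserver-client.kubelet hostname)) kubelets;`, and kubernetes-common.nix reads its per-node file out of `certs.worker`, which suggests this is the bundle every worker receives. Giving each node every other node's key undoes the isolation the Node authorizer and NodeRestriction are meant to provide, since a node holding another node's key can act under that node's identity; that is acceptable for a test fixture, but a comment such as `# test-only: all kubelet keys are bundled together; a real cluster issues each node only its own` would keep the pattern from being copied into a deployment. The attribute this list belongs to begins before the hunk, so the `worker` name is inferred.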
diff --git a/nixos/tests/kubernetes/dns.nix b/nixos/tests/kubernetes/dns.nix
index 74d98dabec8d..8c488d271bcd 100644
--- a/nixos/tests/kubernetes/dns.nix
+++ b/nixos/tests/kubernetes/dns.nix
@@ -3,7 +3,7 @@ with import ./base.nix { inherit system; };
 let
   domain = "my.zyx";
 
-  certs = import ./certs.nix { externalDomain = domain; };
+  certs = import ./certs.nix { externalDomain = domain; kubelets = [ "machine1" "machine2" ]; };
 
   redisPod = pkgs.writeText "redis-pod.json" (builtins.toJSON {
     kind = "Pod";
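Review bot: The kubelet names `[ "machine1" "machine2" ]` are hard-coded here while base.nix derives the same list with `attrNames machines`; if a machine in this test is renamed or added, that node gets no certificate, the Node authorizer rejects its kubelet, and the failure shows up only as a test timeout. If the machines set is in scope at this point (its definition is outside the hunk), derive the list the same way, `certs = import ./certs.nix { externalDomain = domain; kubelets = attrNames machines; };`; otherwise add `# must name every kubelet host defined below; keep in sync` beside the literal.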
diff --git a/nixos/tests/kubernetes/kubernetes-common.nix b/nixos/tests/kubernetes/kubernetes-common.nix
index 00a5c9aba4e3..ddf427e1b01a 100644
--- a/nixos/tests/kubernetes/kubernetes-common.nix
+++ b/nixos/tests/kubernetes/kubernetes-common.nix
@@ -29,8 +29,8 @@ let
       tlsKeyFile = "${certs.worker}/kubelet-key.pem";
       hostname = "${config.networking.hostName}.${config.networking.domain}";
       kubeconfig = {
-        certFile = "${certs.worker}/apiserver-client-kubelet.pem";
-        keyFile = "${certs.worker}/apiserver-client-kubelet-key.pem";
+        certFile = "${certs.worker}/apiserver-client-kubelet-${config.networking.hostName}.pem";
+        keyFile = "${certs.worker}/apiserver-client-kubelet-${config.networking.hostName}-key.pem";
       };
     };
     controllerManager = {