Merge pull request #33954 from kuznero/pr/kubernetes
kubernetes: 1.7.9 -> 1.9.1
commit
87559028ef
nixos
modules/services/cluster/kubernetes
tests/kubernetes
pkgs/applications/networking/cluster
|
@ -6,12 +6,12 @@ let
|
||||||
cfg = config.services.kubernetes.addons.dashboard;
|
cfg = config.services.kubernetes.addons.dashboard;
|
||||||
|
|
||||||
name = "gcr.io/google_containers/kubernetes-dashboard-amd64";
|
name = "gcr.io/google_containers/kubernetes-dashboard-amd64";
|
||||||
version = "v1.6.3";
|
version = "v1.8.2";
|
||||||
|
|
||||||
image = pkgs.dockerTools.pullImage {
|
image = pkgs.dockerTools.pullImage {
|
||||||
imageName = name;
|
imageName = name;
|
||||||
imageTag = version;
|
imageTag = version;
|
||||||
sha256 = "1sf54d96nkgic9hir9c6p14gw24ns1k5d5a0r1sg414kjrvic0b4";
|
sha256 = "11h0fz3wxp0f10fsyqaxjm7l2qg7xws50dv5iwlck5gb1fjmajad";
|
||||||
};
|
};
|
||||||
in {
|
in {
|
||||||
options.services.kubernetes.addons.dashboard = {
|
options.services.kubernetes.addons.dashboard = {
|
||||||
|
|
|
@ -301,8 +301,8 @@ in {
|
||||||
Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC). See
|
Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC). See
|
||||||
<link xlink:href="http://kubernetes.io/docs/admin/authorization.html"/>
|
<link xlink:href="http://kubernetes.io/docs/admin/authorization.html"/>
|
||||||
'';
|
'';
|
||||||
default = ["RBAC"];
|
default = ["RBAC" "Node"];
|
||||||
type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC"]);
|
type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC" "Node"]);
|
||||||
};
|
};
|
||||||
|
|
||||||
authorizationPolicy = mkOption {
|
authorizationPolicy = mkOption {
|
||||||
|
@ -344,7 +344,7 @@ in {
|
||||||
Kubernetes admission control plugins to use. See
|
Kubernetes admission control plugins to use. See
|
||||||
<link xlink:href="http://kubernetes.io/docs/admin/admission-controllers/"/>
|
<link xlink:href="http://kubernetes.io/docs/admin/admission-controllers/"/>
|
||||||
'';
|
'';
|
||||||
default = ["NamespaceLifecycle" "LimitRanger" "ServiceAccount" "ResourceQuota" "DefaultStorageClass" "DefaultTolerationSeconds"];
|
default = ["NamespaceLifecycle" "LimitRanger" "ServiceAccount" "ResourceQuota" "DefaultStorageClass" "DefaultTolerationSeconds" "NodeRestriction"];
|
||||||
example = [
|
example = [
|
||||||
"NamespaceLifecycle" "NamespaceExists" "LimitRanger"
|
"NamespaceLifecycle" "NamespaceExists" "LimitRanger"
|
||||||
"SecurityContextDeny" "ServiceAccount" "ResourceQuota"
|
"SecurityContextDeny" "ServiceAccount" "ResourceQuota"
|
||||||
|
|
|
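Review bot: The option description above the new authorization default still reads `(AlwaysAllow/AlwaysDeny/ABAC/RBAC)` and omits `Node`, although both the enum and the default now include it. The text should list `Node` and say that it is meant to be used together with the `NodeRestriction` admission plugin that the next hunk adds to the defaults. The Node authorizer only recognises kubelets whose credentials carry the group `system:nodes` and a user name of the form `system:node:<nodeName>`, so existing deployments with differently named kubelet client certificates will presumably lose API access once this default applies; that deserves a sentence in the description or the release notes. On clusters carried over from 1.7 it is also worth checking whether an RBAC binding of `system:nodes` to the `system:node` role is still present, because RBAC would then keep granting the broad node permissions that `Node` is meant to narrow. Both option definitions start and end outside the visible hunks.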
@ -7,7 +7,7 @@ let
|
||||||
mkKubernetesBaseTest =
|
mkKubernetesBaseTest =
|
||||||
{ name, domain ? "my.zyx", test, machines
|
{ name, domain ? "my.zyx", test, machines
|
||||||
, pkgs ? import <nixpkgs> { inherit system; }
|
, pkgs ? import <nixpkgs> { inherit system; }
|
||||||
, certs ? import ./certs.nix { inherit pkgs; externalDomain = domain; }
|
, certs ? import ./certs.nix { inherit pkgs; externalDomain = domain; kubelets = attrNames machines; }
|
||||||
, extraConfiguration ? null }:
|
, extraConfiguration ? null }:
|
||||||
let
|
let
|
||||||
masterName = head (filter (machineName: any (role: role == "master") machines.${machineName}.roles) (attrNames machines));
|
masterName = head (filter (machineName: any (role: role == "master") machines.${machineName}.roles) (attrNames machines));
|
||||||
|
|
|
@ -2,7 +2,8 @@
|
||||||
pkgs ? import <nixpkgs> {},
|
pkgs ? import <nixpkgs> {},
|
||||||
internalDomain ? "cloud.yourdomain.net",
|
internalDomain ? "cloud.yourdomain.net",
|
||||||
externalDomain ? "myawesomecluster.cluster.yourdomain.net",
|
externalDomain ? "myawesomecluster.cluster.yourdomain.net",
|
||||||
serviceClusterIp ? "10.0.0.1"
|
serviceClusterIp ? "10.0.0.1",
|
||||||
|
kubelets
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
runWithCFSSL = name: cmd:
|
runWithCFSSL = name: cmd:
|
||||||
|
@ -123,9 +124,10 @@ let
|
||||||
};
|
};
|
||||||
|
|
||||||
apiserver-client = {
|
apiserver-client = {
|
||||||
kubelet = createClientCertKey {
|
kubelet = hostname: createClientCertKey {
|
||||||
inherit ca;
|
inherit ca;
|
||||||
cn = "apiserver-client-kubelet";
|
name = "apiserver-client-kubelet-${hostname}";
|
||||||
|
cn = "system:node:${hostname}.${externalDomain}";
|
||||||
groups = ["system:nodes"];
|
groups = ["system:nodes"];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -175,10 +177,9 @@ in {
|
||||||
paths = [
|
paths = [
|
||||||
(writeCFSSL (noKey ca))
|
(writeCFSSL (noKey ca))
|
||||||
(writeCFSSL kubelet)
|
(writeCFSSL kubelet)
|
||||||
(writeCFSSL apiserver-client.kubelet)
|
|
||||||
(writeCFSSL apiserver-client.kube-proxy)
|
(writeCFSSL apiserver-client.kube-proxy)
|
||||||
(writeCFSSL etcd-client)
|
(writeCFSSL etcd-client)
|
||||||
];
|
] ++ map (hostname: writeCFSSL (apiserver-client.kubelet hostname)) kubelets;
|
||||||
};
|
};
|
||||||
|
|
||||||
admin = writeCFSSL apiserver-client.admin;
|
admin = writeCFSSL apiserver-client.admin;
|
||||||
|
|
|
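Review bot: In the `paths` list of the last hunk, `++ map (hostname: writeCFSSL (apiserver-client.kubelet hostname)) kubelets` places every node's client certificate and private key in the same bundle (apparently `certs.worker`, judging by the paths the kubelet configuration reads). Any machine that receives that bundle therefore holds the credentials of every other `system:node:<name>` identity, which removes the per-node separation that the Node authorizer and NodeRestriction depend on. That is tolerable for a test fixture but should be stated next to the list, e.g. `# test only: all kubelet keys share one store path; a real deployment must give each node only its own key`. Separately, `kubelets` is added to the argument set without a default, so any caller of certs.nix not updated in this commit will fail to evaluate; `kubelets ? []` would keep the interface backward-compatible. The enclosing attribute sets start outside the hunks.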
@ -3,7 +3,7 @@ with import ./base.nix { inherit system; };
|
||||||
let
|
let
|
||||||
domain = "my.zyx";
|
domain = "my.zyx";
|
||||||
|
|
||||||
certs = import ./certs.nix { externalDomain = domain; };
|
certs = import ./certs.nix { externalDomain = domain; kubelets = [ "machine1" "machine2" ]; };
|
||||||
|
|
||||||
redisPod = pkgs.writeText "redis-pod.json" (builtins.toJSON {
|
redisPod = pkgs.writeText "redis-pod.json" (builtins.toJSON {
|
||||||
kind = "Pod";
|
kind = "Pod";
|
||||||
|
|
|
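Review bot: The hard-coded `kubelets = [ "machine1" "machine2" ]` duplicates machine names that are defined outside this hunk, whereas base.nix derives the same list with `attrNames machines`. If the two drift apart, the kubelet configuration will point at an `apiserver-client-kubelet-<hostName>.pem` file that was never generated, and the failure will presumably only show up when the node tries to authenticate. Deriving the list from the machine set used by this test, or adding a comment such as `# must match the machine names of this test`, would avoid that.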
@ -29,8 +29,8 @@ let
|
||||||
tlsKeyFile = "${certs.worker}/kubelet-key.pem";
|
tlsKeyFile = "${certs.worker}/kubelet-key.pem";
|
||||||
hostname = "${config.networking.hostName}.${config.networking.domain}";
|
hostname = "${config.networking.hostName}.${config.networking.domain}";
|
||||||
kubeconfig = {
|
kubeconfig = {
|
||||||
certFile = "${certs.worker}/apiserver-client-kubelet.pem";
|
certFile = "${certs.worker}/apiserver-client-kubelet-${config.networking.hostName}.pem";
|
||||||
keyFile = "${certs.worker}/apiserver-client-kubelet-key.pem";
|
keyFile = "${certs.worker}/apiserver-client-kubelet-${config.networking.hostName}-key.pem";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
controllerManager = {
|
controllerManager = {
|
||||||
|
|
|
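Review bot: Nothing here ties the node name the kubelet registers with to the CN of the certificate selected in `kubeconfig`. The file name is built from `config.networking.hostName`, the kubelet's `hostname` is `"${config.networking.hostName}.${config.networking.domain}"`, and certs.nix generates the CN as `system:node:${hostname}.${externalDomain}`. These agree only while `config.networking.domain` equals the `externalDomain` passed to certs.nix; if they differ, the Node authorizer will presumably refuse the kubelet because its user name no longer matches its node name. A comment beside `kubeconfig`, e.g. `# CN in certs.nix must be system:node:<hostname above>, i.e. networking.domain == externalDomain`, would make the dependency explicit. The surrounding kubelet attribute set starts outside the hunk.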
@ -1,6 +1,6 @@
|
||||||
{ lib, buildGoPackage, fetchFromGitHub, ... }:
|
{ lib, buildGoPackage, fetchFromGitHub, ... }:
|
||||||
|
|
||||||
let version = "0.5.0"; in
|
let version = "0.6.0"; in
|
||||||
|
|
||||||
buildGoPackage {
|
buildGoPackage {
|
||||||
name = "kubecfg-${version}";
|
name = "kubecfg-${version}";
|
||||||
|
@ -9,7 +9,7 @@ buildGoPackage {
|
||||||
owner = "ksonnet";
|
owner = "ksonnet";
|
||||||
repo = "kubecfg";
|
repo = "kubecfg";
|
||||||
rev = "v${version}";
|
rev = "v${version}";
|
||||||
sha256 = "1s8w133p8qkj3dr73jimajm9ddp678lw9k9symj8rjw5p35igr93";
|
sha256 = "12kv1p707kdxjx5l8rcikd1gjwp5xjxdmmyvlpnvyagrphgrwpsf";
|
||||||
};
|
};
|
||||||
|
|
||||||
goPackagePath = "github.com/ksonnet/kubecfg";
|
goPackagePath = "github.com/ksonnet/kubecfg";
|
||||||
|
|
|
@ -8,8 +8,6 @@
|
||||||
"cmd/kube-controller-manager"
|
"cmd/kube-controller-manager"
|
||||||
"cmd/kube-proxy"
|
"cmd/kube-proxy"
|
||||||
"plugin/cmd/kube-scheduler"
|
"plugin/cmd/kube-scheduler"
|
||||||
"federation/cmd/federation-apiserver"
|
|
||||||
"federation/cmd/federation-controller-manager"
|
|
||||||
"test/e2e/e2e.test"
|
"test/e2e/e2e.test"
|
||||||
]
|
]
|
||||||
}:
|
}:
|
||||||
|
@ -18,13 +16,13 @@ with lib;
|
||||||
|
|
||||||
stdenv.mkDerivation rec {
|
stdenv.mkDerivation rec {
|
||||||
name = "kubernetes-${version}";
|
name = "kubernetes-${version}";
|
||||||
version = "1.7.9";
|
version = "1.9.1";
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
src = fetchFromGitHub {
|
||||||
owner = "kubernetes";
|
owner = "kubernetes";
|
||||||
repo = "kubernetes";
|
repo = "kubernetes";
|
||||||
rev = "v${version}";
|
rev = "v${version}";
|
||||||
sha256 = "0lxagvv8mysw6n0vp5vsccl87b628dgsjrf298dx2dqx7wn7zjgi";
|
sha256 = "1dmq2g138h7fsswmq4l47b44gsl9anmm3ywqyi7y48f1rkvc11mk";
|
||||||
};
|
};
|
||||||
|
|
||||||
buildInputs = [ removeReferencesTo makeWrapper which go rsync go-bindata ];
|
buildInputs = [ removeReferencesTo makeWrapper which go rsync go-bindata ];
|
||||||
|
|