diff options
author | Thomas Kim Pham <thomas.pham@ithings.ch> | 2018-06-18 14:14:55 +0200 |
---|---|---|
committer | Robin Gloster <mail@glob.in> | 2018-06-19 22:33:57 +0200 |
commit | 1d07b0edac30d0eaa7c0f92a1e0b5ed5a22820ea (patch) | |
tree | 533fb01ccbd598862ebcf849868b34a62ed8255b /nixos | |
parent | f9ad1cae78b5fc27a5bf2f17b3f9ebf7b239b3ca (diff) |
add missing k8s Webhook authorization mode
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/cluster/kubernetes/default.nix | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix index 20f2308508c62..5e87ae88f5a88 100644 --- a/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixos/modules/services/cluster/kubernetes/default.nix @@ -332,11 +332,11 @@ in { authorizationMode = mkOption { description = '' - Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC). See + Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/Webhook/RBAC/Node). See <link xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/authorization/"/> ''; default = ["RBAC" "Node"]; - type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC" "Node"]); + type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "Webhook" "RBAC" "Node"]); }; authorizationPolicy = mkOption { @@ -348,6 +348,15 @@ in { type = types.listOf types.attrs; }; + webhookConfig = mkOption { + description = '' + Kubernetes apiserver Webhook config file. It uses the kubeconfig file format. + See <link xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/webhook/"/> + ''; + default = null; + type = types.nullOr types.path; + }; + allowPrivileged = mkOption { description = "Whether to allow privileged containers on Kubernetes."; default = true; @@ -943,6 +952,9 @@ in { (concatMapStringsSep "\n" (l: builtins.toJSON l) cfg.apiserver.authorizationPolicy) }" } \ + ${optionalString (elem "Webhook" cfg.apiserver.authorizationMode) + "--authorization-webhook-config-file=${cfg.apiserver.webhookConfig}" + } \ --secure-port=${toString cfg.apiserver.securePort} \ --service-cluster-ip-range=${cfg.apiserver.serviceClusterIpRange} \ ${optionalString (cfg.apiserver.runtimeConfig != "") |