authorJaka Hudoklin <jakahudoklin@gmail.com>2017-09-01 12:20:10 +0200
committerRobin Gloster <mail@glob.in>2017-09-24 11:44:25 +0200
commit9d97c92d68445aab986916c7214c28f824264cd9 (patch)
treec3ddea39465c28a5a074c9559fd7493a9245cce8 /nixos
parent7c893623d4f8f540c88a089e5579a813280ff511 (diff)
kubernetes module: webhook authorization for kubelet
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/cluster/kubernetes/default.nix13
1 files changed, 12 insertions, 1 deletions
diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix
index 4ab458b78f46e..3ebd2a086fd0d 100644
--- a/nixos/modules/services/cluster/kubernetes/default.nix
+++ b/nixos/modules/services/cluster/kubernetes/default.nix
@@ -334,7 +334,7 @@ in {
           Api runtime configuration. See
           <link xlink:href="http://kubernetes.io/docs/admin/cluster-management.html"/>
         '';
-        default = "";
+        default = "authentication.k8s.io/v1beta1=true";
         example = "api/all=false,api/v1=true";
         type = types.str;
       };
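Review bot: The new default at L25 is load-bearing for the kubelet change in the same commit, but nothing in the option tells the user that: anyone who sets runtimeConfig themselves (for instance to the `example` value at L26) silently drops `authentication.k8s.io/v1beta1=true` and the kubelet's token webhook will then have no TokenReview API to call. The description at L21-L23 should say so, e.g. append `The default enables the authentication API the kubelet's webhook token authentication depends on; keep it when overriding this value.` to the description text. If the targeted Kubernetes version does not enable `authorization.k8s.io/v1beta1` by default, the kubelet's `--authorization-mode=Webhook` (SubjectAccessReview) needs the same treatment, but that cannot be confirmed from the diff. The enclosing mkOption starts before the hunk.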
@@ -535,6 +535,12 @@ in {
         type = types.nullOr types.path;
       };
 
+      clientCaFile = mkOption {
+        description = "Kubernetes apiserver CA file for client authentication.";
+        default = cfg.caFile;
+        type = types.nullOr types.path;
+      };
+
       healthz = {
         bind = mkOption {
           description = "Kubernetes kubelet healthz listening address.";
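Review bot: The description at L34 does not say what the default means or what happens when the option is null, although both matter for how the kubelet's API is protected: the default is the cluster CA (`cfg.caFile`, L35), and a null value makes the later `optionalString` omit `--client-ca-file` entirely, so the kubelet then does not verify client certificates on its own endpoint. Suggested wording: `description = "CA file the kubelet uses to verify client certificates on its own API. Defaults to the cluster CA (services.kubernetes.caFile); null omits --client-ca-file.";`. The surrounding kubelet option set starts and ends outside the hunk.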
@@ -794,6 +800,11 @@ in {
               "--tls-cert-file=${cfg.kubelet.tlsCertFile}"} \
             ${optionalString (cfg.kubelet.tlsKeyFile != null)
               "--tls-private-key-file=${cfg.kubelet.tlsKeyFile}"} \
+            ${optionalString (cfg.kubelet.clientCaFile != null)
+              "--client-ca-file=${cfg.kubelet.clientCaFile}"} \
+            --authentication-token-webhook \
+            --authentication-token-webhook-cache-ttl="10s" \
+            --authorization-mode=Webhook \
             --healthz-bind-address=${cfg.kubelet.healthz.bind} \
             --healthz-port=${toString cfg.kubelet.healthz.port} \
             --hostname-override=${cfg.kubelet.hostname} \
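Review bot: The three flags added at L48-L50 are unconditional, unlike every neighbouring flag in this hunk, which is gated on its option; that leaves no way to run the kubelet without webhook authentication/authorization and makes the `"10s"` cache TTL at L49 a fixed value with no option behind it. Since webhook mode only works when the kubelet can reach the apiserver and the apiserver exposes the review APIs (the runtimeConfig default changed in the first hunk is overridable), a misconfigured cluster will fail at runtime rather than at evaluation. Consider gating the block on a kubelet option (a new one, e.g. `kubelet.webhookAuthorization`, defaulting to true so current behaviour is kept) and exposing the TTL as an option, mirroring how `clientCaFile` is handled at L46-L47. Whether the kubelet's kubeconfig credentials are permitted to create TokenReview/SubjectAccessReview objects cannot be seen here and should be checked. The ExecStart string begins before and continues after the hunk.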