diff --git a/nixos/modules/services/cluster/kubernetes/dashboard.nix b/nixos/modules/services/cluster/kubernetes/dashboard.nix
index 75d71fccfda..e331889b9dd 100644
--- a/nixos/modules/services/cluster/kubernetes/dashboard.nix
+++ b/nixos/modules/services/cluster/kubernetes/dashboard.nix
@@ -6,12 +6,12 @@ let
 cfg = config.services.kubernetes.addons.dashboard;
 name = "gcr.io/google_containers/kubernetes-dashboard-amd64";
- version = "v1.6.3";
+ version = "v1.8.2";
 image = pkgs.dockerTools.pullImage {
 imageName = name;
 imageTag = version;
- sha256 = "1sf54d96nkgic9hir9c6p14gw24ns1k5d5a0r1sg414kjrvic0b4";
+ sha256 = "11h0fz3wxp0f10fsyqaxjm7l2qg7xws50dv5iwlck5gb1fjmajad";
 };
 in {
 options.services.kubernetes.addons.dashboard = {
diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix
index 077953e4d4f..4a2c6f0833e 100644
--- a/nixos/modules/services/cluster/kubernetes/default.nix
+++ b/nixos/modules/services/cluster/kubernetes/default.nix
@@ -301,8 +301,8 @@ in {
 Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC). See
 '';
- default = ["RBAC"];
- type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC"]);
+ default = ["RBAC" "Node"];
+ type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC" "Node"]);
 };
 authorizationPolicy = mkOption {
@@ -344,7 +344,7 @@ in {
 Kubernetes admission control plugins to use. See
 '';
- default = ["NamespaceLifecycle" "LimitRanger" "ServiceAccount" "ResourceQuota" "DefaultStorageClass" "DefaultTolerationSeconds"];
+ default = ["NamespaceLifecycle" "LimitRanger" "ServiceAccount" "ResourceQuota" "DefaultStorageClass" "DefaultTolerationSeconds" "NodeRestriction"];
 example = [
 "NamespaceLifecycle" "NamespaceExists" "LimitRanger" "SecurityContextDeny"
 "ServiceAccount" "ResourceQuota"
diff --git a/nixos/tests/kubernetes/base.nix b/nixos/tests/kubernetes/base.nix
index f3b930b630b..27b99aacab7 100644
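Review bot: The `description` context line at the top of this hunk still enumerates the modes as (AlwaysAllow/AlwaysDeny/ABAC/RBAC) although the enum below now accepts `Node` and the default includes it; suggest `Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC/Node). See`. The description is also the place to state what the new default implies: the Node authorizer only grants anything to a client presenting a `system:node:<nodeName>` identity in the `system:nodes` group, which is what the certs.nix hunk of this commit switches the test kubelets to, so existing deployments whose kubelet client certificates use a generic CN will presumably need them reissued when they pick up this default. Upstream examples list the modes as Node,RBAC; as far as I know each authorizer returns no opinion rather than deny when it does not match, so `["RBAC" "Node"]` only changes evaluation order, not the outcome, but mirroring the upstream order would spare the reader that question.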
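Review bot: The `example` list directly below the changed default still omits NodeRestriction, so anyone who copies the example as a starting point silently drops the plugin this commit adds; suggest appending `"NodeRestriction"` after `"ResourceQuota"` in the example. A sentence in the description would also help: NodeRestriction only constrains clients authenticated as `system:node:<nodeName>` and does nothing for kubelets using other identities, so it depends on the `Node` authorizer default changed earlier in this file and on per-node kubelet certificates. The `example` attribute continues past the end of the hunk.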
--- a/nixos/tests/kubernetes/base.nix
+++ b/nixos/tests/kubernetes/base.nix
@@ -7,7 +7,7 @@ let
 mkKubernetesBaseTest =
 { name, domain ? "my.zyx", test, machines
 , pkgs ? import { inherit system; }
- , certs ? import ./certs.nix { inherit pkgs; externalDomain = domain; }
+ , certs ? import ./certs.nix { inherit pkgs; externalDomain = domain; kubelets = attrNames machines; }
 , extraConfiguration ? null }:
 let
 masterName = head (filter (machineName: any (role: role == "master") machines.${machineName}.roles) (attrNames machines));
diff --git a/nixos/tests/kubernetes/certs.nix b/nixos/tests/kubernetes/certs.nix
index f108e35b98c..d3eff910c46 100644
--- a/nixos/tests/kubernetes/certs.nix
+++ b/nixos/tests/kubernetes/certs.nix
@@ -2,7 +2,8 @@
 pkgs ? import {},
 internalDomain ? "cloud.yourdomain.net",
 externalDomain ? "myawesomecluster.cluster.yourdomain.net",
- serviceClusterIp ? "10.0.0.1"
+ serviceClusterIp ? "10.0.0.1",
+ kubelets
 }:
 let
 runWithCFSSL = name: cmd:
@@ -123,9 +124,10 @@ let
 };
 apiserver-client = {
- kubelet = createClientCertKey {
+ kubelet = hostname: createClientCertKey {
 inherit ca;
- cn = "apiserver-client-kubelet";
+ name = "apiserver-client-kubelet-${hostname}";
+ cn = "system:node:${hostname}.${externalDomain}";
 groups = ["system:nodes"];
 };
@@ -175,10 +177,9 @@ in {
 paths = [
 (writeCFSSL (noKey ca))
 (writeCFSSL kubelet)
- (writeCFSSL apiserver-client.kubelet)
 (writeCFSSL apiserver-client.kube-proxy)
 (writeCFSSL etcd-client)
- ];
+ ] ++ map (hostname: writeCFSSL (apiserver-client.kubelet hostname)) kubelets;
 };
 admin = writeCFSSL apiserver-client.admin;
diff --git a/nixos/tests/kubernetes/dns.nix b/nixos/tests/kubernetes/dns.nix
index 74d98dabec8..8c488d271bc 100644
--- a/nixos/tests/kubernetes/dns.nix
+++ b/nixos/tests/kubernetes/dns.nix
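Review bot: `kubelets` is added as a required parameter with no default and no documentation, so a caller of certs.nix not updated by this commit fails with a bare missing-argument error at evaluation. Failing early is arguably right (a default of `[]` would silently issue no kubelet client certificates), but the parameter deserves a comment stating its contract, e.g. `# bare hostnames of the kubelet machines; one apiserver client certificate is issued per entry (see apiserver-client.kubelet)`. The expected form matters because kubernetes-common.nix in this commit looks the files up by `config.networking.hostName`, not by FQDN.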
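Review bot: The new `cn = "system:node:${hostname}.${externalDomain}"` is the identity the Node authorizer and NodeRestriction key on, so it must equal the name the kubelet registers its Node object under; kubernetes-common.nix in this commit derives that name from `config.networking.hostName` and `config.networking.domain`, which presumably only coincides with this CN when the test's `domain` and `externalDomain` agree (base.nix passes `externalDomain = domain`). That cross-file coupling is invisible here and merits a comment on the `cn` line, e.g. `# must equal the kubelet's registered node name (hostName.domain in kubernetes-common.nix)`. Note also that `name` embeds the bare hostname while `cn` embeds the FQDN, so `kubelets` entries have to be bare hostnames for the file names consumed elsewhere to line up.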
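Review bot: If this `paths` list is the `worker` bundle that kubernetes-common.nix reads `apiserver-client-kubelet-<hostName>.pem` from (the attribute name sits above the hunk), every worker now receives the client certificates and private keys of all kubelets rather than only its own. That weakens the per-node identity that the Node authorizer and NodeRestriction defaults in this same commit are meant to enforce, since to the apiserver a node holding a peer's key is indistinguishable from that peer; fine for a test fixture, but it should say so, e.g. `# test-only: every node gets every kubelet's client key; a real deployment must give each node only its own`. A per-host bundle keyed by hostname would be the cleaner shape but is a larger change than this hunk.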
@@ -3,7 +3,7 @@ with import ./base.nix { inherit system; };
 let
 domain = "my.zyx";
- certs = import ./certs.nix { externalDomain = domain; };
+ certs = import ./certs.nix { externalDomain = domain; kubelets = [ "machine1" "machine2" ]; };
 redisPod = pkgs.writeText "redis-pod.json" (builtins.toJSON {
 kind = "Pod";
diff --git a/nixos/tests/kubernetes/kubernetes-common.nix b/nixos/tests/kubernetes/kubernetes-common.nix
index 00a5c9aba4e..ddf427e1b01 100644
--- a/nixos/tests/kubernetes/kubernetes-common.nix
+++ b/nixos/tests/kubernetes/kubernetes-common.nix
@@ -29,8 +29,8 @@ let
 tlsKeyFile = "${certs.worker}/kubelet-key.pem";
 hostname = "${config.networking.hostName}.${config.networking.domain}";
 kubeconfig = {
- certFile = "${certs.worker}/apiserver-client-kubelet.pem";
- keyFile = "${certs.worker}/apiserver-client-kubelet-key.pem";
+ certFile = "${certs.worker}/apiserver-client-kubelet-${config.networking.hostName}.pem";
+ keyFile = "${certs.worker}/apiserver-client-kubelet-${config.networking.hostName}-key.pem";
 };
 };
 controllerManager = {
diff --git a/pkgs/applications/networking/cluster/kubecfg/default.nix b/pkgs/applications/networking/cluster/kubecfg/default.nix
index 7f17bd57c19..73a28325f52 100644
--- a/pkgs/applications/networking/cluster/kubecfg/default.nix
+++ b/pkgs/applications/networking/cluster/kubecfg/default.nix
@@ -1,6 +1,6 @@
 { lib, buildGoPackage, fetchFromGitHub, ... }:
-let version = "0.5.0"; in
+let version = "0.6.0"; in
 buildGoPackage {
 name = "kubecfg-${version}";
@@ -9,7 +9,7 @@ buildGoPackage {
 owner = "ksonnet";
 repo = "kubecfg";
 rev = "v${version}";
- sha256 = "1s8w133p8qkj3dr73jimajm9ddp678lw9k9symj8rjw5p35igr93";
+ sha256 = "12kv1p707kdxjx5l8rcikd1gjwp5xjxdmmyvlpnvyagrphgrwpsf";
 };
 goPackagePath = "github.com/ksonnet/kubecfg";
diff --git a/pkgs/applications/networking/cluster/kubernetes/default.nix b/pkgs/applications/networking/cluster/kubernetes/default.nix
index e8686ade590..e2f431e2a5e 100644
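Review bot: `kubelets = [ "machine1" "machine2" ]` hard-codes what base.nix in this commit derives with `attrNames machines`, so if the machine set of this test changes, the certificate store and the kubeconfig paths built in kubernetes-common.nix silently diverge and the kubelet fails at start with a missing file. If the `machines` attrset is defined later in this file, derive the list from it; otherwise a comment on this line such as `# keep in sync with the machines attrset of this test` would at least flag the coupling. The `let` block continues past the hunk.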
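Review bot: The new `certFile`/`keyFile` paths interpolate `config.networking.hostName` and are only valid if the `kubelets` list handed to certs.nix contains exactly these bare hostnames; nothing here checks that, so a mismatch surfaces only as a missing file when the kubelet starts. A comment above `certFile` would make the contract visible: `# file names follow certs.nix: apiserver-client-kubelet-<hostName>[-key].pem, one pair per entry in kubelets`. Note that `hostname` two lines above is the FQDN while the file name uses the bare name, which appears deliberate (certs.nix puts the FQDN in the CN and the bare name in the file name) but is easy to misread.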
--- a/pkgs/applications/networking/cluster/kubernetes/default.nix
+++ b/pkgs/applications/networking/cluster/kubernetes/default.nix
@@ -8,8 +8,6 @@
 "cmd/kube-controller-manager"
 "cmd/kube-proxy"
 "plugin/cmd/kube-scheduler"
- "federation/cmd/federation-apiserver"
- "federation/cmd/federation-controller-manager"
 "test/e2e/e2e.test"
 ]
 }:
@@ -18,13 +16,13 @@ with lib;
 stdenv.mkDerivation rec {
 name = "kubernetes-${version}";
- version = "1.7.9";
+ version = "1.9.1";
 src = fetchFromGitHub {
 owner = "kubernetes";
 repo = "kubernetes";
 rev = "v${version}";
- sha256 = "0lxagvv8mysw6n0vp5vsccl87b628dgsjrf298dx2dqx7wn7zjgi";
+ sha256 = "1dmq2g138h7fsswmq4l47b44gsl9anmm3ywqyi7y48f1rkvc11mk";
 };
 buildInputs = [ removeReferencesTo makeWrapper which go rsync go-bindata ];