2018-07-22 13:14:20 +02:00
|
|
|
{
|
|
|
|
|
config,
|
|
|
|
|
lib,
|
|
|
|
|
pkgs,
|
|
|
|
|
...
|
|
|
|
|
}:
|
|
|
|
|
let
|
|
|
|
|
top = config.services.kubernetes;
|
|
|
|
|
cfg = top.flannel;
|
|
|
|
|
|
2019-02-12 16:48:23 +01:00
|
|
|
# we want flannel to use kubernetes itself as configuration backend, not direct etcd
|
|
|
|
|
storageBackend = "kubernetes";
|
2018-07-22 13:14:20 +02:00
|
|
|
in
|
|
|
|
|
{
|
|
|
|
|
###### interface
|
|
|
|
|
options.services.kubernetes.flannel = {
|
2024-08-27 20:42:53 +02:00
|
|
|
enable = lib.mkEnableOption "flannel networking";
|
2023-12-02 09:42:51 +00:00
|
|
|
|
2024-08-27 20:42:53 +02:00
|
|
|
openFirewallPorts = lib.mkOption {
|
2023-12-02 09:42:51 +00:00
|
|
|
description = ''Whether to open the Flannel UDP ports in the firewall on all interfaces.'';
|
2024-08-27 20:42:53 +02:00
|
|
|
type = lib.types.bool;
|
2023-12-02 09:42:51 +00:00
|
|
|
default = true;
|
|
|
|
|
};
|
2018-07-22 13:14:20 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
###### implementation
|
2024-08-27 20:42:53 +02:00
|
|
|
config = lib.mkIf cfg.enable {
|
2018-07-22 13:14:20 +02:00
|
|
|
services.flannel = {
|
|
|
|
|
|
2024-08-27 20:42:53 +02:00
|
|
|
enable = lib.mkDefault true;
|
|
|
|
|
network = lib.mkDefault top.clusterCidr;
|
2019-08-24 12:52:32 +02:00
|
|
|
inherit storageBackend;
|
|
|
|
|
nodeName = config.services.kubernetes.kubelet.hostname;
|
2018-07-22 13:14:20 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
services.kubernetes.kubelet = {
|
2024-08-27 20:42:53 +02:00
|
|
|
cni.config = lib.mkDefault [
|
|
|
|
|
{
|
2018-07-22 13:14:20 +02:00
|
|
|
name = "mynet";
|
|
|
|
|
type = "flannel";
|
2019-11-15 05:58:35 +01:00
|
|
|
cniVersion = "0.3.1";
|
2018-07-22 13:14:20 +02:00
|
|
|
delegate = {
|
|
|
|
|
isDefaultGateway = true;
|
2021-02-25 16:00:59 +01:00
|
|
|
bridge = "mynet";
|
2018-07-22 13:14:20 +02:00
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
networking = {
|
2024-08-27 20:42:53 +02:00
|
|
|
firewall.allowedUDPPorts = lib.mkIf cfg.openFirewallPorts [
|
2018-07-22 13:14:20 +02:00
|
|
|
8285 # flannel udp
|
|
|
|
|
8472 # flannel vxlan
|
2024-12-10 20:26:33 +01:00
|
|
|
];
|
2021-02-25 16:00:59 +01:00
|
|
|
dhcpcd.denyInterfaces = [
|
2024-12-10 20:26:33 +01:00
|
|
|
"mynet*"
|
2021-02-25 16:00:59 +01:00
|
|
|
"flannel*"
|
2018-07-22 13:14:20 +02:00
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
services.kubernetes.pki.certs = {
|
2019-02-12 16:48:23 +01:00
|
|
|
flannelClient = top.lib.mkCert {
|
|
|
|
|
name = "flannel-client";
|
|
|
|
|
CN = "flannel-client";
|
2018-07-22 13:14:20 +02:00
|
|
|
action = "systemctl restart flannel.service";
|
|
|
|
|
};
|
|
|
|
|
};
|
2019-02-12 16:48:23 +01:00
|
|
|
|
2023-05-19 22:11:38 -04:00
|
|
|
# give flannel some kubernetes rbac permissions if applicable
|
2024-08-27 20:42:53 +02:00
|
|
|
services.kubernetes.addonManager.bootstrapAddons =
|
|
|
|
|
lib.mkIf ((storageBackend == "kubernetes") && (lib.elem "RBAC" top.apiserver.authorizationMode))
|
2019-03-06 16:44:38 +01:00
|
|
|
{
|
2019-02-12 16:48:23 +01:00
|
|
|
|
2019-03-06 16:44:38 +01:00
|
|
|
flannel-cr = {
|
2021-08-13 17:42:27 +01:00
|
|
|
apiVersion = "rbac.authorization.k8s.io/v1";
|
2019-03-06 16:44:38 +01:00
|
|
|
kind = "ClusterRole";
|
|
|
|
|
metadata = {
|
|
|
|
|
name = "flannel";
|
|
|
|
|
};
|
|
|
|
|
rules = [
|
2024-12-10 20:26:33 +01:00
|
|
|
{
|
2019-03-06 16:44:38 +01:00
|
|
|
apiGroups = [ "" ];
|
|
|
|
|
resources = [ "pods" ];
|
|
|
|
|
verbs = [ "get" ];
|
2024-12-10 20:26:33 +01:00
|
|
|
}
|
|
|
|
|
{
|
2019-03-06 16:44:38 +01:00
|
|
|
apiGroups = [ "" ];
|
|
|
|
|
resources = [ "nodes" ];
|
|
|
|
|
verbs = [
|
2024-12-10 20:26:33 +01:00
|
|
|
"list"
|
|
|
|
|
"watch"
|
|
|
|
|
];
|
|
|
|
|
}
|
2019-03-06 16:44:38 +01:00
|
|
|
{
|
|
|
|
|
apiGroups = [ "" ];
|
|
|
|
|
resources = [ "nodes/status" ];
|
|
|
|
|
verbs = [ "patch" ];
|
|
|
|
|
}
|
|
|
|
|
];
|
2019-03-01 08:44:45 +01:00
|
|
|
};
|
2019-08-24 12:52:32 +02:00
|
|
|
|
2019-03-06 16:44:38 +01:00
|
|
|
flannel-crb = {
|
2021-08-13 17:42:27 +01:00
|
|
|
apiVersion = "rbac.authorization.k8s.io/v1";
|
2019-03-06 16:44:38 +01:00
|
|
|
kind = "ClusterRoleBinding";
|
|
|
|
|
metadata = {
|
|
|
|
|
name = "flannel";
|
2019-02-12 16:48:23 +01:00
|
|
|
};
|
2019-03-06 16:44:38 +01:00
|
|
|
roleRef = {
|
|
|
|
|
apiGroup = "rbac.authorization.k8s.io";
|
|
|
|
|
kind = "ClusterRole";
|
|
|
|
|
name = "flannel";
|
2024-12-10 20:26:33 +01:00
|
|
|
};
|
|
|
|
|
subjects = [
|
|
|
|
|
{
|
2019-03-06 16:44:38 +01:00
|
|
|
kind = "User";
|
2019-02-12 16:48:23 +01:00
|
|
|
name = "flannel-client";
|
2024-12-10 20:26:33 +01:00
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
};
|
2019-03-06 16:44:38 +01:00
|
|
|
};
|
2022-01-08 07:10:25 +01:00
|
|
|
|
|
|
|
|
meta.buildDocsInSandbox = false;
|
2018-07-22 13:14:20 +02:00
|
|
|
}
|
