nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix

{
  config,
  lib,
  pkgs,
  ...
}:
let
  top = config.services.kubernetes;
  cfg = top.flannel;

  # we want flannel to use kubernetes itself as configuration backend, not direct etcd
  storageBackend = "kubernetes";
in
{
  ###### interface
  options.services.kubernetes.flannel = {
    enable = lib.mkEnableOption "flannel networking";

    openFirewallPorts = lib.mkOption {
      description = ''Whether to open the Flannel UDP ports in the firewall on all interfaces.'';
      type = lib.types.bool;
      default = true;
    };
  };

  ###### implementation
  config = lib.mkIf cfg.enable {
    services.flannel = {

      enable = lib.mkDefault true;
      network = lib.mkDefault top.clusterCidr;
      inherit storageBackend;
      nodeName = config.services.kubernetes.kubelet.hostname;
    };

    services.kubernetes.kubelet = {
      cni.config = lib.mkDefault [
        {
          name = "mynet";
          type = "flannel";
          cniVersion = "0.3.1";
          delegate = {
            isDefaultGateway = true;
            bridge = "mynet";
          };
        }
      ];
    };

    networking = {
      firewall.allowedUDPPorts = lib.mkIf cfg.openFirewallPorts [
        8285 # flannel udp
        8472 # flannel vxlan
      ];
      dhcpcd.denyInterfaces = [
        "mynet*"
        "flannel*"
      ];
    };

    services.kubernetes.pki.certs = {
      flannelClient = top.lib.mkCert {
        name = "flannel-client";
        CN = "flannel-client";
        action = "systemctl restart flannel.service";
      };
    };

    # give flannel some kubernetes rbac permissions if applicable
    services.kubernetes.addonManager.bootstrapAddons =
      lib.mkIf ((storageBackend == "kubernetes") && (lib.elem "RBAC" top.apiserver.authorizationMode))
        {

          flannel-cr = {
            apiVersion = "rbac.authorization.k8s.io/v1";
            kind = "ClusterRole";
            metadata = {
              name = "flannel";
            };
            rules = [
              {
                apiGroups = [ "" ];
                resources = [ "pods" ];
                verbs = [ "get" ];
              }
              {
                apiGroups = [ "" ];
                resources = [ "nodes" ];
                verbs = [
                  "list"
                  "watch"
                ];
              }
              {
                apiGroups = [ "" ];
                resources = [ "nodes/status" ];
                verbs = [ "patch" ];
              }
            ];
          };

          flannel-crb = {
            apiVersion = "rbac.authorization.k8s.io/v1";
            kind = "ClusterRoleBinding";
            metadata = {
              name = "flannel";
            };
            roleRef = {
              apiGroup = "rbac.authorization.k8s.io";
              kind = "ClusterRole";
              name = "flannel";
            };
            subjects = [
              {
                kind = "User";
                name = "flannel-client";
              }
            ];
          };

        };
  };

  meta.buildDocsInSandbox = false;
}
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH 2024-12-10 20:26:33 +01:00			`{`
			`config,`
			`lib,`
			`pkgs,`
			`...`
			`}:`
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI 2018-07-22 13:14:20 +02:00			`let`
			`top = config.services.kubernetes;`
			`cfg = top.flannel;`

nixos/kubernetes: let flannel use kubernetes as storage backend + isolate etcd on the master node by letting it listen only on loopback + enabling kubelet on master and taint master with NoSchedule The reason for the latter is that flannel requires all nodes to be "registered" in the cluster in order to setup the cluster network. This means that the kubelet is needed even at nodes on which we don't plan to schedule anything. 2019-02-12 16:48:23 +01:00			`# we want flannel to use kubernetes itself as configuration backend, not direct etcd`
			`storageBackend = "kubernetes";`
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI 2018-07-22 13:14:20 +02:00			`in`
			`{`
			`###### interface`
			`options.services.kubernetes.flannel = {`
nixos/services.kubernetes.flannel: remove `with lib;` 2024-08-27 20:42:53 +02:00			`enable = lib.mkEnableOption "flannel networking";`
kubernetes: don't always open flannel fw ports 2023-12-02 09:42:51 +00:00
nixos/services.kubernetes.flannel: remove `with lib;` 2024-08-27 20:42:53 +02:00			`openFirewallPorts = lib.mkOption {`
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH 2024-12-10 20:26:33 +01:00			`description = ''Whether to open the Flannel UDP ports in the firewall on all interfaces.'';`
nixos/services.kubernetes.flannel: remove `with lib;` 2024-08-27 20:42:53 +02:00			`type = lib.types.bool;`
kubernetes: don't always open flannel fw ports 2023-12-02 09:42:51 +00:00			`default = true;`
			`};`
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI 2018-07-22 13:14:20 +02:00			`};`

			`###### implementation`
nixos/services.kubernetes.flannel: remove `with lib;` 2024-08-27 20:42:53 +02:00			`config = lib.mkIf cfg.enable {`
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI 2018-07-22 13:14:20 +02:00			`services.flannel = {`

nixos/services.kubernetes.flannel: remove `with lib;` 2024-08-27 20:42:53 +02:00			`enable = lib.mkDefault true;`
			`network = lib.mkDefault top.clusterCidr;`
Revert "Merge pull request #56789 from mayflower/upstream-k8s-refactor" This reverts commit 7dc6e77bc2a03e660cab2c4cbf52f235bc52683e, reversing changes made to bce47ea9d5fa962736ddd4a254a27a5fd2cdee9a. Motivation for the revert in #67563 2019-08-24 12:52:32 +02:00			`inherit storageBackend;`
			`nodeName = config.services.kubernetes.kubelet.hostname;`
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI 2018-07-22 13:14:20 +02:00			`};`

			`services.kubernetes.kubelet = {`
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH 2024-12-10 20:26:33 +01:00			`cni.config = lib.mkDefault [`
			`{`
			`name = "mynet";`
			`type = "flannel";`
			`cniVersion = "0.3.1";`
			`delegate = {`
			`isDefaultGateway = true;`
			`bridge = "mynet";`
			`};`
			`}`
			`];`
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI 2018-07-22 13:14:20 +02:00			`};`

			`networking = {`
nixos/services.kubernetes.flannel: remove `with lib;` 2024-08-27 20:42:53 +02:00			`firewall.allowedUDPPorts = lib.mkIf cfg.openFirewallPorts [`
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH 2024-12-10 20:26:33 +01:00			`8285 # flannel udp`
			`8472 # flannel vxlan`
			`];`
			`dhcpcd.denyInterfaces = [`
			`"mynet*"`
			`"flannel*"`
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI 2018-07-22 13:14:20 +02:00			`];`
			`};`

			`services.kubernetes.pki.certs = {`
nixos/kubernetes: let flannel use kubernetes as storage backend + isolate etcd on the master node by letting it listen only on loopback + enabling kubelet on master and taint master with NoSchedule The reason for the latter is that flannel requires all nodes to be "registered" in the cluster in order to setup the cluster network. This means that the kubelet is needed even at nodes on which we don't plan to schedule anything. 2019-02-12 16:48:23 +01:00			`flannelClient = top.lib.mkCert {`
			`name = "flannel-client";`
			`CN = "flannel-client";`
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI 2018-07-22 13:14:20 +02:00			`action = "systemctl restart flannel.service";`
			`};`
			`};`
nixos/kubernetes: let flannel use kubernetes as storage backend + isolate etcd on the master node by letting it listen only on loopback + enabling kubelet on master and taint master with NoSchedule The reason for the latter is that flannel requires all nodes to be "registered" in the cluster in order to setup the cluster network. This means that the kubelet is needed even at nodes on which we don't plan to schedule anything. 2019-02-12 16:48:23 +01:00
nixos: fix typos 2023-05-19 22:11:38 -04:00			`# give flannel some kubernetes rbac permissions if applicable`
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH 2024-12-10 20:26:33 +01:00			`services.kubernetes.addonManager.bootstrapAddons =`
			`lib.mkIf ((storageBackend == "kubernetes") && (lib.elem "RBAC" top.apiserver.authorizationMode))`
nixos/kubernetes: Address review: Move bootstrapping addons into own service 2019-03-06 16:44:38 +01:00			`{`
nixos/kubernetes: let flannel use kubernetes as storage backend + isolate etcd on the master node by letting it listen only on loopback + enabling kubelet on master and taint master with NoSchedule The reason for the latter is that flannel requires all nodes to be "registered" in the cluster in order to setup the cluster network. This means that the kubelet is needed even at nodes on which we don't plan to schedule anything. 2019-02-12 16:48:23 +01:00
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH 2024-12-10 20:26:33 +01:00			`flannel-cr = {`
			`apiVersion = "rbac.authorization.k8s.io/v1";`
			`kind = "ClusterRole";`
			`metadata = {`
			`name = "flannel";`
			`};`
			`rules = [`
			`{`
			`apiGroups = [ "" ];`
			`resources = [ "pods" ];`
			`verbs = [ "get" ];`
			`}`
			`{`
			`apiGroups = [ "" ];`
			`resources = [ "nodes" ];`
			`verbs = [`
			`"list"`
			`"watch"`
			`];`
			`}`
			`{`
			`apiGroups = [ "" ];`
			`resources = [ "nodes/status" ];`
			`verbs = [ "patch" ];`
			`}`
			`];`
			`};`
Revert "Merge pull request #56789 from mayflower/upstream-k8s-refactor" This reverts commit 7dc6e77bc2a03e660cab2c4cbf52f235bc52683e, reversing changes made to bce47ea9d5fa962736ddd4a254a27a5fd2cdee9a. Motivation for the revert in #67563 2019-08-24 12:52:32 +02:00
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH 2024-12-10 20:26:33 +01:00			`flannel-crb = {`
			`apiVersion = "rbac.authorization.k8s.io/v1";`
			`kind = "ClusterRoleBinding";`
			`metadata = {`
			`name = "flannel";`
			`};`
			`roleRef = {`
			`apiGroup = "rbac.authorization.k8s.io";`
			`kind = "ClusterRole";`
			`name = "flannel";`
			`};`
			`subjects = [`
			`{`
			`kind = "User";`
			`name = "flannel-client";`
			`}`
			`];`
			`};`

			`};`
nixos/kubernetes: Address review: Move bootstrapping addons into own service 2019-03-06 16:44:38 +01:00			`};`
nixos/kubernetes: move all k8s docs out of the sandbox otherwise the manual won't build. ideally they'll move back into the sandbox at some point, but we're obviously not qualified to put them there. 2022-01-08 07:10:25 +01:00
			`meta.buildDocsInSandbox = false;`
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI 2018-07-22 13:14:20 +02:00			`}`