mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-07-14 14:10:33 +03:00
nixos/kubernetes: dashboard lockdown
Kubernetes dashboard currently has cluster admin permissions, which is not recommended. - Renamed option "services.kubernetes.addons.dashboard.enableRBAC" to "services.kubernetes.addons.dashboard.rbac.enable" - Added option "services.kubernetes.addons.dashboard.rbac.clusterAdmin", default = false. - Setting recommended minimal permissions for the dashboard in accordance with https://github.com/kubernetes/dashboard/wiki/Installation - Updated release note for 18.09.
This commit is contained in:
Johan Thomsen
Robin Gloster
parent
dc6484e366
commit
f9ad1cae78
3 changed files with 132 additions and 23 deletions
|
|
@ -8,10 +8,25 @@ in {
|
|||
options.services.kubernetes.addons.dashboard = {
|
||||
enable = mkEnableOption "kubernetes dashboard addon";
|
||||
|
||||
enableRBAC = mkOption {
|
||||
description = "Whether to enable role based access control is enabled for kubernetes dashboard";
|
||||
type = types.bool;
|
||||
default = elem "RBAC" config.services.kubernetes.apiserver.authorizationMode;
|
||||
rbac = mkOption {
|
||||
description = "Role-based access control (RBAC) options";
|
||||
type = types.submodule {
|
||||
|
||||
options = {
|
||||
enable = mkOption {
|
||||
description = "Whether to enable role based access control is enabled for kubernetes dashboard";
|
||||
type = types.bool;
|
||||
default = elem "RBAC" config.services.kubernetes.apiserver.authorizationMode;
|
||||
};
|
||||
|
||||
clusterAdmin = mkOption {
|
||||
description = "Whether to assign cluster admin rights to the kubernetes dashboard";
|
||||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
version = mkOption {
|
||||
|
|
@ -202,29 +217,106 @@ in {
|
|||
namespace = "kube-system";
|
||||
};
|
||||
};
|
||||
} // (optionalAttrs cfg.enableRBAC {
|
||||
kubernetes-dashboard-crb = {
|
||||
apiVersion = "rbac.authorization.k8s.io/v1";
|
||||
kind = "ClusterRoleBinding";
|
||||
metadata = {
|
||||
name = "kubernetes-dashboard";
|
||||
labels = {
|
||||
k8s-app = "kubernetes-dashboard";
|
||||
k8s-addon = "kubernetes-dashboard.addons.k8s.io";
|
||||
"addonmanager.kubernetes.io/mode" = "Reconcile";
|
||||
};
|
||||
};
|
||||
roleRef = {
|
||||
apiGroup = "rbac.authorization.k8s.io";
|
||||
kind = "ClusterRole";
|
||||
name = "cluster-admin";
|
||||
};
|
||||
} // (optionalAttrs cfg.rbac.enable
|
||||
(let
|
||||
subjects = [{
|
||||
kind = "ServiceAccount";
|
||||
name = "kubernetes-dashboard";
|
||||
namespace = "kube-system";
|
||||
}];
|
||||
};
|
||||
});
|
||||
labels = {
|
||||
k8s-app = "kubernetes-dashboard";
|
||||
k8s-addon = "kubernetes-dashboard.addons.k8s.io";
|
||||
"addonmanager.kubernetes.io/mode" = "Reconcile";
|
||||
};
|
||||
in
|
||||
(if cfg.rbac.clusterAdmin then {
|
||||
kubernetes-dashboard-crb = {
|
||||
apiVersion = "rbac.authorization.k8s.io/v1";
|
||||
kind = "ClusterRoleBinding";
|
||||
metadata = {
|
||||
name = "kubernetes-dashboard";
|
||||
inherit labels;
|
||||
};
|
||||
roleRef = {
|
||||
apiGroup = "rbac.authorization.k8s.io";
|
||||
kind = "ClusterRole";
|
||||
name = "cluster-admin";
|
||||
};
|
||||
inherit subjects;
|
||||
};
|
||||
}
|
||||
else
|
||||
{
|
||||
# Upstream role- and rolebinding as per:
|
||||
# https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/alternative/kubernetes-dashboard.yaml
|
||||
kubernetes-dashboard-role = {
|
||||
apiVersion = "rbac.authorization.k8s.io/v1";
|
||||
kind = "Role";
|
||||
metadata = {
|
||||
name = "kubernetes-dashboard-minimal";
|
||||
namespace = "kube-system";
|
||||
inherit labels;
|
||||
};
|
||||
rules = [
|
||||
# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
|
||||
{
|
||||
apiGroups = [""];
|
||||
resources = ["secrets"];
|
||||
verbs = ["create"];
|
||||
}
|
||||
# Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
|
||||
{
|
||||
apiGroups = [""];
|
||||
resources = ["configmaps"];
|
||||
verbs = ["create"];
|
||||
}
|
||||
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
|
||||
{
|
||||
apiGroups = [""];
|
||||
resources = ["secrets"];
|
||||
resourceNames = ["kubernetes-dashboard-key-holder"];
|
||||
verbs = ["get" "update" "delete"];
|
||||
}
|
||||
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
|
||||
{
|
||||
apiGroups = [""];
|
||||
resources = ["configmaps"];
|
||||
resourceNames = ["kubernetes-dashboard-settings"];
|
||||
verbs = ["get" "update"];
|
||||
}
|
||||
# Allow Dashboard to get metrics from heapster.
|
||||
{
|
||||
apiGroups = [""];
|
||||
resources = ["services"];
|
||||
resourceNames = ["heapster"];
|
||||
verbs = ["proxy"];
|
||||
}
|
||||
{
|
||||
apiGroups = [""];
|
||||
resources = ["services/proxy"];
|
||||
resourceNames = ["heapster" "http:heapster:" "https:heapster:"];
|
||||
verbs = ["get"];
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
kubernetes-dashboard-rb = {
|
||||
apiVersion = "rbac.authorization.k8s.io/v1";
|
||||
kind = "RoleBinding";
|
||||
metadata = {
|
||||
name = "kubernetes-dashboard-minimal";
|
||||
namespace = "kube-system";
|
||||
inherit labels;
|
||||
};
|
||||
roleRef = {
|
||||
apiGroup = "rbac.authorization.k8s.io";
|
||||
kind = "Role";
|
||||
name = "kubernetes-dashboard-minimal";
|
||||
};
|
||||
inherit subjects;
|
||||
};
|
||||
})
|
||||
));
|
||||
};
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue