author | Johan Thomsen <jth@dbc.dk> | 2018-06-18 13:05:01 +0200 |
---|---|---|
committer | Robin Gloster <mail@glob.in> | 2018-06-19 22:28:00 +0200 |
commit | f9ad1cae78b5fc27a5bf2f17b3f9ebf7b239b3ca (patch) | |
tree | 91a366508a4da75b90865f726ef0e1e235af10ae /nixos/doc/manual | |
parent | dc6484e366021b515207a61fc1517359be872bca (diff) | |
nixos/kubernetes: dashboard lockdown
Kubernetes dashboard currently has cluster admin permissions, which is not recommended.

- Renamed option "services.kubernetes.addons.dashboard.enableRBAC" to "services.kubernetes.addons.dashboard.rbac.enable"
- Added option "services.kubernetes.addons.dashboard.rbac.clusterAdmin", default = false.
- Setting recommended minimal permissions for the dashboard in accordance with https://github.com/kubernetes/dashboard/wiki/Installation
- Updated release note for 18.09.
Diffstat (limited to 'nixos/doc/manual')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-1809.xml | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1809.xml b/nixos/doc/manual/release-notes/rl-1809.xml index f57fd75c782d..d3062b3ea323 100644 --- a/nixos/doc/manual/release-notes/rl-1809.xml +++ b/nixos/doc/manual/release-notes/rl-1809.xml @@ -306,6 +306,22 @@ inherit (pkgs.nixos { was not used and thus has been removed. </para> </listitem> + <listitem> + <para> + The option <varname>services.kubernetes.addons.dashboard.enableRBAC</varname> + was renamed to <varname>services.kubernetes.addons.dashboard.rbac.enable</varname>. + </para> + </listitem> + <listitem> + <para> + The Kubernetes Dashboard now has only minimal RBAC permissions by default. + If dashboard cluster-admin rights are desired, + set <varname>services.kubernetes.addons.dashboard.rbac.clusterAdmin</varname> to true. + On existing clusters, in order for the revocation of privileges to take effect, + the current ClusterRoleBinding for kubernetes-dashboard must be manually removed: + <literal>kubectl delete clusterrolebinding kubernetes-dashboard</literal> + </para> + </listitem> </itemizedlist> </section> </section> |
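Review bot: In the second added <listitem>, the security-relevant instruction is the last sentence of a long paragraph: on existing clusters the dashboard keeps its cluster-admin ClusterRoleBinding until `kubectl delete clusterrolebinding kubernetes-dashboard` is run, so an operator who skims the note upgrades and silently retains the old privileges. Consider moving that sentence into its own <para> (or a <warning>) and stating what the reader should expect afterwards, for example whether the minimal binding is created automatically once the old one is deleted. In the first added <listitem>, say whether the old name enableRBAC is still accepted or now fails evaluation; the diff shown here is limited to nixos/doc/manual, so that cannot be confirmed from these lines. Minor style point: "to true" in the second item would read more consistently as <literal>true</literal>, matching the <literal> used for the kubectl command.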