author | Sarah Brofeldt <sbrofeldt@gmail.com> | 2018-02-04 21:23:36 +0100 |
---|---|---|
committer | Sarah Brofeldt <sbrofeldt@gmail.com> | 2018-02-04 21:23:36 +0100 |
commit | bf58890a5ae74ed64983f15f61e6aa8e7ccbe515 (patch) | |
tree | fdb26ee638205de0b56dfcc2ca22fea20217d6de /nixos/modules/services/cluster/kubernetes | |
parent | f63604a598e9720ba82ee10686773a56e2f33d7d (diff) | |
nixos/k8s: Enable Node authorizer and NodeRestriction by default
Diffstat (limited to 'nixos/modules/services/cluster/kubernetes')
-rw-r--r-- | nixos/modules/services/cluster/kubernetes/default.nix | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix
index 077953e4d4f8..4a2c6f0833eb 100644
--- a/nixos/modules/services/cluster/kubernetes/default.nix
+++ b/nixos/modules/services/cluster/kubernetes/default.nix
@@ -301,8 +301,8 @@ in {
 Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC). See
 <link xlink:href="http://kubernetes.io/docs/admin/authorization.html"/>
 '';
- default = ["RBAC"];
- type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC"]);
+ default = ["RBAC" "Node"];
+ type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC" "Node"]);
 };
 
 authorizationPolicy = mkOption {
@@ -344,7 +344,7 @@ in {
 Kubernetes admission control plugins to use. See
 <link xlink:href="http://kubernetes.io/docs/admin/admission-controllers/"/>
 '';
- default = ["NamespaceLifecycle" "LimitRanger" "ServiceAccount" "ResourceQuota" "DefaultStorageClass" "DefaultTolerationSeconds"];
+ default = ["NamespaceLifecycle" "LimitRanger" "ServiceAccount" "ResourceQuota" "DefaultStorageClass" "DefaultTolerationSeconds" "NodeRestriction"];
 example = [
 "NamespaceLifecycle" "NamespaceExists" "LimitRanger"
 "SecurityContextDeny" "ServiceAccount" "ResourceQuota" |
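Review bot: The description string in this hunk's context still lists only `(AlwaysAllow/AlwaysDeny/ABAC/RBAC)`, although `Node` is now an accepted value and part of the default, so the option documentation is stale. It should read `(AlwaysAllow/AlwaysDeny/ABAC/RBAC/Node)`. The Node authorizer only grants requests from kubelets that authenticate as `system:node:<nodeName>` in the `system:nodes` group, and the `NodeRestriction` default added in the second hunk depends on the same identity. Whether the module issues kubelet credentials in that form is not visible here and is worth confirming, because otherwise kubelet requests are decided by RBAC alone. The option definition starts above the hunk.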
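Review bot: Adding `NodeRestriction` only to `default` in the second hunk does not reach configurations that already set this option, because a user-supplied list replaces the default instead of extending it. Such a cluster can end up with the `Node` authorization mode from the first hunk but without the admission plugin that confines each kubelet to its own Node and Pod objects. The description should state the pairing, for example `NodeRestriction should be kept in this list whenever authorizationMode includes "Node".` The option definition and the `example` list continue outside the hunk.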