author | Matej Cotman <cotman.matej@gmail.com> | 2017-05-24 19:05:54 +0200 |
committer | Robin Gloster <mail@glob.in> | 2017-09-24 11:44:25 +0200 |
commit | 8e14e978c8965db3378c57450d1177c03865554e (patch) | |
tree | e0998b01c92c3a1c960cd976152a92b44ac7fe5c /nixos/tests/kubernetes | |
parent | 7f9d1a7aafc76f506f25c9608a68980161d43d66 (diff) | |
kubernetes: fix minor issues
Diffstat (limited to 'nixos/tests/kubernetes')
-rw-r--r-- | nixos/tests/kubernetes/default.nix | 10 | ||||
-rw-r--r-- | nixos/tests/kubernetes/kubernetes-master.nix | 81 | ||||
-rw-r--r-- | nixos/tests/kubernetes/multinode-kubectl.nix | 8 | ||||
-rw-r--r-- | nixos/tests/kubernetes/rbac.nix | 78 | ||||
-rw-r--r-- | nixos/tests/kubernetes/singlenode-kubectl.nix | 97 |
5 files changed, 15 insertions, 259 deletions
diff --git a/nixos/tests/kubernetes/default.nix b/nixos/tests/kubernetes/default.nix
index 6ba4f1904ea7..2b61980349eb 100644
--- a/nixos/tests/kubernetes/default.nix
+++ b/nixos/tests/kubernetes/default.nix
@@ -1,7 +1,7 @@
-{ }:
+{ system ? builtins.currentSystem }:
 {
- kubernetes-singlenode = import ./singlenode.nix {};
- kubernetes-multinode-kubectl = import ./multinode-kubectl.nix {};
- kubernetes-rbac = import ./rbac.nix {};
- kubernetes-dns = import ./dns.nix {};
+ kubernetes-singlenode = import ./singlenode.nix { inherit system; };
+ kubernetes-multinode-kubectl = import ./multinode-kubectl.nix { inherit system; };
+ kubernetes-rbac = import ./rbac.nix { inherit system; };
+ kubernetes-dns = import ./dns.nix { inherit system; };
 }
diff --git a/nixos/tests/kubernetes/kubernetes-master.nix b/nixos/tests/kubernetes/kubernetes-master.nix
index b9577fa0964b..15e7e52e4832 100644
--- a/nixos/tests/kubernetes/kubernetes-master.nix
+++ b/nixos/tests/kubernetes/kubernetes-master.nix
@@ -62,87 +62,6 @@ in
 portalNet = "10.1.10.0/24"; # --service-cluster-ip-range
 runtimeConfig = "";
 /*extraOpts = "--v=2";*/
- authorizationMode = ["ABAC"];
- authorizationPolicy = [
- {
- apiVersion = "abac.authorization.kubernetes.io/v1beta1";
- kind = "Policy";
- spec = {
- user = "kubecfg";
- namespace = "*";
- resource = "*";
- apiGroup = "*";
- nonResourcePath = "*";
- };
- }
- {
- apiVersion = "abac.authorization.kubernetes.io/v1beta1";
- kind = "Policy";
- spec = {
- user = "kubelet";
- namespace = "*";
- resource = "*";
- apiGroup = "*";
- nonResourcePath = "*";
- };
- }
- {
- apiVersion = "abac.authorization.kubernetes.io/v1beta1";
- kind = "Policy";
- spec = {
- user = "kube-worker";
- namespace = "*";
- resource = "*";
- apiGroup = "*";
- nonResourcePath = "*";
- };
- }
- {
- apiVersion = "abac.authorization.kubernetes.io/v1beta1";
- kind = "Policy";
- spec = {
- user = "kube_proxy";
- namespace = "*";
- resource = "*";
- apiGroup = "*";
- nonResourcePath = "*";
- };
- }
- {
- apiVersion = "abac.authorization.kubernetes.io/v1beta1";
- kind = "Policy";
- spec = {
- user = "client";
- namespace = "*";
- resource = "*";
- apiGroup = "*";
- nonResourcePath = "*";
- };
- }
- {
- apiVersion = "abac.authorization.kubernetes.io/v1beta1";
- kind = "Policy";
- spec = {
- group = "system:serviceaccounts";
- namespace = "*";
- resource = "*";
- apiGroup = "*";
- nonResourcePath = "*";
- };
- }
- {
- apiVersion = "abac.authorization.kubernetes.io/v1beta1";
- kind = "Policy";
- spec = {
- group = "system:authenticated";
- readonly = true;
- namespace = "*";
- resource = "*";
- apiGroup = "*";
- nonResourcePath = "*";
- };
- }
- ];
 };
 };
 }
diff --git a/nixos/tests/kubernetes/multinode-kubectl.nix b/nixos/tests/kubernetes/multinode-kubectl.nix
index 97108163d2cc..4ea4c272b225 100644
--- a/nixos/tests/kubernetes/multinode-kubectl.nix
+++ b/nixos/tests/kubernetes/multinode-kubectl.nix
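Review bot: With `authorizationMode = ["ABAC"];` and the whole `authorizationPolicy` list gone, the test master no longer says which authorizer the apiserver runs with, so the outcome now depends on the module default of `services.kubernetes.apiserver.authorizationMode`, which is not visible in this diff. The removed policies gave `kubecfg`, `kubelet`, `kube-worker`, `kube_proxy`, `client` and the `system:serviceaccounts` group unrestricted access, and `system:authenticated` read-only access, to every resource and non-resource path, so removing them only tightens the test cluster if that default is not an allow-all mode — worth confirming against the module. I would record the intent next to the surviving `runtimeConfig = "";` line: `# Authorization is left at the module default on purpose; do not reintroduce wildcard ABAC rules here.` The enclosing `apiserver` attribute set starts before this hunk.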
@@ -84,9 +84,7 @@ in makeTest {
 {
 virtualisation.memorySize = 768;
 virtualisation.diskSize = 4096;
- # networking.hostName = mkForce "master";
 networking.interfaces.eth1.ip4 = mkForce [{address = servers.master; prefixLength = 24;}];
- # networking.nat.externalIP = "192.168.1.1";
 networking.primaryIPAddress = mkForce servers.master;
 }
 (import ./kubernetes-common.nix { inherit pkgs config certs servers; })
@@ -99,9 +97,7 @@ in makeTest {
 {
 virtualisation.memorySize = 768;
 virtualisation.diskSize = 4096;
- # networking.hostName = mkForce "one";
 networking.interfaces.eth1.ip4 = mkForce [{address = servers.one; prefixLength = 24;}];
- # networking.nat.externalIP = "192.168.1.2";
 networking.primaryIPAddress = mkForce servers.one;
 services.kubernetes.roles = ["node"];
 }
@@ -114,9 +110,7 @@ in makeTest {
 {
 virtualisation.memorySize = 768;
 virtualisation.diskSize = 4096;
- # networking.hostName = mkForce "two";
 networking.interfaces.eth1.ip4 = mkForce [{address = servers.two; prefixLength = 24;}];
- # networking.nat.externalIP = "192.168.1.3";
 networking.primaryIPAddress = mkForce servers.two;
 services.kubernetes.roles = ["node"];
 }
@@ -129,9 +123,7 @@ in makeTest {
 {
 virtualisation.memorySize = 768;
 virtualisation.diskSize = 4096;
- # networking.hostName = mkForce "three";
 networking.interfaces.eth1.ip4 = mkForce [{address = servers.three; prefixLength = 24;}];
- # networking.nat.externalIP = "192.168.1.4";
 networking.primaryIPAddress = mkForce servers.three;
 services.kubernetes.roles = ["node"];
 }
diff --git a/nixos/tests/kubernetes/rbac.nix b/nixos/tests/kubernetes/rbac.nix
index 6388fe7ceb95..dfb55e7e0580 100644
--- a/nixos/tests/kubernetes/rbac.nix
+++ b/nixos/tests/kubernetes/rbac.nix
@@ -39,16 +39,16 @@ let
 });
 roRole = pkgs.writeText "ro-role.json" (builtins.toJSON {
- "apiVersion" = "rbac.authorization.k8s.io/v1beta1";
- "kind" = "Role";
- "metadata" = {
- "name" = "pod-reader";
- "namespace" = "default";
+ apiVersion = "rbac.authorization.k8s.io/v1beta1";
+ kind = "Role";
+ metadata = {
+ name = "pod-reader";
+ namespace = "default";
 };
- "rules" = [{
- "apiGroups" = [""];
- "resources" = ["pods"];
- "verbs" = ["get" "list" "watch"];
+ rules = [{
+ apiGroups = [""];
+ resources = ["pods"];
+ verbs = ["get" "list" "watch"];
 }];
 });
@@ -110,7 +110,7 @@ let
 '';
 in makeTest {
- name = "kubernetes-multinode-rbac";
+ name = "kubernetes-rbac";
 nodes = {
 master =
@@ -121,64 +121,6 @@ in makeTest {
 virtualisation.diskSize = 4096;
 networking.interfaces.eth1.ip4 = mkForce [{address = servers.master; prefixLength = 24;}];
 networking.primaryIPAddress = mkForce servers.master;
- services.kubernetes.apiserver.authorizationMode = mkForce ["ABAC" "RBAC"];
- services.kubernetes.apiserver.authorizationPolicy = mkForce [
- {
- apiVersion = "abac.authorization.kubernetes.io/v1beta1";
- kind = "Policy";
- spec = {
- user = "kubecfg";
- namespace = "*";
- resource = "*";
- apiGroup = "*";
- nonResourcePath = "*";
- };
- }
- {
- apiVersion = "abac.authorization.kubernetes.io/v1beta1";
- kind = "Policy";
- spec = {
- user = "kubelet";
- namespace = "*";
- resource = "*";
- apiGroup = "*";
- nonResourcePath = "*";
- };
- }
- {
- apiVersion = "abac.authorization.kubernetes.io/v1beta1";
- kind = "Policy";
- spec = {
- user = "kube-worker";
- namespace = "*";
- resource = "*";
- apiGroup = "*";
- nonResourcePath = "*";
- };
- }
- {
- apiVersion = "abac.authorization.kubernetes.io/v1beta1";
- kind = "Policy";
- spec = {
- user = "kube_proxy";
- namespace = "*";
- resource = "*";
- apiGroup = "*";
- nonResourcePath = "*";
- };
- }
- {
- apiVersion = "abac.authorization.kubernetes.io/v1beta1";
- kind = "Policy";
- spec = {
- user = "client";
- namespace = "*";
- resource = "*";
- apiGroup = "*";
- nonResourcePath = "*";
- };
- }
- ];
 }
 (import ./kubernetes-common.nix { inherit pkgs config certs servers; })
 (import ./kubernetes-master.nix { inherit pkgs config certs; })
diff --git a/nixos/tests/kubernetes/singlenode-kubectl.nix b/nixos/tests/kubernetes/singlenode-kubectl.nix
deleted file mode 100644
index d3a78a06e430..000000000000
--- a/nixos/tests/kubernetes/singlenode-kubectl.nix
+++ /dev/null
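Review bot: The removed `mkForce ["ABAC" "RBAC"]` override ran the apiserver with wildcard ABAC policies for `kubecfg`, `kubelet`, `kube-worker`, `kube_proxy` and `client`, and with ABAC listed first those identities were authorized before RBAC was consulted, so a role such as the `pod-reader` one defined earlier in this file could never have been enforced for them; dropping the override is what makes an RBAC test meaningful, but only if the module default mode actually is RBAC, which this hunk does not show. Since the new master node now carries no authorization setting at all, I would state that dependency right after `networking.primaryIPAddress = mkForce servers.master;`: `# Relies on the module default authorization mode; an ABAC wildcard policy here would bypass the roles under test.` If the default may change, pinning `services.kubernetes.apiserver.authorizationMode = ["RBAC"];` explicitly keeps the test honest. The `master` node definition starts before this hunk.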
@@ -1,97 +0,0 @@
-{ system ? builtins.currentSystem }:
-
- with import ../../lib/testing.nix { inherit system; };
- with import ../../lib/qemu-flags.nix;
- with pkgs.lib;
-
- let
- certs = import ./certs.nix { servers = {}; };
-
- kubectlPod = pkgs.writeText "kubectl-pod.json" (builtins.toJSON {
- kind = "Pod";
- apiVersion = "v1";
- metadata.name = "kubectl";
- metadata.labels.name = "kubectl";
- spec.containers = [{
- name = "kubectl";
- image = "kubectl:latest";
- command = ["${pkgs.busybox}/bin/tail" "-f"];
- imagePullPolicy = "Never";
- tty = true;
- }];
- });
-
- kubectlImage = pkgs.dockerTools.buildImage {
- name = "kubectl";
- tag = "latest";
- contents = [ pkgs.kubernetes pkgs.busybox certs kubeconfig ];
- config.Entrypoint = "${pkgs.busybox}/bin/sh";
- };
-
- kubeconfig = pkgs.writeTextDir "kubeconfig.json" (builtins.toJSON {
- apiVersion = "v1";
- kind = "Config";
- clusters = [{
- name = "local";
- cluster.certificate-authority = "/ca.pem";
- cluster.server = "https://192.168.1.1:4443/";
- }];
- users = [{
- name = "kubelet";
- user = {
- client-certificate = "/admin.crt";
- client-key = "/admin-key.pem";
- };
- }];
- contexts = [{
- context = {
- cluster = "local";
- user = "kubelet";
- };
- current-context = "kubelet-context";
- }];
- });
-
- test = ''
- $kubernetes->execute("docker load < ${kubectlImage}");
- $kubernetes->waitUntilSucceeds("kubectl create -f ${kubectlPod} || kubectl apply -f ${kubectlPod}");
- $kubernetes->waitUntilSucceeds("kubectl get pod kubectl | grep Running");
-
- # FIXME: this test fails, for some reason it can not reach host ip address
- $kubernetes->succeed("kubectl exec -ti kubectl -- kubectl --kubeconfig=/kubeconfig.json version");
- '';
-in makeTest {
- name = "kubernetes-singlenode-kubectl";
-
- nodes = {
- kubernetes =
- { config, pkgs, lib, nodes, ... }:
- {
- virtualisation.memorySize = 768;
- virtualisation.diskSize = 4096;
-
- programs.bash.enableCompletion = true;
- environment.systemPackages = with pkgs; [ netcat bind ];
-
- services.kubernetes.roles = ["master" "node"];
- services.kubernetes.apiserver.securePort = 4443;
- services.kubernetes.dns.port = 4453;
- services.kubernetes.clusterCidr = "10.0.0.0/8";
- virtualisation.docker.extraOptions = "--iptables=false --ip-masq=false -b cbr0";
-
- networking.interfaces.eth1.ip4 = mkForce [{address = "192.168.1.1"; prefixLength = 24;}];
- networking.primaryIPAddress = mkForce "192.168.1.1";
- networking.bridges.cbr0.interfaces = [];
- networking.interfaces.cbr0 = {};
-
- services.dnsmasq.enable = true;
- services.dnsmasq.servers = ["/${config.services.kubernetes.dns.domain}/127.0.0.1#4453"];
- };
- };
-
- testScript = ''
- startAll;
-
- ${test}
- '';
-}
|