diff options
author | Alyssa Ross <hi@alyssa.is> | 2021-04-09 18:28:16 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2021-04-12 18:46:15 +0000 |
commit | fd2e737e0678ee7d8081baef05b305146a2c0034 (patch) | |
tree | ac3e9b27576a0382335532d126f9a66d486bc638 /nixpkgs/nixos/modules/services/cluster/kubernetes | |
parent | cc207d720b6aa836e256c1ee9842bc739e630a8a (diff) | |
parent | 9e377a6ce42dccd9b624ae4ce8f978dc892ba0e2 (diff) | |
download | nixlib-fd2e737e0678ee7d8081baef05b305146a2c0034.tar nixlib-fd2e737e0678ee7d8081baef05b305146a2c0034.tar.gz nixlib-fd2e737e0678ee7d8081baef05b305146a2c0034.tar.bz2 nixlib-fd2e737e0678ee7d8081baef05b305146a2c0034.tar.lz nixlib-fd2e737e0678ee7d8081baef05b305146a2c0034.tar.xz nixlib-fd2e737e0678ee7d8081baef05b305146a2c0034.tar.zst nixlib-fd2e737e0678ee7d8081baef05b305146a2c0034.zip |
Merge remote-tracking branch 'nixpkgs/nixos-unstable'
Diffstat (limited to 'nixpkgs/nixos/modules/services/cluster/kubernetes')
6 files changed, 100 insertions, 64 deletions
diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix index f12e866930da..24d86628b211 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix @@ -3,7 +3,7 @@ with lib; let - version = "1.6.4"; + version = "1.7.1"; cfg = config.services.kubernetes.addons.dns; ports = { dns = 10053; @@ -55,9 +55,9 @@ in { type = types.attrs; default = { imageName = "coredns/coredns"; - imageDigest = "sha256:493ee88e1a92abebac67cbd4b5658b4730e0f33512461442d8d9214ea6734a9b"; + imageDigest = "sha256:4a6e0769130686518325b21b0c1d0688b54e7c79244d48e1b15634e98e40c6ef"; finalImageTag = version; - sha256 = "0fm9zdjavpf5hni8g7fkdd3csjbhd7n7py7llxjc66sbii087028"; + sha256 = "02r440xcdsgi137k5lmmvp0z5w5fmk8g9mysq5pnysq1wl8sj6mw"; }; }; }; @@ -156,7 +156,6 @@ in { health :${toString ports.health} kubernetes ${cfg.clusterDomain} in-addr.arpa ip6.arpa { pods insecure - upstream fallthrough in-addr.arpa ip6.arpa } prometheus :${toString ports.metrics} diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix index 95bdb4c0d14e..a5b132154766 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix @@ -238,14 +238,40 @@ in type = int; }; + apiAudiences = mkOption { + description = '' + Kubernetes apiserver ServiceAccount issuer. + ''; + default = "api,https://kubernetes.default.svc"; + type = str; + }; + + serviceAccountIssuer = mkOption { + description = '' + Kubernetes apiserver ServiceAccount issuer. + ''; + default = "https://kubernetes.default.svc"; + type = str; + }; + + serviceAccountSigningKeyFile = mkOption { + description = '' + Path to the file that contains the current private key of the service + account token issuer. The issuer will sign issued ID tokens with this + private key. + ''; + type = path; + }; + serviceAccountKeyFile = mkOption { description = '' - Kubernetes apiserver PEM-encoded x509 RSA private or public key file, - used to verify ServiceAccount tokens. By default tls private key file - is used. + File containing PEM-encoded x509 RSA or ECDSA private or public keys, + used to verify ServiceAccount tokens. The specified file can contain + multiple keys, and the flag can be specified multiple times with + different files. If unspecified, --tls-private-key-file is used. + Must be specified when --service-account-signing-key is provided ''; - default = null; - type = nullOr path; + type = path; }; serviceClusterIpRange = mkOption { @@ -357,8 +383,10 @@ in ${optionalString (cfg.runtimeConfig != "") "--runtime-config=${cfg.runtimeConfig}"} \ --secure-port=${toString cfg.securePort} \ - ${optionalString (cfg.serviceAccountKeyFile!=null) - "--service-account-key-file=${cfg.serviceAccountKeyFile}"} \ + --api-audiences=${toString cfg.apiAudiences} \ + --service-account-issuer=${toString cfg.serviceAccountIssuer} \ + --service-account-signing-key-file=${cfg.serviceAccountSigningKeyFile} \ + --service-account-key-file=${cfg.serviceAccountKeyFile} \ --service-cluster-ip-range=${cfg.serviceClusterIpRange} \ --storage-backend=${cfg.storageBackend} \ ${optionalString (cfg.tlsCertFile != null) diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix index 3a11a6513a49..19edc338bba1 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix @@ -5,6 +5,29 @@ with lib; let cfg = config.services.kubernetes; + defaultContainerdConfigFile = pkgs.writeText "containerd.toml" '' + version = 2 + root = "/var/lib/containerd/daemon" + state = "/var/run/containerd/daemon" + oom_score = 0 + + [grpc] + address = "/var/run/containerd/containerd.sock" + + [plugins."io.containerd.grpc.v1.cri"] + sandbox_image = "pause:latest" + + [plugins."io.containerd.grpc.v1.cri".cni] + bin_dir = "/opt/cni/bin" + max_conf_num = 0 + + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] + runtime_type = "io.containerd.runc.v2" + + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes."io.containerd.runc.v2".options] + SystemdCgroup = true + ''; + mkKubeConfig = name: conf: pkgs.writeText "${name}-kubeconfig" (builtins.toJSON { apiVersion = "v1"; kind = "Config"; @@ -222,14 +245,9 @@ in { }) (mkIf cfg.kubelet.enable { - virtualisation.docker = { + virtualisation.containerd = { enable = mkDefault true; - - # kubernetes needs access to logs - logDriver = mkDefault "json-file"; - - # iptables must be disabled for kubernetes - extraOptions = "--iptables=false --ip-masq=false"; + configFile = mkDefault defaultContainerdConfigFile; }; }) @@ -269,7 +287,6 @@ in { users.users.kubernetes = { uid = config.ids.uids.kubernetes; description = "Kubernetes user"; - extraGroups = [ "docker" ]; group = "kubernetes"; home = cfg.dataDir; createHome = true; diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix index 548ffed1ddb5..3f55719027f0 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix @@ -8,16 +8,6 @@ let # we want flannel to use kubernetes itself as configuration backend, not direct etcd storageBackend = "kubernetes"; - - # needed for flannel to pass options to docker - mkDockerOpts = pkgs.runCommand "mk-docker-opts" { - buildInputs = [ pkgs.makeWrapper ]; - } '' - mkdir -p $out - - # bashInteractive needed for `compgen` - makeWrapper ${pkgs.bashInteractive}/bin/bash $out/mk-docker-opts --add-flags "${pkgs.kubernetes}/bin/mk-docker-opts.sh" - ''; in { ###### interface @@ -43,43 +33,17 @@ in cniVersion = "0.3.1"; delegate = { isDefaultGateway = true; - bridge = "docker0"; + bridge = "mynet"; }; }]; }; - systemd.services.mk-docker-opts = { - description = "Pre-Docker Actions"; - path = with pkgs; [ gawk gnugrep ]; - script = '' - ${mkDockerOpts}/mk-docker-opts -d /run/flannel/docker - systemctl restart docker - ''; - serviceConfig.Type = "oneshot"; - }; - - systemd.paths.flannel-subnet-env = { - wantedBy = [ "flannel.service" ]; - pathConfig = { - PathModified = "/run/flannel/subnet.env"; - Unit = "mk-docker-opts.service"; - }; - }; - - systemd.services.docker = { - environment.DOCKER_OPTS = "-b none"; - serviceConfig.EnvironmentFile = "-/run/flannel/docker"; - }; - - # read environment variables generated by mk-docker-opts - virtualisation.docker.extraOptions = "$DOCKER_OPTS"; - networking = { firewall.allowedUDPPorts = [ 8285 # flannel udp 8472 # flannel vxlan ]; - dhcpcd.denyInterfaces = [ "docker*" "flannel*" ]; + dhcpcd.denyInterfaces = [ "mynet*" "flannel*" ]; }; services.kubernetes.pki.certs = { diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix index 479027f1b270..b5346b1cd44d 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix @@ -23,7 +23,7 @@ let name = "pause"; tag = "latest"; contents = top.package.pause; - config.Cmd = "/bin/pause"; + config.Cmd = ["/bin/pause"]; }; kubeconfig = top.lib.mkKubeConfig "kubelet" cfg.kubeconfig; @@ -125,6 +125,18 @@ in }; }; + containerRuntime = mkOption { + description = "Which container runtime type to use"; + type = enum ["docker" "remote"]; + default = "remote"; + }; + + containerRuntimeEndpoint = mkOption { + description = "Endpoint at which to find the container runtime api interface/socket"; + type = str; + default = "unix:///var/run/containerd/containerd.sock"; + }; + enable = mkEnableOption "Kubernetes kubelet."; extraOpts = mkOption { @@ -235,18 +247,26 @@ in ###### implementation config = mkMerge [ (mkIf cfg.enable { + + environment.etc."cni/net.d".source = cniConfig; + services.kubernetes.kubelet.seedDockerImages = [infraContainer]; + boot.kernel.sysctl = { + "net.bridge.bridge-nf-call-iptables" = 1; + "net.ipv4.ip_forward" = 1; + "net.bridge.bridge-nf-call-ip6tables" = 1; + }; + systemd.services.kubelet = { description = "Kubernetes Kubelet Service"; wantedBy = [ "kubernetes.target" ]; - after = [ "network.target" "docker.service" "kube-apiserver.service" ]; + after = [ "containerd.service" "network.target" "kube-apiserver.service" ]; path = with pkgs; [ gitMinimal openssh - docker util-linux - iproute + iproute2 ethtool thin-provisioning-tools iptables @@ -254,8 +274,12 @@ in ] ++ lib.optional config.boot.zfs.enabled config.boot.zfs.package ++ top.path; preStart = '' ${concatMapStrings (img: '' - echo "Seeding docker image: ${img}" - docker load <${img} + echo "Seeding container image: ${img}" + ${if (lib.hasSuffix "gz" img) then + ''${pkgs.gzip}/bin/zcat "${img}" | ${pkgs.containerd}/bin/ctr -n k8s.io image import --all-platforms -'' + else + ''${pkgs.coreutils}/bin/cat "${img}" | ${pkgs.containerd}/bin/ctr -n k8s.io image import --all-platforms -'' + } '') cfg.seedDockerImages} rm /opt/cni/bin/* || true @@ -306,6 +330,9 @@ in ${optionalString (cfg.tlsKeyFile != null) "--tls-private-key-file=${cfg.tlsKeyFile}"} \ ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ + --container-runtime=${cfg.containerRuntime} \ + --container-runtime-endpoint=${cfg.containerRuntimeEndpoint} \ + --cgroup-driver=systemd \ ${cfg.extraOpts} ''; WorkingDirectory = top.dataDir; @@ -315,7 +342,7 @@ in # Allways include cni plugins services.kubernetes.kubelet.cni.packages = [pkgs.cni-plugins]; - boot.kernelModules = ["br_netfilter"]; + boot.kernelModules = ["br_netfilter" "overlay"]; services.kubernetes.kubelet.hostname = with config.networking; mkDefault (hostName + optionalString (domain != null) ".${domain}"); diff --git a/nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix b/nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix index 933ae481e968..8de6a3ba0d80 100644 --- a/nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix +++ b/nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix @@ -361,6 +361,7 @@ in tlsCertFile = mkDefault cert; tlsKeyFile = mkDefault key; serviceAccountKeyFile = mkDefault cfg.certs.serviceAccount.cert; + serviceAccountSigningKeyFile = mkDefault cfg.certs.serviceAccount.key; kubeletClientCaFile = mkDefault caCert; kubeletClientCertFile = mkDefault cfg.certs.apiserverKubeletClient.cert; kubeletClientKeyFile = mkDefault cfg.certs.apiserverKubeletClient.key; |