Diffstat (limited to 'nixos/tests/kubernetes/rbac.nix')
-rw-r--r-- | nixos/tests/kubernetes/rbac.nix | 78 |
1 files changed, 10 insertions, 68 deletions
diff --git a/nixos/tests/kubernetes/rbac.nix b/nixos/tests/kubernetes/rbac.nix
index 6388fe7ceb95..dfb55e7e0580 100644
--- a/nixos/tests/kubernetes/rbac.nix
+++ b/nixos/tests/kubernetes/rbac.nix
@@ -39,16 +39,16 @@ let
 });
 roRole = pkgs.writeText "ro-role.json" (builtins.toJSON {
- "apiVersion" = "rbac.authorization.k8s.io/v1beta1";
- "kind" = "Role";
- "metadata" = {
- "name" = "pod-reader";
- "namespace" = "default";
+ apiVersion = "rbac.authorization.k8s.io/v1beta1";
+ kind = "Role";
+ metadata = {
+ name = "pod-reader";
+ namespace = "default";
 };
- "rules" = [{
- "apiGroups" = [""];
- "resources" = ["pods"];
- "verbs" = ["get" "list" "watch"];
+ rules = [{
+ apiGroups = [""];
+ resources = ["pods"];
+ verbs = ["get" "list" "watch"];
 }];
 });
@@ -110,7 +110,7 @@ let
 '';
 in makeTest {
- name = "kubernetes-multinode-rbac";
+ name = "kubernetes-rbac";
 nodes = {
 master =
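Review bot: The `roRole` manifest on the new side still pins `apiVersion = "rbac.authorization.k8s.io/v1beta1"`, even though the commit rewrites that exact line. The `rbac.authorization.k8s.io/v1` group version has been served since Kubernetes 1.8 and the beta version was removed in 1.22, so if the Kubernetes packaged here already serves v1 I would write `apiVersion = "rbac.authorization.k8s.io/v1";` instead. The enclosing `let` block starts and continues outside the hunk, so any sibling role or binding manifests there would presumably need the same change.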
@@ -121,64 +121,6 @@ in makeTest {
 virtualisation.diskSize = 4096;
 networking.interfaces.eth1.ip4 = mkForce [{address = servers.master; prefixLength = 24;}];
 networking.primaryIPAddress = mkForce servers.master;
- services.kubernetes.apiserver.authorizationMode = mkForce ["ABAC" "RBAC"];
- services.kubernetes.apiserver.authorizationPolicy = mkForce [
- {
- apiVersion = "abac.authorization.kubernetes.io/v1beta1";
- kind = "Policy";
- spec = {
- user = "kubecfg";
- namespace = "*";
- resource = "*";
- apiGroup = "*";
- nonResourcePath = "*";
- };
- }
- {
- apiVersion = "abac.authorization.kubernetes.io/v1beta1";
- kind = "Policy";
- spec = {
- user = "kubelet";
- namespace = "*";
- resource = "*";
- apiGroup = "*";
- nonResourcePath = "*";
- };
- }
- {
- apiVersion = "abac.authorization.kubernetes.io/v1beta1";
- kind = "Policy";
- spec = {
- user = "kube-worker";
- namespace = "*";
- resource = "*";
- apiGroup = "*";
- nonResourcePath = "*";
- };
- }
- {
- apiVersion = "abac.authorization.kubernetes.io/v1beta1";
- kind = "Policy";
- spec = {
- user = "kube_proxy";
- namespace = "*";
- resource = "*";
- apiGroup = "*";
- nonResourcePath = "*";
- };
- }
- {
- apiVersion = "abac.authorization.kubernetes.io/v1beta1";
- kind = "Policy";
- spec = {
- user = "client";
- namespace = "*";
- resource = "*";
- apiGroup = "*";
- nonResourcePath = "*";
- };
- }
- ];
 }
 (import ./kubernetes-common.nix { inherit pkgs config certs servers; })
 (import ./kubernetes-master.nix { inherit pkgs config certs; }) |