646b892680
Some checks failed
Periodic Merges (6h) / master → staging-nixos (push) Failing after 12m50s
Periodic Merges (6h) / master → staging-next (push) Failing after 12m54s
Periodic Merges (24h) / merge-base(master,staging) → haskell-updates (push) Failing after 11m54s
Periodic Merges (6h) / staging-next → staging (push) Failing after 12m13s
Periodic Merges (24h) / staging-next-25.05 → staging-25.05 (push) Failing after 13m24s
Periodic Merges (24h) / release-25.05 → staging-next-25.05 (push) Failing after 14m28s
127 lines
3.1 KiB
Nix
127 lines
3.1 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
let
|
|
top = config.services.kubernetes;
|
|
cfg = top.flannel;
|
|
|
|
# we want flannel to use kubernetes itself as configuration backend, not direct etcd
|
|
storageBackend = "kubernetes";
|
|
in
|
|
{
|
|
###### interface
|
|
options.services.kubernetes.flannel = {
|
|
enable = lib.mkEnableOption "flannel networking";
|
|
|
|
openFirewallPorts = lib.mkOption {
|
|
description = ''Whether to open the Flannel UDP ports in the firewall on all interfaces.'';
|
|
type = lib.types.bool;
|
|
default = true;
|
|
};
|
|
};
|
|
|
|
###### implementation
|
|
config = lib.mkIf cfg.enable {
|
|
services.flannel = {
|
|
|
|
enable = lib.mkDefault true;
|
|
network = lib.mkDefault top.clusterCidr;
|
|
inherit storageBackend;
|
|
nodeName = config.services.kubernetes.kubelet.hostname;
|
|
};
|
|
|
|
services.kubernetes.kubelet = {
|
|
cni.config = lib.mkDefault [
|
|
{
|
|
name = "mynet";
|
|
type = "flannel";
|
|
cniVersion = "0.3.1";
|
|
delegate = {
|
|
isDefaultGateway = true;
|
|
hairpinMode = true;
|
|
bridge = "mynet";
|
|
};
|
|
}
|
|
];
|
|
};
|
|
|
|
networking = {
|
|
firewall.allowedUDPPorts = lib.mkIf cfg.openFirewallPorts [
|
|
8285 # flannel udp
|
|
8472 # flannel vxlan
|
|
];
|
|
dhcpcd.denyInterfaces = [
|
|
"mynet*"
|
|
"flannel*"
|
|
];
|
|
};
|
|
|
|
services.kubernetes.pki.certs = {
|
|
flannelClient = top.lib.mkCert {
|
|
name = "flannel-client";
|
|
CN = "flannel-client";
|
|
action = "systemctl restart flannel.service";
|
|
};
|
|
};
|
|
|
|
# give flannel some kubernetes rbac permissions if applicable
|
|
services.kubernetes.addonManager.bootstrapAddons =
|
|
lib.mkIf ((storageBackend == "kubernetes") && (lib.elem "RBAC" top.apiserver.authorizationMode))
|
|
{
|
|
|
|
flannel-cr = {
|
|
apiVersion = "rbac.authorization.k8s.io/v1";
|
|
kind = "ClusterRole";
|
|
metadata = {
|
|
name = "flannel";
|
|
};
|
|
rules = [
|
|
{
|
|
apiGroups = [ "" ];
|
|
resources = [ "pods" ];
|
|
verbs = [ "get" ];
|
|
}
|
|
{
|
|
apiGroups = [ "" ];
|
|
resources = [ "nodes" ];
|
|
verbs = [
|
|
"list"
|
|
"watch"
|
|
];
|
|
}
|
|
{
|
|
apiGroups = [ "" ];
|
|
resources = [ "nodes/status" ];
|
|
verbs = [ "patch" ];
|
|
}
|
|
];
|
|
};
|
|
|
|
flannel-crb = {
|
|
apiVersion = "rbac.authorization.k8s.io/v1";
|
|
kind = "ClusterRoleBinding";
|
|
metadata = {
|
|
name = "flannel";
|
|
};
|
|
roleRef = {
|
|
apiGroup = "rbac.authorization.k8s.io";
|
|
kind = "ClusterRole";
|
|
name = "flannel";
|
|
};
|
|
subjects = [
|
|
{
|
|
kind = "User";
|
|
name = "flannel-client";
|
|
}
|
|
];
|
|
};
|
|
|
|
};
|
|
};
|
|
|
|
meta.buildDocsInSandbox = false;
|
|
}
|