nix: bump to new k8s
diff --git a/nix/cluster-configuration.nix b/nix/cluster-configuration.nix
index 18faca0..86be40d 100644
--- a/nix/cluster-configuration.nix
+++ b/nix/cluster-configuration.nix
@@ -17,6 +17,8 @@
boot.loader.grub.version = 2;
boot.loader.grub.device = node.diskBoot;
+ boot.kernelParams = [ "boot.shell_on_fail" ];
+
time.timeZone = "Europe/Warsaw";
# List packages installed in system profile. To search, run:
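Review bot: The added `boot.kernelParams = [ "boot.shell_on_fail" ];` carries no comment explaining why it is there, and it changes the node's trust model: with this parameter a stage-1 boot failure offers a root shell on the console without authentication. If it is wanted for recovering cluster nodes, say so in place, e.g. `# unauthenticated root shell on initrd failure; console access must stay restricted`. It is also worth confirming that the serial or out-of-band console of these machines is reachable only by people who are meant to have root.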
@@ -110,25 +112,24 @@
caFile = pki.kube.apiserver.ca;
clusterCidr = "10.10.16.0/20";
- verbose = false;
path = [ pkgs.e2fsprogs ]; # kubelet wants to mkfs.ext4 when mounting pvcs
addons.dns.enable = false;
- etcd = {
- servers = (map (n: "https://${n.fqdn}:2379") nodes);
- caFile = pki.etcd.kube.ca;
- keyFile = pki.etcd.kube.key;
- certFile = pki.etcd.kube.cert;
- };
-
apiserver = rec {
enable = true;
- port = ports.k8sAPIServerPlain;
+ insecurePort = ports.k8sAPIServerPlain;
securePort = ports.k8sAPIServerSecure;
advertiseAddress = "${node.ipAddr}";
+ etcd = {
+ servers = (map (n: "https://${n.fqdn}:2379") nodes);
+ caFile = pki.etcd.kube.ca;
+ keyFile = pki.etcd.kube.key;
+ certFile = pki.etcd.kube.cert;
+ };
+
tlsCertFile = pki.kube.apiserver.cert;
tlsKeyFile = pki.kube.apiserver.key;
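Review bot: `insecurePort = ports.k8sAPIServerPlain;` keeps the API server's plain HTTP listener enabled, and requests arriving on that port bypass authentication and authorization, so the `authorizationMode` set later in this block does not apply to them. The hunk does not show which address that listener binds to. If nothing on the node needs it, `insecurePort = 0;` turns it off; otherwise pin it explicitly with `insecureBindAddress = "127.0.0.1";` and add a comment naming the consumer. The `apiserver` block starts and ends outside this hunk, so a bind address may already be set elsewhere.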
@@ -141,6 +142,7 @@
serviceAccountKeyFile = pki.kube.serviceaccounts.key;
+ allowPrivileged = true;
serviceClusterIpRange = "10.10.12.0/24";
runtimeConfig = "api/all,authentication.k8s.io/v1beta1";
authorizationMode = ["Node" "RBAC"];
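Review bot: `allowPrivileged = true;` here and in the `kubelet` hunk further down lets any principal that may create pods request a privileged container, which is equivalent to root on the node. Nothing visible in the diff limits who may do that. If the flag is needed only for specific system pods, record it next to the option, e.g. `# needed by <component>; privileged pods restricted by admission policy`, and check that an admission policy confines privileged pods to those namespaces. The admission plugin list is outside this hunk, so this may already be covered.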
@@ -160,8 +162,8 @@
controllerManager = {
enable = true;
- address = "0.0.0.0";
- port = ports.k8sControllerManagerPlain;
+ bindAddress = "0.0.0.0";
+ insecurePort = ports.k8sControllerManagerPlain;
leaderElect = true;
serviceAccountKeyFile = pki.kube.serviceaccounts.key;
rootCaFile = pki.kube.ca;
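Review bot: After the rename, `insecurePort = ports.k8sControllerManagerPlain;` still enables the controller manager's unauthenticated HTTP endpoint. `bindAddress = "0.0.0.0";` may now apply to the secure listener rather than the plain one, so verify on the running node which interface the plain port listens on. If only local health checks use it, `insecurePort = 0;` or a firewall rule limiting the port to loopback removes the exposure. Otherwise add a comment stating which hosts are expected to reach it. The `controllerManager` block continues past the end of this hunk.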
@@ -193,6 +195,7 @@
kubelet = {
enable = true;
unschedulable = false;
+ allowPrivileged = true;
hostname = fqdn;
tlsCertFile = pki.kube.kubelet.cert;
tlsKeyFile = pki.kube.kubelet.key;