Merge pull request #1080 from VincentS/Granular_Auth_Control

Granular authentication Control

roles/kubernetes/master/defaults/main.yml

@@ -33,9 +33,15 @@ kube_apiserver_cpu_limit: 800m
 kube_apiserver_memory_requests: 256M
 kube_apiserver_cpu_requests: 300m
 
+
+## Enable/Disable Kube API Server Authentication Methods
+kube_basic_auth: true
+kube_token_auth: true
+kube_oidc_auth: false
+
 ## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
 ## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
-kube_oidc_auth: false
+
 #kube_oidc_url: https:// ...
 # kube_oidc_client_id: kubernetes
 ## Optional settings for OIDC

roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2

@@ -34,10 +34,14 @@ spec:
     - --service-cluster-ip-range={{ kube_service_addresses }}
     - --service-node-port-range={{ kube_apiserver_node_port_range }}
     - --client-ca-file={{ kube_cert_dir }}/ca.pem
+{% if kube_basic_auth|default(true) %}
     - --basic-auth-file={{ kube_users_dir }}/known_users.csv
+{% endif %}
     - --tls-cert-file={{ kube_cert_dir }}/apiserver.pem
     - --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
+{% if kube_token_auth|default(true) %}
     - --token-auth-file={{ kube_token_dir }}/known_tokens.csv
+{% endif %}
     - --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem
 {% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
     - --oidc-issuer-url={{ kube_oidc_url }}