Fix inconsistent handling of admission plugin list (#9407)

* Fix inconsistent handling of admission plugin list

* Adjust hardening doc with the normalized admission plugin list

* Add pre-check for admission plugins format change

* Ignore checking admission plugins value when variable is not defined

roles/kubernetes/control-plane/tasks/kubeadm-setup.yml

@@ -106,7 +106,7 @@
   when:
     - kube_apiserver_admission_control_config_file
     - item in kube_apiserver_admission_plugins_needs_configuration
-  loop: "{{ kube_apiserver_enable_admission_plugins[0].split(',') }}"
+  loop: "{{ kube_apiserver_enable_admission_plugins }}"
 
 - name: kubeadm | Check if apiserver.crt contains all needed SANs
   shell: |

roles/kubernetes/control-plane/templates/admission-controls.yaml.j2

@@ -1,7 +1,7 @@
 apiVersion: apiserver.config.k8s.io/v1
 kind: AdmissionConfiguration
 plugins:
-{% for plugin in kube_apiserver_enable_admission_plugins[0].split(',') %}
+{% for plugin in kube_apiserver_enable_admission_plugins %}
 {% if plugin in kube_apiserver_admission_plugins_needs_configuration %}
 - name: {{ plugin }}
   path: {{ kube_config_dir }}/{{ plugin|lower }}.yaml

roles/kubernetes/preinstall/tasks/0020-verify-settings.yml

@@ -305,3 +305,11 @@
   when:
     - kube_external_ca_mode
     - not ignore_assert_errors
+
+- name: Stop if using deprecated comma separated list for admission plugins
+  assert:
+    that: "',' not in kube_apiserver_enable_admission_plugins[0]"
+    msg: "Comma-separated list for kube_apiserver_enable_admission_plugins is now deprecated, use separate list items for each plugin."
+  when:
+    - kube_apiserver_enable_admission_plugins is defined
+    - kube_apiserver_enable_admission_plugins | length > 0