Implement structured authentication configuration for API server (#13035)

2026-05-07 01:17:39 -02:30 · 2026-04-20 21:55:52 -05:00
parent 19b73f4f83
commit f81842d0ed
4 changed files with 74 additions and 19 deletions
--- a/roles/kubernetes/control-plane/tasks/main.yml
+++ b/roles/kubernetes/control-plane/tasks/main.yml
@@ -18,6 +18,19 @@
    mode: "0640"
  when: kube_webhook_authorization | default(false)

+- name: Create structured AuthenticationConfiguration file
+  copy:
+    content: "{{ authn_config | to_nice_yaml(indent=2, sort_keys=false) }}"
+    dest: "{{ kube_config_dir }}/apiserver-authentication-config-{{ kube_apiserver_authentication_config_api_version }}.yaml"
+    mode: "0640"
+  vars:
+    authn_config:
+      apiVersion: apiserver.config.k8s.io/{{ kube_apiserver_authentication_config_api_version }}
+      kind: AuthenticationConfiguration
+      jwt: "{{ kube_apiserver_authentication_config_jwt }}"
+      anonymous: "{{ kube_apiserver_authentication_config_anonymous }}"
+  when: kube_apiserver_use_authentication_config_file
+
 - name: Create structured AuthorizationConfiguration file
  copy:
    content: "{{ authz_config | to_nice_yaml(indent=2, sort_keys=false) }}"
@@ -99,6 +112,13 @@
  include_tasks: kubeadm-etcd.yml
  when: etcd_deployment_type == "kubeadm"

+- name: Cleanup unused AuthenticationConfiguration file versions
+  file:
+    path: "{{ kube_config_dir }}/apiserver-authentication-config-{{ item }}.yaml"
+    state: absent
+  loop: "{{ ['v1alpha1', 'v1beta1', 'v1'] | reject('equalto', kube_apiserver_authentication_config_api_version) | list }}"
+  when: kube_apiserver_use_authentication_config_file
+
 - name: Cleanup unused AuthorizationConfiguration file versions
  file:
    path: "{{ kube_config_dir }}/apiserver-authorization-config-{{ item }}.yaml"
--- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
@@ -131,8 +131,7 @@ apiServer:
    value: "{{ kube_apiserver_pod_eviction_not_ready_timeout_seconds }}"
  - name: default-unreachable-toleration-seconds
    value: "{{ kube_apiserver_pod_eviction_unreachable_timeout_seconds }}"
-{% if kube_api_anonymous_auth is defined %}
-{# TODO: rework once suppport for structured auth lands #}
+{% if kube_api_anonymous_auth is defined and not kube_apiserver_use_authentication_config_file %}
  - name: anonymous-auth
    value: "{{ kube_api_anonymous_auth }}"
 {% endif %}
@@ -181,7 +180,7 @@ apiServer:
  - name: service-account-lookup
    value: "{{ kube_apiserver_service_account_lookup }}"
 {% endif %}
-{% if kube_oidc_auth and kube_oidc_url is defined and kube_oidc_client_id is defined %}
+{% if kube_oidc_auth and kube_oidc_url is defined and kube_oidc_client_id is defined and not kube_apiserver_use_authentication_config_file %}
  - name: oidc-issuer-url
    value: "{{ kube_oidc_url }}"
  - name: oidc-client-id
@@ -207,6 +206,10 @@ apiServer:
    value: "{{ kube_oidc_groups_prefix }}"
 {%   endif %}
 {% endif %}
+{% if kube_apiserver_use_authentication_config_file %}
+  - name: authentication-config
+    value: "{{ kube_config_dir }}/apiserver-authentication-config-{{ kube_apiserver_authentication_config_api_version }}.yaml"
+{% endif %}
 {% if kube_webhook_token_auth %}
  - name: authentication-token-webhook-config-file
    value: "{{ kube_config_dir }}/webhook-token-auth-config.yaml"
@@ -279,7 +282,7 @@ apiServer:
  - name: tracing-config-file
    value: "{{ kube_config_dir }}/tracing/apiserver-tracing.yaml"
 {% endif %}
-{% if kubernetes_audit or kube_token_auth or kube_webhook_token_auth or apiserver_extra_volumes or ssl_ca_dirs | length %}
+{% if kubernetes_audit or kube_token_auth or kube_webhook_token_auth or kube_apiserver_use_authorization_config_file or kube_apiserver_use_authentication_config_file or apiserver_extra_volumes or ssl_ca_dirs | length %}
  extraVolumes:
 {% if kube_token_auth %}
  - name: token-auth-config
@@ -301,6 +304,11 @@ apiServer:
    hostPath: {{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml
    mountPath: {{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml
 {% endif %}
+{% if kube_apiserver_use_authentication_config_file %}
+  - name: authentication-config
+    hostPath: {{ kube_config_dir }}/apiserver-authentication-config-{{ kube_apiserver_authentication_config_api_version }}.yaml
+    mountPath: {{ kube_config_dir }}/apiserver-authentication-config-{{ kube_apiserver_authentication_config_api_version }}.yaml
+{% endif %}
 {% if kubernetes_audit or kubernetes_audit_webhook %}
  - name: {{ audit_policy_name }}
    hostPath: {{ audit_policy_hostpath }}