Remove --auth-anonymous if kube_api_anonymous_auth is undefined. (#12353)

Remove --auth-anonymous if kube_api_anonymous_auth in undefined, to avoid compatibility errors with other arguments of the kube-apiserver, such as --authentication-config when anonymous field is configured.
2025-12-13 21:34:40 +03:00 · 2025-07-27 00:20:27 -03:00
parent 96c39ae7fd
commit 5b1334102b
3 changed files with 7 additions and 0 deletions
--- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
@@ -109,7 +109,10 @@ apiServer:
    etcd-compaction-interval: "{{ kube_apiserver_etcd_compaction_interval }}"
    default-not-ready-toleration-seconds: "{{ kube_apiserver_pod_eviction_not_ready_timeout_seconds }}"
    default-unreachable-toleration-seconds: "{{ kube_apiserver_pod_eviction_unreachable_timeout_seconds }}"
+{% if kube_api_anonymous_auth is defined %}
+{# TODO: rework once suppport for structured auth lands #}
    anonymous-auth: "{{ kube_api_anonymous_auth }}"
+{% endif %}
 {% if kube_apiserver_use_authorization_config_file %}
    authorization-config: "{{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml"
 {% else %}
--- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
@@ -131,8 +131,11 @@ apiServer:
    value: "{{ kube_apiserver_pod_eviction_not_ready_timeout_seconds }}"
  - name: default-unreachable-toleration-seconds
    value: "{{ kube_apiserver_pod_eviction_unreachable_timeout_seconds }}"
+{% if kube_api_anonymous_auth is defined %}
+{# TODO: rework once suppport for structured auth lands #}
  - name: anonymous-auth
    value: "{{ kube_api_anonymous_auth }}"
+{% endif %}
 {% if kube_apiserver_use_authorization_config_file %}
  - name: authorization-config
    value: "{{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml"
--- a/roles/kubespray_defaults/defaults/main/main.yml
+++ b/roles/kubespray_defaults/defaults/main/main.yml
@@ -11,6 +11,7 @@ ping_access_ip: true

 # Setting this value to false will fail
 # For details, read this comment https://github.com/kubernetes-sigs/kubespray/pull/11016#issuecomment-2004985001
+# if kube_api_anonymous_auth: "{{ undef() }}", remove --anonymous-auth argument
 kube_api_anonymous_auth: true

 # Default value, but will be set to true automatically if detected