Ensure correct AuthorizationConfiguration API version during upgrades (#12058)

* Ensure correct `AuthorizationConfiguration` API version during upgrades Fixes an issue where the wrong AuthorizationConfiguration API version could be used by kube-apiserver prematurely during upgrades. The `kubernets/control-plane` role writes configuration for the target version before control plane pods are upgraded. However, since the `AuthorizationConfiguration` file is reconciled continuously, this leads to a race condition where a new configuration version can be reconciled before kube-apiserver is upgraded to the compatible version. This solution ensures the correct configuration is available throughout the process by writing each api version to a different file path. Unused file versions are cleaned up post-upgrade for better hygiene. * Avoid from_json in cleanup task
2025-12-15 22:34:21 +03:00 · 2025-03-21 10:48:31 -05:00
parent bab6a9bf64
commit d5a5e6a93c
4 changed files with 16 additions and 8 deletions
--- a/roles/kubespray-defaults/defaults/main/main.yml
+++ b/roles/kubespray-defaults/defaults/main/main.yml
@@ -506,6 +506,7 @@ authorization_modes: ['Node', 'RBAC']
 ## Examples: https://kubernetes.io/blog/2024/04/26/multi-webhook-and-modular-authorization-made-much-easier/
 ## KEP: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3221-structured-authorization-configuration
 kube_apiserver_use_authorization_config_file: false
+kube_apiserver_authorization_config_api_version: "{{ 'v1alpha1' if kube_version is version('1.30.0', '<') else 'v1beta1' if kube_version is version('1.32.0', '<') else 'v1' }}"
 kube_apiserver_authorization_config_authorizers:
 - type: Node
  name: node