Remove --auth-anonymous if kube_api_anonymous_auth is undefined.

psychomantys · psychomantys · commit 3c5d2f02d386 · 2025-07-08T01:18:59.000-03:00
Remove --auth-anonymous if kube_api_anonymous_auth in undefined, to avoid
compatibility errors with other arguments of the kube-apiserver, such as
--authentication-config when anonymous field is configured.
diff --git a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2 b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
@@ -109,7 +109,10 @@ apiServer:
     etcd-compaction-interval: "{{ kube_apiserver_etcd_compaction_interval }}"
     default-not-ready-toleration-seconds: "{{ kube_apiserver_pod_eviction_not_ready_timeout_seconds }}"
     default-unreachable-toleration-seconds: "{{ kube_apiserver_pod_eviction_unreachable_timeout_seconds }}"
+{% if kube_api_anonymous_auth is defined %}
+{# TODO: rework once suppport for structured auth lands #}
     anonymous-auth: "{{ kube_api_anonymous_auth }}"
+{% endif %}
 {% if kube_apiserver_use_authorization_config_file %}
     authorization-config: "{{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml"
 {% else %}
diff --git a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2 b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
@@ -131,8 +131,11 @@ apiServer:
     value: "{{ kube_apiserver_pod_eviction_not_ready_timeout_seconds }}"
   - name: default-unreachable-toleration-seconds
     value: "{{ kube_apiserver_pod_eviction_unreachable_timeout_seconds }}"
+{% if kube_api_anonymous_auth is defined %}
+{# TODO: rework once suppport for structured auth lands #}
   - name: anonymous-auth
     value: "{{ kube_api_anonymous_auth }}"
+{% endif %}
 {% if kube_apiserver_use_authorization_config_file %}
   - name: authorization-config
     value: "{{ kube_config_dir }}/apiserver-authorization-config-{{ kube_apiserver_authorization_config_api_version }}.yaml"
diff --git a/roles/kubespray_defaults/defaults/main/main.yml b/roles/kubespray_defaults/defaults/main/main.yml
@@ -11,6 +11,7 @@ ping_access_ip: true
 
 # Setting this value to false will fail
 # For details, read this comment https://github.com/kubernetes-sigs/kubespray/pull/11016#issuecomment-2004985001
+# if kube_api_anonymous_auth: "{{ undef() }}", remove --anonymous-auth argument
 kube_api_anonymous_auth: true
 
 # Default value, but will be set to true automatically if detected
