kubernetes-sigs · k8s-ci-robot · Sep 11, 2020 · Sep 10, 2020
diff --git a/docs/getting-started.md b/docs/getting-started.md
@@ -95,7 +95,7 @@ the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-applicati
 
 Supported version is kubernetes-dashboard v2.0.x :
 
-- Login options are : token/kubeconfig by default, basic can be enabled with `kube_basic_auth: true` inventory variable - not recommended because this requires ABAC api-server which is not tested by kubespray team
+- Login option : token/kubeconfig by default
 - Deployed by default in "kube-system" namespace, can be overridden with `dashboard_namespace: kubernetes-dashboard` in inventory,
 - Only serves over https
 

diff --git a/docs/vars.md b/docs/vars.md
@@ -209,11 +209,3 @@ in the form of dicts of key-value pairs of configuration parameters that will be
 
 * *helm_version* - Defaults to v3.x, set to a v2 version (e.g. `v2.16.1` ) to install Helm 2.x (will install Tiller!).
 Picking v3 for an existing cluster running Tiller will leave it alone. In that case you will have to remove Tiller manually afterwards.
-
-## User accounts
-
-The variable `kube_basic_auth` is false by default, but if set to true, a user with admin rights is created, named `kube`.
-The password can be viewed after deployment by looking at the file
-`{{ credentials_dir }}/kube_user.creds` (`credentials_dir` is set to `{{ inventory_dir }}/credentials` by default). This contains a randomly generated
-password. If you wish to set your own password, just precreate/modify this
-file yourself or change `kube_api_pwd` var.
diff --git a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
@@ -14,9 +14,6 @@ kube_cert_dir: "{{ kube_config_dir }}/ssl"
 # This is where all of the bearer tokens will be stored
 kube_token_dir: "{{ kube_config_dir }}/tokens"
 
-# This is where to save basic auth file
-kube_users_dir: "{{ kube_config_dir }}/users"
-
 kube_api_anonymous_auth: true
 
 ## Change this to use another Kubernetes version, e.g. a current beta release
@@ -41,19 +38,8 @@ kube_log_level: 2
 # Directory where credentials will be stored
 credentials_dir: "{{ inventory_dir }}/credentials"
 
-# Users to create for basic auth in Kubernetes API via HTTP
-# Optionally add groups for user
-kube_api_pwd: "{{ lookup('password', credentials_dir + '/kube_user.creds length=15 chars=ascii_letters,digits') }}"
-kube_users:
-  kube:
-    pass: "{{kube_api_pwd}}"
-    role: admin
-    groups:
-      - system:masters
-
-## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
+## It is possible to activate / deactivate selected authentication methods (oidc, static token auth)
 # kube_oidc_auth: false
-# kube_basic_auth: false
 # kube_token_auth: false
 
 

diff --git a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
@@ -189,7 +189,7 @@ spec:
 {% if dashboard_skip_login %}
             - --enable-skip-login
 {% endif %}
-            - --authentication-mode=token{% if kube_basic_auth|default(false) %},basic{% endif %}
+            - --authentication-mode=token
             # Uncomment the following line to manually specify Kubernetes API server Host
             # If not specified, Dashboard will attempt to auto discover the API server and connect
             # to it. Uncomment only if the default does not work.

diff --git a/roles/kubernetes/master/defaults/main/main.yml b/roles/kubernetes/master/defaults/main/main.yml
@@ -95,7 +95,6 @@ kube_apiserver_disable_admission_plugins: []
 kube_api_runtime_config: []
 
 ## Enable/Disable Kube API Server Authentication Methods
-kube_basic_auth: false
 kube_token_auth: false
 kube_oidc_auth: false
 kube_webhook_token_auth: false

diff --git a/roles/kubernetes/master/tasks/main.yml b/roles/kubernetes/master/tasks/main.yml
@@ -3,10 +3,6 @@
   tags:
     - k8s-pre-upgrade
 
-- import_tasks: users-file.yml
-  when:
-    - kube_basic_auth|default(true)
-
 - name: Create webhook token auth config
   template:
     src: webhook-token-auth-config.yaml.j2

diff --git a/roles/kubernetes/master/tasks/users-file.yml b/roles/kubernetes/master/tasks/users-file.yml
diff --git a/roles/kubernetes/master/templates/known_users.csv.j2 b/roles/kubernetes/master/templates/known_users.csv.j2
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1beta2.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1beta2.yaml.j2
@@ -126,9 +126,6 @@ apiServer:
     profiling: "{{ kube_profiling }}"
     request-timeout: "{{ kube_apiserver_request_timeout }}"
     enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
-{% if kube_basic_auth|default(true) %}
-    basic-auth-file: {{ kube_users_dir }}/known_users.csv
-{% endif %}
 {% if kube_token_auth|default(true) %}
     token-auth-file: {{ kube_token_dir }}/known_tokens.csv
 {% endif %}
@@ -202,18 +199,13 @@ apiServer:
 {% if kubelet_rotate_server_certificates %}
     kubelet-certificate-authority: {{ kube_cert_dir }}/ca.crt
 {% endif %}
-{% if kubernetes_audit or kube_basic_auth|default(true) or kube_token_auth|default(true) or kube_webhook_token_auth|default(false) or ( cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] ) or apiserver_extra_volumes or ssl_ca_dirs|length %}
+{% if kubernetes_audit or kube_token_auth|default(true) or kube_webhook_token_auth|default(false) or ( cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] ) or apiserver_extra_volumes or ssl_ca_dirs|length %}
   extraVolumes:
 {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %}
   - name: cloud-config
     hostPath: {{ kube_config_dir }}/cloud_config
     mountPath: {{ kube_config_dir }}/cloud_config
 {% endif %}
-{% if kube_basic_auth|default(true) %}
-  - name: basic-auth-config
-    hostPath: {{ kube_users_dir }}
-    mountPath: {{ kube_users_dir }}
-{% endif %}
 {% if kube_token_auth|default(true) %}
   - name: token-auth-config
     hostPath: {{ kube_token_dir }}

diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
@@ -133,24 +133,13 @@ kube_cert_compat_dir: "/etc/kubernetes/pki"
 # This is where all of the bearer tokens will be stored
 kube_token_dir: "{{ kube_config_dir }}/tokens"
 
-# This is where to save basic auth file
-kube_users_dir: "{{ kube_config_dir }}/users"
-
-
 # This is the group that the cert creation scripts chgrp the
 # cert files to. Not really changeable...
 kube_cert_group: kube-cert
 
 # Cluster Loglevel configuration
 kube_log_level: 2
 
-# Users to create for basic auth in Kubernetes API via HTTP
-kube_api_pwd: "changeme"
-kube_users:
-  kube:
-    pass: "{{kube_api_pwd}}"
-    role: admin
-
 # Choose network plugin (cilium, calico, weave or flannel)
 # Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
 kube_network_plugin: calico

diff --git a/tests/files/packet_centos7-flannel-containerd-addons-ha.yml b/tests/files/packet_centos7-flannel-containerd-addons-ha.yml
@@ -23,7 +23,6 @@ cert_manager_enabled: true
 metrics_server_enabled: false
 metrics_server_kubelet_insecure_tls: true
 kube_token_auth: true
-kube_basic_auth: true
 enable_nodelocaldns: false
 kubelet_rotate_server_certificates: true
 

diff --git a/tests/files/packet_ubuntu18-flannel-containerd-ha-once.yml b/tests/files/packet_ubuntu18-flannel-containerd-ha-once.yml
@@ -24,5 +24,4 @@ cert_manager_enabled: true
 metrics_server_enabled: false
 metrics_server_kubelet_insecure_tls: true
 kube_token_auth: true
-kube_basic_auth: true
 enable_nodelocaldns: false
diff --git a/tests/files/packet_ubuntu18-flannel-containerd-ha.yml b/tests/files/packet_ubuntu18-flannel-containerd-ha.yml
@@ -24,5 +24,4 @@ cert_manager_enabled: true
 metrics_server_enabled: false
 metrics_server_kubelet_insecure_tls: true
 kube_token_auth: true
-kube_basic_auth: true
 enable_nodelocaldns: false