fix: disable webhook authz and clean stale kubelet configs

- Add authorization.mode: AlwaysAllow to KubeletConfiguration
- Remove stale kubelet config.yaml before unmasking in all kubeadm scripts
- This prevents 'no client provided, cannot use webhook authorization' error

nixos/kubeadm/modules/k8s-common.nix

@@ -141,6 +141,8 @@ in
         --leaderElection \
         > /etc/kubernetes/manifests/kube-vip.yaml
 
+      rm -f /var/lib/kubelet/config.yaml /var/lib/kubelet/kubeadm-flags.env
+
       systemctl unmask kubelet || true
       systemctl stop kubelet || true
       systemctl reset-failed kubelet || true
@@ -178,6 +180,8 @@ in
       authentication:
         webhook:
           enabled: false
+      authorization:
+        mode: AlwaysAllow
       KUBEADMCONFIG
 
       sed -i "s|KUBEADM_ENDPOINT|$vip:6443|g" /tmp/kubeadm/init-config.yaml
@@ -243,6 +247,8 @@ in
         --leaderElection \
         > /etc/kubernetes/manifests/kube-vip.yaml
 
+      rm -f /var/lib/kubelet/config.yaml /var/lib/kubelet/kubeadm-flags.env
+
       systemctl unmask kubelet || true
       systemctl stop kubelet || true
       systemctl reset-failed kubelet || true
@@ -258,6 +264,8 @@ in
         exit 1
       fi
 
+      rm -f /var/lib/kubelet/config.yaml /var/lib/kubelet/kubeadm-flags.env
+
       systemctl unmask kubelet || true
       systemctl stop kubelet || true
       systemctl reset-failed kubelet || true