From c061dda31d4839dc67ccbe21e57ef47cdbd7be37 Mon Sep 17 00:00:00 2001
From: MichaelFisher1997 <contact@michaelfisher.tech>
Date: Mon, 2 Mar 2026 17:58:05 +0000
Subject: [PATCH] fix: disable webhook authz and clean stale kubelet configs

- Add authorization.mode: AlwaysAllow to KubeletConfiguration
- Remove stale kubelet config.yaml before unmasking in all kubeadm scripts
- This prevents 'no client provided, cannot use webhook authorization' error
---
 nixos/kubeadm/modules/k8s-common.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/nixos/kubeadm/modules/k8s-common.nix b/nixos/kubeadm/modules/k8s-common.nix
index 4c182d1..77b3ee2 100644
--- a/nixos/kubeadm/modules/k8s-common.nix
+++ b/nixos/kubeadm/modules/k8s-common.nix
@@ -141,6 +141,8 @@ in
         --leaderElection \
         > /etc/kubernetes/manifests/kube-vip.yaml
 
+      rm -f /var/lib/kubelet/config.yaml /var/lib/kubelet/kubeadm-flags.env
+
       systemctl unmask kubelet || true
       systemctl stop kubelet || true
       systemctl reset-failed kubelet || true
@@ -178,6 +180,8 @@ in
       authentication:
         webhook:
           enabled: false
+      authorization:
+        mode: AlwaysAllow
       KUBEADMCONFIG
 
       sed -i "s|KUBEADM_ENDPOINT|$vip:6443|g" /tmp/kubeadm/init-config.yaml
@@ -243,6 +247,8 @@ in
         --leaderElection \
         > /etc/kubernetes/manifests/kube-vip.yaml
 
+      rm -f /var/lib/kubelet/config.yaml /var/lib/kubelet/kubeadm-flags.env
+
       systemctl unmask kubelet || true
       systemctl stop kubelet || true
       systemctl reset-failed kubelet || true
@@ -258,6 +264,8 @@ in
         exit 1
       fi
 
+      rm -f /var/lib/kubelet/config.yaml /var/lib/kubelet/kubeadm-flags.env
+
       systemctl unmask kubelet || true
       systemctl stop kubelet || true
       systemctl reset-failed kubelet || true