Disable k8s-keystone-auth by default
Two reasons to disable it by default:
- OIDC should be the go-to way to do RBAC
- It can hammer keystone in cases where a kubernetes token is invalid.
Expanding on point 2: If a serviceaccount token gets invalidated for some reason, kube-apiserver passes the token to k8s-keystone-auth, which tries auth with keystone. This will result in repeated 401s in keystone in the order of 1000s per second per cluster.
Ideally, kubernetes tokens should not be passed to k8s-keystone-auth, or k8s-keystone-auth should ignore them without sending them to keystone-api. Also, it would be good to understand why these kubernetes serviceaccount tokens are invalid.
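
The "ignore them without sending them to keystone-api" idea from the message above, sketched as an added example; it is not code from k8s-keystone-auth or from this change. The function names are hypothetical, and it assumes serviceaccount tokens are JWTs whose `sub` begins with `system:serviceaccount:` (or, for legacy tokens, whose `iss` is `kubernetes/serviceaccount`).

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// isServiceAccountToken reports whether tok is shaped like a Kubernetes
// serviceaccount JWT. The signature is NOT verified: the result is only used
// to reject early, so a forged look-alike gains nothing (it is denied too).
func isServiceAccountToken(tok string) bool {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return false // opaque tokens (e.g. Fernet) have no JWT structure
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var claims struct{ Iss, Sub string }
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return false
	}
	return claims.Iss == "kubernetes/serviceaccount" ||
		strings.HasPrefix(claims.Sub, "system:serviceaccount:")
}

// authenticate is a hypothetical webhook entry point. validate stands in for
// the Keystone round trip; serviceaccount tokens never reach it.
func authenticate(tok string, validate func(string) bool) bool {
	if isServiceAccountToken(tok) {
		return false // fail closed without a Keystone 401
	}
	return validate(tok)
}

// makeJWT builds a constructed, unsigned sample token for the demo.
func makeJWT(claims map[string]string) string {
	enc := base64.RawURLEncoding
	body, _ := json.Marshal(claims)
	return enc.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." +
		enc.EncodeToString(body) + "." + enc.EncodeToString([]byte("sig"))
}

func main() {
	sa := makeJWT(map[string]string{"sub": "system:serviceaccount:default:demo"})
	fmt.Println(authenticate(sa, func(string) bool { panic("keystone called") }))
}
```

The check keys on claims rather than on token shape alone because Keystone can itself be configured to issue JWT-format tokens.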