Authorization Mode Order in kube-apiserver Configuration #10110

Open
Nauno33 opened this issue Jan 9, 2025 · 0 comments
Nauno33 commented Jan 9, 2025

Bug Report

Expected Behavior:
I expect the authorization-mode to be set in the exact order as specified: Node,Webhook,RBAC.

Actual Behavior:
The authorization-mode changes order after reboot.

Description

I am trying to configure the authorization-mode in kube-apiserver to prioritize the Webhook authorization mode before RBAC. Here are the steps I followed:
I set the following extra args in my machine configuration:

    authorization-mode: Node,Webhook,RBAC
    authorization-webhook-version: v1
    authorization-webhook-config-file: /system/config/kubernetes/kube-apiserver/authorization-config.yaml

I am using an external Webhook, which is a pod running Open Policy Agent (OPA) within the cluster.
After rebooting, I noticed that the authorization-mode order is altered as follows:

    authorization-mode: Node,RBAC,Webhook

The order is not as I configured it.

Steps to Reproduce:

1. Configure extraArgs for kube-apiserver as follows:

        authorization-mode: Node,Webhook,RBAC
        authorization-webhook-version: v1
        authorization-webhook-config-file: /system/config/kubernetes/kube-apiserver/authorization-config.yaml

2. Reboot the node.
3. Check the effective authorization-mode in the kube-apiserver configuration.

Questions:

Is there a way to ensure the authorization-mode order is respected as configured?

Thank you for your help!

Environment

  • Talos version: [1.9.1]
  • Kubernetes version: [1.32.0]
  • Platform: vmware
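
One way to automate the "check the effective authorization-mode" step from the report, as an added example that is not part of the original issue or of the Talos project's code: it reads a kube-apiserver pod object (the JSON that `kubectl get pod -o json` emits) and reports when the effective `--authorization-mode` order differs from the configured one. The function names, the sample pod objects and the binary path in them are constructed for illustration.

```python
import json

FLAG = "--authorization-mode"

def effective_authz_modes(pod):
    """Return the authorizer chain from a kube-apiserver pod object, in order."""
    for container in pod["spec"]["containers"]:
        argv = container.get("command", []) + container.get("args", [])
        for i, arg in enumerate(argv):
            if arg.startswith(FLAG + "="):           # --flag=value form
                value = arg.split("=", 1)[1]
            elif arg == FLAG and i + 1 < len(argv):  # --flag value form
                value = argv[i + 1]
            else:
                continue
            return [m.strip() for m in value.split(",") if m.strip()]
    return []

def check_order(pod, expected):
    """Return findings; an empty list means the effective order matches."""
    actual = effective_authz_modes(pod)
    if not actual:
        return [f"{FLAG} not set on any container"]
    findings = []
    if actual != expected:
        findings.append(f"order drift: expected {','.join(expected)}, got {','.join(actual)}")
    # kube-apiserver consults authorizers in sequence and stops at the first
    # allow or deny, so a webhook listed after RBAC never sees requests that
    # RBAC has already allowed.
    if {"RBAC", "Webhook"} <= set(actual) and actual.index("RBAC") < actual.index("Webhook"):
        findings.append("RBAC precedes Webhook: RBAC-allowed requests bypass the webhook")
    return findings

def sample_pod(modes):
    """Constructed stand-in for `kubectl -n kube-system get pod <name> -o json`."""
    return json.loads(json.dumps({"spec": {"containers": [{
        "name": "kube-apiserver",
        "command": ["/usr/local/bin/kube-apiserver", f"{FLAG}={modes}",
                    "--authorization-webhook-version=v1"],
    }]}}))

if __name__ == "__main__":
    expected = ["Node", "Webhook", "RBAC"]
    for modes in ("Node,Webhook,RBAC", "Node,RBAC,Webhook"):
        print(modes, "->", check_order(sample_pod(modes), expected) or "OK")
```

Running the same check after every reboot or upgrade catches the reordering before an OPA policy that is meant to deny RBAC-allowed requests silently stops being consulted.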