hmmm... Maybe the trick is to provide a full kubeconfig file contents so that the user can't change them and then provide a way for an individual user to override how they authenticate (e.g. if they need a proxy) so they can replace just the
user
part of the config?
Seems ugly but should work...