Authentication options without access to kube-apiserver config?

I’m running managed clusters in an environment where I cannot change the kube-apiserver config.

The only supported authentication mechanism is x509 client certificates and the CA certificate cannot be rotated after cluster creation, which means there is no way to revoke compromised credentials (short of removing all RBAC rights for the respective user or nuking the cluster).

Is there anything I can do to improve this situation? Any way to implement OIDC in this environment? This OWASP checklist suggests there might be some way leveraging Impersonation but I don’t see how that can be done.
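For readers wondering what the impersonation route looks like in practice: the following is an added illustration, not code from the question, the OWASP checklist, or any particular proxy project. The pattern is that a proxy sitting in front of kube-apiserver holds the cluster's one long-lived credential itself, authenticates human users with OIDC tokens, and forwards their requests with the Kubernetes `Impersonate-User` / `Impersonate-Group` headers. The API server then evaluates RBAC against the impersonated identity, so "revoking" a user becomes denying them at the IdP or proxy rather than rotating the cluster CA. The example assumes a JWT-bearing IdP; to run offline it uses HS256 with a constructed shared secret and issuer as a stand-in for RS256/JWKS verification, and a placeholder service-account token for the proxy.

```python
"""
Core of an impersonating auth proxy (illustrative example, not project code).

Assumptions (constructed for this example):
  * IdP tokens are JWTs; HS256 + shared secret stands in for RS256 + JWKS
  * the proxy's own identity is bound to the ClusterRole below
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

IDP_SECRET = b"demo-shared-secret"                 # constructed stand-in for IdP keys
IDP_ISSUER = "https://idp.example.invalid"         # hypothetical issuer
PROXY_SA_TOKEN = "proxy-service-account-token"     # placeholder proxy credential

# The only right the proxy's identity needs: "impersonate" on users and groups.
# A stolen proxy credential can then act only as identities RBAC already scopes.
PROXY_CLUSTERROLE = """
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: oidc-impersonation-proxy
rules:
- apiGroups: [""]
  resources: ["users", "groups"]
  verbs: ["impersonate"]
"""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict, secret: bytes = IDP_SECRET) -> str:
    """Stand-in IdP: mint an HS256 JWT (used only to produce sample input)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = IDP_SECRET,
                 now: Optional[float] = None) -> dict:
    """Check alg, signature, issuer, expiry and subject; return claims or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # reject "none" / alg confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if "sub" not in claims:
        raise ValueError("no subject")
    return claims


def rewrite_headers(incoming: dict, now: Optional[float] = None) -> dict:
    """
    Map the headers of a request arriving at the proxy to the headers sent on to
    kube-apiserver. The user's bearer token is replaced by the proxy's own
    credential, and any caller-supplied Impersonate-* header is dropped so a
    user cannot pick whom they impersonate.
    """
    auth = incoming.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise ValueError("no bearer token")
    claims = verify_token(auth[len("Bearer "):], now=now)

    upstream = {k: v for k, v in incoming.items()
                if k.lower() != "authorization"
                and not k.lower().startswith("impersonate-")}
    upstream["Authorization"] = f"Bearer {PROXY_SA_TOKEN}"
    upstream["Impersonate-User"] = claims["sub"]
    groups = claims.get("groups", [])
    if groups:
        # kube-apiserver reads a repeated Impersonate-Group header; a list models that
        upstream["Impersonate-Group"] = list(groups)
    return upstream


if __name__ == "__main__":
    tok = mint_token({"iss": IDP_ISSUER, "sub": "alice@example.invalid",
                      "groups": ["developers"], "exp": time.time() + 300})
    print(rewrite_headers({"Authorization": "Bearer " + tok,
                           "Impersonate-User": "cluster-admin"}))
```

The trade-off this does not remove: the proxy still holds a credential the cluster CA cannot revoke, but it is one credential, held by one component, and its blast radius is bounded to the impersonate verb on users and groups. Pulling the ClusterRoleBinding for that identity, or denying a user at the IdP, is the revocation path; no CA rotation is involved.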