-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KEP-4633: Only allow anonymous auth for configured endpoints. #124917
base: master
Are you sure you want to change the base?
Conversation
Testing Notes:
$ kind build node-image .
I updated the kube-apiserver container with the argument --anonymous-auth-health-only=true
as expected it fails.
anonymous request to readyz succeeded (public-info-viewer clusterrolebinding works)
|
/cc @liggitt |
Testing Notes 2: Instead of docker execing and changing the kube-apiserver manifest I can just create a new kind cluster and use the kind cluster config to set extra args and feature-gates on the cluster. I used the following kind cluster config. kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
featureGates:
"HealthOnlyAnonymousAuth": true
nodes:
- role: control-plane
kubeadmConfigPatches:
- |
kind: ClusterConfiguration
apiServer:
extraArgs:
anonymous-auth-health-only: "true" |
/triage accepted |
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
dbb03fa
to
ebb03dc
Compare
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: vinayakankugoyal The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: Vinayak Goyal <vinaygo@google.com>
Testing note 3: After reworking the KEP a bit here is the new kubeadm config required to use this feature. kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
featureGates:
# any feature gate can be enabled here with "Name": true
# or disabled here with "Name": false
# not all feature gates are tested, however
"AnonymousAuthConfigurableEndpoints": true
"StructuredAuthenticationConfiguration": true
nodes:
- role: control-plane
extraMounts:
- hostPath: /usr/local/google/home/vinaygo/go/src/k8s.io/kubernetes/authconfig.yaml
containerPath: /etc/kubernetes/pki/authconfig.yaml
kubeadmConfigPatches:
- |
kind: ClusterConfiguration
apiServer:
extraArgs:
authentication-config: /etc/kubernetes/pki/authconfig.yaml and here is how you need to setup the auth config file apiVersion: apiserver.config.k8s.io/v1alpha1
kind: AuthenticationConfiguration
anonymous:
enabled: true
restrictToPaths:
- /livez
- /readyz
- /healthz |
@vinayakankugoyal: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR adds the functionality of kubernetes/enhancements#4633 behind a feature gate. When the feature gate is enabled this PR allows a restricted anonymous auth mode that only allows a set of configured endpoints to be reached anonymously.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: