Only allow anonymous auth for configured endpoints.

[vinayakankugoyal]

Enhancement Description

Allow users to specify which endpoints are allowed for anonymous requests. This allows the admin to only allow access to health endpoints like healthz, livez and readyz anonymously while making sure other cluster endpoints or resources cannot be access anonymously even if a user misconfigures RBAC.

• One-line enhancement description (can be used as a release note): Only allow anonymous auth for health endpoints.

• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/4633-anonymous-auth-configurable-endpoints/README.md

• Discussion Link: https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/edit#bookmark=id.ehlt47tezzsk

• Primary contact (assignee): @vinayakankugoyal

• Responsible SIGs: sig-auth

• Enhancement target (which target equals to which milestone):

  • Alpha release target (x.y): 1.31
  • Beta release target (x.y): 1.32
  • Stable release target (x.y): 1.34

• Alpha

  • KEP (k/enhancements) update PR(s):
    • KEP-4633: Only allow anonymous auth for configured endpoints #4634
  • Code (k/k) update PR(s):
    • KEP-4633: Only allow anonymous auth for configured endpoints. kubernetes#124917
    • Fix typo in error message for anonymous field in AuthenticationConfig… kubernetes#125986
    • KEP-4633: Add intgration tests for Anonymous Auth Configurable Endpoints kubernetes#125967
  • Docs (k/website) update PR(s):
    • KEP-4633: Add documentation for Configurable Endpoints for Anonymous Auth. website#46988

• Beta

  • KEP (k/enhancements) update PR(s):
    • KEP-4633: Graduate to BETA. #4798
  • Code (k/k) update PR(s):
    • KEP-4633: Graduate to BETA. kubernetes#127009
  • Docs (k/website) update(s):
    • KEP-4633: Graduate to BETA. website#47787

• Stable

  • KEP (k/enhancements) update PR(s):
    • KEP-4633: Graduate to Stable. #5279
  • Code (k/k) update PR(s):
    • KEP-4633: Graduate to Stable. kubernetes#131654
  • Docs (k/website) update(s):
    • KEP-4633: Graduate to Stable. website#50838

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

[vinayakankugoyal]

/sig auth

[vinayakankugoyal]

/cc @liggitt @destijl

[vinayakankugoyal]

/milestone v1.31

[k8s-ci-robot]

@vinayakankugoyal: You must be a member of the kubernetes/milestone-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your Milestone Maintainers Team and have them propose you as an additional delegate for this responsibility.

In response to this:

/milestone v1.31

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[liggitt]

/milestone v1.31
/label lead-opted-in