From c03a912e5490f5d195a9b5e0efb645a41e78fc20 Mon Sep 17 00:00:00 2001
From: Qiming Teng
Date: Tue, 25 Jun 2024 15:35:25 +0800
Subject: [PATCH 1/2] [zh-cn] Fix indentation in sample policy

---
 .../services-networking/network-policies.md | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/content/zh-cn/docs/concepts/services-networking/network-policies.md b/content/zh-cn/docs/concepts/services-networking/network-policies.md
index eb441af8a8..278e7ecd03 100644
--- a/content/zh-cn/docs/concepts/services-networking/network-policies.md
+++ b/content/zh-cn/docs/concepts/services-networking/network-policies.md
@@ -609,14 +609,14 @@ spec:
 matchLabels:
 app: myapp
 policyTypes:
- - Egress
+ - Egress
 egress:
- - to:
- - namespaceSelector:
- matchExpressions:
- - key: namespace
- operator: In
- values: ["frontend", "backend"]
+ - to:
+ - namespaceSelector:
+ matchExpressions:
+ - key: namespace
+ operator: In
+ values: ["frontend", "backend"]
 ```
 {{< note >}}

From 4b2940eb26d42ac0ef1b267eb9b373156eb83f76 Mon Sep 17 00:00:00 2001
From: Vinayak Goyal
Date: Wed, 26 Jun 2024 21:32:55 +0000
Subject: [PATCH 2/2] KEP-4633: Add documentation for Configurable Endpoints for Anonymous Auth.

Signed-off-by: Vinayak Goyal
---
 .../access-authn-authz/authentication.md | 35 +++++++++++++++++++
 .../anonymous-auth-configurable-endpoints.md | 14 ++++++++
 .../services-networking/network-policies.md | 14 ++++----
 3 files changed, 56 insertions(+), 7 deletions(-)
 create mode 100644 content/en/docs/reference/command-line-tools-reference/feature-gates/anonymous-auth-configurable-endpoints.md

diff --git a/content/en/docs/reference/access-authn-authz/authentication.md b/content/en/docs/reference/access-authn-authz/authentication.md
index 342d7502d9..f6371199b4 100644
--- a/content/en/docs/reference/access-authn-authz/authentication.md
+++ b/content/en/docs/reference/access-authn-authz/authentication.md
@@ -1082,6 +1082,41 @@ Starting in 1.6, the ABAC and RBAC authorizers require explicit authorization of `system:anonymous` user or the `system:unauthenticated` group, so legacy policy rules that grant access to the `*` user or `*` group do not include anonymous users.
+### Anonymous Authenticator Configuration
+
+{{< feature-state feature_gate_name="AnonymousAuthConfigurableEndpoints" >}}
+
+The `AuthenticationConfiguration` can be used to configure the anonymous
+authenticator. To enable configuring anonymous auth via the config file you need
+enable the `AnonymousAuthConfigurableEndpoints` feature gate. When this feature
+gate is enabled you cannot set the `--anonymous-auth` flag.
+
+The main advantage of configuring anonymous authenticator using the authentication
+configuration file is that in addition to enabling and disabling anonymous authentication
+you can also configure which endpoints support anonymous authentication.
+
+A sample authentication configuration file is below:
+
+```yaml
+---
+#
+# CAUTION: this is an example configuration.
+# Do not use this for your own cluster!
+#
+apiVersion: apiserver.config.k8s.io/v1beta1
+kind: AuthenticationConfiguration
+anonymous:
+ enabled: true
+ conditions:
+ - path: /livez
+ - path: /readyz
+ - path: /healthz
+```
+
+In the configuration above only the `/livez`, `/readyz` and `/healthz` endpoints
+are reachable by anonymous requests. Any other endpoints will not be reachable
+even if it is allowed by RBAC configuration.
+
 ## User impersonation
 A user can act as another user through impersonation headers. These let requests
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates/anonymous-auth-configurable-endpoints.md b/content/en/docs/reference/command-line-tools-reference/feature-gates/anonymous-auth-configurable-endpoints.md
new file mode 100644
index 0000000000..38538a15d2
--- /dev/null
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates/anonymous-auth-configurable-endpoints.md
@@ -0,0 +1,14 @@
+---
+title: AnonymousAuthConfigurableEndpoints
+content_type: feature_gate
+_build:
+ list: never
+ render: false
+
+stages:
+ - stage: alpha
+ defaultValue: false
+ fromVersion: "1.31"
+---
+Enable [configurable endpoints for anonymous auth](/docs/reference/access-authn-authz/authentication/#anonymous-authenticator-onfiguration)
+for the API server.
diff --git a/content/zh-cn/docs/concepts/services-networking/network-policies.md b/content/zh-cn/docs/concepts/services-networking/network-policies.md
index 278e7ecd03..eb441af8a8 100644
--- a/content/zh-cn/docs/concepts/services-networking/network-policies.md
+++ b/content/zh-cn/docs/concepts/services-networking/network-policies.md
@@ -609,14 +609,14 @@ spec:
 matchLabels:
 app: myapp
 policyTypes:
- - Egress
+ - Egress
 egress:
- - to:
- - namespaceSelector:
- matchExpressions:
- - key: namespace
- operator: In
- values: ["frontend", "backend"]
+ - to:
+ - namespaceSelector:
+ matchExpressions:
+ - key: namespace
+ operator: In
+ values: ["frontend", "backend"]
 ```
 {{< note >}}