Merge pull request #46988 from vinayakankugoyal/kep4633

KEP-4633: Add documentation for Configurable Endpoints for Anonymous Auth.
This commit is contained in:
Kubernetes Prow Robot 2024-07-23 19:54:11 -07:00 committed by GitHub
commit a77fcc771b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 49 additions and 0 deletions

View File

@ -1082,6 +1082,41 @@ Starting in 1.6, the ABAC and RBAC authorizers require explicit authorization of
`system:anonymous` user or the `system:unauthenticated` group, so legacy policy rules `system:anonymous` user or the `system:unauthenticated` group, so legacy policy rules
that grant access to the `*` user or `*` group do not include anonymous users. that grant access to the `*` user or `*` group do not include anonymous users.
### Anonymous Authenticator Configuration
{{< feature-state feature_gate_name="AnonymousAuthConfigurableEndpoints" >}}
The `AuthenticationConfiguration` can be used to configure the anonymous
authenticator. To enable configuring anonymous auth via the config file you need
enable the `AnonymousAuthConfigurableEndpoints` feature gate. When this feature
gate is enabled you cannot set the `--anonymous-auth` flag.
The main advantage of configuring anonymous authenticator using the authentication
configuration file is that in addition to enabling and disabling anonymous authentication
you can also configure which endpoints support anonymous authentication.
A sample authentication configuration file is below:
```yaml
---
#
# CAUTION: this is an example configuration.
# Do not use this for your own cluster!
#
apiVersion: apiserver.config.k8s.io/v1beta1
kind: AuthenticationConfiguration
anonymous:
enabled: true
conditions:
- path: /livez
- path: /readyz
- path: /healthz
```
In the configuration above only the `/livez`, `/readyz` and `/healthz` endpoints
are reachable by anonymous requests. Any other endpoints will not be reachable
even if it is allowed by RBAC configuration.
## User impersonation ## User impersonation
A user can act as another user through impersonation headers. These let requests A user can act as another user through impersonation headers. These let requests
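Review bot: the closing paragraph of the new section ("In the configuration above only the `/livez`, `/readyz` and `/healthz` endpoints...") has a grammar slip and leaves the key behaviour implicit: "even if it is allowed by RBAC configuration" should read "even if they are allowed by RBAC", and the sentence should state plainly that an anonymous request to any path not listed under `conditions` is rejected as unauthenticated rather than being evaluated by the authorizer, which is the point that distinguishes this from an RBAC rule. Two smaller fixes in the same hunk: "you need enable the `AnonymousAuthConfigurableEndpoints` feature gate" is missing "to", and "When this feature gate is enabled you cannot set the `--anonymous-auth` flag" should say whether the restriction applies whenever the gate is on or only once `anonymous` is set in the configuration file, since readers who enable the gate without a config file will want to know which.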

View File

@ -0,0 +1,14 @@
---
title: AnonymousAuthConfigurableEndpoints
content_type: feature_gate
_build:
list: never
render: false
stages:
- stage: alpha
defaultValue: false
fromVersion: "1.31"
---
Enable [configurable endpoints for anonymous auth](/docs/reference/access-authn-authz/authentication/#anonymous-authenticator-onfiguration)
for the API server.
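Review bot: the link anchor is broken: `#anonymous-authenticator-onfiguration` is missing the `c` and will not resolve to the `### Anonymous Authenticator Configuration` heading added in the other file; it should be `#anonymous-authenticator-configuration`.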