@erictune
Created December 13, 2016 18:59
Notes on use of --anonymous-auth
The `--anonymous-auth=` flag is new in 1.5. It is an option on `kube-apiserver`, `federations-apiserver` and `kubelet`.
When it is set to `true`, requests that are not authenticated by any other means are authenticated as user `system:anonymous`.
This flag is true by default in 1.5.0. For certain common configurations, true is safe. However, for other configurations
it is not safe, and in some cases upgrading to 1.5.0 may result in any user on your network being able to access some or all
of the API. This is mentioned in the release notes. In version 1.5.1, however, we changed the default to `false`.
The purpose of the flag is to allow certain API endpoints on the apiserver to be accessible to unauthenticated
users. For example, a client might need to determine the server's version by accessing the `/version` endpoint before
sending authentication information.
When used with the recommended authorization modes and configuration, this flag is safe. In particular:
- using `--authorization-mode=ABAC` with the provided example ABAC file at https://github.com/kubernetes/kubernetes/blob/master/cluster/saltbase/salt/kube-apiserver/abac-authz-policy.jsonl,
this flag is safe.
- using `--authorization-mode=RBAC` with only the default ("bootstrap") roles, `--anonymous-auth=true` is safe.
However, other configurations need to be audited before setting the flag to true. The following notes describe
what `--anonymous-auth=true` means under those configurations:
- using `--authorization-mode=ABAC` with `user: "*"` or `group: "*"` rules will allow anonymous users access to the resources
covered by these rules. For example, in our [ABAC examples](https://github.com/kubernetes/kubernetes/blob/master/pkg/auth/authorizer/abac/example_policy_file.jsonl), rule 5
allows unauthenticated users to access endpoints such as `/version`, which is typically safe since these endpoints are read-only and don't reveal sensitive information.
However, if you had a rule that granted write access, or read access to sensitive data, using `user: "*"` or `group: "*"`, then you
should replace that rule with `group: "system:authenticated"`, which matches every authenticated user but not anonymous ones.
- using `--authorization-mode=RBAC` with ClusterRoleBindings or RoleBindings to user or group `"*"`, these bindings will now allow anonymous
access to the bound role. In some cases, such as the provided `system:discovery` role, this is desirable. However,
if you have bound all users or groups (using `"*"` in a ClusterRoleBinding or RoleBinding) to anything else, then you probably want to change those bindings to
bind group `system:authenticated` instead.
- If you are using `--authorization-mode=AllowAll`, which is the default if you don't specify `--authorization-mode` at all in 1.5.0 and 1.5.1,
and you have set `--anonymous-auth=true`, then any user able to connect to the apiserver has complete access to all APIs.
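An added audit script (not part of this gist or of Kubernetes) that applies the ABAC checks above to a constructed policy file: it reports every rule that `system:anonymous` would match and suggests the `system:authenticated` rewrite. It assumes that read-only access to non-resource paths such as `/version` is the only wildcard grant acceptable for anonymous users; adjust `is_low_risk` if your cluster's view differs.

```python
"""Audit an ABAC policy (JSONL) for rules reachable by anonymous users
when kube-apiserver runs with --anonymous-auth=true."""
import json

def rule(**spec):
    """Build one ABAC v1beta1 policy line from its spec fields."""
    return json.dumps({"apiVersion": "abac.authorization.kubernetes.io/v1beta1",
                       "kind": "Policy", "spec": spec})

# Constructed sample policy, not a real cluster's file.
SAMPLE_POLICY = "\n".join([
    rule(user="*", nonResourcePath="/version", readonly=True),          # low risk
    rule(user="*", namespace="*", resource="*", apiGroup="*", readonly=True),  # reads secrets
    rule(group="*", namespace="*", resource="pods", apiGroup=""),       # write access
    rule(group="system:authenticated", namespace="*", resource="*", apiGroup="*", readonly=True),
    rule(user="alice", namespace="dev", resource="*", apiGroup="*"),
])

def matches_anonymous(spec):
    """True if system:anonymous (a member of group system:unauthenticated) matches the rule's subject."""
    return (spec.get("user") in ("*", "system:anonymous")
            or spec.get("group") in ("*", "system:unauthenticated"))

def is_low_risk(spec):
    """Assumption: read-only access to non-resource paths only (e.g. /version) is acceptable for anonymous."""
    return bool(spec.get("readonly")) and "nonResourcePath" in spec and "resource" not in spec

def audit_abac(policy_jsonl):
    """Return (line_number, spec) for each rule anonymous users match that is not low risk."""
    findings = []
    for n, line in enumerate(policy_jsonl.splitlines(), 1):
        if not line.strip():
            continue
        spec = json.loads(line).get("spec", {})
        if matches_anonymous(spec) and not is_low_risk(spec):
            findings.append((n, spec))
    return findings

def harden(spec):
    """Replace the wildcard subject with group system:authenticated, as recommended above."""
    fixed = {k: v for k, v in spec.items() if k not in ("user", "group")}
    fixed["group"] = "system:authenticated"
    return fixed

if __name__ == "__main__":
    for n, spec in audit_abac(SAMPLE_POLICY):
        print(f"line {n}: anonymous users match {spec}\n  suggested: {harden(spec)}")
```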