erictune · December 13, 2016 18:59
diff --git a/gistfile1.txt b/gistfile1.txt
 The `--anonymous-auth=` flag is new in 1.5.  It is an option on `kube-apiserver`, `federations-apiserver` and `kubelet`.
 When it is set to `true`, users who are not authenticated using another means are authenticated as user `system:anonymous`. 


 This flag is true by default in 1.5.0.  For certain common configurations, true is safe.  However, for other configurations
 it is not safe, and in some cases, upgrading to 1.5.0 may result in any user on your network being able to access some or all
 of the API.  This is mentioned in the release notes.  However, in version 1.5.1 we changed the default to `false`.

 The purpose is to allow for certain api endpoints on the apiserver to be accessible to unauthenticated
 users.  For example, a client might need to determine the server's version by accessing the `/version` endpoint before
 sending authentication information.

 When used with the recommended authorization modes and configuration, this flag is safe.  In particular:
 - using `--authorization-mode=ABAC` with the provided example ABAC file in [https://github.com/kubernetes/kubernetes/blob/master/cluster/saltbase/salt/kube-apiserver/abac-authz-policy.jsonl]
  then this flag is safe.
 - using `--authorization-mode=RBAC` with only the default ("bootstrap") roles, the `--anonymous-auth=true` mode is safe.

 However, other configurations need to be audited before setting the flag to true.  The following comments are
 about when `--anonymous-auth=true`
 - using  `--authorization-mode=ABAC` with `user: "*"` or `group: "*"` rules will allow anonymous users access to the resources
  covered by these rules.  For example, in our [ABAC examples](https://github.com/kubernetes/kubernetes/blob/master/pkg/auth/authorizer/abac/example_policy_file.jsonl), rule 5
  allows unauthenticated users to access endpoints such as `/version`, which is typically safe since these endpoints are readonly and don't reveal sensitive information.
  However, if you had a rule with authorized write access or read access to sensitive data that used a `user: "*"` or `group: "*"` then you 
  should replace that rule with  `group: "system:authenticated"`, which will allow all users except those that are not authenticated.
 - using  `--authorization-mode=ABAC` with ClusterRoleBindings or RoleBindings to user or group "*", then these will now allow anonymous
  access to the bound role.  In some cases, such as the provided `system:discovery` role, this is typically desirable.  However,
  if you have bound all users or groups (using `"*"` in a ClusterRoleBinding or RoleBinding) then you probably want to change those to
  bind group `system:authenticated`.
 - If you are using `--authorization-mode=AllowAll`, which is the default value if you don't specify `--authorization-mode=AllowAll`for 1.5.0 and 1.5.1,
  (and you have set `--anonymous-auth`0 then any user able to connect to the apiserver has complete access to all APIs.
	The `--anonymous-auth=` flag is new in 1.5. It is an option on `kube-apiserver`, `federations-apiserver` and `kubelet`.
	When it is set to `true`, users who are not authenticated using another means are authenticated as user `system:anonymous`.


	This flag is true by default in 1.5.0. For certain common configurations, true is safe. However, for other configurations
	it is not safe, and in some cases, upgrading to 1.5.0 may result in any user on your network being able to access some or all
	of the API. This is mentioned in the release notes. However, in version 1.5.1 we changed the default to `false`.

	The purpose is to allow for certain api endpoints on the apiserver to be accessible to unauthenticated
	users. For example, a client might need to determine the server's version by accessing the `/version` endpoint before
	sending authentication information.

	When used with the recommended authorization modes and configuration, this flag is safe. In particular:
	- using `--authorization-mode=ABAC` with the provided example ABAC file in [https://github.com/kubernetes/kubernetes/blob/master/cluster/saltbase/salt/kube-apiserver/abac-authz-policy.jsonl]
	then this flag is safe.
	- using `--authorization-mode=RBAC` with only the default ("bootstrap") roles, the `--anonymous-auth=true` mode is safe.

	However, other configurations need to be audited before setting the flag to true. The following comments are
	about when `--anonymous-auth=true`
	- using `--authorization-mode=ABAC` with `user: ""` or `group: ""` rules will allow anonymous users access to the resources
	covered by these rules. For example, in our [ABAC examples](https://github.com/kubernetes/kubernetes/blob/master/pkg/auth/authorizer/abac/example_policy_file.jsonl), rule 5
	allows unauthenticated users to access endpoints such as `/version`, which is typically safe since these endpoints are readonly and don't reveal sensitive information.
	However, if you had a rule with authorized write access or read access to sensitive data that used a `user: ""` or `group: ""` then you
	should replace that rule with `group: "system:authenticated"`, which will allow all users except those that are not authenticated.
	- using `--authorization-mode=ABAC` with ClusterRoleBindings or RoleBindings to user or group "*", then these will now allow anonymous
	access to the bound role. In some cases, such as the provided `system:discovery` role, this is typically desirable. However,
	if you have bound all users or groups (using `"*"` in a ClusterRoleBinding or RoleBinding) then you probably want to change those to
	bind group `system:authenticated`.
	- If you are using `--authorization-mode=AllowAll`, which is the default value if you don't specify `--authorization-mode=AllowAll`for 1.5.0 and 1.5.1,
	(and you have set `--anonymous-auth`0 then any user able to connect to the apiserver has complete access to all APIs.