Only allow anonymous auth for configured endpoints.

[vinayakankugoyal]

Enhancement Description

Allow users to specify which endpoints are allowed for anonymous requests. This allows the admin to only allow access to health endpoints like healthz, livez and readyz anonymously while making sure other cluster endpoints or resources cannot be access anonymously even if a user misconfigures RBAC.

• One-line enhancement description (can be used as a release note): Only allow anonymous auth for health endpoints.

• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/4633-anonymous-auth-configurable-endpoints/README.md

• Discussion Link: https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/edit#bookmark=id.ehlt47tezzsk

• Primary contact (assignee): @vinayakankugoyal

• Responsible SIGs: sig-auth

• Enhancement target (which target equals to which milestone):

  • Alpha release target (x.y): 1.31
  • Beta release target (x.y): 1.32
  • Stable release target (x.y): 1.34

• Alpha

  • KEP (k/enhancements) update PR(s):
    • KEP-4633: Only allow anonymous auth for configured endpoints #4634
  • Code (k/k) update PR(s):
    • KEP-4633: Only allow anonymous auth for configured endpoints. kubernetes#124917
    • Fix typo in error message for anonymous field in AuthenticationConfig… kubernetes#125986
    • KEP-4633: Add intgration tests for Anonymous Auth Configurable Endpoints kubernetes#125967
  • Docs (k/website) update PR(s):
    • KEP-4633: Add documentation for Configurable Endpoints for Anonymous Auth. website#46988

• Beta

  • KEP (k/enhancements) update PR(s):
    • KEP-4633: Graduate to BETA. #4798
  • Code (k/k) update PR(s):
    • KEP-4633: Graduate to BETA. kubernetes#127009
  • Docs (k/website) update(s):
    • KEP-4633: Graduate to BETA. website#47787

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

[vinayakankugoyal]

/sig auth

[vinayakankugoyal]

/cc @liggitt @destijl

[vinayakankugoyal]

/milestone v1.31

[k8s-ci-robot]

@vinayakankugoyal: You must be a member of the kubernetes/milestone-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your Milestone Maintainers Team and have them propose you as an additional delegate for this responsibility.

In response to this:

/milestone v1.31

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[liggitt]

/milestone v1.31
/label lead-opted-in

[vinayakankugoyal]

PRR Approver

/assign @jpbetz

[sftim]

/retitle Only allow anonymous auth for health endpoints

[prianna]

Hello @vinayakankugoyal 👋, Enhancements team here.

Just checking in as we approach enhancements freeze on 02:00 UTC Friday 14th June 2024 / 19:00 PDT Thursday 13th June 2024.

This enhancement is targeting stage alpha for v1.31 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: v1.31. KEPs targeting stable will need to be marked as implemented after code PRs are merged and the feature gates are removed.
• KEP readme has up-to-date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here). If your production readiness review is not completed yet, please make sure to fill the production readiness questionnaire in your KEP by the PRR Freeze deadline of Thursday 6th June 2024 so that the PRR team has enough time to review your KEP.

For this KEP, it looks like we still need to do the following:

• Merge KEP-4633: Only allow anonymous auth for configured endpoints #4634 before the enhancement freeze date and update KEP status to implementable, looks like we need review from one more approver.

The status of this enhancement is marked as at risk for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well.

If you anticipate missing enhancements freeze, you can file an exception request in advance. Thank you!

[vinayakankugoyal]

Hi @prianna - thanks a lot for the heads up. We were granted the PRR approval #4634 (comment) and the reviewers have agreed that we can set the status to implementable. I am expecting this to be merged this week.

[vinayakankugoyal]

@prianna - The KEP was merged as implementable in milestone 1.31 with a PRR approval. Are we all good on the KEP freeze front?

[MaryamTavakkoli]

Hello @jpbetz @liggitt @vinayakankugoyal 👋, 1.31 Docs Shadow here.
Does this enhancement work planned for 1.31 require any new docs or modifications to existing docs?
If so, please follow the steps here to open a PR against the dev-1.31 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday, June 27, 2024, 18:00 PDT.
Also, take a look at Documenting for a release to get yourself familiarised with the docs requirement for the release.
Thank you!

[vinayakankugoyal]

Thanks @prianna! kubernetes/kubernetes#125967 is the only remaining action item for this KEP. I am just waiting for someone from sig-auth to Approve.

Other than that the docs PR kubernetes/website#46988 is also waiting for review and approval.

[prianna]

Looks like this was merged. With the merge of kubernetes/kubernetes#125967 as per the issue, this enhancement is now marked as tracked for code freeze for the 1.31 Code Freeze!

[liggitt]

opting in for beta for 1.32

[shecodesmagic]

Hello @vinayakankugoyal 👋, Enhancements team here.

Just checking in as we approach enhancements freeze on 02:00 UTC Friday 11th October 2024 / 19:00 PDT Thursday 10th October 2024.

This enhancement is targeting for stage beta for v.132 (correct me, if otherwise)

Here’s where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: 1.32. KEPs targeting stable will need to be marked as implemented after code PRs are merged and the feature gates are removed.
• KEP readme has up-to-date graduation criteria.
• KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here).

Please consider asnwering What are other known failure modes? in Troubleshooting section of the KEP readme.

With all the KEP requirements in place and merged into k/enhancements, this enhancement is all good for the upcoming enhancements freeze. 🚀

The status of this enhancement is marked as tracked for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[spurin]

Hi @vinayakankugoyal 👋, I'm James Spurin, a 1.32 Docs Shadow. Great to meet you.

Does this enhancement work planned for 1.32 require any new docs or modifications to the existing docs?

If so, please follows the steps here to open a PR against dev-1.32 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday October 24th 2024 18:00 PDT.

Also, take a look at Documenting for a release to familiarise with the docs requirement for the release.

Thank you!

[mbianchidev]

Hey @vinayakankugoyal 👋 from the v1.32 Communications Team!

We'd love for you to consider writing a feature blog about your enhancement.
Some reasons why you might want to write a blog for this feature include (but are not limited to) if this introduces breaking changes, is important to our users, or has been in progress for a long time and it is graduating.

To opt-in, let us know by opening a Feature Blog placeholder PR against the website repository by 30th Oct 2024. For more information about writing a blog see the blog contribution guidelines.

Note: In your placeholder PR, use XX characters for the blog date in the front matter and file name. We will work with you on updating the PR with the publication date once we finalize the blog schedule.

[vinayakankugoyal]

@spurin - the docs PR is already opened since 2024-09-04. I am still waiting for review on that. Thanks!
kubernetes/website#47787

[spurin]

Thanks for confirming @vinayakankugoyal.

@sftim, it appears that @vinayakankugoyal has attempted to address the feedback that you provided. Do you have any cycles to review these changes and move this along please? 🙏

Also tagging @dipesh-rawat and @drewhagen, listed as reviewers for PR #47787.

[mbianchidev]

Hey @vinayakankugoyal 👋 from the v1.32 Communications Team!

We'd love for you to consider writing a feature blog about your enhancement. Some reasons why you might want to write a blog for this feature include (but are not limited to) if this introduces breaking changes, is important to our users, or has been in progress for a long time and it is graduating.

To opt-in, let us know by opening a Feature Blog placeholder PR against the website repository by 30th Oct 2024. For more information about writing a blog see the blog contribution guidelines.

Note: In your placeholder PR, use XX characters for the blog date in the front matter and file name. We will work with you on updating the PR with the publication date once we finalize the blog schedule.

Just a reminder since the blog opt-in deadline is close!

[shecodesmagic]

Hello @vinayakankugoyal 👋, Enhancements team here (again 😁 )

With all the implementation(code related) PRs merged as per the issue description:

• KEP-4633: Graduate to BETA. kubernetes#127009

This enhancement is now marked as tracked for code freeze for the v1.32 Code Freeze!

Please note that KEPs targeting stable need to have the status field marked as implemented in the kep.yaml file after code PRs are merged and the feature gates are removed.

[dipesh-rawat]

Hello 👋, 1.33 Enhancements Lead here.

I’m closing milestone 1.32 now. If you'd like to work on this enhancement in v1.33, please have the SIG lead opt-in by adding the lead-opted-in label, which ensures it gets added to the tracking board. Also, please set the milestone to v1.33 using /milestone v1.33.
Thanks!

/remove-label lead-opted-in
/milestone clear

[liggitt]

This is staying in beta with no changes in 1.33