Make default for --anonymous-auth be false.

[erictune]

Changes the default value of the "anonymous-auth" flag to a safer default value of false. This affects kube apiserver and federation apiserver. See https://groups.google.com/forum/#!topic/kubernetes-announce/iclRj-6Nfsg for more details. 

[k8s-reviewable]

This change is 

[erictune]

I'm not 100% sure this is the fix we want, but I am sending it so that we can talk about it and test it.

[k8s-github-robot]

This PR is not for the master branch but does not have the cherrypick-approved label. Adding the do-not-merge label.

[erictune]

@saad-ali don't kick off after merging this. Still checking if federation change practical

[k8s-github-robot]

This PR is not for the master branch but does not have the cherrypick-approved label. Adding the do-not-merge label.

[luxas]

seems like a typo or something

[deads2k]

@erictune it would be nice to fix the typo, but if @saad-ali is in a big hurry, I wouldn't block on it.

[luxas]

Nope, absolutely not needed for the v1.5.1 cut

[deads2k]

It's a shame, but I'm ok with it for 1.5.

At some point we need to rip off the bandaid, but it doesn't have to be now. lgtm

[saad-ali]

@erictune Can you add a release note please in the original post

[saad-ali]

@saad-ali don't kick off after merging this. Still checking if federation change practical

Ack, @erictune. Will wait for your go ahead before proceeding with merge.

[erictune]

Ok to merge. @mahudustancs showed me that this covers federation too

[saad-ali]

Awesome merging

[saad-ali]

All checks are green:

@k8s-ci-robot  Jenkins CRI GCE Node e2e — Build succeeded.
Details@k8s-ci-robot  Jenkins GCE Node e2e — Build succeeded.
Details@k8s-ci-robot  Jenkins GCE e2e — Build succeeded.
Details@k8s-ci-robot  Jenkins GCE etcd3 e2e — Build succeeded.
Details@k8s-ci-robot  Jenkins GCI GCE e2e — Build succeeded.
Details@k8s-ci-robot  Jenkins GCI GKE smoke e2e — Build succeeded.
Details@k8s-ci-robot  Jenkins GKE smoke e2e — Build succeeded.
Details@k8s-ci-robot  Jenkins Kubemark GCE e2e — Build succeeded.
Details@k8s-ci-robot  Jenkins unit/integration — Build succeeded.
Details@k8s-ci-robot  Jenkins verification — Build succeeded.
Details@thelinuxfoundation  cla/linuxfoundation — erictune authorized

Manually merging for v1.5.1

[saad-ali]

Let's make sure this gets merged back to master at some point

[saad-ali]

Let's make sure this gets merged back to master at some point

@deads2k, @erictune is out, could you make sure this PR #38717 and #38898 are cherr-picked back to the master branch?

[deads2k]

@deads2k, @erictune is out, could you make sure this PR #38717 and #38898 are cherr-picked back to the master branch?

@saad-ali @liggitt I think we want to try to switch the default again in 1.6. If we update the abac user star evaluation, eliminate the rbac user star (no need for it and its alpha), and use my default stomping pull I think we have a reasonable shot.

[liggitt]

#38968 makes ABAC safe with anonymous auth enabled

[liggitt]

#38981 removes special handling of * for RBAC bindings

[saad-ali]

@saad-ali @liggitt I think we want to try to switch the default again in 1.6. If we update the abac user star evaluation, eliminate the rbac user star (no need for it and its alpha), and use my default stomping pull I think we have a reasonable shot.

Ack. Feel free to correct me, as I'm completely out of my depth here, but wasn't the concern with this that the default authorization was AllowAll which when combined with the new default authentication scheme permitting anonymous access was dangerous. If that's the case, modifying the ABAC and RBAC wouldn't fix AllowAll, right? Just want to make sure we don't have to repeat the same song and dance for 1.6. Thank you both for being on this.

[liggitt]

#38706 is open to address the anonymous+AlwaysAllow combination

there were secondary concerns with legacy RBAC/ABAC policies matching anonymous users unintentionally

[saad-ali]

Perfect, thanks @liggitt