@@ -66,6 +66,59 @@ All values are opaque to the authentication system and only hold significance
6666when interpreted by an [ authorizer] ( /docs/reference/access-authn-authz/authorization/ ) .
6767{{< /note >}}
6868
69+ ## Anonymous requests
70+
71+ When enabled, requests that are not rejected by other configured authentication methods are
72+ treated as anonymous requests, and given a username of ` system:anonymous ` and a group of
73+ ` system:unauthenticated ` .
74+
75+ For example, on a server with token authentication configured, and anonymous access enabled,
76+ a request providing an invalid bearer token would receive a ` 401 Unauthorized ` error.
77+ A request providing no bearer token would be treated as an anonymous request.
78+
79+ Anonymous access is enabled by default if an
80+ [ authorization mode] ( /docs/reference/access-authn-authz/authorization/#authorization-modules )
81+ other than ` AlwaysAllow ` is used; you can disable it by passing the ` --anonymous-auth=false `
82+ command line option to the API server.
83+ The built-in ABAC and RBAC authorizers require explicit authorization of the
84+ ` system:anonymous ` user or the ` system:unauthenticated ` group; if you have legacy policy rules
85+ (from Kubernetes version 1.5 or earlier), those legacy rules
86+ that grant access to the ` * ` user or ` * ` group do not automatically allow access to anonymous users.
87+
88+ ### Anonymous authenticator configuration
89+
90+ {{< feature-state feature_gate_name="AnonymousAuthConfigurableEndpoints" >}}
91+
92+ The ` AuthenticationConfiguration ` can be used to configure the anonymous
93+ authenticator. If you set the anonymous field in the ` AuthenticationConfiguration `
94+ file then you cannot set the ` --anonymous-auth ` command line option.
95+
96+ The main advantage of configuring anonymous authenticator using the authentication
97+ configuration file is that in addition to enabling and disabling anonymous authentication
98+ you can also configure which endpoints support anonymous authentication.
99+
100+ A sample authentication configuration file is below:
101+
102+ {{< highlight yaml "linenos=false,hl_lines=2-5" >}}
103+ ---
104+ #
105+ # CAUTION: this is an example configuration.
106+ # Do not use this as-is for your own cluster!
107+ #
108+ apiVersion: apiserver.config.k8s.io/v1
109+ kind: AuthenticationConfiguration
110+ anonymous:
111+ enabled: true
112+ conditions:
113+ - path: /livez
114+ - path: /readyz
115+ - path: /healthz
116+ {{< /highlight >}}
117+
118+ In the configuration above, only the ` /livez ` , ` /readyz ` and ` /healthz ` endpoints
119+ are reachable by anonymous requests. Any other endpoints will not be reachable
120+ anonymously, even if your authorization configuration would allow it.
121+
69122## Authentication methods
70123
71124You can enable multiple authentication methods at once. You should usually use at least two methods:
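Review bot: the legacy-rules sentence in the relocated section reads awkwardly and loses the causal link the old text had. "if you have legacy policy rules (from Kubernetes version 1.5 or earlier), those legacy rules that grant access to the `*` user or `*` group do not automatically allow access to anonymous users" repeats "legacy rules" and drops the "so" that tied it to the preceding clause about ABAC and RBAC requiring explicit authorization. Suggest: "Because the built-in ABAC and RBAC authorizers require explicit authorization of the `system:anonymous` user or the `system:unauthenticated` group, legacy policy rules (from Kubernetes 1.5 or earlier) that grant access to the `*` user or `*` group do not grant access to anonymous users." Two smaller points in the same hunk: the opening sentence "requests that are not rejected by other configured authentication methods are treated as anonymous" is ambiguous on its own, since a request with no credentials is neither accepted nor rejected; the example two paragraphs later resolves this, so consider saying directly that only requests carrying no credentials recognized by any configured authenticator fall through to anonymous, while invalid credentials get `401`. And `hl_lines=2-5` on the highlight shortcode marks the `CAUTION` comment lines rather than the `anonymous:` stanza (lines 8-13 of the YAML); if the intent is to draw the reader's eye to the configuration being explained, adjust the range.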
@@ -1140,59 +1193,6 @@ For other circumstances, and especially where very prompt token rotation is
11401193important, the Kubernetes project recommends using a
11411194[webhook token authenticator](#webhook-token-authentication) instead of this mechanism.
11421195
1143- # # Anonymous requests
1144-
1145- When enabled, requests that are not rejected by other configured authentication methods are
1146- treated as anonymous requests, and given a username of `system:anonymous` and a group of
1147- ` system:unauthenticated` .
1148-
1149- For example, on a server with token authentication configured, and anonymous access enabled,
1150- a request providing an invalid bearer token would receive a `401 Unauthorized` error.
1151- A request providing no bearer token would be treated as an anonymous request.
1152-
1153- In 1.5.1-1.5.x, anonymous access is disabled by default, and can be enabled by
1154- passing the `--anonymous-auth=true` option to the API server.
1155-
1156- In 1.6+, anonymous access is enabled by default if an authorization mode other than `AlwaysAllow`
1157- is used, and can be disabled by passing the `--anonymous-auth=false` option to the API server.
1158- Starting in 1.6, the ABAC and RBAC authorizers require explicit authorization of the
1159- ` system:anonymous` user or the `system:unauthenticated` group, so legacy policy rules
1160- that grant access to the `*` user or `*` group do not include anonymous users.
1161-
1162- # ## Anonymous Authenticator Configuration
1163-
1164- {{< feature-state feature_gate_name="AnonymousAuthConfigurableEndpoints" >}}
1165-
1166- The `AuthenticationConfiguration` can be used to configure the anonymous
1167- authenticator. If you set the anonymous field in the `AuthenticationConfiguration`
1168- file then you cannot set the `--anonymous-auth` flag.
1169-
1170- The main advantage of configuring anonymous authenticator using the authentication
1171- configuration file is that in addition to enabling and disabling anonymous authentication
1172- you can also configure which endpoints support anonymous authentication.
1173-
1174- A sample authentication configuration file is below :
1175-
1176- ` ` ` yaml
1177- ---
1178- #
1179- # CAUTION: this is an example configuration.
1180- # Do not use this for your own cluster!
1181- #
1182- apiVersion: apiserver.config.k8s.io/v1
1183- kind: AuthenticationConfiguration
1184- anonymous:
1185- enabled: true
1186- conditions:
1187- - path: /livez
1188- - path: /readyz
1189- - path: /healthz
1190- ` ` `
1191-
1192- In the configuration above only the `/livez`, `/readyz` and `/healthz` endpoints
1193- are reachable by anonymous requests. Any other endpoints will not be reachable
1194- even if it is allowed by RBAC configuration.
1195-
11961196# # User impersonation
11971197
11981198A user can act as another user through impersonation headers. These let requests
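Review bot: the only content the removal drops without a counterpart in the relocated section is the version history at the "In 1.5.1-1.5.x" and "In 1.6+" paragraphs; the new text keeps the 1.6+ behaviour as the unqualified default and the "Starting in 1.6" qualifier on the ABAC/RBAC requirement, which is consistent, so confirm that dropping the 1.5.x default is intended and add a sentence to the PR description saying so. The other differences between the removed block and its replacement are improvements: the closing sentence now reads "even if your authorization configuration would allow it" instead of "even if it is allowed by RBAC configuration", which correctly covers non-RBAC authorizers, and the fenced `yaml` block becomes the `highlight` shortcode. One check before merge: the old heading was "Anonymous Authenticator Configuration" and the new one is "Anonymous authenticator configuration"; since Hugo derives the anchor from the heading text the slug is unchanged, but any link that relied on the section sitting after "Service account tokens" should be re-verified.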