@@ -66,6 +66,59 @@ All values are opaque to the authentication system and only hold significance
6666when interpreted by an [ authorizer] ( /docs/reference/access-authn-authz/authorization/ ) .
6767{{< /note >}}
6868
69+ ## Anonymous requests
70+
71+ When enabled, requests that are not rejected by other configured authentication methods are
72+ treated as anonymous requests, and given a username of ` system:anonymous ` and a group of
73+ ` system:unauthenticated ` .
74+
75+ For example, on a server with token authentication configured, and anonymous access enabled,
76+ a request providing an invalid bearer token would receive a ` 401 Unauthorized ` error.
77+ A request providing no bearer token would be treated as an anonymous request.
78+
79+ Anonymous access is enabled by default if an
80+ [ authorization mode] ( /docs/reference/access-authn-authz/authorization/#authorization-modules )
81+ other than ` AlwaysAllow ` is used; you can disable it by passing the ` --anonymous-auth=false `
82+ command line option to the API server.
83+ The built-in ABAC and RBAC authorizers require explicit authorization of the
84+ ` system:anonymous ` user or the ` system:unauthenticated ` group; if you have legacy policy rules
85+ (from Kubernetes version 1.5 or earlier), those legacy rules
86+ that grant access to the ` * ` user or ` * ` group do not automatically allow access to anonymous users.
87+
88+ ### Anonymous authenticator configuration
89+
90+ {{< feature-state feature_gate_name="AnonymousAuthConfigurableEndpoints" >}}
91+
92+ The ` AuthenticationConfiguration ` can be used to configure the anonymous
93+ authenticator. If you set the anonymous field in the ` AuthenticationConfiguration `
94+ file then you cannot set the ` --anonymous-auth ` command line option.
95+
96+ The main advantage of configuring anonymous authenticator using the authentication
97+ configuration file is that in addition to enabling and disabling anonymous authentication
98+ you can also configure which endpoints support anonymous authentication.
99+
100+ A sample authentication configuration file is below:
101+
102+ {{< highlight yaml "linenos=false,hl_lines=2-5" >}}
103+ ---
104+ #
105+ # CAUTION: this is an example configuration.
106+ # Do not use this as-is for your own cluster!
107+ #
108+ apiVersion: apiserver.config.k8s.io/v1
109+ kind: AuthenticationConfiguration
110+ anonymous:
111+ enabled: true
112+ conditions:
113+ - path: /livez
114+ - path: /readyz
115+ - path: /healthz
116+ {{< /highlight >}}
117+
118+ In the configuration above, only the ` /livez ` , ` /readyz ` and ` /healthz ` endpoints
119+ are reachable by anonymous requests. Any other endpoints will not be reachable
120+ anonymously, even if your authorization configuration would allow it.
121+
69122## Authentication methods
70123
71124You can enable multiple authentication methods at once. You should usually use at least two methods:
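Review bot: the "Anonymous authenticator configuration" subsection (new lines 92-120) should say explicitly that the `conditions` list only narrows which endpoints may be served anonymously and does not itself grant access; as new lines 83-86 state, the ABAC and RBAC authorizers still require explicit authorization of `system:anonymous` or `system:unauthenticated`, so a reader copying the sample with only `/livez`, `/readyz` and `/healthz` listed needs both layers in place, and the note at new lines 118-120 could add what response a request to any other path receives (presumably the same `401 Unauthorized` described at line 76, not an authorization denial) so it is not mistaken for an RBAC failure. Two smaller points in the same hunk: the sentence at new lines 83-86 is tangled ("if you have legacy policy rules ..., those legacy rules that grant access ...") and reads better as "legacy policy rules (from Kubernetes 1.5 or earlier) that grant access to the `*` user or `*` group do not automatically allow access to anonymous users"; and at new line 93 "the anonymous field" refers to a configuration key and should be set in code font as the `anonymous` field, matching how `AuthenticationConfiguration` and `--anonymous-auth` are formatted on the adjacent lines.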
@@ -1144,59 +1197,6 @@ For other circumstances, and especially where very prompt token rotation is
11441197important, the Kubernetes project recommends using a
11451198[webhook token authenticator](#webhook-token-authentication) instead of this mechanism.
11461199
1147- # # Anonymous requests
1148-
1149- When enabled, requests that are not rejected by other configured authentication methods are
1150- treated as anonymous requests, and given a username of `system:anonymous` and a group of
1151- ` system:unauthenticated` .
1152-
1153- For example, on a server with token authentication configured, and anonymous access enabled,
1154- a request providing an invalid bearer token would receive a `401 Unauthorized` error.
1155- A request providing no bearer token would be treated as an anonymous request.
1156-
1157- In 1.5.1-1.5.x, anonymous access is disabled by default, and can be enabled by
1158- passing the `--anonymous-auth=true` option to the API server.
1159-
1160- In 1.6+, anonymous access is enabled by default if an authorization mode other than `AlwaysAllow`
1161- is used, and can be disabled by passing the `--anonymous-auth=false` option to the API server.
1162- Starting in 1.6, the ABAC and RBAC authorizers require explicit authorization of the
1163- ` system:anonymous` user or the `system:unauthenticated` group, so legacy policy rules
1164- that grant access to the `*` user or `*` group do not include anonymous users.
1165-
1166- # ## Anonymous Authenticator Configuration
1167-
1168- {{< feature-state feature_gate_name="AnonymousAuthConfigurableEndpoints" >}}
1169-
1170- The `AuthenticationConfiguration` can be used to configure the anonymous
1171- authenticator. If you set the anonymous field in the `AuthenticationConfiguration`
1172- file then you cannot set the `--anonymous-auth` flag.
1173-
1174- The main advantage of configuring anonymous authenticator using the authentication
1175- configuration file is that in addition to enabling and disabling anonymous authentication
1176- you can also configure which endpoints support anonymous authentication.
1177-
1178- A sample authentication configuration file is below :
1179-
1180- ` ` ` yaml
1181- ---
1182- #
1183- # CAUTION: this is an example configuration.
1184- # Do not use this for your own cluster!
1185- #
1186- apiVersion: apiserver.config.k8s.io/v1
1187- kind: AuthenticationConfiguration
1188- anonymous:
1189- enabled: true
1190- conditions:
1191- - path: /livez
1192- - path: /readyz
1193- - path: /healthz
1194- ` ` `
1195-
1196- In the configuration above only the `/livez`, `/readyz` and `/healthz` endpoints
1197- are reachable by anonymous requests. Any other endpoints will not be reachable
1198- even if it is allowed by RBAC configuration.
1199-
12001200# # User impersonation
12011201
12021202A user can act as another user through impersonation headers. These let requests
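Review bot: the removed block drops the release-specific defaults at old lines 1157-1161 (disabled by default in 1.5.1-1.5.x and enabled with `--anonymous-auth=true`; enabled by default from 1.6 when the authorizer is not `AlwaysAllow`) rather than moving them with the rest of the section; that looks intentional given those releases are out of support, but it should be called out in the PR description, and the replacement wording "legacy policy rules (from Kubernetes version 1.5 or earlier)" in the new section should be checked against the old "Starting in 1.6, the ABAC and RBAC authorizers require explicit authorization" so the cut-over version is stated consistently. Everything else here is a verbatim move (the old "even if it is allowed by RBAC configuration" at line 1198 becomes the broader "even if your authorization configuration would allow it"), and since the section heading text is unchanged, existing links to the section's fragment should still resolve; worth a quick check that nothing else on the site links to the subsection under its old capitalized title.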