Dean H:
Is is possible to allow for completely unauthenticated requests to my dev environment? Currently I’m getting 401 even though the only authorization mode is AlwaysAllow:
root@cks-master:~# k get pods -n kube-system -l component=kube-apiserver -o yaml | grep -C3 authorization-mode
- kube-apiserver
- --advertise-address=10.0.1.203
- --allow-privileged=true
- --authorization-mode=AlwaysAllow
- --client-ca-file=/etc/kubernetes/pki/ca.crt
- --enable-admission-plugins=NodeRestriction
- --enable-bootstrap-token-auth=true
root@cks-master:~# curl <https://localhost:6443/apis> -k
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
}
I’ve also altered the kubelet.conf file:
root@cks-master:/etc/kubernetes/manifests# cat /var/lib/kubelet/config.yaml | grep anonymous -A 5 -B 5
apiVersion: <http://kubelet.config.k8s.io/v1beta1|kubelet.config.k8s.io/v1beta1>
authentication:
anonymous:
enabled: true
cgroupDriver: systemd
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local
wahlberg:
Kubelet.conf settings are for authenticating the user against kubelet.
wahlberg:
That wont affect authentication to kube-apiserver.
wahlberg:
I tested this by setting anonymous-auth and authorization-mode to true and somehow anonymous requests are still failing with “unauthorized message”. But any other user (ie default service account with its token) can query the API for anything and gets authenticated and authorized. It must be something with anonymous user that it still is limited even when you enable authorization-mode=alwaysallow in kube-api. The only other option I can think of is disabling https on kube-api which I am sure would work. But curious why it did not work for anonymous requests when I enabled anonymous-auth and authorization mode to alwaysallow in kube-api.
wahlberg:
@Mumshad Mannambeth @Vijin Palazhi can you please comment ?
Mumshad Mannambeth:
@wahlberg Correct. @Dean H you have only disabled Authorization. Authentication is still required.
Mumshad Mannambeth:
What is --anonymous-auth set to on the kubeapi-server?
wahlberg:
In my lab both --anonymous-auth is set to true and --authorization-modeis AlwaysAllow and when I do curl <https://localhost:6443/version> -k I still get failure unauthorized message. If I revert authorization mode back to Node,RBAC then the same API call works with a proper response.
wahlberg:
It seems like even when authorization mode is set to AlwaysAllow it does not apply to anonymous requests. As if kube-apiserver does NOT authorize anonymous requests even when the authorization mode is AlwaysAllow.