unauthenticated requests is not denied, neither api-server fail to run with anonymous-auth=false and AuthenticationConfiguration.Anonymous is non-nil in api-server

[CindyLixinli]

test env:
kubernetes version: 1.32.2

when i was trying the function of https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/4633-anonymous-auth-configurable-endpoints with following setup.

set anonymous-auth=false in apiserver.

    - --anonymous-auth=false
    - --authentication-config=/etc/kubernetes/auth-config/anonymous-authenticator.yaml

while enable Anonymous Auth in the AuthenticationConfiguration.

apiVersion: apiserver.config.k8s.io/v1alpha1
kind: AuthenticationConfiguration
anonymous:
  enabled: true

with "anonymous-auth=false" and AuthenticationConfiguration, i would expect api-server fail to start, or at least unauthenticated requests will be denied, but in this case, i observed api-server is running up and i could get response with anonymouse user.

#curl -sSfLk https://10.200.112.31:6443/livez
ok

it's inconsistent with below description in the documentation:

If AuthenticationConfiguration.Anonymous is non-nil and --anonymous-auth flag is set then kube-apiserver should fail to start with an appropriate error guiding the user to either use --anonymous-auth or use AuthenticationConfiguration.Anonymous.

[kikisdeliveryservice]

Hi @CindyLixinli !

I recommend reaching out to sig-auth directly about your issue either in their mailing list, meeting or slack channel. The k/enhancements repo is generally not monitored for bugs.

Please see the following link for further contact information: https://github.com/kubernetes/community/blob/master/sig-auth/README.md

[enj]

/assign vinayakankugoyal

@vinayakankugoyal PTAL

[vinayakankugoyal]

I am not able to reproduce this via kind at head.

I created a kind cluster using the following kind cluster config.

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
featureGates:
  # any feature gate can be enabled here with "Name": true
  # or disabled here with "Name": false
  # not all feature gates are tested, however
  "AnonymousAuthConfigurableEndpoints": true
  "StructuredAuthenticationConfiguration": true
nodes:
- role: control-plane
  extraMounts:
  - hostPath: /usr/local/google/home/vinaygo/go/src/k8s.io/kubernetes/authconfig.yaml
    containerPath: /etc/kubernetes/pki/authconfig.yaml
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
        extraArgs:
          authentication-config: /etc/kubernetes/pki/authconfig.yaml
          anonymous-auth: "false"

The authconfig.yaml is

apiVersion: apiserver.config.k8s.io/v1alpha1
kind: AuthenticationConfiguration
anonymous:
  enabled: true

With this config kube-apiserver fails to comeup with

E0220 17:40:54.594122       1 run.go:72] "command failed" err="anonymous: Forbidden: --anonynous-auth flag cannot be set when anonymous field is configured in authentication configuration file"

[liggitt]

@vinayakankugoyal are you able to reproduce on 1.32?

@CindyLixinli are you sure the manifest and configuration are both being used by the currently running apiserver process? do you have log outputs of the process showing the explicit anonymous flag value and the authentication config value?