Allow anonymous API server access, decorate authenticated users with system:authenticated group

[liggitt]

When writing authorization policy, it is often necessary to allow certain actions to any authenticated user. For example, creating a service or configmap, and granting read access to all users

It is also frequently necessary to allow actions to any unauthenticated user. For example, fetching discovery APIs might be part of an authentication process, and therefore need to be able to be read without access to authentication credentials.

This PR:

• Adds an option to allow anonymous requests to the secured API port. If enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of system:anonymous and a group of system:unauthenticated. Note: this should only be used with an --authorization-mode other than AlwaysAllow
• Decorates user.Info returned from configured authenticators with the group system:authenticated.

This is related to defining a default set of roles and bindings for RBAC (kubernetes/enhancements#2). The bootstrap policy should allow all users (anonymous or authenticated) to request the discovery APIs.

kube-apiserver learned the '--anonymous-auth' flag, which defaults to true. When enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of 'system:anonymous' and a group of 'system:unauthenticated'. 

Authenticated users are decorated with a 'system:authenticated' group.

NOTE: anonymous access is enabled by default. If you rely on authentication alone to authorize access, change to use an authorization mode other than AlwaysAllow, or or set '--anonymous-auth=false'.

c.f. #29177 (comment)

This change is

[liggitt]

cc @kubernetes/sig-auth

[deads2k]

lgtm

[deads2k]

lgtm

You'll want a doc pull too.

[liggitt]

@k8s-bot test this please issue #32377

[rmmh]

@k8s-bot gke test this issue #32431

[liggitt]

@cjcullen I can't tell if the gke smoke test failures are flakes, or related to the system:authenticated group being sent to the authorizer. Do you know what the GKE webhook authorizer would do with that?

[zhouhaibing089]

Very useful, thanks!

[erictune]

Let's make this flag be called "forbid-anonymous-auth", and default to false.

That is because we expect most people to enable it going forward, and we don't want a flag that is expected to be required to be specified.

The release note can have a warning that: people who are relying on authentication alone to authorize access should add authorization or set --forbid-anonymous-auth.

[liggitt]

I'd like to avoid a negative in the flag name if possible. Just updated the default to true.

[erictune]

Please change flag default. Other than that, LGTM.

[cjcullen]

@k8s-bot gke test this issue: #IGNORE

[cjcullen]

(kicking the GKE tests to confirm that the unknown user thing is fixed).

[liggitt]

Tracked down the GKE failure to SubjectAccessReview serializing groups as group (#32709). The GKE webhook didn't expect that field, and returned an error.

[k8s-bot]

GCE e2e build/test passed for commit c3f37a1345b1d3af5a45a73ceaf561f6b1374cac.

• Test Results
• Build Log
• Test Artifacts
• Internal Jenkins Results

[k8s-ci-robot]

Jenkins GCI Kubemark GCE e2e failed for commit 5599ca3. Full PR test history.

The magic incantation to run this job again is @k8s-bot kubemark gci e2e test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

[k8s-ci-robot]

Jenkins GCI GKE smoke e2e failed for commit 5599ca3. Full PR test history.

The magic incantation to run this job again is @k8s-bot gci gke e2e test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

[k8s-ci-robot]

Jenkins GCI GCE e2e failed for commit 5599ca3. Full PR test history.

The magic incantation to run this job again is @k8s-bot gci gce e2e test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

[liggitt]

flag default, help text, and release note updated, GKE smoke test passing

[liggitt]

doc PR at kubernetes/website#1342

[deads2k]

@liggitt can you confirm that this: https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/pr-logs/pull/32386/kubernetes-pull-build-test-gci-e2e-gce/188/ is a flake, not a result of this change?

[deads2k]

@liggitt once you've confirmed, this lgtm.

[liggitt]

@k8s-bot gci gce e2e test this
@k8s-bot gci gke e2e test this
@k8s-bot kubemark gci e2e test this

[k8s-github-robot]

@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue