Remove access to cluster from anonymous users (#11016)

* feat: add user facing variable with default * feat: remove rolebinding to anonymous users after init and upgrade * feat: use file discovery for secondary control plane nodes * feat: use file discovery for nodes * fix: do not fail if rolebinding does not exist * docs: add warning about kube_api_anonymous_auth * style: improve readability of delegate_to parameter * refactor: rename discovery kubeconfig file * test: enable new variable in hardening and upgrade test cases * docs: add option to config parameters * test: multiple instances and upgrade
2025-12-14 13:54:37 +03:00 · 2024-04-03 08:54:12 +02:00
parent fdf5988ea8
commit c6fcbf6ee0
14 changed files with 85 additions and 1 deletions
--- a/tests/files/packet_debian11-calico-upgrade.yml
+++ b/tests/files/packet_debian11-calico-upgrade.yml
@@ -11,3 +11,6 @@ calico_network_backend: bird

 # Needed to bypass deprecation check
 ignore_assert_errors: true
+
+# Remove anonymous access to cluster
+remove_anonymous_access: true
--- a/tests/files/packet_ubuntu20-calico-all-in-one-hardening.yml
+++ b/tests/files/packet_ubuntu20-calico-all-in-one-hardening.yml
@@ -104,3 +104,6 @@ kube_cert_group: root
 # kube-system namespace is exempted by default
 kube_pod_security_use_default: true
 kube_pod_security_default_enforce: restricted
+
+# Remove anonymous access to cluster
+remove_anonymous_access: true
--- a/tests/files/packet_ubuntu20-calico-etcd-kubeadm.yml
+++ b/tests/files/packet_ubuntu20-calico-etcd-kubeadm.yml
@@ -9,3 +9,6 @@ etcd_deployment_type: kubeadm
 # Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=focal&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko
 kube_proxy_mode: iptables
 enable_nodelocaldns: False
+
+# Remove anonymous access to cluster
+remove_anonymous_access: true