Hello,
I’m trying to secure my home lab by disabling anonymous-auth.
I’m setting this flag on the kube-api server.
But after setting the flag, none of the probes work because they get a 401 returned. (Expected)
How do I properly configure my cluster so I have better security and a healthy API server?
Looking forward to the replies!
Kind regards,
Goat
First of all, how are you installing your cluster? Normally kubeadm will create a “superuser” kubeadm file at /etc/kubernetes/admin.conf on the controlplane node, and if you use that, you can get rid of the --anonymous-auth flag, which you really should not be using, well, pretty much ever.
Thanks for reaching out.
I’ve created a cluster via Kubeadm.
I did that because I got stuck on a question on the CKS exam.
So, I wanted to reproduce and troubleshoot where I went wrong.
I need to set --anonymous-auth to false and keep it from breaking the cluster.
I’ve tried to use roles, serviceaccounts, tokens and mTLS but it seems that nothing I think of resolves the issue and gets the kube-api server back healthy.
Removing the flag would default to “true” and thus enable anonymous-auth.
Generally speaking the place to set this is actually in /var/lib/kubelet/config.conf, to the best of my knowledge. I’m trying to find a reference showing that setting --anonymous-auth=false as a best practice, and I’m not finding that in the docs. trivy config does not flag this either. I’ll check with a colleague to see if he thinks differently, but do note that in our labs, we don’t do this either.
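Added example, not part of any post in this thread: a small Python check that reads a kube-apiserver static pod manifest and lists the httpGet probes that will start returning 401 once --anonymous-auth is set to false, which is the failure described in the first post. The manifest below is constructed, its probe layout is an assumption about what kubeadm writes, and custom httpHeaders on a probe are not inspected.

```python
import re

# Constructed sample: trimmed kube-apiserver static pod manifest. The layout
# (httpGet probes on /livez and /readyz) is an assumption, not from the thread.
SAMPLE_MANIFEST = """\
spec:
  containers:
  - command:
    - kube-apiserver
    - --anonymous-auth=false
    livenessProbe:
      httpGet:
        path: /livez
    readinessProbe:
      httpGet:
        path: /readyz
    startupProbe:
      httpGet:
        path: /livez
"""


def anonymous_auth_enabled(manifest):
    """Effective --anonymous-auth value; an absent flag defaults to true."""
    flags = re.findall(r"^\s*-\s*--anonymous-auth(?:=(\S+))?\s*$", manifest, re.M)
    return not flags or flags[-1].lower() != "false"


def http_probes(manifest):
    """Map probe name -> path for httpGet probes (the only probe type with a path)."""
    probes, name, indent = {}, None, 0
    for line in manifest.splitlines():
        depth = len(line) - len(line.lstrip())
        key = re.match(r"\s*(\w+Probe):\s*$", line)
        path = re.match(r"\s*path:\s*(\S+)", line)
        if key:
            name, indent = key.group(1), depth
        elif name and line.strip() and depth <= indent:
            name = None  # dedent: left the probe block
        elif name and path:
            probes[name] = path.group(1)
    return probes


def probes_rejected_with_401(manifest):
    """Unauthenticated httpGet probes that get 401 once anonymous auth is off."""
    return {} if anonymous_auth_enabled(manifest) else http_probes(manifest)
```

Running `probes_rejected_with_401` on the text of /etc/kubernetes/manifests/kube-apiserver.yaml before restarting the static pod shows which probes need an authenticated or non-HTTP replacement.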