Disable anonymous-auth by default

[ChrisRx]

At this time crit follows precedent from kubeadm for enabling anonymous requests. Since crit uses a healthcheck-proxy sidecar to safely expose health checks via a limited role, the API server could potentially just default to anonymous-auth=false.

The one reason why this may not be desired is that it must put the health check on a different port than the API server. So I think some considerations will need to be made as to whether this is a good idea or not.

Something to explore would also be using the sidecar proxy as the API server port and forward all traffic to the internal API server port, while only reverse proxying with the limited role for the /health endpoint.