You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Nov 20, 2021. It is now read-only.
At this time crit follows precedent from kubeadm for enabling anonymous requests. Since crit uses a healthcheck-proxy sidecar to safely expose health checks via a limited role, the API server could potentially just default to anonymous-auth=false.
The one reason why this may not be desired is that it must put the health check on a different port than the API server. So I think some considerations will need to be made as to whether this is a good idea or not.
Something to explore would also be using the sidecar proxy as the API server port and forward all traffic to the internal API server port, while only reverse proxying with the limited role for the /health endpoint.
The text was updated successfully, but these errors were encountered:
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
At this time crit follows precedent from kubeadm for enabling anonymous requests. Since crit uses a healthcheck-proxy sidecar to safely expose health checks via a limited role, the API server could potentially just default to
anonymous-auth=false
.The one reason why this may not be desired is that it must put the health check on a different port than the API server. So I think some considerations will need to be made as to whether this is a good idea or not.
Something to explore would also be using the sidecar proxy as the API server port and forward all traffic to the internal API server port, while only reverse proxying with the limited role for the
/health
endpoint.The text was updated successfully, but these errors were encountered: