In eip_controlplane_reconciliation : GET /healthz check unauthenticated OR authenticated

[hh]

Currently we only perform an unauthenticated check here:

cloud-provider-equinix-metal/metal/eip_controlplane_reconciliation.go

Line 250 in 3fb9b35

req, err := http.NewRequest("GET", healthCheckAddress, nil)

While the default for upstream kubernetes allows anonymous.

See https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/

--anonymous-auth     Default: true
Enables anonymous requests to the secure port of the API server. Requests that are not rejected by another authentication method are treated as anonymous requests. Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated.

Talos and possibly other Kubernetes distribution disable unauthenticated access to the Kubernetes API.

• v1.1.0-beta.2 siderolabs/talos#5732
• https://docs.datadoghq.com/security/default_rules/cis-kubernetes-1.5.1-4.2.1/

I suggest trying an unauthenticated request first, and if that fails, try authenticated with the credentials available to the CCM pod.

[hh]

We fixed this previously by adding the following:

https://github.com/sharingio/infra/blob/main/terraform/equinix-metal-talos-cluster/main.tf#L161-L164

cluster:
    apiServer:
        extraArgs:
            anonymous-auth: true

[hh]

This should probably get documented somewhere in the Equinix + Talos deployment pages, I'll see what I can find.