From bf3c6aeed126cec244b8c7357ffb6b8ea309c81b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20Kr=C3=BCger?= <ak@patientsky.com>
Date: Tue, 7 May 2019 21:52:34 +0200
Subject: [PATCH] Add kube anon auth settings to kubeadm config templates
 (#4713)

* Disable kube_api_anonymous_auth by default to secure the setup

* Disable metrics-server in addons. Health endpoint is slow and unstable

* Fix anonymous-auth missing in configuration

* Cleanup a bit

* Fix kube anon auth
---
 .../master/templates/kubeadm-config.v1alpha3.yaml.j2           | 3 +++
 .../kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2 | 3 +++
 tests/testcases/030_check-network.yml                          | 3 ---
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
index 9a9947a70..686f7656a 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
@@ -50,6 +50,9 @@ certificatesDir: {{ kube_cert_dir }}
 imageRepository: {{ kube_image_repo }}
 unifiedControlPlaneImage: ""
 apiServerExtraArgs:
+{% if kube_api_anonymous_auth is defined and kube_version is version('v1.5', '>=')  %}
+  anonymous-auth: "{{ kube_api_anonymous_auth }}"
+{% endif %}
   authorization-mode: {{ authorization_modes | join(',') }}
   bind-address: {{ kube_apiserver_bind_address }}
 {% if kube_apiserver_insecure_port|string != "0" %}
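Review bot: The `is defined` guard around the added `anonymous-auth` line fails open: when `kube_api_anonymous_auth` is unset, the flag is omitted and kube-apiserver uses its own default, which accepts anonymous requests. The commit message says anonymous auth is disabled by default, but no role default appears in this patch, so that depends on a definition elsewhere. Consider dropping the guard and rendering the flag unconditionally with the fallback spelled out, e.g. `anonymous-auth: "{{ kube_api_anonymous_auth | default(false) }}"` if disabled is the intended default. The same guard is added in the v1beta1 template hunk, and the `version('v1.5', '>=')` test looks redundant in both because these kubeadm config API versions are presumably only used with much newer releases. The `apiServerExtraArgs` mapping continues outside this hunk.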
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
index 09b546c2c..acf93f70b 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
@@ -47,6 +47,9 @@ imageRepository: {{ kube_image_repo }}
 useHyperKubeImage: false
 apiServer:
   extraArgs:
+{% if kube_api_anonymous_auth is defined and kube_version is version('v1.5', '>=')  %}
+    anonymous-auth: "{{ kube_api_anonymous_auth }}"
+{% endif %}
     authorization-mode: {{ authorization_modes | join(',') }}
     bind-address: {{ kube_apiserver_bind_address }}
 {% if kube_apiserver_insecure_port|string != "0" %}
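Review bot: The quoted value on the added `anonymous-auth` line is rendered from whatever type the variable happens to have, so a string such as `no` or `off` passed through extra-vars would reach kube-apiserver verbatim and would presumably be rejected by its boolean flag parsing. Normalising in the template, `anonymous-auth: "{{ kube_api_anonymous_auth | bool | lower }}"`, keeps the rendered output to `true` or `false` however the inventory spelled it. The identical line in the v1alpha3 template has the same issue. The `extraArgs` mapping continues beyond this hunk.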
diff --git a/tests/testcases/030_check-network.yml b/tests/testcases/030_check-network.yml
index a88df1052..c9d0f8c43 100644
--- a/tests/testcases/030_check-network.yml
+++ b/tests/testcases/030_check-network.yml
@@ -90,6 +90,3 @@
     with_nested:
     - "{{ pod_names }}"
     - "{{ pod_ips }}"
-
-  - name: Delete test namespace
-    shell: "{{ bin_dir }}/kubectl delete namespace test"