Merge pull request #49045 from ericchiang/remove-anytoken-authenticator-option

Automatic merge from submit-queue (batch tested with PRs 49058, 49072, 49137, 49182, 49045)

*: remove --insecure-allow-any-token option

~Since the authenticator is still used in e2e tests, don't remove
the actual package. Maybe a follow up?~

edit: e2e and integration tests have been switched over to the tokenfile
authenticator instead.

```release-note
The --insecure-allow-any-token flag has been removed from kube-apiserver. Users of the flag should use impersonation headers instead for debugging.
```

closes #49031

cc @kubernetes/sig-auth-pr-reviews

hack/make-rules/test-cmd-util.sh

@@ -4133,8 +4133,9 @@ runTests() {
     -s "http://127.0.0.1:${API_PORT}"
   )
 
+  # token defined in hack/testdata/auth-tokens.csv
   kube_flags_with_token=(
-    -s "https://127.0.0.1:${SECURE_API_PORT}" --token=admin/system:masters --insecure-skip-tls-verify=true
+    -s "https://127.0.0.1:${SECURE_API_PORT}" --token=admin-token --insecure-skip-tls-verify=true
   )
 
   if [[ -z "${ALLOW_SKEW:-}" ]]; then

hack/make-rules/test-cmd.sh

@@ -51,7 +51,7 @@ function run_kube_apiserver() {
     --storage-media-type="${KUBE_TEST_API_STORAGE_TYPE-}" \
     --cert-dir="${TMPDIR:-/tmp/}" \
     --service-cluster-ip-range="10.0.0.0/24" \
-    --insecure-allow-any-token 1>&2 &
+    --token-auth-file=hack/testdata/auth-tokens.csv 1>&2 &
   APISERVER_PID=$!
 
   kube::util::wait_for_url "http://127.0.0.1:${API_PORT}/healthz" "apiserver"

hack/make-rules/test-federation-cmd.sh

@@ -43,7 +43,7 @@ function run_federation_apiserver() {
     --etcd-servers="http://${ETCD_HOST}:${ETCD_PORT}" \
     --storage-media-type="${KUBE_TEST_API_STORAGE_TYPE-}" \
     --cert-dir="${TMPDIR:-/tmp/}" \
-    --insecure-allow-any-token 1>&2 &
+    --token-auth-file=hack/testdata/auth-tokens.csv 1>&2 &
   APISERVER_PID=$!
 
   kube::util::wait_for_url "http://127.0.0.1:${API_PORT}/healthz" "apiserver"