*: remove --insecure-allow-any-token option

e2e and integration tests have been switched over to the tokenfile authenticator instead. ```release-note The --insecure-allow-any-token flag has been removed from kube-apiserver. Users of the flag should use impersonation headers instead for debugging. ```
2025-09-09 13:12:20 +00:00 · 2017-07-17 15:59:15 -07:00
parent ebf24c14a9
commit e2f2ab67f2
16 changed files with 55 additions and 212 deletions
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@@ -76,7 +76,6 @@ ENABLE_CLUSTER_DASHBOARD=${KUBE_ENABLE_CLUSTER_DASHBOARD:-false}
 ENABLE_APISERVER_BASIC_AUDIT=${ENABLE_APISERVER_BASIC_AUDIT:-false}

 # RBAC Mode options
-ALLOW_ANY_TOKEN=${ALLOW_ANY_TOKEN:-false}
 ENABLE_RBAC=${ENABLE_RBAC:-false}
 AUTHORIZATION_MODE=${AUTHORIZATION_MODE:-""}
 KUBECONFIG_TOKEN=${KUBECONFIG_TOKEN:-""}
@@ -434,11 +433,6 @@ function start_apiserver {
      swagger_arg="--enable-swagger-ui=true "
    fi

-    anytoken_arg=""
-    if [[ "${ALLOW_ANY_TOKEN}" = true ]]; then
-      anytoken_arg="--insecure-allow-any-token "
-      KUBECONFIG_TOKEN="${KUBECONFIG_TOKEN:-system:admin/system:masters}"
-    fi
    authorizer_arg=""
    if [[ "${ENABLE_RBAC}" = true ]]; then
      authorizer_arg="--authorization-mode=RBAC "
@@ -498,7 +492,7 @@ function start_apiserver {


    APISERVER_LOG=${LOG_DIR}/kube-apiserver.log
-    ${CONTROLPLANE_SUDO} "${GO_OUT}/hyperkube" apiserver ${swagger_arg} ${audit_arg} ${anytoken_arg} ${authorizer_arg} ${priv_arg} ${runtime_config}\
+    ${CONTROLPLANE_SUDO} "${GO_OUT}/hyperkube" apiserver ${swagger_arg} ${audit_arg} ${authorizer_arg} ${priv_arg} ${runtime_config}\
      ${advertise_address} \
      --v=${LOG_LEVEL} \
      --vmodule="${LOG_SPEC}" \
@@ -548,17 +542,7 @@ function start_apiserver {
    kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" scheduler

    if [[ -z "${AUTH_ARGS}" ]]; then
-        if [[ "${ALLOW_ANY_TOKEN}" = true ]]; then
-            # use token authentication
-            if [[ -n "${KUBECONFIG_TOKEN}" ]]; then
-                AUTH_ARGS="--token=${KUBECONFIG_TOKEN}"
-            else
-                AUTH_ARGS="--token=system:admin/system:masters"
-            fi
-        else
-            # default to the admin client cert/key
-            AUTH_ARGS="--client-key=${CERT_DIR}/client-admin.key --client-certificate=${CERT_DIR}/client-admin.crt"
-        fi
+        AUTH_ARGS="--client-key=${CERT_DIR}/client-admin.key --client-certificate=${CERT_DIR}/client-admin.crt"
    fi

    ${CONTROLPLANE_SUDO} cp "${CERT_DIR}/admin.kubeconfig" "${CERT_DIR}/admin-kube-aggregator.kubeconfig"