Add flag to disable Basic Auth.

[fernandocarletti]

This is an excerpt from @valdisrigdon's PR #4799, Since the source branch was removed and the work in the PR appears to be stopped. It adds a flag to remove the basic authentication as requested on #290.

[k8s-ci-robot]

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
• If you have done the above and are still having issues with the CLA being reported as unsigned, please email the CNCF helpdesk: [email protected]

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[fernandocarletti]

/retest

[k8s-ci-robot]

@fernandocarletti: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[fernandocarletti]

/assign @justinsb

[mikesplain]

/ok-to-test

[chrisz100]

I’ve been waiting for this, thanks!

/lgtm

[fernandocarletti]

@justinsb & @chrisz100 I just rebased it to fix the conflicts. Shall we merge it?

[chrisz100]

Good to go from my POV. Unsure if we shouldn't wait for after 1.11 is stable?
@mikesplain what do you think?

/lgtm

[chrisz100]

/area security

[fernandocarletti]

Just my two cents here, the original PR (#4799) was already set to the 1.10 milestone, but due to the abandonment, it wasn't released. Also, RBAC is enabled by default, so I don't think there is anything risky in here, specially when the flag is just to disable it, so by default Basic Auth is still enabled.

[chrisz100]

It’s more about the risk of this breaking the application or introducing more bugs. But it’s fine to make 1.11 from my side.

[justinsb]

I'm a little uneasy to introduce a flag that deviates from the kubernetes flags, but we can do it and eventually it will just be the default. (And because these options map to kubernetes flags, which are themselves frequently deprecated / changing, these are considered "power options" anyway)

So: It does make things more secure, and while I'd like to make it the default, this is a good first step. And by creating the flag, we minimize the risk of breaking anyone.

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chrisz100, fernandocarletti, justinsb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [justinsb]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment