Automatic merge from submit-queue (batch tested with PRs 41505, 41484, 41544, 41514, 41022)
add front proxy to kubeadm created kube-apiservers
The front proxy authenticator configuration has been in a release or two. It allows a front proxy (secured by mutual TLS auth) to provide user information for a request. The kube-aggregator uses this to securely terminate authentication (has to terminate TLS and thus client-certs) and communicate user info to backing API servers.
Since the kube-apiserver always verifies the front-proxy via a client certificate, this isn't open for abuse unless you already have access to either the signing key or client cert which kubeadm creates locally. If you got there, you already owned the box. Therefore, this adds the authenticator unconditionally.
@luxas Are there e2e tests for `kubeadm`?
@liggitt @kubernetes/sig-auth-misc
30ce5d7244