Stop creating role bindings for system:anonymous

[acurtiz]

What would you like to be added:

Today, there's at least one place in clusterloader2 (xref) in which we create role bindings to system:anonymous.

Can we alter clusterloader2 to stop doing this?

Why is this needed:

Two reasons:

1. Creating bindings to system:anonymous is generally a bad practice, even if in this particular case the role being bound only allows read permissions.
2. Some k8s distros reject such actions by default, thus making it harder to utilize clusterloader2.

[tosi3k]

#3214 addresses this for the piece of code you're mentioning (i.e. scraping Prometheus targets).

The only other piece of code I see that's creating role bindings for system:anonymous is inside a measurement that is collecting pprof profiles from etcd/kube-apiserver/KCM/KS:

perf-tests/clusterloader2/pkg/measurement/common/profile.go

Lines 253 to 262 in 91bf89e

	createClusterRoleBinding := func() error {
	_, err := c.RbacV1().ClusterRoleBindings().Create(context.TODO(), &rbacv1.ClusterRoleBinding{
	ObjectMeta: metav1.ObjectMeta{Name: "anonymous:apiserver-debug-viewer"},
	RoleRef: rbacv1.RoleRef{Kind: "ClusterRole", Name: "apiserver-debug-viewer"},
	Subjects: []rbacv1.Subject{
	{Kind: "User", Name: "system:anonymous"},
	},
	}, metav1.CreateOptions{})
	return err
	}