Support --anonymous-auth Flag in kube-apiserver to fully disable Anonymous Authentication

[5th0]

Background
We attempted to harden API access for Tenant Control Planes by setting the --anonymous-auth=false flag to the kube-apiserver.
However, the TCP deployment fails due to unauthorized health probes:
Startup probe failed: HTTP probe failed with statuscode: 401

Since Kubernetes v1.32, it is possible to selectively enable anonymous authentication for specific API paths, as described in the official documentation:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-authenticator-configuration

We would like this functionality to be fully supported and configurable within Tenant Control Plane environments as well.

Proposal

• Enable explicit support in tenant control planes for disabling anonymous authentication cluster-wide.
• Ensure compatibility with fine-grained configuration of anonymous access by allowing specific paths (e.g., /healthz, /readyz) to remain anonymously accessible.
• Guarantee that internal components respect this configuration and do not rely implicitly on anonymous access.

Benefits
This approach preserves flexibility and maintains backward compatibility for workloads that rely on anonymous access to health or metrics endpoints, while improving the overall security posture.