The auth bypass config is disabled by default so we can remove it in production. The value in the K8s manifest is also incorrect, it should be AUTH_BYPASS_EXTERNAL, not BYPASS_EXTERNAL_AUTH (see code).
AUTH_BYPASS_EXTERNAL
BYPASS_EXTERNAL_AUTH