diff --git a/lib/api/internal/kubernetes.rb b/lib/api/internal/kubernetes.rb
index bab829a609e89ed198eaacb680066c3872f222e2..4db2ee85362e39777357fa475e88ad8c4a8868fa 100644
--- a/lib/api/internal/kubernetes.rb
+++ b/lib/api/internal/kubernetes.rb
@@ -5,6 +5,7 @@ module API
   module Internal
     class Kubernetes < Grape::API::Instance
       before do
+        check_feature_enabled
         authenticate_gitlab_kas_request!
       end
 
@@ -55,7 +56,6 @@ def check_agent_token
       namespace 'internal' do
         namespace 'kubernetes' do
           before do
-            check_feature_enabled
             check_agent_token
           end
 
@@ -96,15 +96,16 @@ def check_agent_token
               gitaly_repository: gitaly_repository(project)
             }
           end
+        end
 
+        namespace 'kubernetes/usage_metrics' do
           desc 'POST usage metrics' do
             detail 'Updates usage metrics for agent'
           end
-          route_setting :authentication, cluster_agent_token_allowed: true
           params do
             requires :gitops_sync_count, type: Integer, desc: 'The count to increment the gitops_sync metric by'
           end
-          post '/usage_metrics' do
+          post '/' do
             gitops_sync_count = params[:gitops_sync_count]
 
             if gitops_sync_count < 0
diff --git a/spec/requests/api/internal/kubernetes_spec.rb b/spec/requests/api/internal/kubernetes_spec.rb
index ae5b6a9c4c6a12edc96d9ee95d95b08cd5165dbe..f669483b5a494b1d598b62cbeb4a1ba4574b628b 100644
--- a/spec/requests/api/internal/kubernetes_spec.rb
+++ b/spec/requests/api/internal/kubernetes_spec.rb
@@ -24,20 +24,6 @@
       end
     end
 
-    context 'authenticated' do
-      it 'returns 403 if Authorization header not sent' do
-        send_request
-
-        expect(response).to have_gitlab_http_status(:forbidden)
-      end
-
-      it 'returns 404 if Authorization is for non-existent agent' do
-        send_request(headers: { 'Authorization' => 'Bearer NONEXISTENT' })
-
-        expect(response).to have_gitlab_http_status(:forbidden)
-      end
-    end
-
     context 'kubernetes_agent_internal_api feature flag disabled' do
       before do
         stub_feature_flags(kubernetes_agent_internal_api: false)
@@ -51,6 +37,20 @@
     end
   end
 
+  shared_examples 'agent authentication' do
+    it 'returns 403 if Authorization header not sent' do
+      send_request
+
+      expect(response).to have_gitlab_http_status(:forbidden)
+    end
+
+    it 'returns 403 if Authorization is for non-existent agent' do
+      send_request(headers: { 'Authorization' => 'Bearer NONEXISTENT' })
+
+      expect(response).to have_gitlab_http_status(:forbidden)
+    end
+  end
+
   describe 'POST /internal/kubernetes/usage_metrics' do
     def send_request(headers: {}, params: {})
       post api('/internal/kubernetes/usage_metrics'), params: params, headers: headers.reverse_merge(jwt_auth_headers)
@@ -93,6 +93,7 @@ def send_request(headers: {}, params: {})
     end
 
     include_examples 'authorization'
+    include_examples 'agent authentication'
 
     context 'an agent is found' do
       let!(:agent_token) { create(:cluster_agent_token) }
@@ -133,6 +134,7 @@ def send_request(headers: {}, params: {})
     end
 
     include_examples 'authorization'
+    include_examples 'agent authentication'
 
     context 'an agent is found' do
       let!(:agent_token) { create(:cluster_agent_token) }