
OCPBUGS-82036: Restrict anonymous auth to only probe endpoints#8133

Draft
smrtrfszm wants to merge 1 commit into openshift:main from smrtrfszm:smrtrfszm/restrict-anonymous-auth

Conversation

smrtrfszm (Contributor) commented Mar 31, 2026

What this PR does / why we need it:

Anonymous authentication on the kube-apiserver is currently globally enabled via --anonymous-auth=true. This unnecessarily exposes the KAS to unauthenticated requests beyond what is needed for health probes.

Instead of globally enabling anonymous auth, use the structured AuthenticationConfiguration to allow anonymous access only to probe endpoints (/healthz, /livez, /livez/ping, /readyz). The --anonymous-auth flag is removed and replaced with --authentication-config, which is now always set.

For this, the AnonymousAuthConfigurableEndpoints feature gate is needed, but it was GA'd in 1.34.

Which issue(s) this PR fixes:

Fixes #OCPBUGS-82036

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Summary by CodeRabbit

  • New Features

    • Always emit a structured authentication config file that includes an Anonymous block (probe/metadata conditions) and JWT entries when OIDC providers exist; API server now uses this auth config unconditionally.
  • Bug Fixes

    • Removed the previous unconditional anonymous-auth flag and consolidated auth config generation to avoid early-return cases.
  • Tests

    • Updated and added tests for anonymous-probe behavior, OAuth-disabled cases, and auth config generation.
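The restriction the PR description explains, as an added worked example (not HyperShift's own code): it builds the anonymous block of the structured AuthenticationConfiguration scoped to the four probe paths, renders the auth.json the API server reads via --authentication-config, and models the resulting decision for a credential-less request. The type names mirror the ones the PR introduces but are local stand-ins defined here; the exact-path matching rule follows KEP-4633 (AnonymousAuthConfigurableEndpoints).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Local stand-ins for the kube-apiserver AuthenticationConfiguration anonymous
// block (apiVersion apiserver.config.k8s.io/v1). They are assumptions made for
// this self-contained example, not HyperShift's own AnonymousAuthConfig and
// AnonymousAuthCondition types.
type AnonymousAuthCondition struct {
	Path string `json:"path"`
}

type AnonymousAuthConfig struct {
	Enabled    bool                     `json:"enabled"`
	Conditions []AnonymousAuthCondition `json:"conditions,omitempty"`
}

type AuthenticationConfiguration struct {
	APIVersion string               `json:"apiVersion"`
	Kind       string               `json:"kind"`
	JWT        []json.RawMessage    `json:"jwt"`
	Anonymous  *AnonymousAuthConfig `json:"anonymous,omitempty"`
}

// probePaths are the endpoints the PR keeps reachable without credentials.
var probePaths = []string{"/healthz", "/livez", "/livez/ping", "/readyz"}

// buildAuthConfig assembles what the operator would write to auth.json: the
// anonymous block is always present and scoped to probePaths, and the JWT list
// is initialised (empty here, since no OIDC provider is configured).
func buildAuthConfig() AuthenticationConfiguration {
	conds := make([]AnonymousAuthCondition, 0, len(probePaths))
	for _, p := range probePaths {
		conds = append(conds, AnonymousAuthCondition{Path: p})
	}
	return AuthenticationConfiguration{
		APIVersion: "apiserver.config.k8s.io/v1",
		Kind:       "AuthenticationConfiguration",
		JWT:        []json.RawMessage{},
		Anonymous:  &AnonymousAuthConfig{Enabled: true, Conditions: conds},
	}
}

// authConfigJSON renders the configuration as the JSON document the API server
// loads through --authentication-config.
func authConfigJSON() (string, error) {
	b, err := json.MarshalIndent(buildAuthConfig(), "", "  ")
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// Decision models what the kube-apiserver does with a request that carries no
// credentials once the anonymous block is in effect.
type Decision int

const (
	// RejectedUnauthenticated: no authenticator accepts the request, so the
	// server answers 401 before authorization ever runs.
	RejectedUnauthenticated Decision = iota
	// AuthenticatedAsAnonymous: the request proceeds as system:anonymous and
	// authorization decides; RBAC typically answers 403 for non-probe paths.
	AuthenticatedAsAnonymous
)

// anonymousDecision applies the KEP-4633 rule: with no conditions, every
// request may be anonymous (what --anonymous-auth=true amounted to); with
// conditions, only an exact match on the request path is accepted as
// system:anonymous. A disabled or absent block rejects everything.
func anonymousDecision(cfg *AnonymousAuthConfig, requestPath string) Decision {
	if cfg == nil || !cfg.Enabled {
		return RejectedUnauthenticated
	}
	if len(cfg.Conditions) == 0 {
		return AuthenticatedAsAnonymous
	}
	for _, c := range cfg.Conditions {
		if c.Path == requestPath {
			return AuthenticatedAsAnonymous
		}
	}
	return RejectedUnauthenticated
}

func main() {
	out, err := authConfigJSON()
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
	restricted := buildAuthConfig().Anonymous
	legacy := &AnonymousAuthConfig{Enabled: true} // the old global flag, modelled as a config
	for _, p := range []string{"/healthz", "/livez/ping", "/api/v1/namespaces", "/healthz/"} {
		fmt.Printf("%-20s anonymous under legacy=%v restricted=%v\n", p,
			anonymousDecision(legacy, p) == AuthenticatedAsAnonymous,
			anonymousDecision(restricted, p) == AuthenticatedAsAnonymous)
	}
}
```

The last row of the printed table shows why the conformance tests in this thread moved from 403 to 401: a non-probe path is no longer authenticated as system:anonymous at all, so authorization never gets to answer Forbidden.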

openshift-ci-robot commented:

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

openshift-ci bot added the do-not-merge/work-in-progress label Mar 31, 2026
coderabbitai bot (Contributor) commented Mar 31, 2026

Walkthrough

adaptAuthConfig now always constructs and writes an AuthenticationConfiguration (including TypeMeta, an initialized empty JWT slice, and an Anonymous block) regardless of whether HCP authentication or OIDC providers are present. When OIDC providers exist, JWT authenticators are generated per provider and appended; errors return with provider context. anonymousAuthConfig produces the probe/metadata anonymous condition only when integrated OAuth is enabled. The kube-apiserver args no longer include an unconditional anonymous-auth=true and now always include authentication-config=<authConfigVolumePath>/auth.json. Tests were updated to expect the Anonymous block.

Sequence Diagram(s)

sequenceDiagram
    participant HCPController as HostedControlPlane Controller
    participant CM as ConfigMap (auth.json)
    participant KAS as Kube‑APIServer

    HCPController->>HCPController: adaptAuthConfig(hcp)
    alt OIDC providers present
        HCPController->>HCPController: generateJWTForProvider(...) for each provider
        HCPController->>HCPController: append JWT authenticators to authConfig.JWT
    else no OIDC providers
        HCPController->>HCPController: leave authConfig.JWT empty
    end
    HCPController->>HCPController: set authConfig.Anonymous via anonymousAuthConfig(hcp)
    HCPController->>CM: write AuthenticationConfiguration (auth.json)
    KAS->>CM: mount/read authentication-config (auth.json)
    KAS->>KAS: load JWT authenticators and Anonymous conditions
    KAS->>KAS: apply authentication behavior (probe-only anonymous paths as configured)
Pre-merge checks: 8 passed, 2 failed (1 warning, 1 inconclusive)

Failed checks:
  • Docstring Coverage (Warning): docstring coverage is 14.29%, below the required threshold of 80.00%. Resolution: write docstrings for the functions missing them.
  • Test Structure And Quality (Inconclusive): the custom check targets Ginkgo tests (Describe/It/Eventually blocks), but the PR uses standard Go testing with table-driven patterns in auth_test.go and config_test.go. A minor assertion formatting issue was found in auth_test.go line 1861. Resolution: clarify whether the check should evaluate standard Go table-driven tests, or convert the tests to the Ginkgo framework; fix auth_test.go line 1861 to use t.Fatalf() instead of t.Fatal() for proper message formatting.

Passed checks:
  • Description Check: skipped, since CodeRabbit's high-level summary is enabled.
  • Title check: the title directly describes the main change, restricting anonymous authentication to only probe endpoints, which is the primary objective across all modified files.
  • Stable And Deterministic Test Names: the modified test files use standard Go testing with t.Run(), not Ginkgo, so the Ginkgo test name check is not applicable.
  • Microshift Test Compatibility: the PR does not add new Ginkgo e2e tests; the modified files contain standard Go unit tests using the testing package.
  • Single Node Openshift (SNO) Test Compatibility: the PR does not add any new Ginkgo e2e tests; changes are limited to unit tests in the control-plane-operator package using standard Go testing.
  • Topology-Aware Scheduling Compatibility: the PR exclusively modifies kube-apiserver authentication configuration arguments and internal type definitions, with no impact on pod scheduling or topology assumptions.
  • OTE Binary Stdout Contract: the modified files are business logic and unit test code for the HyperShift control-plane-operator's KAS authentication configuration, not OTE test binaries, and contain no process-level entry points or stdout writes.
  • IPv6 And Disconnected Network Test Compatibility: the PR modifies only unit tests in auth_test.go and config_test.go using Go's standard testing package, not Ginkgo e2e tests. No new e2e tests with IPv4 assumptions or external connectivity requirements are added.


openshift-ci bot (Contributor) commented Mar 31, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

openshift-ci bot added the do-not-merge/needs-area and area/control-plane-operator (changes for the control plane operator in an OCP release) labels Mar 31, 2026
openshift-ci bot (Contributor) commented Mar 31, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: smrtrfszm
Once this PR has been reviewed and has the lgtm label, please assign bryan-cox for approval. For more information see the Code Review Process.


@smrtrfszm smrtrfszm force-pushed the smrtrfszm/restrict-anonymous-auth branch from aad2562 to 1f9878e Compare March 31, 2026 12:06
codecov bot commented Mar 31, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 35.71%. Comparing base (80615ba) to head (7983f19).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #8133   +/-   ##
=======================================
  Coverage   35.70%   35.71%           
=======================================
  Files         767      767           
  Lines       93401    93407    +6     
=======================================
+ Hits        33353    33362    +9     
+ Misses      57346    57344    -2     
+ Partials     2702     2701    -1     
Files with missing lines Coverage Δ
...ator/controllers/hostedcontrolplane/v2/kas/auth.go 84.29% <100.00%> (+1.24%) ⬆️
...or/controllers/hostedcontrolplane/v2/kas/config.go 89.58% <100.00%> (-0.09%) ⬇️

openshift-ci bot added the needs-rebase label (merge conflicts with HEAD) Apr 4, 2026
@smrtrfszm smrtrfszm force-pushed the smrtrfszm/restrict-anonymous-auth branch from 1f9878e to d50476f Compare April 7, 2026 10:07
openshift-ci bot removed the needs-rebase label Apr 7, 2026
smrtrfszm changed the title from "Restrict anonymous auth to probe endpoints on IBM Cloud" to "OCPBUGS-82036: Restrict anonymous auth to probe endpoints on IBM Cloud" Apr 7, 2026
openshift-ci-robot added the jira/valid-reference and jira/valid-bug labels Apr 7, 2026
openshift-ci-robot commented:

@smrtrfszm: This pull request references Jira Issue OCPBUGS-82036, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

What this PR does / why we need it:

On IBM Cloud hosted clusters, anonymous authentication is currently globally enabled via --anonymous-auth=true. This unnecessarily exposes the KAS to unauthenticated requests beyond what is needed for health probes.

Instead of globally enabling anonymous auth, use the structured AuthenticationConfiguration to allow anonymous access only to probe endpoints (/healthz, /livez, /livez/ping, /readyz). For IBM Cloud, the --anonymous-auth flag is removed and replaced with --authentication-config, which is now also set when OAuth is enabled. New internal types (AnonymousAuthConfig, AnonymousAuthCondition) and PlatformType plumbing through KubeAPIServerConfigParams support this.

For this, the AnonymousAuthConfigurableEndpoints feature gate is needed, but it was GA'd in 1.34.

Which issue(s) this PR fixes:

Fixes

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot commented:

@smrtrfszm: This pull request references Jira Issue OCPBUGS-82036, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

smrtrfszm (Contributor, Author) commented:

/jira refresh

openshift-ci-robot commented:

@smrtrfszm: This pull request references Jira Issue OCPBUGS-82036, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

@smrtrfszm smrtrfszm marked this pull request as ready for review April 7, 2026 10:42
openshift-ci bot removed the do-not-merge/work-in-progress label Apr 7, 2026
@openshift-ci openshift-ci bot requested review from enxebre and jparrill April 7, 2026 10:42
coderabbitai bot (Contributor) left a review:


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@control-plane-operator/controllers/hostedcontrolplane/v2/kas/auth.go`:
- Around line 36-62: The IBM anonymous auth block is applied unconditionally for
IBMCloud (isIBMCloud) which can emit unsupported anonymous.conditions on guest
clusters older than K8s v1.34; instead, derive the guest Kubernetes semantic
version from the hosted control plane's release image (via cpContext/HCP release
image) and only set authConfig.Anonymous = ibmCloudAnonymousAuthConfig() when
the parsed guest version is >= 1.34.0; keep the existing
generateAuthConfig()/hasOIDCProviders flow and add a version-check helper (e.g.,
parse release image to semver and compare) before calling
ibmCloudAnonymousAuthConfig(), so clusters running <1.34 skip that assignment.

📥 Commits

Reviewing files that changed from the base of the PR and between 2d72889 and d50476f.

⛔ Files ignored due to path filters (3)
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kube-apiserver/IBMCloud/zz_fixture_TestControlPlaneComponents_auth_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kube-apiserver/IBMCloud/zz_fixture_TestControlPlaneComponents_kas_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kube-apiserver/IBMCloud/zz_fixture_TestControlPlaneComponents_kube_apiserver_deployment.yaml is excluded by !**/testdata/**
📒 Files selected for processing (7)
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/auth.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/auth_test.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/auth_types.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/config.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/config_test.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/params.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/params_test.go

Comment thread control-plane-operator/controllers/hostedcontrolplane/v2/kas/auth.go Outdated
sjenning (Contributor) commented Apr 7, 2026

We already set the --anonymous-auth=true flag on the KAS

This PR isn't currently needed unless I'm missing something

xref https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/4633-anonymous-auth-configurable-endpoints/README.md#design-details

smrtrfszm (Contributor, Author) commented:

@sjenning --anonymous-auth=true allows anonymous auth for all endpoints, but on IBM Cloud we only want to allow it for the 4 probe endpoints.

sjenning (Contributor) commented Apr 9, 2026

Per our discussion, let's refactor this to make it a general policy in HyperShift, not just for IBMCloud. We'll look at merging next week after branch cut.

@smrtrfszm smrtrfszm force-pushed the smrtrfszm/restrict-anonymous-auth branch from d50476f to 3652163 Compare April 10, 2026 14:46
smrtrfszm changed the title from "OCPBUGS-82036: Restrict anonymous auth to probe endpoints on IBM Cloud" to "OCPBUGS-82036: Restrict anonymous auth to only probe endpoints" Apr 10, 2026
@smrtrfszm smrtrfszm force-pushed the smrtrfszm/restrict-anonymous-auth branch from 3652163 to b86d203 Compare April 11, 2026 16:21
openshift-ci-robot commented:

@smrtrfszm: This pull request references Jira Issue OCPBUGS-82036, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.


TwoDCube (Member) commented:

/retest
/pipeline required

    Conditions: []AnonymousAuthCondition{
        {Path: "/healthz"},
        {Path: "/livez"},
        {Path: "/livez/ping"},
Contributor (inline comment on the snippet above):

FYI: Vanilla HyperShift does not support /livez/ping like ROKS does. There was disagreement between IBM and Red Hat on supporting this endpoint. Is Red Hat okay with us adding this endpoint? See #6202 for some context on this.

sjenning (Contributor) commented:

/test security

sjenning (Contributor) commented:

/test e2e-aws-conformance

sjenning (Contributor) commented:

/test e2e-conformance

@smrtrfszm smrtrfszm marked this pull request as draft April 17, 2026 16:40
openshift-ci bot added the do-not-merge/work-in-progress label Apr 17, 2026
@smrtrfszm smrtrfszm force-pushed the smrtrfszm/restrict-anonymous-auth branch from b86d203 to 519b23d Compare April 17, 2026 16:42
openshift-ci-robot added the jira/invalid-bug label and removed the jira/valid-bug label Apr 17, 2026
openshift-ci-robot commented:

@smrtrfszm: This pull request references Jira Issue OCPBUGS-82036, which is invalid:

  • expected the bug to target either version "5.0." or "openshift-5.0.", but it targets "4.22.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.


coderabbitai bot (Contributor) left a review:


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@control-plane-operator/controllers/hostedcontrolplane/v2/kas/auth.go`:
- Around line 72-85: The anonymousAuthConfig function currently unconditionally
includes "/.well-known/oauth-authorization-server" which exposes the OAuth
discovery document even when OAuth/ODIC is not enabled; update
anonymousAuthConfig (or its caller) to only append the
AnonymousAuthCondition{Path: "/.well-known/oauth-authorization-server"} when the
HostedControlPlane configuration indicates integrated OAuth is enabled (e.g.,
configuration.Authentication != nil and/or OIDCProviders not empty), otherwise
omit that condition so anonymous access remains limited to the probe endpoints;
ensure you reference AnonymousAuthConfig and AnonymousAuthCondition when
implementing the conditional addition.


📥 Commits

Reviewing files that changed from the base of the PR and between b86d203 and 519b23d.

⛔ Files ignored due to path filters (15)
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kube-apiserver/AROSwift/zz_fixture_TestControlPlaneComponents_auth_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kube-apiserver/AROSwift/zz_fixture_TestControlPlaneComponents_kas_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kube-apiserver/AROSwift/zz_fixture_TestControlPlaneComponents_kube_apiserver_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kube-apiserver/GCP/zz_fixture_TestControlPlaneComponents_auth_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kube-apiserver/GCP/zz_fixture_TestControlPlaneComponents_kas_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kube-apiserver/GCP/zz_fixture_TestControlPlaneComponents_kube_apiserver_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kube-apiserver/IBMCloud/zz_fixture_TestControlPlaneComponents_auth_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kube-apiserver/IBMCloud/zz_fixture_TestControlPlaneComponents_kas_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kube-apiserver/IBMCloud/zz_fixture_TestControlPlaneComponents_kube_apiserver_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kube-apiserver/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_auth_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kube-apiserver/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_kas_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kube-apiserver/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_kube_apiserver_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kube-apiserver/zz_fixture_TestControlPlaneComponents_auth_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kube-apiserver/zz_fixture_TestControlPlaneComponents_kas_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kube-apiserver/zz_fixture_TestControlPlaneComponents_kube_apiserver_deployment.yaml is excluded by !**/testdata/**
📒 Files selected for processing (5)
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/auth.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/auth_test.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/auth_types.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/config.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/config_test.go
✅ Files skipped from review due to trivial changes (2)
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/config_test.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/auth_types.go
🚧 Files skipped from review as they are similar to previous changes (2)
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/config.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/auth_test.go

@smrtrfszm smrtrfszm force-pushed the smrtrfszm/restrict-anonymous-auth branch from 519b23d to fa01ad2 Compare April 20, 2026 10:55
Anonymous authentication on the kube-apiserver is currently globally
enabled via --anonymous-auth=true. This unnecessarily exposes the KAS
to unauthenticated requests beyond what is needed for a select few
endpoints.

Instead of globally enabling anonymous auth, use the structured
AuthenticationConfiguration to allow anonymous access only to those
endpoints. The --anonymous-auth flag is removed and replaced with
--authentication-config, which is now always set. New internal types
(AnonymousAuthConfig, AnonymousAuthCondition) support this and the
generated authentication config always carries the anonymous block,
regardless of platform or OIDC configuration.
@smrtrfszm smrtrfszm force-pushed the smrtrfszm/restrict-anonymous-auth branch from fa01ad2 to 7983f19 Compare April 20, 2026 11:58
smrtrfszm (Contributor, Author) commented:

/test e2e-conformance

TwoDCube (Member) commented:

/jira refresh

openshift-ci-robot added the jira/valid-bug label and removed the jira/invalid-bug label Apr 20, 2026
openshift-ci-robot commented:

@TwoDCube: This pull request references Jira Issue OCPBUGS-82036, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci
Contributor

openshift-ci bot commented Apr 20, 2026

@smrtrfszm: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

  • Test name: ci/prow/e2e-conformance
  • Commit: 7983f19
  • Required: false
  • Rerun command: /test e2e-conformance

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@hypershift-jira-solve-ci

Test Failure Analysis Complete

Job Information

Test Failure Analysis

Error

Mass test failures detected: 78 failures (threshold: 10)
  - Blocking test failures: 77
  - Synthetic test failures: 0
  - Monitor test failures: 1

Two distinct failure categories:
1) Anonymous auth now returns 401 Unauthorized instead of 403 Forbidden (5 tests)
2) Konnectivity tunnel / kubelet exec proxy broken — EOF and DNS lookup failures (72+ tests)

Summary

PR #8133 restricts anonymous authentication on the hosted cluster's kube-apiserver to only probe endpoints (/healthz, /livez, /livez/ping, /readyz) and the OAuth discovery endpoint. This causes two categories of mass failures: (1) 5 conformance tests that explicitly test anonymous access behavior now receive 401 Unauthorized instead of the previously expected 403 Forbidden or 200 OK, because anonymous requests to non-probe API paths are now rejected before authorization; and (2) 72+ tests fail due to a broken konnectivity tunnel — konnectivity-agent readiness probes started failing with HTTP 503 at 17:36:18Z, followed immediately by konnectivity-server-local DNS resolution failures and kubelet exec proxy EOF errors across all 3 worker nodes, collapsing pod exec, log retrieval, and port-forwarding operations cluster-wide.

Root Cause

Category 1 — Auth behavior change (5 tests, directly caused by PR):

The PR removes --anonymous-auth=true from kube-apiserver arguments and replaces it with a structured AuthenticationConfiguration that restricts anonymous access to specific probe endpoints via the AnonymousAuthConfigurableEndpoints feature gate. Previously, anonymous requests to any endpoint were authenticated as system:anonymous and then authorized (producing 403 Forbidden for unauthorized paths). Now, anonymous requests to non-allowlisted paths are rejected at the authentication layer with 401 Unauthorized, never reaching authorization.

Affected tests and their specific mismatch:

  1. anonymous browsers should get a 403 from / — expects 403, gets 401 (root path is not in the allowlist)
  2. oc basics can get version information from API — expects 200 from anonymous access to /version, gets 401
  3. TestWebhook — expects 403 on webhook endpoint, gets 401
  4. TestAuthorizationSubjectAccessReview — expects forbidden error for anonymous SAR, gets Unauthorized
  5. TestBrowserSafeAuthorizer — expects forbidden for unsafe proxy verbs, gets Unauthorized

Category 2 — Konnectivity tunnel breakdown (72+ tests, likely infrastructure/timing issue):

Starting at 17:36:10Z (~14 minutes into the test run), all kubelet exec proxy requests began failing with EOF errors. At 17:36:18Z, konnectivity-agent readiness probes started failing with HTTP 503 across all 3 nodes (ip-10-0-12-126, ip-10-0-10-22, ip-10-0-5-209). Shortly after, konnectivity-server-local DNS resolution began failing with "no such host". This cascade broke all operations that proxy through the kube-apiserver to kubelets: pod exec (38 tests), pod log retrieval (3 tests), port-forwarding (4 tests), cgroup reads (12 tests), and DRA plugin interactions (10 tests). 10 additional tests were interrupted as a cascade effect.

The konnectivity tunnel failure is likely a transient infrastructure issue — konnectivity probes use the /healthz endpoint which IS in the anonymous auth allowlist, so the PR's auth restriction should not directly cause this. However, a kube-apiserver restart during auth config rollout could transiently break existing konnectivity connections.

Recommendations
  1. For the 5 auth-related test failures — these tests need to be updated in the openshift/origin test suite (or skipped for HyperShift topology) to account for the new behavior where anonymous requests to non-probe endpoints return 401 instead of 403:

    • root_403.go:34 — update to expect 401 instead of 403 for anonymous requests to /
    • basics.go:220 — update to expect 401 for anonymous /version access, or add /version to the anonymous allowlist if version info should remain publicly accessible
    • webhook.go:428 — update to expect 401 instead of 403
    • authorization.go:848 and authorization.go:1246 — update anonymous access expectations
  2. Consider adding /version to the anonymous auth allowlist — Kubernetes vanilla behavior exposes /version to anonymous users, and many tools/tests rely on this. Adding {Path: "/version"} to anonymousAuthConfig() would fix the oc basics test and maintain compatibility.

  3. For the 72+ konnectivity/exec proxy failures — these appear to be an infrastructure flake (konnectivity tunnel breakdown). Rerun the job to confirm. If these persist, investigate whether the kube-apiserver restart during auth config rollout is disrupting existing konnectivity connections.

  4. Consider a phased rollout — file issues against the affected test suites in openshift/origin to update their anonymous access expectations before merging this PR.

Evidence
  • PR Change: Removes --anonymous-auth=true, adds AuthenticationConfiguration with anonymous access restricted to /healthz, /livez, /livez/ping, /readyz, /.well-known/oauth-authorization-server
  • Feature Gate: AnonymousAuthConfigurableEndpoints enabled (GA in k8s 1.34)
  • Auth failures: 5 tests got 401 Unauthorized instead of the expected 403 Forbidden or 200 OK for anonymous requests
  • Konnectivity probe failures: Started 17:36:18Z; HTTP 503 on all 3 nodes (ip-10-0-12-126, ip-10-0-10-22, ip-10-0-5-209)
  • Exec proxy EOF errors: Started 17:36:10Z; 556 failures on node 10.0.5.209, 68 on 10.0.12.126, 37 on 10.0.10.22
  • Konnectivity DNS failures: lookup konnectivity-server-local on 172.30.0.10:53: no such host (87 occurrences)
  • Cluster creation: Successful; hostedcluster 908c92d8b6c47abf3cc5 reached Available and Completed states
  • Test suite totals: 77 blocking fail, 2 informing fail, 1848 pass, 0 flaky, 2125 skip (1h31m27s)
  • Informing failures: 2 CCO tests (non-blocking, unrelated to this PR)
  • Mass test meta-failure: [Jira:"Test Framework"] there should not be mass test failures triggered by >10 failure threshold
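The commit message above describes replacing the global --anonymous-auth=true with an AuthenticationConfiguration anonymous block listing only the probe paths, and the CI analysis explains why that turns 403s into 401s for every other path. The following Go program is an added illustration of both points and is not code from the hypershift repository or from this PR: its AnonymousAuthConfig/AnonymousAuthCondition types are the example's own minimal mirror of the apiserver.config.k8s.io/v1 anonymous block (not the PR's internal types), AuthenticateAnonymous models the upstream anonymous authenticator as exact URL-path matching (an assumption about upstream behaviour; it is the reason /livez/ping has to be listed next to /livez), and PublicInfoViewer is a simplified stand-in for the default RBAC that lets unauthenticated users GET a few non-resource URLs. Outcome maps the two stages to the status codes the CI analysis reports: no identity from any authenticator yields 401, a denied anonymous identity yields 403.

```go
package main

import (
	"fmt"
	"strings"
)

// Example's own mirror of the anonymous block of apiserver.config.k8s.io/v1
// AuthenticationConfiguration; not the PR's internal types.
type AnonymousAuthCondition struct{ Path string }

type AnonymousAuthConfig struct {
	Enabled    bool
	Conditions []AnonymousAuthCondition // empty: anonymous allowed on every path
}

type AuthenticationConfiguration struct{ Anonymous AnonymousAuthConfig }

// Probe paths listed in the PR description.
var probePaths = []string{"/healthz", "/livez", "/livez/ping", "/readyz"}

// ProbeOnlyAnonymousConfig builds the restricted block; extra paths (for
// example /version, as the CI analysis suggests) may be appended.
func ProbeOnlyAnonymousConfig(extra ...string) AuthenticationConfiguration {
	cfg := AuthenticationConfiguration{Anonymous: AnonymousAuthConfig{Enabled: true}}
	for _, p := range append(append([]string{}, probePaths...), extra...) {
		cfg.Anonymous.Conditions = append(cfg.Anonymous.Conditions, AnonymousAuthCondition{Path: p})
	}
	return cfg
}

// GlobalAnonymousConfig is the equivalent of the old --anonymous-auth=true.
func GlobalAnonymousConfig() AuthenticationConfiguration {
	return AuthenticationConfiguration{Anonymous: AnonymousAuthConfig{Enabled: true}}
}

// RenderYAML emits the file that would be handed to --authentication-config.
func RenderYAML(cfg AuthenticationConfiguration) string {
	var b strings.Builder
	b.WriteString("apiVersion: apiserver.config.k8s.io/v1\n")
	b.WriteString("kind: AuthenticationConfiguration\n")
	b.WriteString("anonymous:\n")
	fmt.Fprintf(&b, "  enabled: %t\n", cfg.Anonymous.Enabled)
	if len(cfg.Anonymous.Conditions) > 0 {
		b.WriteString("  conditions:\n")
		for _, c := range cfg.Anonymous.Conditions {
			fmt.Fprintf(&b, "  - path: %s\n", c.Path)
		}
	}
	return b.String()
}

// AuthenticateAnonymous models the upstream anonymous authenticator as the
// example assumes it works: with no conditions every request becomes
// system:anonymous; with conditions only an exact URL-path match does, so
// /livez does not cover /livez/ping and "/healthz/" does not match "/healthz".
func AuthenticateAnonymous(cfg AuthenticationConfiguration, path string) (user string, ok bool) {
	if !cfg.Anonymous.Enabled {
		return "", false
	}
	if len(cfg.Anonymous.Conditions) == 0 {
		return "system:anonymous", true
	}
	for _, c := range cfg.Anonymous.Conditions {
		if c.Path == path {
			return "system:anonymous", true
		}
	}
	return "", false
}

// Authorizer decides whether an authenticated subject may GET a path.
type Authorizer func(user, path string) bool

// PublicInfoViewer is a simplified stand-in (assumption) for the default RBAC
// granting unauthenticated users GET on a few non-resource URLs.
func PublicInfoViewer(user, path string) bool {
	switch path {
	case "/healthz", "/livez", "/readyz", "/version":
		return true
	}
	return false
}

// Outcome is the status an unauthenticated GET sees: 401 when no identity was
// produced, 403 when the anonymous identity was denied, 200 otherwise.
func Outcome(cfg AuthenticationConfiguration, path string, authz Authorizer) int {
	user, ok := AuthenticateAnonymous(cfg, path)
	if !ok {
		return 401
	}
	if !authz(user, path) {
		return 403
	}
	return 200
}

func main() {
	fmt.Print(RenderYAML(ProbeOnlyAnonymousConfig()))
	for _, p := range []string{"/", "/version", "/healthz"} {
		fmt.Printf("%-9s before: %d  after: %d\n", p,
			Outcome(GlobalAnonymousConfig(), p, PublicInfoViewer),
			Outcome(ProbeOnlyAnonymousConfig(), p, PublicInfoViewer))
	}
}
```

Running it prints the restricted config and shows "/" going from 403 to 401 and "/version" from 200 to 401, which is exactly the mismatch the five failing tests report; passing "/version" to ProbeOnlyAnonymousConfig restores the 200 for that path without widening anonymous access elsewhere. The exact-match modelling also makes the practical check obvious: any probe or tooling path must appear verbatim, including trailing-slash variants if a client sends them.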

Labels
  • area/control-plane-operator: Indicates the PR includes changes for the control plane operator - in an OCP release
  • do-not-merge/work-in-progress: Indicates that a PR should not merge because it is a work in progress.
  • jira/valid-bug: Indicates that a referenced Jira bug is valid for the branch this PR is targeting.
  • jira/valid-reference: Indicates that this PR references a valid Jira ticket of any type.
