Skip to content

OCPBUGS-76867: remove anonymous-auth from apiserver #6221

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
pacevedom wants to merge 1 commit into
base: main
Choose a base branch
from
Open

OCPBUGS-76867: remove anonymous-auth from apiserver #6221

pacevedom wants to merge 1 commit into from
+4 −2

Conversation

@pacevedom
Copy link
Contributor

@pacevedom pacevedom commented Feb 13, 2026
edited by coderabbitai bot
Loading

Summary by CodeRabbit

Release Notes

  • Bug Fixes

    • Improved API server authentication configuration by properly utilizing kubeconfig for credential and certificate authority handling.

  • Security

    • Anonymous authentication is now explicitly disabled at the API server level for enhanced security.

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Feb 13, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Feb 13, 2026

@pacevedom: This pull request references Jira Issue OCPBUGS-76867, which is invalid:

  • expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from agullon and vanhalenar February 13, 2026 12:01
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 13, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pacevedom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 13, 2026
@coderabbitai
Copy link

coderabbitai bot commented Feb 13, 2026
edited
Loading

📝 Walkthrough

Walkthrough

Modified the KubeAPIServer controller to use kubeconfig-based authentication configuration. Added a kubeconfigPath field, initialized it from config, passed it to REST client construction, removed manual CA file assignment, and explicitly disabled anonymous authentication via API server arguments.

Changes

Cohort / File(s) Summary
Kubeconfig and Authentication Configuration
pkg/controllers/kube-apiserver.go		 Added kubeconfigPath struct field initialized in configure method; updated Run method to use kubeconfig path in clientcmd.BuildConfigFromFlags() instead of empty string; removed manual CA file assignment; added "anonymous-auth": {"false"} to API server arguments to disable anonymous authentication.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 2
❌ Failed checks (2 warnings)
Check name Status Explanation Resolution
Title check ⚠️ Warning The title references removing anonymous-auth, but the changes actually add anonymous-auth set to false, representing a configuration change rather than a removal. Update the title to reflect the actual change, such as 'OCPBUGS-76867: disable anonymous-auth in apiserver' or 'OCPBUGS-76867: configure anonymous-auth to false'.
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Merge Conflict Detection ✅ Passed ✅ No merge conflicts detected when merging into main

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments
pkg/controllers/kube-apiserver.go (1)

82-86: Remove unused servingCAPath field.

The field is declared (line 83) and assigned (line 117) but never referenced anywhere in the codebase. It was likely used before restConfig.CAFile = s.servingCAPath was removed.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@pacevedom
Copy link
Contributor Author

pacevedom commented Feb 13, 2026

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Feb 13, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Feb 13, 2026

@pacevedom: This pull request references Jira Issue OCPBUGS-76867, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jogeo

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from jogeo February 13, 2026 12:02
@openshift-ci-robot
Copy link

openshift-ci-robot commented Feb 13, 2026

@pacevedom: This pull request references Jira Issue OCPBUGS-76867, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jogeo

Details

In response to this:

Summary by CodeRabbit

Release Notes

  • Bug Fixes

  • Improved API server authentication configuration by properly utilizing kubeconfig for credential and certificate authority handling.

  • Security

  • Anonymous authentication is now explicitly disabled at the API server level for enhanced security.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 13, 2026

@pacevedom: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/ocp-full-conformance-serial-rhel-eus 9a7c0a3 link true /test ocp-full-conformance-serial-rhel-eus
ci/prow/e2e-aws-tests-bootc-arm 9a7c0a3 link true /test e2e-aws-tests-bootc-arm
ci/prow/ocp-full-conformance-rhel-eus 9a7c0a3 link true /test ocp-full-conformance-rhel-eus

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@pacevedom
Copy link
Contributor Author

pacevedom commented Feb 13, 2026

/test e2e-aws-tests-bootc-arm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@agullon agullon Awaiting requested review from agullon

@vanhalenar vanhalenar Awaiting requested review from vanhalenar

@jogeo jogeo Awaiting requested review from jogeo

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pacevedom @openshift-ci-robot