1695048 – Conformance tests failing with "Unauthorized" or "You must be logged in to the server"

Bug 1695048 - Conformance tests failing with "Unauthorized" or "You must be logged in to the server"

Summary: Conformance tests failing with "Unauthorized" or "You must be logged in to th...

Keywords:
Status:	CLOSED DUPLICATE of bug 1694878
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	apiserver-auth
Sub Component:
Version:	4.1.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Target Release:	4.1.0
Assignee:	Mo
QA Contact:	Chuan Yu
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-04-02 11:41 UTC by Devan Goodwin
Modified:	2019-04-05 13:22 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-04-05 13:22:21 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Devan Goodwin 2019-04-02 11:41:23 UTC

Description of problem:

Investigating failures as build cop today, saw some conformance tests failing with "unauthorized" or "you must be logged into the server" errors. 

It appears to be related to OpenShift types, image streams, deployment configs, etc.

e2e failures: https://openshift-gce-devel.appspot.com/build/origin-ci-test/pr-logs/pull/openshift_machine-config-operator/596/pull-ci-openshift-machine-config-operator-master-e2e-aws/2875

In the openshift-apiserver logs I see a lot of:

E0402 09:46:06.727061       1 webhook.go:192] Failed to make webhook authorizer request: .authorization.k8s.io "" is invalid: spec.user: Invalid value: "": at least one of user or group must be specified

Not sure if this is master or auth, please redirect if I'm wrong.

Version-Release number of selected component (if applicable):

See build link above.


How reproducible:

Looks like maybe 14 hits in the last week: https://search.svc.ci.openshift.org/?search=error%3A+You+must+be+logged+in+to+the+server&maxAge=168h&context=2&type=all

Comment 1 Devan Goodwin 2019-04-02 11:50:39 UTC

Moving to auth.

Michal Fojtik   [3 minutes ago]
i think that flakes are caused by something creating SAR request without user/group

Michal Fojtik   [2 minutes ago]
@auth-team should check the audit logs, grep create calls for subject access reviews and find the one returning 403 (likely)

Michal Fojtik   [2 minutes ago]
then identify service account and track down what is making that invalid request

Comment 2 Clayton Coleman 2019-04-03 14:09:04 UTC

Moving to urgent, this is a top flake and causes failures/flakes in almost every single run.

Comment 3 Gabe Montero 2019-04-03 14:27:38 UTC

Looks at least related to https://bugzilla.redhat.com/show_bug.cgi?id=1694878 if not a duplicate

I am also seeing the same TLS errors in the authentication server

For example:  I0402 09:19:48.937291       1 log.go:172] http: TLS handshake error from 10.131.0.6:44300: EOF

from the  run Devan mentioned in his description.

Adding Standa to the cc: ... you agree?

Comment 4 Standa Laznicka 2019-04-03 14:38:00 UTC

Indeed, the TLS handshake errors seem to be the same in both the cases.

Note that the logged error 'Failed to make webhook authorizer request: .authorization.k8s.io "" is invalid: spec.user: Invalid value: "": at least one of user or group must be specified' does not seem to have actual influence on the test result as explained in https://bugzilla.redhat.com/show_bug.cgi?id=1694878#c1.

I still need to figure out what causes the TLS errors.

Comment 5 Erica von Buelow 2019-04-05 12:39:55 UTC

Assigning to Mo who has been helping to debug the issue

Comment 6 Erica von Buelow 2019-04-05 13:22:21 UTC


*** This bug has been marked as a duplicate of bug 1694878 ***

Note You need to log in before you can comment on or make changes to this bug.