Skip to content

backend: kubeconfig: Fix node drain anonymous auth in OIDC deployments#6460

Open
srajang1805 wants to merge 1 commit into
kubernetes-sigs:mainfrom
srajang1805:backend/fix-node-drain-anonymous-oidc
Open

backend: kubeconfig: Fix node drain anonymous auth in OIDC deployments#6460
srajang1805 wants to merge 1 commit into
kubernetes-sigs:mainfrom
srajang1805:backend/fix-node-drain-anonymous-oidc

Conversation

@srajang1805

Copy link
Copy Markdown
Contributor

Summary

Fixes #5110 — node drain operations fail with system:anonymous in
in-cluster OIDC deployments because the in-cluster context's AuthInfo
had no token file when unsafeUseServiceAccountToken was disabled.

Root cause

getInClusterContext at kubeconfig.go:1114 set the service account
token file only when unsafeUseServiceAccountToken was true. Without
this flag, TokenFile was left empty. Backend-initiated operations
like node drain (which don't go through the user-token reverse proxy)
used a clientset with no credentials, authenticating as
system:anonymous.

A secondary issue: ClientSetWithToken set restConf.BearerToken
directly without stripping the Bearer prefix, which could cause a
duplicate-prefix Authorization header if a caller passed it.

Changes

  • backend/pkg/kubeconfig/kubeconfig.go: Always set the in-cluster
    AuthInfo.TokenFile from clusterConfig.BearerTokenFile. The
    unsafe flag now controls which path (custom vs. default), not
    whether a path is set at all.
  • backend/pkg/kubeconfig/kubeconfig.go: Strip Bearer prefix in
    ClientSetWithToken before setting restConf.BearerToken.
  • backend/pkg/kubeconfig/service_account_token_test.go: Update test
    to expect the token file is preserved when unsafe is disabled.

Testing

go test ./pkg/kubeconfig/...   # PASS
golangci-lint run               # 0 issues

…OIDC deployments

Set the in-cluster service account token file path on the AuthInfo
even when unsafeUseServiceAccountToken is disabled. Previously the
TokenFile was left empty, causing backend-initiated operations like
node drain to use a clientset with no credentials when no user token
was available, authenticating as system:anonymous.

The unsafe flag now controls which token file path is used (custom
vs. default), while the token file is always present as a credential
fallback for the RESTConfig.

Also strip the Bearer prefix from tokens in ClientSetWithToken to
prevent duplicate prefixes in the Authorization header.

Ref: kubernetes-sigs#5110
@kubernetes-prow

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: srajang1805
Once this PR has been reviewed and has the lgtm label, please assign yolossn for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubernetes-prow kubernetes-prow Bot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jul 10, 2026
@srajang1805

Copy link
Copy Markdown
Contributor Author

@illume @skoeva Fixes #5110

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Node drain fails with "system:anonymous" in in-cluster OIDC deployments

1 participant