Merge pull request kubernetes#107276 from jlsong01/fix_flake_TestQuotaLimitService

Fix flake on TestQuotaLimitService

Author: k8s-ci-robot

test/integration/auth/auth_test.go

@@ -62,6 +62,7 @@ import (
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	v1 "k8s.io/client-go/tools/clientcmd/api/v1"
+	resttransport "k8s.io/client-go/transport"
 	kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
 	"k8s.io/kubernetes/pkg/apis/autoscaling"
 	api "k8s.io/kubernetes/pkg/apis/core"
@@ -555,11 +556,9 @@ func TestAuthModeAlwaysDeny(t *testing.T) {
 	controlPlaneConfig.GenericConfig.Authorization.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer()
 	_, s, closeFn := framework.RunAnAPIServer(controlPlaneConfig)
 	defer closeFn()
-
 	ns := framework.CreateTestingNamespace("auth-always-deny", s, t)
 	defer framework.DeleteTestingNamespace(ns, s, t)
-
-	transport := http.DefaultTransport
+	transport := resttransport.NewBearerAuthRoundTripper(framework.UnprivilegedUserToken, http.DefaultTransport)
 
 	for _, r := range getTestRequests(ns.Name) {
 		bodyBytes := bytes.NewReader([]byte(r.body))

test/integration/controlplane/synthetic_controlplane_test.go

@@ -38,8 +38,10 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
+	authauthenticator "k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/group"
 	"k8s.io/apiserver/pkg/authentication/request/bearertoken"
+	authenticatorunion "k8s.io/apiserver/pkg/authentication/request/union"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
@@ -141,6 +143,15 @@ func TestEmptyList(t *testing.T) {
 
 func initStatusForbiddenControlPlaneConfig() *controlplane.Config {
 	controlPlaneConfig := framework.NewIntegrationTestControlPlaneConfig()
+	controlPlaneConfig.GenericConfig.Authentication.Authenticator = authenticatorunion.New(
+		authauthenticator.RequestFunc(func(req *http.Request) (*authauthenticator.Response, bool, error) {
+			return &authauthenticator.Response{
+				User: &user.DefaultInfo{
+					Name:   "unprivileged",
+					Groups: []string{user.AllAuthenticated},
+				},
+			}, true, nil
+		}))
 	controlPlaneConfig.GenericConfig.Authorization.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer()
 	return controlPlaneConfig
 }
@@ -178,7 +189,7 @@ func TestStatus(t *testing.T) {
 			statusCode:         http.StatusForbidden,
 			reqPath:            "/apis",
 			reason:             "Forbidden",
-			message:            `forbidden: User "" cannot get path "/apis": Everything is forbidden.`,
+			message:            `forbidden: User "unprivileged" cannot get path "/apis": Everything is forbidden.`,
 		},
 		{
 			name:               "401",

test/integration/framework/controlplane_utils.go

@@ -61,6 +61,10 @@ import (
 	netutils "k8s.io/utils/net"
 )
 
+const (
+	UnprivilegedUserToken = "unprivileged-user"
+)
+
 // Config is a struct of configuration directives for NewControlPlaneComponents.
 type Config struct {
 	// If nil, a default is used, partially filled configs will not get populated.
@@ -80,11 +84,16 @@ func (alwaysAllow) Authorize(ctx context.Context, requestAttributes authorizer.A
 	return authorizer.DecisionAllow, "always allow", nil
 }
 
-// alwaysEmpty simulates "no authentication" for old tests
-func alwaysEmpty(req *http.Request) (*authauthenticator.Response, bool, error) {
+// unsecuredUser simulates requests to the unsecured endpoint for old tests
+func unsecuredUser(req *http.Request) (*authauthenticator.Response, bool, error) {
+	auth := req.Header.Get("Authorization")
+	if len(auth) != 0 {
+		return nil, false, nil
+	}
 	return &authauthenticator.Response{
 		User: &user.DefaultInfo{
-			Name: "",
+			Name:   "system:unsecured",
+			Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
 		},
 	}, true, nil
 }
@@ -171,12 +180,17 @@ func startAPIServerOrDie(controlPlaneConfig *controlplane.Config, incomingServer
 	tokens[privilegedLoopbackToken] = &user.DefaultInfo{
 		Name:   user.APIServerUser,
 		UID:    uuid.New().String(),
-		Groups: []string{user.SystemPrivilegedGroup},
+		Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
+	}
+	tokens[UnprivilegedUserToken] = &user.DefaultInfo{
+		Name:   "unprivileged",
+		UID:    uuid.New().String(),
+		Groups: []string{user.AllAuthenticated},
 	}
 
 	tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens, controlPlaneConfig.GenericConfig.Authentication.APIAudiences)
 	if controlPlaneConfig.GenericConfig.Authentication.Authenticator == nil {
-		controlPlaneConfig.GenericConfig.Authentication.Authenticator = authenticatorunion.New(tokenAuthenticator, authauthenticator.RequestFunc(alwaysEmpty))
+		controlPlaneConfig.GenericConfig.Authentication.Authenticator = authenticatorunion.New(tokenAuthenticator, authauthenticator.RequestFunc(unsecuredUser))
 	} else {
 		controlPlaneConfig.GenericConfig.Authentication.Authenticator = authenticatorunion.New(tokenAuthenticator, controlPlaneConfig.GenericConfig.Authentication.Authenticator)
 	}