Merge pull request #27890 from rphillips/add_anonymous_cert_issue

add anonymous cert detection test case
openshift · Apr 25, 2023 · 9aff6f7 · 9aff6f7
2 parents 0648f35 + d2ca02c
commit 9aff6f7
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 0 deletions.
diff --git a/pkg/monitor/intervalcreation/node.go b/pkg/monitor/intervalcreation/node.go
@@ -186,6 +186,7 @@ func eventsFromKubeletLogs(nodeName string, kubeletLog []byte) monitorapi.Interv
 		ret = append(ret, startupProbeError(currLine)...)
 		ret = append(ret, errParsingSignature(currLine)...)
 		ret = append(ret, failedToDeleteCGroupsPath(nodeLocator, currLine)...)
+		ret = append(ret, anonymousCertConnectionError(nodeLocator, currLine)...)
 	}
 
 	return ret
@@ -434,6 +435,26 @@ func failedToDeleteCGroupsPath(nodeLocator, logLine string) monitorapi.Intervals
 	}
 }
 
+func anonymousCertConnectionError(nodeLocator, logLine string) monitorapi.Intervals {
+	if !strings.Contains(logLine, "User \"system:anonymous\"") {
+		return nil
+	}
+
+	failureTime := kubeletLogTime(logLine)
+
+	return monitorapi.Intervals{
+		{
+			Condition: monitorapi.Condition{
+				Level:   monitorapi.Error,
+				Locator: nodeLocator,
+				Message: monitorapi.ReasonedMessage("FailedToAuthenticateWithOpenShiftUser", logLine),
+			},
+			From: failureTime,
+			To:   failureTime.Add(1 * time.Second),
+		},
+	}
+}
+
 var nodeRefRegex = regexp.MustCompile(`error getting node \\"(?P<NODEID>[a-z0-9.-]+)\\"`)
 var nodeOutputRegex = regexp.MustCompile(`err="(?P<OUTPUT>.+)"`)
 

diff --git a/pkg/synthetictests/event_junits.go b/pkg/synthetictests/event_junits.go
@@ -74,6 +74,7 @@ func StableSystemEventInvariants(events monitorapi.Intervals, duration time.Dura
 	tests = append(tests, testNodeHasSufficientPID(events)...)
 
 	tests = append(tests, testFailedToDeleteCGroupsPath(events)...)
+	tests = append(tests, testAnonymousCertConnectionFailure(events)...)
 	tests = append(tests, testHttpConnectionLost(events)...)
 	tests = append(tests, testMarketplaceStartupProbeFailure(events)...)
 	tests = append(tests, testErrImagePullUnrecognizedSignatureFormat(events)...)
@@ -144,6 +145,7 @@ func SystemUpgradeEventInvariants(events monitorapi.Intervals, duration time.Dur
 	tests = append(tests, testNodeHasSufficientMemory(events)...)
 	tests = append(tests, testNodeHasSufficientPID(events)...)
 
+	tests = append(tests, testAnonymousCertConnectionFailure(events)...)
 	tests = append(tests, testFailedToDeleteCGroupsPath(events)...)
 	tests = append(tests, testHttpConnectionLost(events)...)
 	tests = append(tests, testMarketplaceStartupProbeFailure(events)...)

diff --git a/pkg/synthetictests/kubelet.go b/pkg/synthetictests/kubelet.go
@@ -100,6 +100,33 @@ func testHttpConnectionLost(events monitorapi.Intervals) []*junitapi.JUnitTestCa
 	return []*junitapi.JUnitTestCase{failure, success}
 }
 
+func testAnonymousCertConnectionFailure(events monitorapi.Intervals) []*junitapi.JUnitTestCase {
+	const testName = "[sig-node] kubelet should not use an anonymous user"
+
+	var failures []string
+	for _, event := range events {
+		if strings.Contains(event.Message, "reason/FailedToAuthenticateWithOpenShiftUser") {
+			failures = append(failures, fmt.Sprintf("%v - %v", event.Locator, event.Message))
+		}
+	}
+
+	if len(failures) == 0 {
+		success := &junitapi.JUnitTestCase{Name: testName}
+		return []*junitapi.JUnitTestCase{success}
+	}
+
+	failure := &junitapi.JUnitTestCase{
+		Name:      testName,
+		SystemOut: strings.Join(failures, "\n"),
+		FailureOutput: &junitapi.FailureOutput{
+			Output: fmt.Sprintf("kubelet logs contain %d failures using an anonymous user .\n\n%v", len(failures), strings.Join(failures, "\n")),
+		},
+	}
+	// add success to flake the test because this fails very commonly.
+	success := &junitapi.JUnitTestCase{Name: testName}
+	return []*junitapi.JUnitTestCase{failure, success}
+}
+
 func testFailedToDeleteCGroupsPath(events monitorapi.Intervals) []*junitapi.JUnitTestCase {
 	const testName = "[sig-node] kubelet should be able to delete cgroups path"