Closed
Description
Running metrics server behind aggregation on 3.7.0-alpha.1, verified proxy auth is working.
When hitting it as anonymous, no group is set. When trying authenticated, system:authenticated is set:
```
$ oc get --raw /apis/metrics/v1alpha1
```
... on extension server
```
I0906 18:34:49.783565 1 request.go:991] Request Body: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","metadata":{"creationTimestamp":null},"spec":{"nonResourceAttributes":{"path":"/apis/metrics/v1alpha1","verb":"get"},"user":"system:admin","group":["system:authenticated"]},"status":{"allowed":false}}
I0906 18:34:49.783626 1 round_trippers.go:383] POST https://172.30.0.1:443/apis/authorization.k8s.io/v1beta1/subjectaccessreviews
I0906 18:34:49.783633 1 round_trippers.go:390] Request Headers:
I0906 18:34:49.783638 1 round_trippers.go:393] Accept: application/json, */*
I0906 18:34:49.783641 1 round_trippers.go:393] Content-Type: application/json
I0906 18:34:49.783645 1 round_trippers.go:393] User-Agent: metrics-server/v0.0.0 (linux/amd64) kubernetes/$Format
I0906 18:34:49.783655 1 round_trippers.go:393] Authorization: Bearer...
I0906 18:34:49.789079 1 round_trippers.go:408] Response Status: 201 Created in 5 milliseconds
I0906 18:34:49.789101 1 round_trippers.go:411] Response Headers:
I0906 18:34:49.789106 1 round_trippers.go:414] Content-Type: application/json
I0906 18:34:49.789109 1 round_trippers.go:414] Content-Length: 309
I0906 18:34:49.789112 1 round_trippers.go:414] Date: Wed, 06 Sep 2017 18:34:49 GMT
I0906 18:34:49.789115 1 round_trippers.go:414] Cache-Control: no-store
I0906 18:34:49.790531 1 request.go:991] Response Body: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","metadata":{"creationTimestamp":null},"spec":{"nonResourceAttributes":{"path":"/apis/metrics/v1alpha1","verb":"get"},"user":"system:admin","group":["system:authenticated"]},"status":{"allowed":true,"reason":"allowed by cluster rule"}}
```
For anonymous
```
$ curl https://api.ci.openshift.org/apis/metrics/v1alpha1
```
... on extension server
```
I0906 18:30:56.563169 1 request.go:991] Request Body: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","metadata":{"creationTimestamp":null},"spec":{"nonResourceAttributes":{"path":"/apis/metrics/v1alpha1","verb":"get"},"user":"system:anonymous"},"status":{"allowed":false}}
I0906 18:30:56.563238 1 round_trippers.go:383] POST https://172.30.0.1:443/apis/authorization.k8s.io/v1beta1/subjectaccessreviews
I0906 18:30:56.563244 1 round_trippers.go:390] Request Headers:
I0906 18:30:56.563248 1 round_trippers.go:393] User-Agent: metrics-server/v0.0.0 (linux/amd64) kubernetes/$Format
I0906 18:30:56.563253 1 round_trippers.go:393] Authorization: Bearer ...
I0906 18:30:56.563264 1 round_trippers.go:393] Accept: application/json, */*
I0906 18:30:56.563269 1 round_trippers.go:393] Content-Type: application/json
I0906 18:30:56.572737 1 round_trippers.go:408] Response Status: 201 Created in 9 milliseconds
I0906 18:30:56.572753 1 round_trippers.go:411] Response Headers:
I0906 18:30:56.572757 1 round_trippers.go:414] Content-Type: application/json
I0906 18:30:56.572760 1 round_trippers.go:414] Content-Length: 328
I0906 18:30:56.572763 1 round_trippers.go:414] Date: Wed, 06 Sep 2017 18:30:56 GMT
I0906 18:30:56.572766 1 round_trippers.go:414] Cache-Control: no-store
I0906 18:30:56.572945 1 request.go:991] Response Body: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","metadata":{"creationTimestamp":null},"spec":{"nonResourceAttributes":{"path":"/apis/metrics/v1alpha1","verb":"get"},"user":"system:anonymous"},"status":{"allowed":false,"reason":"User \"system:anonymous\" cannot \"get\" on \"/apis/metrics/v1alpha1\""}}
```
```
oc get configmaps extension-apiserver-authentication -o yaml
```
```yaml
apiVersion: v1
data:
  client-ca-file: |
    -----BEGIN CERTIFICATE-----
    XXXX
    -----END CERTIFICATE-----
  requestheader-allowed-names: '["system:openshift-aggregator"]'
  requestheader-client-ca-file: |
    -----BEGIN CERTIFICATE-----
    XXXX
    -----END CERTIFICATE-----
  requestheader-extra-headers-prefix: '["x-remote-extra-"]'
  requestheader-group-headers: '["x-remote-group"]'
  requestheader-username-headers: '["x-remote-user"]'
kind: ConfigMap
metadata:
  creationTimestamp: 2017-08-30T15:04:49Z
  name: extension-apiserver-authentication
  namespace: kube-system
  resourceVersion: "1115866"
  selfLink: /api/v1/namespaces/kube-system/configmaps/extension-apiserver-authentication
  uid: 915984b2-8d94-11e7-a412-42010a800002
```
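An added example (not part of the original issue, nor metrics-server or OpenShift code): a Go check that scans extension-server log lines like those in the report and flags SubjectAccessReview request bodies that lack the built-in group Kubernetes assigns to that class of user (`system:unauthenticated` for `system:anonymous`, `system:authenticated` otherwise). The sample lines are constructed, shortened from the request bodies above, and `missingGroup` is a hypothetical helper name.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sar mirrors only the SubjectAccessReview fields needed for the check.
type sar struct {
	Kind string `json:"kind"`
	Spec struct {
		User  string   `json:"user"`
		Group []string `json:"group"`
	} `json:"spec"`
}

// Constructed sample lines, shortened from the logs in the issue.
var sampleLog = []string{
	`I0906 18:34:49.783565 1 request.go:991] Request Body: {"kind":"SubjectAccessReview","spec":{"user":"system:admin","group":["system:authenticated"]}}`,
	`I0906 18:30:56.563169 1 request.go:991] Request Body: {"kind":"SubjectAccessReview","spec":{"user":"system:anonymous"}}`,
	`I0906 18:30:56.563238 1 round_trippers.go:383] POST https://172.30.0.1:443/apis/authorization.k8s.io/v1beta1/subjectaccessreviews`,
}

// missingGroup returns the built-in group a SAR request body should carry but
// does not, or "" when the line is fine or is not a SAR request body.
func missingGroup(line string) string {
	const marker = "Request Body: "
	i := strings.Index(line, marker)
	if i < 0 {
		return ""
	}
	var r sar
	err := json.Unmarshal([]byte(line[i+len(marker):]), &r)
	if err != nil || r.Kind != "SubjectAccessReview" || r.Spec.User == "" {
		return ""
	}
	want := "system:authenticated"
	if r.Spec.User == "system:anonymous" {
		want = "system:unauthenticated"
	}
	for _, g := range r.Spec.Group {
		if g == want {
			return ""
		}
	}
	return want
}

func main() {
	for _, l := range sampleLog {
		if g := missingGroup(l); g != "" {
			fmt.Printf("missing %s: %s\n", g, l)
		}
	}
}
```

Run against the extension server's verbose log, a hit on `system:anonymous` reproduces the symptom reported here: the request reaches the SubjectAccessReview call with no group attached.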