open-cluster-management-io / registration

hub / spoke registration controllers
Apache License 2.0

"Unauthorized" errors are repeatedly output #298

Closed aii-nozomu-oki closed 1 year ago

aii-nozomu-oki commented 1 year ago

I followed the Installation page and installed OCM on two K3s with clusteradm.

$ export CTX_HUB_CLUSTER=k3s-hub
$ export CTX_MANAGED_CLUSTER=k3s-managed-1
$ clusteradm init --wait --context ${CTX_HUB_CLUSTER}
    [WARNING cluster-info check]: no ConfigMap named cluster-info in the kube-public namespace, clusteradm will creates it
CRD successfully registered.
Registration operator is now available.
ClusterManager registration is now available.
The multicluster hub control plane has been initialized successfully!

You can now register cluster(s) to the hub control plane. Log onto those cluster(s) and run the following command:

    clusteradm join --hub-token <TOKEN> --hub-apiserver https://<URL>:6443 --wait --cluster-name <cluster_name>

Replace <cluster_name> with a cluster name of your choice. For example, cluster1.

$ clusteradm join --hub-token <TOKEN> --hub-apiserver https://<URL>:6443 --wait --cluster-name k3s-managed-1 --context ${CTX_MANAGED_CLUSTER}
W0214 10:35:08.782324   15325 exec.go:110] Failed looking for cluster endpoint for the registering klusterlet: configmaps "cluster-info" not found
CRD successfully registered.
Registration operator is now available.
Klusterlet is now available.
Please log onto the hub cluster and run the following command:

    clusteradm accept --clusters k3s-managed-1

$ clusteradm accept --clusters k3s-managed-1 --context ${CTX_HUB_CLUSTER}
Starting approve csrs for the cluster k3s-managed-1
CSR k3s-managed-1-n8szm approved
set hubAcceptsClient to true for managed cluster k3s-managed-1

 Your managed cluster k3s-managed-1 has joined the Hub successfully. Visit https://open-cluster-management.io/scenarios or https://github.com/open-cluster-management-io/OCM/tree/main/solutions for next steps.

Approximately one hour after installation (this is probably because the sync interval is 1 hour: https://github.com/open-cluster-management-io/registration/blob/v0.10.0/pkg/spoke/managedcluster/creating_controller.go#L25 ), klusterlet-registration-agent repeatedly outputs the following error:

E0214 02:35:55.885449       1 base_controller.go:272] ManagedClusterCreatingController reconciliation failed: Unauthorized
E0214 02:35:55.894388       1 base_controller.go:272] ManagedClusterCreatingController reconciliation failed: Unauthorized
E0214 02:35:55.908126       1 base_controller.go:272] ManagedClusterCreatingController reconciliation failed: Unauthorized
E0214 02:35:55.931852       1 base_controller.go:272] ManagedClusterCreatingController reconciliation failed: Unauthorized
E0214 02:35:55.975005       1 base_controller.go:272] ManagedClusterCreatingController reconciliation failed: Unauthorized
E0214 02:35:56.057735       1 base_controller.go:272] ManagedClusterCreatingController reconciliation failed: Unauthorized
E0214 02:35:56.221023       1 base_controller.go:272] ManagedClusterCreatingController reconciliation failed: Unauthorized
E0214 02:35:56.544826       1 base_controller.go:272] ManagedClusterCreatingController reconciliation failed: Unauthorized
E0214 02:35:57.188584       1 base_controller.go:272] ManagedClusterCreatingController reconciliation failed: Unauthorized
E0214 02:35:58.473237       1 base_controller.go:272] ManagedClusterCreatingController reconciliation failed: Unauthorized
E0214 02:36:01.037010       1 base_controller.go:272] ManagedClusterCreatingController reconciliation failed: Unauthorized
E0214 02:36:06.160265       1 base_controller.go:272] ManagedClusterCreatingController reconciliation failed: Unauthorized
E0214 02:36:16.404390       1 base_controller.go:272] ManagedClusterCreatingController reconciliation failed: Unauthorized
E0214 02:36:36.887947       1 base_controller.go:272] ManagedClusterCreatingController reconciliation failed: Unauthorized
E0214 02:37:17.853292       1 base_controller.go:272] ManagedClusterCreatingController reconciliation failed: Unauthorized
E0214 02:38:39.777497       1 base_controller.go:272] ManagedClusterCreatingController reconciliation failed: Unauthorized
E0214 02:41:23.624753       1 base_controller.go:272] ManagedClusterCreatingController reconciliation failed: Unauthorized
E0214 02:46:51.312269       1 base_controller.go:272] ManagedClusterCreatingController reconciliation failed: Unauthorized

K3s outputs the following error:

Feb 14 02:35:55 k3s-hub k3s[322552]: E0214 02:35:55.882791  322552 authentication.go:63] "Unable to authenticate the request" err="[invalid bearer token, service account token has expired]"

According to my investigation, the error is originating from the following line. https://github.com/open-cluster-management-io/registration/blob/v0.10.0/pkg/spoke/managedcluster/creating_controller.go#L56

My understanding is that ManagedClusterCreatingController uses the cluster-bootstrap token and the token expires in 1 hour ( https://github.com/open-cluster-management-io/clusteradm/blob/v0.5.0/pkg/helpers/client.go#L210 ). So the error output itself is natural behavior. However, I think the log output "Unauthorized" should be avoided because it gives the system administrator the impression that something is wrong with the system. Any thoughts?

K3s version: v1.26.1+k3s1
clusteradm version: v0.5.0
default bundle version: 0.10.0

skeeey commented 1 year ago

Yes, I think we should avoid this error, and I think the problem is here: https://github.com/open-cluster-management-io/registration/blob/v0.10.0/pkg/spoke/managedcluster/creating_controller.go#L57

Now we only skip the unauthorized error when the user is anonymous.

aii-nozomu-oki commented 1 year ago

Thanks, I have confirmed that removing the anonymous check will stop the log from being output. And I have created a pull request.
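A diagnostic for the situation discussed in this thread, added here as an example (it is not code from the registration or clusteradm projects): it reads the `iat` and `exp` claims of a service account token to tell whether an "Unauthorized" from the hub falls after the bootstrap token's expiry. The function names and the sample token are constructed for illustration, and the token's signature is deliberately not verified.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// TokenLifetime decodes the payload of a service account JWT WITHOUT verifying
// its signature (diagnostic use only) and returns the iat and exp times in UTC.
func TokenLifetime(token string) (issued, expires time.Time, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return issued, expires, fmt.Errorf("not a three-part JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return issued, expires, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c struct {
		IssuedAt int64 `json:"iat"`
		Expires  int64 `json:"exp"`
	}
	if err := json.Unmarshal(raw, &c); err != nil || c.Expires == 0 {
		return issued, expires, fmt.Errorf("payload has no usable exp claim (%v)", err)
	}
	return time.Unix(c.IssuedAt, 0).UTC(), time.Unix(c.Expires, 0).UTC(), nil
}

// ExpiredAt reports whether the token had expired at time t: the case in which
// a hub "Unauthorized" for the bootstrap credential is expected, not a fault.
func ExpiredAt(token string, t time.Time) (bool, error) {
	_, exp, err := TokenLifetime(token)
	return err == nil && !t.Before(exp), err
}

// SampleToken returns a constructed, unsigned token with a one-hour lifetime.
func SampleToken() string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"none"}`)) + "." +
		enc([]byte(`{"iat":1676338500,"exp":1676342100}`)) + ".constructed"
}

func main() {
	iat, exp, err := TokenLifetime(SampleToken())
	fmt.Println(iat, exp, exp.Sub(iat), err)
}
```

If the first "Unauthorized" in the agent log is later than the decoded `exp`, the error matches the expired-token case described above; an "Unauthorized" before `exp` points to a different cause.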