Merge pull request #39266 from zmerlynn/fix-kubectl-rbac

Automatic merge from submit-queue Remove system:anonymous check from kubectl test This verbiage doesn't appear when the cluster is `AlwaysAllow` (and just makes the check more brittle). Follow-on to #39263, this is the last (consistent) failure on [kops-aws](https://k8s-testgrid.appspot.com/google-aws#kops-aws&sort-by-failures=)
2025-07-23 11:50:44 +00:00 · 2016-12-28 10:50:30 -08:00 · 2016-12-28 10:50:30 -08:00 · cc8065f1f1
commit cc8065f1f1
parent ebf679da96 4465068462
1 changed files with 2 additions and 2 deletions
--- a/test/e2e/kubectl.go
+++ b/test/e2e/kubectl.go
@ -583,11 +583,11 @@ var _ = framework.KubeDescribe("Kubectl client", func() {
 			_, err := framework.RunHostCmd(ns, simplePodName, "/kubectl get pods --token=invalid --v=7 2>&1")
 			framework.Logf("got err %v", err)
 			Expect(err).To(HaveOccurred())
 			Expect(err).To(ContainSubstring("User \"system:anonymous\" cannot list pods in the namespace"))
 			Expect(err).To(ContainSubstring("Using in-cluster namespace"))
 			Expect(err).To(ContainSubstring("Using in-cluster configuration"))
 			Expect(err).To(ContainSubstring("Authorization: Bearer invalid"))
-			Expect(err).To(ContainSubstring("Response Status: 403 Forbidden"))
+			// TODO(kubernetes/kubernetes#39267): We should only see a 401 from an invalid bearer token.
 			Expect(err).To(Or(ContainSubstring("Response Status: 403 Forbidden"), ContainSubstring("Response Status: 401 Unauthorized")))
 			By("trying to use kubectl with invalid server")
 			_, err = framework.RunHostCmd(ns, simplePodName, "/kubectl get pods --server=invalid --v=6 2>&1")