diff --git a/pkg/apiserver/authentication/authenticators/jwttoken/jwt_token.go b/pkg/apiserver/authentication/authenticators/jwttoken/jwt_token.go
index d4a9d55299c6d66cb12fc90f1cbf9194720568b3..25b62ea6661427e257f764b83e99898556066b78 100644
--- a/pkg/apiserver/authentication/authenticators/jwttoken/jwt_token.go
+++ b/pkg/apiserver/authentication/authenticators/jwttoken/jwt_token.go
@@ -47,7 +47,7 @@ func NewTokenAuthenticator(tokenOperator auth.TokenManagementInterface, userList
 func (t *tokenAuthenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error) {
 providedUser, err := t.tokenOperator.Verify(token)
 if err != nil {
- klog.Error(err)
+ klog.Warning(err)
 return nil, false, err
 }
diff --git a/pkg/apiserver/authentication/token/jwt.go b/pkg/apiserver/authentication/token/jwt.go
index c6ce49f041fddc4d8c1f5612b7557333a2e04ee0..646b6c9c3c6fd99dd2637142236b02cdab31f05e 100644
--- a/pkg/apiserver/authentication/token/jwt.go
+++ b/pkg/apiserver/authentication/token/jwt.go
@@ -49,7 +49,7 @@ func (s *jwtTokenIssuer) Verify(tokenString string) (user.Info, TokenType, error
 // verify token signature and expiration time
 _, err := jwt.ParseWithClaims(tokenString, clm, s.keyFunc)
 if err != nil {
- klog.Error(err)
+ klog.V(4).Info(err)
 return nil, "", err
 }
 return &user.DefaultInfo{Name: clm.Username, Groups: clm.Groups, Extra: clm.Extra}, clm.TokenType, nil
@@ -77,9 +77,8 @@ func (s *jwtTokenIssuer) IssueTo(user user.Info, tokenType TokenType, expiresIn
 token := jwt.NewWithClaims(jwt.SigningMethodHS256, clm)
 tokenString, err := token.SignedString(s.secret)
-
 if err != nil {
- klog.Error(err)
+ klog.V(4).Info(err)
 return "", err
 }
diff --git a/pkg/apiserver/authorization/rbac/rbac.go b/pkg/apiserver/authorization/rbac/rbac.go
index f918e41d1fe836203052e7c4635d2fdcd8ebd01b..ecfa5696f773090e2704466a69ae73bbac9a31b7 100644
--- a/pkg/apiserver/authorization/rbac/rbac.go
+++ b/pkg/apiserver/authorization/rbac/rbac.go
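Review bot: In `AuthenticateToken` (jwt_token.go) the new `klog.Warning(err)` prints a bare error with nothing that marks it as an authentication failure. After this commit it is also the only record of a rejected token at default verbosity, because the issuer's `Verify` now logs at V(4) and `tokenOperator.Verify` no longer logs at all. A fixed prefix would let the line be matched by alerting on repeated failures, for example `klog.Warningf("token authentication failed: %v", err)`. The body of `AuthenticateToken` continues outside the hunk.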
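Review bot: In `IssueTo` (jwt.go, second hunk) a failure of `token.SignedString(s.secret)` is a server-side fault, not a bad client token, so demoting it to `klog.V(4).Info(err)` hides a broken signing secret or misconfiguration at default verbosity. Keeping this one at error level with context, e.g. `klog.Errorf("signing token: %v", err)`, would keep it distinct from the expected verification failures that the first hunk demotes. Whether the callers of `IssueTo` log the returned error is not visible in this diff. The function starts and ends outside the hunk.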
@@ -137,7 +137,7 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (aut
 scope = "global-wide"
 }
- klog.Infof("RBAC: no rules authorize user %q with groups %q to %s %s", requestAttributes.GetUser().GetName(), requestAttributes.GetUser().GetGroups(), operation, scope)
+ klog.V(4).Infof("RBAC: no rules authorize user %q with groups %q to %s %s", requestAttributes.GetUser().GetName(), requestAttributes.GetUser().GetGroups(), operation, scope)
 }
 reason := ""
diff --git a/pkg/models/auth/token.go b/pkg/models/auth/token.go
index 307fc07745fd84d2e8865a44fcec639bf82136d4..300812ab69606258e3b0fa1c61fc3d9edf67b6e5 100644
--- a/pkg/models/auth/token.go
+++ b/pkg/models/auth/token.go
@@ -19,6 +19,7 @@
 package auth
 import (
+ "errors"
 "fmt"
 "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/klog"
@@ -54,7 +55,6 @@ func NewTokenOperator(cache cache.Interface, options *authoptions.Authentication
 func (t tokenOperator) Verify(tokenStr string) (user.Info, error) {
 authenticated, tokenType, err := t.issuer.Verify(tokenStr)
 if err != nil {
- klog.Error(err)
 return nil, err
 }
 if t.options.OAuthOptions.AccessTokenMaxAge == 0 ||
@@ -62,7 +62,6 @@ func (t tokenOperator) Verify(tokenStr string) (user.Info, error) {
 return authenticated, nil
 }
 if err := t.tokenCacheValidate(authenticated.GetName(), tokenStr); err != nil {
- klog.Error(err)
 return nil, err
 }
 return authenticated, nil
@@ -131,7 +130,9 @@ func (t tokenOperator) tokenCacheValidate(username, token string) error {
 if exist, err := t.cache.Exists(key); err != nil {
 return err
 } else if !exist {
- return fmt.Errorf("token not found in cache")
+ err = errors.New("token not found in cache")
+ klog.V(4).Info(fmt.Errorf("%s: %s", err, token))
+ return err
 }
 return nil
 }
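Review bot: In `Authorize` (rbac.go) the denial message `RBAC: no rules authorize user ...` is now emitted only at V(4), so at default verbosity a run of forbidden requests from one user leaves no trace in this log. That is acceptable if denied decisions are recorded elsewhere, such as an audit log, but nothing in the diff shows this. If they are, a comment on the line should say so, e.g. `// denials are also recorded by <audit sink>; kept at V(4) to reduce log noise`; if not, a verbosity lower than 4 would keep the signal. The enclosing block begins outside the hunk.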
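Review bot: In `tokenCacheValidate` (token.go, last hunk) the added `klog.V(4).Info(fmt.Errorf("%s: %s", err, token))` writes the complete bearer token into the log. A token missing from the cache has already passed the issuer's signature and expiry check, and `Verify` in this file returns before the cache check when `AccessTokenMaxAge == 0`, so the logged string may still be accepted under another configuration. Anyone who can read debug logs could then obtain a usable credential. Log the identity instead, which is already a parameter: `klog.V(4).Infof("token not found in cache for user %q", username)`. This also avoids building an `error` with `fmt.Errorf` only to print it.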