IssueTracker

What you expected to happen:

if I provide a mocked (invalid) auth token, it should still be able to download Public Images (as it was in GCR)

Background:
in minikube we have an integration test for GCP-Auth Addon (that authenticates kubernetes pods to GCP) https://github.com/GoogleContainerTools/gcp-auth-webhook
in our test we use a Mocked creds, just to see if the fake creds are propagated into the pods

Steps to reproduce:


After migrating to AR, when our GCP-Auth addon is enabled with the mock credentials we use for testing, attempting to pull images from gcr.io/k8s-minikube result in unauthorized: authentication failed errors.

Reproduction
$ export GOOGLE_APPLICATION_CREDENTIALS="/Users/<user>/repo/minikube/test/integration/testdata/gcp-creds.json"
$ export GOOGLE_CLOUD_PROJECT="this_is_fake"
$ export MOCK_GOOGLE_TOKEN="true"
$ minikube start --addons gcp-auth
😄  minikube v1.34.0 on Darwin 14.7 (arm64)
✨  Automatically selected the docker driver. Other choices: qemu2, ssh, vfkit (experimental)
📌  Using Docker Desktop driver with root privileges
👍  Starting "minikube" primary control-plane node in "minikube" cluster
🚜  Pulling base image v0.0.45-1727108449-19696 ...
🔥  Creating docker container (CPUs=2, Memory=4000MB) ...
🐳  Preparing Kubernetes v1.31.1 on Docker 27.3.1 ...
    ▪ Generating certificates and keys ...
    ▪ Booting up control plane ...
    ▪ Configuring RBAC rules ...
🔗  Configuring bridge CNI (Container Networking Interface) ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
    ▪ Using image registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3
    ▪ Using image gcr.io/k8s-minikube/gcp-auth-webhook:v0.1.2
🔎  Verifying gcp-auth addon...
📌  Your GCP credentials will now be mounted into every pod created in the minikube cluster.
📌  If you don't want your credentials mounted into a specific pod, add a label with the `gcp-auth-skip-secret` key to your pod configuration.
📌  If you want existing pods to be mounted with credentials, either recreate them or rerun addons enable with --refresh.
🌟  Enabled addons: storage-provisioner, default-storageclass, gcp-auth
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

$ kubectl run --rm registry-test --restart=Never --image=gcr.io/k8s-minikube/busybox -it -- sh -c "wget --spider -S http://registry.kube-system.svc.cluster.local"
pod "registry-test" deleted
error: timed out waiting for the condition

$ kubectl get pods -A
NAMESPACE     NAME                               READY   STATUS         RESTARTS   AGE
default       registry-test                      0/1     ErrImagePull   0          5s

$ kubectl describe pods registry-test
...
Events:
  Type     Reason     Age               From               Message
  ----     ------     ----              ----               -------
  Normal   Scheduled  15s               default-scheduler  Successfully assigned default/registry-test to minikube
  Normal   BackOff    13s               kubelet            Back-off pulling image "gcr.io/k8s-minikube/busybox"
  Warning  Failed     13s               kubelet            Error: ImagePullBackOff
  Normal   Pulling    3s (x2 over 15s)  kubelet            Pulling image "gcr.io/k8s-minikube/busybox"
  Warning  Failed     2s (x2 over 14s)  kubelet            Failed to pull image "gcr.io/k8s-minikube/busybox": Error response from daemon: Head "https://gcr.io/v2/k8s-minikube/busybox/manifests/latest": unauthorized: authentication failed
  Warning  Failed     2s (x2 over 14s)  kubelet            Error: ErrImagePull




Other information (workarounds you have tried, documentation consulted, etc):
related issue on minikube repo
https://github.com/kubernetes/minikube/issues/19714