OpenShift Bugs: OCPBUGS-15467

Ingress Controller is missing a required AWS resource permission for SC2S region us-isob-east-1


Details

    • Moderate
    • 2
    • Sprint 238, Sprint 239, Sprint 240
    • 3
    • Rejected
    • False
      Previously, the Ingress Operator did not include an Amazon Web Services (AWS) permission in its cloud credentials request. This impacted the management of domain name system (DNS) records in the Commercial Cloud Services (C2S) `us-iso-east-1` and Secret Commercial Cloud Services (SC2S) `us-isob-east-1` AWS Regions. For example, if you installed an {product-title} cluster in the C2S or SC2S AWS Region, the Ingress Operator failed to publish DNS records for the Route 53 service and you would receive an error message similar to the following example:

      [source,terminal]
      ----
      The DNS provider failed to ensure the record: failed to find hosted zone for record: failed to get tagged resources: AccessDenied: User: [...] is not authorized to perform: route53:ListTagsForResources on resource: [...]
      ----

      The {product-title} {product-version} release fixes this issue by adding the `route53:ListTagsForResources` permission to the Ingress Operator's cloud credentials request, so that the operator can publish DNS records in the previously stated AWS Regions for the Route 53 service.

      (link:https://issues.redhat.com/browse/OCPBUGS-15467[OCPBUGS-15467])
    • Bug Fix
    • Done

    Description

      Description of problem:

      Ingress Controller is missing a required AWS resource permission for SC2S region us-isob-east-1
      
      During the OpenShift 4 installation in SC2S region us-isob-east-1, the ingress operator degrades due to the missing "route53:ListTagsForResources" permission in the "openshift-ingress" CredentialsRequest, for which the customer proactively raised a PR.
      --> https://github.com/openshift/cluster-ingress-operator/pull/868
      
      The code disables part of the logic for C2S isolated regions here: https://github.com/openshift/cluster-ingress-operator/blob/d9d1a2b44cc7955a18fbedfdc973daddba67bccd/pkg/dns/aws/dns.go#L167-L168
      By not setting tagConfig, it results in the m.tags field to be set nil: https://github.com/openshift/cluster-ingress-operator/blob/d9d1a2b44cc7955a18fbedfdc973daddba67bccd/pkg/dns/aws/dns.go#L212-L222
      This then drives the logic in the getZoneID method to use either lookupZoneID or lookupZoneIDWithoutResourceTagging: https://github.com/openshift/cluster-ingress-operator/blob/d9d1a2b44cc7955a18fbedfdc973daddba67bccd/pkg/dns/aws/dns.go#L280-L284
      BLAB: the lookupZoneIDWithoutResourceTagging method is only ever called for endpoints.AwsIsoPartitionID, endpoints.AwsIsoBPartitionID regions.

      Version-Release number of selected component (if applicable):

       

      How reproducible:

      Every time

      Steps to Reproduce:

      1. Create an IPI cluster in SC2S region us-isob-east-1.
      

      Actual results:

      Ingress operator degrades due to the missing "route53:ListTagsForResources" permission with the following error.
      ~~~
      The DNS provider failed to ensure the record: failed to find hosted zone for record: failed to get tagged resources: AccessDenied: User ....... rye... is not authorized to perform: route53:ListTagsForResources on resource.... hostedzone/.. because no identity-based policy allows the route53:ListTagsForResources
      ~~~

      Expected results:

      Ingress operator should be in available state for new installation.

      Additional info:

       
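The partition-dependent zone lookup the report describes, as an added Go example that is not the operator's own code: a fake AWS client enforces a simulated IAM grant, and the lookup takes the tag:GetResources path in commercial partitions but the ListHostedZones plus ListTagsForResources path in the aws-iso and aws-iso-b partitions, so a pre-fix grant reproduces the AccessDenied quoted above while the same grant works in a commercial region; MissingActions is the kind of check that would have caught the gap before an install in that partition. The partition constants, FakeAWS, the grant contents and the zone tags are assumptions constructed for the example, not the operator's manifest or code.

```go
package main

import "fmt"

// Stand-ins for endpoints.AwsIsoPartitionID / AwsIsoBPartitionID; anything else is commercial AWS.
const (
	PartitionISO  = "aws-iso"   // C2S, us-iso-east-1
	PartitionISOB = "aws-iso-b" // SC2S, us-isob-east-1
)

// AccessDeniedError mirrors the IAM failure quoted in the bug.
type AccessDeniedError struct{ Action, Resource string }

func (e *AccessDeniedError) Error() string {
	return "AccessDenied: User: [...] is not authorized to perform: " + e.Action + " on resource: " + e.Resource
}

// FakeAWS (constructed for this example) stands in for Route 53 and the Resource Groups
// Tagging API behind a simulated policy: Allowed is the grant, Zones maps zone ID to tags.
type FakeAWS struct {
	Allowed map[string]bool
	Zones   map[string]map[string]string
}

func (c *FakeAWS) call(action, resource string) error {
	if !c.Allowed[action] {
		return &AccessDeniedError{Action: action, Resource: resource}
	}
	return nil
}

func tagsMatch(have, want map[string]string) bool {
	for k, v := range want {
		if have[k] != v {
			return false
		}
	}
	return true
}

// LookupZoneID finds the single hosted zone carrying the wanted tags, following the partition
// split described in the bug: commercial partitions let tag:GetResources do the filtering; the
// isolated partitions lack that API, so each zone's tags are read with route53:ListTagsForResources.
func LookupZoneID(c *FakeAWS, partition string, want map[string]string) (string, error) {
	var matches []string
	if partition == PartitionISO || partition == PartitionISOB {
		if err := c.call("route53:ListHostedZones", "*"); err != nil {
			return "", fmt.Errorf("failed to list hosted zones: %w", err)
		}
		for id, tags := range c.Zones {
			if err := c.call("route53:ListTagsForResources", "hostedzone/"+id); err != nil {
				return "", fmt.Errorf("failed to get tagged resources: %w", err)
			}
			if tagsMatch(tags, want) {
				matches = append(matches, id)
			}
		}
	} else {
		if err := c.call("tag:GetResources", "*"); err != nil {
			return "", fmt.Errorf("failed to get tagged resources: %w", err)
		}
		for id, tags := range c.Zones {
			if tagsMatch(tags, want) {
				matches = append(matches, id)
			}
		}
	}
	if len(matches) != 1 {
		return "", fmt.Errorf("expected one matching hosted zone, found %d", len(matches))
	}
	return matches[0], nil
}

// RequiredActions lists the IAM actions the lookup exercises in a partition.
func RequiredActions(partition string) []string {
	if partition == PartitionISO || partition == PartitionISOB {
		return []string{"route53:ListHostedZones", "route53:ListTagsForResources"}
	}
	return []string{"tag:GetResources"}
}

// MissingActions diffs RequiredActions against a grant, catching a gap like this bug's before install.
func MissingActions(partition string, allowed map[string]bool) []string {
	missing := []string{}
	for _, a := range RequiredActions(partition) {
		if !allowed[a] {
			missing = append(missing, a)
		}
	}
	return missing
}

func main() {
	// Constructed grant resembling the pre-fix CredentialsRequest, not the real manifest.
	before := map[string]bool{"route53:ListHostedZones": true, "route53:ChangeResourceRecordSets": true, "tag:GetResources": true}
	zones := map[string]map[string]string{"Z1": {"Name": "other"}, "Z2": {"kubernetes.io/cluster/demo-abc12": "owned"}}
	_, err := LookupZoneID(&FakeAWS{Allowed: before, Zones: zones}, PartitionISOB, zones["Z2"])
	fmt.Println("SC2S lookup with pre-fix grant:", err, "| missing:", MissingActions(PartitionISOB, before))
}
```

The point the example makes is that a CredentialsRequest is only least-privilege if it is checked against every code path the operator can take, and the isolated partitions take a path the commercial regions never exercise; running MissingActions for each partition the operator supports turns that into a test rather than an install-time surprise.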

            People

              mmasters1@redhat.com Miciah Masters
              rhn-support-aygarg Ayush Garg
              Melvin Joseph Melvin Joseph
              Votes: 0
              Watchers: 7