
HCP Service Loadbalancer uses default SecurityGroup





      This is a clone of issue OCPBUGS-15512. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-14969. The following is the description of the original issue:

      Description of problem:

      When an HCP Service LB is created, for example for an IngressController, the CAPA controller calls ModifyNetworkInterfaceAttribute. It references the default security group for the VPC in addition to the security group created for the cluster (with the right tags). Ideally, the LBs (and any other HCP components) should not be using the default VPC SecurityGroup.

      Version-Release number of selected component (if applicable):

      All 4.12 and 4.13

      How reproducible:


      Steps to Reproduce:

      1. Create HCP
      2. Wait for Ingress to come up.
      3. Look in CloudTrail for ModifyNetworkInterfaceAttribute, and see default security group referenced 

      Actual results:

      Default security group is used

      Expected results:

      Default security group should not be used

      Additional info:

      This is problematic as we are attempting to scope our AWS permissions as small as possible. The goal is to only use resources that are tagged with `red-hat-managed: true` so that our IAM Policies can be conditioned to only access these resources. Using the Security Group created for the cluster should be sufficient, and the default Security Group does not need to be used, so if the usage can be removed here, we can secure our AWS policies that much better. Similar to OCPBUGS-11894
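      The reproduction step above ("look in CloudTrail for ModifyNetworkInterfaceAttribute and see the default security group referenced") can be turned into a repeatable check. The following script is an added example, not code from the bug report or from the CAPA/HyperShift projects: it scans CloudTrail records for ModifyNetworkInterfaceAttribute calls whose groupSet includes a VPC default security group, which is exactly the usage that a tag-scoped IAM policy (resources tagged `red-hat-managed: true`) would not cover. The sample records are constructed; the record layout (requestParameters.networkInterfaceId and requestParameters.groupSet.items[].groupId) and the placeholder default security group id are assumptions of the example.

```python
import json

# Constructed sample CloudTrail records (not real data). The field layout
# follows the EC2 ModifyNetworkInterfaceAttribute request and is an assumption
# of this example: networkInterfaceId plus groupSet.items[].groupId.
SAMPLE_CLOUDTRAIL = json.dumps([
    {   # attaches both the default SG and the cluster SG: should be flagged
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifyNetworkInterfaceAttribute",
        "requestParameters": {
            "networkInterfaceId": "eni-0aaaaaaaaaaaaaaa1",
            "groupSet": {"items": [{"groupId": "sg-0defaultdefault01"},
                                   {"groupId": "sg-0clustercluster01"}]},
        },
    },
    {   # only the tagged cluster SG: fine
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifyNetworkInterfaceAttribute",
        "requestParameters": {
            "networkInterfaceId": "eni-0bbbbbbbbbbbbbbb2",
            "groupSet": {"items": [{"groupId": "sg-0clustercluster01"}]},
        },
    },
    {   # same API call but it changes a different attribute, no groupSet
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifyNetworkInterfaceAttribute",
        "requestParameters": {"networkInterfaceId": "eni-0ccccccccccccccc3",
                              "sourceDestCheck": {"value": False}},
    },
    {   # unrelated event, ignored
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "requestParameters": {},
    },
])

# Placeholder id for the VPC's default security group. In practice this set
# is built from the VPC(s) the hosted cluster lives in (the SG named
# "default" in each VPC); it is not taken from the bug report.
DEFAULT_SG_IDS = {"sg-0defaultdefault01"}


def load_events(raw=SAMPLE_CLOUDTRAIL):
    """Parse a JSON array of CloudTrail records."""
    return json.loads(raw)


def security_groups_in_event(event):
    """Group ids the call set on the ENI; empty if groupSet was not touched."""
    params = event.get("requestParameters") or {}
    items = (params.get("groupSet") or {}).get("items") or []
    return {item["groupId"] for item in items if "groupId" in item}


def find_default_sg_usage(events, default_sg_ids):
    """Return (eni, sg) pairs where ModifyNetworkInterfaceAttribute attached
    a default security group. Sorted per event so output is deterministic."""
    findings = []
    for event in events:
        if (event.get("eventSource") != "ec2.amazonaws.com"
                or event.get("eventName") != "ModifyNetworkInterfaceAttribute"):
            continue
        params = event.get("requestParameters") or {}
        eni = params.get("networkInterfaceId", "<unknown-eni>")
        for sg in sorted(security_groups_in_event(event) & set(default_sg_ids)):
            findings.append((eni, sg))
    return findings


if __name__ == "__main__":
    for eni, sg in find_default_sg_usage(load_events(), DEFAULT_SG_IDS):
        print(f"{eni} was attached to default security group {sg}")
```

      To run this against real data, feed it the records array from a CloudTrail export (or a CloudWatch Logs Insights export filtered on eventName) and populate DEFAULT_SG_IDS with the actual default group ids; any finding is an ENI the cluster's tag-scoped IAM policy would not be allowed to manage.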

            agarcial@redhat.com Alberto Garcia Lamela
            openshift-crt-jira-prow OpenShift Prow Bot
            Jie Zhao Jie Zhao