Bug
Resolution: Done-Errata
Critical
4.14
Critical
No
0
Sprint 240, Sprint 241
2
Approved
False
Description of problem:
Set custom security group IDs in the following fields of install-config.yaml:

    installconfig.controlPlane.platform.aws.additionalSecurityGroupIDs
    installconfig.compute.platform.aws.additionalSecurityGroupIDs

such as:

    apiVersion: v1
    controlPlane:
      architecture: amd64
      hyperthreading: Enabled
      name: master
      platform:
        aws:
          additionalSecurityGroupIDs:
          - sg-0d2f88b2980aa5547
          - sg-01f1d2f60a3b4cf6d
      replicas: 3
    compute:
    - architecture: amd64
      hyperthreading: Enabled
      name: worker
      platform:
        aws:
          additionalSecurityGroupIDs:
          - sg-03418b6e2f68e1f63
          - sg-0376fc68fd4b834a4
      replicas: 3

After installation, check the security groups attached to the masters and workers: the masters don’t have the specified custom security groups attached, while the workers do.

For one of the masters:

    [root@preserve-gpei-worker ~]# aws ec2 describe-instances --instance-ids i-0cd007cca57c86ee9 --region us-west-2 --query 'Reservations[*].Instances[*].SecurityGroups[*]' --output json
    [
        [
            [
                {
                    "GroupName": "terraform-20230713031140984600000002",
                    "GroupId": "sg-05495718555950f77"
                }
            ]
        ]
    ]

For one of the workers:

    [root@preserve-gpei-worker ~]# aws ec2 describe-instances --instance-ids i-0572b7bde8ff07ac4 --region us-west-2 --query 'Reservations[*].Instances[*].SecurityGroups[*]' --output json
    [
        [
            [
                {
                    "GroupName": "gpei-0613a-worker-2",
                    "GroupId": "sg-0376fc68fd4b834a4"
                },
                {
                    "GroupName": "gpei-0613a-worker-1",
                    "GroupId": "sg-03418b6e2f68e1f63"
                },
                {
                    "GroupName": "terraform-20230713031140982700000001",
                    "GroupId": "sg-0ce73044e426fe249"
                }
            ]
        ]
    ]

Also checked the master’s controlplanemachineset: it does have the custom security groups configured, but they’re not attached to the master instance in the end.

    [root@preserve-gpei-worker k_files]# oc get controlplanemachineset -n openshift-machine-api cluster -o yaml |yq .spec.template.machines_v1beta1_machine_openshift_io.spec.providerSpec.value.securityGroups
    - filters:
      - name: tag:Name
        values:
        - gpei-0613a-pzjbk-master-sg
    - id: sg-01f1d2f60a3b4cf6d
    - id: sg-0d2f88b2980aa5547
Version-Release number of selected component (if applicable):
registry.ci.openshift.org/ocp/release:4.14.0-0.nightly-2023-07-11-092038
How reproducible:
Always
Steps to Reproduce:
1. As mentioned above
Actual results:
masters don't have custom security groups added
Expected results:
masters should have custom security groups added like workers
Additional info:
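The comparison made by hand in this report can be automated as a post-install check, so that a control-plane node missing its intended network rules is caught early. The following is an added example, not part of the original report or of the installer: it diffs the explicit `id` entries of a providerSpec `securityGroups` list against the `describe-instances` output, using the values quoted above as inline sample data. The function names are hypothetical, and the worker's expected list is assumed to match the install-config `compute` entries.

```python
import json

def attached_group_ids(describe_instances_json):
    """Flatten the output of the --query
    'Reservations[*].Instances[*].SecurityGroups[*]' call used in the report."""
    ids = set()
    for reservation in json.loads(describe_instances_json):
        for instance in reservation:
            for group in instance:
                ids.add(group["GroupId"])
    return ids

def expected_group_ids(provider_spec_groups):
    """Keep entries that name a group by explicit id. Filter-based entries
    (tag:Name) would need an AWS lookup to resolve and are skipped here."""
    return {g["id"] for g in provider_spec_groups if "id" in g}

def missing_groups(provider_spec_groups, describe_instances_json):
    """Group IDs configured for the machine but not attached to the instance."""
    expected = expected_group_ids(provider_spec_groups)
    return sorted(expected - attached_group_ids(describe_instances_json))

# Sample data copied from the report above.
CPMS_GROUPS = [
    {"filters": [{"name": "tag:Name", "values": ["gpei-0613a-pzjbk-master-sg"]}]},
    {"id": "sg-01f1d2f60a3b4cf6d"},
    {"id": "sg-0d2f88b2980aa5547"},
]
MASTER_JSON = """[[[{"GroupName": "terraform-20230713031140984600000002",
                     "GroupId": "sg-05495718555950f77"}]]]"""

# Assumption: the worker's expected list mirrors install-config compute entries.
WORKER_GROUPS = [{"id": "sg-03418b6e2f68e1f63"}, {"id": "sg-0376fc68fd4b834a4"}]
WORKER_JSON = """[[[{"GroupName": "gpei-0613a-worker-2", "GroupId": "sg-0376fc68fd4b834a4"},
                    {"GroupName": "gpei-0613a-worker-1", "GroupId": "sg-03418b6e2f68e1f63"},
                    {"GroupName": "terraform-20230713031140982700000001",
                     "GroupId": "sg-0ce73044e426fe249"}]]]"""

if __name__ == "__main__":
    print("master missing:", missing_groups(CPMS_GROUPS, MASTER_JSON))
    print("worker missing:", missing_groups(WORKER_GROUPS, WORKER_JSON))
```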