OpenShift Bugs / OCPBUGS-16204

[CORS-2602] Masters are not attached with the provided custom security groups

    • Critical
    • No
    • 0
    • Sprint 240, Sprint 241
    • 2
    • Approved
    • False

      Description of problem:

      Set custom security group IDs in the following fields of install-config.yaml:

      installconfig.controlPlane.platform.aws.additionalSecurityGroupIDs
      installconfig.compute.platform.aws.additionalSecurityGroupIDs

      such as:

      apiVersion: v1
      controlPlane:
        architecture: amd64
        hyperthreading: Enabled
        name: master
        platform:
          aws:
            additionalSecurityGroupIDs:
            - sg-0d2f88b2980aa5547
            - sg-01f1d2f60a3b4cf6d
        replicas: 3
      compute:
      - architecture: amd64
        hyperthreading: Enabled
        name: worker
        platform:
          aws:
            additionalSecurityGroupIDs:
            - sg-03418b6e2f68e1f63
            - sg-0376fc68fd4b834a4
        replicas: 3
      
      
      After installation, check the Security Groups attached to master and worker, master doesn’t have the specified custom security groups attached while workers have. 
      
      For one of the masters:
      [root@preserve-gpei-worker ~]# aws ec2 describe-instances --instance-ids i-0cd007cca57c86ee9 --region us-west-2 --query 'Reservations[*].Instances[*].SecurityGroups[*]' --output json
      [
          [
              [
                  {
                      "GroupName": "terraform-20230713031140984600000002",
                      "GroupId": "sg-05495718555950f77"
                  }
              ]
          ]
      ]
      
      For one of the workers:
      [root@preserve-gpei-worker ~]# aws ec2 describe-instances --instance-ids i-0572b7bde8ff07ac4 --region us-west-2 --query 'Reservations[*].Instances[*].SecurityGroups[*]' --output json
      [
          [
              [
                  {
                      "GroupName": "gpei-0613a-worker-2",
                      "GroupId": "sg-0376fc68fd4b834a4"
                  },
                  {
                      "GroupName": "gpei-0613a-worker-1",
                      "GroupId": "sg-03418b6e2f68e1f63"
                  },
                  {
                      "GroupName": "terraform-20230713031140982700000001",
                      "GroupId": "sg-0ce73044e426fe249"
                  }
              ]
          ]
      ]
      
      Also checked the master’s controlplanemachineset; it does have the custom security groups configured, but they’re not attached to the master instance in the end.
      
      [root@preserve-gpei-worker k_files]# oc get controlplanemachineset -n openshift-machine-api cluster -o yaml |yq .spec.template.machines_v1beta1_machine_openshift_io.spec.providerSpec.value.securityGroups
      - filters:
          - name: tag:Name
            values:
              - gpei-0613a-pzjbk-master-sg
      - id: sg-01f1d2f60a3b4cf6d
      - id: sg-0d2f88b2980aa5547
      
      
      
      

      Version-Release number of selected component (if applicable):

      registry.ci.openshift.org/ocp/release:4.14.0-0.nightly-2023-07-11-092038
      
      

      How reproducible:

       Always
      
      

      Steps to Reproduce:

      1. As mentioned above
      

      Actual results:

      masters don't have custom security groups added
      

      Expected results:

      masters should have custom security groups added like workers
      
      

      Additional info:

      
      
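      The checks in the description were done by hand, one instance at a time. The script below is an added example, not code from the bug report or from the OpenShift installer: it compares the security groups attached to each master and worker instance against the IDs given under additionalSecurityGroupIDs, so that a cluster showing this bug fails the check instead of silently running its control plane with only the installer-created group. The Name-tag pattern <INFRA_ID>-master-* / <INFRA_ID>-worker-*, the INFRA_ID and REGION variables and the function names are assumptions; the embedded JSON samples are constructed to match the describe-instances output quoted above.

```shell
#!/bin/sh
# Added example (not code from the bug report or the OpenShift installer).
# Verifies that the IDs listed under additionalSecurityGroupIDs in
# install-config.yaml are attached to every master and worker EC2 instance.
# Assumptions, not taken from the page: instances are tagged
# Name=<INFRA_ID>-master-* / <INFRA_ID>-worker-*, the aws CLI is configured,
# and INFRA_ID / REGION are supplied via the environment.

# extract_sg_ids: read on stdin the JSON printed by
#   aws ec2 describe-instances ... --query 'Reservations[*].Instances[*].SecurityGroups[*]'
# and print one GroupId per line (works whether the JSON is pretty-printed or not).
extract_sg_ids() {
    tr ',{}' '\n\n\n' | sed -n 's/.*"GroupId": *"\(sg-[0-9a-f]*\)".*/\1/p'
}

# missing_sgs "WANTED IDS" "ATTACHED IDS": print each wanted ID that is not attached,
# one per line; return 1 if any is missing, 0 if all are present.
missing_sgs() {
    want=$1
    have=$2
    rc=0
    for sg in $want; do
        case " $have " in
            *" $sg "*) ;;
            *) echo "$sg"; rc=1 ;;
        esac
    done
    return $rc
}

# missing_from_json "WANTED IDS": same check, with describe-instances JSON on stdin.
missing_from_json() {
    missing_sgs "$1" "$(extract_sg_ids | tr '\n' ' ')"
}

# check_role ROLE "WANTED IDS": query the live account for all running instances of
# one role and print OK / MISSING per instance.
check_role() {
    role=$1
    wanted=$2
    ids=$(aws ec2 describe-instances --region "$REGION" \
        --filters "Name=tag:Name,Values=${INFRA_ID}-${role}-*" \
                  "Name=instance-state-name,Values=running" \
        --query 'Reservations[*].Instances[*].InstanceId' --output text)
    for id in $ids; do
        if gone=$(aws ec2 describe-instances --region "$REGION" --instance-ids "$id" \
                --query 'Reservations[*].Instances[*].SecurityGroups[*]' --output json \
                | missing_from_json "$wanted"); then
            echo "OK      $role $id"
        else
            echo "MISSING $role $id: $(echo "$gone" | tr '\n' ' ')"
        fi
    done
}

# Constructed samples shaped like the describe-instances output quoted in the report:
# the master carries only the installer-created group, the worker has both custom
# groups plus the installer-created one.
MASTER_SGS="sg-0d2f88b2980aa5547 sg-01f1d2f60a3b4cf6d"
WORKER_SGS="sg-03418b6e2f68e1f63 sg-0376fc68fd4b834a4"
SAMPLE_MASTER_JSON='[[[{"GroupName": "terraform-20230713031140984600000002", "GroupId": "sg-05495718555950f77"}]]]'
SAMPLE_WORKER_JSON='[[[{"GroupName": "gpei-0613a-worker-2", "GroupId": "sg-0376fc68fd4b834a4"},
{"GroupName": "gpei-0613a-worker-1", "GroupId": "sg-03418b6e2f68e1f63"},
{"GroupName": "terraform-20230713031140982700000001", "GroupId": "sg-0ce73044e426fe249"}]]]'

if [ -n "${INFRA_ID:-}" ]; then
    REGION=${REGION:-us-west-2}
    check_role master "$MASTER_SGS"
    check_role worker "$WORKER_SGS"
else
    # Offline run: the master sample must come out MISSING, the worker sample OK.
    for role in master worker; do
        if [ "$role" = master ]; then json=$SAMPLE_MASTER_JSON; want=$MASTER_SGS
        else json=$SAMPLE_WORKER_JSON; want=$WORKER_SGS; fi
        if gone=$(printf '%s\n' "$json" | missing_from_json "$want"); then
            echo "OK      $role (sample)"
        else
            echo "MISSING $role (sample): $(echo "$gone" | tr '\n' ' ')"
        fi
    done
fi
```

      Run it as INFRA_ID=<infra id> REGION=<region> sh check-sgs.sh against a real cluster; without INFRA_ID it only exercises the constructed samples. The comparison is made against the EC2 instances rather than the controlplanemachineset on purpose: as the description shows, the CPMS can list the custom IDs while the instances still lack them.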


            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (Important: OpenShift Container Platform 4.14.0 bug fix and security update), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHSA-2023:5006


            Gaoyun Pei added a comment -

            Move this bug as verified based on the pre-merge testing result.


            Gaoyun Pei added a comment -

            Pre-merge testing on installer/pull/7352 verified the issue was fixed.

            With the following two existing security groups specified for controlPlane:

              controlPlane:
                architecture: amd64
                hyperthreading: Enabled
                name: master
                platform:
                  aws:
                    additionalSecurityGroupIDs:
                    - sg-0b46cd49558397795
                    - sg-08526d1e25734c9e8
                replicas: 3
            

            After installation, check the security groups added for the three masters:

            [
                [
                    [
                        {
                            "GroupName": "terraform-20230810081137491500000002",
                            "GroupId": "sg-0687e1e54e0d2da49"
                        },
                        {
                            "GroupName": "gpei-0810a-master-1",
                            "GroupId": "sg-0b46cd49558397795"
                        },
                        {
                            "GroupName": "gpei-0810a-master-2",
                            "GroupId": "sg-08526d1e25734c9e8"
                        }
                    ]
                ]
            ]
            [
                [
                    [
                        {
                            "GroupName": "terraform-20230810081137491500000002",
                            "GroupId": "sg-0687e1e54e0d2da49"
                        },
                        {
                            "GroupName": "gpei-0810a-master-1",
                            "GroupId": "sg-0b46cd49558397795"
                        },
                        {
                            "GroupName": "gpei-0810a-master-2",
                            "GroupId": "sg-08526d1e25734c9e8"
                        }
                    ]
                ]
            ]
            [
                [
                    [
                        {
                            "GroupName": "terraform-20230810081137491500000002",
                            "GroupId": "sg-0687e1e54e0d2da49"
                        },
                        {
                            "GroupName": "gpei-0810a-master-1",
                            "GroupId": "sg-0b46cd49558397795"
                        },
                        {
                            "GroupName": "gpei-0810a-master-2",
                            "GroupId": "sg-08526d1e25734c9e8"
                        }
                    ]
                ]
            ]
            


              rdossant Rafael Fonseca dos Santos
              gpei@redhat.com Gaoyun Pei
              Gaoyun Pei Gaoyun Pei