OCPBUGS-20525

Masters are not attached with the provided custom security groups which are defined in platform.aws.defaultMachinePlatform

    • Moderate
    • Previously, if you only used the default machine configuration to specify existing AWS security groups when installing a cluster on AWS (`platform.aws.defaultMachinePlatform.additionalSecurityGroupIDs`), the security groups were not applied to control plane machines. With this update, existing AWS security groups are correctly applied to control planes when they are specified using the default machine configuration. (link:https://issues.redhat.com/browse/OCPBUGS-20525[*OCPBUGS-20525*])
    • Bug Fix
    • Done

      Description of problem:

      Set custom security group IDs in the installconfig.platform.aws.defaultMachinePlatform.additionalSecurityGroupIDs field of install-config.yaml
      
      such as: 
      
         apiVersion: v1
         controlPlane:
           architecture: amd64
           hyperthreading: Enabled
           name: master
           platform: {}
           replicas: 3
         compute:
         - architecture: amd64
           hyperthreading: Enabled
           name: worker
           platform: {}
           replicas: 3
         metadata:
           name: gpei-test1013
         platform:
           aws:
             region: us-east-2
             subnets:
             - subnet-0bc86b64e7736479c
             - subnet-0addd33c410b52251
             - subnet-093392f94a4099566
             - subnet-0b915a53042b6dc61
             defaultMachinePlatform:
               additionalSecurityGroupIDs:
               - sg-0fbc4c9733e6c18e7
               - sg-0b46b502b575d30ba
               - sg-02a59f8662d10c6d3
      
      
      After installation, checking the security groups attached to the masters and workers shows that the master doesn't have the specified custom security groups attached, while the workers do.
      
      For one of the masters:
      [root@preserve-gpei-worker k_files]# aws ec2 describe-instances --instance-ids i-08c0b0b6e4308be3b  --query 'Reservations[*].Instances[*].SecurityGroups[*]' --output json
      [
          [
              [
                  {
                      "GroupName": "terraform-20231013000602175000000002",
                      "GroupId": "sg-04b104d07075afe96"
                  }
              ]
          ]
      ]
      
      For one of the workers:
      [root@preserve-gpei-worker k_files]# aws ec2 describe-instances --instance-ids i-00643f07748ec75da --query 'Reservations[*].Instances[*].SecurityGroups[*]' --output json
      [
          [
              [
                  {
                      "GroupName": "test-sg2",
                      "GroupId": "sg-0b46b502b575d30ba"
                  },
                  {
                      "GroupName": "terraform-20231013000602174300000001",
                      "GroupId": "sg-0d7cd50d4cb42e513"
                  },
                  {
                      "GroupName": "test-sg3",
                      "GroupId": "sg-02a59f8662d10c6d3"
                  },
                  {
                      "GroupName": "test-sg1",
                      "GroupId": "sg-0fbc4c9733e6c18e7"
                  }
              ]
          ]
      ]
      
      
      Also checked the master's ControlPlaneMachineSet: it does have the custom security groups configured, but they're not attached to the master instance in the end.
      
      [root@preserve-gpei-worker k_files]# oc get controlplanemachineset -n openshift-machine-api cluster -o yaml |yq .spec.template.machines_v1beta1_machine_openshift_io.spec.providerSpec.value.securityGroups
      - filters:
          - name: tag:Name
            values:
              - gpei-test1013-8lwtb-master-sg
      - id: sg-02a59f8662d10c6d3
      - id: sg-0b46b502b575d30ba
      - id: sg-0fbc4c9733e6c18e7
      
      
      

      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-10-12-104602
      
      

      How reproducible:

      Always
      
      

      Steps to Reproduce:

      1.
      2.
      3.
      

      Actual results:

      
      

      Expected results:

      
      

      Additional info:

      It works well when setting the security groups in installconfig.controlPlane.platform.aws.additionalSecurityGroupIDs
      

              rdossant Rafael Fonseca dos Santos
              gpei@redhat.com Gaoyun Pei
              Gaoyun Pei Gaoyun Pei
              Mike Pytlak Mike Pytlak (Inactive)
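The report above compares security groups by eye, one instance at a time. The script below is an added example (not code from the bug report, the OpenShift installer, or any Red Hat tooling) that automates the same check for a whole cluster: it resolves which `additionalSecurityGroupIDs` each machine pool should receive from install-config.yaml and diffs that against `aws ec2 describe-instances` output, reporting every instance that lacks a requested group. The install-config dict and the describe-instances JSON are constructed to mirror the report (same SG and instance IDs, no cluster is queried). Two assumptions are labelled in the code: that a pool-level `additionalSecurityGroupIDs` list replaces the `defaultMachinePlatform` list rather than merging with it, and that instances are named `<infraID>-master-<n>` / `<infraID>-worker-<az>-<suffix>` so the pool can be inferred from the Name tag.

```python
"""Verify that each EC2 instance of an OpenShift cluster on AWS carries the
additional security groups requested in install-config.yaml.

Added example for OCPBUGS-20525; not part of the installer or the reporter's
tooling. The data below is constructed to mirror the report.
"""
import json


# What PyYAML would produce for the reporter's install-config.yaml (constructed):
# only platform.aws.defaultMachinePlatform sets additionalSecurityGroupIDs, and
# both machine pools leave platform: {} empty.
INSTALL_CONFIG = {
    "controlPlane": {"name": "master", "platform": {}, "replicas": 3},
    "compute": [{"name": "worker", "platform": {}, "replicas": 3}],
    "platform": {
        "aws": {
            "region": "us-east-2",
            "defaultMachinePlatform": {
                "additionalSecurityGroupIDs": [
                    "sg-0fbc4c9733e6c18e7",
                    "sg-0b46b502b575d30ba",
                    "sg-02a59f8662d10c6d3",
                ]
            },
        }
    },
}

# Constructed `aws ec2 describe-instances` output (two instances) carrying the
# security groups the report shows on one master and one worker.
DESCRIBE_INSTANCES_JSON = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-08c0b0b6e4308be3b",
             "SecurityGroups": [
                 {"GroupName": "terraform-20231013000602175000000002",
                  "GroupId": "sg-04b104d07075afe96"}],
             "Tags": [{"Key": "Name", "Value": "gpei-test1013-8lwtb-master-0"}]},
            {"InstanceId": "i-00643f07748ec75da",
             "SecurityGroups": [
                 {"GroupName": "test-sg2", "GroupId": "sg-0b46b502b575d30ba"},
                 {"GroupName": "terraform-20231013000602174300000001",
                  "GroupId": "sg-0d7cd50d4cb42e513"},
                 {"GroupName": "test-sg3", "GroupId": "sg-02a59f8662d10c6d3"},
                 {"GroupName": "test-sg1", "GroupId": "sg-0fbc4c9733e6c18e7"}],
             "Tags": [{"Key": "Name",
                       "Value": "gpei-test1013-8lwtb-worker-us-east-2a-abcde"}]},
        ]}
    ]
})


def expected_additional_sgs(install_config, pool_name):
    """Return the set of additionalSecurityGroupIDs a machine pool should get.

    Assumption: a list given on the pool itself (controlPlane.platform.aws or
    compute[].platform.aws) replaces the platform.aws.defaultMachinePlatform
    list; otherwise the default list applies to every pool, masters included.
    """
    aws = install_config.get("platform", {}).get("aws", {})
    default = aws.get("defaultMachinePlatform", {}).get("additionalSecurityGroupIDs") or []
    if pool_name == "master":
        pool = install_config.get("controlPlane") or {}
    else:
        pool = next((p for p in install_config.get("compute", [])
                     if p.get("name") == pool_name), {})
    pool_aws = (pool.get("platform") or {}).get("aws") or {}
    return set(pool_aws.get("additionalSecurityGroupIDs") or default)


def pool_of_instance(instance):
    """Infer the machine pool from the instance's Name tag.

    Assumption: instances are named <infraID>-master-<n> or
    <infraID>-worker-<az>-<suffix>; anything else is reported as "unknown".
    """
    name = next((t["Value"] for t in instance.get("Tags", []) if t["Key"] == "Name"), "")
    for pool in ("master", "worker"):
        if f"-{pool}-" in name:
            return pool
    return "unknown"


def find_missing_sgs(install_config, describe_output):
    """Map each instance ID to the sorted requested SG IDs it is missing.

    An empty list means the instance carries every group install-config asked for.
    """
    data = json.loads(describe_output)
    report = {}
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            attached = {sg["GroupId"] for sg in inst.get("SecurityGroups", [])}
            wanted = expected_additional_sgs(install_config, pool_of_instance(inst))
            report[inst["InstanceId"]] = sorted(wanted - attached)
    return report


if __name__ == "__main__":
    # Against a real cluster, feed this the output of:
    #   aws ec2 describe-instances --filters Name=tag:kubernetes.io/cluster/<infraID>,Values=owned
    for instance_id, missing in find_missing_sgs(INSTALL_CONFIG, DESCRIBE_INSTANCES_JSON).items():
        print(f"{instance_id}: {'OK' if not missing else 'MISSING ' + ', '.join(missing)}")
```

Run against the constructed data, the master is reported as missing all three custom groups and the worker as complete, which is exactly the asymmetry the report describes; against a real cluster, replace the embedded JSON with the `describe-instances` output for all instances tagged `kubernetes.io/cluster/<infraID>=owned` and load install-config.yaml with a YAML parser.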