Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-22771

Masters are not attached with the provided custom security groups which defined in platform.aws.defaultMachinePlatform

XMLWordPrintable

    • Moderate
    • No
    • False
    • Hide

      None

      Show
      None
    • Hide
      What: when `additionalSecurityGroupIDs` were specified only in the `defaultMachinePlatform` stanza, they were not being used by the control plane nodes.
      Fix: use the value from the defaultMachinePlatform when not specified for the controlPlane nodes.
      Show
      What: when `additionalSecurityGroupIDs` were specified only in the `defaultMachinePlatform` stanza, they were not being used by the control plane nodes. Fix: use the value from the defaultMachinePlatform when not specified for the controlPlane nodes.
    • Bug Fix

      This is a clone of issue OCPBUGS-20525. The following is the description of the original issue:

      Description of problem:

      Set custom security group IDs in the installconfig.platform.aws.defaultMachinePlatform.additionalSecurityGroupIDs field of install-config.yaml
      
      such as: 
      
         apiVersion: v1
         controlPlane:
           architecture: amd64
           hyperthreading: Enabled
           name: master
           platform: {}
           replicas: 3
         compute:
         - architecture: amd64
           hyperthreading: Enabled
           name: worker
           platform: {}
           replicas: 3
         metadata:
           name: gpei-test1013
         platform:
           aws:
             region: us-east-2
             subnets:
             - subnet-0bc86b64e7736479c
             - subnet-0addd33c410b52251
             - subnet-093392f94a4099566
             - subnet-0b915a53042b6dc61
             defaultMachinePlatform:
               additionalSecurityGroupIDs:
               - sg-0fbc4c9733e6c18e7
               - sg-0b46b502b575d30ba
               - sg-02a59f8662d10c6d3
      
      
      After installation, check the Security Groups attached to master and worker, master doesn't have the specified custom security groups attached while workers have. 
      
      For one of the masters:
      [root@preserve-gpei-worker k_files]# aws ec2 describe-instances --instance-ids i-08c0b0b6e4308be3b  --query 'Reservations[*].Instances[*].SecurityGroups[*]' --output json
      [
          [
              [
                  {
                      "GroupName": "terraform-20231013000602175000000002",
                      "GroupId": "sg-04b104d07075afe96"
                  }
              ]
          ]
      ]
      
      For one of the workers:
      [root@preserve-gpei-worker k_files]# aws ec2 describe-instances --instance-ids i-00643f07748ec75da --query 'Reservations[*].Instances[*].SecurityGroups[*]' --output json
      [
          [
              [
                  {
                      "GroupName": "test-sg2",
                      "GroupId": "sg-0b46b502b575d30ba"
                  },
                  {
                      "GroupName": "terraform-20231013000602174300000001",
                      "GroupId": "sg-0d7cd50d4cb42e513"
                  },
                  {
                      "GroupName": "test-sg3",
                      "GroupId": "sg-02a59f8662d10c6d3"
                  },
                  {
                      "GroupName": "test-sg1",
                      "GroupId": "sg-0fbc4c9733e6c18e7"
                  }
              ]
          ]
      ]
      
      
      Also checked the master's controlplanemachineset, it does have the custom security groups configured, but they're not attached to the master instance in the end.
      
      [root@preserve-gpei-worker k_files]# oc get controlplanemachineset -n openshift-machine-api cluster -o yaml |yq .spec.template.machines_v1beta1_machine_openshift_io.spec.providerSpec.value.securityGroups
      - filters:
          - name: tag:Name
            values:
              - gpei-test1013-8lwtb-master-sg
      - id: sg-02a59f8662d10c6d3
      - id: sg-0b46b502b575d30ba
      - id: sg-0fbc4c9733e6c18e7
      
      
      

      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-10-12-104602
      
      

      How reproducible:

      Always
      
      

      Steps to Reproduce:

      1.
      2.
      3.
      

      Actual results:

      
      

      Expected results:

      
      

      Additional info:

      It works well when setting the security groups in installconfig.controlPlane.platform.aws.additionalSecurityGroupIDs
      

              rdossant Rafael Fonseca dos Santos
              openshift-crt-jira-prow OpenShift Prow Bot
              Gaoyun Pei Gaoyun Pei
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: