OCPBUGS-22771

Masters are not attached with the provided custom security groups defined in platform.aws.defaultMachinePlatform

      Release Note Text:
      What: when `additionalSecurityGroupIDs` were specified only in the `defaultMachinePlatform` stanza, they were not being used by the control plane nodes.
      Fix: use the value from the defaultMachinePlatform when not specified for the controlPlane nodes.
      Release Note Type: Bug Fix

      This is a clone of issue OCPBUGS-20525. The following is the description of the original issue:

      Description of problem:

      Set custom security group IDs in the installconfig.platform.aws.defaultMachinePlatform.additionalSecurityGroupIDs field of install-config.yaml
      
      such as: 
      
         apiVersion: v1
         controlPlane:
           architecture: amd64
           hyperthreading: Enabled
           name: master
           platform: {}
           replicas: 3
         compute:
         - architecture: amd64
           hyperthreading: Enabled
           name: worker
           platform: {}
           replicas: 3
         metadata:
           name: gpei-test1013
         platform:
           aws:
             region: us-east-2
             subnets:
             - subnet-0bc86b64e7736479c
             - subnet-0addd33c410b52251
             - subnet-093392f94a4099566
             - subnet-0b915a53042b6dc61
             defaultMachinePlatform:
               additionalSecurityGroupIDs:
               - sg-0fbc4c9733e6c18e7
               - sg-0b46b502b575d30ba
               - sg-02a59f8662d10c6d3
      
      
      After installation, check the security groups attached to a master and a worker: the master doesn't have the specified custom security groups attached, while the workers do.
      
      For one of the masters:
      [root@preserve-gpei-worker k_files]# aws ec2 describe-instances --instance-ids i-08c0b0b6e4308be3b  --query 'Reservations[*].Instances[*].SecurityGroups[*]' --output json
      [
          [
              [
                  {
                      "GroupName": "terraform-20231013000602175000000002",
                      "GroupId": "sg-04b104d07075afe96"
                  }
              ]
          ]
      ]
      
      For one of the workers:
      [root@preserve-gpei-worker k_files]# aws ec2 describe-instances --instance-ids i-00643f07748ec75da --query 'Reservations[*].Instances[*].SecurityGroups[*]' --output json
      [
          [
              [
                  {
                      "GroupName": "test-sg2",
                      "GroupId": "sg-0b46b502b575d30ba"
                  },
                  {
                      "GroupName": "terraform-20231013000602174300000001",
                      "GroupId": "sg-0d7cd50d4cb42e513"
                  },
                  {
                      "GroupName": "test-sg3",
                      "GroupId": "sg-02a59f8662d10c6d3"
                  },
                  {
                      "GroupName": "test-sg1",
                      "GroupId": "sg-0fbc4c9733e6c18e7"
                  }
              ]
          ]
      ]
      
      
      Also checked the master's controlplanemachineset: it does have the custom security groups configured, but they're not attached to the master instance in the end.
      
      [root@preserve-gpei-worker k_files]# oc get controlplanemachineset -n openshift-machine-api cluster -o yaml |yq .spec.template.machines_v1beta1_machine_openshift_io.spec.providerSpec.value.securityGroups
      - filters:
          - name: tag:Name
            values:
              - gpei-test1013-8lwtb-master-sg
      - id: sg-02a59f8662d10c6d3
      - id: sg-0b46b502b575d30ba
      - id: sg-0fbc4c9733e6c18e7
      
      
      

      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-10-12-104602

      How reproducible:

      Always

      Steps to Reproduce:

      1.
      2.
      3.

      Actual results:

      Expected results:

      Additional info:

      It works well when setting the security groups in installconfig.controlPlane.platform.aws.additionalSecurityGroupIDs
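      The practical lesson of this report is that the control plane machine set showing the custom groups is not evidence that they are attached: the intended network policy those groups carry (whatever extra allow or restrict rules an operator put on them) was silently absent from the API servers while present on the workers. The script below is an added example, not code from the report, the installer or the OpenShift project. It encodes the precedence the fix describes (a role-specific `platform.aws.additionalSecurityGroupIDs` wins, otherwise `defaultMachinePlatform` applies, first compute pool only) and compares the expected groups against the `describe-instances` query output shown above. The install-config dict and the two JSON strings are constructed from the values in the report; the function names are mine, and the override case checked in the usage mirrors the workaround from "Additional info".

```python
import json
from typing import Any, Dict, List, Set

# Constructed sample install-config, mirroring the report: the custom security
# groups are set only under platform.aws.defaultMachinePlatform.
INSTALL_CONFIG: Dict[str, Any] = {
    "controlPlane": {"name": "master", "platform": {}, "replicas": 3},
    "compute": [{"name": "worker", "platform": {}, "replicas": 3}],
    "platform": {
        "aws": {
            "region": "us-east-2",
            "defaultMachinePlatform": {
                "additionalSecurityGroupIDs": [
                    "sg-0fbc4c9733e6c18e7",
                    "sg-0b46b502b575d30ba",
                    "sg-02a59f8662d10c6d3",
                ]
            },
        }
    },
}

# Constructed output of
#   aws ec2 describe-instances --instance-ids <id> \
#     --query 'Reservations[*].Instances[*].SecurityGroups[*]' --output json
# for one master and one worker, copied from the report above.
MASTER_SGS_JSON = """
[[[{"GroupName": "terraform-20231013000602175000000002", "GroupId": "sg-04b104d07075afe96"}]]]
"""
WORKER_SGS_JSON = """
[[[{"GroupName": "test-sg2", "GroupId": "sg-0b46b502b575d30ba"},
   {"GroupName": "terraform-20231013000602174300000001", "GroupId": "sg-0d7cd50d4cb42e513"},
   {"GroupName": "test-sg3", "GroupId": "sg-02a59f8662d10c6d3"},
   {"GroupName": "test-sg1", "GroupId": "sg-0fbc4c9733e6c18e7"}]]]
"""


def expected_additional_sgs(install_config: Dict[str, Any], role: str) -> List[str]:
    """Security groups the installer should attach for `role` ("controlPlane"
    or "compute"), using the precedence the fix restores: a role-specific
    platform.aws.additionalSecurityGroupIDs wins; when it is not specified,
    platform.aws.defaultMachinePlatform.additionalSecurityGroupIDs applies.
    Only the first compute pool is considered (assumption for this example)."""
    if role == "controlPlane":
        pool = install_config.get("controlPlane") or {}
    elif role == "compute":
        pools = install_config.get("compute") or []
        pool = pools[0] if pools else {}
    else:
        raise ValueError(f"unknown role {role!r}")
    role_sgs = ((pool.get("platform") or {}).get("aws") or {}).get("additionalSecurityGroupIDs")
    if role_sgs is not None:
        return list(role_sgs)
    aws = (install_config.get("platform") or {}).get("aws") or {}
    default = aws.get("defaultMachinePlatform") or {}
    return list(default.get("additionalSecurityGroupIDs") or [])


def attached_sg_ids(describe_output: str) -> Set[str]:
    """Flatten the nested Reservations[*].Instances[*].SecurityGroups[*] JSON
    into the set of group IDs actually attached to the instance(s)."""
    ids: Set[str] = set()
    for reservation in json.loads(describe_output):
        for instance in reservation:
            for sg in instance:
                ids.add(sg["GroupId"])
    return ids


def missing_sgs(install_config: Dict[str, Any], role: str, describe_output: str) -> List[str]:
    """Expected additional security groups that are NOT attached to the instance.
    An empty list means the node carries everything install-config asked for."""
    expected = expected_additional_sgs(install_config, role)
    attached = attached_sg_ids(describe_output)
    return sorted(set(expected) - attached)


if __name__ == "__main__":
    # Reproduces the report: the master is missing all three groups, the worker none.
    for role, output in (("controlPlane", MASTER_SGS_JSON), ("compute", WORKER_SGS_JSON)):
        missing = missing_sgs(INSTALL_CONFIG, role, output)
        print(f"{role}: {'OK' if not missing else 'MISSING ' + ', '.join(missing)}")
```

      On a real cluster, feed `missing_sgs` the `describe-instances` output for each instance ID listed by `oc get machines -n openshift-machine-api -o wide`, selecting the role from the machine's `machine.openshift.io/cluster-api-machine-role` label; checking the EC2 side rather than the CPMS spec is what catches this bug.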
      

            rdossant Rafael Fonseca dos Santos
            openshift-crt-jira-prow OpenShift Prow Bot
            Gaoyun Pei Gaoyun Pei