Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-23511

CPO needs to filter out IAM Role paths when modifying the allowed principals of a VPC Endpoint Service

    XMLWordPrintable

Details

    • Moderate
    • No
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, the control Plane Operator (CPO) failed to update the VPC endpoint service when an IAM role path ARN was provided as the additional allowed principal: `arn:aws:iam::${ACCOUNT_ID}:role/${PATH}/name` With this update, The CPO updates the VPC endpoint service with the `arn:aws:iam::${ACCOUNT_ID}:role/${PATH}/name` allowed principal successfully. (link:https://issues.redhat.com/browse/OCPBUGS-23511[*OCPBUGS-23511*])

      Show
      * Previously, the control Plane Operator (CPO) failed to update the VPC endpoint service when an IAM role path ARN was provided as the additional allowed principal: `arn:aws:iam::${ACCOUNT_ID}:role/${PATH}/name` With this update, The CPO updates the VPC endpoint service with the `arn:aws:iam::${ACCOUNT_ID}:role/${PATH}/name` allowed principal successfully. (link: https://issues.redhat.com/browse/OCPBUGS-23511 [* OCPBUGS-23511 *])
    • Bug Fix
    • Done

    Description

      Description of problem:

      When creating an IAM role with a "path" (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names) its "principal" when applied to trust policies or VPC Endpoint Service allowed principals confusingly does not include the path. That is, for the folowing rolesRef on a hostedcluster:

      spec:
  platform:
    aws:
      rolesRef:
        controlPlaneOperatorARN: arn:aws:iam::765374464689:role/adecorte/ad-int-path1-y4y2-kube-system-control-plane-operator
        imageRegistryARN: arn:aws:iam::765374464689:role/adecorte/ad-int-path1-y4y2-openshift-image-registry-installer-cloud-crede
        ingressARN: arn:aws:iam::765374464689:role/adecorte/ad-int-path1-y4y2-openshift-ingress-operator-cloud-credentials
        kubeCloudControllerARN: arn:aws:iam::765374464689:role/adecorte/ad-int-path1-y4y2-kube-system-kube-controller-manager
        networkARN: arn:aws:iam::765374464689:role/adecorte/ad-int-path1-y4y2-openshift-cloud-network-config-controller-clou
        nodePoolManagementARN: arn:aws:iam::765374464689:role/adecorte/ad-int-path1-y4y2-kube-system-capa-controller-manager
        storageARN: arn:aws:iam::765374464689:role/adecorte/ad-int-path1-y4y2-openshift-cluster-csi-drivers-ebs-cloud-creden

      The actual valid principal that should be added to the VPC Endpoint Service's allowed principals is: 

      arn:aws:iam::765374464689:role/ad-int-path1-y4y2-kube-system-control-plane-operator

      instead of

      arn:aws:iam::765374464689:role/adecorte/ad-int-path1-y4y2-kube-system-control-plane-operator

      However, for all other cases, the full ARN including the path should be used, e.g. https://github.com/openshift/hypershift/blob/082e880d0a492a357663d620fa58314a4a477730/hypershift-operator/controllers/hostedcluster/internal/platform/aws/aws.go#L237-L273

      Version-Release number of selected component (if applicable):

      4.14.1

      How reproducible:

      100%

      Steps to Reproduce:

      ROSA HCP-specific steps:
      1. rosa create account-roles --path /anything/ -m auto -y
2. rosa create cluster --hosted-cp
3. ...etc
4a. Observe on the hosted cluster AWS Account that the VPC Endpoint cannot be created with the error: 'failed to create vpc endpoint: InvalidServiceName'
4b. Observe on the management cluster that CPO is failing to update the VPC Endpoint Service's allowed principals with the error: Client.InvalidPrincipal
5. If the contents of .spec.platform.aws.rolesRef.controlPlaneOperatorARN are manually applied to the additional allowed principals with the path component removed, then the problems are largely fixed on the hosted cluster side. VPC Endpoint is created, worker nodes can spin up, etc.

      Actual results:

      The VPC Endpoint Service is attempting and failing to get this applied to its additional allowed principals:

arn:aws:iam::${ACCOUNT_ID}:role/path/name

      Expected results:

      The VPC Endpoint Service gets this applied to its additional allowed principals:

arn:aws:iam::${ACCOUNT_ID}:role/name

      Additional info:

       

      Attachments

        Issue Links

          blocks

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-27237 CPO needs to filter out IAM Role paths when modifying the allowed principals of a VPC Endpoint Service

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-27237 CPO needs to filter out IAM Role paths when modifying the allowed principals of a VPC Endpoint Service

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          links to

          GitHub openshift/hypershift#3215: OCPBUGS-23511: Remove IAM path when applying control-plane-operator ARN to VPC Endpoint Service allowed principals

          Web Link RHSA-2023:7198 OpenShift Container Platform 4.15 security update

          mentioned on

          GitLab Merge request - Bump HO to v0.1.17 in Production - remaining sectors

          GitLab Merge request - Bump HO version to v0.1.17 in 2 prod sectors.

          GitLab Merge request - Bump IBM integration to our latest prod image.

          GitLab Merge request - OCM-4958 | feat: add a preflight for roles with path for HCP

          Activity

            People

              mshen.openshift Michael Shen
              mshen.openshift Michael Shen
              Ying Zhang Ying Zhang
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: