OpenShift Bugs: OCPBUGS-29027

The static list of passthrough permissions against which the secret annotator controller checks is outdated - AWS


      Description of problem:

      When the CCO is in the default mode, the secret annotator checks whether the root credential is good enough for mint mode. If not, it then checks whether the credential is sufficient for passthrough mode against a static list of permissions that are required for this mode.
      
      The aforementioned list of permissions is outdated. For example, the permissions specified in credentialsrequest/openshift-ingress (for AWS) i.e.,
      apiVersion: cloudcredential.openshift.io/v1
      kind: CredentialsRequest
      ...
      spec:
        providerSpec:
          apiVersion: cloudcredential.openshift.io/v1
          kind: AWSProviderSpec
          statementEntries:
          - action:
            - elasticloadbalancing:DescribeLoadBalancers
            - route53:ListHostedZones
            - route53:ListTagsForResources
            - route53:ChangeResourceRecordSets
            - tag:GetResources
            - sts:AssumeRole
            effect: Allow
            resource: '*'
        secretRef:
          name: cloud-credentials
          namespace: openshift-ingress-operator
        serviceAccountNames:
        - ingress-operator 
      
      is different from the ones specified in the static list of permissions in CCO's code i.e.,
      // openshift-ingress
      "elasticloadbalancing:DescribeLoadBalancers",
      "route53:ListHostedZones",
      "route53:ChangeResourceRecordSets",
      "tag:GetResources"
      see https://github.com/openshift/cloud-credential-operator/blob/5b3a050cfae7d53a7735093e61939cb119b101c6/pkg/aws/utils.go#L40-L44
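      The following Go program is an added illustration of the drift described above; it is not CCO code and does not call the cloud API. It embeds the two action lists quoted in this report, computes which actions the static passthrough list lacks relative to the openshift-ingress CredentialsRequest, and then runs the annotator-style sufficiency check twice against a constructed root credential that has been granted exactly the static list: once against the static list (which passes) and once against the actions the CredentialsRequest actually declares (which fails). The function names, the `PassthroughVerdict` type and the constructed granted set are assumptions made for the example; the real controller obtains the granted permissions from the provider.

```go
package main

import (
	"fmt"
	"sort"
)

// Static passthrough list for openshift-ingress as quoted from pkg/aws/utils.go
// in this report.
var staticPassthroughIngress = []string{
	"elasticloadbalancing:DescribeLoadBalancers",
	"route53:ListHostedZones",
	"route53:ChangeResourceRecordSets",
	"tag:GetResources",
}

// Actions declared by the openshift-ingress CredentialsRequest quoted in this report.
var credentialsRequestIngress = []string{
	"elasticloadbalancing:DescribeLoadBalancers",
	"route53:ListHostedZones",
	"route53:ListTagsForResources",
	"route53:ChangeResourceRecordSets",
	"tag:GetResources",
	"sts:AssumeRole",
}

// toSet builds a lookup set from a list of IAM actions.
func toSet(actions []string) map[string]struct{} {
	s := make(map[string]struct{}, len(actions))
	for _, a := range actions {
		s[a] = struct{}{}
	}
	return s
}

// Missing returns, sorted, every action in required that granted does not
// contain. Both checks below reduce to this comparison.
func Missing(granted, required []string) []string {
	have := toSet(granted)
	var out []string
	for _, a := range required {
		if _, ok := have[a]; !ok {
			out = append(out, a)
		}
	}
	sort.Strings(out)
	return out
}

// StaticListDrift reports the actions a CredentialsRequest declares that the
// static passthrough list lacks. A non-empty result means the annotator can
// mark a root credential as passthrough-capable without those actions ever
// having been checked. (Hypothetical helper, not part of CCO.)
func StaticListDrift(static, required []string) []string {
	return Missing(static, required)
}

// PassthroughVerdict models the annotator's decision for one root credential.
type PassthroughVerdict struct {
	PassesStaticCheck  bool     // what the controller concludes from the static list
	MissingForActualCR []string // what the operator would actually be denied at runtime
}

// EvaluateRootCredential runs the sufficiency check against the static list
// and against the CredentialsRequest's real actions. granted is a constructed
// stand-in for the permissions the cloud provider would report.
func EvaluateRootCredential(granted, static, required []string) PassthroughVerdict {
	return PassthroughVerdict{
		PassesStaticCheck:  len(Missing(granted, static)) == 0,
		MissingForActualCR: Missing(granted, required),
	}
}

func main() {
	fmt.Println("static list lacks:", StaticListDrift(staticPassthroughIngress, credentialsRequestIngress))
	// Constructed root credential granted exactly the static list and nothing more.
	v := EvaluateRootCredential(staticPassthroughIngress, staticPassthroughIngress, credentialsRequestIngress)
	fmt.Printf("passes static check: %v, denied for real CR: %v\n", v.PassesStaticCheck, v.MissingForActualCR)
}
```

      Run stand-alone, the program reports that the static list lacks route53:ListTagsForResources and sts:AssumeRole, and that a credential granted only the static list passes the annotator's check while still being short those two actions for the ingress operator. A test of this shape, run over every CredentialsRequest a release ships, would catch the static list going stale before a cluster does.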

      Additional info:

      This issue is found for AWS and GCP. 

            fxierh Feilian Xie
            Jianping Shu