OpenShift Bugs: OCPBUGS-35309

4.16 bootstrap AWS S3 bucket fails to be created with s3 bucket policy


      Description of problem:

      
      Installation of 4.16 fails with an AWS AccessDenied error when trying to attach a bootstrap S3 bucket policy.
      
      

      Version-Release number of selected component (if applicable):

      
      4.16+
      
      

      How reproducible:

      
      Every time
      
      

      Steps to Reproduce:

      1. Create an installer policy with the permissions listed in the installer [here|https://github.com/openshift/installer/blob/master/pkg/asset/installconfig/aws/permissions.go]
      2. Run an install in AWS IPI
      
      

      Actual results:

      
      Install fails while attempting to attach a policy to the bootstrap S3 bucket.
      
      {code:none}
      time="2024-06-11T14:58:15Z" level=debug msg="I0611 14:58:15.485718     132 s3.go:256] \"Created bucket\" controller=\"awscluster\" controllerGroup=\"infrastructure.cluster.x-k8s.io\" controllerKind=\"AWSCluster\" AWSCluster=\"openshift-cluster-api-guests/jamesh-sts-8tl72\" namespace=\"openshift-cluster-api-guests\" name=\"jamesh-sts-8tl72\" reconcileID=\"c390f027-a2ee-4d37-9e5d-b6a11882c46b\" cluster=\"openshift-cluster-api-guests/jamesh-sts-8tl72\" bucket_name=\"openshift-bootstrap-data-jamesh-sts-8tl72\""
      time="2024-06-11T14:58:15Z" level=debug msg="E0611 14:58:15.643613     132 controller.go:329] \"Reconciler error\" err=<"
      time="2024-06-11T14:58:15Z" level=debug msg="\tfailed to reconcile S3 Bucket for AWSCluster openshift-cluster-api-guests/jamesh-sts-8tl72: ensuring bucket policy: creating S3 bucket policy: AccessDenied: Access Denied"
      {code}

      Expected results:
      
      Install completes successfully
      
      

      Additional info:

      
      The installer did not attach an S3 bootstrap bucket policy in the past, as far as I can tell ([here|https://github.com/openshift/installer/blob/release-4.15/data/data/aws/cluster/main.tf#L133-L148]); this new permission is required because of new functionality.
      
      CAPA is placing a policy that denies non-SSL (unencrypted) traffic to the bucket, which shouldn't have an effect on installs. Adding the IAM permission that allows the bucket policy to be attached results in a successful install.
      
      S3 bootstrap bucket policy (as attached by CAPA):
      
      
      {code:json}
      {
          "Statement": [
              {
                  "Sid": "ForceSSLOnlyAccess",
                  "Principal": {
                      "AWS": [
                          "*"
                      ]
                  },
                  "Effect": "Deny",
                  "Action": [
                      "s3:*"
                  ],
                  "Resource": [
                      "arn:aws:s3:::openshift-bootstrap-data-jamesh-sts-2r5f7/*"
                  ],
                  "Condition": {
                      "Bool": {
                          "aws:SecureTransport": false
                      }
                  }
              }
          ]
      }
      {code}
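Added example, not code from the bug report, the installer or CAPA: a small Python preflight that checks whether an installer IAM policy grants the action needed to attach a bucket policy, and evaluates the ForceSSLOnlyAccess statement above against a sample request to show that it only rejects non-TLS traffic. The policy documents, the bucket name and the choice of `s3:PutBucketPolicy` as the missing permission are assumptions for illustration; the report itself does not name the permission.

```python
import fnmatch
import json

# Constructed sample: the ForceSSLOnlyAccess statement CAPA attaches, wrapped into a
# complete bucket policy document (the bucket name is a placeholder, not the reporter's).
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ForceSSLOnlyAccess",
    "Principal": {"AWS": ["*"]},
    "Effect": "Deny",
    "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::openshift-bootstrap-data-EXAMPLE/*"],
    "Condition": {"Bool": {"aws:SecureTransport": false}}
  }]
}""")

# Constructed, heavily trimmed installer IAM policies: without and with the assumed permission.
INSTALLER_POLICY_OLD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:CreateBucket", "s3:PutObject"], "Resource": "*"}]}
INSTALLER_POLICY_NEW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:CreateBucket", "s3:PutObject", "s3:PutBucketPolicy"]}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(value, patterns):
    # IAM treats '*' and '?' as wildcards; action names are matched case-insensitively.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def denied_by_bucket_policy(policy, action, resource, secure_transport):
    """True if a Deny statement matches the request; plain-HTTP requests have aws:SecureTransport false."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Deny" or not _match(action, st["Action"]):
            continue
        if not _match(resource, st["Resource"]):
            continue
        cond = st.get("Condition", {}).get("Bool", {})
        if "aws:SecureTransport" not in cond:
            return True  # unconditional deny
        if str(cond["aws:SecureTransport"]).lower() == str(secure_transport).lower():
            return True
    return False

def grants_action(iam_policy, action):
    """Preflight check: does some Allow statement cover the given action (wildcards honoured)?"""
    return any(st.get("Effect") == "Allow" and _match(action, st["Action"])
               for st in iam_policy["Statement"])
```

Running `grants_action(INSTALLER_POLICY_OLD, "s3:PutBucketPolicy")` before an install reproduces the report's failure condition as a preflight result instead of an AccessDenied half-way through bootstrap.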
      
      
      

            jaharrin James Harrington
            Yunfei Jiang Yunfei Jiang