- Bug
- Resolution: Done-Errata
- Undefined
- 4.16, 4.17
- None
This is a clone of issue OCPBUGS-35309. The following is the description of the original issue:
—
Description of problem:
Installation of 4.16 fails with an AWS AccessDenied error trying to attach a bootstrap S3 bucket policy.
Version-Release number of selected component (if applicable):
4.16+
How reproducible:
Every time
Steps to Reproduce:
1. Create an installer policy with the permissions listed in the installer [here|https://github.com/openshift/installer/blob/master/pkg/asset/installconfig/aws/permissions.go]
2. Run an install in AWS IPI
Actual results:
Install fails attempting to attach a policy to the bootstrap S3 bucket:
{code:java}
time="2024-06-11T14:58:15Z" level=debug msg="I0611 14:58:15.485718 132 s3.go:256] \"Created bucket\" controller=\"awscluster\" controllerGroup=\"infrastructure.cluster.x-k8s.io\" controllerKind=\"AWSCluster\" AWSCluster=\"openshift-cluster-api-guests/jamesh-sts-8tl72\" namespace=\"openshift-cluster-api-guests\" name=\"jamesh-sts-8tl72\" reconcileID=\"c390f027-a2ee-4d37-9e5d-b6a11882c46b\" cluster=\"openshift-cluster-api-guests/jamesh-sts-8tl72\" bucket_name=\"openshift-bootstrap-data-jamesh-sts-8tl72\""
time="2024-06-11T14:58:15Z" level=debug msg="E0611 14:58:15.643613 132 controller.go:329] \"Reconciler error\" err=<"
time="2024-06-11T14:58:15Z" level=debug msg="\tfailed to reconcile S3 Bucket for AWSCluster openshift-cluster-api-guests/jamesh-sts-8tl72: ensuring bucket policy: creating S3 bucket policy: AccessDenied: Access Denied"
{code}
Expected results:
Install completes successfully
Additional info:
The installer did not attach an S3 bootstrap bucket policy in the past as far as I can tell [here|https://github.com/openshift/installer/blob/release-4.15/data/data/aws/cluster/main.tf#L133-L148]; this new permission is required because of new functionality. CAPA is placing a policy that denies non-SSL-encrypted traffic to the bucket, which shouldn't have an effect on installs. Adding the IAM policy to allow the bucket policy to be added results in a successful install. S3 bootstrap bucket policy:
{code:java}
{
  "Statement": [
    {
      "Sid": "ForceSSLOnlyAccess",
      "Principal": {
        "AWS": [
          "*"
        ]
      },
      "Effect": "Deny",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::openshift-bootstrap-data-jamesh-sts-2r5f7/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": false
        }
      }
    }
  ]
}
{code}
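Both halves of this report, the identity-policy permission that the reproduction steps omit and the ForceSSLOnlyAccess bucket policy in the additional info, can be checked offline with a small policy evaluator. The following is an added example and is not code from the OpenShift installer or CAPA. The installer-style identity policies and the bucket name are constructed samples; the only fact assumed beyond the page is that S3's PutBucketPolicy call is authorised by the s3:PutBucketPolicy action.

```python
"""Offline IAM policy evaluator, added to illustrate this report.

Not code from the OpenShift installer or CAPA. Models only what the report
touches: Allow/Deny, wildcard Action/Resource matching, deny-override, and a
Bool condition on aws:SecureTransport. Principals, NotAction, SCPs and other
condition operators are ignored.
"""
import fnmatch
from typing import Iterable

# Constructed sample of an installer-style identity policy that lacks
# s3:PutBucketPolicy, the action the PutBucketPolicy API call checks.
INSTALLER_POLICY_OLD = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:CreateBucket", "s3:DeleteBucket", "s3:GetObject",
                   "s3:PutObject", "s3:PutBucketTagging"],
        "Resource": "*",
    }],
}

# Constructed sample: the same policy with the missing action granted, scoped
# to the bootstrap bucket name prefix seen in the report's log lines.
INSTALLER_POLICY_FIXED = {
    "Version": "2012-10-17",
    "Statement": INSTALLER_POLICY_OLD["Statement"] + [{
        "Effect": "Allow",
        "Action": "s3:PutBucketPolicy",
        "Resource": "arn:aws:s3:::openshift-bootstrap-data-*",
    }],
}

# The ForceSSLOnlyAccess bucket policy quoted in the report; the bucket name
# is a constructed placeholder.
BUCKET = "arn:aws:s3:::openshift-bootstrap-data-example"
BOOTSTRAP_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ForceSSLOnlyAccess",
        "Principal": {"AWS": ["*"]},
        "Effect": "Deny",
        "Action": ["s3:*"],
        "Resource": [BUCKET + "/*"],
        "Condition": {"Bool": {"aws:SecureTransport": False}},
    }],
}

def _as_list(value) -> list:
    """Action and Resource may be a string or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _matches(patterns: Iterable[str], candidate: str) -> bool:
    """IAM-style wildcard match ('*' and '?'); case-insensitive for simplicity."""
    c = candidate.lower()
    return any(fnmatch.fnmatchcase(c, p.lower()) for p in patterns)

def _bool_condition_holds(statement: dict, context: dict) -> bool:
    """Only the Bool operator is modelled; no Condition means it always applies."""
    for key, wanted in statement.get("Condition", {}).get("Bool", {}).items():
        actual = context.get(key)
        # IAM compares string forms "true"/"false"; a missing key fails the test.
        if actual is None or str(actual).lower() != str(wanted).lower():
            return False
    return True

def evaluate(policies: Iterable[dict], action: str, resource: str,
             context: dict) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny'; an explicit Deny always wins."""
    decision = "ImplicitDeny"
    for policy in policies:
        for st in policy.get("Statement", []):
            if (_matches(_as_list(st.get("Action")), action)
                    and _matches(_as_list(st.get("Resource")), resource)
                    and _bool_condition_holds(st, context)):
                if st["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision

def put_bucket_policy_decision(identity_policy: dict) -> str:
    """Outcome of the call CAPA makes when it attaches the bucket policy."""
    return evaluate([identity_policy], "s3:PutBucketPolicy", BUCKET,
                    {"aws:SecureTransport": True})

def get_object_decision(secure_transport: bool) -> str:
    """Reading bootstrap data under the fixed identity policy plus the bucket
    policy: the Deny fires only when the request is not over TLS."""
    return evaluate([INSTALLER_POLICY_FIXED, BOOTSTRAP_BUCKET_POLICY],
                    "s3:GetObject", BUCKET + "/bootstrap.ign",
                    {"aws:SecureTransport": secure_transport})

if __name__ == "__main__":
    print("old policy:", put_bucket_policy_decision(INSTALLER_POLICY_OLD))
    print("fixed policy:", put_bucket_policy_decision(INSTALLER_POLICY_FIXED))
    print("GetObject TLS/plain:", get_object_decision(True), get_object_decision(False))
```

Run stand-alone it reports ImplicitDeny for the old identity policy (the AccessDenied in the log above) and Allow once s3:PutBucketPolicy is granted on the bootstrap bucket, and it shows that the ForceSSLOnlyAccess statement only denies a request whose aws:SecureTransport key is false, which is why an installer talking to S3 over TLS is unaffected once the policy is in place.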
- clones
  - OCPBUGS-35309 4.16 bootstrap AWS S3 bucket fails to be created with s3 bucket policy (Closed)
- is blocked by
  - OCPBUGS-35309 4.16 bootstrap AWS S3 bucket fails to be created with s3 bucket policy (Closed)
- links to
  - RHEA-2024:0041 OpenShift Container Platform 4.16.z bug fix update