OCPBUGS-46360 (OpenShift Bugs)

[aws] missing ec2:AllocateAddress permission when Ipv4Pool is enabled

      Previously, the permissions ec2:AllocateAddress and ec2:AssociateAddress were not verified when the PublicIpv4Pool feature was used, which resulted in permission failures during the installation. With this release, the required permissions are validated before the cluster is installed.
      ====
      What: the permissions `ec2:AllocateAddress` and `ec2:AssociateAddress` were not being checked when the PublicIpv4Pool feature is used, possibly resulting in permission failures during installation.
      Fix: The needed permissions are now validated before the cluster install.
    • Bug Fix
    • In Progress

      This is a clone of issue OCPBUGS-45711. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-44925. The following is the description of the original issue:

      Description of problem:

          When using PublicIPv4Pool, CAPA will try to allocate an IP address from the supplied pool, which requires the `ec2:AllocateAddress` permission.

      Version-Release number of selected component (if applicable):

          4.16+

      How reproducible:

          always

      Steps to Reproduce:

          1. Minimal permissions and publicIpv4Pool set

      Actual results:

          time="2024-11-21T05:39:49Z" level=debug msg="E1121 05:39:49.352606     327 awscluster_controller.go:279] \"failed to reconcile load balancer\" err=<"
      time="2024-11-21T05:39:49Z" level=debug msg="\tfailed to allocate addresses to load balancer: failed to allocate address from Public IPv4 Pool \"ipv4pool-ec2-0768267342e327ea9\" to role lb-apiserver: failed to allocate Elastic IP for \"lb-apiserver\": UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::460538899914:user/ci-op-2cr41ill-663fd-minimal-perm is not authorized to perform: ec2:AllocateAddress on resource: arn:aws:ec2:us-east-1:460538899914:ipv4pool-ec2/ipv4pool-ec2-0768267342e327ea9 because no identity-based policy allows the ec2:AllocateAddress action. Encoded authorization failure message: Iy1gCtvfPxZ2uqo-SHei1yJQvNwaOBl5F_8BnfeEYCLMczeDJDdS4fZ_AesPLdEQgK7ahuOffqIr--PWphjOUbL2BXKZSBFhn3iN9tZrDCnQQPKZxf9WaQmSkoGNWKNUGn6rvEZS5KvlHV5vf5mCz5Bk2lk3w-O6bfHK0q_dphLpJjU-sTGvB6bWAinukxSYZ3xbirOzxfkRfCFdr7nDfX8G4uD4ncA7_D-XriDvaIyvevWSnus5AI5RIlrCuFGsr1_3yEvrC_AsLENZHyE13fA83F5-Abpm6-jwKQ5vvK1WuD3sqpT5gfTxccEqkqqZycQl6nsxSDP2vDqFyFGKLAmPne8RBRbEV-TOdDJphaJtesf6mMPtyMquBKI769GW9zTYE7nQzSYUoiBOafxz6K1FiYFoc1y6v6YoosxT8bcSFT3gWZWNh2upRJtagRI_9IRyj7MpyiXJfcqQXZzXkAfqV4nsJP8wRXS2vWvtjOm0i7C82P0ys3RVkQVcSByTW6yFyxh8Scoy0HA4hTYKFrCAWA1N0SROJsS1sbfctpykdCntmp9M_gd7YkSN882Fy5FanA"
      time="2024-11-21T05:39:49Z" level=debug msg="\t\tstatus code: 403, request id: 27752e3c-596e-43f7-8044-72246dbca486"

      Expected results:

          

      Additional info:

      Seems to happen consistently with shared-vpc-edge-zones CI job: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_installer/9230/pull-ci-openshift-installer-master-e2e-aws-ovn-shared-vpc-edge-zones/1860015198224519168    
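As an added example (not code from the installer, CAPA or this report), the following Go program sketches the check the fix describes: compute the IAM actions an install needs, adding `ec2:AllocateAddress` and `ec2:AssociateAddress` only when a public IPv4 pool is configured, compare them against the actions the install identity has actually been granted, and refuse to proceed on a shortfall. It also pulls the denied action out of an `UnauthorizedOperation` message of the kind shown in the log above, which is how the gap surfaces when the check is missing. The `InstallConfig` type, the `basePermissions` list and the function names are assumptions made for this example; the installer's real permission list is far longer and its configuration types differ.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// InstallConfig is a hypothetical subset of the AWS platform settings; it is
// not the installer's own type.
type InstallConfig struct {
	PublicIpv4Pool string // AWS public IPv4 pool ID; empty when the feature is unused
}

// basePermissions is a constructed, deliberately short set of actions every
// install needs. The real installer's list is much longer.
var basePermissions = []string{
	"ec2:DescribeInstances",
	"ec2:DescribeVpcs",
	"ec2:RunInstances",
}

// RequiredPermissions returns the IAM actions an install with this
// configuration needs. The two Elastic IP actions are added only when a public
// IPv4 pool is set, because that is when addresses are allocated from the pool
// and attached to the API load balancer.
func RequiredPermissions(cfg InstallConfig) []string {
	perms := append([]string{}, basePermissions...)
	if cfg.PublicIpv4Pool != "" {
		perms = append(perms, "ec2:AllocateAddress", "ec2:AssociateAddress")
	}
	sort.Strings(perms)
	return perms
}

// MissingPermissions returns the required actions absent from the granted set,
// in required order. An empty result means the pre-install check passes.
func MissingPermissions(required, granted []string) []string {
	have := make(map[string]bool, len(granted))
	for _, g := range granted {
		have[g] = true
	}
	var missing []string
	for _, r := range required {
		if !have[r] {
			missing = append(missing, r)
		}
	}
	return missing
}

// unauthorizedRe matches the action named in an AWS UnauthorizedOperation
// message of the shape seen in the report's log output.
var unauthorizedRe = regexp.MustCompile(`is not authorized to perform: ([A-Za-z0-9-]+:[A-Za-z0-9]+)`)

// DeniedAction extracts the denied IAM action from an AWS error message, or
// returns "" when the message does not name one.
func DeniedAction(msg string) string {
	m := unauthorizedRe.FindStringSubmatch(msg)
	if m == nil {
		return ""
	}
	return m[1]
}

func main() {
	// Constructed scenario: a minimal-permission identity plus publicIpv4Pool set.
	cfg := InstallConfig{PublicIpv4Pool: "ipv4pool-ec2-0768267342e327ea9"}
	if missing := MissingPermissions(RequiredPermissions(cfg), basePermissions); len(missing) > 0 {
		fmt.Printf("refusing to install: missing permissions %v\n", missing)
	}

	// Constructed error text modelled on the log line in the report.
	msg := "UnauthorizedOperation: You are not authorized to perform this operation. " +
		"User: arn:aws:iam::123456789012:user/example is not authorized to perform: " +
		"ec2:AllocateAddress on resource: arn:aws:ec2:us-east-1:123456789012:ipv4pool-ec2/ipv4pool-ec2-0768267342e327ea9"
	fmt.Println("denied action:", DeniedAction(msg))
}
```

Running the check before any AWS call is made is the point of the fix: the failing action is reported up front instead of mid-reconcile, after other resources have already been created.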

              rdossant Rafael Fonseca dos Santos
              openshift-crt-jira-prow OpenShift Prow Bot
              Yunfei Jiang Yunfei Jiang