
[aws] missing ec2:AllocateAddress permission when Ipv4Pool is enabled

      Previously, the permissions ec2:AllocateAddress and ec2:AssociateAddress were not verified when the PublicIpv4Pool feature was used, which resulted in permission failures during the installation. With this release, the required permissions are validated before the cluster is installed.
      ====
      What: the permissions `ec2:AllocateAddress` and `ec2:AssociateAddress` were not being checked when the PublicIpv4Pool feature is used, possibly resulting in permission failures during installation.
      Fix: The needed permissions are now validated before the cluster install.
    • Bug Fix
    • In Progress

      This is a clone of issue OCPBUGS-45711. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-44925. The following is the description of the original issue:

      Description of problem:

          When using PublicIPv4Pool, CAPA will try to allocate an IP address from the supplied pool, which requires the `ec2:AllocateAddress` permission

      Version-Release number of selected component (if applicable):

          4.16+

      How reproducible:

          always

      Steps to Reproduce:

          1. Minimal permissions and publicIpv4Pool set

      Actual results:

          time="2024-11-21T05:39:49Z" level=debug msg="E1121 05:39:49.352606     327 awscluster_controller.go:279] \"failed to reconcile load balancer\" err=<"
          time="2024-11-21T05:39:49Z" level=debug msg="\tfailed to allocate addresses to load balancer: failed to allocate address from Public IPv4 Pool \"ipv4pool-ec2-0768267342e327ea9\" to role lb-apiserver: failed to allocate Elastic IP for \"lb-apiserver\": UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::460538899914:user/ci-op-2cr41ill-663fd-minimal-perm is not authorized to perform: ec2:AllocateAddress on resource: arn:aws:ec2:us-east-1:460538899914:ipv4pool-ec2/ipv4pool-ec2-0768267342e327ea9 because no identity-based policy allows the ec2:AllocateAddress action. Encoded authorization failure message: Iy1gCtvfPxZ2uqo-SHei1yJQvNwaOBl5F_8BnfeEYCLMczeDJDdS4fZ_AesPLdEQgK7ahuOffqIr--PWphjOUbL2BXKZSBFhn3iN9tZrDCnQQPKZxf9WaQmSkoGNWKNUGn6rvEZS5KvlHV5vf5mCz5Bk2lk3w-O6bfHK0q_dphLpJjU-sTGvB6bWAinukxSYZ3xbirOzxfkRfCFdr7nDfX8G4uD4ncA7_D-XriDvaIyvevWSnus5AI5RIlrCuFGsr1_3yEvrC_AsLENZHyE13fA83F5-Abpm6-jwKQ5vvK1WuD3sqpT5gfTxccEqkqqZycQl6nsxSDP2vDqFyFGKLAmPne8RBRbEV-TOdDJphaJtesf6mMPtyMquBKI769GW9zTYE7nQzSYUoiBOafxz6K1FiYFoc1y6v6YoosxT8bcSFT3gWZWNh2upRJtagRI_9IRyj7MpyiXJfcqQXZzXkAfqV4nsJP8wRXS2vWvtjOm0i7C82P0ys3RVkQVcSByTW6yFyxh8Scoy0HA4hTYKFrCAWA1N0SROJsS1sbfctpykdCntmp9M_gd7YkSN882Fy5FanA"
          time="2024-11-21T05:39:49Z" level=debug msg="\t\tstatus code: 403, request id: 27752e3c-596e-43f7-8044-72246dbca486"

      Expected results:

          

      Additional info:

      Seems to happen consistently with shared-vpc-edge-zones CI job: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_installer/9230/pull-ci-openshift-installer-master-e2e-aws-ovn-shared-vpc-edge-zones/1860015198224519168    
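      An added illustration of the pre-flight check this fix describes (not the installer's own code): the two pool-related actions are required only when publicIpv4Pool is set, and a policy's Allow action patterns are matched IAM-style (case-insensitive, `*`/`?` wildcards) so that a minimal policy missing `ec2:AllocateAddress` is caught before install rather than at runtime. The `ec2:DescribeAddresses` baseline entry and the sample policy are constructed assumptions.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// RequiredActions lists the IAM actions a pre-flight check must find in the
// installer's policy. ec2:DescribeAddresses is a constructed baseline entry;
// the two pool actions from the bug are only needed when a pool is configured.
func RequiredActions(publicIpv4Pool string) []string {
	actions := []string{"ec2:DescribeAddresses"}
	if publicIpv4Pool != "" {
		actions = append(actions, "ec2:AllocateAddress", "ec2:AssociateAddress")
	}
	return actions
}

// allowed reports whether one IAM Allow action pattern (e.g. "ec2:*" or
// "ec2:Allocate*") covers action. IAM matches case-insensitively with '*' and
// '?' wildcards; path.Match is sufficient because action names contain no '/'.
func allowed(pattern, action string) bool {
	ok, err := path.Match(strings.ToLower(pattern), strings.ToLower(action))
	return err == nil && ok
}

// MissingActions returns the required actions that no Allow pattern grants,
// i.e. what the installer would otherwise fail on mid-install with a 403.
func MissingActions(publicIpv4Pool string, allowPatterns []string) []string {
	var missing []string
	for _, action := range RequiredActions(publicIpv4Pool) {
		covered := false
		for _, p := range allowPatterns {
			if allowed(p, action) {
				covered = true
				break
			}
		}
		if !covered {
			missing = append(missing, action)
		}
	}
	return missing
}

func main() {
	policy := []string{"ec2:Describe*", "ec2:AssociateAddress"} // constructed minimal policy
	fmt.Println("missing:", MissingActions("ipv4pool-ec2-0768267342e327ea9", policy))
}
```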


            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (OpenShift Container Platform 4.17.11 bug fix update), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHBA-2025:0023


            Yunfei Jiang added a comment -

            verified on 4.17.0-0.nightly-2024-12-20-050618

              rdossant Rafael Fonseca dos Santos
              openshift-crt-jira-prow OpenShift Prow Bot
              Yunfei Jiang Yunfei Jiang