OpenShift Bugs: OCPBUGS-4827

Ingress Controller is missing a required AWS resource permission for SC2S region us-isob-east-1

Details

    • Moderate
    • Sprint 229, Sprint 230, Sprint 231
    • 2
    • Rejected

    Description

      Description of problem:

      Ingress Controller is missing a required AWS resource permission for SC2S region us-isob-east-1
      
      During an OpenShift 4 installation in SC2S region us-isob-east-1, the ingress operator degrades because the "openshift-ingress" CredentialsRequest is missing the "route53:ListTagsForResources" permission. The customer proactively raised a PR for this:
      --> https://github.com/openshift/cluster-ingress-operator/pull/868
      
      The code disables part of the logic for C2S isolated regions here: https://github.com/openshift/cluster-ingress-operator/blob/d9d1a2b44cc7955a18fbedfdc973daddba67bccd/pkg/dns/aws/dns.go#L167-L168
      Because tagConfig is not set there, the m.tags field ends up nil: https://github.com/openshift/cluster-ingress-operator/blob/d9d1a2b44cc7955a18fbedfdc973daddba67bccd/pkg/dns/aws/dns.go#L212-L222
      That in turn drives the logic in the getZoneID method to use either lookupZoneID or lookupZoneIDWithoutResourceTagging: https://github.com/openshift/cluster-ingress-operator/blob/d9d1a2b44cc7955a18fbedfdc973daddba67bccd/pkg/dns/aws/dns.go#L280-L284
      BLAB: the lookupZoneIDWithoutResourceTagging method is only ever called for regions in the endpoints.AwsIsoPartitionID and endpoints.AwsIsoBPartitionID partitions.

      Version-Release number of selected component (if applicable):

       

      How reproducible:

      Every time

      Steps to Reproduce:

      1. Create an IPI cluster in SC2S region us-isob-east-1.

      Actual results:

      The ingress operator degrades due to the missing "route53:ListTagsForResources" permission, with the following error:
      ~~~
      The DNS provider failed to ensure the record: failed to find hosted zone for record: failed to get tagged resources: AccessDenied: User ....... rye... is not authorized to perform: route53:ListTagsForResources on resource.... hostedzone/.. because no identify based policy allows the route53:ListTagsForResources
      ~~~
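      The following Go program is an added illustration and is not code from cluster-ingress-operator. It models the dispatch the description gives (a nil tag configuration selects the untagged lookup, a configured one selects the tag-based lookup), checks the IAM actions a CredentialsRequest grants against what the selected path needs, so the gap surfaces at install review time instead of as a degraded operator, and extracts the denied action from an AccessDenied message of the shape quoted above. The function names mirror the description; the required-action lists, the tag map, the granted actions and the log line are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// ZoneLookup names the two hosted-zone lookup paths the report describes.
type ZoneLookup string

const (
	LookupByTags      ZoneLookup = "lookupZoneID"
	LookupWithoutTags ZoneLookup = "lookupZoneIDWithoutResourceTagging"
)

// requiredActions is an assumed, minimal map of the IAM actions each path
// needs. The tag-based path reads hosted-zone tags, which is what
// route53:ListTagsForResources authorizes; the untagged path does not.
var requiredActions = map[ZoneLookup][]string{
	LookupByTags:      {"route53:ListHostedZones", "route53:ListTagsForResources"},
	LookupWithoutTags: {"route53:ListHostedZones"},
}

// chooseLookup models the dispatch in getZoneID as the report describes it:
// a nil tag configuration (m.tags == nil, left unset for the isolated
// partitions) selects the untagged lookup, configured tags select the
// tag-based lookup.
func chooseLookup(tags map[string]string) ZoneLookup {
	if tags == nil {
		return LookupWithoutTags
	}
	return LookupByTags
}

// missingActions returns, sorted, the actions the chosen path needs that the
// CredentialsRequest does not grant. An empty result means the path can run.
func missingActions(lookup ZoneLookup, granted []string) []string {
	have := make(map[string]bool, len(granted))
	for _, a := range granted {
		have[a] = true
	}
	missing := []string{}
	for _, a := range requiredActions[lookup] {
		if !have[a] {
			missing = append(missing, a)
		}
	}
	sort.Strings(missing)
	return missing
}

// ErrAccessDenied stands in for the AccessDenied the operator reports.
var ErrAccessDenied = errors.New("AccessDenied")

// ensureZone is a pre-flight version of the lookup: it fails the way the
// operator would, but before any Route 53 call is made.
func ensureZone(tags map[string]string, granted []string) (ZoneLookup, error) {
	lookup := chooseLookup(tags)
	if missing := missingActions(lookup, granted); len(missing) > 0 {
		return lookup, fmt.Errorf("%w: %s needs %s", ErrAccessDenied, lookup, strings.Join(missing, ", "))
	}
	return lookup, nil
}

// deniedRe matches the "not authorized to perform: <service>:<Action>" phrase
// of an IAM AccessDenied message; deniedAction returns "" when absent.
var deniedRe = regexp.MustCompile(`not authorized to perform: ([A-Za-z0-9]+:[A-Za-z0-9]+)`)

func deniedAction(msg string) string {
	m := deniedRe.FindStringSubmatch(msg)
	if m == nil {
		return ""
	}
	return m[1]
}

func main() {
	// Constructed grant modelled on the bug: the tagging permission is absent.
	granted := []string{"route53:ListHostedZones", "route53:ChangeResourceRecordSets"}
	tagged := map[string]string{"kubernetes.io/cluster/example": "owned"} // constructed tag filter

	if _, err := ensureZone(tagged, granted); err != nil {
		fmt.Println("tagged lookup:", err)
	}
	if lookup, err := ensureZone(nil, granted); err == nil {
		fmt.Println("untagged lookup:", lookup, "is allowed by this grant")
	}

	// Constructed log line in the shape the operator emitted.
	log := "AccessDenied: User arn:aws:iam::000000000000:user/example is not authorized to perform: route53:ListTagsForResources on resource: arn:aws:route53:::hostedzone/EXAMPLE"
	fmt.Println("denied action:", deniedAction(log))
}
```

      Run it with `go run`; the interesting adaptation is feeding missingActions the action list parsed from the actual CredentialsRequest manifest rather than the constructed slice in main.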

      Expected results:

      The ingress operator should be in the Available state after a new installation.

      Additional info:

       

          People

            mmasters1@redhat.com Miciah Masters
            rhn-support-aygarg Ayush Garg
            Hongan Li Hongan Li
            Votes: 0
            Watchers: 8