OCPBUGS-4827

Ingress Controller is missing a required AWS resource permission for SC2S region us-isob-east-1


Details

    • Moderate
    • 2
    • Sprint 229, Sprint 230, Sprint 231
    • 3
    • Rejected
    • False
    • Release note:

      Cause: The Ingress Operator's cloud credentials request was missing an AWS resource permission that the Operator requires in order to manage DNS records in the C2S us-iso-east-1 and SC2S us-isob-east-1 regions.

      Consequence: When OpenShift was installed in the C2S or SC2S regions, the Ingress Operator failed to publish DNS records in Route 53 and instead reported error messages similar to the following:

          The DNS provider failed to ensure the record: failed to find hosted zone for record: failed to get tagged resources: AccessDenied: User: [...] is not authorized to perform: route53:ListTagsForResources on resource: [...]

      This prevented ingress from working properly because host names for routes would not be resolvable.

      Fix: The "route53:ListTagsForResources" permission was added to the Ingress Operator's cloud credentials request.

      Result: Ingress Operator publishes DNS records in Route 53 in the C2S and SC2S regions, and ingress works properly.
    • Bug Fix

    Description

      Description of problem:

      Ingress Controller is missing a required AWS resource permission for SC2S region us-isob-east-1
      
      During an OpenShift 4 installation in SC2S region us-isob-east-1, the ingress operator degrades because the "route53:ListTagsForResources" permission is missing from the "openshift-ingress" CredentialsRequest. The customer proactively raised a PR for this:
      --> https://github.com/openshift/cluster-ingress-operator/pull/868
      
      The code disables part of the logic for C2S isolated regions here: https://github.com/openshift/cluster-ingress-operator/blob/d9d1a2b44cc7955a18fbedfdc973daddba67bccd/pkg/dns/aws/dns.go#L167-L168
      Because tagConfig is not set there, the m.tags field ends up nil: https://github.com/openshift/cluster-ingress-operator/blob/d9d1a2b44cc7955a18fbedfdc973daddba67bccd/pkg/dns/aws/dns.go#L212-L222
      This then drives the logic in the getZoneID method to use either lookupZoneID or lookupZoneIDWithoutResourceTagging: https://github.com/openshift/cluster-ingress-operator/blob/d9d1a2b44cc7955a18fbedfdc973daddba67bccd/pkg/dns/aws/dns.go#L280-L284
      Note: the lookupZoneIDWithoutResourceTagging method is only ever called for regions in the endpoints.AwsIsoPartitionID and endpoints.AwsIsoBPartitionID partitions.
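      To make the missing-permission condition checkable before an install, here is an added example (not code from the operator or the PR) that audits the Allow statements of a CredentialsRequest against the Route 53 actions the tag-based hosted-zone lookup needs. The StatementEntry shape, the RequiredDNSActions list and the before/after statements are constructed assumptions for this example, not the operator's manifest.

```go
package main

import "strings"

// StatementEntry mirrors an AWSProviderSpec statement in a CredentialsRequest
// (effect, action list, resource); assumed shape, not the CCO API type itself.
type StatementEntry struct {
	Effect   string
	Action   []string
	Resource string
}

// actionMatches reports whether a granted action covers a required one,
// honouring a trailing "*" wildcard such as "route53:List*".
func actionMatches(granted, required string) bool {
	if strings.HasSuffix(granted, "*") {
		return strings.HasPrefix(required, strings.TrimSuffix(granted, "*"))
	}
	return granted == required
}

// MissingActions returns the required actions that no Allow statement grants.
func MissingActions(entries []StatementEntry, required []string) []string {
	missing := []string{}
next:
	for _, req := range required {
		for _, e := range entries {
			if e.Effect != "Allow" {
				continue // a Deny (or any non-Allow) never satisfies a requirement
			}
			for _, a := range e.Action {
				if actionMatches(a, req) {
					continue next
				}
			}
		}
		missing = append(missing, req)
	}
	return missing
}

// Route 53 actions the tag-based hosted-zone lookup needs (constructed list).
var RequiredDNSActions = []string{
	"route53:ListHostedZones", "route53:ChangeResourceRecordSets",
	"route53:ListTagsForResources", "tag:GetResources",
}

// BeforeFix is a constructed statement lacking ListTagsForResources, as in the
// bug; AfterFix is the same statement plus the permission the fix added.
var BeforeFix = []StatementEntry{{Effect: "Allow", Resource: "*", Action: []string{
	"elasticloadbalancing:DescribeLoadBalancers", "route53:ListHostedZones",
	"route53:ChangeResourceRecordSets", "tag:GetResources"}}}
var AfterFix = []StatementEntry{{Effect: "Allow", Resource: "*", Action: append(
	append([]string{}, BeforeFix[0].Action...), "route53:ListTagsForResources")}}
```

      Running MissingActions over BeforeFix reports only route53:ListTagsForResources, matching the AccessDenied in the error above; over AfterFix it reports nothing.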

      Version-Release number of selected component (if applicable):

       

      How reproducible:

      Every time

      Steps to Reproduce:

      1. Create an IPI cluster in SC2S region us-isob-east-1.
      

      Actual results:

      Ingress operator degrades due to the missing "route53:ListTagsForResources" permission, with the following error:
      ~~~
      The DNS provider failed to ensure the record: failed to find hosted zone for record: failed to get tagged resources: AccessDenied: User ....... rye... is not authorized to perform: route53:ListTagsForResources on resource.... hostedzone/.. because no identify based policy allows the route53:ListTagsForResources
      ~~~

      Expected results:

      Ingress operator should be in the Available state for a new installation.

      Additional info:

       

    People

      mmasters1@redhat.com Miciah Masters
      rhn-support-aygarg Ayush Garg
      Hongan Li