Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: None
Affects Version/s: 4.11
Component/s: Networking / router
Labels:

Severity:
Moderate
Regression:
None
Story Points:
2
Sprint:
Sprint 229, Sprint 230, Sprint 231
sprint_count:
3
Release Blocker:
Rejected
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
Cause: The Ingress Operator's cloud credentials request was missing an AWS resource permission that the Operator requires in order to manage DNS records in the C2S us-iso-east-1 and SC2S us-isob-east-1 regions.

Consequence: When OpenShift was installed in the C2S or SC2S regions, the Ingress Operator failed to publish DNS records in Route 53 and instead reported error messages similar to the following:

The DNS provider failed to ensure the record: failed to find hosted zone for record: failed to get tagged resources: AccessDenied: User: [...] is not authorized to perform: route53:ListTagsForResources on resource: [...]

This prevented ingress from working properly because host names for routes would not be resolvable.

Fix: The "route53:ListTagsForResources" permission was added to the Ingress Operator's cloud credentials request.

Result: Ingress Operator publishes DNS records in Route 53 in the C2S and SC2S regions, and ingress works properly.

Show
Cause: The Ingress Operator's cloud credentials request was missing an AWS resource permission that the Operator requires in order to manage DNS records in the C2S us-iso-east-1 and SC2S us-isob-east-1 regions. Consequence: When OpenShift was installed in the C2S or SC2S regions, the Ingress Operator failed to publish DNS records in Route 53 and instead reported error messages similar to the following: The DNS provider failed to ensure the record: failed to find hosted zone for record: failed to get tagged resources: AccessDenied: User: [...] is not authorized to perform: route53:ListTagsForResources on resource: [...] This prevented ingress from working properly because host names for routes would not be resolvable. Fix: The "route53:ListTagsForResources" permission was added to the Ingress Operator's cloud credentials request. Result: Ingress Operator publishes DNS records in Route 53 in the C2S and SC2S regions, and ingress works properly.
Release Note Type:
Bug Fix
Target Version:

4.13.0

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:
PX Priority Data:

Description of problem:

Ingress Controller is missing a required AWS resource permission for SC2S region us-isob-east-1

During the OpenShift 4 installation in SC2S region us-isob-east-1, the ingress operator degrades due to missing "route53:ListTagsForResources" permission from the "openshift-ingress" CredentialsRequest for which customer proactively raised a PR.
--> https://github.com/openshift/cluster-ingress-operator/pull/868

The code disables part of the logic for C2S isolated regions here: https://github.com/openshift/cluster-ingress-operator/blob/d9d1a2b44cc7955a18fbedfdc973daddba67bccd/pkg/dns/aws/dns.go#L167-L168
By not setting tagConfig, it results in the m.tags field to be set nil: https://github.com/openshift/cluster-ingress-operator/blob/d9d1a2b44cc7955a18fbedfdc973daddba67bccd/pkg/dns/aws/dns.go#L212-L222
This then drives the logic in the getZoneID method to use either lookupZoneID or lookupZoneIDWithoutResourceTagging: https://github.com/openshift/cluster-ingress-operator/blob/d9d1a2b44cc7955a18fbedfdc973daddba67bccd/pkg/dns/aws/dns.go#L280-L284
BLAB: the lookupZoneIDWithoutResourceTagging method is only ever called for endpoints.AwsIsoPartitionID, endpoints.AwsIsoBPartitionID regions.

Version-Release number of selected component (if applicable):

How reproducible:

Everytime

Steps to Reproduce:

1. Create an IPI cluster in  SC2S region us-isob-east-1.

Actual results:

Ingress operator degrades due to missing "route53:ListTagsForResources" permission with following error.
~~~
The DNS provider failed to ensure the record: failed to find hosted zone for record: failed to get tagged resources: AccessDenied: User ....... rye... is not authorized to perform: route53:ListTagsForResources on resource.... hostedzone/.. because no identify based policy allows the route53:ListTagsForResources
~~~

Expected results:

Ingress operator should be in available state for new installation.

Additional info:

blocks

OCPBUGS-15467 Ingress Controller is missing a required AWS resource permission for SC2S region us-isob-east-1

Closed

is cloned by

OCPBUGS-15467 Ingress Controller is missing a required AWS resource permission for SC2S region us-isob-east-1

Closed

links to

openshift/cluster-ingress-operator#868: OCPBUGS-4827: Add missing AWS permission for ListTagsForResources

Assignee:: Miciah Masters

Reporter:: Ayush Garg

QA Contact:: Hongan Li

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: 2022/12/13 9:12 PM

Updated:: 2023/10/17 12:46 AM

Resolved:: 2023/05/17 10:38 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates