Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-4827

Ingress Controller is missing a required AWS resource permission for SC2S region us-isob-east-1

XMLWordPrintable

    • Moderate
    • 2
    • Sprint 229, Sprint 230, Sprint 231
    • 3
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      Cause: The Ingress Operator's cloud credentials request was missing an AWS resource permission that the Operator requires in order to manage DNS records in the C2S us-iso-east-1 and SC2S us-isob-east-1 regions.

      Consequence: When OpenShift was installed in the C2S or SC2S regions, the Ingress Operator failed to publish DNS records in Route 53 and instead reported error messages similar to the following:

          The DNS provider failed to ensure the record: failed to find hosted zone for record: failed to get tagged resources: AccessDenied: User: [...] is not authorized to perform: route53:ListTagsForResources on resource: [...]

      This prevented ingress from working properly because host names for routes would not be resolvable.

      Fix: The "route53:ListTagsForResources" permission was added to the Ingress Operator's cloud credentials request.

      Result: Ingress Operator publishes DNS records in Route 53 in the C2S and SC2S regions, and ingress works properly.
      Show
      Cause: The Ingress Operator's cloud credentials request was missing an AWS resource permission that the Operator requires in order to manage DNS records in the C2S us-iso-east-1 and SC2S us-isob-east-1 regions. Consequence: When OpenShift was installed in the C2S or SC2S regions, the Ingress Operator failed to publish DNS records in Route 53 and instead reported error messages similar to the following:     The DNS provider failed to ensure the record: failed to find hosted zone for record: failed to get tagged resources: AccessDenied: User: [...] is not authorized to perform: route53:ListTagsForResources on resource: [...] This prevented ingress from working properly because host names for routes would not be resolvable. Fix: The "route53:ListTagsForResources" permission was added to the Ingress Operator's cloud credentials request. Result: Ingress Operator publishes DNS records in Route 53 in the C2S and SC2S regions, and ingress works properly.
    • Bug Fix

      Description of problem:

      Ingress Controller is missing a required AWS resource permission for SC2S region us-isob-east-1
      
      During the OpenShift 4 installation in SC2S region us-isob-east-1, the ingress operator degrades due to missing "route53:ListTagsForResources" permission from the "openshift-ingress" CredentialsRequest for which customer proactively raised a PR.
      --> https://github.com/openshift/cluster-ingress-operator/pull/868
      
      The code disables part of the logic for C2S isolated regions here: https://github.com/openshift/cluster-ingress-operator/blob/d9d1a2b44cc7955a18fbedfdc973daddba67bccd/pkg/dns/aws/dns.go#L167-L168
      By not setting tagConfig, it results in the m.tags field to be set nil: https://github.com/openshift/cluster-ingress-operator/blob/d9d1a2b44cc7955a18fbedfdc973daddba67bccd/pkg/dns/aws/dns.go#L212-L222
      This then drives the logic in the getZoneID method to use either lookupZoneID or lookupZoneIDWithoutResourceTagging: https://github.com/openshift/cluster-ingress-operator/blob/d9d1a2b44cc7955a18fbedfdc973daddba67bccd/pkg/dns/aws/dns.go#L280-L284
      BLAB: the lookupZoneIDWithoutResourceTagging method is only ever called for endpoints.AwsIsoPartitionID, endpoints.AwsIsoBPartitionID regions.

      Version-Release number of selected component (if applicable):

       

      How reproducible:

      Everytime

      Steps to Reproduce:

      1. Create an IPI cluster in  SC2S region us-isob-east-1.
      

      Actual results:

      Ingress operator degrades due to missing "route53:ListTagsForResources" permission with following error.
      ~~~
      The DNS provider failed to ensure the record: failed to find hosted zone for record: failed to get tagged resources: AccessDenied: User ....... rye... is not authorized to perform: route53:ListTagsForResources on resource.... hostedzone/.. because no identify based policy allows the route53:ListTagsForResources
      ~~~

      Expected results:

      Ingress operator should be in available state for new installation.

      Additional info:

       

            mmasters1@redhat.com Miciah Masters
            rhn-support-aygarg Ayush Garg
            Hongan Li Hongan Li
            Votes:
            0 Vote for this issue
            Watchers:
            10 Start watching this issue

              Created:
              Updated:
              Resolved: