OCPBUGS-49735

[aws/byo-public-ipv4] missing permission ec2:ReleaseAddress when destroying the cluster


    • Sprint: OpenShift SPLAT - Sprint 266
    • Release Note Text:

      Previously, a cluster that was created on {aws-first} could fail to deprovision without the permission to release the EIP address, `ec2:ReleaseAddress`. This issue occurred where the cluster was created with the minimum permissions in an existing virtual private cloud (VPC) (an unmanaged or bring your own (BYO) VPC) and a BYO Public IPv4 Pool address. With this release, a fix ensures that when deploying a cluster on {aws-short} with a BYO VPC and a BYO Public IPv4 Pool, the `ec2:ReleaseAddress` permission is exported to the install-generated Identity and Access Management (IAM) policy. (link:https://issues.redhat.com/browse/OCPBUGS-49735[*OCPBUGS-49735*])

    • Release Note Type: Bug Fix
    • Release Note Status: Proposed

      This is a clone of issue OCPBUGS-49594. The following is the description of the original issue:

      Description of problem:

          The deprovision CI step[1] e2e-aws-ovn-shared-vpc-edge-zones-ipi-deprovision-deprovision fails because the installer user is missing the permission ec2:ReleaseAddress, which is needed to remove the custom IPv4 address (EIP) allocated during cluster creation. BYO IPv4 is the default on CI jobs, and is enabled whenever the pool has IP addresses available.
      
      Error:
      level=warning msg=UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::460538899914:user/ci-op-rxxt8srv-bf840-minimal-perm-installer is not authorized to perform: ec2:ReleaseAddress on resource: arn:aws:ec2:us-east-1:[redacted]:elastic-ip/eipalloc-0f4b652b702e73204 because no identity-based policy allows the ec2:ReleaseAddress action.
      
      Job: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_installer/9413/pull-ci-openshift-installer-main-e2e-aws-ovn-shared-vpc-edge-zones/1884340831955980288

      Version-Release number of selected component (if applicable):

      4.19

      How reproducible:

          Always, when a BYO Public IPv4 pool is activated in the install-config.

      Steps to Reproduce:

          1. Install a cluster with a BYO IPv4 pool set in the install-config.
          2. Destroy the cluster with the same minimal-permission installer user.

      Actual results:

      level=warning msg=UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::460538899914:user/ci-op-rxxt8srv-bf840-minimal-perm-installer is not authorized to perform: ec2:ReleaseAddress on resource: arn:aws:ec2:us-east-1:[Redacted]:elastic-ip/eipalloc-0f4b652b702e73204 because no identity-based policy allows the ec2:ReleaseAddress action.

      Expected results:

          Permissions granted, EIP released.

      Additional info:

          
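A pre-destroy check, added here as an example and not part of the installer or of this issue, that reports which EIP-related actions a minimal-permission IAM policy fails to grant when the install-config enables a BYO Public IPv4 pool. It assumes the install-config key `platform.aws.publicIpv4Pool` and evaluates only the Action/Effect part of the policy (Resource and Condition elements are ignored); the install-config and policy documents below are constructed samples.

```python
import fnmatch

# Constructed install-config fragment; the `publicIpv4Pool` key name is an assumption.
INSTALL_CONFIG = {"platform": {"aws": {"region": "us-east-1",
                                       "publicIpv4Pool": "ipv4pool-ec2-EXAMPLE"}}}

# Constructed minimal-permission policy that allows allocating an EIP but never
# releasing it: the gap reported in this issue.
MINIMAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:DescribeAddresses"]}]}

def uses_byo_public_ipv4_pool(install_config):
    """True when the install-config sets a BYO public IPv4 pool (assumed key name)."""
    return bool(install_config.get("platform", {}).get("aws", {}).get("publicIpv4Pool"))

def policy_actions(policy):
    """Yield (effect, action_pattern) pairs; Action may be a string or a list."""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for pattern in actions:
            yield stmt.get("Effect", "Deny"), pattern

def action_is_allowed(policy, action):
    """Approximate IAM evaluation: an explicit Deny wins, otherwise a matching Allow
    grants the action. Action names are case-insensitive and may use * and ? wildcards."""
    allowed = False
    for effect, pattern in policy_actions(policy):
        if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
            if effect == "Deny":
                return False
            allowed = True
    return allowed

def missing_destroy_permissions(install_config, policy,
                                required=("ec2:ReleaseAddress",)):
    """Return the destroy-time actions the policy does not grant for the BYO IPv4 path.
    Only ec2:ReleaseAddress is required by default; callers may extend the tuple."""
    if not uses_byo_public_ipv4_pool(install_config):
        return []
    return [a for a in required if not action_is_allowed(policy, a)]

if __name__ == "__main__":
    for action in missing_destroy_permissions(INSTALL_CONFIG, MINIMAL_POLICY):
        print(f"installer policy is missing {action}; destroy would leak the EIP")
```

Run it against the policy the installer generated before `openshift-install destroy cluster` so a leaked EIP shows up as a missing permission rather than as an UnauthorizedOperation warning mid-destroy.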

              People: Marco Braga (rhn-support-mrbraga), OpenShift Prow Bot (openshift-crt-jira-prow), Yunfei Jiang