- Bug
- Resolution: Done-Errata
- Undefined
- 4.13
- None
- Moderate
- No
- False
Description of problem:
Following doc [1] to assign a custom role with minimum permissions for destroying a cluster to the installer Service Principal. As read permission on the public DNS zone and private DNS zone is missing in that doc for destroying an IPI cluster, there is no permission to remove the public DNS records. But installer destroy completes without any warning message.

$ ./openshift-install destroy cluster --dir ipi --log-level debug
DEBUG OpenShift Installer 4.13.0-0.nightly-2023-02-16-120330
DEBUG Built from commit c0bf49ca9e83fd00dfdfbbdddd47fbe6b5cdd510
INFO Credentials loaded from file "/home/fedora/.azure/osServicePrincipal.json"
DEBUG deleting public records
DEBUG deleting resource group
INFO deleted resource group=jima-ipi-role-l7qgz-rg
DEBUG deleting application registrations
DEBUG Purging asset "Metadata" from disk
DEBUG Purging asset "Master Ignition Customization Check" from disk
DEBUG Purging asset "Worker Ignition Customization Check" from disk
DEBUG Purging asset "Terraform Variables" from disk
DEBUG Purging asset "Kubeconfig Admin Client" from disk
DEBUG Purging asset "Kubeadmin Password" from disk
DEBUG Purging asset "Certificate (journal-gatewayd)" from disk
DEBUG Purging asset "Cluster" from disk
INFO Time elapsed: 6m16s
INFO Uninstallation complete!

$ az network dns record-set a list --resource-group os4-common --zone-name qe.azure.devcluster.openshift.com -o table | grep jima-ipi-role
*.apps.jima-ipi-role os4-common 30 A kubernetes.io_cluster.jima-ipi-role-l7qgz="owned"

$ az network dns record-set cname list --resource-group os4-common --zone-name qe.azure.devcluster.openshift.com -o table | grep jima-ipi-role
api.jima-ipi-role os4-common 300 CNAME kubernetes.io_cluster.jima-ipi-role-l7qgz="owned"

[1] https://docs.google.com/document/d/1iEs7T09Opj0iMXvpKeSatsAyPoda_gWQvFKQuWA3QdM/edit#
Version-Release number of selected component (if applicable):
4.13 nightly build
How reproducible:
always
Steps to Reproduce:
1. Create a custom role with limited permissions for destroying a cluster, without read permission on the public DNS zone and private DNS zone.
2. Assign the custom role to a Service Principal.
3. Use this SP to destroy the cluster.
Actual results:
Although some permissions were missing, the installer's destroy cluster completed without any warning.
Expected results:
The installer should print a warning message that indicates the leftover resources and the specific reason, so that the user can proceed further.
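A post-destroy leftover check for the situation described above, added here as an example and not part of the installer or this report: it takes the JSON that `az network dns record-set a list -o json` / `cname list -o json` return (the sample below is constructed to mirror the report's table output; the `type` field shape is an assumption) and reports record sets still carrying the installer's `kubernetes.io_cluster.<infraID>="owned"` tag, which is the warning the destroy should have printed.

```python
import json

# Constructed sample shaped like `az network dns record-set {a,cname} list -o json`;
# the first two entries mirror the leftover records shown in the report.
SAMPLE_LISTING = json.dumps([
    {"name": "*.apps.jima-ipi-role", "resourceGroup": "os4-common", "ttl": 30,
     "type": "Microsoft.Network/dnszones/A",
     "metadata": {"kubernetes.io_cluster.jima-ipi-role-l7qgz": "owned"}},
    {"name": "api.jima-ipi-role", "resourceGroup": "os4-common", "ttl": 300,
     "type": "Microsoft.Network/dnszones/CNAME",
     "metadata": {"kubernetes.io_cluster.jima-ipi-role-l7qgz": "owned"}},
    {"name": "api.other-cluster", "resourceGroup": "os4-common", "ttl": 300,
     "type": "Microsoft.Network/dnszones/CNAME",
     "metadata": {"kubernetes.io_cluster.other-cluster-abc12": "owned"}},
    {"name": "www", "resourceGroup": "os4-common", "ttl": 3600,
     "type": "Microsoft.Network/dnszones/A", "metadata": None},
])

OWNED_PREFIX = "kubernetes.io_cluster."


def owned_by(record_set, infra_id):
    """True if the record set carries the installer's ownership tag for infra_id."""
    metadata = record_set.get("metadata") or {}  # az emits null when untagged
    return metadata.get(OWNED_PREFIX + infra_id) == "owned"


def leftover_record_sets(listing_json, infra_id):
    """(name, record type) for every record set still owned by infra_id."""
    left = []
    for rs in json.loads(listing_json):
        if owned_by(rs, infra_id):
            # type looks like "Microsoft.Network/dnszones/A"; keep the last segment
            left.append((rs["name"], rs["type"].rsplit("/", 1)[-1]))
    return left


def destroy_warnings(listing_json, infra_id, zone):
    """Warning lines a destroy should emit instead of a bare 'Uninstallation complete!'."""
    left = leftover_record_sets(listing_json, infra_id)
    if not left:
        return []
    lines = [f"WARNING {len(left)} DNS record set(s) owned by {infra_id} remain in "
             f"zone {zone}; verify the destroy identity can read and delete in the zone"]
    lines += [f"WARNING leftover {rtype} record set {name}" for name, rtype in left]
    return lines


if __name__ == "__main__":
    for line in destroy_warnings(SAMPLE_LISTING, "jima-ipi-role-l7qgz",
                                 "qe.azure.devcluster.openshift.com"):
        print(line)
```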
Additional info:
Links to: RHSA-2023:5006 OpenShift Container Platform 4.14.z security update