Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-77571

ec2:CreateTags calls for EBS CSI driver on ROSA clusters failing

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Major Major
    • 4.22.0
    • 4.19, 4.20, 4.21
    • HyperShift / ROSA
    • None
    • True
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • None
    • None
    • None
    • None
    • None
    • None

      Description of problem:

      The EBSVolumeTagsController in csi-operator reconciles infrastructure resource tags on existing EBS volumes every 30 minutes. It computes a hash of the desired tags from the Infrastructure CR and compares it against an annotation (ebs.openshift.io/volume-tags-hash) stored on each PersistentVolume. If the annotation is missing or doesn't match, the controller calls ec2:CreateTags to apply the tags, and only sets the annotation after a successful call. ROSA HCP doesn't have the permission in AWS managed policies to CreateTags after the resource is created. The only CreateTags statement uses an ec2:CreateAction condition that restricts it to tagging at resource creation time. As a result, the CreateTags call always fails, the annotation is never written, and every 30-minute sync re-queues every EBS volume for another failed attempt with exponential backoff, generating UnauthorizedOperation errors into CloudWatch indefinitely. The volumes already have the correct tags applied at creation time by the AWS EBS CSI driver via --extra-tags, but the controller has no way to know this since it only checks its own annotation. We need to ensure the annotation is set on ROSA HCP clusters when the volume is created successfully, so the controller recognizes the tags are already present and does not attempt redundant CreateTags calls.

      Version-Release number of selected component (if applicable):

      CSI-operator - Currently known 4.19+

      How reproducible:

          100%

      Steps to Reproduce:

          1.Spin up ROSA HCP Cluster
    2.Create a PVC backed by gp3-csi storage class and run a pod with this pvc
    3.Wait for resync or restsart the csi-driver-operator pod 
    4. Errors in cloud trail

      Actual results:

      ec2:CreateTags calls fail with UnauthorizedOperation, generating error logs in CloudWatch. Volume tags applied at creation time remain intact but cannot be modified or reconciled post-creation.    

      Expected results:

      The ebs.openshift.io/volume-tags-hash annotation should be set on ROSA HCP clusters when the volume is created successfully, so the controller recognizes the tags are already present and does not attempt redundant CreateTags calls.                                                                                             
                  

      Additional info:

      The current CreateTags calls do not result in any tag changes and cluster operation is not affected. However, ROSA HCP should not be making these calls since it does not have the permission to do so.

              hekumar@redhat.com Hemant Kumar
              razevedo.openshift Rafael Azevedo
              Jie Zhao Jie Zhao
              None
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

                Created:
                Updated: