Bug 1803221
| Summary: | Permission validation optional in OpenShift AWS installer incorrectly denies permission | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Joel Diaz <jdiaz> |
| Component: | Installer | Assignee: | Joel Diaz <jdiaz> |
| Installer sub component: | openshift-installer | QA Contact: | Johnny Liu <jialiu> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | urgent | ||
| Priority: | urgent | CC: | aarapov, adahiya, ajuricic, dcaldwel, dhellard, fgaspar, gferrazs, hcisneir, jdiaz, jialiu, mfuruta, nchoudhu, openshift-bugs-escalate, sdodson |
| Version: | 4.1.z | ||
| Target Milestone: | --- | ||
| Target Release: | 4.2.z | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1750338 | Environment: | |
| Last Closed: | 2020-03-04 04:51:02 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1757244 | ||
| Bug Blocks: | |||
Comment 3
Scott Dodson
2020-02-19 20:35:51 UTC
Verified this bug with 4.2.0-0.nightly-2020-02-20-184122, and passed.
Create an IAM policy like the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "ec2:Create*",
                "ec2:Run*",
                "eks:Create*",
                "rds:Create*",
                "es:Create*",
                "lambda:Create*"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": "us-east-2"
                }
            }
        }
    ]
}
Create an AWS user, attach the policy to the user, and run the following tests using this user.
Reproduce it using the old version of the installer:
[root@preserve-jialiu-ansible ~]# openshift-install version
openshift-install v4.2.0
built from commit 90ccb37ac1f85ae811c50a29f9bb7e779c5045fb
release image quay.io/openshift-release-dev/ocp-release@sha256:c5337afd85b94c93ec513f21c8545e3f9e36a227f55d41bc1dfb8fcc3f2be129
[root@preserve-jialiu-ansible ~]# mkdir demo6
[root@preserve-jialiu-ansible ~]# cp ipi_template/install-config.yaml.aws demo6/install-config.yaml
[root@preserve-jialiu-ansible ~]# openshift-install create ignition-configs --dir demo6
INFO Consuming "Install Config" from target directory
WARNING Action not allowed with tested creds action="ec2:CreateDhcpOptions"
WARNING Action not allowed with tested creds action="ec2:CreateInternetGateway"
WARNING Action not allowed with tested creds action="ec2:CreateNatGateway"
WARNING Action not allowed with tested creds action="ec2:CreateNetworkInterface"
WARNING Action not allowed with tested creds action="ec2:CreateRoute"
WARNING Action not allowed with tested creds action="ec2:CreateRouteTable"
WARNING Action not allowed with tested creds action="ec2:CreateSecurityGroup"
WARNING Action not allowed with tested creds action="ec2:CreateSubnet"
WARNING Action not allowed with tested creds action="ec2:CreateTags"
WARNING Action not allowed with tested creds action="ec2:CreateVpc"
WARNING Action not allowed with tested creds action="ec2:CreateVpcEndpoint"
WARNING Action not allowed with tested creds action="ec2:CreateVolume"
WARNING Action not allowed with tested creds action="ec2:RunInstances"
WARNING Tested creds not able to perform all requested actions
FATAL failed to fetch Bootstrap Ignition Config: failed to fetch dependency of "Bootstrap Ignition Config": failed to fetch dependency of "Master Machines": failed to generate asset "Platform Credentials Check": validate AWS credentials: current credentials insufficient for performing cluster installation
Update the installer from 4.2.0-0.nightly-2020-02-20-184122 and verify it.
[root@preserve-jialiu-ansible ~]# openshift-install version
openshift-install v4.2.20
built from commit 8465c322cdd805ed5e43c3fc52a485ca63d305c7
release image registry.svc.ci.openshift.org/ocp/release@sha256:3c2170d5407ef21f03cae2e44cdca590151d49f11242a5e1c05595c583fb4bb8
[root@preserve-jialiu-ansible ~]# rm -rf demo6
[root@preserve-jialiu-ansible ~]# mkdir demo6
[root@preserve-jialiu-ansible ~]# cp ipi_template/install-config.yaml.aws demo6/install-config.yaml
[root@preserve-jialiu-ansible ~]# openshift-install create ignition-configs --dir demo6
INFO Consuming "Install Config" from target directory
[root@preserve-jialiu-ansible ~]# openshift-install create cluster --dir demo6
INFO Consuming "Worker Ignition Config" from target directory
INFO Consuming "Bootstrap Ignition Config" from target directory
INFO Consuming "Master Ignition Config" from target directory
INFO Creating infrastructure resources...
INFO Waiting up to 30m0s for the Kubernetes API at https://api.jialiu.qe.devcluster.openshift.com:6443...
INFO API v1.14.6+999bb21 up
INFO Waiting up to 30m0s for bootstrapping to complete...
INFO Destroying the bootstrap resources...
INFO Waiting up to 30m0s for the cluster at https://api.jialiu.qe.devcluster.openshift.com:6443 to initialize...
INFO Waiting up to 10m0s for the openshift-console route to be created...
INFO Install complete!
INFO To access the cluster as the system:admin user when using 'oc', run 'export KUBECONFIG=/root/demo6/auth/kubeconfig'
INFO Access the OpenShift web-console here: https://console-openshift-console.apps.jialiu.qe.devcluster.openshift.com
INFO Login to the console with user: kubeadmin, password: fRRpr-nnYTM-dwJiC-vomBf
[root@preserve-jialiu-ansible ~]# export KUBECONFIG=/root/demo6/auth/kubeconfig
[root@preserve-jialiu-ansible ~]# oc get node
NAME                                         STATUS   ROLES    AGE   VERSION
ip-10-0-130-206.us-east-2.compute.internal   Ready    master   38m   v1.14.6+47933cbcc
ip-10-0-135-165.us-east-2.compute.internal   Ready    worker   32m   v1.14.6+47933cbcc
ip-10-0-144-61.us-east-2.compute.internal    Ready    master   38m   v1.14.6+47933cbcc
ip-10-0-154-38.us-east-2.compute.internal    Ready    worker   32m   v1.14.6+47933cbcc
ip-10-0-170-189.us-east-2.compute.internal   Ready    master   38m   v1.14.6+47933cbcc
ip-10-0-174-182.us-east-2.compute.internal   Ready    worker   32m   v1.14.6+47933cbcc
[root@preserve-jialiu-ansible ~]# oc get co
NAME                                       VERSION                             AVAILABLE   PROGRESSING   DEGRADED   SINCE
authentication                             4.2.0-0.nightly-2020-02-20-184122   True        False         False      22m
cloud-credential                           4.2.0-0.nightly-2020-02-20-184122   True        False         False      36m
cluster-autoscaler                         4.2.0-0.nightly-2020-02-20-184122   True        False         False      28m
console                                    4.2.0-0.nightly-2020-02-20-184122   True        False         False      26m
dns                                        4.2.0-0.nightly-2020-02-20-184122   True        False         False      36m
image-registry                             4.2.0-0.nightly-2020-02-20-184122   True        False         False      28m
ingress                                    4.2.0-0.nightly-2020-02-20-184122   True        False         False      29m
insights                                   4.2.0-0.nightly-2020-02-20-184122   True        False         False      36m
kube-apiserver                             4.2.0-0.nightly-2020-02-20-184122   True        False         False      34m
kube-controller-manager                    4.2.0-0.nightly-2020-02-20-184122   True        False         False      34m
kube-scheduler                             4.2.0-0.nightly-2020-02-20-184122   True        False         False      34m
machine-api                                4.2.0-0.nightly-2020-02-20-184122   True        False         False      36m
machine-config                             4.2.0-0.nightly-2020-02-20-184122   True        False         False      36m
marketplace                                4.2.0-0.nightly-2020-02-20-184122   True        False         False      29m
monitoring                                 4.2.0-0.nightly-2020-02-20-184122   True        False         False      27m
network                                    4.2.0-0.nightly-2020-02-20-184122   True        False         False      35m
node-tuning                                4.2.0-0.nightly-2020-02-20-184122   True        False         False      32m
openshift-apiserver                        4.2.0-0.nightly-2020-02-20-184122   True        False         False      31m
openshift-controller-manager               4.2.0-0.nightly-2020-02-20-184122   True        False         False      34m
openshift-samples                          4.2.0-0.nightly-2020-02-20-184122   True        False         False      29m
operator-lifecycle-manager                 4.2.0-0.nightly-2020-02-20-184122   True        False         False      35m
operator-lifecycle-manager-catalog         4.2.0-0.nightly-2020-02-20-184122   True        False         False      35m
operator-lifecycle-manager-packageserver   4.2.0-0.nightly-2020-02-20-184122   True        False         False      33m
service-ca                                 4.2.0-0.nightly-2020-02-20-184122   True        False         False      36m
service-catalog-apiserver                  4.2.0-0.nightly-2020-02-20-184122   True        False         False      32m
service-catalog-controller-manager         4.2.0-0.nightly-2020-02-20-184122   True        False         False      32m
storage                                    4.2.0-0.nightly-2020-02-20-184122   True        False         False      29m
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0614
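The difference between the two installer runs in the verification comment comes down to how IAM evaluates a StringNotEquals condition when the aws:RequestedRegion key is absent from the request context: a negated operator matches a missing key, so the Deny statement fires, and a permission simulation run without a region context reports every ec2:Create*/ec2:Run* action as not allowed, which is exactly the list of WARNING lines the v4.2.0 installer printed. The fix tracked in the linked bugs is, as far as the editor knows, to supply the target region as a context entry to iam:SimulatePrincipalPolicy; this page does not state that, so treat it as an assumption. The Python below is an added example written for this page, not installer or cloud-credential-operator code: it models the evaluation locally (no AWS calls), runs the policy from the comment against a constructed subset of installer actions with and without a region context, and shows the boto3 request shape that carries the context. The action list, the policy_source_arn value and the function names are illustrative.

```python
import fnmatch

# Constructed copy of the IAM policy from the verification comment above:
# allow everything, but explicitly deny resource creation outside us-east-2.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": ["ec2:Create*", "ec2:Run*", "eks:Create*",
                       "rds:Create*", "es:Create*", "lambda:Create*"],
            "Resource": ["*"],
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-2"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action matching is case-insensitive and supports '*' and '?'.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate a Condition block against the request context.

    Only the two string operators this policy needs are implemented. The
    important detail is the missing-key rule: a positive operator
    (StringEquals) fails when the key is absent, a negated operator
    (StringNotEquals) succeeds when the key is absent.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [str(v) for v in _as_list(expected)]
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in expected:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def evaluate(policy, action, context):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one action.

    Resources are not modelled because every statement here uses '*'.
    An explicit Deny wins over any Allow, as in real IAM evaluation.
    """
    allowed = False
    for statement in policy["Statement"]:
        if not _action_matches(statement["Action"], action):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def unpermitted_actions(policy, actions, region=None):
    """Mirror the installer's pre-flight check and return the actions the
    credentials cannot perform. region=None models a simulation that sends
    no aws:RequestedRegion context; passing the target region models the fix.
    """
    context = {} if region is None else {"aws:RequestedRegion": region}
    return [a for a in actions if evaluate(policy, a, context) != "Allow"]


def simulate_principal_policy_kwargs(policy_source_arn, actions, region):
    """Keyword arguments for boto3's iam.simulate_principal_policy() that
    carry the region as a context entry, so the real simulator evaluates the
    StringNotEquals condition the way a request from that region would.
    (Builds the request only; nothing here talks to AWS.)
    """
    return {
        "PolicySourceArn": policy_source_arn,
        "ActionNames": list(actions),
        "ContextEntries": [{
            "ContextKeyName": "aws:RequestedRegion",
            "ContextKeyValues": [region],
            "ContextKeyType": "string",
        }],
    }


# A small, constructed subset of the actions the installer checks.
INSTALLER_ACTIONS = ["ec2:CreateVpc", "ec2:RunInstances",
                     "ec2:DescribeInstances", "iam:GetUser"]

if __name__ == "__main__":
    print("no region context:", unpermitted_actions(POLICY, INSTALLER_ACTIONS))
    print("region us-east-2: ", unpermitted_actions(POLICY, INSTALLER_ACTIONS, "us-east-2"))
    print("region us-west-2: ", unpermitted_actions(POLICY, INSTALLER_ACTIONS, "us-west-2"))
```

Running the block reports the two creation actions as unpermitted when no region context is supplied and an empty list once us-east-2 is passed, mirroring the failed and successful installer runs. When you run the real simulation, check EvaluationResults[].MissingContextValues in the SimulatePrincipalPolicy response: a non-empty list means the verdict was computed without a key the policy conditions on and does not reflect what a real request from the target region would get.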