Bug 1866881

Summary: AWS provider: filter user tags
Product: OpenShift Container Platform
Reporter: Michael Gugino <mgugino>
Component: Cloud Compute
Assignee: Michael Gugino <mgugino>
Cloud Compute sub component: Other Providers
QA Contact: Milind Yadav <miyadav>
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Version: 4.6
Target Release: 4.6.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-10-27 16:26:20 UTC
Type: Bug

Description Michael Gugino 2020-08-06 17:18:29 UTC
Description of problem:

Currently, users can specify whatever instance tags they want
for a machineSpec. While we attempt to remove duplicates,
this results in us removing the proper values instead of
the user supplied ones for Name and clusterID.

We should not allow this.

Comment 3 Milind Yadav 2020-08-24 06:24:49 UTC
VALIDATED ON:

 Cluster version is 4.6.0-0.nightly-2020-08-23-214712

I was able to edit machine tags and save them. Tags modified are as below:
 oc edit machines miyadav-b556-jrgfw-worker-us-east-2a-fvj4m --config aws
machine.machine.openshift.io/miyadav-b556-jrgfw-worker-us-east-2a-fvj4m edited


      securityGroups:
      - filters:
        - name: tag:Name
          values:
          - miyadav-b56-jrgfw-worker-sg
      subnet:
        filters:
        - name: tag:Name
          values:
          - miyadav-b56-jrgfw-private-us-east-2a

Expected: I should not be able to update tag values

Comment 4 Milind Yadav 2020-08-24 09:28:56 UTC
Another tag that was also tried:

            tags:
            - name: kubernetes.io/cluster/miyadav-b556-jrgfw
              value: owned

Comment 5 Michael Gugino 2020-08-24 12:56:22 UTC
The procedure to verify this is to set the tags on the machine object at creation time and verify they do not get placed on the instances in the cloud.  We're not removing/changing the machine object for this fix.

Comment 7 Milind Yadav 2020-08-24 13:34:22 UTC
Hi Michael, thanks for reverting. Please review, as I can see them propagating to the AWS console as well? Snap attached.

I created a new machineset with those values (at creation time, as you suggested).

Comment 8 Michael Gugino 2020-08-24 13:39:00 UTC
Milind,

In your screenshot, the second tag has a typo of 'cliuster' instead of 'cluster', therefore it won't get filtered.  The Name tag is set appropriately.

Everything that has a key of "Name" and every key that starts with "kubernetes.io/cluster" will get filtered and set to the appropriate value.  "kubernetes.io/cliuster" will be ignored due to the typo.

Comment 9 Milind Yadav 2020-08-25 06:56:38 UTC
Thanks Michael, it worked and user tags are getting filtered and not propagated.

Moved to VERIFIED.

Updated the tag like below:
          tags:
          - name: kubernetes.io/cluster/miydav-b556-jrgfw
            value: ownd


On the EC2 dashboard in the AWS console, we could see the tag value as "owned".

version validated on - Cluster version is 4.6.0-0.nightly-2020-08-23-214712
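
Added example, not part of the bug thread and not the provider's own code: a Go sketch of the filtering rule from Comment 8, run over the tag values tried in Comments 8 and 9. The Tag type, the function names, and the "not-the-machine-name" and "team" sample tags are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Tag mirrors the name/value pairs under "tags:" in the machine spec (hypothetical type).
type Tag struct{ Name, Value string }

const clusterTagPrefix = "kubernetes.io/cluster" // reserved prefix named in Comment 8

// isReserved reports whether a user-supplied key collides with a provider-owned tag.
func isReserved(key string) bool {
	return key == "Name" || strings.HasPrefix(key, clusterTagPrefix)
}

// BuildInstanceTags drops reserved user tags, then sets the provider-owned values.
// It returns the tags to place on the instance and the user keys that were dropped.
func BuildInstanceTags(clusterID, machineName string, user []Tag) (map[string]string, []string) {
	out := map[string]string{}
	var dropped []string
	for _, t := range user {
		if isReserved(t.Name) {
			dropped = append(dropped, t.Name)
			continue
		}
		out[t.Name] = t.Value
	}
	out["Name"] = machineName
	out[clusterTagPrefix+"/"+clusterID] = "owned"
	sort.Strings(dropped)
	return out, dropped
}

func main() {
	// Constructed input based on the values tried in the thread.
	user := []Tag{
		{"Name", "not-the-machine-name"},
		{"kubernetes.io/cluster/miydav-b556-jrgfw", "ownd"},
		{"kubernetes.io/cliuster/miyadav-b556-jrgfw", "owned"}, // typo: not reserved
		{"team", "qa"},
	}
	tags, dropped := BuildInstanceTags("miyadav-b556-jrgfw", "miyadav-b556-jrgfw-worker-us-east-2a-fvj4m", user)
	fmt.Println(tags, dropped)
}
```

Returning the dropped keys lets a caller log which user tags were overridden, so a misspelled key such as "kubernetes.io/cliuster/..." that passes through unfiltered is easier to spot.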

Comment 11 errata-xmlrpc 2020-10-27 16:26:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196