Bug 1969371
Summary: | [AWS] destroyer tried to search resources in other china region. | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Yunfei Jiang <yunjiang> |
Component: | Installer | Assignee: | Aditya Narayanaswamy <anarayan> |
Installer sub component: | openshift-installer | QA Contact: | Yunfei Jiang <yunjiang> |
Status: | CLOSED ERRATA | Docs Contact: | |
Severity: | low | ||
Priority: | low | CC: | anarayan, mstaeble, vlours |
Version: | 4.8 | Keywords: | Reopened |
Target Milestone: | --- | ||
Target Release: | 4.9.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
The AWS destroyer checks for resources in cn-northwest-1 even if the installation was not in that region. This behavior is correct for the public AWS partition but not for the AWS China partitions, where the regions do not have any relation with each other; they work as separate entities.
Removing the piece of code that checks in northwest at all times.
|
Last Closed: | 2022-02-21 01:22:56 UTC | Type: | Bug |
Description
Yunfei Jiang
2021-06-08 10:08:21 UTC
For the public AWS partition, this is the correct behavior. The us-east-1 region must be searched in order to find non-region resources. The resourcetaggingapi requires that the region be set to us-east-1 for those resources.

For the China AWS partition, it is incorrect to search in cn-northwest-1 when the installed region is cn-north-1. Those two regions are really separate partitions rather than simply separate regions. There are no resources that span those regions.

Needs prioritized.

verify failed.
OCP version: 4.9.0-0.nightly-2021-08-25-231643

destroyer was trying to search resources on us-east-1 while destroying a cluster on cn-northwest-1, is it correct?

~~~
08-26 13:57:46.943 level=debug msg=search for matching resources by tag in cn-northwest-1 matching aws.Filter{"kubernetes.io/cluster/yunjiang-bzcn4-kwjpr":"owned"}
08-26 13:57:49.567 level=debug msg=search for matching resources by tag in cn-northwest-1 matching aws.Filter{"openshiftClusterID":"86c849bb-4ecb-4d55-9e79-57cf4642ec50"}
08-26 13:57:49.842 level=debug msg=search for matching resources by tag in us-east-1 matching aws.Filter{"kubernetes.io/cluster/yunjiang-bzcn4-kwjpr":"owned"}
~~~

verified. PASS.
OCP version: 4.9.0-0.nightly-2021-08-29-010334

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759

Hi Team,

Sorry to re-open this BZ, but we have a customer who is facing the same issue with the 4.9.18 installer.

Cluster is installed in ap-southeast-1 region, but the installer failed to destroy the cluster as it tries to access some resources from us-east-1

~~~
time="2022-02-19T14:26:32+08:00" level=debug msg="search for matching resources by tag in us-east-1 matching aws.Filter{\"kubernetes.io/cluster/<customerclusterid-abc123>\":\"owned\"}"
time="2022-02-19T14:26:33+08:00" level=info msg="get tagged resources: AccessDeniedException: User: arn:aws:iam::<IAM_ID>:user/ocp_user is not authorized to perform: tag:GetResources with an explicit deny in a service control policy\n\tstatus code: 400, request id: <id>"
~~~

The customer doesn't have any permission in us-east-1.

@vlours
1. Do not re-open a BZ that has already been closed and added to errata. If you feel that the issue addressed by the BZ still exists, open a new BZ.
2. The issue that your customer is facing is not the same issue as this BZ. Moreover, the issue that your customer is facing is the expected behavior and not a bug.
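
Added example (not part of the bug report and not the installer's own code): a small Go check that reads destroyer debug output and reports tag searches in regions the rule discussed in this thread does not allow. The function names and the sample log lines are constructed for illustration, and any region without a `cn-` prefix is assumed to be in the public partition.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// searchRe matches the destroyer debug message quoted in this bug.
var searchRe = regexp.MustCompile(`search for matching resources by tag in ([a-z0-9-]+) matching`)

// expectedRegions encodes the rule stated in the bug: a China region is
// searched alone; a public-partition install also searches us-east-1.
// Assumption: any region without the "cn-" prefix is treated as public;
// GovCloud and other partitions are not modelled.
func expectedRegions(installed string) map[string]bool {
	want := map[string]bool{installed: true}
	if !strings.HasPrefix(installed, "cn-") {
		want["us-east-1"] = true
	}
	return want
}

// unexpectedSearches lists, in first-seen order, regions the log shows
// being searched that the rule does not allow for this install.
func unexpectedSearches(installed, log string) []string {
	want, seen := expectedRegions(installed), map[string]bool{}
	var extra []string
	for _, m := range searchRe.FindAllStringSubmatch(log, -1) {
		if r := m[1]; !want[r] && !seen[r] {
			seen[r] = true
			extra = append(extra, r)
		}
	}
	return extra
}

// Constructed samples in the two log layouts seen in the thread.
const chinaLog = `level=debug msg=search for matching resources by tag in cn-northwest-1 matching aws.Filter{"kubernetes.io/cluster/example-abc12":"owned"}
level=debug msg=search for matching resources by tag in us-east-1 matching aws.Filter{"kubernetes.io/cluster/example-abc12":"owned"}`
const publicLog = `time="2022-01-01T00:00:00Z" level=debug msg="search for matching resources by tag in ap-southeast-1 matching aws.Filter{\"kubernetes.io/cluster/example-abc12\":\"owned\"}"
time="2022-01-01T00:00:01Z" level=debug msg="search for matching resources by tag in us-east-1 matching aws.Filter{\"kubernetes.io/cluster/example-abc12\":\"owned\"}"`

func main() {
	fmt.Println(unexpectedSearches("cn-northwest-1", chinaLog))  // us-east-1 is flagged
	fmt.Println(unexpectedSearches("ap-southeast-1", publicLog)) // nothing flagged
}
```

For a public-partition install the us-east-1 search is never flagged, which matches the closing comment: credentials or service control policies used for destroy must allow `tag:GetResources` in us-east-1 as well as in the installed region.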