Bug 2029833
| Summary: | CredentialsRequest for capi operator lacks serviceAccountNames field in spec | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | wang lin <lwan> |
| Component: | Cloud Compute | Assignee: | Michael McCune <mimccune> |
| Cloud Compute sub component: | Cloud Controller Manager | QA Contact: | sunzhaohua <zhsun> |
| Status: | CLOSED DUPLICATE | Docs Contact: | |
| Severity: | high | | |
| Priority: | high | CC: | aos-bugs, jdiaz, lwan, mimccune |
| Version: | 4.10 | | |
| Target Milestone: | --- | | |
| Target Release: | 4.10.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-01-04 21:11:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
|
Description
wang lin
2021-12-07 12:08:39 UTC
This BZ should/could be about both AWS and GCP. We recently added GCP Workload Identity support which works nearly identically to the AWS implementation, and the GCP CredentialsRequest would also require the ServiceAccountNames field to be set appropriately.

Just trying to figure out the proper component, @lwan is this a problem with the capi operator or with the ccoctl tool?

(In reply to Michael McCune from comment #2)
> just trying to figure out the proper component, @lwan is this a
> problem with the capi operator or with the ccoctl tool?

No need to wait for Lin to respond while I'm online :). The ccoctl tool can no longer make IAM Roles while processing a CredentialsRequest if the ServiceAccountNames field is empty. ccoctl locks down access to the IAM Role via the namespace/name of the ServiceAccount(s). Don't know why the TODO in the code is still lying around, but it sums things up nicely: https://github.com/openshift/cloud-credential-operator/blob/master/pkg/cmd/provisioning/aws/create-iam-roles.go#L259-L263

```go
// We used to support leaving the list of ServiceAccounts blank in the CredentialsRequest while
// we transitioned all the existing CredReqs. That work is complete, and we should not
// create Role policies that limit the Role by audience any more.
// Return an error indicating that ccoctl requires the ServiceAccount list to be populated.
```

In the absence of the ServiceAccountNames, ccoctl has nothing to restrict which ServiceAccounts inside the cluster are allowed to AssumeRole() to the target IAM Role. As a transition, we allowed AssumeRole() from any ServiceAccount with the "right" audience field, but (for example) that means any ServiceAccount in the cluster can AssumeRole to the IAM Role that is meant for the machine-api-operator (not a good security situation). But now that all in-cluster CredentialsRequests populate the ServiceAccountNames field, we took away that transitional support.

Thanks for the explanation, Joel.

It sounds like we need to update the CredentialsRequests in this file[0] to add the ServiceAccountNames?

[0] https://github.com/openshift/cluster-capi-operator/blob/main/manifests/0000_30_capi-operator_00_credentials-request.yaml

Yes for both GCP and AWS. And in an ideal world we'd also update the permissions in that GCP CredentialsRequest to not use the beta level loadbalanceradmin role too.

Perfect, thanks for the confirmation and extra context.

Hey all, I didn't realize we had this open when we hit the error earlier today. Subsequently we created a new bug, https://bugzilla.redhat.com/show_bug.cgi?id=2037061, and I have posted a pull request to fix the issue. I am marking this bug as a duplicate of the other, even though we opened this one first. Apologies for the confusion.

*** This bug has been marked as a duplicate of bug 2037061 ***
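The security point in the explanation above is what the two IAM trust-policy shapes look like and why the audience-only one is unsafe: a projected ServiceAccount token carries `sub = system:serviceaccount:<namespace>:<name>`, so a trust policy that conditions on `<issuer>:sub` pins the role to the ServiceAccounts named in `spec.serviceAccountNames`, while one that conditions only on `<issuer>:aud` accepts a token from any pod in the cluster that can request that audience. The Go program below is an added illustration, not ccoctl's code and not from the bug thread. It builds both policy shapes from a CredentialsRequest's namespace and `serviceAccountNames`, refuses an empty list the way the quoted TODO describes, and runs a toy `StringEquals` evaluator over constructed token claims to show an unrelated ServiceAccount being accepted by the transitional policy and rejected by the strict one. The account ID, OIDC issuer host, audience `openshift`, namespace `openshift-cluster-api` and ServiceAccount name `capi-operator` are all assumed values, not taken from the manifest; the JSON layout follows the standard web-identity trust policy rather than ccoctl's exact output.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Statement is one entry in an IAM role trust policy (AssumeRolePolicyDocument).
type Statement struct {
	Effect    string                         `json:"Effect"`
	Principal map[string]string              `json:"Principal"`
	Action    string                         `json:"Action"`
	Condition map[string]map[string][]string `json:"Condition"`
}

// TrustPolicy is the document attached to the role that decides who may assume it.
type TrustPolicy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// ErrNoServiceAccounts stands in for the error ccoctl returns on an empty list
// (illustrative message; the real wording is not quoted in the thread).
var ErrNoServiceAccounts = errors.New("CredentialsRequest has no serviceAccountNames; refusing to emit an audience-only trust policy")

// TrustPolicyFor builds the locked-down policy: only projected tokens whose "sub"
// names one of the listed ServiceAccounts in namespace may call AssumeRoleWithWebIdentity.
// issuerHost is the cluster's OIDC issuer without the https:// scheme.
func TrustPolicyFor(providerARN, issuerHost, namespace string, serviceAccountNames []string) (TrustPolicy, error) {
	if len(serviceAccountNames) == 0 {
		return TrustPolicy{}, ErrNoServiceAccounts
	}
	subs := make([]string, 0, len(serviceAccountNames))
	for _, sa := range serviceAccountNames {
		subs = append(subs, "system:serviceaccount:"+namespace+":"+sa)
	}
	return TrustPolicy{Version: "2012-10-17", Statement: []Statement{{
		Effect:    "Allow",
		Principal: map[string]string{"Federated": providerARN},
		Action:    "sts:AssumeRoleWithWebIdentity",
		Condition: map[string]map[string][]string{"StringEquals": {issuerHost + ":sub": subs}},
	}}}, nil
}

// TransitionalTrustPolicy is the audience-only shape the thread says ccoctl used to
// emit during migration: any token from the issuer with the expected "aud" passes,
// whichever ServiceAccount it belongs to.
func TransitionalTrustPolicy(providerARN, issuerHost, audience string) TrustPolicy {
	return TrustPolicy{Version: "2012-10-17", Statement: []Statement{{
		Effect:    "Allow",
		Principal: map[string]string{"Federated": providerARN},
		Action:    "sts:AssumeRoleWithWebIdentity",
		Condition: map[string]map[string][]string{"StringEquals": {issuerHost + ":aud": {audience}}},
	}}}
}

// Claims is the subset of a projected ServiceAccount token the conditions read.
type Claims struct {
	Aud string // audience the token was minted for
	Sub string // system:serviceaccount:<namespace>:<name>
}

// Allows is a toy evaluator for StringEquals conditions only; real IAM evaluation is
// richer, but this covers everything the two policy shapes above use.
func Allows(p TrustPolicy, issuerHost string, c Claims) bool {
	claim := map[string]string{issuerHost + ":aud": c.Aud, issuerHost + ":sub": c.Sub}
	for _, st := range p.Statement {
		if st.Effect != "Allow" || st.Action != "sts:AssumeRoleWithWebIdentity" {
			continue
		}
		matched := true
		for key, allowed := range st.Condition["StringEquals"] {
			if !contains(allowed, claim[key]) {
				matched = false
				break
			}
		}
		if matched {
			return true
		}
	}
	return false
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func main() {
	// Constructed inputs (assumed account, issuer, audience, namespace and SA name).
	const provider = "arn:aws:iam::123456789012:oidc-provider/oidc.example.test"
	const issuer, audience, namespace = "oidc.example.test", "openshift", "openshift-cluster-api"
	strict, err := TrustPolicyFor(provider, issuer, namespace, []string{"capi-operator"})
	if err != nil {
		panic(err)
	}
	loose := TransitionalTrustPolicy(provider, issuer, audience)
	// A token for an unrelated ServiceAccount that carries the right audience.
	other := Claims{Aud: audience, Sub: "system:serviceaccount:default:anything"}
	fmt.Println("transitional policy admits unrelated SA:", Allows(loose, issuer, other)) // true
	fmt.Println("strict policy admits unrelated SA:      ", Allows(strict, issuer, other)) // false
	doc, _ := json.MarshalIndent(strict, "", "  ")
	fmt.Println(string(doc))
	_, err = TrustPolicyFor(provider, issuer, namespace, nil) // what ccoctl now does
	fmt.Println("empty serviceAccountNames:", err)
}
```

The strict policy deliberately does not repeat the audience check in the condition: IAM already validates a web-identity token's `aud` against the client IDs registered on the OIDC provider, so the `sub` condition is the part that distinguishes one in-cluster workload from another.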