Bug 1757244 - Permission validation optional in OpenShift AWS installer incorrectly denies permission
Summary: Permission validation optional in OpenShift AWS installer incorrectly denies ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.1.z
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
: 4.3.z
Assignee: Joel Diaz
QA Contact: Johnny Liu
URL:
Whiteboard:
: 1815331 (view as bug list)
Depends On: 1829101 1750338 1832640
Blocks: 1803221
TreeView+ depends on / blocked
 
Reported: 2019-09-30 23:09 UTC by Abhinav Dahiya
Modified: 2020-05-15 17:46 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1750338
Environment:
Last Closed: 2020-02-25 06:17:59 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github openshift cloud-credential-operator pull 155 None closed [release-4.3] Bug 1757244: improve permissions simulation by adding region info 2020-05-14 17:12:51 UTC
Github openshift installer pull 3102 None closed [release-4.3] Bug 1757244: use region info when simulating permissions 2020-05-14 17:12:51 UTC
Red Hat Product Errata RHBA-2020:0528 None None None 2020-02-25 06:18:12 UTC

Comment 5 Devan Goodwin 2020-02-04 18:54:49 UTC
Joel is this clone still valid? Both it and the original target 4.4.

Comment 6 Joel Diaz 2020-02-04 19:51:29 UTC
We're using the parent of this BZ (1750338) to track the changes to add region info into the permissions simulations, so perhaps this can be used for the non-master PR that will be coming shortly.

Scott, WDYT?

Comment 7 Scott Dodson 2020-02-04 20:00:49 UTC
SGTM, shuffled papers.

Comment 11 Johnny Liu 2020-02-20 06:05:56 UTC
Verified this bug with 4.3.3-x86_64, and passed.

Create IAM policy like the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "ec2:Create*",
                "ec2:Run*",
                "eks:Create*",
                "rds:Create*",
                "es:Create*",
                "lambda:Create*"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": "us-east-2"
                }
            }
        }
    ]
}
Create a aws ueser attach it to the user, run the following testing using this user.

[root@preserve-jialiu-ansible ~]# cp ipi_template/install-config.yaml.aws demo6/install-config.yaml
[root@preserve-jialiu-ansible ~]# openshift-install create ignition-configs --dir demo6
INFO Consuming Install Config from target directory 
WARNING Action not allowed with tested creds          action="ec2:CreateNetworkInterface"
WARNING Action not allowed with tested creds          action="ec2:CreateSecurityGroup"
WARNING Action not allowed with tested creds          action="ec2:CreateTags"
WARNING Action not allowed with tested creds          action="ec2:CreateVolume"
WARNING Action not allowed with tested creds          action="ec2:RunInstances"
WARNING Action not allowed with tested creds          action="ec2:CreateDhcpOptions"
WARNING Action not allowed with tested creds          action="ec2:CreateInternetGateway"
WARNING Action not allowed with tested creds          action="ec2:CreateNatGateway"
WARNING Action not allowed with tested creds          action="ec2:CreateRoute"
WARNING Action not allowed with tested creds          action="ec2:CreateRouteTable"
WARNING Action not allowed with tested creds          action="ec2:CreateSubnet"
WARNING Action not allowed with tested creds          action="ec2:CreateVpc"
WARNING Action not allowed with tested creds          action="ec2:CreateVpcEndpoint"
WARNING Tested creds not able to perform all requested actions 
FATAL failed to fetch Bootstrap Ignition Config: failed to fetch dependency of "Bootstrap Ignition Config": failed to fetch dependency of "Master Machines": failed to generate asset "Platform Credentials Check": validate AWS credentials: current credentials insufficient for performing cluster installation

[root@preserve-jialiu-ansible ~]# rm -rf demo6
[root@preserve-jialiu-ansible ~]# mkdir  demo6
[root@preserve-jialiu-ansible ~]# cp ipi_template/install-config.yaml.aws demo6/install-config.yaml
[root@preserve-jialiu-ansible ~]# openshift-install version
openshift-install 4.3.3
built from commit c7325a3c6045c7f4c8f1ac98d037ffca919be05a
release image quay.io/openshift-release-dev/ocp-release@sha256:9b8708b67dd9b7720cb7ab3ed6d12c394f689cc8927df0e727c76809ab383f44
[root@preserve-jialiu-ansible ~]# openshift-install create ignition-configs --dir demo6
INFO Consuming Install Config from target directory
[root@preserve-jialiu-ansible ~]# openshift-install create cluster --dir demo6
INFO Consuming Worker Ignition Config from target directory 
INFO Consuming Master Ignition Config from target directory 
INFO Consuming Bootstrap Ignition Config from target directory 
INFO Creating infrastructure resources...         
INFO Waiting up to 30m0s for the Kubernetes API at https://api.jialiu.qe.devcluster.openshift.com:6443... 
INFO API v1.16.2 up                               
INFO Waiting up to 30m0s for bootstrapping to complete... 
INFO Destroying the bootstrap resources...        
INFO Waiting up to 30m0s for the cluster at https://api.jialiu.qe.devcluster.openshift.com:6443 to initialize...

Comment 15 errata-xmlrpc 2020-02-25 06:17:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0528

Comment 16 Abhinav Dahiya 2020-03-20 03:13:51 UTC
*** Bug 1815331 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.