Bug 1803221 - Permission validation optional in OpenShift AWS installer incorrectly denies permission
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.1.z
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: 4.2.z
Assignee: Joel Diaz
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On: 1757244
Blocks:
 
Reported: 2020-02-14 17:58 UTC by Joel Diaz
Modified: 2020-03-04 04:51 UTC
CC: 14 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1750338
Environment:
Last Closed: 2020-03-04 04:51:02 UTC
Target Upstream Version:
Embargoed:




Links
- GitHub openshift/cloud-credential-operator pull 157 (closed): [release-4.2] Bug 1803221: improve permissions simulation by adding region info (last updated 2021-02-16 12:21:59 UTC)
- GitHub openshift/installer pull 3142 (closed): [release-4.2] Bug 1803221: use region info when simulating permissions (last updated 2021-02-16 12:21:59 UTC)
- Red Hat Product Errata RHBA-2020:0614 (last updated 2020-03-04 04:51:12 UTC)

Comment 3 Scott Dodson 2020-02-19 20:35:51 UTC
A follow up openshift/installer PR is necessary to fix this, moving back to ASSIGNED.

Comment 5 Johnny Liu 2020-02-21 07:05:24 UTC
Verified this bug with 4.2.0-0.nightly-2020-02-20-184122, and it passed.

Create an IAM policy like the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "ec2:Create*",
                "ec2:Run*",
                "eks:Create*",
                "rds:Create*",
                "es:Create*",
                "lambda:Create*"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": "us-east-2"
                }
            }
        }
    ]
}
Create an AWS user, attach the policy to it, and run the following tests using this user.

Reproduce it using the old version of the installer:
[root@preserve-jialiu-ansible ~]# openshift-install version
openshift-install v4.2.0
built from commit 90ccb37ac1f85ae811c50a29f9bb7e779c5045fb
release image quay.io/openshift-release-dev/ocp-release@sha256:c5337afd85b94c93ec513f21c8545e3f9e36a227f55d41bc1dfb8fcc3f2be129
[root@preserve-jialiu-ansible ~]# mkdir demo6
[root@preserve-jialiu-ansible ~]# cp ipi_template/install-config.yaml.aws demo6/install-config.yaml
[root@preserve-jialiu-ansible ~]# openshift-install create ignition-configs --dir demo6
INFO Consuming "Install Config" from target directory 
WARNING Action not allowed with tested creds          action="ec2:CreateDhcpOptions"
WARNING Action not allowed with tested creds          action="ec2:CreateInternetGateway"
WARNING Action not allowed with tested creds          action="ec2:CreateNatGateway"
WARNING Action not allowed with tested creds          action="ec2:CreateNetworkInterface"
WARNING Action not allowed with tested creds          action="ec2:CreateRoute"
WARNING Action not allowed with tested creds          action="ec2:CreateRouteTable"
WARNING Action not allowed with tested creds          action="ec2:CreateSecurityGroup"
WARNING Action not allowed with tested creds          action="ec2:CreateSubnet"
WARNING Action not allowed with tested creds          action="ec2:CreateTags"
WARNING Action not allowed with tested creds          action="ec2:CreateVpc"
WARNING Action not allowed with tested creds          action="ec2:CreateVpcEndpoint"
WARNING Action not allowed with tested creds          action="ec2:CreateVolume"
WARNING Action not allowed with tested creds          action="ec2:RunInstances"
WARNING Tested creds not able to perform all requested actions 
FATAL failed to fetch Bootstrap Ignition Config: failed to fetch dependency of "Bootstrap Ignition Config": failed to fetch dependency of "Master Machines": failed to generate asset "Platform Credentials Check": validate AWS credentials: current credentials insufficient for performing cluster installation 


Update the installer from 4.2.0-0.nightly-2020-02-20-184122 and verify it.
[root@preserve-jialiu-ansible ~]# openshift-install version
openshift-install v4.2.20
built from commit 8465c322cdd805ed5e43c3fc52a485ca63d305c7
release image registry.svc.ci.openshift.org/ocp/release@sha256:3c2170d5407ef21f03cae2e44cdca590151d49f11242a5e1c05595c583fb4bb8
[root@preserve-jialiu-ansible ~]# rm -rf demo6
[root@preserve-jialiu-ansible ~]# mkdir demo6
[root@preserve-jialiu-ansible ~]# cp ipi_template/install-config.yaml.aws demo6/install-config.yaml
[root@preserve-jialiu-ansible ~]# openshift-install create ignition-configs --dir demo6
INFO Consuming "Install Config" from target directory 
[root@preserve-jialiu-ansible ~]# openshift-install create cluster --dir demo6
INFO Consuming "Worker Ignition Config" from target directory 
INFO Consuming "Bootstrap Ignition Config" from target directory 
INFO Consuming "Master Ignition Config" from target directory 
INFO Creating infrastructure resources...         
INFO Waiting up to 30m0s for the Kubernetes API at https://api.jialiu.qe.devcluster.openshift.com:6443... 
INFO API v1.14.6+999bb21 up                       
INFO Waiting up to 30m0s for bootstrapping to complete... 
INFO Destroying the bootstrap resources...        
INFO Waiting up to 30m0s for the cluster at https://api.jialiu.qe.devcluster.openshift.com:6443 to initialize... 
INFO Waiting up to 10m0s for the openshift-console route to be created... 
INFO Install complete!                            
INFO To access the cluster as the system:admin user when using 'oc', run 'export KUBECONFIG=/root/demo6/auth/kubeconfig' 
INFO Access the OpenShift web-console here: https://console-openshift-console.apps.jialiu.qe.devcluster.openshift.com 
INFO Login to the console with user: kubeadmin, password: fRRpr-nnYTM-dwJiC-vomBf 
[root@preserve-jialiu-ansible ~]# export KUBECONFIG=/root/demo6/auth/kubeconfig
[root@preserve-jialiu-ansible ~]# oc get node
NAME                                         STATUS   ROLES    AGE   VERSION
ip-10-0-130-206.us-east-2.compute.internal   Ready    master   38m   v1.14.6+47933cbcc
ip-10-0-135-165.us-east-2.compute.internal   Ready    worker   32m   v1.14.6+47933cbcc
ip-10-0-144-61.us-east-2.compute.internal    Ready    master   38m   v1.14.6+47933cbcc
ip-10-0-154-38.us-east-2.compute.internal    Ready    worker   32m   v1.14.6+47933cbcc
ip-10-0-170-189.us-east-2.compute.internal   Ready    master   38m   v1.14.6+47933cbcc
ip-10-0-174-182.us-east-2.compute.internal   Ready    worker   32m   v1.14.6+47933cbcc
[root@preserve-jialiu-ansible ~]# oc get co
NAME                                       VERSION                             AVAILABLE   PROGRESSING   DEGRADED   SINCE
authentication                             4.2.0-0.nightly-2020-02-20-184122   True        False         False      22m
cloud-credential                           4.2.0-0.nightly-2020-02-20-184122   True        False         False      36m
cluster-autoscaler                         4.2.0-0.nightly-2020-02-20-184122   True        False         False      28m
console                                    4.2.0-0.nightly-2020-02-20-184122   True        False         False      26m
dns                                        4.2.0-0.nightly-2020-02-20-184122   True        False         False      36m
image-registry                             4.2.0-0.nightly-2020-02-20-184122   True        False         False      28m
ingress                                    4.2.0-0.nightly-2020-02-20-184122   True        False         False      29m
insights                                   4.2.0-0.nightly-2020-02-20-184122   True        False         False      36m
kube-apiserver                             4.2.0-0.nightly-2020-02-20-184122   True        False         False      34m
kube-controller-manager                    4.2.0-0.nightly-2020-02-20-184122   True        False         False      34m
kube-scheduler                             4.2.0-0.nightly-2020-02-20-184122   True        False         False      34m
machine-api                                4.2.0-0.nightly-2020-02-20-184122   True        False         False      36m
machine-config                             4.2.0-0.nightly-2020-02-20-184122   True        False         False      36m
marketplace                                4.2.0-0.nightly-2020-02-20-184122   True        False         False      29m
monitoring                                 4.2.0-0.nightly-2020-02-20-184122   True        False         False      27m
network                                    4.2.0-0.nightly-2020-02-20-184122   True        False         False      35m
node-tuning                                4.2.0-0.nightly-2020-02-20-184122   True        False         False      32m
openshift-apiserver                        4.2.0-0.nightly-2020-02-20-184122   True        False         False      31m
openshift-controller-manager               4.2.0-0.nightly-2020-02-20-184122   True        False         False      34m
openshift-samples                          4.2.0-0.nightly-2020-02-20-184122   True        False         False      29m
operator-lifecycle-manager                 4.2.0-0.nightly-2020-02-20-184122   True        False         False      35m
operator-lifecycle-manager-catalog         4.2.0-0.nightly-2020-02-20-184122   True        False         False      35m
operator-lifecycle-manager-packageserver   4.2.0-0.nightly-2020-02-20-184122   True        False         False      33m
service-ca                                 4.2.0-0.nightly-2020-02-20-184122   True        False         False      36m
service-catalog-apiserver                  4.2.0-0.nightly-2020-02-20-184122   True        False         False      32m
service-catalog-controller-manager         4.2.0-0.nightly-2020-02-20-184122   True        False         False      32m
storage                                    4.2.0-0.nightly-2020-02-20-184122   True        False         False      29m
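
The root cause the two linked PRs address, worked through as an added example (this is not code from the installer or from cloud-credential-operator): the installer checks the credentials with IAM policy simulation, and before the fix it did not pass the aws:RequestedRegion context key. The Deny statement in the policy above is guarded by StringNotEquals on that key, and IAM evaluates a negated operator as true when the key is absent from the request context, which is exactly what the old installer's output shows: every ec2:Create* and ec2:Run* action came back as not allowed, even though the user can create everything in us-east-2. The Go program below is a small stand-in evaluator for the posted policy that reproduces both results. Simulate, TestPolicy and the supporting types are names chosen here; the decision strings mirror the EvalDecision values SimulatePrincipalPolicy returns ("allowed", "explicitDeny", "implicitDeny"). It only models Allow/Deny, action wildcards and the StringEquals/StringNotEquals operators, and it ignores Resource because the posted policy uses "*" everywhere.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// stringList accepts a JSON string or an array of strings (IAM allows both).
type stringList []string

func (s *stringList) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*s = stringList{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(s))
}

type statement struct {
	Effect    string
	Action    stringList
	Condition map[string]map[string]string // operator -> key -> value
}

type policy struct{ Statement []statement }

// IAM action matching is case-insensitive with '*' wildcards.
func matchAction(pattern, action string) bool {
	ok, err := path.Match(strings.ToLower(pattern), strings.ToLower(action))
	return err == nil && ok
}

// conditionHolds implements StringEquals and StringNotEquals. The rule behind this
// bug: a negated operator is true when the key is missing from the request context.
func conditionHolds(cond map[string]map[string]string, ctx map[string]string) (bool, error) {
	for op, keys := range cond {
		for key, want := range keys {
			got, present := ctx[key]
			matched := present && got == want
			switch op {
			case "StringEquals":
				if !matched {
					return false, nil
				}
			case "StringNotEquals":
				if matched {
					return false, nil
				}
			default:
				return false, fmt.Errorf("unsupported operator %q", op)
			}
		}
	}
	return true, nil
}

// Simulate returns SimulatePrincipalPolicy's decision vocabulary (assumed names):
// "allowed", "explicitDeny" or "implicitDeny". An explicit Deny always wins.
func Simulate(policyJSON, action string, ctx map[string]string) (string, error) {
	var p policy
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return "", err
	}
	allowed := false
	for _, st := range p.Statement {
		hit := false
		for _, pat := range st.Action {
			hit = hit || matchAction(pat, action)
		}
		if !hit {
			continue
		}
		ok, err := conditionHolds(st.Condition, ctx)
		if err != nil {
			return "", err
		}
		if ok && st.Effect == "Deny" {
			return "explicitDeny", nil
		}
		allowed = allowed || (ok && st.Effect == "Allow")
	}
	if allowed {
		return "allowed", nil
	}
	return "implicitDeny", nil
}

// TestPolicy is the IAM policy from the verification comment above.
const TestPolicy = `{"Version":"2012-10-17","Statement":[
 {"Effect":"Allow","Action":"*","Resource":"*"},
 {"Effect":"Deny","Action":["ec2:Create*","ec2:Run*","eks:Create*","rds:Create*","es:Create*","lambda:Create*"],
  "Resource":["*"],"Condition":{"StringNotEquals":{"aws:RequestedRegion":"us-east-2"}}}]}`

func main() {
	// nil context is what the old installer effectively simulated with: no region.
	for _, ctx := range []map[string]string{nil, {"aws:RequestedRegion": "us-east-2"}, {"aws:RequestedRegion": "us-west-1"}} {
		d, _ := Simulate(TestPolicy, "ec2:CreateVpc", ctx)
		fmt.Printf("ec2:CreateVpc with %v -> %s\n", ctx, d)
	}
}
```

Running it shows ec2:CreateVpc as explicitDeny with no region context, allowed with aws:RequestedRegion=us-east-2, and explicitDeny again for us-west-1, which is the behaviour before and after the fix. The same check can be made against IAM itself with aws iam simulate-principal-policy, which takes the region through --context-entries (ContextKeyName=aws:RequestedRegion,ContextKeyValues=us-east-2,ContextKeyType=string); leaving that entry out reproduces the false denial on any policy with a region-scoped Deny.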

Comment 7 errata-xmlrpc 2020-03-04 04:51:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0614

