Bug 1866881 - AWS provider: filter user tags
Summary: AWS provider: filter user tags
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Compute
Version: 4.6
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.6.0
Assignee: Michael Gugino
QA Contact: Milind Yadav
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-08-06 17:18 UTC by Michael Gugino
Modified: 2020-10-27 16:26 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 16:26:20 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-api-provider-aws pull 343 0 None closed Bug 1866881: Filter Name/Cluster instance tags 2021-01-28 12:10:30 UTC
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 16:26:22 UTC

Description Michael Gugino 2020-08-06 17:18:29 UTC
Description of problem:

Currently, users can specify whatever instance tags they want
for a machineSpec. While we attempt to remove duplicates,
this results in us removing the proper values instead of
the user supplied ones for Name and clusterID.

We should not allow this.

Comment 3 Milind Yadav 2020-08-24 06:24:49 UTC
VALIDATED ON:

 Cluster version is 4.6.0-0.nightly-2020-08-23-214712

I was able to edit machine tags and save them. Tags modified are as below -
 oc edit machines miyadav-b556-jrgfw-worker-us-east-2a-fvj4m --config aws
machine.machine.openshift.io/miyadav-b556-jrgfw-worker-us-east-2a-fvj4m edited


      securityGroups:
      - filters:
        - name: tag:Name
          values:
          - miyadav-b56-jrgfw-worker-sg
      subnet:
        filters:
        - name: tag:Name
          values:
          - miyadav-b56-jrgfw-private-us-east-2a

Expected: I should not be able to update tag values

Comment 4 Milind Yadav 2020-08-24 09:28:56 UTC
Other tag that was also tried - 

            tags:
            - name: kubernetes.io/cluster/miyadav-b556-jrgfw
              value: owned

Comment 5 Michael Gugino 2020-08-24 12:56:22 UTC
The procedure to verify this is to set the tags on the machine object at creation time and verify they do not get placed on the instances in the cloud.  We're not removing/changing the machine object for this fix.

Comment 7 Milind Yadav 2020-08-24 13:34:22 UTC
Hi Michael, thanks for reverting, please review as I can see them propagating to the AWS console as well? Snap attached.

I created a new machineset with those values (as you suggested, during the creation time).

Comment 8 Michael Gugino 2020-08-24 13:39:00 UTC
Milind,

In your screenshot, the second tag has a typo of 'cliuster' instead of 'cluster', therefore it won't get filtered.  The Name tag is set appropriately.

Everything that has a key of "Name" and every key that starts with "kubernetes.io/cluster" will get filtered and set to the appropriate value.  "kubernetes.io/cliuster" will be ignored due to the typo.
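
The filtering rule described in comment 8, as an added Go example; it is not the code from cluster-api-provider-aws pull 343. The names `Tag`, `isReserved` and `buildInstanceTags`, the cluster and machine IDs, and the choice to drop reserved user keys before adding the provider's values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Tag mirrors the name/value pairs in the machine spec (assumed shape).
type Tag struct{ Name, Value string }

const clusterTagPrefix = "kubernetes.io/cluster"

// isReserved reports whether the provider owns a key: exactly "Name",
// or any key that starts with "kubernetes.io/cluster".
func isReserved(key string) bool {
	return key == "Name" || strings.HasPrefix(key, clusterTagPrefix)
}

// buildInstanceTags (hypothetical helper) drops reserved keys from the user
// tags, then adds the provider-computed Name and cluster-ownership tags.
func buildInstanceTags(user []Tag, clusterID, machineName string) []Tag {
	merged := map[string]string{}
	for _, t := range user {
		if isReserved(t.Name) {
			continue // filtered: user input never sets a reserved key
		}
		merged[t.Name] = t.Value // a later duplicate key overwrites an earlier one
	}
	merged["Name"] = machineName
	merged[clusterTagPrefix+"/"+clusterID] = "owned"
	out := make([]Tag, 0, len(merged))
	for k, v := range merged {
		out = append(out, Tag{k, v})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

func main() {
	// Constructed sample input; the IDs are placeholders, not values from the bug.
	user := []Tag{
		{"Name", "user-chosen-name"}, {"kubernetes.io/cluster/other-cluster", "ownd"},
		{"kubernetes.io/cliuster/example-cluster", "owned"}, {"team", "storage"},
	}
	for _, t := range buildInstanceTags(user, "example-cluster", "example-worker") {
		fmt.Printf("%s=%s\n", t.Name, t.Value)
	}
}
```

The misspelled `kubernetes.io/cliuster/...` key does not match the reserved prefix, so it passes through as an ordinary user tag, which is the behaviour comment 8 describes for the screenshot.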

Comment 9 Milind Yadav 2020-08-25 06:56:38 UTC
Thanks Michael, it worked and user tags are getting filtered and not propagated.

Moved to VERIFIED.

Updated the tag like below - 
          tags:
          - name: kubernetes.io/cluster/miydav-b556-jrgfw
            value: ownd


On the EC2 dashboard on the AWS console, we could see the tag value as "owned".

version validated on - Cluster version is 4.6.0-0.nightly-2020-08-23-214712

Comment 11 errata-xmlrpc 2020-10-27 16:26:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

