Bug 1945907 - [aws] support byo iam roles for instances
Summary: [aws] support byo iam roles for instances
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: ---
Target Release: 4.7.z
Assignee: Matthew Staebler
QA Contact: Pedro Amoedo
URL:
Whiteboard:
Depends On: 1945910 1946119 1948359
Blocks:
Reported: 2021-04-02 16:09 UTC by Matthew Staebler
Modified: 2021-05-19 15:16 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1945910
Environment:
Last Closed: 2021-05-19 15:15:46 UTC
Target Upstream Version:
Embargoed:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Github openshift installer pull 4813 | 0 | None | open | Bug 1945907: Byo aws iam roles 4.7 | 2021-04-30 13:55:09 UTC
Red Hat Product Errata RHBA-2021:1550 | 0 | None | None | None | 2021-05-19 15:16:14 UTC

Description Matthew Staebler 2021-04-02 16:09:04 UTC
This is a clone of https://issues.redhat.com/browse/CORS-1653.

1. Proposed title of this feature request
    Permit using existing IAM roles for bootstrap, worker and control plane nodes in installer. Implementation should support AWS, Azure, and GCP.
2. What is the nature and description of the request?
    Enhance the installer to allow the customer to pre-create the IAM roles used by the bootstrap, worker and control plane nodes and supply those roles to the installer in IPI mode.
3. Why does the customer need this? (List the business requirements here)
    It is currently impossible to perform an IPI mode installation of OCP in the public cloud with additional restrictions. For instance, some customers require that all roles match a specific naming scheme and/or include a predefined permissions boundary in the role creation process.
4. List any affected packages or components.
    Installer

Comment 3 Pedro Amoedo 2021-05-04 10:57:34 UTC
[QA Summary]

[Version]

~~~
$ ./openshift-install version
./openshift-install 4.7.0-0.nightly-2021-05-01-081439
built from commit 3d157f47000c2a9963527ad1dc8c69b77053a4a6
release image registry.ci.openshift.org/ocp/release@sha256:eddc92aceef5e655e74015248e7d5f4b76fafe18bfc61f9e86648a77b1ca922d

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2021-05-01-081439   True        False         34m     Cluster version is 4.7.0-0.nightly-2021-05-01-081439
~~~

[Parameters]

~~~
apiVersion: v1
baseDomain: qe.devcluster.openshift.com
compute:
- hyperthreading: Enabled
  name: worker
  platform:
    aws:
      type: m5.large
      iamRole: testcluster-982-8z8kf-worker-role
  replicas: 2
controlPlane:
  hyperthreading: Enabled
  name: master
  platform:
    aws:
      type: m5.xlarge
      iamRole: testcluster-982-8z8kf-master-role
  replicas: 3
metadata:
  creationTimestamp: null
  name: pamoedo-bz1945907
networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  machineCIDR: 10.0.0.0/16
  networkType: OpenShiftSDN
  serviceNetwork:
  - 172.30.0.0/16
platform:
  aws:
    region: eu-west-3
publish: External
~~~

[Results]

To expedite the testing, and avoid issues with the policies, I've taken some pre-existing IAM roles from a previous OCP installation and reused them for the custom "iamRole" selection for the new cluster. The installation was successful, the new instances are associated with the pre-existing roles as expected, and the installer hasn't created new ones:

~~~
$ aws iam get-instance-profile --instance-profile-name pamoedo-bz1945907-5ldhb-master-profile
INSTANCEPROFILE	arn:aws:iam::301721915996:instance-profile/pamoedo-bz1945907-5ldhb-master-profile	2021-05-04T09:34:15Z	AIPAUMQAHCJOHGXZ2GD3U	pamoedo-bz1945907-5ldhb-master-profile/
ROLES	arn:aws:iam::301721915996:role/testcluster-982-8z8kf-master-role	2021-05-03T08:41:20Z	/	AROAUMQAHCJOAWK6FRKFX	testcluster-982-8z8kf-master-role
ASSUMEROLEPOLICYDOCUMENT	2012-10-17
STATEMENT	sts:AssumeRole	Allow	
PRINCIPAL	ec2.amazonaws.com

$ aws iam get-instance-profile --instance-profile-name pamoedo-bz1945907-5ldhb-worker-profile
INSTANCEPROFILE	arn:aws:iam::301721915996:instance-profile/pamoedo-bz1945907-5ldhb-worker-profile	2021-05-04T09:34:15Z	AIPAUMQAHCJONYRDZOZQD	pamoedo-bz1945907-5ldhb-worker-profile/
ROLES	arn:aws:iam::301721915996:role/testcluster-982-8z8kf-worker-role	2021-05-03T08:41:20Z	/	AROAUMQAHCJOGNLD23FTU	testcluster-982-8z8kf-worker-role
ASSUMEROLEPOLICYDOCUMENT	2012-10-17
STATEMENT	sts:AssumeRole	Allow	
PRINCIPAL	ec2.amazonaws.com

$ aws iam list-roles | grep pamoedo
(void)
~~~

Best Regards.
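The verification in the QA comment above is done by eye: read the `aws iam get-instance-profile` output, confirm the attached role is the pre-created one, confirm the trust policy only lets `ec2.amazonaws.com` assume it, and confirm `aws iam list-roles` shows nothing with the new cluster's infra-ID prefix. The script below is an added example (not code from the installer, the bug, or its QA) that automates those three checks by parsing the tab-separated `--output text` layout shown in the comment. The role names come from the comment's `install-config.yaml` and the infra ID from its instance-profile names; the account ID, IAM unique IDs and the extra `OrganizationAccountAccessRole` entry in the samples are constructed placeholders. It assumes one action per trust-policy statement, which is what the captured output shows.

```python
"""Check that a cluster's EC2 instance profiles use the BYO IAM roles,
that those roles trust only the EC2 service, and that the installer did
not create roles of its own. Parses `aws iam get-instance-profile
--output text` as it appears in the QA comment."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Role names from the install-config.yaml (compute/controlPlane iamRole).
EXPECTED_ROLES = {
    "testcluster-982-8z8kf-master-role",
    "testcluster-982-8z8kf-worker-role",
}
# Infra ID of the new cluster, as seen in its instance-profile names.
INFRA_ID = "pamoedo-bz1945907-5ldhb"

# Constructed sample of the text output for both profiles. Account ID and
# the AIPA.../AROA... unique IDs are placeholders, not real values.
SAMPLE_PROFILES = (
    "INSTANCEPROFILE\tarn:aws:iam::123456789012:instance-profile/pamoedo-bz1945907-5ldhb-master-profile"
    "\t2021-05-04T09:34:15Z\tAIPAEXAMPLE0000000001\tpamoedo-bz1945907-5ldhb-master-profile\t/\n"
    "ROLES\tarn:aws:iam::123456789012:role/testcluster-982-8z8kf-master-role"
    "\t2021-05-03T08:41:20Z\t/\tAROAEXAMPLE0000000001\ttestcluster-982-8z8kf-master-role\n"
    "ASSUMEROLEPOLICYDOCUMENT\t2012-10-17\n"
    "STATEMENT\tsts:AssumeRole\tAllow\t\n"
    "PRINCIPAL\tec2.amazonaws.com\n"
    "INSTANCEPROFILE\tarn:aws:iam::123456789012:instance-profile/pamoedo-bz1945907-5ldhb-worker-profile"
    "\t2021-05-04T09:34:15Z\tAIPAEXAMPLE0000000002\tpamoedo-bz1945907-5ldhb-worker-profile\t/\n"
    "ROLES\tarn:aws:iam::123456789012:role/testcluster-982-8z8kf-worker-role"
    "\t2021-05-03T08:41:20Z\t/\tAROAEXAMPLE0000000002\ttestcluster-982-8z8kf-worker-role\n"
    "ASSUMEROLEPOLICYDOCUMENT\t2012-10-17\n"
    "STATEMENT\tsts:AssumeRole\tAllow\t\n"
    "PRINCIPAL\tec2.amazonaws.com\n"
)
# Constructed: RoleName values that `aws iam list-roles` returned for the account.
SAMPLE_ACCOUNT_ROLES = [
    "testcluster-982-8z8kf-master-role",
    "testcluster-982-8z8kf-worker-role",
    "OrganizationAccountAccessRole",
]


@dataclass
class RoleInfo:
    name: str
    arn: str
    # Principals granted sts:AssumeRole by an Allow statement in the trust policy.
    principals: List[str] = field(default_factory=list)


@dataclass
class ProfileInfo:
    name: str
    arn: str
    roles: List[RoleInfo] = field(default_factory=list)


def parse_instance_profiles(text: str) -> Dict[str, ProfileInfo]:
    """Parse one or more concatenated get-instance-profile text outputs.

    Column order follows the CLI's alphabetical key order:
    INSTANCEPROFILE: Arn, CreateDate, InstanceProfileId, InstanceProfileName, Path
    ROLES:           Arn, CreateDate, Path, RoleId, RoleName
    STATEMENT:       Action, Effect   (PRINCIPAL lines that follow belong to it)
    """
    profiles: Dict[str, ProfileInfo] = {}
    profile = role = None
    allow_assume = False
    for raw in text.splitlines():
        fields = raw.split("\t")
        tag = fields[0]
        if tag == "INSTANCEPROFILE":
            profile = ProfileInfo(name=fields[4], arn=fields[1])
            profiles[profile.name] = profile
            role = None
        elif tag == "ROLES" and profile is not None:
            role = RoleInfo(name=fields[5], arn=fields[1])
            profile.roles.append(role)
        elif tag == "STATEMENT" and role is not None:
            allow_assume = fields[1] == "sts:AssumeRole" and fields[2] == "Allow"
        elif tag == "PRINCIPAL" and role is not None and allow_assume:
            # A mixed Service/AWS principal is flattened onto one line.
            role.principals.extend(f for f in fields[1:] if f)
    return profiles


def check_byo_roles(profiles: Dict[str, ProfileInfo], expected_roles: Set[str],
                    account_role_names: Iterable[str], infra_id: str) -> List[str]:
    """Return a list of findings; an empty list means all three checks passed."""
    findings: List[str] = []
    for profile in profiles.values():
        if not profile.roles:
            findings.append(f"{profile.name}: no role attached")
        for r in profile.roles:
            if r.name not in expected_roles:
                findings.append(f"{profile.name}: unexpected role {r.name}")
            if set(r.principals) != {"ec2.amazonaws.com"}:
                findings.append(f"{r.name}: trust policy principals {r.principals} "
                                "should be exactly ec2.amazonaws.com")
    # Roles named after the infra ID would mean the installer created its own.
    findings.extend(f"installer-created role present: {n}"
                    for n in account_role_names if n.startswith(infra_id))
    return findings


if __name__ == "__main__":
    result = check_byo_roles(parse_instance_profiles(SAMPLE_PROFILES),
                             EXPECTED_ROLES, SAMPLE_ACCOUNT_ROLES, INFRA_ID)
    print("\n".join(result) if result else "OK: BYO roles in use, EC2-only trust, no installer roles")
```

Against a live account, feed the script the concatenated output of `aws iam get-instance-profile --instance-profile-name <name> --output text` for each profile and the `RoleName` column of `aws iam list-roles --output text`. The trust-policy check is the one worth keeping around after the install: a reused role whose trust policy later gains an extra principal still passes the "right name" check but no longer passes this one.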

Comment 4 Siddharth Sharma 2021-05-10 17:58:19 UTC
This bug will be shipped as part of next z-stream release 4.7.11 on May 19th, as 4.7.10 was dropped due to a blocker https://bugzilla.redhat.com/show_bug.cgi?id=1958518.

Comment 8 errata-xmlrpc 2021-05-19 15:15:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.7.11 bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1550
