Bug 1969371 - [AWS] destroyer tried to search resources in other china region.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 4.9.0
Assignee: Aditya Narayanaswamy
QA Contact: Yunfei Jiang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-06-08 10:08 UTC by Yunfei Jiang
Modified: 2022-02-21 02:33 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The AWS destroyer checks for resources in cn-northwest-1 even if the installation was not in that region. This behavior is correct for the public AWS partition but not for the AWS China partitions, where the regions do not have any relation with each other and work as separate entities. Removing the piece of code that checks in northwest at all times.
Clone Of:
Environment:
Last Closed: 2022-02-21 01:22:56 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github openshift installer pull 5156 0 None None None 2021-08-18 15:47:35 UTC
Github openshift installer pull 5170 0 None None None 2021-08-26 12:30:31 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:33:36 UTC

Description Yunfei Jiang 2021-06-08 10:08:21 UTC
What happened?

Destroy a cluster in us-east-2, but destroyer also tries to search resources in us-east-1:
time="2021-06-08T04:15:11-04:00" level=debug msg="search for matching resources by tag in us-east-2 matching aws.Filter{\"kubernetes.io/cluster/yunjiang-us-m524b\":\"owned\"}"
time="2021-06-08T04:15:11-04:00" level=debug msg="search for matching resources by tag in us-east-2 matching aws.Filter{\"openshiftClusterID\":\"f6ddcdb1-b22d-46f4-b3de-38ea62c4dcf2\"}"
time="2021-06-08T04:15:11-04:00" level=debug msg="search for matching resources by tag in us-east-1 matching aws.Filter{\"kubernetes.io/cluster/yunjiang-us-m524b\":\"owned\"}"
time="2021-06-08T04:15:12-04:00" level=debug msg="search for matching resources by tag in us-east-1 matching aws.Filter{\"openshiftClusterID\":\"f6ddcdb1-b22d-46f4-b3de-38ea62c4dcf2\"}"

This issue also affects AWS China regions: destroying a cluster in cn-north-1 also searches for resources in cn-northwest-1.

OCP version:
4.8.0-0.nightly-2021-06-08-005718

What did you expect to happen?
The destroyer should not search for resources in other regions.

Comment 1 Matthew Staebler 2021-06-08 13:42:33 UTC
For the public AWS partition, this is the correct behavior. The us-east-1 region must be searched in order to find non-region resources. The resourcetaggingapi requires that the region be set to us-east-1 for those resources.

For the China AWS partition, it is incorrect to search in cn-northwest-1 when the installed region is cn-north-1. Those two regions are really separate partitions rather than simply separate regions. There are no resources that span those regions.
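
The region rule from comment 1, written out as an added example in Go (not the installer's code), together with a check that scans destroyer debug output for tag searches outside the expected regions. The function names, the prefix-based partition test, the GovCloud handling and the sample log lines are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// expectedSearchRegions lists the regions a tag search should touch when
// destroying a cluster installed in installRegion (rule from comment 1).
func expectedSearchRegions(installRegion string) []string {
	regions := []string{installRegion}
	inChina := strings.HasPrefix(installRegion, "cn-")
	inGov := strings.HasPrefix(installRegion, "us-gov-")
	// Public partition: non-regional resources are only visible via us-east-1.
	// China: install region only. GovCloud: install region only (assumption).
	if !inChina && !inGov && installRegion != "us-east-1" {
		regions = append(regions, "us-east-1")
	}
	return regions
}

var searchRe = regexp.MustCompile(`search for matching resources by tag in ([a-z0-9-]+) matching`)

// unexpectedSearches returns, in first-seen order, every region named in the
// destroyer's debug log that is not expected for installRegion.
func unexpectedSearches(installRegion string, logLines []string) []string {
	skip := map[string]bool{}
	for _, r := range expectedSearchRegions(installRegion) {
		skip[r] = true
	}
	var out []string
	for _, line := range logLines {
		if m := searchRe.FindStringSubmatch(line); m != nil && !skip[m[1]] {
			skip[m[1]] = true // report each region once
			out = append(out, m[1])
		}
	}
	return out
}

// Constructed sample lines in the format of the logs quoted in this report.
var sampleLog = []string{
	`level=debug msg=search for matching resources by tag in cn-north-1 matching aws.Filter{"kubernetes.io/cluster/example-abc12":"owned"}`,
	`level=debug msg=search for matching resources by tag in cn-northwest-1 matching aws.Filter{"kubernetes.io/cluster/example-abc12":"owned"}`,
}

func main() {
	fmt.Println(unexpectedSearches("cn-north-1", sampleLog)) // [cn-northwest-1]
}
```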

Comment 2 Russell Teague 2021-08-02 17:48:58 UTC
Needs prioritized.

Comment 4 Yunfei Jiang 2021-08-26 06:25:27 UTC
verify failed.
OCP version: 4.9.0-0.nightly-2021-08-25-231643


The destroyer was trying to search for resources in us-east-1 while destroying a cluster in cn-northwest-1. Is that correct?

08-26 13:57:46.943  level=debug msg=search for matching resources by tag in cn-northwest-1 matching aws.Filter{"kubernetes.io/cluster/yunjiang-bzcn4-kwjpr":"owned"}
08-26 13:57:49.567  level=debug msg=search for matching resources by tag in cn-northwest-1 matching aws.Filter{"openshiftClusterID":"86c849bb-4ecb-4d55-9e79-57cf4642ec50"}
08-26 13:57:49.842  level=debug msg=search for matching resources by tag in us-east-1 matching aws.Filter{"kubernetes.io/cluster/yunjiang-bzcn4-kwjpr":"owned"}

Comment 7 Yunfei Jiang 2021-08-30 06:01:14 UTC
verified. PASS.
OCP version: 4.9.0-0.nightly-2021-08-29-010334

Comment 10 errata-xmlrpc 2021-10-18 17:33:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759

Comment 11 Vincent Lours 2022-02-20 23:50:52 UTC
Hi Team,

Sorry to re-open this BZ, but we have a customer who is facing the same issue with the 4.9.18 installer.

The cluster is installed in the ap-southeast-1 region, but the installer failed to destroy the cluster as it tries to access some resources from us-east-1:
~~~
time="2022-02-19T14:26:32+08:00" level=debug msg="search for matching resources by tag in us-east-1 matching aws.Filter{\"kubernetes.io/cluster/<customerclusterid-abc123>\":\"owned\"}"
time="2022-02-19T14:26:33+08:00" level=info msg="get tagged resources: AccessDeniedException: User: arn:aws:iam::<IAM_ID>:user/ocp_user is not authorized to perform: tag:GetResources with an explicit deny in a service control policy\n\tstatus code: 400, request id: <id>"
~~~

The customer doesn't have any permission in us-east-1.

Comment 14 Matthew Staebler 2022-02-21 01:22:56 UTC
@vlours

1. Do not re-open a BZ that has already been closed and added to errata. If you feel that the issue addressed by the BZ still exists, open a new BZ.
2. The issue that your customer is facing is not the same issue as this BZ. Moreover, the issue that your customer is facing is the expected behavior and not a bug.

