Bug 2041329 - aws and gcp CredentialsRequest manifests missing ServiceAccountNames list for cloud-network-config-controller
Summary: aws and gcp CredentialsRequest manifests missing ServiceAccountNames list for...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.10
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.10.0
Assignee: Casey Callendrello
QA Contact: wang lin
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-01-17 06:41 UTC by wang lin
Modified: 2022-03-10 16:40 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-10 16:40:08 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-network-operator pull 1283 0 None open Bug 2041329: cncc: add serviceAccountNames to CredentialsRequests 2022-01-17 16:17:04 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:40:19 UTC

Description wang lin 2022-01-17 06:41:16 UTC
Description of problem:
The CredentialsRequest manifests defined in https://github.com/openshift/cluster-network-operator/blob/master/manifests/02-cncc-credentials.yaml are missing the .spec.serviceAccountNames list.

This means when running in STS credentials mode on AWS or workload-identity mode in GCP, the IAM Role / IAM ServiceAccount cannot be locked down to a specific k8s ServiceAccount inside the cluster.

Version-Release number of selected component (if applicable): 
4.10

How reproducible: 100%


Steps to Reproduce:
1. View the CredentialsRequests objects in https://github.com/openshift/cluster-network-operator/blob/master/manifests/02-cncc-credentials.yaml
2. 
3.

Actual results:
See that there is no .spec.serviceAccountNames for the AWS and GCP resources.


Expected results:
.spec.serviceAccountNames is filled out to specify any k8s ServiceAccounts that will be used for making AWS / GCP API calls.


Additional info:
reference bug: 
https://bugzilla.redhat.com/show_bug.cgi?id=2037061
https://bugzilla.redhat.com/show_bug.cgi?id=2029833#c3

Comment 3 wang lin 2022-01-20 09:20:49 UTC
Verified on 4.10.0-0.nightly-2022-01-20-033924

1. 
export RELEASE_IMAGE=registry.ci.openshift.org/ocp/release:4.10.0-0.nightly-2022-01-20-033924
2.
oc adm release extract --credentials-requests --cloud=aws --to=./credrequests-aws $RELEASE_IMAGE
oc adm release extract --credentials-requests --cloud=gcp --to=./credrequests-gcp $RELEASE_IMAGE
oc adm release extract --credentials-requests --cloud=azure --to=./credrequests-azure $RELEASE_IMAGE

3. Check cncc cr, all have serviceAccountNames list
$ cat credrequests-aws/0000_50_cluster-network-operator_02-cncc-credentials.yaml
---
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
  name: openshift-cloud-network-config-controller-aws
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AWSProviderSpec
    statementEntries:
    - action:
      - ec2:DescribeInstances
      - ec2:DescribeInstanceStatus
      - ec2:DescribeInstanceTypes
      - ec2:UnassignPrivateIpAddresses
      - ec2:AssignPrivateIpAddresses
      - ec2:UnassignIpv6Addresses
      - ec2:AssignIpv6Addresses
      - ec2:DescribeSubnets
      - ec2:DescribeNetworkInterfaces
      effect: Allow
      resource: '*'
  secretRef:
    name: cloud-credentials
    namespace: openshift-cloud-network-config-controller
  serviceAccountNames:
  - cloud-network-config-controller
[lwan@lwan ocp410]$ cat credrequests-gcp/0000_50_cluster-network-operator_02-cncc-credentials.yaml
---
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
  name: openshift-cloud-network-config-controller-gcp
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: GCPProviderSpec
    predefinedRoles:
    - roles/compute.admin
  secretRef:
    name: cloud-credentials
    namespace: openshift-cloud-network-config-controller
  serviceAccountNames:
  - cloud-network-config-controller
[lwan@lwan ocp410]$ cat credrequests-azure/0000_50_cluster-network-operator_02-cncc-credentials.yaml
---
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
  name: openshift-cloud-network-config-controller-azure
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AzureProviderSpec
    roleBindings:
    - role: Contributor
  secretRef:
    name: cloud-credentials
    namespace: openshift-cloud-network-config-controller
  serviceAccountNames:
  - cloud-network-config-controller

Comment 6 errata-xmlrpc 2022-03-10 16:40:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056


Note You need to log in before you can comment on or make changes to this bug.