Description of problem:

The CredentialsRequest manifests defined in https://github.com/openshift/cluster-network-operator/blob/master/manifests/02-cncc-credentials.yaml are missing the .spec.serviceAccountNames list. This means that when running in STS credentials mode on AWS or workload-identity mode on GCP, the IAM Role / IAM ServiceAccount cannot be locked down to a specific k8s ServiceAccount inside the cluster.

Version-Release number of selected component (if applicable):

4.10

How reproducible:

100%

Steps to Reproduce:

1. View the CredentialsRequest objects in https://github.com/openshift/cluster-network-operator/blob/master/manifests/02-cncc-credentials.yaml

Actual results:

There is no .spec.serviceAccountNames for the AWS and GCP resources.

Expected results:

.spec.serviceAccountNames is filled out to specify any k8s ServiceAccounts that will be used for making AWS / GCP API calls.

Additional info:

Reference bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2037061
https://bugzilla.redhat.com/show_bug.cgi?id=2029833#c3
Verified on 4.10.0-0.nightly-2022-01-20-033924

1. export RELEASE_IMAGE=registry.ci.openshift.org/ocp/release:4.10.0-0.nightly-2022-01-20-033924

2. oc adm release extract --credentials-requests --cloud=aws --to=./credrequests-aws $RELEASE_IMAGE
   oc adm release extract --credentials-requests --cloud=gcp --to=./credrequests-gcp $RELEASE_IMAGE
   oc adm release extract --credentials-requests --cloud=azure --to=./credrequests-azure $RELEASE_IMAGE

3. Check the cncc CRs; all have a serviceAccountNames list.

$ cat credrequests-aws/0000_50_cluster-network-operator_02-cncc-credentials.yaml
---
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
  name: openshift-cloud-network-config-controller-aws
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AWSProviderSpec
    statementEntries:
    - action:
      - ec2:DescribeInstances
      - ec2:DescribeInstanceStatus
      - ec2:DescribeInstanceTypes
      - ec2:UnassignPrivateIpAddresses
      - ec2:AssignPrivateIpAddresses
      - ec2:UnassignIpv6Addresses
      - ec2:AssignIpv6Addresses
      - ec2:DescribeSubnets
      - ec2:DescribeNetworkInterfaces
      effect: Allow
      resource: '*'
  secretRef:
    name: cloud-credentials
    namespace: openshift-cloud-network-config-controller
  serviceAccountNames:
  - cloud-network-config-controller

[lwan@lwan ocp410]$ cat credrequests-gcp/0000_50_cluster-network-operator_02-cncc-credentials.yaml
---
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
  name: openshift-cloud-network-config-controller-gcp
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: GCPProviderSpec
    predefinedRoles:
    - roles/compute.admin
  secretRef:
    name: cloud-credentials
    namespace: openshift-cloud-network-config-controller
  serviceAccountNames:
  - cloud-network-config-controller

[lwan@lwan ocp410]$ cat credrequests-azure/0000_50_cluster-network-operator_02-cncc-credentials.yaml
---
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
  name: openshift-cloud-network-config-controller-azure
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AzureProviderSpec
    roleBindings:
    - role: Contributor
  secretRef:
    name: cloud-credentials
    namespace: openshift-cloud-network-config-controller
  serviceAccountNames:
  - cloud-network-config-controller
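The verification above is a manual read of each extracted manifest. The following is an added example, not code from the bug report, from cluster-network-operator or from the cloud-credential-operator: a stdlib-only Python audit over the files that `oc adm release extract --credentials-requests` writes out. It flags every CredentialsRequest with no .spec.serviceAccountNames (the defect described in the report) and, for those that have one, derives the projected-token subjects `system:serviceaccount:<secretRef.namespace>:<name>` that a cloud role trust policy can be restricted to. The sample manifests are constructed: the AWS one matches the verified shape, the GCP one is a "before the fix" copy with the list removed. The OIDC issuer host and the helper names (`audit`, `aws_trust_condition`, `parse_documents`) are this example's own; the small YAML parser handles only the subset these manifests use.

```python
"""Audit CredentialsRequest manifests for .spec.serviceAccountNames (added example)."""
import re

# Key lines look like "key:" or "key: value"; a bare "ec2:DescribeInstances" does not match.
_KEY_RE = re.compile(r"^([A-Za-z0-9_./\-]+):(\s+(.*))?$")


def _scalar(text: str) -> str:
    """Unquote '...' and "..." scalars; everything else is returned as-is."""
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "'\"":
        return text[1:-1]
    return text


def _parse(lines: list, i: int, indent: int):
    """Parse the mapping or list starting at lines[i] (a list of (indent, text));
    returns (value, index of first line not consumed)."""
    if lines[i][1].startswith("- "):
        items = []
        while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
            body = lines[i][1][2:]
            if _KEY_RE.match(body):
                # "- key: ..." opens a mapping whose remaining keys sit at indent + 2
                lines[i] = (indent + 2, body)
                value, i = _parse(lines, i, indent + 2)
                items.append(value)
            else:
                items.append(_scalar(body))
                i += 1
        return items, i
    mapping: dict = {}
    while i < len(lines) and lines[i][0] == indent and not lines[i][1].startswith("- "):
        m = _KEY_RE.match(lines[i][1])
        if not m:
            raise ValueError(f"unsupported YAML line: {lines[i][1]!r}")
        key, rest = m.group(1), m.group(3)
        i += 1
        if rest is not None and rest.strip():
            mapping[key] = _scalar(rest)
        elif i < len(lines) and lines[i][0] > indent:
            mapping[key], i = _parse(lines, i, lines[i][0])
        else:
            mapping[key] = None
    return mapping, i


def parse_documents(text: str) -> list:
    """Split a multi-document YAML file on '---' and parse each document."""
    docs = []
    for chunk in re.split(r"(?m)^---\s*$", text):
        lines = [(len(raw) - len(raw.lstrip(" ")), raw.strip())
                 for raw in chunk.splitlines()
                 if raw.strip() and not raw.lstrip().startswith("#")]
        if lines:
            value, _ = _parse(lines, 0, lines[0][0])
            docs.append(value)
    return docs


def audit(text: str) -> list:
    """One finding per CredentialsRequest: the ServiceAccount token subjects the
    cloud identity can be bound to, or a flag when none are declared."""
    findings = []
    for doc in parse_documents(text):
        if doc.get("kind") != "CredentialsRequest":
            continue
        spec = doc.get("spec") or {}
        ns = (spec.get("secretRef") or {}).get("namespace")
        sas = spec.get("serviceAccountNames") or []
        findings.append({
            "name": doc["metadata"]["name"],
            "provider": (spec.get("providerSpec") or {}).get("kind"),
            "subjects": [f"system:serviceaccount:{ns}:{sa}" for sa in sas],
            "missing_service_account_names": not sas,
        })
    return findings


def aws_trust_condition(issuer_host: str, subjects: list) -> dict:
    """Condition block for an IAM role trust policy that limits
    AssumeRoleWithWebIdentity to the given token subjects (issuer_host is the
    cluster's OIDC issuer without the scheme; the value here is constructed)."""
    return {"StringEquals": {f"{issuer_host}:sub": subjects}}


# Constructed sample: first doc has the list (verified shape), second doc lacks it.
SAMPLE = """\
---
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  annotations:
    include.release.openshift.io/self-managed-high-availability: "true"
  name: openshift-cloud-network-config-controller-aws
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AWSProviderSpec
    statementEntries:
      - action:
          - ec2:DescribeInstances
          - ec2:DescribeSubnets
        effect: Allow
        resource: '*'
  secretRef:
    name: cloud-credentials
    namespace: openshift-cloud-network-config-controller
  serviceAccountNames:
    - cloud-network-config-controller
---
# Constructed "before the fix" manifest: no serviceAccountNames list.
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: openshift-cloud-network-config-controller-gcp
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: GCPProviderSpec
    predefinedRoles:
      - roles/compute.admin
  secretRef:
    name: cloud-credentials
    namespace: openshift-cloud-network-config-controller
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        status = ("MISSING serviceAccountNames" if f["missing_service_account_names"]
                  else ", ".join(f["subjects"]))
        print(f"{f['name']} ({f['provider']}): {status}")
    print(aws_trust_condition("oidc.example.invalid", audit(SAMPLE)[0]["subjects"]))
```

Point `audit` at the concatenated contents of a `credrequests-*` directory to get the same check the verifier performed by hand; a finding with `missing_service_account_names` set is a CredentialsRequest whose cloud role cannot be scoped below the whole cluster identity.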
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056