Description of problem: Ingress operator is trying to contact STS directly ("sts.amazonaws.com") as opposed to the configured VPC endpoint for the cluster. To be clear, this is not OK, as the cluster needs to be as air-gapped as possible. Also worth noting that other OCP components work fine with the STS VPC endpoint.

OpenShift release version: 4.9.latest

Cluster Platform: OCP AWS UPI

How reproducible: Always

Actual results:

Expected results:

Impact of the problem:

Additional info: Support case: 03157778

** Please do not disregard the report template; filling the template out as much as possible will allow us to help you. Please consider attaching a must-gather archive (via `oc adm must-gather`). Please review must-gather contents for sensitive information before attaching any must-gathers to a bugzilla report. You may also mark the bug private if you wish.
Is there any possible known workaround for this in the meantime?
After some discussion offline, this appears to be a configuration issue. Setting blocker-, low priority. For disconnected clusters, OpenShift can be configured not to manage DNS, and the cluster administrator can configure DNS manually. Use the following command to configure OpenShift not to manage DNS:

oc patch dnses.config.openshift.io/cluster --type=merge --patch='{"spec":{"privateZone":null,"publicZone":null}}'

We may need a documentation change for this issue.
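The workaround above relies on `oc patch --type=merge`, which applies a JSON Merge Patch (RFC 7386): a key set to `null` in the patch is deleted from the object, so the operators stop managing the public and private hosted zones. The following is an added, stand-alone illustration (not code from OpenShift or from this bug thread) that implements merge-patch semantics in Python and applies the exact patch body from the comment to a constructed sample of the `dnses.config.openshift.io/cluster` object. The zone IDs and base domain in the sample are placeholders, not values from the report.

```python
import json

# Constructed sample of a dnses.config.openshift.io/cluster object.
# The zone IDs and baseDomain are placeholders, not real cluster values.
SAMPLE_DNS_CONFIG = {
    "apiVersion": "config.openshift.io/v1",
    "kind": "DNS",
    "metadata": {"name": "cluster"},
    "spec": {
        "baseDomain": "example.internal",
        "privateZone": {"id": "Z-PRIVATE-PLACEHOLDER"},
        "publicZone": {"id": "Z-PUBLIC-PLACEHOLDER"},
    },
}

# The exact patch body passed to `oc patch --type=merge` in the workaround.
DISCONNECTED_DNS_PATCH = json.loads(
    '{"spec":{"privateZone":null,"publicZone":null}}'
)


def merge_patch(target, patch):
    """Apply a JSON Merge Patch (RFC 7386) to `target` and return a new document.

    Semantics: objects are merged recursively; a `null` value in the patch
    removes the key from the target; any non-object patch value replaces the
    target value outright. The input is not mutated.
    """
    if not isinstance(patch, dict):
        return patch
    if not isinstance(target, dict):
        target = {}
    result = dict(target)
    for key, value in patch.items():
        if value is None:
            # null means "delete this key", which is what unsets the zones.
            result.pop(key, None)
        else:
            result[key] = merge_patch(result.get(key), value)
    return result


def managed_zones(dns_config):
    """Return the zone keys still present in spec, i.e. zones OpenShift would manage."""
    spec = dns_config.get("spec", {})
    return sorted(k for k in ("privateZone", "publicZone") if k in spec)


def apply_disconnected_dns_patch(dns_config=SAMPLE_DNS_CONFIG):
    """Apply the workaround patch and return the resulting DNS config object."""
    return merge_patch(dns_config, DISCONNECTED_DNS_PATCH)


if __name__ == "__main__":
    patched = apply_disconnected_dns_patch()
    print("zones before:", managed_zones(SAMPLE_DNS_CONFIG))
    print("zones after: ", managed_zones(patched))
    print(json.dumps(patched, indent=2))
```

On a live cluster the equivalent check after patching is `oc get dnses.config.openshift.io cluster -o jsonpath='{.spec.privateZone}{.spec.publicZone}'`, which should print nothing once both zones are unset; `baseDomain` is untouched by the patch because merge patch only modifies the keys it names.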
Moving this to the installer. We will update docs to indicate that disconnected clusters must drop the zones from the dns configs.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069