OCPBUGS-1769: Check for AWS STS installation before trying to get all IAM Roles #6666
Conversation
@sadasu: This pull request references Jira Issue OCPBUGS-1769, which is invalid:
The bug has been updated to refer to the pull request using the external bug tracker.
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/jira refresh
@sadasu: This pull request references Jira Issue OCPBUGS-1769, which is invalid:
In response to this:
/jira refresh
@sadasu: This pull request references Jira Issue OCPBUGS-1769, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug.
No GitHub users were found matching the public email listed for the QA contact in Jira (yuwan@redhat.com), skipping review request.
In response to this:
pkg/destroy/aws/aws.go
Outdated
CredentialsMode can be set to Manual without implying STS use: https://docs.openshift.com/container-platform/4.11/installing/installing_aws/manually-creating-iam.html#manually-creating-iam-aws. Do we also want to skip deleting IAM roles in that case?
pkg/destroy/aws/aws.go
Outdated
Instead of skipping the finding of IAM roles entirely, we could also check the error for AccessDenied and ignore it in that case, either here or inside findIAMRoles since it's the GetRoleWithContext call that is failing.
Also, the installer can still create IAM roles for the control plane nodes when it is in manual mode: https://github.com/openshift/installer/blob/master/data/data/aws/cluster/master/main.tf#L18
Manual mode specifically disables IAM role creation by the cloud credential operator. So if we gate based on manual mode we will be leaking the IAM roles created by the installer.
@sadasu: This pull request references Jira Issue OCPBUGS-1769, which is valid. 3 validation(s) were run on this bug.
No GitHub users were found matching the public email listed for the QA contact in Jira (yuwan@redhat.com), skipping review request.
In response to this:
d958698 to f8ab810
@sadasu: This pull request references Jira Issue OCPBUGS-1769, which is valid. 3 validation(s) were run on this bug.
No GitHub users were found matching the public email listed for the QA contact in Jira (yuwan@redhat.com), skipping review request.
In response to this:
@sadasu: This pull request references Jira Issue OCPBUGS-1769, which is valid. 3 validation(s) were run on this bug.
No GitHub users were found matching the public email listed for the QA contact in Jira (yuwan@redhat.com), skipping review request.
In response to this:
f8ab810 to 6d903af
pkg/destroy/aws/iamhelpers.go
Outdated
It looks a bit weird to import a quota package to check if an error is AccessDenied. Either IsUnauthorized should be moved out of the quota package so it can be shared with multiple packages, or we should just have our own isUnauthorized function in this file. Actually, I think this whole block would look better with a switch
| if quotaaws.IsUnauthorized(err) { | |
| // Installer does not have access to this IAM role | |
| // Ignore this IAM Role and donot report this error via | |
| // lastError | |
| search.unmatched[*role.Arn] = exists | |
| continue | |
| } | |
| var awsErr awserr.Error | |
| if errors.As(err, &awsErr) { | |
| switch awsErr.Code() { | |
| case "AccessDeniedException": | |
| // Installer does not have access to this IAM role | |
| // Ignore this IAM Role and do not report this error via | |
| // lastError | |
| search.logger.Debugf("AccessDenied to role %s. Expected if this is an STS install", *role.Arn) | |
| fallthrough | |
| case iam.ErrCodeNoSuchEntityException: | |
| search.unmatched[*role.Arn] = exists | |
| continue | |
| default: | |
| } | |
| } | |
| if lastError != nil { | |
| search.logger.Debug(lastError) | |
| } | |
| lastError = errors.Wrapf(err, "get tags for %s", *role.Arn) | |
| } |
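Review bot: the `default:` arm is empty and can be dropped, since a switch that matches neither case simply falls out to the `lastError` wrapping below it. The `"AccessDeniedException"` case is also a bare string literal sitting next to the SDK constant `iam.ErrCodeNoSuchEntityException`; give it a named constant in this file so the two cases read alike, and since the `fallthrough` exists only to share `search.unmatched[*role.Arn] = exists` and `continue`, a single `case errCodeAccessDeniedException, iam.ErrCodeNoSuchEntityException:` with the `Debugf` moved under an `if awsErr.Code() == errCodeAccessDeniedException` is easier to follow than the fallthrough.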
It would be nice to have one helper function which identifies unauthorized access for any AWS API's return code, and that was the reason behind using the pre-existing method (unfortunately it exists in quota/aws).
Yes, this lends itself to using a switch statement.
I am concerned that logging a statement for the AccessDenied case would make the logs noisy, hence I stayed away from it. Happy to add it if it provides value to the customer (in non-STS cases maybe?)
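The two review threads above, the one arguing for an error-code check instead of gating on `CredentialsMode: Manual` (which would leak the roles the installer itself creates for control-plane nodes) and sadasu's wish for one helper that recognises unauthorized access, carried through in working Go as an added example that is not part of this PR or of the installer's code. It assumes a small `awsCoder` interface standing in for aws-sdk-go's `awserr.Error`, a constructed `apiError` type, constructed role ARNs in a fake account, and a `getTags` callback in place of the real `GetRoleWithContext` plus tag lookup; the NoSuchEntity string is assumed to be the value `iam.ErrCodeNoSuchEntityException` carries.

```go
package main

import (
	"errors"
	"fmt"
)

// awsCoder mirrors awserr.Error's Code() accessor (assumed, so the example runs without the SDK).
type awsCoder interface {
	error
	Code() string
}

// Codes treated as "not ours to delete": NoSuchEntity (assumed value of
// iam.ErrCodeNoSuchEntityException) and the AccessDenied literal the PR adds.
const (
	errCodeAccessDeniedException = "AccessDeniedException"
	errCodeNoSuchEntityException = "NoSuchEntity"
)

// apiError is a constructed stand-in for an SDK error value (assumption).
type apiError struct{ code, msg string }

func (e apiError) Error() string { return e.code + ": " + e.msg }
func (e apiError) Code() string  { return e.code }

// isExpectedRoleError is the switch from the review thread: AccessDenied (expected on
// STS clusters, where the installer may not read roles it did not create) and NoSuchEntity
// both mean "skip this role silently". errors.As walks %w-wrapped chains, so a wrapped SDK
// error still matches; any other error is reported by the caller.
func isExpectedRoleError(err error) bool {
	var awsErr awsCoder
	if !errors.As(err, &awsErr) {
		return false
	}
	switch awsErr.Code() {
	case errCodeAccessDeniedException, errCodeNoSuchEntityException:
		return true
	}
	return false
}

// sweepResult summarises one pass over the candidate roles.
type sweepResult struct {
	matched   []string // tagged for this cluster: installer-owned, to be deleted
	unmatched []string // skipped: another cluster's, inaccessible, or already gone
	lastErr   error    // last unexpected error, surfaced to the caller
}

// sweepRoles has the shape of the destroy loop; getTags stands in for the GetRole + tag
// lookup (assumption). Deciding per error code rather than per credentials mode is what
// keeps installer-created roles on a Manual-mode cluster from being orphaned.
func sweepRoles(arns []string, clusterTag string, getTags func(string) (map[string]string, error)) sweepResult {
	var res sweepResult
	for _, arn := range arns {
		tags, err := getTags(arn)
		if err != nil {
			if isExpectedRoleError(err) {
				res.unmatched = append(res.unmatched, arn)
			} else {
				res.lastErr = fmt.Errorf("get tags for %s: %w", arn, err)
			}
			continue
		}
		if _, owned := tags[clusterTag]; owned {
			res.matched = append(res.matched, arn)
		} else {
			res.unmatched = append(res.unmatched, arn)
		}
	}
	return res
}

// Constructed sample account: one role per outcome, in sweep order (all values made up).
const sampleClusterTag = "kubernetes.io/cluster/mycluster"

var sampleRoles = []struct{ arn string; tags map[string]string; err error }{
	{"arn:aws:iam::123456789012:role/mycluster-master-role", map[string]string{sampleClusterTag: "owned"}, nil},
	{"arn:aws:iam::123456789012:role/mycluster-sts-role", nil, fmt.Errorf("GetRole: %w", apiError{errCodeAccessDeniedException, "not authorized"})},
	{"arn:aws:iam::123456789012:role/deleted-role", nil, apiError{errCodeNoSuchEntityException, "role not found"}},
	{"arn:aws:iam::123456789012:role/unrelated-role", map[string]string{"team": "platform"}, nil},
	{"arn:aws:iam::123456789012:role/throttled-role", nil, apiError{"Throttling", "rate exceeded"}},
}

// runSample sweeps the constructed roles and returns the outcome.
func runSample() sweepResult {
	var arns []string
	for _, r := range sampleRoles {
		arns = append(arns, r.arn)
	}
	return sweepRoles(arns, sampleClusterTag, func(arn string) (map[string]string, error) {
		for _, r := range sampleRoles {
			if r.arn == arn {
				return r.tags, r.err
			}
		}
		return nil, apiError{errCodeNoSuchEntityException, "unknown role"}
	})
}
```

Calling `runSample` shows the behaviour the PR is after: the STS role's wrapped AccessDenied error lands in `unmatched` and the sweep continues, the already-deleted role is skipped the same way, the throttled role surfaces through `lastErr` so the caller still sees a real failure, and the installer-created master role is matched by its cluster tag and queued for deletion rather than being skipped wholesale because the cluster happens to be in Manual credentials mode.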
/retest-required
1 similar comment
/retest-required
/approve
Overall approach looks good. I agree that we could simplify the error checking a bit: we can just string match on the unauthorized error without bringing in another package.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: patrickdillon
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
6d903af to bf8531a
bf8531a to 54a7f13
r4f4 left a comment
Just one nitpicking comment but not worth blocking the merge on it.
/lgtm
| ) | ||
|
|
||
| const ( | ||
| ErrCodeAccessDeniedException = "AccessDeniedException" |
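Review bot: as the nit below says, `ErrCodeAccessDeniedException` does not need to be exported; an exported identifier also widens the package's API and, by Go convention, calls for a doc comment. Renaming it `errCodeAccessDeniedException` sidesteps both, and whichever name is kept should carry a one-line comment noting that, unlike `iam.ErrCodeNoSuchEntityException`, this code is defined locally rather than taken from the SDK, so a reader knows to check it against what the IAM API actually returns.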
Nit: probably doesn't need to be exported outside the package
@sadasu: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-1769 has been moved to the MODIFIED state.
In response to this:
@sadasu: The following tests failed, say
Full PR test history. Your PR dashboard.
/cherry-pick release-4.12
@patrickdillon: new pull request created: #6847
In response to this:
In the AWS cluster destroy/uninstall path, the Installer tries to find all the IAM Roles in the cluster and then attempts to delete the resources with the tag kubernetes.io/cluster/<cluster-name>. In the case of STS clusters, all IAM Roles are cleared outside the cluster (not by the Installer), and even trying to find them in the cluster results in errors because the Installer does not have the privileges to do that, let alone delete them. The goal of the fix is to not attempt to delete the IAM Roles that the Installer does not have access to.