SPLAT-2685: Add permission check to destroy cluster command#10404
SPLAT-2685: Add permission check to destroy cluster command#10404vr4manta wants to merge 2 commits intoopenshift:mainfrom
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@vr4manta: This pull request references SPLAT-2685 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
|
Important Review skippedAuto reviews are limited based on label configuration. 🚫 Review skipped — only excluded labels are configured. (1)
Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
📝 Coding Plan
Comment |
|
@vr4manta: This pull request references SPLAT-2685 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
mtulio
left a comment
mtulio
left a comment
There was a problem hiding this comment.
That's a good improvement in the destroy flow for DH, I have a few questions related to when to call it, as well verbosity of this new flow.
| // Dedicated host permissions - always include DescribeHosts since we need to check | ||
| permissionGroups = append(permissionGroups, awssession.PermissionDedicatedHosts) |
There was a problem hiding this comment.
ec2:DescribeHosts will always be required on destroy flow?
|
|
||
| // Build IAM endpoint URL | ||
| iamEndpoint := "" | ||
| for _, endpoint := range endpoints { |
There was a problem hiding this comment.
What about to just call it as endpoints is used only here?
| for _, endpoint := range endpoints { | |
| for _, endpoint := range metadata.AWS.ServiceEndpoints { |
| kubeconfigPath := filepath.Join(rootDir, "auth", "kubeconfig") | ||
|
|
||
| // Check if kubeconfig exists | ||
| if _, err := os.Stat(kubeconfigPath); os.IsNotExist(err) { | ||
| logger.Debugf("Kubeconfig not found at %s, skipping dynamic dedicated host check", kubeconfigPath) | ||
| return false, nil | ||
| } | ||
|
|
There was a problem hiding this comment.
Do you think we can also evaluate the KUBECONFIG environment variable?
Is it an anti-pattern for installer? cc/wdyt @patrickdillon @tthvo
| // Check if cluster has dynamic dedicated hosts | ||
| hasDynamicDHs, err := aws.HasDynamicDedicatedHosts(ctx, rootDir, logger) | ||
| if err != nil { | ||
| logger.WithError(err).Debug("Failed to check for dynamic dedicated hosts, continuing without dynamic DH permissions") | ||
| hasDynamicDHs = false | ||
| } | ||
| if hasDynamicDHs { | ||
| logger.Info("Dynamic dedicated hosts detected in cluster") | ||
| } | ||
|
|
There was a problem hiding this comment.
Considering this verification can grow, what do you think moving those validations to dedicated functions based on ValidateDestroyPermissions()?
| // Validate AWS permissions for destroy operation | ||
| // This checks all required delete permissions plus dynamic DH permissions if needed | ||
| if err := aws.ValidateDestroyPermissions(ctx, clusterMetadata, hasDynamicDHs, logger); err != nil { | ||
| return nil, errors.Wrap(err, "AWS credential validation failed") |
There was a problem hiding this comment.
How acculturated is this message?
| // ValidateDestroyPermissions validates that AWS credentials have all necessary permissions | ||
| // to destroy the cluster. This provides comprehensive upfront validation similar to install-time checks. | ||
| func ValidateDestroyPermissions(ctx context.Context, metadata *types.ClusterMetadata, hasDynamicDedicatedHosts bool, logger logrus.FieldLogger) error { | ||
| logger.Info("Validating AWS permissions for cluster destroy") |
There was a problem hiding this comment.
Maybe using Debug level here?
| return nil, errors.New("no platform configured in metadata") | ||
| } | ||
|
|
||
| // For AWS platforms, perform comprehensive permission validation upfront |
There was a problem hiding this comment.
I think we should move those functions to the "AWS run destroyer" context, something like RunWithContext, WDYT?
3 participants
SPLAT-2685
Changes
Notes
Currently it seems destroy cluster does not check AWS account permissions. During the review of the #10079 it was requested to make sure we check for permissions for destroy. For DHA, there is no installation configuration (install-config) that defines the use of DHA. You can specify BYO DH and for that we can check that we have permission to describe the host to make sure its in the correct zone that the install-config is targeting. For destroy cluster, BYO only removes tags and that is a general permission that we check during install and that logic is provided by #10079 .