Bug 1830995: Add ModifyTargetGroupAttributes and Describe* to MasterIamRole #3540

Merged
merged 2 commits into from May 5, 2020

Conversation

cuppett
Member

@cuppett cuppett commented May 4, 2020

Observed failure to convert default ingress to internal due to lack of
following permissions:

"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInternetGateways",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:ModifyTargetGroupAttributes",

This commit allows the benign Describe* to the EC2 and ELB resources as
well as the required ModifyTargetGroupAttributes utilized in the legacy
cloud provider.

@openshift-ci-robot
Contributor

@cuppett: An error was encountered searching for bug 1830995 on the Bugzilla server at https://bugzilla.redhat.com:

Get https://bugzilla.redhat.com/rest/bug/1830995?api_key=CENSORED: dial tcp: i/o timeout
Please contact an administrator to resolve this issue, then request a bug refresh with /bugzilla refresh.

In response to this:

Bug 1830995: Add ModifyTargetGroupAttributes and Describe* to MasterIamRole

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@cuppett
Member Author

cuppett commented May 4, 2020

/bugzilla refresh

@openshift-ci-robot openshift-ci-robot added bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels May 4, 2020
@openshift-ci-robot
Contributor

@cuppett: This pull request references Bugzilla bug 1830995, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.5.0) matches configured target release for branch (4.5.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@cuppett
Member Author

cuppett commented May 4, 2020

/retest

"ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",
"ec2:Describe*",
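Review bot: `"ec2:Describe*"` on this line grants every EC2 Describe call, while the PR description names only four EC2 Describe actions as missing (DescribeAccountAttributes, DescribeAvailabilityZones, DescribeInstanceAttribute, DescribeInternetGateways); since docs/dev/aws/iam_permissions.md is cited in this thread as the precedent for a smallest-possible list, either enumerate those four here or update that document to state the loosened read-only policy in the same change.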
Contributor


this change is in stark contrast to the precedent we wanted to set with #3451
now we have an expanding IAM permission even though it is Describe*, and no longer a smallest list.

I want to understand why we are going back a little on our stance here, and maybe we can update the https://github.com/openshift/installer/blob/master/docs/dev/aws/iam_permissions.md to clarify our loosened requirements.

Member Author


We can be explicit about the Describe list as it is now; it's read-only operations. The main thing this does is scope the changes the master nodes can make to storage, loadbalancers or the environment which is the goal. This allows fixes to be made to this and subsequent versions where an extra read/describe on a resource may be needed to provide an accurate fix for public/private clusters without then bumping into a permission required to see something.

I still like the words in the README, this just doesn't block a fix or smarter controller/operator due to an AWS discoverability/visibility issue.
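The trade-off argued over above (an explicit read-only Describe list versus a Describe* wildcard), as an added example that is not part of this PR or the installer code: it applies IAM's action-matching rules to both policy forms and reports which actions the wildcard grants beyond the seven the commit message lists. The wildcard statement is reconstructed from the commit message and the sample action list is constructed for the example; both are assumptions.

```python
"""Explicit Describe list vs. the Describe* wildcard, matched with IAM semantics.
Added example, not installer code; IAM matches Action case-insensitively with * and ?."""
import fnmatch

# The seven actions the PR description reports as missing (from the page).
REQUIRED_ACTIONS = [
    "ec2:DescribeAccountAttributes",
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeInstanceAttribute",
    "ec2:DescribeInternetGateways",
    "elasticloadbalancing:DescribeInstanceHealth",
    "elasticloadbalancing:DescribeTargetGroupAttributes",
    "elasticloadbalancing:ModifyTargetGroupAttributes",
]

# Least-privilege form: exactly the actions observed to be needed.
EXPLICIT_STATEMENT = {"Effect": "Allow", "Action": REQUIRED_ACTIONS, "Resource": "*"}

# Wildcard form, reconstructed from the commit message (assumption: Describe* on
# both EC2 and ELB, plus the one mutating action that is genuinely required).
WILDCARD_STATEMENT = {"Effect": "Allow", "Resource": "*", "Action": [
    "ec2:Describe*", "elasticloadbalancing:Describe*",
    "elasticloadbalancing:ModifyTargetGroupAttributes"]}

# Constructed sample of other EC2/ELB actions, to measure what the wildcard adds.
SAMPLE_ACTIONS = [
    "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots",
    "ec2:RunInstances", "ec2:DeleteVolume",
    "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DeleteLoadBalancer",
]


def action_allowed(statement, action):
    """True if any Action pattern in the statement matches the action (IAM semantics)."""
    patterns = statement["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def uncovered(statement, required):
    """Required actions the statement fails to grant (the failure this PR fixes)."""
    return [a for a in required if not action_allowed(statement, a)]


def extra_grants(statement, candidates, required):
    """Actions granted beyond the required set (the breadth the reviewer objected to)."""
    return sorted(a for a in candidates
                  if action_allowed(statement, a) and a not in required)
```

Both statements cover the seven required actions; only the wildcard one also grants Describe calls nobody asked for, while still denying every mutating action in the sample.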

@abhinavdahiya
Contributor

/approve
/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label May 5, 2020
@openshift-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abhinavdahiya

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 5, 2020
@openshift-bot
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-ci-robot
Contributor

@cuppett: The following test failed, say /retest to rerun all failed tests:

Test name: ci/prow/e2e-ovirt
Commit: 1d4a5b7
Rerun command: /test e2e-ovirt

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-bot
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-merge-robot openshift-merge-robot merged commit cd395c7 into openshift:master May 5, 2020
@openshift-ci-robot
Contributor

@cuppett: All pull requests linked via external trackers have merged: openshift/installer#3540. Bugzilla bug 1830995 has been moved to the MODIFIED state.

In response to this:

Bug 1830995: Add ModifyTargetGroupAttributes and Describe* to MasterIamRole

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@cuppett cuppett deleted the cuppett/bz1830995 branch May 6, 2020 10:56