New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1830995: Add ModifyTargetGroupAttributes and Describe* to MasterIamRole #3540
Bug 1830995: Add ModifyTargetGroupAttributes and Describe* to MasterIamRole #3540
Conversation
…amRole Observed failure to convert default ingress to internal due to lack of following permissions: "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeInstanceAttribute", "ec2:DescribeInternetGateways", "elasticloadbalancing:DescribeInstanceHealth", "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:ModifyTargetGroupAttributes", This commit allows the benign Describe* to the EC2 and ELB resources as well as the required ModifyTargetGroupAttributes utilized in the legacy cloud provider.
@cuppett: An error was encountered searching for bug 1830995 on the Bugzilla server at https://bugzilla.redhat.com:
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/bugzilla refresh |
@cuppett: This pull request references Bugzilla bug 1830995, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retest |
"ec2:DeleteSecurityGroup", | ||
"ec2:DeleteVolume", | ||
"ec2:Describe*", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this change is in stark contrast to the precedent we wanted to set with #3451
now we have a expanding IAM permission even though it is Describe*, and no longer a smallest list.
I want to understand, we are we going back a little on our stance here, and maybe we can update the https://github.com/openshift/installer/blob/master/docs/dev/aws/iam_permissions.md to clarify our loosened requirements.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can be explicit about the Describe list as it is now; it's read-only operations. The main thing this does is scope the changes the master nodes can make to storage, loadbalancers or the environment which is the goal. This allows fixes to be made to this and subsequent versions where an extra read/describe on a resource may be needed to provide an accurate fix for public/private clusters without then bumping into a permission required to see something.
I still like the words in the README, this just doesn't block a fix or smarter controller/operator due to an AWS discoverability/visibility issue.
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: abhinavdahiya The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest Please review the full test history for this PR and help us cut down flakes. |
5 similar comments
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
@cuppett: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/retest Please review the full test history for this PR and help us cut down flakes. |
@cuppett: All pull requests linked via external trackers have merged: openshift/installer#3540. Bugzilla bug 1830995 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Observed failure to convert default ingress to internal due to lack of
following permissions:
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInternetGateways",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:ModifyTargetGroupAttributes",
This commit allows the benign Describe* to the EC2 and ELB resources as
well as the required ModifyTargetGroupAttributes utilized in the legacy
cloud provider.