Open fxierh opened 7 months ago
Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all
@fxierh: This pull request references Jira Issue OCPBUGS-29027, which is invalid:
Comment /jira refresh
to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.
The bug has been updated to refer to the pull request using the external bug tracker.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: fxierh Once this PR has been reviewed and has the lgtm label, please assign lleshchi for approval. For more information see the Kubernetes Code Review Process.
The full list of commands accepted by this bot can be found here.
Before proceeding to code up a fix, I'd like to discuss about ways this issue can be solved: 1) Manually maintain the static list of perms required for passthrough. This is easy but it leaves us a maintenance burden. 2) Dynamically obtain the list of perms required for passthrough and check against it. The secret annotator controller will watch CredentialsRequests, and trigger a reconcile in one of the following scenarios:
statementEntries
are updated.syncPassthrough
func e.g.,
https://github.com/openshift/cloud-credential-operator/blob/3cf3099b60fbd886dd9582c55373f36419c96fff/pkg/gcp/actuator/actuator.go#L241-L288It looks like the installer is the only user of func CheckCloudCredPassthrough
:
https://github.com/openshift/installer/blob/3d78a2270aad5f71034bed9b7ab0ae992c6c83cd/pkg/asset/installconfig/aws/permissions.go#L310
Considering the above:
I guess option 1 is the way to go.
@jstuever @dlom WDTY ?
Sorry for the delay, I had to look into this one. I think we are stuck with option 1 for now. The credentialRequests can be obtained for a specific version with the following:
oc adm release extract --credentials-requests --cloud=aws to=./creds --from <release>
Note: This will become complicated as these operators become optional components, so the installer might need to rework this in the future.
@jstuever
Sorry for the late reply.
Note: This will become complicated as these operators become optional components, so the installer might need to rework this in the future.
Thanks for the reminder. This seems to be a common issue for both the CCO and the installer. Currently, among the 7 operators which request for cloud credentials on AWS, 4 are already optional: CCO, MAPI, ImageRegistry and Storage.
With the above taken into account, and if we go with option 1, we'd need to make the static list of permissions minimal, meaning that it will only contain permissions required by the non-optional operators. This makes CCO's secret annotator controller and installer's platform permission check kind of in-precise, even if we keep the static list of permissions up-to-date.
I'm thus wondering if it's good timing to solve this issue once and for all by
CheckCloudCredPassthrough
so the CCO and the installer could implement their own logic to obtain the list of permissions;CheckPermissionsAgainstActions
directly. @fxierh: all tests passed!
Full PR test history. Your PR dashboard.
Issues go stale after 90d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle stale
.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen
.
If this issue is safe to close now please do so with /close
.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle rotten
.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen
.
If this issue is safe to close now please do so with /close
.
/lifecycle rotten /remove-lifecycle stale
On AWS, when CCO is in the default mode and the root credential is not sufficient for mint mode, the secret annotator controller checks if the root credential is good enough for passthrough against a static list of permissions https://github.com/openshift/cloud-credential-operator/blob/3cf3099b60fbd886dd9582c55373f36419c96fff/pkg/aws/utils.go#L35-L93 This list of perms is outdated.