Skip to content

OCPBUGS-96412: Move ec2 volume attach/detach to unscoped section#1049

Open
dlom wants to merge 1 commit into
openshift:masterfrom
dlom:OCPBUGS-96412
Open

OCPBUGS-96412: Move ec2 volume attach/detach to unscoped section#1049
dlom wants to merge 1 commit into
openshift:masterfrom
dlom:OCPBUGS-96412

Conversation

@dlom

@dlom dlom commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

xref: OCPBUGS-96412

followup for OCPBUGS-87829

Summary by CodeRabbit

  • Bug Fixes
    • Updated how certain EC2 volume actions are treated for cluster tag-based access checks.
    • AttachVolume and DetachVolume now follow the correct unscoped behavior, preventing unexpected policy matches when related resources don’t share the same ownership tag.
    • Aligned automated checks with the updated access classification.

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jul 1, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@dlom: This pull request references Jira Issue OCPBUGS-96412, which is invalid:

  • expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

xref: OCPBUGS-96412

followup for OCPBUGS-87829

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4e454aeb-0355-4c97-8b35-55e93a87b149

📥 Commits

Reviewing files that changed from the base of the PR and between b9b0355 and 6e83986.

📒 Files selected for processing (2)
  • pkg/aws/utils.go
  • pkg/aws/utils_test.go

Walkthrough

This PR reclassifies the AWS IAM actions ec2:AttachVolume and ec2:DetachVolume from resource-tag-scoped to unscoped in pkg/aws/utils.go, adding comments explaining their multi-resource evaluation behavior, and updates the corresponding test expectations in pkg/aws/utils_test.go.

Changes

IAM action tag-scope reclassification

Layer / File(s) Summary
Reclassify actions and update tests
pkg/aws/utils.go, pkg/aws/utils_test.go
ec2:AttachVolume and ec2:DetachVolume are moved from infraResourceTagScopedActions to infraResourceTagUnscopedActions with added comments, and test expectations are updated to scoped=false accordingly.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Possibly related PRs

Suggested reviewers: jstuever

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: moving EC2 volume attach/detach actions to the unscoped set.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No test titles were added or changed; the PR only updates expected booleans, and existing subtest names are deterministic literals or table-derived static AWS actions.
Test Structure And Quality ✅ Passed Not a Ginkgo test change; the modified Go tests are focused, use cleanup-free unit assertions, and include meaningful failure messages.
Microshift Test Compatibility ✅ Passed Only pkg/aws utility code and unit tests changed; no new Ginkgo e2e tests or MicroShift-unsupported OpenShift APIs/features were added.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR only changes AWS action classification and unit tests; no new Ginkgo e2e tests or SNO-sensitive assumptions were added.
Topology-Aware Scheduling Compatibility ✅ Passed Only AWS IAM action classification/tests changed; no deployment manifests, controllers, affinities, node selectors, or topology logic were modified.
Ote Binary Stdout Contract ✅ Passed PR only updates AWS action classification maps and unit-test expectations; no main/init/suite stdout writes were introduced.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PASS: The PR only updates pkg/aws utils and unit tests; no new Ginkgo e2e tests, IPv4-only assumptions, or external network calls were added.
No-Weak-Crypto ✅ Passed Changed files only reclassify AWS actions and tests; no weak crypto, custom crypto, or secret/token comparisons were added.
Container-Privileges ✅ Passed PASS: No privileged settings found; reviewed deployment manifests use allowPrivilegeEscalation:false, runAsNonRoot:true, and no hostPID/hostNetwork/hostIPC or SYS_ADMIN.
No-Sensitive-Data-In-Logs ✅ Passed The PR only changes AWS action classification maps and tests; no new or modified logging exposes passwords, tokens, PII, hostnames, or customer data.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested a review from jstuever July 1, 2026 22:46
@dlom

dlom commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

/jira refresh

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 1, 2026
@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jul 1, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@dlom: This pull request references Jira Issue OCPBUGS-96412, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@dlom

dlom commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

/payload 5.0 nightly informing

@openshift-ci

openshift-ci Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

@dlom: trigger 69 job(s) of type informing for the nightly release of OCP 5.0

  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-upgrade-fips
  • periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-azure-aks-ovn-conformance
  • periodic-ci-openshift-release-main-nightly-5.0-console-aws
  • periodic-ci-openshift-cluster-control-plane-machine-set-operator-release-5.0-periodics-e2e-aws
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-csi
  • periodic-ci-openshift-release-main-ci-5.0-e2e-aws-ovn
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-cgroupsv2
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-fips
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-single-node
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-single-node-csi
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-single-node-serial
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-single-node-techpreview
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-single-node-techpreview-serial
  • periodic-ci-openshift-release-main-nightly-5.0-upgrade-from-stable-4.22-e2e-aws-upgrade-ovn-single-node
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-upgrade-fips-no-nat-instance
  • periodic-ci-openshift-release-main-ci-5.0-e2e-aws-ovn-upgrade-out-of-change
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-upi
  • periodic-ci-openshift-cluster-control-plane-machine-set-operator-release-5.0-periodics-e2e-azure
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-azure-csi
  • periodic-ci-openshift-release-main-ci-5.0-e2e-azure-ovn
  • periodic-ci-openshift-release-main-ci-5.0-e2e-azure-ovn-serial
  • periodic-ci-openshift-release-main-ci-5.0-e2e-azure-ovn-techpreview
  • periodic-ci-openshift-release-main-ci-5.0-e2e-azure-ovn-techpreview-serial-1of2
  • periodic-ci-openshift-release-main-ci-5.0-e2e-azure-ovn-techpreview-serial-2of2
  • periodic-ci-openshift-release-main-ci-5.0-e2e-azure-ovn-upgrade-out-of-change
  • periodic-ci-openshift-release-main-cnv-nightly-5.0-deploy-azure-kubevirt-ovn
  • periodic-ci-openshift-cluster-control-plane-machine-set-operator-release-5.0-periodics-e2e-gcp
  • periodic-ci-openshift-release-main-ci-5.0-e2e-gcp-ovn
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-gcp-ovn-csi
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-gcp-ovn-rt
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-gcp-ovn-serial
  • periodic-ci-openshift-release-main-ci-5.0-e2e-gcp-ovn-techpreview
  • periodic-ci-openshift-release-main-ci-5.0-e2e-gcp-ovn-techpreview-serial-1of2
  • periodic-ci-openshift-release-main-ci-5.0-e2e-gcp-ovn-techpreview-serial-2of2
  • periodic-ci-openshift-release-main-ci-5.0-upgrade-from-stable-4.22-e2e-gcp-ovn-upgrade
  • periodic-ci-openshift-release-main-ci-5.0-e2e-gcp-ovn-upgrade
  • periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-azure-kubevirt-ovn
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ipi-ovn-dualstack
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ipi-ovn-dualstack-techpreview
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ipi-ovn-ipv6-techpreview
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ipi-ovn-serial-ipv4
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ipi-ovn-serial-virtualmedia-1of2
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ipi-ovn-serial-virtualmedia-2of2
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ipi-ovn-techpreview
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ipi-ovn-upgrade
  • periodic-ci-openshift-release-main-nightly-5.0-upgrade-from-stable-4.22-e2e-metal-ipi-ovn-upgrade
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ipi-serial-ovn-ipv6
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ipi-serial-ovn-dualstack
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ipi-upgrade-ovn-ipv6
  • periodic-ci-openshift-release-main-nightly-5.0-upgrade-from-stable-4.22-e2e-metal-ipi-upgrade-ovn-ipv6
  • periodic-ci-openshift-release-main-nightly-5.0-metal-ovn-single-node-recert-cluster-rename
  • periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-ovn-ocp-conformance
  • periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-ovn-ocp-conformance-serial
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-osd-ccs-gcp
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-proxy
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ovn-single-node-live-iso
  • periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-5.0-nightly-x86-payload-control-plane-6nodes
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-telco5g
  • periodic-ci-openshift-release-main-nightly-5.0-tls-scan
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-vsphere-ovn
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-vsphere-ovn-csi
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-vsphere-ovn-serial
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-vsphere-ovn-techpreview
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-vsphere-ovn-techpreview-serial
  • periodic-ci-openshift-release-main-ci-5.0-upgrade-from-stable-4.22-e2e-vsphere-ovn-upgrade
  • periodic-ci-openshift-release-main-ci-5.0-e2e-vsphere-ovn-upgrade
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-vsphere-ovn-upi
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-vsphere-ovn-upi-serial
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-vsphere-static-ovn

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/ce562270-759e-11f1-87c7-baee85f1f048-0

@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@dlom: This pull request references Jira Issue OCPBUGS-96412, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
Details

In response to this:

xref: OCPBUGS-96412

followup for OCPBUGS-87829

Summary by CodeRabbit

  • Bug Fixes
  • Updated how certain EC2 volume actions are treated for cluster tag-based access checks.
  • AttachVolume and DetachVolume now follow the correct unscoped behavior, preventing unexpected policy matches when related resources don’t share the same ownership tag.
  • Aligned automated checks with the updated access classification.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@dlom

dlom commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

/override ci/prow/security

@openshift-ci

openshift-ci Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

@dlom: Overrode contexts on behalf of dlom: ci/prow/security

Details

In response to this:

/override ci/prow/security

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@codecov

codecov Bot commented Jul 2, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 48.81%. Comparing base (b9b0355) to head (6e83986).
⚠️ Report is 4 commits behind head on master.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #1049      +/-   ##
==========================================
+ Coverage   47.33%   48.81%   +1.48%     
==========================================
  Files          97       97              
  Lines       12613    13006     +393     
==========================================
+ Hits         5970     6349     +379     
- Misses       5987     5994       +7     
- Partials      656      663       +7     
Files with missing lines Coverage Δ
pkg/aws/utils.go 86.11% <ø> (ø)

... and 2 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@dlom

dlom commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

/verified by periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-upi

@dlom

dlom commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

/assign @JoelSpeed

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jul 2, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@dlom: This PR has been marked as verified by periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-upi.

Details

In response to this:

/verified by periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-upi

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@JoelSpeed

Copy link
Copy Markdown
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 3, 2026
@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dlom, JoelSpeed

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 3, 2026
@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@dlom: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/security 6e83986 link unknown /test security

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants