
OCPBUGS-95187: Reclassify ec2:ModifyNetworkInterfaceAttribute as unscoped#1053

Merged: openshift-merge-bot[bot] merged 1 commit into openshift:master from pmeida:OCPBUGS-95187-capa-resource-tag on Jul 3, 2026

Conversation

@pmeida pmeida commented Jul 2, 2026
Contributor

Summary

  • Moves ec2:ModifyNetworkInterfaceAttribute from infraResourceTagScopedActions to infraResourceTagUnscopedActions in pkg/aws/utils.go
  • Updates the corresponding payload classification test expectation from true to false

Root cause

#1043 added an aws:ResourceTag/kubernetes.io/cluster/<id>: owned condition to all actions in infraResourceTagScopedActions, including ec2:ModifyNetworkInterfaceAttribute. However, AWS evaluates this condition not only against the ENI (primary resource of the action) but also against each security group passed as a parameter. Security groups created by some providers carry only their own provider-specific tag and not the kubernetes.io/cluster/ ownership tag, causing a 403 on the call.

The fix reclassifies this action as unscoped — consistent with the existing precedent for other ENI-related actions (ec2:AssignIpv6Addresses, etc.) — so no aws:ResourceTag condition is applied.

This is directly affecting CAPA operations on the CCAPIO pull-ci-openshift-cluster-capi-operator-main-e2e-aws-capi-techpreview and pull-ci-openshift-cluster-capi-operator-main-e2e-aws-capi-techpreview-post-install CI jobs.
Investigation details: https://redhat.atlassian.net/browse/OCPBUGS-95187?focusedCommentId=17472155

Policy modification in live job run resulted in success.

Open questions

…oped

AWS evaluates the aws:ResourceTag condition against the security groups
referenced by the action, not only the ENI. Security groups created by
some providers may not carry the kubernetes.io/cluster/ ownership tag,
causing a 403 when the scoped condition is applied.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
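As an added example (not code from this repository), the following Go sketch shows why the scoped condition fails for this action and what the reclassification changes: a hypothetical policy builder that gates scoped actions on aws:ResourceTag/kubernetes.io/cluster/<id>: owned and leaves unscoped actions ungated, plus a toy evaluator that applies the condition to every resource named in a constructed ModifyNetworkInterfaceAttribute request (a tagged ENI and a security group carrying only a provider-specific tag). All type and function names, the action lists and the sample tags are assumptions.

```go
package main

import "fmt"

// Added illustration, not code from the openshift project: types, names and action
// lists here are hypothetical stand-ins for the classification in pkg/aws/utils.go.
// Statement mirrors the shape of an IAM policy statement.
type Statement struct {
	Effect    string
	Action    []string
	Resource  string
	Condition map[string]map[string]string // nil for unscoped actions
}

// clusterTagKey is the condition key from the PR; clusterID stands in for <id>.
func clusterTagKey(clusterID string) string {
	return "aws:ResourceTag/kubernetes.io/cluster/" + clusterID
}

// buildStatements gates scoped actions on the ownership tag and leaves unscoped actions ungated.
func buildStatements(clusterID string, scoped, unscoped []string) []Statement {
	cond := map[string]map[string]string{"StringEquals": {clusterTagKey(clusterID): "owned"}}
	return []Statement{
		{Effect: "Allow", Action: scoped, Resource: "*", Condition: cond},
		{Effect: "Allow", Action: unscoped, Resource: "*"},
	}
}

// hasCondition reports whether action is granted only under a tag condition.
func hasCondition(stmts []Statement, action string) bool {
	for _, s := range stmts {
		for _, a := range s.Action {
			if a == action && s.Condition != nil {
				return true
			}
		}
	}
	return false
}

type Resource struct { // one resource named by an API call (the ENI or a security group)
	ID   string
	Tags map[string]string
}

// evaluateScoped models the failure in the PR: IAM applies the tag condition to
// every resource in the request, so one untagged security group denies the call.
func evaluateScoped(clusterID string, req []Resource) (bool, string) {
	for _, r := range req {
		if r.Tags["kubernetes.io/cluster/"+clusterID] != "owned" {
			return false, r.ID // first resource failing the condition
		}
	}
	return true, ""
}

// sampleRequest is a constructed call: a tagged ENI plus a security group carrying only a hypothetical provider tag.
func sampleRequest(clusterID string) []Resource {
	return []Resource{
		{ID: "eni-0123", Tags: map[string]string{"kubernetes.io/cluster/" + clusterID: "owned"}},
		{ID: "sg-provider", Tags: map[string]string{"provider.example/managed": "true"}},
	}
}

func main() {
	stmts := buildStatements("abc", []string{"ec2:AttachNetworkInterface"}, []string{"ec2:ModifyNetworkInterfaceAttribute", "ec2:AssignIpv6Addresses"})
	fmt.Println("gated:", hasCondition(stmts, "ec2:ModifyNetworkInterfaceAttribute"))
	ok, id := evaluateScoped("abc", sampleRequest("abc"))
	fmt.Printf("scoped condition passes: %v, blocked by %q\n", ok, id)
}
```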
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jul 2, 2026
@openshift-ci-robot
Contributor

@pmeida: This pull request references Jira Issue OCPBUGS-95187, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

  • Moves ec2:ModifyNetworkInterfaceAttribute from infraResourceTagScopedActions to infraResourceTagUnscopedActions in pkg/aws/utils.go
  • Updates the corresponding payload classification test expectation from true to false

Root cause

OCPBUGS-87829 added an aws:ResourceTag/kubernetes.io/cluster/<id>: owned condition to all actions in infraResourceTagScopedActions, including ec2:ModifyNetworkInterfaceAttribute. However, AWS evaluates this condition not only against the ENI (primary resource of the action) but also against each security group passed as a parameter. Security groups created by some providers carry only their own provider-specific tag and not the kubernetes.io/cluster/ ownership tag, causing a 403 on the call.

The fix reclassifies this action as unscoped — consistent with the existing precedent for other ENI-related actions (ec2:AssignIpv6Addresses, etc.) — so no aws:ResourceTag condition is applied.

Test plan

  • go test ./pkg/aws/... passes

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested review from dlom and jstuever July 2, 2026 11:36
@coderabbitai

coderabbitai Bot commented Jul 2, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 871517cb-3fca-42e3-9970-1567b4aa2cb6

📥 Commits

Reviewing files that changed from the base of the PR and between 0564adf and 0f6a082.

📒 Files selected for processing (2)
  • pkg/aws/utils.go
  • pkg/aws/utils_test.go
👮 Files not reviewed due to content moderation or server errors (2)
  • pkg/aws/utils_test.go
  • pkg/aws/utils.go

Warning

Walkthrough skipped

File diffs could not be summarized.

Pre-merge checks: 10 failed (all inconclusive)

All ten custom checks (Stable And Deterministic Test Names; Test Structure And Quality; Microshift Test Compatibility; Single Node Openshift (Sno) Test Compatibility; Topology-Aware Scheduling Compatibility; Ote Binary Stdout Contract; Ipv6 And Disconnected Network Test Compatibility; No-Weak-Crypto; Container-Privileges; No-Sensitive-Data-In-Logs) returned the same status and explanation:

  • Status: Inconclusive
  • Explanation: Custom check execution failed before a final verdict was produced.
  • Resolution: Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.

@openshift-ci-robot

Contributor

@pmeida: This pull request references Jira Issue OCPBUGS-95187, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

@codecov

codecov Bot commented Jul 2, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 47.28%. Comparing base (0564adf) to head (0f6a082).

Additional details and impacted files


@@           Coverage Diff           @@
##           master    #1053   +/-   ##
=======================================
  Coverage   47.28%   47.28%           
=======================================
  Files          97       97           
  Lines       12631    12631           
=======================================
  Hits         5973     5973           
  Misses       6001     6001           
  Partials      657      657           
Files with missing lines | Coverage Δ
pkg/aws/utils.go | 86.11% <ø> (ø)

@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Contributor

@pmeida: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/security 0f6a082 link true /test security
ci/prow/e2e-hypershift 0f6a082 link true /test e2e-hypershift

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@pmeida

pmeida commented Jul 2, 2026

Contributor Author

/retest

@dlom

dlom commented Jul 2, 2026

Contributor

/override ci/prow/security

@dlom

dlom commented Jul 2, 2026

Contributor

/approve

@dlom

dlom commented Jul 2, 2026

Contributor

/lgtm

@dlom

dlom commented Jul 2, 2026

Contributor

@pmeida for sure we should backport this

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 2, 2026
@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Contributor

@dlom: Overrode contexts on behalf of dlom: ci/prow/security

Details

In response to this:

/override ci/prow/security

@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dlom, pmeida

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 2, 2026
@pmeida

pmeida commented Jul 3, 2026

Contributor Author

/verified by ci

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jul 3, 2026
@openshift-ci-robot

Contributor

@pmeida: This PR has been marked as verified by ci.

Details

In response to this:

/verified by ci

@openshift-merge-bot openshift-merge-bot Bot merged commit d9f0942 into openshift:master Jul 3, 2026
13 checks passed
@openshift-ci-robot

Contributor

@pmeida: Jira Issue Verification Checks: Jira Issue OCPBUGS-95187
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-95187 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓


@pmeida

pmeida commented Jul 3, 2026

Contributor Author

/cherrypick release-4.22
/cherrypick release-4.21
/cherrypick release-4.20
/cherrypick release-4.19
/cherrypick release-4.18
/cherrypick release-4.17

@openshift-cherrypick-robot


@pmeida: #1053 failed to apply on top of branch "release-4.17":

Applying: OCPBUGS-95187: Reclassify ec2:ModifyNetworkInterfaceAttribute as unscoped
Using index info to reconstruct a base tree...
M	pkg/aws/utils.go
A	pkg/aws/utils_test.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/aws/utils.go
CONFLICT (content): Merge conflict in pkg/aws/utils.go
CONFLICT (modify/delete): pkg/aws/utils_test.go deleted in HEAD and modified in OCPBUGS-95187: Reclassify ec2:ModifyNetworkInterfaceAttribute as unscoped.  Version OCPBUGS-95187: Reclassify ec2:ModifyNetworkInterfaceAttribute as unscoped of pkg/aws/utils_test.go left in tree.
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 OCPBUGS-95187: Reclassify ec2:ModifyNetworkInterfaceAttribute as unscoped


@openshift-cherrypick-robot


@pmeida: #1053 failed to apply on top of branch "release-4.18":

Applying: OCPBUGS-95187: Reclassify ec2:ModifyNetworkInterfaceAttribute as unscoped
Using index info to reconstruct a base tree...
M	pkg/aws/utils.go
A	pkg/aws/utils_test.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/aws/utils.go
CONFLICT (content): Merge conflict in pkg/aws/utils.go
CONFLICT (modify/delete): pkg/aws/utils_test.go deleted in HEAD and modified in OCPBUGS-95187: Reclassify ec2:ModifyNetworkInterfaceAttribute as unscoped.  Version OCPBUGS-95187: Reclassify ec2:ModifyNetworkInterfaceAttribute as unscoped of pkg/aws/utils_test.go left in tree.
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 OCPBUGS-95187: Reclassify ec2:ModifyNetworkInterfaceAttribute as unscoped


@openshift-cherrypick-robot


@pmeida: #1053 failed to apply on top of branch "release-4.19":

Applying: OCPBUGS-95187: Reclassify ec2:ModifyNetworkInterfaceAttribute as unscoped
Using index info to reconstruct a base tree...
M	pkg/aws/utils.go
A	pkg/aws/utils_test.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/aws/utils.go
CONFLICT (content): Merge conflict in pkg/aws/utils.go
CONFLICT (modify/delete): pkg/aws/utils_test.go deleted in HEAD and modified in OCPBUGS-95187: Reclassify ec2:ModifyNetworkInterfaceAttribute as unscoped.  Version OCPBUGS-95187: Reclassify ec2:ModifyNetworkInterfaceAttribute as unscoped of pkg/aws/utils_test.go left in tree.
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 OCPBUGS-95187: Reclassify ec2:ModifyNetworkInterfaceAttribute as unscoped


@openshift-cherrypick-robot


@pmeida: #1053 failed to apply on top of branch "release-4.20":

Applying: OCPBUGS-95187: Reclassify ec2:ModifyNetworkInterfaceAttribute as unscoped
Using index info to reconstruct a base tree...
M	pkg/aws/utils.go
A	pkg/aws/utils_test.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/aws/utils.go
CONFLICT (content): Merge conflict in pkg/aws/utils.go
CONFLICT (modify/delete): pkg/aws/utils_test.go deleted in HEAD and modified in OCPBUGS-95187: Reclassify ec2:ModifyNetworkInterfaceAttribute as unscoped.  Version OCPBUGS-95187: Reclassify ec2:ModifyNetworkInterfaceAttribute as unscoped of pkg/aws/utils_test.go left in tree.
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 OCPBUGS-95187: Reclassify ec2:ModifyNetworkInterfaceAttribute as unscoped


@openshift-cherrypick-robot


@pmeida: new pull request created: #1055


@openshift-cherrypick-robot


@pmeida: new pull request created: #1056

