OCPBUGS-95187: Reclassify ec2:ModifyNetworkInterfaceAttribute as unscoped#1053
Conversation
…oped AWS evaluates the aws:ResourceTag condition against the security groups referenced by the action, not only the ENI. Security groups created by some providers may not carry the kubernetes.io/cluster/ ownership tag, causing a 403 when the scoped condition is applied. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@pmeida: This pull request references Jira Issue OCPBUGS-95187, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug.
The bug has been updated to refer to the pull request using the external bug tracker.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
CodeRabbit: No actionable comments were generated in the recent review. Files selected for processing: 2. Files not reviewed due to content moderation or server errors: 2. Walkthrough skipped: file diffs could not be summarized. Pre-merge checks: 10 failed (inconclusive).
@pmeida: This pull request references Jira Issue OCPBUGS-95187, which is valid. 3 validation(s) were run on this bug.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Codecov Report: All modified and coverable lines are covered by tests.
Additional details and impacted files:
@@ Coverage Diff @@
## master #1053 +/- ##
=======================================
Coverage 47.28% 47.28%
=======================================
Files 97 97
Lines 12631 12631
=======================================
Hits 5973 5973
Misses 6001 6001
Partials 657 657
@pmeida: The following tests failed, say
Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
/retest
/override ci/prow/security
/approve
/lgtm
@pmeida for sure we should backport this
@dlom: Overrode contexts on behalf of dlom: ci/prow/security
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: dlom, pmeida. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/verified by ci
@pmeida: This PR has been marked as verified by
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
@pmeida: Jira Issue Verification Checks: Jira Issue OCPBUGS-95187. Jira Issue OCPBUGS-95187 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
/cherrypick release-4.22
@pmeida: #1053 failed to apply on top of branch "release-4.17":
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@pmeida: #1053 failed to apply on top of branch "release-4.18":
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@pmeida: #1053 failed to apply on top of branch "release-4.19":
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@pmeida: #1053 failed to apply on top of branch "release-4.20":
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@pmeida: new pull request created: #1055
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@pmeida: new pull request created: #1056
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Summary
Moves ec2:ModifyNetworkInterfaceAttribute from infraResourceTagScopedActions to infraResourceTagUnscopedActions in pkg/aws/utils.go (tag-scoped: true → false).
Root cause
#1043 added an aws:ResourceTag/kubernetes.io/cluster/<id>: owned condition to all actions in infraResourceTagScopedActions, including ec2:ModifyNetworkInterfaceAttribute. However, AWS evaluates this condition not only against the ENI (primary resource of the action) but also against each security group passed as a parameter. Security groups created by some providers carry only their own provider-specific tag and not the kubernetes.io/cluster/ ownership tag, causing a 403 on the call.
The fix reclassifies this action as unscoped — consistent with the existing precedent for other ENI-related actions (ec2:AssignIpv6Addresses, etc.) — so no aws:ResourceTag condition is applied.
This is directly affecting CAPA operations on CCAPIO pull-ci-openshift-cluster-capi-operator-main-e2e-aws-capi-techpreview and pull-ci-openshift-cluster-capi-operator-main-e2e-aws-capi-techpreview-post-install CI jobs.
Investigation details: https://redhat.atlassian.net/browse/OCPBUGS-95187?focusedCommentId=17472155
Policy modification in live job run resulted in success.
Open questions
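A constructed Go model of the root cause described in the summary, added here and not code from this PR or the project: it builds an Allow statement for ec2:ModifyNetworkInterfaceAttribute with or without the kubernetes.io/cluster/<id>: owned condition and checks that condition against every resource the call references, so one provider-created security group without the ownership tag denies the scoped statement while the unscoped one passes. All type and function names, the ARNs and the example-provider tag key are assumptions, not the project's definitions.

```go
package main

import "fmt"
// Resource is one AWS resource a request references (the ENI itself or a security
// group passed as a parameter) with its tags. Constructed model, not SDK types.
type Resource struct {
	ARN  string
	Tags map[string]string
}
// Statement is a simplified IAM Allow: an action plus an optional aws:ResourceTag
// condition; a nil condition means the action is unscoped.
type Statement struct {
	Action      string
	ResourceTag map[string]string // tag key -> required value
}
// buildStatement applies the kubernetes.io/cluster/<id>: owned condition only to
// scoped actions, mirroring the scoped/unscoped split described in the PR summary.
func buildStatement(action, clusterID string, scoped bool) Statement {
	st := Statement{Action: action}
	if scoped {
		st.ResourceTag = map[string]string{"kubernetes.io/cluster/" + clusterID: "owned"}
	}
	return st
}
// evaluate checks the condition against every referenced resource, which is the
// behaviour behind the 403: one security group lacking the ownership tag denies
// the whole call. The first offending ARN is returned to aid triage.
func evaluate(st Statement, action string, touched []Resource) (bool, string) {
	if st.Action != action {
		return false, ""
	}
	for _, r := range touched {
		for key, want := range st.ResourceTag {
			if r.Tags[key] != want {
				return false, r.ARN
			}
		}
	}
	return true, ""
}
func main() {
	// Constructed sample: the ENI has the ownership tag, the provider-made SG only a made-up provider tag.
	eni := Resource{ARN: "arn:aws:ec2:::network-interface/eni-example", Tags: map[string]string{"kubernetes.io/cluster/demo": "owned"}}
	sg := Resource{ARN: "arn:aws:ec2:::security-group/sg-example", Tags: map[string]string{"example-provider/cluster/demo": "owned"}}
	for _, scoped := range []bool{true, false} {
		st := buildStatement("ec2:ModifyNetworkInterfaceAttribute", "demo", scoped)
		ok, blame := evaluate(st, st.Action, []Resource{eni, sg})
		fmt.Printf("scoped=%v allowed=%v denied_by=%q\n", scoped, ok, blame)
	}
}
```

The returned ARN is the resource an operator would need to tag if the scoped form were kept instead of reclassifying the action.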