
OCPBUGS-97666: Classify ec2 instance management actions as scoped#1058

Open
razo7 wants to merge 1 commit into
openshift:masterfrom
razo7:OCPBUGS-97666-add-ec2-instance-actions

Conversation

@razo7

@razo7 razo7 commented Jul 5, 2026

Member

Hi all! First-time contributor here 😄
I'm from the Medik8s team. We maintain several node remediation operators for OpenShift, including Fence Agents Remediation (FAR).

Summary

Add ec2:StartInstances, ec2:StopInstances, and ec2:RebootInstances to infraResourceTagScopedActions in pkg/aws/utils.go.

These three EC2 instance management actions support the aws:ResourceTag condition (per the AWS Service Authorization Reference) and belong alongside ec2:TerminateInstances, which is already classified as scoped.

Why

PR #1043 introduced strict IAM policy scoping — any action not classified in either infraResourceTagScopedActions or infraResourceTagUnscopedActions now causes CCO to error.

Fence Agents Remediation (FAR) is a Medik8s operator for automated node remediation using fence agents across multiple platforms. When running e2e tests on OCP CI against AWS clusters, FAR provisions AWS credentials via a CredentialsRequest that declares ec2:StartInstances, ec2:StopInstances, and ec2:RebootInstances for EC2 fencing. Since these actions are missing from both classification maps, credential provisioning fails (source):

error syncing credentials: error syncing creds in mint-mode: cannot build scoped IAM policy:
unrecognized AWS action "ec2:StartInstances" has no aws:ResourceTag classification;
file a bug against openshift/cloud-credential-operator to add it to
infraResourceTagScopedActions or infraResourceTagUnscopedActions in pkg/aws/utils.go

This blocks all FAR e2e tests on OCP 4.23+ and 5.0.

Relationship to PR #1057

This PR is a surgical fix for the three missing actions. PR #1057 proposes a full revert of #1043 due to broader CSI snapshot failures (OCPBUGS-96892). If #1057 merges first, this PR becomes a no-op (the maps it adds to would no longer exist). If this PR merges first, it unblocks FAR independently of the revert.

Tracked in OCPBUGS-97666.

Changes

  • pkg/aws/utils.go: Add 3 actions to infraResourceTagScopedActions (alphabetically, next to ec2:TerminateInstances)
  • pkg/aws/utils_test.go: Add test verifying the 3 new actions are classified as scoped

Testing

$ go test ./pkg/aws/... -v -run TestSupportsInfraResourceTagCondition
--- PASS: TestSupportsInfraResourceTagCondition/ec2_instance_management_actions_are_scoped (0.00s)
PASS
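The classification the error message above comes from, as an added illustration (constructed for this page, not CCO's own code): requested actions are partitioned into a statement that carries the aws:ResourceTag condition and one that does not, and an action in neither map is rejected. The two maps, the unscoped ec2:DescribeInstances entry and the tag key form kubernetes.io/cluster/<infraID>=owned are assumptions for the example.

```go
package main

import "fmt"

// Stand-in classification maps, constructed for this example (not CCO's own):
// scoped actions accept an aws:ResourceTag condition, unscoped ones do not.
var scopedActions = map[string]bool{
	"ec2:RebootInstances":    true, // added by this PR
	"ec2:StartInstances":     true, // added by this PR
	"ec2:StopInstances":      true, // added by this PR
	"ec2:TerminateInstances": true, // already scoped before the PR
}
var unscopedActions = map[string]bool{"ec2:DescribeInstances": true} // assumed example
type statement struct {
	Effect    string                       `json:"Effect"`
	Action    []string                     `json:"Action"`
	Resource  string                       `json:"Resource"`
	Condition map[string]map[string]string `json:"Condition,omitempty"`
}

// buildScopedPolicy partitions the requested actions into a tag-scoped and an
// unscoped Allow statement; an action in neither map is rejected, which is the
// "unrecognized AWS action" failure quoted above. tagKey is assumed to be kubernetes.io/cluster/<infraID>.
func buildScopedPolicy(actions []string, tagKey string) ([]statement, error) {
	var scoped, unscoped []string
	for _, a := range actions {
		switch {
		case scopedActions[a]:
			scoped = append(scoped, a)
		case unscopedActions[a]:
			unscoped = append(unscoped, a)
		default:
			return nil, fmt.Errorf("unrecognized AWS action %q has no aws:ResourceTag classification", a)
		}
	}
	var out []statement
	if len(scoped) > 0 {
		cond := map[string]map[string]string{"StringEquals": {"aws:ResourceTag/" + tagKey: "owned"}}
		out = append(out, statement{Effect: "Allow", Action: scoped, Resource: "*", Condition: cond})
	}
	if len(unscoped) > 0 {
		out = append(out, statement{Effect: "Allow", Action: unscoped, Resource: "*"})
	}
	return out, nil
}
func main() {
	stmts, err := buildScopedPolicy([]string{"ec2:StartInstances", "ec2:DescribeInstances"}, "kubernetes.io/cluster/example-infra-id")
	fmt.Println(len(stmts), err) // 2 <nil>: one scoped and one unscoped statement
}
```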

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jul 5, 2026
@openshift-ci-robot

Contributor

@razo7: This pull request references Jira Issue OCPBUGS-97666, which is invalid:

  • expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested review from dlom and jstuever July 5, 2026 07:24
@openshift-ci

openshift-ci Bot commented Jul 5, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: razo7
Once this PR has been reviewed and has the lgtm label, please assign dlom for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 5, 2026


Walkthrough

Added three EC2 instance-management actions (ec2:RebootInstances, ec2:StartInstances, ec2:StopInstances) to the infraResourceTagScopedActions allowlist in pkg/aws/utils.go, and added a corresponding test subtest verifying these actions are classified as resource-tag scoped.

Changes

EC2 Resource Tag Scoping

Layer: Add EC2 instance actions to scoped allowlist and verify
File(s): pkg/aws/utils.go, pkg/aws/utils_test.go
Summary: Adds ec2:RebootInstances, ec2:StartInstances, and ec2:StopInstances to the infraResourceTagScopedActions map and adds a subtest asserting these actions return supported=true with no error from SupportsInfraResourceTagCondition.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Pre-merge checks: 15 passed

  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names (Passed): Added/updated test titles are static, descriptive strings; no generated names, timestamps, UUIDs, or other run-dependent data appear in the Ginkgo/t.Run names.
  • Test Structure And Quality (Passed): No Ginkgo tests were added; the new Go subtest is focused, needs no setup/cleanup/timeouts, and includes clear failure messages.
  • Microshift Test Compatibility (Passed): No new Ginkgo e2e tests were added; the PR only changes pkg/aws utils code and a standard Go unit test with no MicroShift-sensitive APIs.
  • Single Node Openshift (SNO) Test Compatibility (Passed): No new Ginkgo/e2e tests were added; the PR only updates AWS action maps and a standard unit test, with no multi-node or HA assumptions.
  • Topology-Aware Scheduling Compatibility (Passed): Only AWS action classification and unit tests changed; no deployment manifests, controllers, replicas, affinity, node selectors, or topology logic were added.
  • OTE Binary Stdout Contract (Passed): PR only updates an action map and a normal test subtest; no main/init/TestMain/suite-level stdout writes were added.
  • IPv6 And Disconnected Network Test Compatibility (Passed): pkg/aws/utils_test.go adds a plain Go unit test (testing/testify), not Ginkgo e2e; no IPv4 or external-network assumptions were found.
  • No-Weak-Crypto (Passed): PR only adds AWS action classifications and tests; no weak crypto, custom crypto, or secret comparisons were introduced.
  • Container-Privileges (Passed): PR only changes pkg/aws utils and tests; no container/K8s manifests or privilege settings were added or modified.
  • No-Sensitive-Data-In-Logs (Passed): Changes only update action classification and tests; no new logs or sensitive fields were introduced.
  • Description Check (Passed): Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check (Passed): The title clearly matches the main change by classifying EC2 instance management actions as scoped.

Add ec2:StartInstances, ec2:StopInstances, and ec2:RebootInstances
to infraResourceTagScopedActions. These actions operate on existing
EC2 instances and support the aws:ResourceTag condition, matching
ec2:TerminateInstances which is already classified as scoped.

Without this classification, any CredentialsRequest that includes
these actions causes CCO to error with "unrecognized AWS action"
since PR openshift#1043 introduced strict action classification.

Assisted-by: Claude Code (claude-opus-4-6)
@razo7 razo7 force-pushed the OCPBUGS-97666-add-ec2-instance-actions branch from ebe863b to 08cd703 Compare July 5, 2026 08:03