OCPBUGS-97666: Classify ec2 instance management actions as scoped#1058
razo7 wants to merge 1 commit into
@razo7: This pull request references Jira Issue OCPBUGS-97666, which is invalid. The bug has been updated to refer to the pull request using the external bug tracker.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: razo7. Needs approval from an approver in each of these files. The full list of commands accepted by this bot can be found here.
Walkthrough (CodeRabbit): Added three EC2 instance-management actions (ec2:RebootInstances, ec2:StartInstances, ec2:StopInstances) to the infraResourceTagScopedActions allowlist in pkg/aws/utils.go, and added a corresponding test subtest verifying these actions are classified as resource-tag scoped.
Add ec2:StartInstances, ec2:StopInstances, and ec2:RebootInstances to infraResourceTagScopedActions. These actions operate on existing EC2 instances and support the aws:ResourceTag condition, matching ec2:TerminateInstances which is already classified as scoped. Without this classification, any CredentialsRequest that includes these actions causes CCO to error with "unrecognized AWS action" since PR openshift#1043 introduced strict action classification.

Assisted-by: Claude Code (claude-opus-4-6)
ebe863b to 08cd703
Hi all! First-time contributor here 😄
I'm from the Medik8s team. We maintain several node remediation operators for OpenShift, including Fence Agents Remediation (FAR).
Summary
Add ec2:StartInstances, ec2:StopInstances, and ec2:RebootInstances to infraResourceTagScopedActions in pkg/aws/utils.go. These three EC2 instance management actions support the aws:ResourceTag condition (per the AWS Service Authorization Reference) and belong alongside ec2:TerminateInstances, which is already classified as scoped.
Why
PR #1043 introduced strict IAM policy scoping — any action not classified in either infraResourceTagScopedActions or infraResourceTagUnscopedActions now causes CCO to error.
Fence Agents Remediation (FAR) is a Medik8s operator for automated node remediation using fence agents across multiple platforms. When running e2e tests on OCP CI against AWS clusters, FAR provisions AWS credentials via a CredentialsRequest that declares ec2:StartInstances, ec2:StopInstances, and ec2:RebootInstances for EC2 fencing. Since these actions are missing from both classification maps, credential provisioning fails (source):
This blocks all FAR e2e tests on OCP 4.23+ and 5.0:
Relationship to PR #1057
This PR is a surgical fix for the three missing actions. PR #1057 proposes a full revert of #1043 due to broader CSI snapshot failures (OCPBUGS-96892). If #1057 merges first, this PR becomes a no-op (the maps it adds to would no longer exist). If this PR merges first, it unblocks FAR independently of the revert.
Tracked in OCPBUGS-97666.
Changes
pkg/aws/utils.go: Add 3 actions to infraResourceTagScopedActions (alphabetically, next to ec2:TerminateInstances)
pkg/aws/utils_test.go: Add test verifying the 3 new actions are classified as scoped
Testing
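As an added illustration, not the cloud-credential-operator's own code or this PR's test, the allowlist scheme the description refers to: requested actions are split into a tag-scoped statement and an unscoped one, and anything outside both maps is rejected with the "unrecognized AWS action" error that blocked FAR. The Statement type, the unscoped sample entry and the exact aws:ResourceTag key are assumptions.

```go
package main

import "fmt"

// Illustrative allowlists (not CCO's real code): actions that honour aws:ResourceTag.
var infraResourceTagScopedActions = map[string]bool{
	"ec2:RebootInstances":    true, // added by this PR
	"ec2:StartInstances":     true, // added by this PR
	"ec2:StopInstances":      true, // added by this PR
	"ec2:TerminateInstances": true, // already scoped before the PR
}

// Actions that cannot carry a resource-tag condition (constructed sample entry).
var infraResourceTagUnscopedActions = map[string]bool{"ec2:DescribeInstances": true}

// Statement is a minimal IAM policy statement.
type Statement struct {
	Action    []string
	Condition map[string]map[string]string // only set for scoped actions
}

// BuildStatements splits requested actions into a tag-scoped and an unscoped
// statement and rejects any action in neither allowlist (the strict check).
func BuildStatements(actions []string, infraID string) ([]Statement, error) {
	var scoped, unscoped []string
	for _, a := range actions {
		switch {
		case infraResourceTagScopedActions[a]:
			scoped = append(scoped, a)
		case infraResourceTagUnscopedActions[a]:
			unscoped = append(unscoped, a)
		default:
			return nil, fmt.Errorf("unrecognized AWS action %q", a)
		}
	}
	var out []Statement
	if len(scoped) > 0 { // tag key is an assumption, not CCO's exact key
		cond := map[string]map[string]string{"StringEquals": {
			"aws:ResourceTag/kubernetes.io/cluster/" + infraID: "owned"}}
		out = append(out, Statement{Action: scoped, Condition: cond})
	}
	if len(unscoped) > 0 {
		out = append(out, Statement{Action: unscoped})
	}
	return out, nil
}

func main() {
	fmt.Println(BuildStatements([]string{"ec2:StopInstances", "ec2:DescribeInstances"}, "mycluster-abc12"))
}
```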