
Allow ROSANodePoolManagementPolicy to reconcile tags on ENIs

Open mjlshen opened this issue 10 months ago • 3 comments

What type of PR is this?

bug

What this PR does / why we need it?

This is for the egressIP feature of the cluster-network-operator. It relies on performing actions against network interface (ENI) objects in AWS. However, its AWS Managed Policy only allows it to perform actions against ENIs with the red-hat-managed: true tag, and none of the worker node ENIs of ROSA HCP clusters have this tag.

cluster-api-provider-aws is already trying to tag the ENIs after creation (https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/0baa03c61701a287678b0ac83b66a8018886e54f/pkg/cloud/services/ec2/instances.go#L294-L303); however, the ROSANodePoolManagementPolicy does not have the necessary AWS permissions.

This PR fixes this bug on the ROSANodePoolManagementPolicy Managed Policy:

Allow CAPA to reconcile tags on ENIs

  • CAPA has been trying to tag ENIs, however this has not been allowed by our managed policy and considered non-impactful
  • However, recently we realized that this prevents the egressIP feature from working and this PR fixes this bug

Which Jira/Github issue(s) this PR fixes?

OSD-19650

Special notes for your reviewer:

Pre-checks (if applicable):

  • [x] Tested latest changes against a cluster

  • [ ] Included documentation changes with PR

  • [ ] If this is a new object that is not intended for the FedRAMP environment (if unsure, please reach out to team FedRAMP), please exclude it with:

    matchExpressions:
    - key: api.openshift.com/fedramp
      operator: NotIn
      values: ["true"]
    

mjlshen, May 01 '24 03:05
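As an added check (not code from this PR, CAPA or managed-cluster-config), the following Python walks DescribeNetworkInterfaces-shaped data and lists worker-node ENIs that still lack the red-hat-managed: true tag, which is how a reviewer could confirm that CAPA's tagging now succeeds. The ENI records and instance ids are constructed; a real run would feed it the boto3 describe_network_interfaces response and the cluster's worker instance ids.

```python
"""Audit ROSA HCP worker ENIs for the red-hat-managed=true tag.

Added example, not code from managed-cluster-config or CAPA. It consumes the
dict shape returned by EC2 DescribeNetworkInterfaces (boto3 form) and reports
worker-node ENIs that the egressIP managed policy would not cover because the
tag is absent. All sample data below is constructed.
"""

REQUIRED_TAG = ("red-hat-managed", "true")


def tags_of(eni):
    """Flatten an ENI's TagSet ([{Key, Value}, ...]) into a plain dict."""
    return {t["Key"]: t["Value"] for t in eni.get("TagSet", [])}


def is_worker_eni(eni, worker_instance_ids):
    """True when the ENI is attached to one of the known worker instances."""
    attachment = eni.get("Attachment") or {}
    return attachment.get("InstanceId") in worker_instance_ids


def untagged_worker_enis(enis, worker_instance_ids):
    """Return sorted ids of worker ENIs lacking red-hat-managed=true.

    Key and value are matched exactly: an IAM StringEquals tag condition is
    case-sensitive, so a stray "True" or "yes" is flagged as missing too.
    """
    key, value = REQUIRED_TAG
    return sorted(
        eni["NetworkInterfaceId"]
        for eni in enis
        if is_worker_eni(eni, worker_instance_ids) and tags_of(eni).get(key) != value
    )


# Constructed sample resembling DescribeNetworkInterfaces output.
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0aaa", "Attachment": {"InstanceId": "i-worker1"},
     "TagSet": [{"Key": "red-hat-managed", "Value": "true"}]},
    {"NetworkInterfaceId": "eni-0bbb", "Attachment": {"InstanceId": "i-worker2"},
     "TagSet": [{"Key": "Name", "Value": "worker-2"}]},
    {"NetworkInterfaceId": "eni-0ccc", "Attachment": {"InstanceId": "i-worker3"},
     "TagSet": [{"Key": "red-hat-managed", "Value": "True"}]},
    {"NetworkInterfaceId": "eni-0ddd", "Attachment": {"InstanceId": "i-other"},
     "TagSet": []},  # not a worker, so out of scope
    {"NetworkInterfaceId": "eni-0eee", "TagSet": []},  # unattached ENI
]
WORKERS = {"i-worker1", "i-worker2", "i-worker3"}  # constructed worker ids

if __name__ == "__main__":
    print("worker ENIs missing red-hat-managed=true:",
          untagged_worker_enis(SAMPLE_ENIS, WORKERS))
```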