Conversation

@barbacbd
Contributor

Removing SimulatePrincipalPolicy as a required permission for Mint and Passthrough modes. Instead it will be required when a credential mode is not set.

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Nov 13, 2025
@openshift-ci-robot
Contributor

@barbacbd: This pull request references Jira Issue OCPBUGS-63305, which is invalid:

  • expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Removing SimulatePrincipalPolicy as a required permission for Mint and Passthrough modes. Instead it will be required when a credential mode is not set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@barbacbd
Contributor Author

/cc @tthvo
/cc @patrickdillon

@barbacbd
Contributor Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Nov 13, 2025
@openshift-ci-robot
Contributor

@barbacbd: This pull request references Jira Issue OCPBUGS-63305, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @gpei

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@tthvo
Member

tthvo commented Nov 14, 2025

Looks like we have a tiny problem 🤔 related to #10081 (comment). Jobs are failing with:

level=warning msg=Action not allowed with tested creds action=iam:CreateAccessKey
level=warning msg=Action not allowed with tested creds action=iam:CreateUser
level=warning msg=Action not allowed with tested creds action=iam:DeleteUserPolicy
level=warning msg=Action not allowed with tested creds action=iam:GetUserPolicy
level=warning msg=Action not allowed with tested creds action=iam:ListAccessKeys
level=warning msg=Action not allowed with tested creds action=iam:PutUserPolicy
level=warning msg=Action not allowed with tested creds action=iam:TagUser
level=warning msg=Tested creds not able to perform all requested actions
level=warning msg=Action not allowed with tested creds action=s3:PutLifecycleConfiguration
level=warning msg=Action not allowed with tested creds action=s3:ListBucketMultipartUploads
level=warning msg=Action not allowed with tested creds action=s3:AbortMultipartUpload
level=warning msg=Action not allowed with tested creds action=iam:GetUserPolicy
level=warning msg=Action not allowed with tested creds action=iam:ListAccessKeys
level=warning msg=Tested creds not able to perform all requested actions
level=fatal msg=failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset "Platform Permissions Check": validate AWS credentials: AWS credentials cannot be used to either create new creds or use as-is
Installer exit with code 1
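To make the warnings above easier to act on, here is a small parser, added as an example and not part of the installer or this PR, that reads the installer's permission-check output, groups every "Action not allowed with tested creds" action by service, de-duplicates the actions that are reported twice (once per credentials mode the installer tries), and records whether the run ended in a level=fatal line. The sample log is constructed from the lines quoted in the comment above; the parser also accepts the quoted form of the msg field that logrus normally emits.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// sampleLog is constructed from the warning/fatal lines quoted in the comment above.
const sampleLog = `level=warning msg=Action not allowed with tested creds action=iam:CreateAccessKey
level=warning msg=Action not allowed with tested creds action=iam:CreateUser
level=warning msg=Action not allowed with tested creds action=iam:DeleteUserPolicy
level=warning msg=Action not allowed with tested creds action=iam:GetUserPolicy
level=warning msg=Action not allowed with tested creds action=iam:ListAccessKeys
level=warning msg=Action not allowed with tested creds action=iam:PutUserPolicy
level=warning msg=Action not allowed with tested creds action=iam:TagUser
level=warning msg=Tested creds not able to perform all requested actions
level=warning msg=Action not allowed with tested creds action=s3:PutLifecycleConfiguration
level=warning msg=Action not allowed with tested creds action=s3:ListBucketMultipartUploads
level=warning msg=Action not allowed with tested creds action=s3:AbortMultipartUpload
level=warning msg=Action not allowed with tested creds action=iam:GetUserPolicy
level=warning msg=Action not allowed with tested creds action=iam:ListAccessKeys
level=warning msg=Tested creds not able to perform all requested actions
level=fatal msg=failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset "Platform Permissions Check": validate AWS credentials: AWS credentials cannot be used to either create new creds or use as-is
Installer exit with code 1`

// PermissionReport summarises what the installer's permission check reported.
type PermissionReport struct {
	Denied map[string][]string // service (e.g. "iam") -> sorted, de-duplicated actions
	Fatal  bool                // true when a level=fatal line was seen
}

// TotalDenied returns the number of distinct actions the tested creds lacked.
func (r PermissionReport) TotalDenied() int {
	n := 0
	for _, actions := range r.Denied {
		n += len(actions)
	}
	return n
}

// ParsePermissionLog extracts the denied actions and fatal state from installer output.
func ParsePermissionLog(log string) PermissionReport {
	seen := map[string]map[string]struct{}{}
	rep := PermissionReport{Denied: map[string][]string{}}
	for _, line := range strings.Split(log, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "level=fatal ") {
			rep.Fatal = true
			continue
		}
		if !strings.Contains(line, "Action not allowed with tested creds") {
			continue
		}
		// The action is the last key=value pair; tolerate a quoted value.
		idx := strings.LastIndex(line, "action=")
		if idx < 0 {
			continue
		}
		action := strings.Trim(line[idx+len("action="):], `"`)
		svc, _, ok := strings.Cut(action, ":")
		if !ok {
			continue
		}
		if seen[svc] == nil {
			seen[svc] = map[string]struct{}{}
		}
		seen[svc][action] = struct{}{}
	}
	for svc, set := range seen {
		for a := range set {
			rep.Denied[svc] = append(rep.Denied[svc], a)
		}
		sort.Strings(rep.Denied[svc])
	}
	return rep
}

func main() {
	rep := ParsePermissionLog(sampleLog)
	fmt.Printf("fatal=%v distinct denied actions=%d\n", rep.Fatal, rep.TotalDenied())
	for svc, actions := range rep.Denied {
		fmt.Printf("%s: %s\n", svc, strings.Join(actions, ", "))
	}
}
```

Running it on the sample collapses the fourteen warnings into seven distinct iam actions and three s3 actions, which is the list to compare against the policy attached to the credentials the installer was given.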

@barbacbd
Contributor Author

/retest-required

@patrickdillon
Contributor

/approve

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 14, 2025
@patrickdillon
Contributor

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 14, 2025
@tthvo
Member

tthvo commented Nov 15, 2025

/cc @jstuever

@openshift-ci openshift-ci bot requested a review from jstuever November 15, 2025 11:17
@tthvo
Member

tthvo commented Nov 15, 2025

I read through the CCO code more... The 2 places in the actuator where the permission check is called are here: actuator.go#L280 and actuator.go#L488.

I tried so many ways (i.e. all with credentialsMode: <mode> explicitly set) but those lines were never reached:

  1. Day-1 Mint mode
  2. Day-1 Passthrough
  3. Day-1 Passthrough and switch to Mint mode in Day 2
  4. Day-1 Mint mode and modify policy document for CredentialsRequest

My expectation is that if those lines were ever called, we would see a CloudTrail event regardless of success or auth error. There is none ❌ The installation completes successfully every time with a happy CCO and all CredentialsRequests satisfied, and the day 2 cases above worked just fine.

Maybe we are missing something, but CCO doesn't seem to perform any permission checks in explicitly Mint mode at all?

@gpei
Contributor

gpei commented Nov 17, 2025

/jira refresh

@openshift-ci-robot
Contributor

@gpei: This pull request references Jira Issue OCPBUGS-63305, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yunjiang29

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from yunjiang29 November 17, 2025 05:13
Removing SimulatePrincipalPolicy as a required permission for Mint and Passthrough modes.
Instead it will be required when a credential mode is not set.
@openshift-ci
Contributor

openshift-ci bot commented Nov 17, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: patrickdillon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@deepsm007
Contributor

/test

@openshift-ci
Contributor

openshift-ci bot commented Nov 17, 2025

@deepsm007: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

/test artifacts-images
/test e2e-agent-compact-ipv4
/test e2e-aws-ovn
/test e2e-aws-ovn-edge-zones-manifest-validation
/test e2e-aws-ovn-upi
/test e2e-azure-nat-gateway-single-zone
/test e2e-azure-ovn
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upi
/test e2e-metal-ipi-ovn-ipv6
/test e2e-openstack-ovn
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi
/test gofmt
/test golint
/test govet
/test images
/test integration-tests
/test integration-tests-nodejoiner
/test okd-scos-images
/test openstack-manifests
/test shellcheck
/test unit
/test verify-codegen
/test verify-deps
/test verify-vendor
/test yaml-lint

The following commands are available to trigger optional jobs:

/test aws-private
/test azure-ovn-marketplace-images
/test azure-private
/test e2e-agent-4control-ipv4
/test e2e-agent-5control-ipv4
/test e2e-agent-compact-ipv4-appliance-diskimage
/test e2e-agent-compact-ipv4-iso-no-registry
/test e2e-agent-compact-ipv4-none-platform
/test e2e-agent-compact-ipv6-minimaliso
/test e2e-agent-ha-dualstack
/test e2e-agent-sno-ipv4-pxe
/test e2e-agent-sno-ipv6
/test e2e-agent-two-node-fencing-ipv4
/test e2e-aws-byo-subnet-role-security-groups
/test e2e-aws-custom-dns-techpreview
/test e2e-aws-default-config
/test e2e-aws-overlay-mtu-ovn-1200
/test e2e-aws-ovn-custom-iam-profile
/test e2e-aws-ovn-edge-zones
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-heterogeneous
/test e2e-aws-ovn-imdsv2
/test e2e-aws-ovn-proxy
/test e2e-aws-ovn-public-ipv4-pool
/test e2e-aws-ovn-public-ipv4-pool-disabled
/test e2e-aws-ovn-public-subnets
/test e2e-aws-ovn-shared-vpc-custom-security-groups
/test e2e-aws-ovn-shared-vpc-edge-zones
/test e2e-aws-ovn-single-node
/test e2e-aws-ovn-techpreview
/test e2e-aws-ovn-upgrade
/test e2e-aws-upi-proxy
/test e2e-azure-custom-dns-techpreview
/test e2e-azure-default-config
/test e2e-azure-ovn-multidisk-techpreview
/test e2e-azure-ovn-resourcegroup
/test e2e-azure-ovn-shared-vpc
/test e2e-azure-ovn-techpreview
/test e2e-azure-ovn-upi
/test e2e-azurestack
/test e2e-azurestack-upi
/test e2e-crc
/test e2e-external-aws
/test e2e-external-aws-ccm
/test e2e-gcp-custom-dns
/test e2e-gcp-custom-endpoints
/test e2e-gcp-default-config
/test e2e-gcp-ovn-byo-vpc
/test e2e-gcp-ovn-heterogeneous
/test e2e-gcp-ovn-techpreview
/test e2e-gcp-ovn-xpn
/test e2e-gcp-secureboot
/test e2e-gcp-upgrade
/test e2e-gcp-upi-xpn
/test e2e-gcp-xpn-dedicated-dns-project
/test e2e-ibmcloud-ovn
/test e2e-metal-assisted
/test e2e-metal-ipi-ovn
/test e2e-metal-ipi-ovn-dualstack
/test e2e-metal-ipi-ovn-swapped-hosts
/test e2e-metal-ipi-ovn-virtualmedia
/test e2e-metal-ovn-two-node-arbiter
/test e2e-metal-ovn-two-node-fencing
/test e2e-metal-single-node-live-iso
/test e2e-nutanix-ovn
/test e2e-openstack-ccpmso
/test e2e-openstack-ccpmso-zone
/test e2e-openstack-dualstack
/test e2e-openstack-dualstack-upi
/test e2e-openstack-externallb
/test e2e-openstack-nfv-intel
/test e2e-openstack-proxy
/test e2e-openstack-singlestackv6
/test e2e-powervs-capi-ovn
/test e2e-vsphere-externallb-ovn
/test e2e-vsphere-host-groups-ovn-techpreview
/test e2e-vsphere-multi-vcenter-ovn
/test e2e-vsphere-ovn-disk-setup-techpreview
/test e2e-vsphere-ovn-hybrid-env
/test e2e-vsphere-ovn-multi-disk
/test e2e-vsphere-ovn-multi-network
/test e2e-vsphere-ovn-techpreview
/test e2e-vsphere-ovn-upi-zones
/test e2e-vsphere-ovn-zones
/test e2e-vsphere-ovn-zones-techpreview
/test e2e-vsphere-static-ovn
/test gcp-private
/test okd-scos-e2e-aws-ovn

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-installer-main-artifacts-images
pull-ci-openshift-installer-main-aws-private
pull-ci-openshift-installer-main-e2e-aws-byo-subnet-role-security-groups
pull-ci-openshift-installer-main-e2e-aws-default-config
pull-ci-openshift-installer-main-e2e-aws-ovn
pull-ci-openshift-installer-main-e2e-aws-ovn-edge-zones
pull-ci-openshift-installer-main-e2e-aws-ovn-edge-zones-manifest-validation
pull-ci-openshift-installer-main-e2e-aws-ovn-fips
pull-ci-openshift-installer-main-e2e-aws-ovn-heterogeneous
pull-ci-openshift-installer-main-e2e-aws-ovn-imdsv2
pull-ci-openshift-installer-main-e2e-aws-ovn-shared-vpc-custom-security-groups
pull-ci-openshift-installer-main-e2e-aws-ovn-shared-vpc-edge-zones
pull-ci-openshift-installer-main-e2e-aws-ovn-single-node
pull-ci-openshift-installer-main-gofmt
pull-ci-openshift-installer-main-golint
pull-ci-openshift-installer-main-govet
pull-ci-openshift-installer-main-images
pull-ci-openshift-installer-main-okd-scos-images
pull-ci-openshift-installer-main-shellcheck
pull-ci-openshift-installer-main-unit
pull-ci-openshift-installer-main-verify-codegen
pull-ci-openshift-installer-main-verify-deps
pull-ci-openshift-installer-main-verify-vendor
pull-ci-openshift-installer-main-yaml-lint

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@deepsm007
Contributor

/test all

@tthvo
Member

tthvo commented Nov 24, 2025

/retest
/test e2e-aws-ovn-public-subnets e2e-aws-ovn-public-ipv4-pool e2e-aws-ovn-custom-iam-profile e2e-aws-overlay-mtu-ovn-1200

@openshift-ci
Contributor

openshift-ci bot commented Nov 25, 2025

@barbacbd: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                              Commit   Details  Required  Rerun command
ci/prow/okd-scos-e2e-aws-ovn           991c8a0  link     false     /test okd-scos-e2e-aws-ovn
ci/prow/e2e-aws-ovn-heterogeneous      6f9176e  link     false     /test e2e-aws-ovn-heterogeneous
ci/prow/e2e-aws-ovn-public-ipv4-pool   6f9176e  link     false     /test e2e-aws-ovn-public-ipv4-pool

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Member

@tthvo tthvo left a comment

/lgtm

IIUC, the latest commit removes the iam:SimulatePrincipalPolicy requirement for Manual and Passthrough credentials modes while keeping it for Mint mode or the default (empty) mode.

I am unsure if we need to also remove it for Mint mode as in #10081 (comment). But we can definitely remove it later if so.

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 25, 2025