Skip to content

OCPBUGS-96892: Revert "OCPBUGS-87829: Scope minted AWS IAM policies to cluster-owned resources"#1057

Merged
openshift-merge-bot[bot] merged 1 commit into
openshift:masterfrom
redhat-chai-bot:revert-1043-scoped-iam-policies
Jul 6, 2026
Merged

OCPBUGS-96892: Revert "OCPBUGS-87829: Scope minted AWS IAM policies to cluster-owned resources"#1057
openshift-merge-bot[bot] merged 1 commit into
openshift:masterfrom
redhat-chai-bot:revert-1043-scoped-iam-policies

Conversation

@redhat-chai-bot

Copy link
Copy Markdown
Contributor

Summary

This reverts commit 383d3a2 (PR #1043), which introduced scoped IAM policies for cluster-owned resources.

Why

PR #1043 caused multiple regressions in the e2e-aws-csi job — all snapshot-related tests have been permafailing since Jun 29. This has blocked PRs from merging in any repository that uses aws-csi as a required presubmit, including openshift/origin.

Merge conflict resolution

PR #1053 (OCPBUGS-95187: Reclassify ec2:ModifyNetworkInterfaceAttribute as unscoped) modified the scoped/unscoped action maps introduced by #1043. Since this revert removes those maps entirely, #1053's changes are also effectively reverted and will need to be re-applied when the scoping feature is re-landed.

Unreverting

To unrevert, please land a corrected version of this feature that fixes the snapshot test failures and verify with:

/payload-job periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-csi

A fix is being investigated in PR #1054.

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jul 3, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@redhat-chai-bot: This pull request references Jira Issue OCPBUGS-96892, which is invalid:

  • expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

This reverts commit 383d3a2 (PR #1043), which introduced scoped IAM policies for cluster-owned resources.

Why

PR #1043 caused multiple regressions in the e2e-aws-csi job — all snapshot-related tests have been permafailing since Jun 29. This has blocked PRs from merging in any repository that uses aws-csi as a required presubmit, including openshift/origin.

Merge conflict resolution

PR #1053 (OCPBUGS-95187: Reclassify ec2:ModifyNetworkInterfaceAttribute as unscoped) modified the scoped/unscoped action maps introduced by #1043. Since this revert removes those maps entirely, #1053's changes are also effectively reverted and will need to be re-applied when the scoping feature is re-landed.

Unreverting

To unrevert, please land a corrected version of this feature that fixes the snapshot test failures and verify with:

/payload-job periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-csi

A fix is being investigated in PR #1054.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@redhat-chai-bot, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 23 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 134e3b7e-32af-4d03-8e3b-dc4575b54231

📥 Commits

Reviewing files that changed from the base of the PR and between d9f0942 and 4ce2d15.

📒 Files selected for processing (5)
  • hack/verify-action-maps.sh
  • pkg/aws/actuator/actuator.go
  • pkg/aws/actuator/actuator_test.go
  • pkg/aws/utils.go
  • pkg/aws/utils_test.go
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from dlom and jstuever July 3, 2026 13:14
@dgoodwin

dgoodwin commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

/payload-job periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-csi

If this passes I will merge the revert today.

@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@dgoodwin: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-csi

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/468eaa30-76e1-11f1-9fce-07bb33211d05-0

@codecov

codecov Bot commented Jul 3, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 47.03%. Comparing base (d9f0942) to head (4ce2d15).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #1057      +/-   ##
==========================================
- Coverage   47.28%   47.03%   -0.25%     
==========================================
  Files          97       97              
  Lines       12631    12583      -48     
==========================================
- Hits         5973     5919      -54     
- Misses       6001     6008       +7     
+ Partials      657      656       -1     
Files with missing lines Coverage Δ
pkg/aws/actuator/actuator.go 67.15% <100.00%> (-1.47%) ⬇️
pkg/aws/utils.go 83.87% <ø> (-2.25%) ⬇️

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@dlom

dlom commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

/override ci/prow/security

@dlom

dlom commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

/lgtm

@openshift-ci

openshift-ci Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

@dlom: Overrode contexts on behalf of dlom: ci/prow/security

Details

In response to this:

/override ci/prow/security

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@dlom

dlom commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

/verified by everyone

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 5, 2026
@openshift-ci

openshift-ci Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dlom, redhat-chai-bot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 5, 2026
@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jul 5, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@dlom: This PR has been marked as verified by everyone.

Details

In response to this:

/verified by everyone

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@dlom

dlom commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

/jira refresh

@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@dlom: This pull request references Jira Issue OCPBUGS-96892, which is invalid:

  • expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@pmeida

pmeida commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

@dlom any update on this?
Would be interested on the following steps if this gets merged, as this is reverting the changes I did in #1053 and the backports for it were already opened: #1055 #1056

I would be fine with closing them, if this one gets merged, if the later reintroduction/fix of it includes the logic addressed in #1053

@neisw

neisw commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jul 6, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@neisw: This pull request references Jira Issue OCPBUGS-96892, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@neisw

neisw commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

/override ci/prow/okd-scos-images

@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

@neisw: Overrode contexts on behalf of neisw: ci/prow/okd-scos-images

Details

In response to this:

/override ci/prow/okd-scos-images

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

@redhat-chai-bot: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit 9710974 into openshift:master Jul 6, 2026
13 checks passed
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@redhat-chai-bot: Jira Issue OCPBUGS-96892: Some pull requests linked via external trackers have merged:

The following pull request, linked via external tracker, has not merged:

All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-96892 has not been moved to the MODIFIED state.

This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload.

Details

In response to this:

Summary

This reverts commit 383d3a2 (PR #1043), which introduced scoped IAM policies for cluster-owned resources.

Why

PR #1043 caused multiple regressions in the e2e-aws-csi job — all snapshot-related tests have been permafailing since Jun 29. This has blocked PRs from merging in any repository that uses aws-csi as a required presubmit, including openshift/origin.

Merge conflict resolution

PR #1053 (OCPBUGS-95187: Reclassify ec2:ModifyNetworkInterfaceAttribute as unscoped) modified the scoped/unscoped action maps introduced by #1043. Since this revert removes those maps entirely, #1053's changes are also effectively reverted and will need to be re-applied when the scoping feature is re-landed.

Unreverting

To unrevert, please land a corrected version of this feature that fixes the snapshot test failures and verify with:

/payload-job periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-csi

A fix is being investigated in PR #1054.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@nrb

nrb commented Jul 6, 2026

Copy link
Copy Markdown

/cherry-pick release-4.22 release-4.21 release-4.20

@openshift-cherrypick-robot

Copy link
Copy Markdown

@nrb: #1057 failed to apply on top of branch "release-4.22":

Applying: OCPBUGS-96892: Revert "OCPBUGS-87829: Scope minted AWS IAM policies to cluster-owned resources"
Using index info to reconstruct a base tree...
M	hack/verify-action-maps.sh
M	pkg/aws/actuator/actuator.go
M	pkg/aws/utils.go
M	pkg/aws/utils_test.go
Falling back to patching base and 3-way merge...
CONFLICT (modify/delete): hack/verify-action-maps.sh deleted in OCPBUGS-96892: Revert "OCPBUGS-87829: Scope minted AWS IAM policies to cluster-owned resources" and modified in HEAD.  Version HEAD of hack/verify-action-maps.sh left in tree.
Auto-merging pkg/aws/actuator/actuator.go
Auto-merging pkg/aws/utils.go
CONFLICT (content): Merge conflict in pkg/aws/utils.go
CONFLICT (modify/delete): pkg/aws/utils_test.go deleted in OCPBUGS-96892: Revert "OCPBUGS-87829: Scope minted AWS IAM policies to cluster-owned resources" and modified in HEAD.  Version HEAD of pkg/aws/utils_test.go left in tree.
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 OCPBUGS-96892: Revert "OCPBUGS-87829: Scope minted AWS IAM policies to cluster-owned resources"

Details

In response to this:

/cherry-pick release-4.22 release-4.21 release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@amitesh1201

Copy link
Copy Markdown

Revert PRs for the remaining release branches where #1043 cherry-picks had already merged:

release-4.21: #1060 (reverts #1046)
release-4.20: #1061 (reverts #1047)
release-4.22: #1059 (by @nrb, already in progress)

Cherry-pick PRs for release-4.19, 4.18, and 4.17 were still open and have been closed without merging.

These reverts need /lgtm and CI overrides (/override ci/prow/security) to merge. cc @dlom

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Development

Successfully merging this pull request may close these issues.

9 participants