Skip to content

OCPBUGS-97920: allow specific actions for AWS EFS CredentialsRequest#578

Open
dobsonj wants to merge 1 commit into
openshift:mainfrom
dobsonj:OCPBUGS-97920
Open

OCPBUGS-97920: allow specific actions for AWS EFS CredentialsRequest#578
dobsonj wants to merge 1 commit into
openshift:mainfrom
dobsonj:OCPBUGS-97920

Conversation

@dobsonj

@dobsonj dobsonj commented Jul 15, 2026

Copy link
Copy Markdown
Member

https://redhat.atlassian.net/browse/OCPBUGS-97920

This PR replaces the wildcard elasticfilesystem:* in the CredentialsRequest for AWS EFS with specific actions from https://github.com/openshift/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json

/cc @openshift/storage

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jul 15, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@dobsonj: This pull request references Jira Issue OCPBUGS-97920, which is invalid:

  • expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

https://redhat.atlassian.net/browse/OCPBUGS-97920

/cc @openshift/storage

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci

openshift-ci Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

@dobsonj: GitHub didn't allow me to request PR reviews from the following users: openshift/storage.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

https://redhat.atlassian.net/browse/OCPBUGS-97920

/cc @openshift/storage

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

The AWS EFS CSI driver credentials request now grants an explicit set of Elastic File System API actions instead of the wildcard elasticfilesystem:* permission. The list includes describe operations, access point creation and deletion, and resource tagging.

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR only updates AWS EFS credential YAML files; no Ginkgo test titles or test files were changed.
Test Structure And Quality ✅ Passed No Ginkgo test code was changed; the PR only updates AWS EFS credentials YAML files.
Microshift Test Compatibility ✅ Passed Only AWS EFS IAM YAML overlays changed; no Ginkgo/e2e test files or test keywords were added, so MicroShift compatibility isn’t impacted.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No Ginkgo tests were added; the diff only changes AWS EFS credentials YAML files.
Topology-Aware Scheduling Compatibility ✅ Passed Only AWS EFS IAM action lists changed in two CredentialsRequest YAMLs; no pod specs, replicas, affinity, selectors, or topology constraints were added.
Ote Binary Stdout Contract ✅ Passed Only the AWS EFS credentials YAML is changed; no main/init/TestMain/suite setup code or stdout writes were touched.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR only changes AWS EFS credentials YAML; no new Ginkgo/e2e test files or test bodies were added, so no IPv4/disconnected-network risk here.
No-Weak-Crypto ✅ Passed Touched files only adjust AWS EFS IAM actions in YAML; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token comparisons found.
Container-Privileges ✅ Passed Touched manifests only changed IAM actions in CredentialsRequest; no privileged, host*, SYS_ADMIN, root, or allowPrivilegeEscalation fields were added.
No-Sensitive-Data-In-Logs ✅ Passed The PR only changes an AWS EFS credentials policy file; no logging code or secret-bearing log statements were added.
Title check ✅ Passed The title clearly summarizes the change to replace wildcard AWS EFS permissions with specific actions.
Description check ✅ Passed The description matches the patch and explains the CredentialsRequest permission change.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci

openshift-ci Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dobsonj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 15, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@assets/overlays/aws-efs/base/credentials.yaml`:
- Around line 16-22: Update the EFS permissions list in credentials.yaml by
removing elasticfilesystem:CreateAccessPoint and
elasticfilesystem:DeleteAccessPoint. Keep elasticfilesystem:TagResource only if
required, and ensure it remains scoped by the existing cluster-tag condition
rather than resource "*".
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 038478f9-782a-45b3-844b-0a2aaff3eff1

📥 Commits

Reviewing files that changed from the base of the PR and between 1f64834 and e190622.

⛔ Files ignored due to path filters (1)
  • assets/overlays/aws-efs/generated/standalone/credentials.yaml is excluded by !**/generated/**
📒 Files selected for processing (1)
  • assets/overlays/aws-efs/base/credentials.yaml

Comment thread assets/overlays/aws-efs/base/credentials.yaml
@dobsonj

dobsonj commented Jul 15, 2026

Copy link
Copy Markdown
Member Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jul 15, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@dobsonj: This pull request references Jira Issue OCPBUGS-97920, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci

openshift-ci Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

@dobsonj: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/aws-efs-operator-e2e-extended e190622 link false /test aws-efs-operator-e2e-extended
ci/prow/aws-efs-single-zone-operator-e2e-extended e190622 link false /test aws-efs-single-zone-operator-e2e-extended
ci/prow/hypershift-aws-e2e-external e190622 link true /test hypershift-aws-e2e-external
ci/prow/aws-efs-sts-cross-account-operator-e2e e190622 link false /test aws-efs-sts-cross-account-operator-e2e

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-ci-robot

Copy link
Copy Markdown

@dobsonj: This pull request references Jira Issue OCPBUGS-97920, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
Details

In response to this:

https://redhat.atlassian.net/browse/OCPBUGS-97920

This PR replaces the wildcard elasticfilesystem:* in the CredentialsRequest for AWS EFS with specific actions from https://github.com/openshift/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json

/cc @openshift/storage

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants