
SREP-3817: Allow day-2 CreateTags on existing EBS volumes and snapshots#2655

Draft
dustman9000 wants to merge 1 commit into openshift:master from dustman9000:fix/ebs-csi-createtags-day2

Conversation

@dustman9000 (Member)

Summary

  • Add a new IAM policy statement (CreateTagsExistingVolumes) to the HCP EBS CSI driver policy allowing ec2:CreateTags on existing volumes and snapshots that have the red-hat-managed: true tag
  • Add a Sid to the existing creation-time statement (CreateTagsOnCreate) for clarity
  • Follows the same pattern already used by the CAPA Controller Manager policy for day-2 tag reconciliation

Problem

The EBS CSI driver's EBSVolumeTagsController (introduced in OCP 4.19 via CFE-1131 / PR #297) calls ec2:CreateTags on existing EBS volumes to reconcile infrastructure resource tags. The current policy restricts CreateTags with an ec2:CreateAction condition that only allows tagging during CreateVolume/CreateSnapshot, causing AccessDenied on all day-2 tag operations.

This affects all ROSA HCP clusters on OCP 4.19+. Classic STS clusters are not impacted (they have unrestricted ec2:CreateTags).

Support case: 04362496

Fix

Add a second CreateTags statement that allows tagging existing resources scoped to aws:ResourceTag/red-hat-managed: true. This is the same approach used by the CAPA Controller Manager policy (CreateTagsCAPAControllerReconcileVolume).

Test plan

  • Validate JSON syntax
  • Deploy to integration environment and verify EBS CSI driver day-2 tag reconciliation succeeds
  • Verify volume creation still works with tags applied at creation time
  • Check CloudTrail for absence of AccessDenied on CreateTags from the CSI driver role

Jira: https://issues.redhat.com/browse/SREP-3817

The EBS CSI driver EBSVolumeTagsController (introduced in OCP 4.19 via CFE-1131) calls ec2:CreateTags on existing volumes to reconcile infrastructure resource tags. The current policy restricts CreateTags to only work during CreateVolume/CreateSnapshot via the ec2:CreateAction condition, causing AccessDenied on all day-2 tag operations.

Add a new statement allowing CreateTags on volumes and snapshots that already have the red-hat-managed tag, matching the pattern used by the CAPA Controller Manager policy for day-2 reconciliation.

Jira: https://issues.redhat.com/browse/SREP-3817
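To make the AccessDenied behaviour described above concrete, here is a toy evaluator of the two statements the PR names, added as an illustration (it is not code from the PR or the repository). The statement bodies, resource ARNs and request contexts are reconstructed from the description and are assumptions; only the StringEquals operator is modelled and no explicit Deny exists.

```python
"""Toy IAM evaluation of the two ec2:CreateTags statements this PR describes.
Statement bodies are reconstructed from the PR text (assumed, not the repo's JSON);
only the StringEquals operator is modelled, and the policy has no explicit Deny."""
import fnmatch

EBS_RESOURCES = ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:snapshot/*"]  # assumed ARNs

CREATE_TAGS_ON_CREATE = {  # existing statement: tagging only at CreateVolume/CreateSnapshot
    "Sid": "CreateTagsOnCreate", "Effect": "Allow", "Action": "ec2:CreateTags",
    "Resource": EBS_RESOURCES,
    "Condition": {"StringEquals": {"ec2:CreateAction": ["CreateVolume", "CreateSnapshot"]}},
}
CREATE_TAGS_EXISTING = {  # statement added by the PR: day-2 tagging of red-hat-managed resources
    "Sid": "CreateTagsExistingVolumes", "Effect": "Allow", "Action": "ec2:CreateTags",
    "Resource": EBS_RESOURCES,
    "Condition": {"StringEquals": {"aws:ResourceTag/red-hat-managed": "true"}},
}
POLICY_BEFORE = {"Version": "2012-10-17", "Statement": [CREATE_TAGS_ON_CREATE]}
POLICY_AFTER = {"Version": "2012-10-17", "Statement": [CREATE_TAGS_ON_CREATE, CREATE_TAGS_EXISTING]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(condition, context):
    """StringEquals: every condition key must be present in the request context and match.
    A key absent from the context (ec2:CreateAction is only set while a CreateVolume or
    CreateSnapshot call tags its own new resource) makes the condition false, which is
    why the day-2 reconciler's CreateTags calls fail with AccessDenied under POLICY_BEFORE."""
    return all(context.get(key) in _as_list(expected)
               for key, expected in condition.get("StringEquals", {}).items())

def allowed_sids(policy, action, resource_arn, context):
    """Sids of Allow statements whose Action, Resource and Condition all match the request."""
    return [st["Sid"] for st in policy["Statement"]
            if st["Effect"] == "Allow"
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
            and any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(st["Resource"]))
            and _condition_holds(st.get("Condition", {}), context)]

def is_allowed(policy, action, resource_arn, context):
    return bool(allowed_sids(policy, action, resource_arn, context))

# Constructed request contexts: the EBS CSI driver tagging an already red-hat-managed volume
# on day 2, the same call at creation time, and a volume the cluster does not manage.
VOLUME = "arn:aws:ec2:us-east-1:111122223333:volume/vol-0123456789abcdef0"
DAY2_MANAGED = {"aws:ResourceTag/red-hat-managed": "true"}
AT_CREATE = {"ec2:CreateAction": "CreateVolume"}
DAY2_UNMANAGED = {}
```

Under POLICY_BEFORE the day-2 call on a managed volume matches no statement, while under POLICY_AFTER it matches only CreateTagsExistingVolumes; volumes without the red-hat-managed tag stay unmatched either way.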
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 2, 2026
@openshift-ci-robot

openshift-ci-robot commented Mar 2, 2026

@dustman9000: This pull request references SREP-3817 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.22.0" version, but no target version was set.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 2, 2026
@openshift-ci (Contributor)

openshift-ci bot commented Mar 2, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci (Contributor)

openshift-ci bot commented Mar 2, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dustman9000

The full list of commands accepted by this bot can be found here.

The pull request process is described here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 2, 2026