S3 Controller - repeat reconciling #2070

Open
stefanmcshane opened this issue May 9, 2024 · 0 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. service/s3 Indicates issues or PRs that are related to s3-controller.

Comments

@stefanmcshane
Contributor

stefanmcshane commented May 9, 2024

Describe the bug
When updating the bucket policy of an S3 bucket, the reconciler applies the change continuously. This was flagged by our CloudWatch alarms. The apply was successful from ACK; however, ACK continuously tries to apply what should be a no-op change.

Steps to reproduce

  1. Create S3 Bucket with policy
  2. Add a deny statement
  3. See changes applied every reconcile period

Expected outcome
No-op after first apply

Environment

  • Kubernetes version: 1.24
  • Using EKS (yes/no), if so version?: yes, EKS 1.27
  • AWS service targeted (S3, RDS, etc.): S3 controller v1.0.11

The following is the policy that was applied, where we only added the 3rd statement entry. The previous policy only contained the first 2 statements. Removing the 3rd policy afterwards continues to trigger the CloudWatch alarm.

    {
        "bucketPolicy": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "s3:GetBucketAcl",
                    "Condition": {
                        "StringEquals": {
                            "aws:SourceArn": "arn:aws:cloudtrail:us-east-1:XXXXX:trail/trail-UID"
                        }
                    },
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "cloudtrail.amazonaws.com"
                    },
                    "Resource": "arn:aws:s3:::aws-cloudtrail-logs-UID",
                    "Sid": "AWSCloudTrailAclCheck20150319"
                },
                {
                    "Action": "s3:PutObject",
                    "Condition": {
                        "StringEquals": {
                            "aws:SourceArn": "arn:aws:cloudtrail:us-east-1:XXXXXX:trail/trail-UID",
                            "s3:x-amz-acl": "bucket-owner-full-control"
                        }
                    },
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "cloudtrail.amazonaws.com"
                    },
                    "Resource": "arn:aws:s3:::aws-cloudtrail-logs-UID/AWSLogs/XXXXXX/*",
                    "Sid": "AWSCloudTrailWrite20150319"
                },
                {
                    "Action": "s3:PutObject",
                    "Condition": {
                        "StringNotEquals": {
                            "s3:x-amz-server-side-encryption": "AES256"
                        }
                    },
                    "Effect": "Deny",
                    "Principal": "*",
                    "Resource": "arn:aws:s3:::aws-cloudtrail-logs-UID/*",
                    "Sid": "enforce-encryption-method"
                }
            ]
        }
    }
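The comparison check this report calls for, added here as an example and not code from the issue or from the ACK S3 controller. It assumes, as an illustration and not as the confirmed cause of #2070, that the policy read back from the bucket is textually different from the one that was sent but semantically the same (reordered keys and statements, single-element arrays, Principal "*" spelled as {"AWS": "*"}). A naive compare then reports drift and re-applies on every reconcile; a canonical compare recognizes the no-op while still catching a real change such as the Deny statement being dropped. Both policy strings are constructed from the report's policy with the AWS documentation placeholder account ID, and the function names (NaiveDrift, PoliciesEqual, canonicalize) are mine.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// desiredPolicy is a constructed sample modelled on the policy in the issue
// (placeholder account ID and trail name): one CloudTrail Allow plus the
// added Deny that enforces SSE on PutObject.
const desiredPolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AWSCloudTrailAclCheck20150319", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:GetBucketAcl",
     "Resource": "arn:aws:s3:::aws-cloudtrail-logs-UID",
     "Condition": {"StringEquals": {"aws:SourceArn": "arn:aws:cloudtrail:us-east-1:111122223333:trail/trail-UID"}}},
    {"Sid": "enforce-encryption-method", "Effect": "Deny",
     "Principal": "*",
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::aws-cloudtrail-logs-UID/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}}
  ]
}`

// observedPolicy is a constructed stand-in for what GetBucketPolicy might
// return: same meaning, different text. That S3 rewrites a policy exactly
// this way is an assumption made for the example, not a documented fact.
const observedPolicy = `{"Statement":[
 {"Action":["s3:PutObject"],"Condition":{"StringNotEquals":{"s3:x-amz-server-side-encryption":"AES256"}},"Effect":"Deny","Principal":{"AWS":"*"},"Resource":"arn:aws:s3:::aws-cloudtrail-logs-UID/*","Sid":"enforce-encryption-method"},
 {"Action":["s3:GetBucketAcl"],"Condition":{"StringEquals":{"aws:SourceArn":"arn:aws:cloudtrail:us-east-1:111122223333:trail/trail-UID"}},"Effect":"Allow","Principal":{"Service":["cloudtrail.amazonaws.com"]},"Resource":["arn:aws:s3:::aws-cloudtrail-logs-UID"],"Sid":"AWSCloudTrailAclCheck20150319"}
],"Version":"2012-10-17"}`

// compact re-encodes a document with sorted keys and no whitespace. That is
// as far as a textual comparison can go: it fixes key order, nothing else.
func compact(s string) string {
	var v interface{}
	if err := json.Unmarshal([]byte(s), &v); err != nil {
		return s
	}
	return encode(v)
}

// NaiveDrift is the kind of check that produces a reconcile loop: any
// cosmetic difference between desired and observed looks like drift.
func NaiveDrift(desired, observed string) bool {
	return compact(desired) != compact(observed)
}

// canonicalize rewrites a decoded policy into one normal form so that
// semantically equal documents encode to identical bytes.
func canonicalize(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(t))
		for k, val := range t {
			// IAM treats Principal "*" and {"AWS": "*"} as the same principal.
			if (k == "Principal" || k == "NotPrincipal") && val == "*" {
				val = map[string]interface{}{"AWS": "*"}
			}
			out[k] = canonicalize(val)
		}
		return out
	case []interface{}:
		if len(t) == 1 {
			// ["s3:PutObject"] and "s3:PutObject" are equivalent.
			return canonicalize(t[0])
		}
		items := make([]interface{}, len(t))
		for i, e := range t {
			items[i] = canonicalize(e)
		}
		// Element order carries no meaning in Action, Resource or Statement lists.
		sort.Slice(items, func(i, j int) bool { return encode(items[i]) < encode(items[j]) })
		return items
	default:
		return v
	}
}

// encode marshals with encoding/json, which sorts map keys deterministically.
func encode(v interface{}) string {
	b, err := json.Marshal(v)
	if err != nil {
		return ""
	}
	return string(b)
}

// PoliciesEqual is the comparison a reconciler should make before calling
// PutBucketPolicy: true means the update is a no-op and must be skipped.
func PoliciesEqual(desired, observed string) (bool, error) {
	var d, o interface{}
	if err := json.Unmarshal([]byte(desired), &d); err != nil {
		return false, fmt.Errorf("desired policy: %w", err)
	}
	if err := json.Unmarshal([]byte(observed), &o); err != nil {
		return false, fmt.Errorf("observed policy: %w", err)
	}
	return encode(canonicalize(d)) == encode(canonicalize(o)), nil
}

func main() {
	fmt.Println("naive comparison reports drift:", NaiveDrift(desiredPolicy, observedPolicy))
	eq, err := PoliciesEqual(desiredPolicy, observedPolicy)
	if err != nil {
		panic(err)
	}
	fmt.Println("canonical comparison reports equal:", eq)
}
```

When checking a loop like this in the field, capture the policy the controller sends and the one GetBucketPolicy returns on the next reconcile and run both through a comparison of this shape; if the canonical compare says they are equal, the repeated PutBucketPolicy calls are cosmetic drift rather than a real change.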
@a-hilaly a-hilaly added kind/bug Categorizes issue or PR as related to a bug. service/s3 Indicates issues or PRs that are related to s3-controller. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. labels May 13, 2024