Skip to content

SPLAT-2721: Add SetSecurityGroups IAM permission#2727

Draft
mfbonfigli wants to merge 1 commit into
openshift:masterfrom
mfbonfigli:splat-2721_add-set-security-groups-iam-perm
Draft

SPLAT-2721: Add SetSecurityGroups IAM permission#2727
mfbonfigli wants to merge 1 commit into
openshift:masterfrom
mfbonfigli:splat-2721_add-set-security-groups-iam-perm

Conversation

@mfbonfigli
Copy link
Copy Markdown

@mfbonfigli mfbonfigli commented Apr 29, 2026
edited by coderabbitai Bot
Loading

What type of PR is this?

(feature)

What this PR does / why we need it?

This PR adds the elasticloadbalancing:SetSecurityGroups IAM permission required for the BYO Security Group feature for AWS NLBs by AWS CCM.

As part of the new Bring Your Own Security Groups (BYO SG) for AWS Network Load Balancers (NLBs) feature currently under review in upstream, it is required to add a new elasticloadbalancing:SetSecurityGroups permission to the role used by AWS CCM to interact with AWS APIs. For more info on the workstream see OCPSTRAT-1553.

The elasticloadbalancing:SetSecurityGroups permission is required to enable AWS CCM to change the security groups associated with Network Load Balancers without deleting and recreating the NLB, which is not viable.

Without this permission, the following operations are not possible:

  • Changing BYO security groups
  • Transition from managed to BYO Security Group
  • Transition from BYO Security Group to managed

Which Jira/Github issue(s) this PR fixes?

Fixes #https://redhat.atlassian.net/browse/SPLAT-2721
Fixes #https://redhat.atlassian.net/browse/SPLAT-2452

Special notes for your reviewer:

Pre-checks (if applicable):

  • Tested latest changes against a cluster

  • Included documentation changes with PR

  • If this is a new object that is not intended for the FedRAMP environment (if unsure, please reach out to team FedRAMP), please exclude it with:

    matchExpressions:
- key: api.openshift.com/fedramp
  operator: NotIn
  values: ["true"]

Summary by CodeRabbit

  • Chores
    • Updated IAM permissions for load balancer management operations.

@mfbonfigli
Add SetSecurityGroups IAM permission
cb2aac7 
Adds the elasticloadbalancing:SetSecurityGroups IAM permission
required for the BYO Security Group feature for AWS NLBs by AWS CCM.
This permission is needed so that the controller can associate or
disassociate security groups on AWS NLBs without deletion and
recreation of the NLB.
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 29, 2026
@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Apr 29, 2026
edited by openshift-ci Bot
Loading

@mfbonfigli: This pull request references SPLAT-2721 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

What type of PR is this?

(feature)

What this PR does / why we need it?

This PR adds the elasticloadbalancing:SetSecurityGroups IAM permission required for the BYO Security Group feature for AWS NLBs by AWS CCM.

As part of the new Bring Your Own Security Groups (BYO SG) for AWS Network Load Balancers (NLBs) feature currently under review in upstream, it is required to add a new elasticloadbalancing:SetSecurityGroups permission to the role used by AWS CCM to interact with AWS APIs. For more info on the workstream see OCPSTRAT-1553.

The elasticloadbalancing:SetSecurityGroups permission is required to enable AWS CCM to change the security groups associated with Network Load Balancers without deleting and recreating the NLB, which is not viable.

Without this permission, the following operations are not possible:

  • Changing BYO security groups
  • Transition from managed to BYO Security Group
  • Transition from BYO Security Group to managed

Which Jira/Github issue(s) this PR fixes?

Fixes #https://redhat.atlassian.net/browse/SPLAT-2721
Fixes #https://redhat.atlassian.net/browse/SPLAT-2452

Special notes for your reviewer:

Pre-checks (if applicable):

  • Tested latest changes against a cluster

  • Included documentation changes with PR

  • If this is a new object that is not intended for the FedRAMP environment (if unsure, please reach out to team FedRAMP), please exclude it with:

    matchExpressions:
- key: api.openshift.com/fedramp
  operator: NotIn
  values: ["true"]

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 29, 2026
@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Apr 29, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Apr 29, 2026
edited
Loading

Walkthrough

A single line is added to an AWS IAM policy file for the OpenShift HCP kube-controller-manager credentials, extending the existing LoadBalancer management statement to include the elasticloadbalancing:SetSecurityGroups action.

Changes

Cohort / File(s) Summary
IAM Policy Update
resources/sts/hypershift/openshift_hcp_kube_controller_manager_credentials_policy.json		 Added elasticloadbalancing:SetSecurityGroups action to the existing LoadBalanacerManagementResourceTag statement in the controller-manager IAM policy.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and specifically describes the main change: adding the SetSecurityGroups IAM permission, which directly aligns with the single file modification in the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed This check verifies Ginkgo test naming practices, but this PR contains no test files, only an IAM policy JSON modification.
Test Structure And Quality ✅ Passed The custom check for 'Test Structure and Quality' is not applicable to this PR because it only modifies an IAM policy JSON file and does not contain any Ginkgo test code, test files, or Go testing code.
Microshift Test Compatibility ✅ Passed This PR modifies only a JSON IAM policy file, not Ginkgo e2e tests. The check is not applicable to configuration repositories.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR modifies only JSON IAM policy configuration files with no new Ginkgo e2e tests. SNO Test Compatibility check applies exclusively to new test code and is not applicable here.
Topology-Aware Scheduling Compatibility ✅ Passed AWS IAM credentials policy file with no Kubernetes deployment manifests, operator code, or scheduling constraints.
Ote Binary Stdout Contract ✅ Passed PR only modifies static AWS IAM policy JSON file, adding elasticloadbalancing:SetSecurityGroups action. No executable code or test binaries present that could violate OTE Binary Stdout Contract.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed This PR only modifies an AWS IAM policy JSON file to add elasticloadbalancing:SetSecurityGroups permission. No e2e tests are added or modified.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Apr 29, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mfbonfigli
Once this PR has been reviewed and has the lgtm label, please assign typeid for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mfbonfigli
Copy link
Copy Markdown
Author

mfbonfigli commented Apr 30, 2026

/jira-refresh

This was referenced May 4, 2026
Open
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mfbonfigli @openshift-ci-robot