Skip to content

Add servicelog template for Karpenter IAM role misconfiguration#406

Open
clcollins wants to merge 2 commits intoopenshift:masterfrom
clcollins:add-karpenter-iam-misconfigured-servicelog
Open

Add servicelog template for Karpenter IAM role misconfiguration#406
clcollins wants to merge 2 commits intoopenshift:masterfrom
clcollins:add-karpenter-iam-misconfigured-servicelog

Conversation

@clcollins
Copy link
Member

@clcollins clcollins commented Mar 10, 2026

Summary

Add a new servicelog template to notify customers when the Karpenter operator IAM role is misconfigured in AWS, preventing the Karpenter component from functioning correctly.

Changes

  • New file: hcp/karpenter_iam_role_misconfigured.json
  • Critical severity notification template
  • Describes IAM role trust policy and permissions policy requirements
  • Includes documentation link for configuring operator IAM roles and OIDC trust relationships

Template Details

Severity: Critical
Service: SREManualAction
Log Type: cluster-configuration

The template is triggered when the Karpenter pod cannot assume its IAM role via STS AssumeRoleWithWebIdentity, resulting in 403 AccessDenied errors.

Related PRs

  • SOP documentation: openshift/ops-sop#3916

Test plan

  • JSON structure validated
  • Review template language with team
  • Verify documentation link is correct and accessible

🤖 Generated with Claude Code

@clcollins @claude
Add servicelog template for Karpenter IAM role misconfiguration
6b3933b 
Add a new servicelog template to notify customers when the Karpenter
operator IAM role is misconfigured in AWS. This error prevents the
Karpenter pod from assuming its IAM role via STS AssumeRoleWithWebIdentity,
resulting in access denied errors.

The template includes:
- Critical severity notification
- Clear description of the issue and required customer action
- Link to documentation on configuring operator IAM roles and OIDC trust

Related: openshift/ops-sop#3916

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@openshift-ci openshift-ci bot requested review from bmeng and iamkirkbater March 10, 2026 22:08
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Mar 10, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: clcollins
Once this PR has been reviewed and has the lgtm label, please assign rh-wadhwani for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@clcollins @claude
Fix validation error: Add period at end of description
2e9e9ea 
The validation script requires the description field to end with a period.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Mar 10, 2026

@clcollins: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

bmeng
bmeng reviewed Mar 11, 2026
View reviewed changes
hcp/karpenter_iam_role_misconfigured.json
"service_name": "SREManualAction",
"log_type": "cluster-configuration",
"summary": "Action required: Fix Karpenter operator IAM role configuration",
"description": "Your ROSA HCP cluster requires you to take action because the Karpenter operator IAM role is misconfigured in AWS, preventing the Karpenter component from functioning correctly. The Karpenter pod is unable to assume its IAM role via STS AssumeRoleWithWebIdentity, resulting in access denied errors. Please verify the Karpenter operator role's trust policy allows the cluster's OIDC provider to assume the role, and ensure the permissions policy matches the required policy for ROSA HCP operator roles. Review the documentation on configuring operator IAM roles and OIDC trust relationships: https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/install_rosa_with_hcp_clusters/rosa-hcp-sts-creating-a-cluster-quickly#rosa-sts-creating-operator-roles-and-policies_rosa-hcp-sts-creating-a-cluster-quickly.",
Copy link
Contributor

@bmeng bmeng Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems there is no such quick link rosa-sts-creating-operator-roles-and-policies_rosa-hcp-sts-creating-a-cluster-quickly in page https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/install_rosa_with_hcp_clusters/rosa-hcp-sts-creating-a-cluster-quickly

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bmeng bmeng bmeng left review comments

@iamkirkbater iamkirkbater Awaiting requested review from iamkirkbater

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@clcollins @bmeng