From 6b3933b45e92624724ee612176e01f7adc23e1c5 Mon Sep 17 00:00:00 2001
From: Christopher Collins
Date: Tue, 10 Mar 2026 12:07:11 -1000
Subject: [PATCH 1/2] Add servicelog template for Karpenter IAM role misconfiguration Add a new servicelog template to notify customers when the Karpenter operator IAM role is misconfigured in AWS. This error prevents the Karpenter pod from assuming its IAM role via STS AssumeRoleWithWebIdentity, resulting in access denied errors. The template includes: - Critical severity notification - Clear description of the issue and required customer action - Link to documentation on configuring operator IAM roles and OIDC trust Related: openshift/ops-sop#3916 Co-Authored-By: Claude Sonnet 4.5
---
 hcp/karpenter_iam_role_misconfigured.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 hcp/karpenter_iam_role_misconfigured.json
diff --git a/hcp/karpenter_iam_role_misconfigured.json b/hcp/karpenter_iam_role_misconfigured.json
new file mode 100644
index 0000000..ff3d66a
--- /dev/null
+++ b/hcp/karpenter_iam_role_misconfigured.json
@@ -0,0 +1,11 @@
+{
+ "severity": "Critical",
+ "service_name": "SREManualAction",
+ "log_type": "cluster-configuration",
+ "summary": "Action required: Fix Karpenter operator IAM role configuration",
+ "description": "Your ROSA HCP cluster requires you to take action because the Karpenter operator IAM role is misconfigured in AWS, preventing the Karpenter component from functioning correctly. The Karpenter pod is unable to assume its IAM role via STS AssumeRoleWithWebIdentity, resulting in access denied errors. Please verify the Karpenter operator role's trust policy allows the cluster's OIDC provider to assume the role, and ensure the permissions policy matches the required policy for ROSA HCP operator roles. Review the documentation on configuring operator IAM roles and OIDC trust relationships: https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/install_rosa_with_hcp_clusters/rosa-hcp-sts-creating-a-cluster-quickly#rosa-sts-creating-operator-roles-and-policies_rosa-hcp-sts-creating-a-cluster-quickly",
+ "doc_references": [
+ "https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/install_rosa_with_hcp_clusters/rosa-hcp-sts-creating-a-cluster-quickly#rosa-sts-creating-operator-roles-and-policies_rosa-hcp-sts-creating-a-cluster-quickly"
+ ],
+ "internal_only": false
+}
From 2e9e9ead6d4deb59d777e0a42e910f970f924228 Mon Sep 17 00:00:00 2001
From: Christopher Collins
Date: Tue, 10 Mar 2026 12:17:52 -1000
Subject: [PATCH 2/2] Fix validation error: Add period at end of description The validation script requires the description field to end with a period. Co-Authored-By: Claude Sonnet 4.5
---
 hcp/karpenter_iam_role_misconfigured.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hcp/karpenter_iam_role_misconfigured.json b/hcp/karpenter_iam_role_misconfigured.json
index ff3d66a..a9656c1 100644
--- a/hcp/karpenter_iam_role_misconfigured.json
+++ b/hcp/karpenter_iam_role_misconfigured.json
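Review bot: The `description` in the new-file hunk (PATCH 1/2) asks the customer to make the trust policy allow "the cluster's OIDC provider to assume the role", which reads as if trusting the provider as a whole were the goal. A customer who clears the access-denied error by dropping or widening the `sub` condition in that trust policy ends up with a role that any service account in the cluster can assume via AssumeRoleWithWebIdentity. I would word it as `...trust policy allows only the Karpenter operator's service account, through the cluster's OIDC provider, to assume the role...` so the remediation restores the scoped trust rather than loosening it. The linked page covers operator role creation in general; whether it includes the Karpenter role is not visible from this hunk and is worth confirming before the template is sent at Critical severity.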
@@ -3,7 +3,7 @@
 "service_name": "SREManualAction",
 "log_type": "cluster-configuration",
 "summary": "Action required: Fix Karpenter operator IAM role configuration",
- "description": "Your ROSA HCP cluster requires you to take action because the Karpenter operator IAM role is misconfigured in AWS, preventing the Karpenter component from functioning correctly. The Karpenter pod is unable to assume its IAM role via STS AssumeRoleWithWebIdentity, resulting in access denied errors. Please verify the Karpenter operator role's trust policy allows the cluster's OIDC provider to assume the role, and ensure the permissions policy matches the required policy for ROSA HCP operator roles. Review the documentation on configuring operator IAM roles and OIDC trust relationships: https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/install_rosa_with_hcp_clusters/rosa-hcp-sts-creating-a-cluster-quickly#rosa-sts-creating-operator-roles-and-policies_rosa-hcp-sts-creating-a-cluster-quickly",
+ "description": "Your ROSA HCP cluster requires you to take action because the Karpenter operator IAM role is misconfigured in AWS, preventing the Karpenter component from functioning correctly. The Karpenter pod is unable to assume its IAM role via STS AssumeRoleWithWebIdentity, resulting in access denied errors. Please verify the Karpenter operator role's trust policy allows the cluster's OIDC provider to assume the role, and ensure the permissions policy matches the required policy for ROSA HCP operator roles. Review the documentation on configuring operator IAM roles and OIDC trust relationships: https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/install_rosa_with_hcp_clusters/rosa-hcp-sts-creating-a-cluster-quickly#rosa-sts-creating-operator-roles-and-policies_rosa-hcp-sts-creating-a-cluster-quickly.",
 "doc_references": [
 "https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/install_rosa_with_hcp_clusters/rosa-hcp-sts-creating-a-cluster-quickly#rosa-sts-creating-operator-roles-and-policies_rosa-hcp-sts-creating-a-cluster-quickly"
 ],
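Review bot: The added period lands directly after the URL fragment at the end of `description`, so a client that auto-links the text may take `...creating-a-cluster-quickly.` as the anchor and miss the section, and a customer who copies the link may carry the dot along. The same URL is already listed in `doc_references`, so, assuming that field is shown to the customer, the sentence could end without the link: `Review the documentation on configuring operator IAM roles and OIDC trust relationships listed in the references.` That wording still ends with a period and passes the validation check. The hunk covers only the middle of the object; its opening and closing lines are outside it.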