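I'm a complete beginner with both AWS and OpenShift, and I broke my OpenShift cluster. To rebuild it with IPI, I was deleting it with openshift-install destroy cluster when the deletion hung.
When I re-ran it with
openshift-install --log-level debug destroy cluster
the following log appeared. Apparently an AWS Security Group has a dependency, so it can no longer be deleted.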
DEBUG search for and delete matching resources by tag in us-east-2 matching aws.Filter{"kubernetes.io/cluster/cluster-9373-dlhk2":"owned"}
DEBUG DependencyViolation: The dhcpOptions 'dopt-085c2dada1f343ae4' has dependencies and cannot be deleted.
status code: 400, request id: 45d53455-d1d7-41ce-ad6f-66934e8eca4b arn="arn:aws:ec2:us-east-2:434612646751:dhcp-options/dopt-085c2dada1f343ae4"
DEBUG DependencyViolation: resource sg-0a444d2ee4b09f1a1 has a dependent object
status code: 400, request id: b7665590-49ae-4179-98f8-1ffc1f268c5e arn="arn:aws:ec2:us-east-2:434612646751:security-group/sg-0a444d2ee4b09f1a1"
DEBUG Skipping default security group arn="arn:aws:ec2:us-east-2:434612646751:vpc/vpc-004bba1a4101c1ff0" id=vpc-004bba1a4101c1ff0 security group=sg-009a1a514280a6428
DEBUG deleting EC2 security group sg-0a444d2ee4b09f1a1: DependencyViolation: resource sg-0a444d2ee4b09f1a1 has a dependent object
status code: 400, request id: e09c5452-30cc-40a5-a250-68206a0c0500 arn="arn:aws:ec2:us-east-2:434612646751:vpc/vpc-004bba1a4101c1ff0"
DEBUG search for and delete matching resources by tag in us-east-2 matching aws.Filter{"openshiftClusterID":"2ec853c4-fdb5-4048-b121-4b2cdb884949"}
DEBUG search for and delete matching resources by tag in us-east-1 matching aws.Filter{"kubernetes.io/cluster/cluster-9373-dlhk2":"owned"}
DEBUG NoSuchHostedZone: No hosted zone found with ID: Z05082143QIXIT5Y0HD82
status code: 404, request id: 775594c5-092d-41a4-bac6-d610faad2aa1 arn="arn:aws:route53:::hostedzone/Z05082143QIXIT5Y0HD82"
DEBUG search for and delete matching resources by tag in us-east-1 matching aws.Filter{"openshiftClusterID":"2ec853c4-fdb5-4048-b121-4b2cdb884949"}
I can't access the web console, so I'll deal with this using the AWS CLI.
The Security Group that can't be deleted is sg-0a444d2ee4b09f1a1. Looking for it, it appears to have been added to the default Security Group, sg-009a1a514280a6428.
$ aws ec2 describe-security-groups
{
"SecurityGroups": [
{
"Description": "default VPC security group",
"GroupName": "default",
"IpPermissions": [
{
"IpProtocol": "-1",
"IpRanges": [],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": [
{
"GroupId": "sg-009a1a514280a6428",
"UserId": "434612646751"
},
{
"GroupId": "sg-0a444d2ee4b09f1a1",
"UserId": "434612646751"
}
]
}
],
(omitted)
It seems that aws ec2 revoke-security-group-ingress is the command for removing a Security Group's ingress entries. Remove the reference as follows.
aws ec2 revoke-security-group-ingress --group-id sg-009a1a514280a6428 --ip-permissions '[{"IpProtocol":"-1","UserIdGroupPairs":[{"GroupId":"sg-0a444d2ee4b09f1a1","UserId":"434612646751"}]}]'
Let's check.
$ aws ec2 describe-security-groups
{
"SecurityGroups": [
{
"Description": "default VPC security group",
"GroupName": "default",
"IpPermissions": [
{
"IpProtocol": "-1",
"IpRanges": [],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": [
{
"GroupId": "sg-021e9474e3577bea9",
"UserId": "434612646751"
}
]
}
],
It's gone! The cluster can now be deleted with openshift-install destroy cluster.
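The manual lookup above (finding which group's rules still name sg-0a444d2ee4b09f1a1, then revoking only that reference) can be scripted. This is an added example, not part of the original post: `revoke_commands`, `SAMPLE` and the second group's name and rule are constructed for illustration, and it goes slightly beyond the post by also checking egress rules. It only prints the commands; it does not call AWS.

```python
import json
import shlex

# Constructed sample: trimmed describe-security-groups output using the IDs from this page.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-009a1a514280a6428", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": [
         {"GroupId": "sg-009a1a514280a6428", "UserId": "434612646751"},
         {"GroupId": "sg-0a444d2ee4b09f1a1", "UserId": "434612646751"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0a444d2ee4b09f1a1", "GroupName": "constructed-cluster-sg",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "UserIdGroupPairs": [
         {"GroupId": "sg-0a444d2ee4b09f1a1", "UserId": "434612646751"}]}],
     "IpPermissionsEgress": []},
]}

RULE_KEYS = (("IpPermissions", "revoke-security-group-ingress"),
             ("IpPermissionsEgress", "revoke-security-group-egress"))


def revoke_commands(described, target_id):
    """Build one revoke command per rule in another group that references target_id."""
    cmds = []
    for sg in described["SecurityGroups"]:
        if sg["GroupId"] == target_id:
            continue  # a group's rules about itself do not block its own deletion
        for key, subcommand in RULE_KEYS:
            for perm in sg.get(key, []):
                # Keep only the pair naming the target, so the other sources
                # allowed by the same rule are left untouched.
                pairs = [{k: p[k] for k in ("GroupId", "UserId") if k in p}
                         for p in perm.get("UserIdGroupPairs", [])
                         if p.get("GroupId") == target_id]
                if not pairs:
                    continue
                minimal = {"IpProtocol": perm["IpProtocol"], "UserIdGroupPairs": pairs}
                for port in ("FromPort", "ToPort"):
                    if port in perm:
                        minimal[port] = perm[port]
                payload = json.dumps([minimal], separators=(",", ":"))
                cmds.append(f"aws ec2 {subcommand} --group-id {sg['GroupId']} "
                            f"--ip-permissions {shlex.quote(payload)}")
    return cmds


if __name__ == "__main__":
    for cmd in revoke_commands(SAMPLE, "sg-0a444d2ee4b09f1a1"):
        print(cmd)
```

In practice, feed it the parsed JSON from aws ec2 describe-security-groups and review each printed command before running it.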