Description of problem:
IBM Cloud Infrastructure Service added the ability to create VPC Security Group Rules using additional protocols, one of which is 'any'. Older IBM Cloud vpc-go-sdk versions are unable to process SGs and SG Rules and cause an error. The IBM Cloud MAPI component is using an old SDK and is unable to create new Machines as a result.
Version-Release number of selected component (if applicable):
4.19.21
How reproducible:
100%
Steps to Reproduce:
1. Create a new IPI deployed OCP cluster on IBM Cloud
2. Using the VPC APIs, via curl, create a new SecurityGroup Rule using 'any' protocol in the cluster's VPC
3. Attempt to create a new MachineSet
Actual results:
Machine gets stuck Provisioning

machine.machine.openshift.io/ocp-jenkins-30-48nrh-worker-us-east-failset-ps8gt   Provisioning   61s

MAPI logs:

E0107 16:59:33.554905 1 actuator.go:66] ocp-jenkins-30-48nrh-worker-us-east-failset-ps8gt error: ocp-jenkins-30-48nrh-worker-us-east-failset-ps8gt: reconciler failed to Create machine: failed to create instance via ibm vpc client: could not retrieve security group ids of names: map[ocp-jenkins-30-48nrh-sg-cluster-wide: ocp-jenkins-30-48nrh-sg-openshift-net:]
Expected results:
New Machine is Provisioned and joins the cluster
Additional info:
Added an 'any' SG Rule to the existing cluster's default VPC SG:

% ibmcloud is sg-rules r014-4da3252a-b066-45f1-a8d1-e424971fea1b ocp-jenkins-30-48nrh-vpc -q
ID                                          Direction   IP version   Remote                        Protocol       Local       Name
r014-ec486e2b-ad12-483e-8ba4-0ec2e151992f   outbound    ipv4         0.0.0.0/0                     icmp_tcp_udp   0.0.0.0/0   outbound-icmp-tcp-udp
r014-6823adb1-a49e-4d7a-aaa4-2e1205a77e94   inbound     ipv4         polio-stoke-lurex-surcharge   icmp_tcp_udp   0.0.0.0/0   inbound-icmp-tcp-udp-from-this-security-group
r014-25f3f7cb-f117-4d3d-a006-85ebf1395493   outbound    ipv4         0.0.0.0/0                     any            0.0.0.0/0   shamrock-reformer-crawfish-trimester

The latest available vpc-go-sdk should contain a fix to prevent this issue:
https://github.com/IBM/vpc-go-sdk/releases/tag/v0.78.1

It is possible that a long-term fix will be provided by the IBM Cloud Infrastructure team soon, but updating to the latest vpc-go-sdk is still desirable.