kiranchavala opened a new issue, #12641:
URL: https://github.com/apache/cloudstack/issues/12641

   ### problem
   
   Unable to remove an external node from a cks cluster
   
   ### versions
   
   ACS 4.22
   
   ### The steps to reproduce the bug
   
   1. Create a cks cluster
   
   2.  Add an external node to the cks cluster > Make sure the cluster state is in running state
   
   3. Navigate to Compute > Kubernetes > Instances >
   
   4. Remove the external node
   
   <img width="1631" height="509" alt="Image" src="https://github.com/user-attachments/assets/94397044-0929-48cf-8aaf-6e073ecb1b57" />
   
   <img width="1626" height="539" alt="Image" src="https://github.com/user-attachments/assets/88a992df-aa8e-44b7-8f36-bcd20f6646aa" />
   
   logs 
   
   ```
   2026-02-13 12:25:02,587 DEBUG [c.c.a.t.Request] (AgentManager-Handler-6:[]) 
(logid:) Seq 1-8418635078439010525: Processing:  { Ans: , MgmtId: 
32989459251691, via: 1, Ver: v1, Flags: 0, 
[{"com.cloud.agent.api.routing.GroupAnswer":{"results":["null - success: 
Creating file in VR, with ip: 169.254.182.185, file: 
firewall_rules.json.d45f9963-d2cd-4865-80af-0a843689bfb2","null - success: 
iptables v1.8.9 (nf_tables): CONNMARK target: No operation specified
   Try `iptables -h' or 'iptables --help' for more information.
   iptables v1.8.9 (nf_tables): CONNMARK target: No operation specified
   Try `iptables -h' or 'iptables --help' for more information.
   # Warning: table ip nat is managed by iptables-nft, do not touch!
   # Warning: table ip filter is managed by iptables-nft, do not touch!
   # Warning: table ip mangle is managed by iptables-nft, do not touch!
   "],"result":"true","wait":"0","bypassHostMaintenance":"false"}}] }
   2026-02-13 12:25:02,587 DEBUG [c.c.a.t.Request] 
(API-Job-Executor-40:[ctx-17f62cf7, job-67, ctx-b2ccb842, ctx-7d53276c]) 
(logid:e1dfe4f3) Seq 1-8418635078439010525: Received:  { Ans: , MgmtId: 
32989459251691, via: 1(ref-trl-11027-k-Mol8-kiran-chavala-kvm1), Ver: v1, 
Flags: 0, { GroupAnswer } }
   2026-02-13 12:25:02,750 INFO  [c.c.k.c.a.KubernetesClusterScaleWorker] 
(API-Job-Executor-40:[ctx-17f62cf7, job-67, ctx-b2ccb842, ctx-7d53276c]) 
(logid:e1dfe4f3) Provisioned firewall rule to open up port 2222 to 2223 on 
10.0.53.64 for Kubernetes cluster : cks2
   2026-02-13 12:25:02,811 DEBUG [c.c.n.f.FirewallManagerImpl] 
(API-Job-Executor-40:[ctx-17f62cf7, job-67, ctx-b2ccb842, ctx-7d53276c]) 
(logid:e1dfe4f3) Rules ([FirewallRule 
{"id":9,"networkId":205,"purpose":"Firewall","state":"Active","uuid":"5a180f5b-87ef-4ba4-81c5-a47154ff9890"}]
 and [FirewallRule 
{"id":16,"networkId":205,"purpose":"Firewall","state":"Staged","uuid":"ae2520ff-eb89-41dd-970c-1894e37369ba"}])
 do not have conflicting port ranges.
   2026-02-13 12:25:02,811 DEBUG [c.c.n.f.FirewallManagerImpl] 
(API-Job-Executor-40:[ctx-17f62cf7, job-67, ctx-b2ccb842, ctx-7d53276c]) 
(logid:e1dfe4f3) Only one of the rules ([FirewallRule 
{"id":12,"networkId":205,"purpose":"LoadBalancing","state":"Active","uuid":"5fd561e7-4740-4332-996a-3fd3014d443b"}]
 and [FirewallRule 
{"id":16,"networkId":205,"purpose":"Firewall","state":"Staged","uuid":"ae2520ff-eb89-41dd-970c-1894e37369ba"}])
 is firewall; therefore, their port ranges will not conflict.
   2026-02-13 12:25:02,813 DEBUG [c.c.n.f.FirewallManagerImpl] 
(API-Job-Executor-40:[ctx-17f62cf7, job-67, ctx-b2ccb842, ctx-7d53276c]) 
(logid:e1dfe4f3) Rules ([FirewallRule 
{"id":13,"networkId":205,"purpose":"Firewall","state":"Active","uuid":"3d0da0fe-f760-4767-93db-b44666732a1c"}]
 and [FirewallRule 
{"id":16,"networkId":205,"purpose":"Firewall","state":"Staged","uuid":"ae2520ff-eb89-41dd-970c-1894e37369ba"}])
 have conflicting port ranges.
   2026-02-13 12:25:02,814 DEBUG [c.c.u.d.T.Transaction] 
(API-Job-Executor-40:[ctx-17f62cf7, job-67, ctx-b2ccb842, ctx-7d53276c]) 
(logid:e1dfe4f3) Rolling back the transaction: Time = 9 Name =  
API-Job-Executor-40; called by 
-TransactionLegacy.rollback:905-TransactionLegacy.removeUpTo:848-TransactionLegacy.close:672-Transaction.execute:36-FirewallManagerImpl.createFirewallRule:255-FirewallManagerImpl.createIngressFirewallRule:207-NativeMethodAccessorImpl.invoke0:-2-NativeMethodAccessorImpl.invoke:77-DelegatingMethodAccessorImpl.invoke:43-Method.invoke:569-AopUtils.invokeJoinpointUsingReflection:344-ReflectiveMethodInvocation.invokeJoinpoint:198
   2026-02-13 12:25:02,917 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] 
(API-Job-Executor-40:[ctx-17f62cf7, job-67]) (logid:e1dfe4f3) Complete async 
job-67, jobStatus: FAILED, resultCode: 530, result: 
org.apache.cloudstack.api.response.ExceptionResponse/null/{"uuidList":[],"errorcode":"530","errortext":"Failed
 to provision firewall rules for SSH access for the Kubernetes cluster : cks2"}
   
   ```
   ...
   
   
   ### What to do about it?
   
   User should be able to remove the external node successfully 
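
A triage sketch for the log above, added here as an example and not part of the original issue or of CloudStack's code: it rejoins mail-wrapped log records, then groups "have conflicting port ranges" hits and FAILED async jobs by `logid`. The sample lines are condensed from the log above, and the function names are hypothetical.

```python
import json
import re
from collections import defaultdict

# Sample records condensed from the log in this issue (thread names, uuids
# and the stack trace trimmed); wrapped the way the mail archive wraps them.
SAMPLE_LOG = '''\
2026-02-13 12:25:02,811 DEBUG [c.c.n.f.FirewallManagerImpl] (logid:e1dfe4f3) Rules ([FirewallRule {"id":9,"purpose":"Firewall","state":"Active"}]
 and [FirewallRule {"id":16,"purpose":"Firewall","state":"Staged"}])
 do not have conflicting port ranges.
2026-02-13 12:25:02,813 DEBUG [c.c.n.f.FirewallManagerImpl] (logid:e1dfe4f3) Rules ([FirewallRule {"id":13,"purpose":"Firewall","state":"Active"}]
 and [FirewallRule {"id":16,"purpose":"Firewall","state":"Staged"}])
 have conflicting port ranges.
2026-02-13 12:25:02,917 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (logid:e1dfe4f3) Complete async job-67, jobStatus: FAILED, resultCode: 530
'''

TS = re.compile(r"^\s*\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
LOGID = re.compile(r"\(logid:(\w*)\)")
# Anchored on "])" + whitespace so "do not have conflicting ..." never matches.
CONFLICT = re.compile(r"Rules \(\[FirewallRule (\{.*?\})\] and \[FirewallRule "
                      r"(\{.*?\})\]\)\s+have conflicting port ranges")
FAILED = re.compile(r"Complete async (job-\d+), jobStatus: FAILED, resultCode: (\d+)")


def unwrap(text):
    """Join continuation lines onto the timestamped record they belong to."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line.lstrip())
        else:
            records[-1] += line
    return records


def triage(text):
    """Map logid -> conflicting rule pairs and failed async jobs seen under it."""
    out = defaultdict(lambda: {"conflicts": [], "failed_jobs": []})
    for rec in unwrap(text):
        m = LOGID.search(rec)
        logid = m.group(1) if m else ""
        c = CONFLICT.search(rec)
        if c:
            a, b = (json.loads(g) for g in c.groups())
            out[logid]["conflicts"].append((a["id"], a["state"], b["id"], b["state"]))
        f = FAILED.search(rec)
        if f:
            out[logid]["failed_jobs"].append((f.group(1), int(f.group(2))))
    return dict(out)
```
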

