This is an automated email from the ASF dual-hosted git repository. pearl11594 pushed a commit to branch ghi11758-k8s-fw-rules-all in repository https://gitbox.apache.org/repos/asf/cloudstack.git
commit 23119504658b23852019411cf597bf80ac60c8a6
Author: Pearl Dsilva <[email protected]>
AuthorDate: Thu Mar 12 16:05:20 2026 -0400
Fix K8s scaling and deletion issue if firewall rule is for ALL ports
---
 .../KubernetesClusterResourceModifierActionWorker.java | 3 ++-
 .../cluster/actionworkers/KubernetesClusterScaleWorker.java | 8 ++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterResourceModifierActionWorker.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterResourceModifierActionWorker.java
index d92d0692ca1..bd59cbbee6b 100644
--- a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterResourceModifierActionWorker.java
+++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterResourceModifierActionWorker.java
@@ -25,6 +25,7 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.stream.Collectors;
@@ -517,7 +518,7 @@ public class KubernetesClusterResourceModifierActionWorker extends KubernetesClu
 FirewallRule rule = null;
 List<FirewallRuleVO> firewallRules = firewallRulesDao.listByIpAndPurposeAndNotRevoked(publicIp.getId(), FirewallRule.Purpose.Firewall);
 for (FirewallRuleVO firewallRule : firewallRules) {
- if (firewallRule.getSourcePortStart() == CLUSTER_NODES_DEFAULT_START_SSH_PORT) {
+ if (Objects.equals(firewallRule.getSourcePortStart(), CLUSTER_NODES_DEFAULT_START_SSH_PORT)) {
 rule = firewallRule;
 firewallService.revokeIngressFwRule(firewallRule.getId(), true);
 logger.debug("The SSH firewall rule [%s] with the id [%s] was revoked",firewallRule.getName(),firewallRule.getId());
diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterScaleWorker.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterScaleWorker.java
index f6828e3b203..38e919fc664 100644
--- a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterScaleWorker.java
+++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterScaleWorker.java
@@ -124,10 +124,14 @@ public class KubernetesClusterScaleWorker extends KubernetesClusterResourceModif
 // Remove existing SSH firewall rules
 FirewallRule firewallRule = removeSshFirewallRule(publicIp);
+ int existingFirewallRuleSourcePortEnd;
 if (firewallRule == null) {
- throw new ManagementServerException("Firewall rule for node SSH access can't be provisioned");
+ logger.warn("SSH firewall rule not found for Kubernetes cluster: {}. It may have been manually deleted or modified.", kubernetesCluster.getName());
+ existingFirewallRuleSourcePortEnd = CLUSTER_NODES_DEFAULT_START_SSH_PORT + clusterVMIds.size() - 1;
+ } else {
+ existingFirewallRuleSourcePortEnd = firewallRule.getSourcePortEnd();
 }
- int existingFirewallRuleSourcePortEnd = firewallRule.getSourcePortEnd();
+
 try {
 removePortForwardingRules(publicIp, network, owner, CLUSTER_NODES_DEFAULT_START_SSH_PORT, existingFirewallRuleSourcePortEnd);
 } catch (ResourceUnavailableException e) {
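Review bot: In the new `firewallRule == null` branch the end of the cleanup range is derived from `clusterVMIds.size()`, which is only a guess at what was actually forwarded: an empty list yields an end port below `CLUSTER_NODES_DEFAULT_START_SSH_PORT`, and forwards created for a larger node count may be left in place, keeping public ports mapped to node SSH. Clamping the fallback, e.g. `existingFirewallRuleSourcePortEnd = CLUSTER_NODES_DEFAULT_START_SSH_PORT + Math.max(clusterVMIds.size(), 1) - 1;`, covers the first case; the second would need the range taken from the existing port-forwarding rules rather than the VM count. The branch is also reached when a rule exists but does not start at the default SSH port (apparently the all-ports case in the commit title), so the warning text could say so. The rest of the method is outside this hunk, and it is worth confirming there that scaling does not silently recreate an SSH rule an operator removed on purpose.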
