
NSG EgressSecurityRule shouldn't allow missing required parameters #457

@joekr

What happened:
When creating a cluster using the cluster-template.yaml and adding networkSecurityGroup to the networkSpec, I'm able to apply the template even if I'm missing the required destination and protocol as defined here: https://docs.oracle.com/en-us/iaas/api/#/en/iaas/20160918/datatypes/EgressSecurityRule.

What you expected to happen:
I would expect this to get caught pre-apply in a webhook, like we do for a bad CIDR.

How to reproduce it (as minimally and precisely as possible):
Add a rule like:

```yaml
- egressRule:
    description: Allow Kubernetes API endpoint to communicate with OKE.
    destination: all-iad-services-in-oracle-services-network
    destinationType: SERVICE_CIDR_BLOCK
    isStateless: false
```

Then apply the config:

```text
...
...
--from cluster-template-bad-nsg.yaml | kubectl apply -f -
cluster.cluster.x-k8s.io/capoci-example-cluster created
ocicluster.infrastructure.cluster.x-k8s.io/capoci-example-cluster created
kubeadmcontrolplane.controlplane.cluster.x-k8s.io/capoci-example-cluster-control-plane created
ocimachinetemplate.infrastructure.cluster.x-k8s.io/capoci-example-cluster-control-plane created
ocimachinetemplate.infrastructure.cluster.x-k8s.io/capoci-example-cluster-md-0 created
kubeadmconfigtemplate.bootstrap.cluster.x-k8s.io/capoci-example-cluster-md-0 created
machinedeployment.cluster.x-k8s.io/capoci-example-cluster-md-0 created
```

and in the logs you will see:

```text
E1009 15:27:19.431698       1 nsg_reconciler.go:419] "failed add nsg security rules" err=<
	Error returned by VirtualNetwork Service. Http Status Code: 400. Error Code: InvalidParameter. Opc request id: <opc-request-id. Message: securityRules[4].protocol must not be null
	Operation Name: AddNetworkSecurityGroupSecurityRules
	Timestamp: 2025-10-09 15:27:19 +0000 GMT
	Client Version: Oracle-GoSDK/65.81.1
	Request Endpoint: POST https://iaas.us-ashburn-1.oraclecloud.com/20160918/networkSecurityGroups/ocid1.networksecuritygroup.oc1.iad.aaaaaaaaa/actions/addSecurityRules
	Troubleshooting Tips: See https://docs.oracle.com/iaas/Content/API/References/apierrors.htm#apierrors_400__400_invalidparameter for more information about resolving this error.
	Also see https://docs.oracle.com/iaas/api/#/en/iaas/20160918/SecurityRule/AddNetworkSecurityGroupSecurityRules for details on this operation's requirements.
	To get more info on the failing request, you can set OCI_GO_SDK_DEBUG env var to info or higher level to log the request/response details.
	If you are unable to resolve this VirtualNetwork issue, please contact Oracle support and provide them this full error message.
```

Anything else we need to know?:

Environment:

  • CAPOCI version: v0.20.x (but happens on main)
  • Cluster-API version (use clusterctl version): NA
  • Kubernetes version (use kubectl version): NA
  • Docker version (use docker info): NA
  • OS (e.g. from /etc/os-release): NA
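The kind of pre-apply check the report asks for, as an added example that is not CAPOCI's own webhook code: it assumes a hypothetical `EgressRule` struct with the fields from the YAML above and reports every missing or malformed required field at once, so the object is rejected at admission time instead of failing later in the reconciler against the OCI API.

```go
package main

import (
	"fmt"
	"net"
)

// EgressRule is a hypothetical stand-in for the provider's rule type, carrying
// only the fields shown in the issue's YAML snippet.
type EgressRule struct {
	Description     string
	Destination     string
	DestinationType string
	Protocol        string
	IsStateless     bool
}

// Allowed values follow the OCI EgressSecurityRule documentation: protocol is
// "all" or an IANA protocol number ("1", "6", "17", "58").
var allowedDestinationTypes = map[string]bool{
	"CIDR_BLOCK": true, "SERVICE_CIDR_BLOCK": true, "NETWORK_SECURITY_GROUP": true,
}
var allowedProtocols = map[string]bool{"all": true, "1": true, "6": true, "17": true, "58": true}

// ValidateEgressRule returns one message per problem. A webhook would collect
// these across all rules and deny the request if the slice is non-empty.
func ValidateEgressRule(idx int, r EgressRule) []string {
	prefix := fmt.Sprintf("securityRules[%d]", idx)
	var errs []string
	if r.Destination == "" {
		errs = append(errs, prefix+".destination must not be empty")
	}
	if !allowedDestinationTypes[r.DestinationType] {
		errs = append(errs, prefix+".destinationType must be CIDR_BLOCK, SERVICE_CIDR_BLOCK or NETWORK_SECURITY_GROUP")
	}
	if r.Protocol == "" {
		errs = append(errs, prefix+".protocol must not be null")
	} else if !allowedProtocols[r.Protocol] {
		errs = append(errs, prefix+".protocol must be \"all\" or an IANA protocol number (1, 6, 17, 58)")
	}
	// Only a CIDR_BLOCK destination must parse as a CIDR; a service label or NSG OCID does not.
	if r.DestinationType == "CIDR_BLOCK" && r.Destination != "" {
		if _, _, err := net.ParseCIDR(r.Destination); err != nil {
			errs = append(errs, prefix+".destination is not a valid CIDR: "+err.Error())
		}
	}
	return errs
}

func main() {
	// Constructed input: the rule from the issue, which omits protocol.
	bad := EgressRule{Destination: "all-iad-services-in-oracle-services-network", DestinationType: "SERVICE_CIDR_BLOCK"}
	fmt.Println(ValidateEgressRule(4, bad)) // [securityRules[4].protocol must not be null]
}
```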

Labels: bug (Something isn't working)