[occm] openstack.(*LbaasV2).ensureAndUpdateOctaviaSecurityGroup encounters SIGSEGV #3101

@judge-red

/kind bug

What happened:

We have many Kubernetes clusters running, which are configured more or less identically as far as the occm is concerned. But the occm for one is in a CrashLoopBackOff. Presumably something that was done with an OpenStack-powered Kubernetes resource in the cluster or that was done on the OpenStack side triggers this, but I have no idea where to even start looking. Thus I can only provide the most recent log with the SIGSEGV we're encountering. Please advise what additional information we should provide.

occm log:

Defaulted container "cloud-controller-manager" out of: cloud-controller-manager, copy-http-prober (init)
{"level":"info","time":"2026-04-29T12:55:45.276Z","logger":"http-prober","caller":"http-prober/main.go:137","msg":"Probing","attempt":1,"max-attempts":100,"target":"https://apiserver-external.cluster-znqzsbl25p.svc.cluster.local./healthz"}
{"level":"info","time":"2026-04-29T12:55:45.283Z","logger":"http-prober","caller":"http-prober/main.go:126","msg":"Hostname resolved","hostname":"apiserver-external.cluster-znqzsbl25p.svc.cluster.local.","address":"10.111.75.178:443"}
{"level":"info","time":"2026-04-29T12:55:45.301Z","logger":"http-prober","caller":"http-prober/main.go:150","msg":"Endpoint is available"}
I0429 12:55:45.624917       1 serving.go:386] Generated self-signed cert in-memory
I0429 12:55:46.043872       1 serving.go:386] Generated self-signed cert in-memory
W0429 12:55:46.398830       1 authentication.go:476] failed to read in-cluster kubeconfig for delegated authentication: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory
W0429 12:55:46.398854       1 authentication.go:368] No authentication-kubeconfig provided in order to lookup client-ca-file in configmap/extension-apiserver-authentication in kube-system, so client certificate authentication won't work.
W0429 12:55:46.398861       1 authentication.go:392] No authentication-kubeconfig provided in order to lookup requestheader-client-ca-file in configmap/extension-apiserver-authentication in kube-system, so request-header client certificate authentication won't work.
W0429 12:55:46.398874       1 authorization.go:225] failed to read in-cluster kubeconfig for delegated authorization: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory
W0429 12:55:46.398885       1 authorization.go:193] No authorization-kubeconfig provided, so SubjectAccessReview of authorization tokens won't work.
I0429 12:55:46.782755       1 controllermanager.go:160] Version: v1.35.0
I0429 12:55:46.786969       1 secure_serving.go:211] Serving securely on [::]:10258
I0429 12:55:46.787067       1 tlsconfig.go:243] "Starting DynamicServingCertificateController"
I0429 12:55:46.787214       1 leaderelection.go:258] "Attempting to acquire leader lease..." lock="kube-system/cloud-controller-manager"
I0429 12:56:03.197339       1 leaderelection.go:272] "Successfully acquired lease" lock="kube-system/cloud-controller-manager"
I0429 12:56:03.197819       1 event.go:389] "Event occurred" object="kube-system/cloud-controller-manager" fieldPath="" kind="Lease" apiVersion="coordination.k8s.io/v1" type="Normal" reason="LeaderElection" message="openstack-cloud-controller-manager-5658d675f4-99n6t_634ec517-8a0c-4aeb-8e96-b2132274a8b9 became leader"
I0429 12:56:03.201597       1 openstack.go:424] Setting up informers for Cloud
I0429 12:56:03.201839       1 controllermanager.go:310] Starting "cloud-node-lifecycle-controller"
I0429 12:56:03.249162       1 controllermanager.go:329] Started "cloud-node-lifecycle-controller"
I0429 12:56:03.249184       1 controllermanager.go:310] Starting "service-lb-controller"
I0429 12:56:03.249601       1 node_lifecycle_controller.go:112] Sending events to api server
W0429 12:56:03.316564       1 openstack.go:362] Failed to create an OpenStack Secret client: unable to initialize keymanager client for region zhw: No suitable endpoint could be found in the service catalog.
I0429 12:56:03.316612       1 openstack.go:373] Claiming to support LoadBalancer
I0429 12:56:03.316662       1 controllermanager.go:329] Started "service-lb-controller"
I0429 12:56:03.316695       1 controllermanager.go:310] Starting "node-route-controller"
I0429 12:56:03.317895       1 controller.go:235] Starting service controller
I0429 12:56:03.317993       1 shared_informer.go:370] "Waiting for caches to sync"
W0429 12:56:03.376811       1 openstack.go:408] Error initialising Routes support: router-id not set in cloud provider config
W0429 12:56:03.376834       1 core.go:111] --configure-cloud-routes is set, but cloud provider does not support routes. Will not configure cloud provider routes.
W0429 12:56:03.376842       1 controllermanager.go:317] Skipping "node-route-controller"
I0429 12:56:03.376848       1 controllermanager.go:310] Starting "cloud-node-controller"
I0429 12:56:03.388974       1 controllermanager.go:329] Started "cloud-node-controller"
I0429 12:56:03.389240       1 node_controller.go:176] Sending events to api server.
I0429 12:56:03.389312       1 node_controller.go:185] Waiting for informer caches to sync
I0429 12:56:03.418597       1 shared_informer.go:377] "Caches are synced"
I0429 12:56:03.418778       1 loadbalancer.go:1863] "EnsureLoadBalancer" cluster="znqzsbl25p" service="cilium-gateway/cilium-gateway-gateway-auth-dmz-v4"
I0429 12:56:03.418980       1 event.go:389] "Event occurred" object="cilium-gateway/cilium-gateway-gateway-auth-dmz-v4" fieldPath="" kind="Service" apiVersion="v1" type="Normal" reason="EnsuringLoadBalancer" message="Ensuring load balancer"
E0429 12:56:04.107997       1 panic.go:262] "Observed a panic" panic="runtime error: invalid memory address or nil pointer dereference" panicGoValue="\"invalid memory address or nil pointer dereference\"" stacktrace=<
        goroutine 247 [running]:
        k8s.io/apimachinery/pkg/util/runtime.logPanic({0x2d44480, 0xc0009ab680}, {0x24b2940, 0x43db840})
                k8s.io/apimachinery@v0.35.0/pkg/util/runtime/runtime.go:132 +0xbc
        k8s.io/apimachinery/pkg/util/runtime.handleCrash({0x2d444b8, 0xc000370690}, {0x24b2940, 0x43db840}, {0x0, 0x0, 0xc000806cd0?})
                k8s.io/apimachinery@v0.35.0/pkg/util/runtime/runtime.go:107 +0x116
        k8s.io/apimachinery/pkg/util/runtime.HandleCrashWithContext({0x2d444b8, 0xc000370690}, {0x0, 0x0, 0x0})
                k8s.io/apimachinery@v0.35.0/pkg/util/runtime/runtime.go:78 +0x5a
        panic({0x24b2940?, 0x43db840?})
                runtime/panic.go:783 +0x132
        k8s.io/cloud-provider-openstack/pkg/openstack.(*LbaasV2).ensureAndUpdateOctaviaSecurityGroup(0xc0000e7520, {0x2d444b8, 0xc000370690}, {0x7ffff49e81a8, 0xa}, 0xc000225408, {0xc0009db3e0, 0x2, 0x2}, 0xc000aaba20)
                k8s.io/cloud-provider-openstack/pkg/openstack/loadbalancer_sg.go:248 +0x73c
        k8s.io/cloud-provider-openstack/pkg/openstack.(*LbaasV2).ensureOctaviaLoadBalancer(0xc0000e7520, {0x2d444b8, 0xc000370690}, {0x7ffff49e81a8, 0xa}, 0xc000225408, {0xc0009db3e0, 0x2, 0x2})
                k8s.io/cloud-provider-openstack/pkg/openstack/loadbalancer.go:1845 +0x1fc5
        k8s.io/cloud-provider-openstack/pkg/openstack.(*LbaasV2).EnsureLoadBalancer(0xc0000e7520, {0x2d444b8, 0xc000370690}, {0x7ffff49e81a8, 0xa}, 0xc000225408, {0xc0009db3e0, 0x2, 0x2})
                k8s.io/cloud-provider-openstack/pkg/openstack/loadbalancer.go:1864 +0x2c5
        k8s.io/cloud-provider/controllers/service.(*Controller).ensureLoadBalancer(0xc000942a90, {0x2d444b8, 0xc000370690}, 0xc000225408)
                k8s.io/cloud-provider@v0.35.0/controllers/service/controller.go:453 +0x132
        k8s.io/cloud-provider/controllers/service.(*Controller).syncLoadBalancerIfNeeded(0xc000942a90, {0x2d444b8, 0xc000370690}, 0xc000225408, {0xc000a2fd40, 0x31})
                k8s.io/cloud-provider@v0.35.0/controllers/service/controller.go:409 +0x745
        k8s.io/cloud-provider/controllers/service.(*Controller).processServiceCreateOrUpdate(0xc000942a90, {0x2d444b8, 0xc000370690}, 0xc000225408, {0xc000a2fd40, 0x31})
                k8s.io/cloud-provider@v0.35.0/controllers/service/controller.go:340 +0x13c
        k8s.io/cloud-provider/controllers/service.(*Controller).syncService(0xc000942a90, {0x2d444b8, 0xc000370690}, {0xc000a2fd40, 0x31})
                k8s.io/cloud-provider@v0.35.0/controllers/service/controller.go:897 +0x1ac
        k8s.io/cloud-provider/controllers/service.(*Controller).processNextServiceItem(0xc000942a90, {0x2d444b8, 0xc000370690})
                k8s.io/cloud-provider@v0.35.0/controllers/service/controller.go:291 +0xed
        k8s.io/cloud-provider/controllers/service.(*Controller).serviceWorker(...)
                k8s.io/cloud-provider@v0.35.0/controllers/service/controller.go:258
        k8s.io/apimachinery/pkg/util/wait.BackoffUntilWithContext.func1({0x2d444b8?, 0xc000370690?}, 0xc000a99f50?)
                k8s.io/apimachinery@v0.35.0/pkg/util/wait/backoff.go:255 +0x51
        k8s.io/apimachinery/pkg/util/wait.BackoffUntilWithContext({0x2d444b8, 0xc000370690}, 0xc0009db330, {0x2d1d460, 0xc000a99f50}, 0x1)
                k8s.io/apimachinery@v0.35.0/pkg/util/wait/backoff.go:256 +0xe5
        k8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext({0x2d444b8, 0xc000370690}, 0xc0009db330, 0x3b9aca00, 0x0, 0x1)
                k8s.io/apimachinery@v0.35.0/pkg/util/wait/backoff.go:223 +0x8f
        k8s.io/apimachinery/pkg/util/wait.UntilWithContext(...)
                k8s.io/apimachinery@v0.35.0/pkg/util/wait/backoff.go:172
        created by k8s.io/cloud-provider/controllers/service.(*Controller).Run in goroutine 213
                k8s.io/cloud-provider@v0.35.0/controllers/service/controller.go:245 +0x474
 >
panic: runtime error: invalid memory address or nil pointer dereference [recovered, repanicked]
[signal SIGSEGV: segmentation violation code=0x1 addr=0x48 pc=0x213809c]

goroutine 247 [running]:
k8s.io/apimachinery/pkg/util/runtime.handleCrash({0x2d444b8, 0xc000370690}, {0x24b2940, 0x43db840}, {0x0, 0x0, 0xc000806cd0?})
        k8s.io/apimachinery@v0.35.0/pkg/util/runtime/runtime.go:114 +0x1a9
k8s.io/apimachinery/pkg/util/runtime.HandleCrashWithContext({0x2d444b8, 0xc000370690}, {0x0, 0x0, 0x0})
        k8s.io/apimachinery@v0.35.0/pkg/util/runtime/runtime.go:78 +0x5a
panic({0x24b2940?, 0x43db840?})
        runtime/panic.go:783 +0x132
k8s.io/cloud-provider-openstack/pkg/openstack.(*LbaasV2).ensureAndUpdateOctaviaSecurityGroup(0xc0000e7520, {0x2d444b8, 0xc000370690}, {0x7ffff49e81a8, 0xa}, 0xc000225408, {0xc0009db3e0, 0x2, 0x2}, 0xc000aaba20)
        k8s.io/cloud-provider-openstack/pkg/openstack/loadbalancer_sg.go:248 +0x73c
k8s.io/cloud-provider-openstack/pkg/openstack.(*LbaasV2).ensureOctaviaLoadBalancer(0xc0000e7520, {0x2d444b8, 0xc000370690}, {0x7ffff49e81a8, 0xa}, 0xc000225408, {0xc0009db3e0, 0x2, 0x2})
        k8s.io/cloud-provider-openstack/pkg/openstack/loadbalancer.go:1845 +0x1fc5
k8s.io/cloud-provider-openstack/pkg/openstack.(*LbaasV2).EnsureLoadBalancer(0xc0000e7520, {0x2d444b8, 0xc000370690}, {0x7ffff49e81a8, 0xa}, 0xc000225408, {0xc0009db3e0, 0x2, 0x2})
        k8s.io/cloud-provider-openstack/pkg/openstack/loadbalancer.go:1864 +0x2c5
k8s.io/cloud-provider/controllers/service.(*Controller).ensureLoadBalancer(0xc000942a90, {0x2d444b8, 0xc000370690}, 0xc000225408)
        k8s.io/cloud-provider@v0.35.0/controllers/service/controller.go:453 +0x132
k8s.io/cloud-provider/controllers/service.(*Controller).syncLoadBalancerIfNeeded(0xc000942a90, {0x2d444b8, 0xc000370690}, 0xc000225408, {0xc000a2fd40, 0x31})
        k8s.io/cloud-provider@v0.35.0/controllers/service/controller.go:409 +0x745
k8s.io/cloud-provider/controllers/service.(*Controller).processServiceCreateOrUpdate(0xc000942a90, {0x2d444b8, 0xc000370690}, 0xc000225408, {0xc000a2fd40, 0x31})
        k8s.io/cloud-provider@v0.35.0/controllers/service/controller.go:340 +0x13c
k8s.io/cloud-provider/controllers/service.(*Controller).syncService(0xc000942a90, {0x2d444b8, 0xc000370690}, {0xc000a2fd40, 0x31})
        k8s.io/cloud-provider@v0.35.0/controllers/service/controller.go:897 +0x1ac
k8s.io/cloud-provider/controllers/service.(*Controller).processNextServiceItem(0xc000942a90, {0x2d444b8, 0xc000370690})
        k8s.io/cloud-provider@v0.35.0/controllers/service/controller.go:291 +0xed
k8s.io/cloud-provider/controllers/service.(*Controller).serviceWorker(...)
        k8s.io/cloud-provider@v0.35.0/controllers/service/controller.go:258
k8s.io/apimachinery/pkg/util/wait.BackoffUntilWithContext.func1({0x2d444b8?, 0xc000370690?}, 0xc000a99f50?)
        k8s.io/apimachinery@v0.35.0/pkg/util/wait/backoff.go:255 +0x51
k8s.io/apimachinery/pkg/util/wait.BackoffUntilWithContext({0x2d444b8, 0xc000370690}, 0xc0009db330, {0x2d1d460, 0xc000a99f50}, 0x1)
        k8s.io/apimachinery@v0.35.0/pkg/util/wait/backoff.go:256 +0xe5
k8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext({0x2d444b8, 0xc000370690}, 0xc0009db330, 0x3b9aca00, 0x0, 0x1)
        k8s.io/apimachinery@v0.35.0/pkg/util/wait/backoff.go:223 +0x8f
k8s.io/apimachinery/pkg/util/wait.UntilWithContext(...)
        k8s.io/apimachinery@v0.35.0/pkg/util/wait/backoff.go:172
created by k8s.io/cloud-provider/controllers/service.(*Controller).Run in goroutine 213
        k8s.io/cloud-provider@v0.35.0/controllers/service/controller.go:245 +0x474

What you expected to happen:

No SIGSEGV :)

How to reproduce it:

Unknown

Anything else we need to know?:

cloud-config:

[Global]
auth-url = "https://identity.openstack.url/v3"
region = "foo"
application-credential-id = "hello"
application-credential-secret = "world"

[LoadBalancer]
manage-security-groups = true
lb-version = "v2"
lb-provider = "ovn"
subnet-id = ""
floating-network-id = "xyz"
lb-method = "SOURCE_IP_PORT"

[BlockStorage]
ignore-volume-az = false
trust-device-path = false
bs-version = "auto"

Environment:

  • openstack-cloud-controller-manager(or other related binary) version: registry.k8s.io/provider-os/openstack-cloud-controller-manager:v1.35.0
  • OpenStack version: Caracal 2024.1
  • Others:
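
An added example, not part of the original report or the project's code: a Go helper that reads a Go runtime panic trace like the second copy in the log above, skips the frames that only raise or handle the panic, and returns the fault address with the first frame that actually dereferenced the nil pointer. `FindFault`, `isHandlerFrame` and the shortened `sampleTrace` are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: the first frames of the panic output quoted in the issue.
const sampleTrace = `[signal SIGSEGV: segmentation violation code=0x1 addr=0x48 pc=0x213809c]
goroutine 247 [running]:
k8s.io/apimachinery/pkg/util/runtime.handleCrash({0x2d444b8, 0xc000370690}, {0x24b2940, 0x43db840}, {0x0, 0x0, 0xc000806cd0?})
        k8s.io/apimachinery@v0.35.0/pkg/util/runtime/runtime.go:114 +0x1a9
panic({0x24b2940?, 0x43db840?})
        runtime/panic.go:783 +0x132
k8s.io/cloud-provider-openstack/pkg/openstack.(*LbaasV2).ensureAndUpdateOctaviaSecurityGroup(0xc0000e7520, {0x2d444b8, 0xc000370690}, {0x7ffff49e81a8, 0xa}, 0xc000225408, {0xc0009db3e0, 0x2, 0x2}, 0xc000aaba20)
        k8s.io/cloud-provider-openstack/pkg/openstack/loadbalancer_sg.go:248 +0x73c
`

var sigRe = regexp.MustCompile(`^\[signal (\w+):.* addr=(0x[0-9a-f]+) `)
var locRe = regexp.MustCompile(`^\s+(\S+):(\d+)`)

// isHandlerFrame reports frames that only raise, recover or log the panic.
func isHandlerFrame(fn string) bool {
	return fn == "panic" || strings.HasPrefix(fn, "runtime.") ||
		strings.HasPrefix(fn, "k8s.io/apimachinery/pkg/util/runtime.")
}

// FindFault returns the signal, fault address and first non-handler frame.
func FindFault(trace string) (sig, addr, fn, loc string, ok bool) {
	cur := "" // function named on the previous line, awaiting its file:line
	for _, line := range strings.Split(trace, "\n") {
		if m := sigRe.FindStringSubmatch(line); m != nil {
			sig, addr = m[1], m[2]
		} else if m := locRe.FindStringSubmatch(line); m != nil {
			if cur != "" && !isHandlerFrame(cur) {
				return sig, addr, cur, m[1] + ":" + m[2], true
			}
			cur = ""
		} else if i := strings.LastIndex(line, "("); i > 0 {
			cur = line[:i] // drop the argument list
		}
	}
	return sig, addr, "", "", false
}

func main() {
	fmt.Println(FindFault(sampleTrace))
}
```

The klog-embedded copy of the trace (the `stacktrace=<` block) indents function lines as well, so it needs its leading whitespace stripped before being passed to this helper.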
