Reconciler error when updating AWSMCP publicCIDRs to empty list with endpointPrivateAccess: true and endpointPublicAccess: false #5441

Open
@pavansokkenagaraj

/kind bug

What steps did you take and what happened:
CAPA EKS reconciler errors when an EKS cluster is deployed with:

  • endpointPrivateAccess: true
  • endpointPublicAccess: false

...and later, the AWSManagedControlPlane (AWSMCP) resource is updated to change publicCIDRs from a list of IPs to an empty list.

This results in a Reconciler error:

271] [capa-controller-manager-694c8f6879-wxg8q] 1 controller.go:326] "msg"="Reconciler error" "error"="failed to reconcile control plane for AWSManagedControlPlane cluster-67bdf4503897e994b608c9f3/alias-eks-privatetest-cp: failed reconciling cluster config: failed to update EKS cluster: InvalidParameterException: Cluster is already at the desired configuration with endpointPrivateAccess: true , endpointPublicAccess: false, and Public Endpoint Restrictions: [42.35.163.177/32, 34.23.247.65/32, 98.11.13.11/32, 52.6.49.73/32, 94.80.29.17/32, 13.52.68.26/32, 34.158.209.13/32, 34.22.106.120/32]\n{\n RespMetadata: {\n StatusCode: 400,\n RequestID: \"10163f97-d89b-44c1-bee1-75a3c476b980\"\n },\n ClusterName: \"alias-eks-privatetest\",\n Message_: \"Cluster is already at the desired configuration with endpointPrivateAccess: true , endpointPublicAccess: false, and Public Endpoint Restrictions: [42.35.163.177/32, 34.23.247.65/32, 98.11.13.11/32, 52.6.49.73/32, 94.80.29.17/32, 13.52.68.26/32, 34.158.209.13/32, 34.22.106.120/32]\"\n}" "AWSManagedControlPlane"={"name":"alias-eks-privatetest-cp","namespace":"cluster-67bdf4503897e994b608c9f3"} "controller"="awsmanagedcontrolplane" "controllerGroup"="controlplane.cluster.x-k8s.io" "controllerKind"="AWSManagedControlPlane" "name"="alias-eks-privatetest-cp" "namespace"="cluster-67bdf4503897e994b608c9f3" "reconcileID"="81216a1c-47f8-4059-b3b4-4f9664c3806f"

What steps did you take and what happened:
[A clear and concise description of what the bug is.]

Update EKS AWSMCP PublicCIDRS to empty for a private access cluster

What did you expect to happen:
EKS Cluster updated with PublicAccessCIDRS to empty list

Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]

Environment:

  • Cluster-api-provider-aws version:
  • Kubernetes version: (use kubectl version):
  • OS (e.g. from /etc/os-release):

Labels: kind/bug, needs-priority, needs-triage
