cf-mgmt pipeline update space security groups successfully creates ASGs and binds them but rules are not propagated to apps instances

Article ID: 442414


Products

VMware Tanzu Platform Core, VMware Tanzu Application Service

Issue/Introduction

The "cf security-groups" command shows that cf-mgmt has created and bound the ASGs correctly, but apps are not able to reach the endpoints defined in the ASG rules. The Cloud Controller nginx-access.log shows that the ASG rules were updated successfully by the cf-mgmt client, version 1.0.45:

[29/May/2026:15:10:27 +0000] "PUT /v2/security_groups/<ASG-GUID> HTTP/1.1" 201 1603 "-" "cf-mgmt/v1.0.45" 10.#.#.#, 10.#.#.# vcap_request_id:<GUID> response_time:0.027

How to validate that the app instance does not have the ASG rule applied. Use the procedure below to compare your ASG rule definition with what is actually applied at the app instance level:

  • get the app GUID
    • cf app <app-name> --guid
  • get the instance guid
    • ~$ cf curl /v3/processes/<APP-GUID>/stats | jq '.resources[] | {"host":  .host, "instance_guid": .instance_guid}'
      {
        "host": "10.#.#.#",
        "instance_guid": "a9178bd9-ff42-46a3-6a27-####"
      }
  • ssh into the Diego cell with the host IP above and convert the instance GUID into the ASG iptables chain name: keep the first 4 of the 5 hyphen-separated parts, drop the hyphens and prefix the result with "asg-"
    • example: the ASG chain name for the instance_guid from the previous step is "asg-a9178bd9ff4246a36a27"
  • review the asg rules applied to instance
    • ~# iptables -vnL asg-a9178bd9ff4246a36a27 
      Chain asg-a9178bd9ff4246a36a27 (1 references)
       pkts bytes target     prot opt in     out     source               destination
          0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
          0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
          0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            destination IP range 10.#.#.#-10.#.#.# tcp dpt:8080
          0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            destination IP range 169.255.0.0-255.255.255.255
          0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            destination IP range 0.0.0.0-169.253.255.255
          0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
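The following shell helper is an added example and is not part of this article or of cf-mgmt itself. It automates the two manual steps above: deriving the ASG chain name from a process instance GUID, and checking whether an ACCEPT rule for a given destination range and TCP port is present in the chain listing. The instance GUID, the 10.0.1.x destination range and the iptables listing used below are constructed sample data so the script runs offline; on a Diego cell, call check_rule_applied without the fourth argument to query iptables live.

```shell
#!/bin/sh
# Added example (not from the KB article or the cf-mgmt project).
# Assumptions: sample GUID, IP range and listing below are constructed.

# asg_chain_name <instance_guid>
# Keeps the first four of the five hyphen-separated GUID groups, removes the
# hyphens and prefixes "asg-", matching the chain naming shown in the article.
asg_chain_name() {
  printf 'asg-%s\n' "$(printf '%s' "$1" | cut -d- -f1-4 | sed 's/-//g')"
}

# chain_has_rule <listing> <destination-range> <tcp-port>
# Returns 0 when an ACCEPT line in a captured "iptables -vnL <chain>" listing
# matches the exact destination IP range and tcp dport, otherwise 1.
chain_has_rule() {
  listing="$1"; dest="$2"; port="$3"
  # Escape dots so "10.0.1.10" is matched literally, not as "any character".
  dest_re=$(printf '%s' "$dest" | sed 's/\./\\./g')
  printf '%s\n' "$listing" |
    grep -E -q "ACCEPT .*destination IP range ${dest_re} tcp dpt:${port}( |\$)"
}

# Constructed sample listing in the same shape as the article's output.
SAMPLE_LISTING='Chain asg-a9178bd9ff4246a36a27 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            destination IP range 10.0.1.10-10.0.1.20 tcp dpt:8080
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

# check_rule_applied <instance_guid> <destination-range> <tcp-port> [listing]
# Without a fourth argument, runs iptables on this host (needs root on the
# Diego cell); with one, checks the supplied listing offline.
# Prints a verdict and returns 0 when the rule is present, 1 otherwise.
check_rule_applied() {
  chain=$(asg_chain_name "$1")
  if [ $# -ge 4 ]; then
    listing="$4"
  else
    listing=$(iptables -vnL "$chain" 2>/dev/null) || {
      echo "chain $chain not found on this host"
      return 1
    }
  fi
  if chain_has_rule "$listing" "$2" "$3"; then
    echo "OK: $chain allows $2 tcp/$3"
    return 0
  fi
  echo "MISSING: $chain has no ACCEPT for $2 tcp/$3 (ASG update not propagated?)"
  return 1
}

# Offline demo against the constructed listing: first call reports OK,
# second reports MISSING because no rule for port 8443 exists in the sample.
check_rule_applied a9178bd9-ff42-46a3-6a27-0123456789ab 10.0.1.10-10.0.1.20 8080 "$SAMPLE_LISTING"
check_rule_applied a9178bd9-ff42-46a3-6a27-0123456789ab 10.0.1.10-10.0.1.20 8443 "$SAMPLE_LISTING" || true
```

The destination range and port passed to check_rule_applied should be taken from the ASG definition itself (for example the "destination" and "ports" fields of the rule), so a MISSING result points directly at a rule that was accepted by the Cloud Controller but never reached the container.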

Cause

In this case the operator was using an older version of cf-mgmt, 1.0.45, which uses the Cloud Controller v2 API. The v2 API does not support the dynamic ASG policy syncer. Because cf-mgmt pushed the ASG rules with a v2 API PUT request, the policy syncer that manages dynamic ASG rules ignores the update and does not propagate the changes to the app container.

Resolution

Upgrade cf-mgmt to the latest supported version from the Broadcom support portal. All current versions use the v3 Cloud Controller API and support dynamic ASGs. Legacy open source versions of cf-mgmt are no longer supported.