From 53cc350cb3de4e3a9200fa02df7bcc2ac7afc0f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Piotr=20Kieszczy=C5=84ski?=
Date: Mon, 19 Jan 2026 11:14:02 +0100
Subject: [PATCH] fix: nil pointer dereferences in private cluster reconciliation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes two nil pointer dereference issues when creating/reconciling private GKE clusters:
1. Creation path: Initialize NetworkConfig before accessing DefaultEnablePrivateNodes. Also set EnablePrivateNodes on PrivateClusterConfig to match (GCP SDK requires both to be equal).
2. Reconciliation path: Initialize DesiredControlPlaneEndpointsConfig and IpEndpointsConfig before assigning AuthorizedNetworksConfig in checkDiffAndPrepareUpdate.
Both issues occur when using private clusters with PSC (Private Service Connect) mode, i.e., enablePrivateEndpoint: true without specifying controlPlaneCidrBlock.
Related issues:
- https://github.com/kubernetes-sigs/cluster-api-provider-gcp/issues/1497
- https://github.com/kubernetes-sigs/cluster-api-provider-gcp/pull/1503
Signed-off-by: Piotr KieszczyƄski
---
 .../services/container/clusters/reconcile.go | 24 ++++++++++++-------
 1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/cloud/services/container/clusters/reconcile.go b/cloud/services/container/clusters/reconcile.go
index 3adcc40d7..94a81a559 100644
--- a/cloud/services/container/clusters/reconcile.go
+++ b/cloud/services/container/clusters/reconcile.go
@@ -291,27 +291,29 @@ func (s *Service) createCluster(ctx context.Context, log *logr.Logger) error {
 }
 
 if cn.PrivateCluster != nil {
- cluster.PrivateClusterConfig = &containerpb.PrivateClusterConfig{}
-
 enablePublicEndpoint := !cn.PrivateCluster.EnablePrivateEndpoint
 cluster.ControlPlaneEndpointsConfig.IpEndpointsConfig.EnablePublicEndpoint = &enablePublicEndpoint
-
 if cn.PrivateCluster.EnablePrivateEndpoint {
 cluster.ControlPlaneEndpointsConfig.IpEndpointsConfig.AuthorizedNetworksConfig = &containerpb.MasterAuthorizedNetworksConfig{
 Enabled: true,
 }
 }
 
- cluster.NetworkConfig.DefaultEnablePrivateNodes = &cn.PrivateCluster.EnablePrivateNodes
-
- cluster.PrivateClusterConfig.MasterIpv4CidrBlock = cn.PrivateCluster.ControlPlaneCidrBlock
- cluster.ControlPlaneEndpointsConfig.IpEndpointsConfig.GlobalAccess = &cn.PrivateCluster.ControlPlaneGlobalAccess
-
+ // Initialize NetworkConfig before accessing DefaultEnablePrivateNodes
 cluster.NetworkConfig = &containerpb.NetworkConfig{
 DefaultSnatStatus: &containerpb.DefaultSnatStatus{
 Disabled: cn.PrivateCluster.DisableDefaultSNAT,
 },
 }
+ cluster.NetworkConfig.DefaultEnablePrivateNodes = &cn.PrivateCluster.EnablePrivateNodes
+
+ cluster.PrivateClusterConfig = &containerpb.PrivateClusterConfig{
+ MasterIpv4CidrBlock: cn.PrivateCluster.ControlPlaneCidrBlock,
+ // EnablePrivateNodes is deprecated but GCP SDK raises an error if the value
+ // of this field is different from the value of NetworkConfig.DefaultEnablePrivateNodes
+ EnablePrivateNodes: cn.PrivateCluster.EnablePrivateNodes,
+ }
+ cluster.ControlPlaneEndpointsConfig.IpEndpointsConfig.GlobalAccess = &cn.PrivateCluster.ControlPlaneGlobalAccess
 }
 }
 
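Review bot: The new `cluster.NetworkConfig = &containerpb.NetworkConfig{...}` assignment replaces the whole struct instead of filling in a nil one, so on the private-cluster path anything createCluster puts into NetworkConfig before this block (the function starts outside the hunk) would be silently dropped; if nothing sets it earlier this is harmless, otherwise guard on nil and assign the two fields, which is also the shape the checkDiffAndPrepareUpdate hunk uses. The surrounding context lines still dereference `cluster.ControlPlaneEndpointsConfig.IpEndpointsConfig` with no guard visible here, so it is worth confirming that chain is initialized unconditionally before this block, or the same class of nil dereference survives. The diffstat shows no test change; a unit test for the case the message describes (EnablePrivateEndpoint true with an empty ControlPlaneCidrBlock) would pin both this fix and the one in the second hunk. The added comment `// Initialize NetworkConfig before accessing DefaultEnablePrivateNodes` restates the code; `// NetworkConfig may still be nil here; DefaultEnablePrivateNodes must mirror PrivateClusterConfig.EnablePrivateNodes or the SDK rejects the request` would record the why.
```go
		// … unchanged: EnablePublicEndpoint / AuthorizedNetworksConfig handling …
		if cluster.NetworkConfig == nil {
			cluster.NetworkConfig = &containerpb.NetworkConfig{}
		}
		cluster.NetworkConfig.DefaultSnatStatus = &containerpb.DefaultSnatStatus{
			Disabled: cn.PrivateCluster.DisableDefaultSNAT,
		}
		cluster.NetworkConfig.DefaultEnablePrivateNodes = &cn.PrivateCluster.EnablePrivateNodes
		// … unchanged: PrivateClusterConfig and GlobalAccess assignment …
```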
@@ -516,6 +518,12 @@ func (s *Service) checkDiffAndPrepareUpdate(existingCluster *containerpb.Cluster
 desiredMasterAuthorizedNetworksConfig := convertToSdkMasterAuthorizedNetworksConfig(s.scope.GCPManagedControlPlane.Spec.MasterAuthorizedNetworksConfig)
 if !compareMasterAuthorizedNetworksConfig(desiredMasterAuthorizedNetworksConfig, existingCluster.GetControlPlaneEndpointsConfig().GetIpEndpointsConfig().GetAuthorizedNetworksConfig()) {
 needUpdate = true
+ if clusterUpdate.DesiredControlPlaneEndpointsConfig == nil {
+ clusterUpdate.DesiredControlPlaneEndpointsConfig = &containerpb.ControlPlaneEndpointsConfig{}
+ }
+ if clusterUpdate.DesiredControlPlaneEndpointsConfig.IpEndpointsConfig == nil {
+ clusterUpdate.DesiredControlPlaneEndpointsConfig.IpEndpointsConfig = &containerpb.ControlPlaneEndpointsConfig_IPEndpointsConfig{}
+ }
 clusterUpdate.DesiredControlPlaneEndpointsConfig.IpEndpointsConfig.AuthorizedNetworksConfig = desiredMasterAuthorizedNetworksConfig
 log.V(2).Info("Master authorized networks config update required", "current", existingCluster.GetControlPlaneEndpointsConfig().GetIpEndpointsConfig().GetAuthorizedNetworksConfig(), "desired", desiredMasterAuthorizedNetworksConfig)
 }
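Review bot: The two nil guards are placed only in the authorized-networks branch, so any other branch of checkDiffAndPrepareUpdate (the function starts and ends outside this hunk) that writes into `clusterUpdate.DesiredControlPlaneEndpointsConfig.IpEndpointsConfig` keeps the original failure mode; a small helper that allocates both parents when nil and returns the IpEndpointsConfig would let each caller write one assignment and keep the guard in a single place. The same guard-then-assign sequence is what the createCluster hunk needed for NetworkConfig, which is a further argument for centralizing it. The resulting update carries a freshly allocated IpEndpointsConfig holding only AuthorizedNetworksConfig; that is presumably fine because the sibling pointer fields stay unset rather than zeroed, but since the public-endpoint and global-access settings live in the same message it is worth confirming against the SDK's update semantics that unset is not applied as "clear".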