Skip to content

REPLACE-WITH-JIRA-KEY: Bump Kubernetes dependencies to 1.36.2#732

Draft
dfarrell07 wants to merge 9 commits into
openshift:masterfrom
dfarrell07:bump1.36-20260716124118
Draft

REPLACE-WITH-JIRA-KEY: Bump Kubernetes dependencies to 1.36.2#732
dfarrell07 wants to merge 9 commits into
openshift:masterfrom
dfarrell07:bump1.36-20260716124118

Conversation

@dfarrell07

@dfarrell07 dfarrell07 commented Jul 16, 2026

Copy link
Copy Markdown

Summary

  • Bumps all k8s.io/* dependencies from v0.35.2 to v0.36.2
  • Updates Go from 1.25 to 1.26
  • Updates controller-runtime from v0.23.3 to v0.24.1
  • Upgrades golangci-lint from v1.54.2 to v2.12.2

What changed

Category Details
k8s deps All k8s.io/* bumped to v0.36.2
Go 1.25 → 1.26 (go.mod, Dockerfiles, generators.Dockerfile)
controller-runtime v0.23.3 → v0.24.1
golangci-lint v1.54.2 → v2.12.2 (new .golangci.yml config)
envtest ENVTEST_K8S_VERSION 1.32 → 1.36, setup-envtest release-0.24
KIND kindest/node v1.27.3 → v1.36.1
Lint fixes ioutil deprecation, duplicate imports, error string casing, dead code removal
Build fix IntOrString format verb for Go 1.26 vet strictness

Commits

4f74a08f Rebase k8s-rebase-1.36.2 to k8s 1.36          (mechanical)
3328ec47 Update version references for k8s 1.36          (mechanical)
3de68d7c Fix IntOrString format verb in port range error
eee356d4 Update version references and lint for k8s 1.36  (autofix)
c96c5eca Update missed version references for k8s 1.36
fedb1e96 Add golangci-lint v2 configuration
90662b04 Replace deprecated ioutil with os package equivalents
d5401c09 Fix duplicate imports and lowercase error strings
cf73724c Fix staticcheck findings in controller, reporter, and API

Verification

  • go build ./... passes
  • go vet ./... passes
  • golangci-lint run passes (0 issues)
  • Unit tests pass for: pkg/render, pkg/status, pkg/interfaces, pkg/tls, pkg/ebpf, pkg/ebpfsyncer
  • pkg/webhook and controllers tests require envtest binaries (etcd, kube-apiserver) not available locally — CI will cover these
  • Independent antagonistic review: APPROVE

Notes

  • 2 pre-existing k8s.io/klog v1 imports remain (pkg/bpf-mgr, pkg/ebpf) — the project intentionally uses klog v1
  • scheme.Builder deprecation (SA1019) suppressed with nolint — migration to runtime.SchemeBuilder is a separate effort
  • All commits carry Assisted-by: Claude Code trailers

Summary by CodeRabbit

  • Compatibility

    • Updated the application and build environment to Go 1.26.
    • Updated Kubernetes-related tooling and test environments to newer versions.
  • Bug Fixes

    • Improved handling when firewall rules, interfaces, or resources are removed.
    • Improved validation and error reporting for firewall actions, CIDR values, port ranges, and event processing.
    • Standardized error messages for clearer diagnostics.
  • Maintenance

    • Updated linting and development tools to current versions.
    • Replaced deprecated file-handling functionality.

go get k8s.io/apiextensions-apiserver@v0.36.2
go get k8s.io/apimachinery@v0.36.2
go get k8s.io/apiserver@v0.36.2
go get k8s.io/api@v0.36.2
go get k8s.io/client-go@v0.36.2
go get k8s.io/component-base@v0.36.2
go get sigs.k8s.io/controller-runtime@v0.24.1
go get github.com/openshift/api
go get github.com/openshift/library-go
go get k8s.io/klog
go get k8s.io/klog/v2
go get k8s.io/kube-openapi
go get k8s.io/kubernetes
go get k8s.io/utils
go get sigs.k8s.io/apiserver-network-proxy/konnectivity-client
go get sigs.k8s.io/json
go get sigs.k8s.io/randfill
go get sigs.k8s.io/structured-merge-diff/v6
go get sigs.k8s.io/yaml
go mod tidy

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>
./Dockerfile
./Dockerfile.daemon
Makefile
./.rebase-tmp/k8s-rebase-patched.sh

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>
IntOrString no longer satisfies the %q verb directly in k8s 1.36.
Use .String() to get the string representation for formatting.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>
Applied: bump golangci-lint version
Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>
Update kindest/node image to v1.36.1, Go version in
generators.Dockerfile to 1.26.0, and fix stale lint version
comment.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>
golangci-lint v2 removed default exclusions for common false
positives. Add .golangci.yml with exclusion presets and rules
to suppress errcheck in tests and style suggestions that are
not actionable (QF1008, QF1001, QF1003).

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>
Migrate ioutil.ReadFile to os.ReadFile and ioutil.ReadDir to
os.ReadDir. Remove duplicate v1alpha1 import in loader.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>
Remove duplicate package imports in ebpfsyncer and namespaces.
Lowercase error strings per Go conventions (ST1005) and update
test assertions that match on the old error text.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>
Remove dead code building unused interfaces slice (SA4010),
replace unnecessary fmt.Sprintf with string literal (S1039),
deduplicate corev1 import in reporter (ST1019), and suppress
scheme.Builder deprecation (SA1019) with nolint directive.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 16, 2026
@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

Walkthrough

Changes

The PR standardizes the project on Go 1.26, refreshes Kubernetes and related dependencies, upgrades golangci-lint to v2, updates Kubernetes test tooling, and applies compatibility and cleanup changes across ingress firewall components.

Toolchain and runtime refresh

Layer / File(s) Summary
Lint and build tooling
.golangci.yml, Makefile, hack/lint.sh, Dockerfile*, hack/generators.Dockerfile
Adds golangci-lint v2 configuration and local execution, and updates build tooling and images to Go 1.26.
Go and Kubernetes dependency updates
go.mod
Updates the Go directive and direct and indirect dependencies across Kubernetes, OpenShift, networking, protobuf, gRPC, and OpenTelemetry modules.
Kubernetes test environment updates
Makefile, hack/kind-cluster.sh, test/e2e/*
Updates envtest and kind Kubernetes versions and adjusts e2e Kubernetes type and not-found handling.
Ingress firewall compatibility and cleanup
api/*, controllers/*, pkg/ebpf/*, pkg/ebpfsyncer/*, pkg/render/*, pkg/utils/*
Updates API aliases and standard-library calls, removes unused detach preparation, and standardizes error text and lint annotations.

Estimated code review effort: 2 (Simple) | ~15 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Test Structure And Quality ⚠️ Warning Touched e2e helpers still use context.Background for cluster calls and defer f.Close inside a loop, so they miss required timeouts/cleanup. Use timeout/cancel contexts for List/GetLogs/Get/DeleteCollection and close each log file per iteration instead of deferring inside the loop.
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the main change: upgrading Kubernetes dependencies to 1.36.2.
Docstring Coverage ✅ Passed Docstring coverage is 83.33% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Changed test files have no Ginkgo title declarations; pkg/ebpfsyncer/ebpfsyncer_test.go uses stdlib tests, and e2e edits are helper code only.
Microshift Test Compatibility ✅ Passed PR touches only e2e helper files; no new Ginkgo It/Describe/Context/When blocks were added, so MicroShift compatibility isn’t implicated.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PASS: The PR adds no new Ginkgo e2e specs; the changed e2e files are helper/reporting code with no It/Describe/Context/When blocks or SNO assumptions.
Topology-Aware Scheduling Compatibility ✅ Passed Only API nolint, controller detach/error text, and e2e import cleanup changed; no scheduling, replicas, nodeSelector, affinity, or topology-aware placement logic.
Ote Binary Stdout Contract ✅ Passed No modified main/init/TestMain/BeforeSuite code writes to stdout; changed e2e helpers log to files/stderr only, and suite setup routes logs to GinkgoWriter/stderr.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e specs were added; the changed test files are helper code only and contain no IPv4 literals or public-internet dependencies.
No-Weak-Crypto ✅ Passed No touched file adds weak crypto, custom crypto, or secret/token comparisons; repo sweep found only unrelated vendor/docs references.
Container-Privileges ✅ Passed Changed Dockerfiles/KIND script only bump image tags; the diff adds no privileged, hostPID/hostNetwork, allowPrivilegeEscalation, or SYS_ADMIN settings.
No-Sensitive-Data-In-Logs ✅ Passed Changed files only adjust toolchain/error strings; no new logging of secrets, tokens, or customer data was introduced in the diff.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dfarrell07
Once this PR has been reviewed and has the lgtm label, please assign jcaamano for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
hack/generators.Dockerfile (2)

6-8: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Merge package installation and cache cleanup.

As per path instructions, there should be no package manager cache in the final layer. Since dnf clean all runs in a separate RUN instruction, the cache from dnf install remains baked into the preceding layer. Combine these into a single command.

🛡️ Proposed fix
-RUN dnf install -y git kernel-devel make llvm clang glibc-devel.i686 unzip clang-tools-extra
-
-RUN dnf clean all
+RUN dnf install -y git kernel-devel make llvm clang glibc-devel.i686 unzip clang-tools-extra && \
+    dnf clean all
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/generators.Dockerfile` around lines 6 - 8, Merge the package
installation and cache cleanup steps into a single RUN instruction in the
Dockerfile, chaining dnf install and dnf clean all so package-manager cache is
removed within the same image layer.

Source: Path instructions


33-33: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Specify a non-root user.

As per path instructions, containers should never run as root. Consider specifying a USER directive before the ENTRYPOINT if root privileges are not strictly required for the generation steps.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/generators.Dockerfile` at line 33, Configure the generators container to
run as a non-root user by adding an appropriate USER directive before the
existing ENTRYPOINT. Ensure the selected user has the permissions required by
the ebpf-generate target.

Source: Path instructions

Dockerfile.daemon (1)

10-10: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Specify a non-root user.

As per path instructions, containers should never run as root. Specify a USER directive in the final stage. If the daemon requires specific system privileges (e.g., for loading eBPF programs), it should run as a non-root user with explicitly granted capabilities in the deployment manifest.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.daemon` at line 10, Update the final Dockerfile stage containing
CMD ["/usr/bin/daemon"] to add a USER directive for a dedicated non-root user,
ensuring that user exists and can access required daemon resources. Do not run
the daemon as root; handle any required elevated capabilities through the
deployment manifest.

Source: Path instructions

🧹 Nitpick comments (1)
hack/lint.sh (1)

12-14: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Quote the $(pwd) output to prevent word splitting.

Using $(pwd) unquoted can lead to word splitting if the directory path contains spaces, causing the container runtime command to fail.

♻️ Proposed fix
-$1 run --security-opt label=disable --rm -v $(pwd):/app -w /app -e GO111MODULE=on golangci/golangci-lint:${VERSION} \
+$1 run --security-opt label=disable --rm -v "$(pwd):/app" -w /app -e GO111MODULE=on golangci/golangci-lint:${VERSION} \
 	golangci-lint run --verbose \
 	--modules-download-mode=vendor --timeout=15m0s && \
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/lint.sh` around lines 12 - 14, Update the volume mount argument in the
lint command to quote the $(pwd) substitution, preventing directory paths
containing spaces from being split by the shell while preserving the existing
container invocation.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile`:
- Line 2: Pin the golang builder image by SHA256 digest instead of the floating
1.26 tag in both Dockerfile lines 2-2 and Dockerfile.daemon lines 1-1,
preserving the golang:1.26 version while using the digest for reproducible
builds.

In `@Dockerfile.daemon`:
- Line 3: Replace the broad COPY . . instruction in Dockerfile.daemon with
explicit COPY directives for only the files and directories required by the
daemon build, excluding sensitive and unnecessary context while preserving the
existing build behavior.

In `@go.mod`:
- Around line 15-32: Address the OSV findings for the k8s.io/kubernetes v1.36.2
dependency by upgrading to a fixed release if available; otherwise add the
project’s supported mitigation or documented upgrade path in the dependency
configuration. Update related Kubernetes module versions consistently and verify
the resulting dependency graph no longer leaves GO-2025-3521 or GO-2025-3547
unaddressed.

In `@test/e2e/k8sreporter/reporter.go`:
- Around line 129-130: Update the external Kubernetes API calls to use bounded
contexts: in test/e2e/k8sreporter/reporter.go lines 129-130, create and pass a
timeout context to the Pods List call; at lines 148-149, use a timeout context
for GetLogs. In test/e2e/namespaces/namespaces.go lines 21-22, pass the provided
ctx to Get; at lines 64-66, create and pass a timeout context to
DeleteCollection, ensuring each newly created context is properly canceled.
- Line 144: Update the file-handling loop in logLogs to close each opened file
explicitly at the end of its iteration instead of deferring f.Close(). Preserve
the existing processing and ensure the close occurs before continuing to the
next pod.

---

Outside diff comments:
In `@Dockerfile.daemon`:
- Line 10: Update the final Dockerfile stage containing CMD ["/usr/bin/daemon"]
to add a USER directive for a dedicated non-root user, ensuring that user exists
and can access required daemon resources. Do not run the daemon as root; handle
any required elevated capabilities through the deployment manifest.

In `@hack/generators.Dockerfile`:
- Around line 6-8: Merge the package installation and cache cleanup steps into a
single RUN instruction in the Dockerfile, chaining dnf install and dnf clean all
so package-manager cache is removed within the same image layer.
- Line 33: Configure the generators container to run as a non-root user by
adding an appropriate USER directive before the existing ENTRYPOINT. Ensure the
selected user has the permissions required by the ebpf-generate target.

---

Nitpick comments:
In `@hack/lint.sh`:
- Around line 12-14: Update the volume mount argument in the lint command to
quote the $(pwd) substitution, preventing directory paths containing spaces from
being split by the shell while preserving the existing container invocation.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

Comment thread Dockerfile
@@ -1,5 +1,5 @@
# Build the manager binary
FROM golang:1.25 as builder
FROM golang:1.26 as builder

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pin non-Red Hat base images by digest.

As per path instructions for container security, non-Red Hat images must be pinned by digest rather than a floating tag like 1.26 to ensure reproducible builds and prevent supply chain attacks.

  • Dockerfile#L2-L2: pin the golang:1.26 image by its SHA256 digest.
  • Dockerfile.daemon#L1-L1: pin the golang:1.26 image by its SHA256 digest.
📍 Affects 2 files
  • Dockerfile#L2-L2 (this comment)
  • Dockerfile.daemon#L1-L1
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 2, Pin the golang builder image by SHA256 digest instead
of the floating 1.26 tag in both Dockerfile lines 2-2 and Dockerfile.daemon
lines 1-1, preserving the golang:1.26 version while using the digest for
reproducible builds.

Source: Path instructions

Comment thread Dockerfile.daemon
FROM golang:1.25 AS builder
FROM golang:1.26 AS builder
WORKDIR /go/src/github.com/openshift/ingress-node-firewall
COPY . .

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Copy specific files instead of the entire context.

As per path instructions, avoid using COPY . .. Instead, explicitly copy only the files necessary for the build. This prevents unintended inclusion of sensitive or unnecessary files and improves build cache efficiency.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.daemon` at line 3, Replace the broad COPY . . instruction in
Dockerfile.daemon with explicit COPY directives for only the files and
directories required by the daemon build, excluding sensitive and unnecessary
context while preserving the existing build behavior.

Source: Path instructions

Comment thread go.mod
Comment on lines +15 to +32
github.com/openshift/api v0.0.0-20260715165912-72066cc9718b
github.com/openshift/controller-runtime-common v0.0.0-20260428152732-64ee174f5e2e
github.com/openshift/library-go v0.0.0-20260615113748-bc9d4056464b
github.com/openshift/library-go v0.0.0-20260716135552-61990a0aa401
github.com/pkg/errors v0.9.1
github.com/prometheus/client_golang v1.23.2
github.com/prometheus/common v0.66.1
github.com/vishvananda/netlink v1.3.1-0.20250206174618-62fb240731fa
golang.org/x/sys v0.42.0
github.com/prometheus/common v0.67.5
github.com/vishvananda/netlink v1.3.1
golang.org/x/sys v0.45.0
gopkg.in/mcuadros/go-syslog.v2 v2.3.0
k8s.io/api v0.35.2
k8s.io/apiextensions-apiserver v0.35.1
k8s.io/apimachinery v0.35.2
k8s.io/client-go v0.35.2
k8s.io/component-base v0.35.1
k8s.io/api v0.36.2
k8s.io/apiextensions-apiserver v0.36.2
k8s.io/apimachinery v0.36.2
k8s.io/client-go v0.36.2
k8s.io/component-base v0.36.2
k8s.io/klog v1.0.0
k8s.io/kubernetes v1.32.3
k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2
sigs.k8s.io/controller-runtime v0.23.3
k8s.io/kubernetes v1.36.2
k8s.io/utils v0.0.0-20260707023825-cf1189d6abe3
sigs.k8s.io/controller-runtime v0.24.1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Scan go.mod for known vulnerabilities.

go install github.com/google/osv-scanner/cmd/osv-scanner@latest
osv-scanner --lockfile=go.mod

Repository: openshift/ingress-node-firewall

Length of output: 6039


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== go.mod excerpt =="
nl -ba go.mod | sed -n '1,120p'

echo
echo "== search for k8s.io/kubernetes usage =="
rg -n 'k8s.io/kubernetes|GO-2025-3521|GO-2025-3547' -S .

Repository: openshift/ingress-node-firewall

Length of output: 230


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== go.mod excerpt =="
sed -n '1,120p' go.mod | cat -n

echo
echo "== search for k8s.io/kubernetes usage =="
rg -n 'k8s.io/kubernetes|GO-2025-3521|GO-2025-3547' -S .

Repository: openshift/ingress-node-firewall

Length of output: 14125


k8s.io/kubernetes v1.36.2 is flagged by OSV (GO-2025-3521, GO-2025-3547) with no fixed version yet; add a mitigation or upgrade path before merging.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 15 - 32, Address the OSV findings for the
k8s.io/kubernetes v1.36.2 dependency by upgrading to a fixed release if
available; otherwise add the project’s supported mitigation or documented
upgrade path in the dependency configuration. Update related Kubernetes module
versions consistently and verify the resulting dependency graph no longer leaves
GO-2025-3521 or GO-2025-3547 unaddressed.

Source: Path instructions

Comment on lines 129 to +130
func (r *KubernetesReporter) logLogs(filterPods func(*corev1.Pod) bool, dirName string) {
pods, err := r.clients.Pods(v1.NamespaceAll).List(context.Background(), metav1.ListOptions{})
pods, err := r.clients.Pods(corev1.NamespaceAll).List(context.Background(), metav1.ListOptions{})

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Missing timeout contexts for external API calls.

As per path instructions, always use a context.Context configured with a timeout or cancellation for external calls to prevent deadlocks if the Kubernetes API server is unresponsive.

  • test/e2e/k8sreporter/reporter.go#L129-L130: replace context.Background() with a timeout context for the List call.
  • test/e2e/k8sreporter/reporter.go#L148-L149: replace context.Background() with a timeout context for the GetLogs call.
  • test/e2e/namespaces/namespaces.go#L21-L22: replace context.Background() with the provided ctx (which already has a timeout applied) in the Get call.
  • test/e2e/namespaces/namespaces.go#L64-L66: replace context.Background() with a timeout context for the DeleteCollection call.
📍 Affects 2 files
  • test/e2e/k8sreporter/reporter.go#L129-L130 (this comment)
  • test/e2e/k8sreporter/reporter.go#L148-L149
  • test/e2e/namespaces/namespaces.go#L21-L22
  • test/e2e/namespaces/namespaces.go#L64-L66
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/k8sreporter/reporter.go` around lines 129 - 130, Update the external
Kubernetes API calls to use bounded contexts: in
test/e2e/k8sreporter/reporter.go lines 129-130, create and pass a timeout
context to the Pods List call; at lines 148-149, use a timeout context for
GetLogs. In test/e2e/namespaces/namespaces.go lines 21-22, pass the provided ctx
to Get; at lines 64-66, create and pass a timeout context to DeleteCollection,
ensuring each newly created context is properly canceled.

Source: Path instructions

@@ -143,11 +142,11 @@ func (r *KubernetesReporter) logLogs(filterPods func(*corev1.Pod) bool, dirName
return
}
defer f.Close()

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win

Resource leak: defer f.Close() inside a loop.

Using defer f.Close() inside the for loop will delay closing the file descriptors until the entire logLogs function returns. If the cluster has many pods, this can exhaust the process's open file limit.

🐛 Proposed fix

Replace the defer with explicit closing at the end of the loop iteration:

 		if err != nil {
 			fmt.Fprintf(os.Stderr, "failed to open pods_logs file: %v\n", dirName)
 			return
 		}
-		defer f.Close()
 		containersToLog := make([]corev1.Container, 0)
 		containersToLog = append(containersToLog, pod.Spec.Containers...)
 		containersToLog = append(containersToLog, pod.Spec.InitContainers...)
 		for _, container := range containersToLog {
 			logs, err := r.clients.Pods(pod.Namespace).GetLogs(pod.Name, &corev1.PodLogOptions{Container: container.Name}).DoRaw(context.Background())
 			if err == nil {
 				fmt.Fprintf(f, "-----------------------------------\n")
 				fmt.Fprintf(f, "Dumping logs for pod %s-%s-%s\n", pod.Namespace, pod.Name, container.Name)
 				fmt.Fprintln(f, string(logs))
 			}
 		}
+		f.Close()
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
defer f.Close()
f.Close()
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/k8sreporter/reporter.go` at line 144, Update the file-handling loop
in logLogs to close each opened file explicitly at the end of its iteration
instead of deferring f.Close(). Preserve the existing processing and ensure the
close occurs before continuing to the next pod.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant