Skip to content

REPLACE-WITH-JIRA-KEY: Bump Kubernetes dependencies to v1.36.2#734

Draft
dfarrell07 wants to merge 8 commits into
openshift:masterfrom
dfarrell07:bump1.36-20260718042126
Draft

REPLACE-WITH-JIRA-KEY: Bump Kubernetes dependencies to v1.36.2#734
dfarrell07 wants to merge 8 commits into
openshift:masterfrom
dfarrell07:bump1.36-20260718042126

Conversation

@dfarrell07

@dfarrell07 dfarrell07 commented Jul 18, 2026

Copy link
Copy Markdown

Summary

Bumps all k8s.io/* dependencies from v0.35.2 to v0.36.2 (Kubernetes 1.36.2) and Go from 1.25 to 1.26.

What changed

  • Dependency bump: k8s.io/* v0.35.2 → v0.36.2, controller-runtime v0.23.3 → v0.24.1
  • Go version: 1.25.0 → 1.26.0 (Dockerfiles, go.mod, CI builder images)
  • golangci-lint: v1.54.2 → v2.12.2 (v1 cannot parse Go 1.26)
  • klog: Migrated 2 files from klog v1 to klog/v2
  • KIND: Updated kindest/node from v1.27.3 to v1.36.1, kubeadm config to v1beta4 format
  • Lint fixes: io/ioutil deprecation, import deduplication, error string casing (ST1005), unused append (SA4010), unnecessary Sprintf (S1039)
  • Format string fix: IntOrString requires explicit .String() for %q in Go 1.26

Commits

Commit Description Type
bb99ff8 Rebase k8s-rebase-1.36.2 to k8s 1.36 Mechanical
cf8ac1a Update version references for k8s 1.36 Mechanical
f8f0116 utils: fix IntOrString format string for Go 1.26 vet Fix
ab2e899 ci: bump golangci-lint from v1.54.2 to v2.12.2 Fix
3059a1d deps: migrate klog v1 to klog/v2 Fix
088352c e2e: update KIND image to v1.36.1 and kubeadm v1beta4 format Fix
22148ad lint: migrate io/ioutil and deduplicate imports Fix
52a06f3 lint: fix staticcheck and errcheck issues for golangci-lint v2 Fix

Verification

  • go build ./... — PASS
  • go vet ./... — PASS
  • golangci-lint run — PASS (v2.12.2)
  • go test — 6/8 packages pass; 2 failures are pre-existing envtest infrastructure requirements (controllers and pkg/webhook need etcd/kube-apiserver binaries)

All commits carry Assisted-by: Claude Code trailers.

Summary by CodeRabbit

  • Improvements
    • Updated the application build environment to Go 1.26.
    • Refreshed Kubernetes test and local cluster tooling for newer Kubernetes versions.
    • Improved linting support with updated configuration and more consistent local and container-based checks.
    • Modernized file handling and logging behavior for improved compatibility and clearer diagnostics.
    • Corrected ingress firewall rule loading, attachment, and removal flows.
    • Improved validation and error messages for invalid firewall rules and port ranges.

go get k8s.io/api@v0.36.2
go get k8s.io/apiextensions-apiserver@v0.36.2
go get k8s.io/apimachinery@v0.36.2
go get k8s.io/apiserver@v0.36.2
go get k8s.io/client-go@v0.36.2
go get k8s.io/component-base@v0.36.2
go get sigs.k8s.io/controller-runtime@v0.24.1
go get github.com/openshift/api
go get github.com/openshift/library-go
go get k8s.io/klog
go get k8s.io/klog/v2
go get k8s.io/kube-openapi
go get k8s.io/kubernetes
go get k8s.io/utils
go get sigs.k8s.io/apiserver-network-proxy/konnectivity-client
go get sigs.k8s.io/json
go get sigs.k8s.io/randfill
go get sigs.k8s.io/structured-merge-diff/v6
go get sigs.k8s.io/yaml
go mod tidy

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>
./Dockerfile
./Dockerfile.daemon
Makefile

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>
Go 1.26 vet catches that IntOrString is a struct, not a string,
so %q requires .String() to be called explicitly.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>
golangci-lint v1 cannot parse Go 1.26 source code.
Update Makefile and hack/lint.sh to use v2.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>
Two files imported k8s.io/klog (v1) instead of k8s.io/klog/v2.
The API surface used (Info, Infof) is identical between versions.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>
Update kindest/node from v1.27.3 to v1.36.1 to match the k8s
1.36 dependency bump. Convert kubeadm extraArgs from map format
to list-of-name-value-pairs format required by v1beta4.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>
Replace deprecated io/ioutil with os package equivalents.
Remove duplicate package imports flagged by staticcheck ST1019.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>
Add .golangci.yml config to exclude style-only suggestions (QF1008,
QF1001, QF1003) and dot imports in test files (ST1001).
Fix ST1005 capitalized error strings, SA4010 unused append result,
S1039 unnecessary Sprintf, and SA1019 scheme.Builder deprecation.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 18, 2026
@openshift-ci

openshift-ci Bot commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci

openshift-ci Bot commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dfarrell07
Once this PR has been reviewed and has the lgtm label, please assign tssurya for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 18, 2026

Copy link
Copy Markdown

Walkthrough

The PR upgrades the project to Go 1.26 and golangci-lint v2, refreshes dependencies and Kubernetes test tooling, modernizes API and filesystem references, normalizes errors, and adjusts BPFMan detach and attach handling.

Changes

Runtime and tooling modernization

Layer / File(s) Summary
Toolchain, dependencies, and linting
.golangci.yml, Dockerfile*, Makefile, go.mod, hack/lint.sh
Builds move to Go 1.26, dependencies are refreshed, and golangci-lint v2 configuration and execution are added.
Kubernetes test infrastructure updates
Makefile, hack/kind-cluster.sh, test/e2e/*
Envtest and kind versions are updated, cluster argument formatting changes, and e2e Kubernetes references use consistent aliases.
API and eBPF compatibility updates
api/v1alpha1/*, pkg/bpf-mgr/*, pkg/ebpf/*, pkg/ebpfsyncer/*, pkg/render/*, pkg/utils/*
Ingress API aliases, klog v2 imports, os.ReadDir/os.ReadFile, and standardized error text are applied across runtime code.
BPFMan detach and attach handling
controllers/ingressnodefirewall_controller.go
BPFMan detach receives a nil interface argument, and attach failures use a direct fixed log message.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the main change by describing the Kubernetes dependency bump to v1.36.2.
Docstring Coverage ✅ Passed Docstring coverage is 83.33% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No Ginkgo-style titles exist in the repo or changed files; the only test edit is a string-casing change inside a standard Test function.
Test Structure And Quality ✅ Passed No Ginkgo specs were modified; touched test code is standard testing/helpers, and timeout/cleanup usage matches repo patterns.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the diff only touches a unit test and an e2e helper, with no MicroShift-unsupported OpenShift APIs found.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e specs were added; the changed test files are helper utilities/reporter code, with no It/Describe/Context/When additions.
Topology-Aware Scheduling Compatibility ✅ Passed Diffs only change logging/error strings and one detach call; no affinity, replicas, nodeSelectors, topologySpread, or topology-mode assumptions were introduced.
Ote Binary Stdout Contract ✅ Passed The PR’s changed process-level entrypoints use zap/GinkgoWriter or stderr; no new stdout writes were introduced in main/init/BeforeSuite/AfterSuite setup.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e specs were added; the only e2e change is a namespace helper typo fix, with no IPv4 literals or external network use.
No-Weak-Crypto ✅ Passed No added weak-crypto APIs or unsafe secret comparisons appear in the patch.
Container-Privileges ✅ Passed No new privileged/container-security settings were added; matched hostNetwork/hostPID/privileged lines in hack/kind-cluster.sh were pre-existing.
No-Sensitive-Data-In-Logs ✅ Passed PASS: The only log-change hunk is a generic error message; other logging hunks are unchanged or type-only, with no added secret/PII output.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
controllers/ingressnodefirewall_controller.go (1)

107-113: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Do not silently ignore the error returned by isUsingBpfmanManager.

Both blocks use an inline condition yes && err == nil that evaluates to false if an error is returned (e.g., due to an API error when fetching the configuration). This causes the error to be silently swallowed, resulting in skipped eBPF program detachment/attachment without logging or bubbling up the reconciliation error. As per path instructions, "Never ignore error returns".

  • controllers/ingressnodefirewall_controller.go#L107-L113: Extract the isUsingBpfmanManager call, check if err != nil, and explicitly log and return ctrl.Result{}, err before checking if yes.
  • controllers/ingressnodefirewall_controller.go#L362-L378: Extract the isUsingBpfmanManager call, explicitly handle err != nil by logging the error and updating state.Status to SyncError, and then proceed with if yes.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controllers/ingressnodefirewall_controller.go` around lines 107 - 113, The
inline isUsingBpfmanManager checks must not discard errors. In
controllers/ingressnodefirewall_controller.go lines 107-113, extract the call,
log and return ctrl.Result{}, err when it fails, then check yes before
detaching; in lines 362-378, extract the call, log failures, set state.Status to
SyncError, and then proceed with the yes branch.

Source: Path instructions

test/e2e/k8sreporter/reporter.go (1)

149-154: 📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Do not ignore error returns.

As per Go security path instructions, you must never ignore error returns. Currently, if an error occurs while fetching the pod logs, it is silently swallowed. Please log the error so that failures during test log gathering are observable.

♻️ Proposed fix to handle the error
 			logs, err := r.clients.Pods(pod.Namespace).GetLogs(pod.Name, &corev1.PodLogOptions{Container: container.Name}).DoRaw(context.Background())
-			if err == nil {
-				fmt.Fprintf(f, "-----------------------------------\n")
-				fmt.Fprintf(f, "Dumping logs for pod %s-%s-%s\n", pod.Namespace, pod.Name, container.Name)
-				fmt.Fprintln(f, string(logs))
+			if err != nil {
+				fmt.Fprintf(os.Stderr, "failed to get logs for pod %s-%s-%s: %v\n", pod.Namespace, pod.Name, container.Name, err)
+				continue
 			}
+			fmt.Fprintf(f, "-----------------------------------\n")
+			fmt.Fprintf(f, "Dumping logs for pod %s-%s-%s\n", pod.Namespace, pod.Name, container.Name)
+			fmt.Fprintln(f, string(logs))
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/k8sreporter/reporter.go` around lines 149 - 154, Handle the non-nil
error returned by the pod log retrieval in the reporter’s log-gathering flow
instead of silently skipping it. Add an error log that includes the pod and
container context plus the returned error, while preserving the existing output
behavior when retrieval succeeds.

Source: Path instructions

🧹 Nitpick comments (4)
pkg/utils/utils.go (1)

40-40: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Remove the extra space in the error message.

There is an unintended double space between found and %q.

✏️ Proposed fix
-		return 0, 0, fmt.Errorf("invalid ports range. Expected two integers separated by hyphen but found  %q", p.Ports.String())
+		return 0, 0, fmt.Errorf("invalid ports range. Expected two integers separated by hyphen but found %q", p.Ports.String())
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/utils/utils.go` at line 40, Remove the unintended extra space between
“found” and the quoted value in the error message returned by the ports-range
validation in the relevant utility function, leaving the rest of the message
unchanged.
Makefile (1)

389-389: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Ensure golangci-lint is executable regardless of $PATH configuration.

The golangci-lint executable is installed to the Go bin directory, but the subsequent command assumes it is available in the system $PATH. If $GOPATH/bin or $HOME/go/bin is not in $PATH, the lint target will fail. Consider invoking it via its explicit path.

♻️ Proposed refactor
-	GOFLAGS="" GOLANGCI_LINT_CACHE=/tmp/golangci-lint-cache go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION) 2>/dev/null && GOLANGCI_LINT_CACHE=/tmp/golangci-lint-cache golangci-lint run --verbose --timeout=15m0s
+	GOFLAGS="" GOLANGCI_LINT_CACHE=/tmp/golangci-lint-cache go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION) 2>/dev/null && GOLANGCI_LINT_CACHE=/tmp/golangci-lint-cache $$(go env GOPATH)/bin/golangci-lint run --verbose --timeout=15m0s
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Makefile` at line 389, Update the lint target’s golangci-lint invocation
after installation to use the executable’s explicit Go bin path rather than
relying on $PATH, while preserving the existing flags, cache settings, and
timeout.
test/e2e/namespaces/namespaces.go (1)

68-68: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Prefer %w over %v for wrapping errors.

When formatting errors with fmt.Errorf, it is idiomatic in modern Go to use %w to wrap the original error. This preserves the error type and allows callers to inspect it using errors.Is and errors.As. Consider also adding a colon for better readability.

♻️ Proposed refactor
-		return fmt.Errorf("failed to delete pods %v", err)
+		return fmt.Errorf("failed to delete pods: %w", err)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/namespaces/namespaces.go` at line 68, Update the error formatting in
the pod-deletion error path to use %w instead of %v and include a colon
separator, preserving the original error for errors.Is and errors.As callers.
Modify the fmt.Errorf call returning “failed to delete pods” while keeping its
existing context and behavior.
hack/lint.sh (1)

7-14: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Fix shell quoting issues to prevent word splitting.

The script has unquoted variables and arrays that can cause issues if arguments or the current working directory contain spaces (as flagged by Shellcheck).

  • Line 8: Mixing a string with $@ expands to multiple arguments. Use $* to print the arguments as a single space-separated string.
  • Line 12: Unquoted $(pwd) will cause word splitting if the path contains spaces, breaking the container runtime arguments.
♻️ Proposed fixes
 if [ "$#" -ne 1 ]; then
-    echo "Expected command line argument - container runtime (docker/podman) got $# arguments: $@"
+    echo "Expected command line argument - container runtime (docker/podman) got $# arguments: $*"
     exit 1
 fi
 
-$1 run --security-opt label=disable --rm -v $(pwd):/app -w /app -e GO111MODULE=on golangci/golangci-lint:${VERSION} \
+$1 run --security-opt label=disable --rm -v "$(pwd):/app" -w /app -e GO111MODULE=on golangci/golangci-lint:${VERSION} \
 	golangci-lint run --verbose --show-stats \
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/lint.sh` around lines 7 - 14, Fix shell quoting in the
argument-validation and volume-mount logic of the script: use a single
space-separated expansion when reporting all received arguments in the `"$#"`
error branch, and quote the `$(pwd)` substitution in the `run` command’s volume
mapping so paths containing spaces remain one argument.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile`:
- Line 2: Update Dockerfile line 2 to pin the golang:1.26 image by digest and
add an explicit HEALTHCHECK. Update Dockerfile.daemon lines 1-1 to use the
digest-pinned base image, and its final execution stage at lines 7-10 to define
a HEALTHCHECK and run under a non-root USER.

In `@go.mod`:
- Around line 15-32: Update the k8s.io/kubernetes dependency in go.mod to a
patched release newer than v1.36.2 that resolves GO-2025-3521 and GO-2025-3547;
if the module is only required by tests, remove its direct require instead.
Regenerate dependency metadata as needed while keeping the Kubernetes dependency
set consistent.

---

Outside diff comments:
In `@controllers/ingressnodefirewall_controller.go`:
- Around line 107-113: The inline isUsingBpfmanManager checks must not discard
errors. In controllers/ingressnodefirewall_controller.go lines 107-113, extract
the call, log and return ctrl.Result{}, err when it fails, then check yes before
detaching; in lines 362-378, extract the call, log failures, set state.Status to
SyncError, and then proceed with the yes branch.

In `@test/e2e/k8sreporter/reporter.go`:
- Around line 149-154: Handle the non-nil error returned by the pod log
retrieval in the reporter’s log-gathering flow instead of silently skipping it.
Add an error log that includes the pod and container context plus the returned
error, while preserving the existing output behavior when retrieval succeeds.

---

Nitpick comments:
In `@hack/lint.sh`:
- Around line 7-14: Fix shell quoting in the argument-validation and
volume-mount logic of the script: use a single space-separated expansion when
reporting all received arguments in the `"$#"` error branch, and quote the
`$(pwd)` substitution in the `run` command’s volume mapping so paths containing
spaces remain one argument.

In `@Makefile`:
- Line 389: Update the lint target’s golangci-lint invocation after installation
to use the executable’s explicit Go bin path rather than relying on $PATH, while
preserving the existing flags, cache settings, and timeout.

In `@pkg/utils/utils.go`:
- Line 40: Remove the unintended extra space between “found” and the quoted
value in the error message returned by the ports-range validation in the
relevant utility function, leaving the rest of the message unchanged.

In `@test/e2e/namespaces/namespaces.go`:
- Line 68: Update the error formatting in the pod-deletion error path to use %w
instead of %v and include a colon separator, preserving the original error for
errors.Is and errors.As callers. Modify the fmt.Errorf call returning “failed to
delete pods” while keeping its existing context and behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

Comment thread Dockerfile
@@ -1,5 +1,5 @@
# Build the manager binary
FROM golang:1.25 as builder
FROM golang:1.26 as builder

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Address container security path instructions across Dockerfiles.

Both Dockerfile and Dockerfile.daemon are missing key security configurations required by the path instructions for container security, including digest pinning, explicit health checks, and non-root users.

  • Dockerfile#L2-L2: Pin the non-Red Hat golang:1.26 base image by digest (e.g., golang:1.26@sha256:...) and define a HEALTHCHECK.
  • Dockerfile.daemon#L1-L1: Pin the non-Red Hat golang:1.26 base image by digest.
  • Dockerfile.daemon#L7-L10: Define a HEALTHCHECK and specify a non-root USER for the final execution stage to prevent it from running as root (as also flagged by Trivy).
📍 Affects 2 files
  • Dockerfile#L2-L2 (this comment)
  • Dockerfile.daemon#L1-L1
  • Dockerfile.daemon#L7-L10
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 2, Update Dockerfile line 2 to pin the golang:1.26 image
by digest and add an explicit HEALTHCHECK. Update Dockerfile.daemon lines 1-1 to
use the digest-pinned base image, and its final execution stage at lines 7-10 to
define a HEALTHCHECK and run under a non-root USER.

Sources: Path instructions, Linters/SAST tools

Comment thread go.mod
Comment on lines +15 to +32
github.com/openshift/api v0.0.0-20260715165912-72066cc9718b
github.com/openshift/controller-runtime-common v0.0.0-20260428152732-64ee174f5e2e
github.com/openshift/library-go v0.0.0-20260615113748-bc9d4056464b
github.com/openshift/library-go v0.0.0-20260716164659-7926d144f96a
github.com/pkg/errors v0.9.1
github.com/prometheus/client_golang v1.23.2
github.com/prometheus/common v0.66.1
github.com/vishvananda/netlink v1.3.1-0.20250206174618-62fb240731fa
golang.org/x/sys v0.42.0
github.com/prometheus/common v0.67.5
github.com/vishvananda/netlink v1.3.1
golang.org/x/sys v0.45.0
gopkg.in/mcuadros/go-syslog.v2 v2.3.0
k8s.io/api v0.35.2
k8s.io/apiextensions-apiserver v0.35.1
k8s.io/apimachinery v0.35.2
k8s.io/client-go v0.35.2
k8s.io/component-base v0.35.1
k8s.io/klog v1.0.0
k8s.io/kubernetes v1.32.3
k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2
sigs.k8s.io/controller-runtime v0.23.3
k8s.io/api v0.36.2
k8s.io/apiextensions-apiserver v0.36.2
k8s.io/apimachinery v0.36.2
k8s.io/client-go v0.36.2
k8s.io/component-base v0.36.2
k8s.io/klog/v2 v2.140.0
k8s.io/kubernetes v1.36.2
k8s.io/utils v0.0.0-20260707023825-cf1189d6abe3
sigs.k8s.io/controller-runtime v0.24.1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check for known CVEs in the updated Go dependencies using the OSV API.

deps=(
  "github.com/openshift/api@v0.0.0-20260715165912-72066cc9718b"
  "github.com/openshift/controller-runtime-common@v0.0.0-20260428152732-64ee174f5e2e"
  "github.com/openshift/library-go@v0.0.0-20260716164659-7926d144f96a"
  "github.com/pkg/errors@v0.9.1"
  "github.com/prometheus/client_golang@v1.23.2"
  "github.com/prometheus/common@v0.67.5"
  "github.com/vishvananda/netlink@v1.3.1"
  "golang.org/x/sys@v0.45.0"
  "gopkg.in/mcuadros/go-syslog.v2@v2.3.0"
  "k8s.io/api@v0.36.2"
  "k8s.io/apiextensions-apiserver@v0.36.2"
  "k8s.io/apimachinery@v0.36.2"
  "k8s.io/client-go@v0.36.2"
  "k8s.io/component-base@v0.36.2"
  "k8s.io/klog/v2@v2.140.0"
  "k8s.io/kubernetes@v1.36.2"
  "k8s.io/utils@v0.0.0-20260707023825-cf1189d6abe3"
  "sigs.k8s.io/controller-runtime@v0.24.1"
)

echo "Checking updated dependencies against OSV.dev..."
for dep in "${deps[@]}"; do
  pkg="${dep%@*}"
  ver="${dep#*@}"
  
  # Clean up pseudo-version formats for OSV queries if needed, 
  # but OSV handles standard module queries.
  curl -s -X POST -H "Content-Type: application/json" \
    -d "{\"version\": \"$ver\", \"package\": {\"name\": \"$pkg\", \"ecosystem\": \"Go\"}}" \
    "https://api.osv.dev/v1/query" | jq -c "{package: \"$pkg\", version: \"$ver\", vulns: .vulns}"
done

Repository: openshift/ingress-node-firewall

Length of output: 3848


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the relevant go.mod section with line numbers.
sed -n '1,80p' go.mod | cat -n

# Show whether k8s.io/kubernetes is referenced elsewhere in the repo.
rg -n --hidden --glob '!**/vendor/**' 'k8s\.io/kubernetes' .

Repository: openshift/ingress-node-firewall

Length of output: 4562


Bump k8s.io/kubernetes off v1.36.2
go.mod:30 still pulls in GO-2025-3521 / GO-2025-3547 (CVE-2025-1767, CVE-2024-7598). Move to a patched release, or drop the direct require if it is only needed for tests.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 15 - 32, Update the k8s.io/kubernetes dependency in
go.mod to a patched release newer than v1.36.2 that resolves GO-2025-3521 and
GO-2025-3547; if the module is only required by tests, remove its direct require
instead. Regenerate dependency metadata as needed while keeping the Kubernetes
dependency set consistent.

Source: Path instructions

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant