@YakirOren YakirOren commented Feb 11, 2026

Summary by CodeRabbit

  • New Features

    • Runtime alerts now include Workload UID and Container ID; container resolution defaults to the first container when no name is provided.
  • Tests

    • Test coverage extended to assert Workload UID and Container ID are populated, including cases with empty container name.
  • Dependencies

    • Go toolchain bumped to 1.25.0 and a broad set of Kubernetes, AWS SDK, and container runtime dependencies updated.

@YakirOren YakirOren requested review from Copilot and matthyx February 11, 2026 11:21

coderabbitai bot commented Feb 11, 2026

Walkthrough

GetControllerDetails now returns the Pod and workload UID in addition to prior workload metadata; helper signatures for resolving owners were expanded to include UIDs; GetContainerID was added to obtain a container's ID from a Pod. Rules and tests were updated to propagate WorkloadUID and ContainerID. go.mod dependency upgrades included.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Helpers: admission/rules/v1/helpers.go | Signature changes: GetControllerDetails(...) now returns (*corev1.Pod, kind, name, namespace, uid, nodeName, error). ExtractPodOwner, resolveReplicaSet, resolveJob now return UIDs. Added GetContainerID(pod *corev1.Pod, containerName string) string. |
| Exec-to-pod rule: admission/rules/v1/r2000_exec_to_pod.go | Updated call sites for expanded GetControllerDetails return values; compute containerID from returned Pod; add WorkloadUID and ContainerID to apitypes.RuntimeAlertK8sDetails and propagate into rule failure payloads. |
| Port-forward rule: admission/rules/v1/r2001_portforward.go | Adjusted call to GetControllerDetails to accept new return shape; threaded WorkloadUID into runtime alert details. |
| Tests: admission/rules/v1/r2000_exec_to_pod_test.go, admission/rules/v1/r2001_portforward_test.go | Extended assertions to check WorkloadUID and ContainerID. Added new test TestR2000_EmptyContainerName validating default container selection and container ID resolution. |
| Test mock: objectcache/objectcache_mock.go | Mock initialization now creates a ReplicaSet with UID and sets Pod OwnerReference to include that UID; Pod status includes ContainerStatuses with ContainerID and ImageID. |
| Dependencies: go.mod | Bumped Go toolchain to 1.25.0 and updated many module versions (Kubernetes client libs, AWS SDK v2, Docker client, and numerous transitive dependencies). |

Sequence Diagram

sequenceDiagram
    participant Rule as exec-to-pod Rule
    participant Helper as GetControllerDetails / helpers
    participant K8sAPI as Kubernetes API
    participant Alert as Alert Generator

    Rule->>Helper: call GetControllerDetails(event, clientset)
    Helper->>K8sAPI: Get Pod by event info
    K8sAPI-->>Helper: Pod object
    Helper->>Helper: Extract ownerRef → workload kind/name/namespace
    Helper->>K8sAPI: Query workload resource (resolveReplicaSet/resolveJob/...)
    K8sAPI-->>Helper: Workload resource (includes UID)
    Helper-->>Rule: Pod, workloadKind, workloadName, workloadNamespace, workloadUID, nodeName
    Rule->>Rule: GetContainerID(pod, containerName) → containerID
    Rule->>Alert: Create alert with ContainerID, WorkloadUID, other details
    Alert-->>Rule: Enriched RuntimeAlertK8sDetails

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰
I hopped through pods at break of day,
Found UIDs and IDs along the way,
Helpers now fetch pod and owner true,
Alerts grow wiser with each debut,
A tiny rabbit cheers — hops off to play 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 63.64% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the main changes: fixing missing workloadUID in exec-to-pod rules and updating package dependencies. |


Signed-off-by: Yakir Oren <yakiroren@gmail.com>
…extraction

Signed-off-by: Yakir Oren <yakiroren@gmail.com>

Copilot AI left a comment


Pull request overview

This PR updates the exec-to-pod admission rule to enrich emitted alerts with workload UID and container ID, and performs a broad dependency/toolchain update to align with newer Kubernetes/Go ecosystems.

Changes:

  • Add pod-returning controller lookup and new helpers to derive container ID and workload UID.
  • Populate WorkloadUID and ContainerID in the R2000 “Exec to pod” alert, and update tests/mocks accordingly.
  • Bump Go version and refresh a large set of Go module dependencies (including Kubernetes libraries).

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 8 comments.

| File | Description |
| --- | --- |
| admission/rules/v1/r2000_exec_to_pod.go | Uses new helper to fetch pod + sets WorkloadUID/ContainerID in alert details. |
| admission/rules/v1/helpers.go | Adds GetControllerDetailsWithPod, GetContainerID, and GetWorkloadUID helpers. |
| admission/rules/v1/r2000_exec_to_pod_test.go | Extends assertions to cover WorkloadUID and ContainerID. |
| objectcache/objectcache_mock.go | Enhances fake objects with ReplicaSet UID + pod container status data for tests. |
| go.mod | Updates Go version, dependencies, and changes the inspektor-gadget replace to a different fork. |
| go.sum | Regenerated dependency checksums to match go.mod updates. |


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@admission/rules/v1/r2000_exec_to_pod.go`:
- Around line 88-91: workloadUID is only being set when containerID is
non-empty, but workload UID resolution is independent; remove the containerID
gating and always call GetWorkloadUID so workloadUID is populated even if
containerID/status is empty. Locate the workloadUID variable and the conditional
that checks containerID, then change the flow to call GetWorkloadUID(client,
workloadKind, workloadName, workloadNamespace) unconditionally (retain any error
handling/logging around GetWorkloadUID as needed) so correlation works when
containerID is absent.

In `@go.mod`:
- Around line 41-44: The dependency bump to k8s.io/api, k8s.io/apimachinery,
k8s.io/apiserver, and k8s.io/client-go v0.35.0 requires you to: ensure the
project Go toolchain is >=1.25 (verify go.mod "go" version and CI images), scan
code and dependencies for uses of the removed ProtoMessage() marker and either
update those callsites or add the temporary build tag
kubernetes_protomessage_one_more_release where necessary, review any logic that
compares or assumes opaque resourceVersion (watch/informer/relist-resume code)
and update to the new ordering semantics, and confirm target clusters (EKS/GKE)
meet Kubernetes 1.35 before merging.
🧹 Nitpick comments (3)
admission/rules/v1/helpers.go (2)

15-52: GetControllerDetails should delegate to GetControllerDetailsWithPod to avoid duplication.

The two functions share identical logic. Refactoring GetControllerDetails to wrap the new variant eliminates the duplicated code.

♻️ Proposed refactor
 func GetControllerDetails(event admission.Attributes, clientset kubernetes.Interface) (string, string, string, string, error) {
-	podName, namespace := event.GetName(), event.GetNamespace()
-
-	if podName == "" || namespace == "" {
-		return "", "", "", "", fmt.Errorf("invalid pod details from admission event")
-	}
-
-	pod, err := GetPodDetails(clientset, podName, namespace)
-	if err != nil {
-		return "", "", "", "", fmt.Errorf("failed to get pod details: %w", err)
-	}
-
-	workloadKind, workloadName, workloadNamespace := ExtractPodOwner(pod, clientset)
-	nodeName := pod.Spec.NodeName
-
-	return workloadKind, workloadName, workloadNamespace, nodeName, nil
+	_, workloadKind, workloadName, workloadNamespace, nodeName, err := GetControllerDetailsWithPod(event, clientset)
+	return workloadKind, workloadName, workloadNamespace, nodeName, err
 }
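
Review bot: The added `return workloadKind, workloadName, workloadNamespace, nodeName, err` forwards whatever GetControllerDetailsWithPod produced even when err is non-nil, whereas every removed error path returned four empty strings and wrapped the lookup failure as "failed to get pod details: %w". Confirm that GetControllerDetailsWithPod keeps the empty podName/namespace check, the same wrapped messages and empty values on error, or zero the strings in the wrapper when err != nil, so callers that build alerts from these values never see partial workload data. A doc comment on the wrapper noting that it discards the returned Pod would also help with the docstring coverage warning reported for this PR.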

156-195: Errors from API calls are silently discarded — consider logging them.

When the clientset call fails (e.g., network issue, RBAC), the function returns "" with no indication of failure. A debug/warning log would help troubleshoot cases where the UID is unexpectedly empty.

go.mod (1)

358-358: Fork replacement for inspektor-gadget — track upstream merge.

This points to a personal fork (matthyx/inspektor-gadget). Ensure there's a tracking issue to switch back to the upstream module once the required changes are merged.
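
The container-ID defaulting described in the walkthrough, together with the review point above that the workload UID should not be gated on the container ID, shown as an added Go example (not code from this PR or the project). The struct types are reduced stand-ins for corev1.Pod fields; `containerID`, `enrich`, `AlertDetails` and `samplePod` are hypothetical names, taking the first container from the spec is an assumption, and the direct owner's UID stands in for the resolved workload UID.

```go
package main

import "fmt"

// Stand-ins for the corev1.Pod fields involved (assumption: real code uses k8s.io/api/core/v1).
type OwnerReference struct{ Kind, Name, UID string }
type ContainerStatus struct{ Name, ContainerID string }
type Pod struct {
	OwnerReferences   []OwnerReference
	Containers        []string          // names, in pod.Spec.Containers order
	ContainerStatuses []ContainerStatus // pod.Status.ContainerStatuses
}

type AlertDetails struct{ WorkloadUID, ContainerID string } // hypothetical reduced alert details

// containerID: empty name selects the first spec container; "" when no matching status exists yet.
func containerID(pod *Pod, name string) string {
	if pod == nil || (name == "" && len(pod.Containers) == 0) {
		return ""
	}
	if name == "" {
		name = pod.Containers[0]
	}
	for _, cs := range pod.ContainerStatuses {
		if cs.Name == name {
			return cs.ContainerID
		}
	}
	return ""
}

// enrich fills both fields independently: a pod without statuses still yields a workload UID.
func enrich(pod *Pod, name string) AlertDetails {
	d := AlertDetails{ContainerID: containerID(pod, name)}
	if pod != nil && len(pod.OwnerReferences) > 0 {
		d.WorkloadUID = pod.OwnerReferences[0].UID // simplification: direct owner only
	}
	return d
}

// samplePod is constructed data; statuses are deliberately out of spec order.
func samplePod() *Pod {
	return &Pod{
		[]OwnerReference{{"ReplicaSet", "web-5d9c", "constructed-rs-uid"}},
		[]string{"app", "sidecar"},
		[]ContainerStatus{{"sidecar", "containerd://constructed-0002"}, {"app", "containerd://constructed-0001"}},
	}
}
func main() { fmt.Printf("%+v\n", enrich(samplePod(), "")) }
```

An exec request against a pod whose containers have not started yet returns an empty ContainerID here, which downstream correlation should treat as "unknown" rather than as a match.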

@github-actions

Summary:

  • License scan: success
  • Credentials scan: failure
  • Vulnerabilities scan: failure
  • Unit test: success
  • Go linting: failure

…llback

Signed-off-by: Yakir Oren <yakiroren@gmail.com>
Signed-off-by: Yakir Oren <yakiroren@gmail.com>
@YakirOren YakirOren force-pushed the fix/exec-to-pod-no-containerID branch from e3ecd30 to 8ef9660 Compare February 11, 2026 12:00
@github-actions

Summary:

  • License scan: success
  • Credentials scan: failure
  • Vulnerabilities scan: failure
  • Unit test: success
  • Go linting: failure

@matthyx matthyx added the release Create release label Feb 11, 2026
@matthyx matthyx merged commit 38c1158 into main Feb 11, 2026
9 of 10 checks passed
@matthyx matthyx deleted the fix/exec-to-pod-no-containerID branch February 11, 2026 12:33