
STOR-2996: Add gcp pd csi driver operator to legacy subdir#562

Open
mpatlasov wants to merge 3 commits into
openshift:mainfrom
mpatlasov:STOR-2996-Add-GCP-PD-CSI-driver-operator-to-legacy-subdir

Conversation

@mpatlasov

Contributor

The PR:

  • moves gcp-pd-csi-driver-operator to csi-operator legacy dir with command
$ git subtree add --prefix=legacy/gcp-pd-csi-driver-operator --squash https://github.com/openshift/gcp-pd-csi-driver-operator main
  • adds the Dockerfile for building the operator image from the new location

mpatlasov added 3 commits June 5, 2026 16:37
…ef3621

git-subtree-dir: legacy/gcp-pd-csi-driver-operator
git-subtree-split: 684ef36213cdb8b8acbb014a63819c7bb410c746
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 6, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 6, 2026


@mpatlasov: This pull request references STOR-2996 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

The PR:

  • moves gcp-pd-csi-driver-operator to csi-operator legacy dir with command
$ git subtree add --prefix=legacy/gcp-pd-csi-driver-operator --squash https://github.com/openshift/gcp-pd-csi-driver-operator main
  • adds the Dockerfile for building the operator image from the new location

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 6, 2026

📝 Walkthrough


This PR introduces the GCP PD CSI driver operator for OpenShift, adding multi-stage Docker builds, a complete Makefile-based build system, Kubernetes manifests for CSI controller and node deployments with RBAC and metrics infrastructure, and a Go-based operator implementation that wires up CSI controllers, manages deployment hooks for GCP platform labels/tags, and injects storage class encryption parameters.


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (2 errors, 2 warnings, 1 inconclusive)

Check name Status Explanation Resolution
Container-Privileges ❌ Error Privileged settings found without justification: hostNetwork: true in controller.yaml and node.yaml; privileged: true in node.yaml; openshift.io/required-scc: privileged annotations undocumented. Document privilege justification; remove unnecessary privileges; add hardening directives (allowPrivilegeEscalation: false, runAsNonRoot) to non-privileged containers.
No-Sensitive-Data-In-Logs ❌ Error PR contains sensitive data exposure in logs: KMS key resource paths (ProjectID/keyRings/cryptoKeys) logged at storageclasshook.go:44, and infrastructure labels/tags logged at starter.go:299,338. Remove or redact sensitive data from log statements: avoid logging KMS key paths, infrastructure labels with values, and resource tag values. Log only non-sensitive metadata or resource names without sensitive identifiers.
Docstring Coverage ⚠️ Warning Docstring coverage is 29.41% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Topology-Aware Scheduling Compatibility ⚠️ Warning Controller nodeSelector targets master nodes (breaks HyperShift). Node DaemonSet uses tolerations operator: Exists (risk on TNA arbiter scheduling). Avoid node-role.kubernetes.io/master nodeSelector on HyperShift; exclude arbiter nodes in DaemonSet tolerations using specific taint matching rather than operator: Exists.
Test Structure And Quality ❓ Inconclusive Custom check requires Ginkgo test review, but PR contains only standard Go tests (not Ginkgo). Ginkgo framework is not used anywhere in the added code. Clarify: Is the check intended for Ginkgo tests only, or should it apply to all test code? PR's Go tests pass standard testing quality checks.
✅ Passed checks (10 passed)
Check name Status Explanation
Title check ✅ Passed The PR title clearly describes the main change: adding the GCP PD CSI driver operator to the legacy subdirectory, which is the primary objective of this pull request.
Description check ✅ Passed The PR description accurately explains the changes: it documents the git subtree command used to move the operator and mentions the addition of a Dockerfile for building the operator image from the new location.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed All test files use standard Go testing. Test names are static, descriptive, and deterministic with no dynamic values like UUIDs, timestamps, node names, or pod names.
Microshift Test Compatibility ✅ Passed No Ginkgo e2e tests added. PR includes standard Go unit tests and CSI test configuration files only, not Ginkgo-based e2e tests. Check is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No Ginkgo e2e tests are added in this PR. Only unit tests and YAML test configuration manifests for CSI driver e2e testing are included.
Ote Binary Stdout Contract ✅ Passed This PR adds a CSI driver operator to legacy/, not an OTE test binary. OTE stdout contract checks don't apply to standard Kubernetes operator controllers.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No Ginkgo e2e tests with IPv4 assumptions or external connectivity requirements found. PR adds only standard Go unit tests and YAML e2e manifests with no such constraints.
No-Weak-Crypto ✅ Passed PR contains no weak cryptography (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons in new source code.
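The No-Sensitive-Data-In-Logs finding above flags KMS key resource paths (storageclasshook.go:44) and infrastructure label/tag values (starter.go:299,338) reaching the operator's logs. The Go below is an added example, not code from this PR or from the gcp-pd-csi-driver-operator project, showing one way to log only the non-sensitive parts: the KMS resource name keeps its final cryptoKeys segment and drops the project, location and key-ring segments (a malformed name is never echoed back), and label maps are logged as sorted keys without values. The function names (redactKMSKey, labelKeys, storageClassLogLine, labelsLogLine), the message formats and all sample values are assumptions constructed for this example; the disk-encryption-kms-key parameter name is the GCP PD CSI driver's StorageClass parameter and does not appear on this page.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// GCP KMS key resource names look like
//   projects/<project>/locations/<loc>/keyRings/<ring>/cryptoKeys/<key>[/cryptoKeyVersions/<n>]
// The project ID and key-ring name identify customer infrastructure, so only
// the cryptoKeys name survives: the log still says *which* key was injected.
func redactKMSKey(name string) string {
	const marker = "/cryptoKeys/"
	i := strings.LastIndex(name, marker)
	if i < 0 {
		// Not a well-formed KMS resource name: never echo the raw value back.
		return "<redacted-kms-key>"
	}
	key := name[i+len(marker):]
	if j := strings.Index(key, "/"); j >= 0 { // drop any cryptoKeyVersions/... suffix
		key = key[:j]
	}
	return "projects/<redacted>/locations/<redacted>/keyRings/<redacted>/cryptoKeys/" + key
}

// labelKeys returns the sorted keys of an infrastructure label/tag map, so a
// log line can say *what* is being applied without exposing the values.
func labelKeys(labels map[string]string) []string {
	keys := make([]string, 0, len(labels))
	for k := range labels {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// storageClassLogLine is the message a StorageClass hook might emit when it
// injects the encryption parameter (assumed format, not the operator's own).
func storageClassLogLine(kmsKey string) string {
	return fmt.Sprintf("injecting disk-encryption-kms-key parameter %s", redactKMSKey(kmsKey))
}

// labelsLogLine is the message a deployment hook might emit when it applies
// platform labels/tags: count and keys only, never the values.
func labelsLogLine(labels map[string]string) string {
	return fmt.Sprintf("applying %d infrastructure labels: %s",
		len(labels), strings.Join(labelKeys(labels), ","))
}

func main() {
	// Constructed sample values, not taken from any real cluster.
	kms := "projects/acme-prod-123/locations/us-central1/keyRings/pd-ring/cryptoKeys/pd-key"
	labels := map[string]string{"cost-center": "r-and-d-4711", "owner": "storage-team"}
	fmt.Println(storageClassLogLine(kms))
	fmt.Println(labelsLogLine(labels))
}
```

Running it prints the two redacted lines; the point of keeping the cryptoKeys name is that an operator debugging a StorageClass still sees which key was wired in, while the project ID that would let a log reader map the cluster to a GCP tenant is gone.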

@openshift-ci openshift-ci Bot requested review from jsafrane and mandre June 6, 2026 00:03
@openshift-ci

openshift-ci Bot commented Jun 6, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mpatlasov

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 6, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 11

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
Dockerfile.gcp-pd (1)

1-11: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add USER directive for non-root execution.

The Dockerfile is missing a USER directive, causing the container to run as root. As per coding guidelines, containers should never run as root. Add a non-root user before the ENTRYPOINT.

🔒 Proposed fix
 FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
 COPY --from=builder /go/src/github.com/openshift/gcp-pd-csi-driver-operator/gcp-pd-csi-driver-operator /usr/bin/
+RUN useradd -r -u 1001 -g 0 operator && \
+    chmod +x /usr/bin/gcp-pd-csi-driver-operator
+USER 1001
 ENTRYPOINT ["/usr/bin/gcp-pd-csi-driver-operator"]
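Review bot: `-g 0` puts the new user in the root group, which is what OpenShift's restricted SCC relies on when it assigns an arbitrary UID, so the binary must be group-executable; the `chmod +x` after the COPY is redundant because COPY preserves the mode from the builder stage, but a `chmod g+rx` would be the meaningful permission to state. Also verify that `registry.ci.openshift.org/ocp/4.22:base-rhel9` ships `useradd`; if it does not, `USER 1001` alone (no passwd entry) is still enough for the kubelet to satisfy `runAsNonRoot`.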
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.gcp-pd` around lines 1 - 11, The Dockerfile runs the operator
binary as root (no USER directive); update the Dockerfile to create a non-root
user/group in the final image, chown the installed binary
(/usr/bin/gcp-pd-csi-driver-operator) to that user, and add a USER line before
ENTRYPOINT so the process runs unprivileged; keep the build stage (builder) and
COPY --from=builder step intact and ensure permissions are set for the chosen
non-root UID/GID referenced by USER.

Source: Coding guidelines

legacy/gcp-pd-csi-driver-operator/Dockerfile.openshift (1)

1-11: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add USER directive for non-root execution.

The Dockerfile is missing a USER directive, causing the container to run as root. As per coding guidelines, containers should never run as root.

🔒 Proposed fix
 FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
 COPY --from=builder /go/src/github.com/openshift/gcp-pd-csi-driver-operator/gcp-pd-csi-driver-operator /usr/bin/
+RUN useradd -r -u 1001 -g 0 operator && \
+    chmod +x /usr/bin/gcp-pd-csi-driver-operator
+USER 1001
 ENTRYPOINT ["/usr/bin/gcp-pd-csi-driver-operator"]
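Review bot: this hunk is identical to the one proposed for `Dockerfile.gcp-pd`; since the PR description says `Dockerfile.gcp-pd` was added to build the operator from the new location, the two final stages should be changed in lockstep (same UID, same group-0 permissions) so the image built by either file behaves the same under the manifest's `securityContext`.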
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@legacy/gcp-pd-csi-driver-operator/Dockerfile.openshift` around lines 1 - 11,
The Dockerfile currently leaves the container running as root; modify the final
stage (the image based on registry.ci.openshift.org/ocp/4.22:base-rhel9) to
create or use a non-root user and switch to it before the ENTRYPOINT: ensure the
operator binary copied by COPY --from=builder is owned by that user (or adjust
file permissions) and add a USER directive (e.g., a numeric uid like 1001 or a
created user) after copying files and before ENTRYPOINT so the
gcp-pd-csi-driver-operator runs unprivileged; keep LABEL and ENTRYPOINT
unchanged.

Source: Coding guidelines

🧹 Nitpick comments (2)
legacy/gcp-pd-csi-driver-operator/assets/rbac/lease_leader_election_role.yaml (1)

8-10: ⚡ Quick win

Drop delete from Lease permissions for leader election.

Line 10 grants delete on leases; this is broader than needed for normal leader-election flow and weakens least-privilege posture.

As per coding guidelines, "RBAC: least privilege; no cluster-admin for workloads."

Suggested RBAC tightening
 - apiGroups: ["coordination.k8s.io"]
   resources: ["leases"]
-  verbs: ["get", "watch", "list", "delete", "update", "create"]
+  verbs: ["get", "watch", "list", "update", "create"]
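Review bot: dropping `delete` is correct for client-go's Lease lock, which only needs `get`, `create` and `update` on the lease; if nothing else in the operator lists or watches leases, `watch` and `list` can be removed from this rule as well, leaving exactly the verbs leader election exercises.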
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@legacy/gcp-pd-csi-driver-operator/assets/rbac/lease_leader_election_role.yaml`
around lines 8 - 10, Remove the unnecessary "delete" permission from the Lease
RBAC verbs so the role only grants least-privilege access for leader election;
update the verbs array for the "leases" resource to ["get", "watch", "list",
"update", "create"] (remove "delete") in the Lease role definition (the resource
"leases" and its verbs list in lease_leader_election_role.yaml).

Source: Coding guidelines

legacy/gcp-pd-csi-driver-operator/hack/e2e.sh (1)

5-15: ⚡ Quick win

Harden argument handling to avoid word-splitting/globbing bugs.

Line 5, Line 10, and Line 15 use unquoted expansions, and Line 11/Line 15 build optional args as a string. Prefer a Bash array for arguments so paths with spaces or glob chars don’t break execution.

Proposed patch
 #!/bin/bash
 
 set -e
 
-REPO_ROOT="$(dirname $0)/.."
+REPO_ROOT="$(dirname "$0")/.."
 
 # Prepare openshift-tests arguments for log output
-ADDITIONAL_TEST_ARGS=""
+ADDITIONAL_TEST_ARGS=()
 if [ -n "${ARTIFACT_DIR}" ]; then
-    mkdir -p ${ARTIFACT_DIR}
-    ADDITIONAL_TEST_ARGS="-o ${ARTIFACT_DIR}/e2e.log --junit-dir ${ARTIFACT_DIR}/junit"
+    mkdir -p "${ARTIFACT_DIR}"
+    ADDITIONAL_TEST_ARGS=(-o "${ARTIFACT_DIR}/e2e.log" --junit-dir "${ARTIFACT_DIR}/junit")
 fi
 
 # Run openshift-tests
-TEST_CSI_DRIVER_FILES=${REPO_ROOT}/test/e2e/manifest.yaml openshift-tests run openshift/csi $ADDITIONAL_TEST_ARGS
+TEST_CSI_DRIVER_FILES="${REPO_ROOT}/test/e2e/manifest.yaml" \
+  openshift-tests run openshift/csi "${ADDITIONAL_TEST_ARGS[@]}"
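Review bot: the empty-array expansion `"${ADDITIONAL_TEST_ARGS[@]}"` is fine under `set -e`, but if `set -u` is ever added to this script it fails on bash older than 4.4 when `ARTIFACT_DIR` is unset; writing the last line with `${ADDITIONAL_TEST_ARGS[@]+"${ADDITIONAL_TEST_ARGS[@]}"}` makes the array-based fix robust to that change.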
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@legacy/gcp-pd-csi-driver-operator/hack/e2e.sh` around lines 5 - 15,
REPO_ROOT, ARTIFACT_DIR and ADDITIONAL_TEST_ARGS are expanded unquoted and
optional args are built as a single string which causes word-splitting/globbing
bugs; change REPO_ROOT assignment to quote the dirname expansion
(REPO_ROOT="$(dirname "$0")/.."), quote ARTIFACT_DIR in mkdir (mkdir -p
"${ARTIFACT_DIR}"), build test args as a Bash array (e.g.
ADDITIONAL_TEST_ARGS=() and append entries like ADDITIONAL_TEST_ARGS+=("-o"
"${ARTIFACT_DIR}/e2e.log" "--junit-dir" "${ARTIFACT_DIR}/junit") when
ARTIFACT_DIR is set) and invoke openshift-tests with the array expansion and
quoted env var (TEST_CSI_DRIVER_FILES="${REPO_ROOT}/test/e2e/manifest.yaml"
openshift-tests run openshift/csi "${ADDITIONAL_TEST_ARGS[@]}").

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@legacy/gcp-pd-csi-driver-operator/assets/controller.yaml`:
- Line 26: The manifest currently enables hostNetwork: true in the controller
pod spec; remove the hostNetwork: true entry from the Pod/Deployment spec in
controller.yaml (the controller pod spec) so the controller runs with normal pod
network isolation, and if host networking is strictly required, revert only
after adding an explicit rationale and compensating controls (network policy,
nodeSelector/taints, documented ports/hostPort usage) in the same manifest or
accompanying docs so reviewers can verify the justification.
- Around line 47-314: Several containers (csi-driver, csi-provisioner,
provisioner-kube-rbac-proxy, csi-attacher, attacher-kube-rbac-proxy,
csi-resizer, resizer-kube-rbac-proxy, csi-snapshotter,
snapshotter-kube-rbac-proxy, csi-liveness-probe) lack hardened securityContext
fields and missing resource limits; update each container spec to include
securityContext: allowPrivilegeEscalation: false, runAsNonRoot: true (and
runAsUser set to a non-root uid), capabilities: drop: ["ALL"], and explicitly
set resources.limits for cpu and memory (at least equal to or slightly above the
existing requests) to enforce upper bounds; apply these changes either
per-container (recommended) or via a pod-level securityContext where
appropriate, ensuring names above are updated consistently.

In `@legacy/gcp-pd-csi-driver-operator/assets/node.yaml`:
- Around line 27-193: The DaemonSet exposes excessive node privileges via
hostNetwork: true, privileged: true on containers (csi-driver,
csi-node-driver-registrar) and wide hostPath mounts (/dev, /sys,
/var/lib/kubelet, /run/udev); reduce the attack surface by removing hostNetwork
unless required, drop privileged:true and use specific capabilities or device
plugins for csi-driver and csi-node-driver-registrar, change broad hostPath
mounts to more restrictive options (use DirectoryOrCreate only where needed,
mount specific device nodes instead of /dev, avoid mounting /sys unless
absolutely required), and add manifest annotations documenting why any remaining
hostNetwork/privileged mounts are necessary to satisfy the YAML guideline that
these must be flagged and justified.
- Around line 35-154: The node Pod containers (csi-driver,
csi-node-driver-registrar, csi-liveness-probe) must get explicit resource limits
and stricter securityContext defaults: add resources.limits (cpu and memory)
matching/above requests for each container; remove privileged:true except where
absolutely required (confirm which of csi-driver or registrar truly needs
privileged and set privileged:false otherwise); add runAsNonRoot: true,
runAsUser/runAsGroup (non-root UID/GID), allowPrivilegeEscalation: false, and
capabilities.drop: ["ALL"] to each container's securityContext; ensure
readOnlyRootFilesystem remains true and add seccompProfile/type: RuntimeDefault
if applicable. Update the containers named csi-driver,
csi-node-driver-registrar, and csi-liveness-probe accordingly.

In
`@legacy/gcp-pd-csi-driver-operator/assets/rbac/controller_privileged_binding.yaml`:
- Around line 6-12: Remove the privileged SCC binding by deleting the
ClusterRoleBinding that ties the ServiceAccount gcp-pd-csi-driver-controller-sa
to the ClusterRole gcp-pd-privileged-role; update the manifest so the controller
service account no longer references gcp-pd-privileged-role and ensure any
required privileges are provided via a narrower ClusterRole (or Role) scoped to
only the needed verbs/resources rather than granting `use` on the `privileged`
SCC.

In `@legacy/gcp-pd-csi-driver-operator/assets/rbac/kube_rbac_proxy_role.yaml`:
- Around line 7-12: The Role currently only allows "create" on resources
"tokenreviews" in apiGroup "authentication.k8s.io"; add a separate policy rule
granting "create" on resource "subjectaccessreviews" in apiGroup
"authorization.k8s.io" so kube-rbac-proxy can perform delegated authorization
checks. Locate the Role stanza that contains apiGroups: "authentication.k8s.io",
resources: "tokenreviews", verbs: "create" and append another rule with
apiGroups: "authorization.k8s.io", resources: "subjectaccessreviews", verbs:
"create".

In `@legacy/gcp-pd-csi-driver-operator/go.mod`:
- Line 89: Update the vulnerable OpenTelemetry SDK to >= v1.43.0 by bumping the
go.opentelemetry.io/otel/sdk requirement (currently v1.42.0) in go.mod to at
least v1.43.0 (prefer v1.44.0 as suggested), and align any related OTel modules
that pull it in (e.g. go.opentelemetry.io/contrib/.../otelgrpc, .../otelhttp,
go.opentelemetry.io/otel/exporters/otlp/otlptrace) to compatible versions so the
SDK transitive dependency resolves to >= v1.43.0; then run go get/module tidy
and refresh the vendor directory (vendor/) so the updated dependency is
vendored.

In `@legacy/gcp-pd-csi-driver-operator/Makefile`:
- Line 28: The Makefile's image build invocation references a non-existent
Dockerfile ("./Dockerfile.rhel7") in the rule that calls $(call
build-image,gcp-pd-csi-driver-operator,$(IMAGE_REGISTRY)/ocp/4.7:gcp-pd-csi-driver-operator,./Dockerfile.rhel7,.);
change that third argument to one of the existing Dockerfiles (e.g.,
./Dockerfile.openshift or ./Dockerfile.test) so the build-image call points to a
real Dockerfile, and verify IMAGE_REGISTRY usage remains correct.

In `@legacy/gcp-pd-csi-driver-operator/pkg/operator/starter_test.go`:
- Line 123: The test currently ignores the error returned by
Config().V1().Infrastructures().Informer().GetIndexer().Add(infraObj); update
the test setup to capture that return value (e.g., err := ...Add(infraObj)) and
fail the test on error (use t.Fatalf or require.NoError(t, err)) so seeding
failures cause the test to stop; apply the same change to the other identical
Add(...) call in the test file.

In `@legacy/gcp-pd-csi-driver-operator/pkg/operator/starter.go`:
- Around line 184-187: The anonymous CRD existence check currently calls
apiExtClient.ApiextensionsV1().CustomResourceDefinitions().Get with
context.TODO(); change it to use the operator's ctx (from RunOperator) so the
call respects cancellation, e.g., create a bounded context using ctxWithTimeout,
cancel := context.WithTimeout(ctx, 10*time.Second); defer cancel(), and pass
ctxWithTimeout to Get; update the anonymous func() and any surrounding code to
accept/close over the existing ctx and remove context.TODO() usage.
- Around line 99-106: The select waiting on
featureGateAccessor.InitialFeatureGatesObserved() should honor shutdown by
adding a ctx.Done() case and should not ignore CurrentFeatureGates() errors:
update the select to include case <-ctx.Done() that returns ctx.Err(), call
featureGateAccessor.CurrentFeatureGates() and check/return its error instead of
discarding it, and replace context.TODO() used for the CRD existence check with
the passed ctx so the API Get call respects cancellation/timeouts (ensure you
propagate any Get errors appropriately).


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0c82453e-8135-443f-9dbd-da7fcef2005f

📥 Commits

Reviewing files that changed from the base of the PR and between 5021458 and 757fd18.

⛔ Files ignored due to path filters (245)
  • legacy/gcp-pd-csi-driver-operator/go.sum is excluded by !**/*.sum
  • legacy/gcp-pd-csi-driver-operator/vendor/cel.dev/expr/.bazelversion is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/cel.dev/expr/.gitattributes is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/cel.dev/expr/.gitignore is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/cel.dev/expr/BUILD.bazel is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/cel.dev/expr/CODE_OF_CONDUCT.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/cel.dev/expr/CONTRIBUTING.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/cel.dev/expr/GOVERNANCE.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/cel.dev/expr/LICENSE is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/cel.dev/expr/MAINTAINERS.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/cel.dev/expr/MODULE.bazel is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/cel.dev/expr/README.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/cel.dev/expr/WORKSPACE is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/cel.dev/expr/WORKSPACE.bzlmod is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/cel.dev/expr/checked.pb.go is excluded by !**/*.pb.go, !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/cel.dev/expr/cloudbuild.yaml is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/cel.dev/expr/eval.pb.go is excluded by !**/*.pb.go, !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/cel.dev/expr/explain.pb.go is excluded by !**/*.pb.go, !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/cel.dev/expr/regen_go_proto.sh is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/cel.dev/expr/regen_go_proto_canonical_protos.sh is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/cel.dev/expr/syntax.pb.go is excluded by !**/*.pb.go, !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/cel.dev/expr/value.pb.go is excluded by !**/*.pb.go, !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/NYTimes/gziphandler/.gitignore is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/NYTimes/gziphandler/.travis.yml is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/NYTimes/gziphandler/CODE_OF_CONDUCT.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/NYTimes/gziphandler/CONTRIBUTING.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/NYTimes/gziphandler/LICENSE is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/NYTimes/gziphandler/README.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/NYTimes/gziphandler/gzip.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/NYTimes/gziphandler/gzip_go18.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/.gitignore is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/LICENSE is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/README.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/antlrdoc.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/atn.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/atn_config.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/atn_config_set.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/atn_deserialization_options.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/atn_deserializer.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/atn_simulator.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/atn_state.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/atn_type.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/char_stream.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/common_token_factory.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/common_token_stream.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/comparators.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/configuration.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/dfa.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/dfa_serializer.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/dfa_state.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/diagnostic_error_listener.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/error_listener.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/error_strategy.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/errors.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/file_stream.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/input_stream.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/int_stream.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/interval_set.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/jcollect.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/lexer.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/lexer_action.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/lexer_action_executor.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/lexer_atn_simulator.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/ll1_analyzer.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/mutex.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/mutex_nomutex.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/nostatistics.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/parser.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/parser_atn_simulator.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/parser_rule_context.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/prediction_context.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/prediction_context_cache.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/prediction_mode.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/recognizer.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/rule_context.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/semantic_context.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/statistics.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/stats_data.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/token.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/token_source.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/token_stream.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/tokenstream_rewriter.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/trace_listener.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/transition.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/tree.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/trees.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/antlr4-go/antlr/v4/utils.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/beorn7/perks/LICENSE is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/beorn7/perks/quantile/exampledata.txt is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/beorn7/perks/quantile/stream.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/blang/semver/v4/LICENSE is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/blang/semver/v4/json.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/blang/semver/v4/range.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/blang/semver/v4/semver.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/blang/semver/v4/sort.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/blang/semver/v4/sql.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/cenkalti/backoff/v5/.gitignore is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/cenkalti/backoff/v5/CHANGELOG.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/cenkalti/backoff/v5/LICENSE is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/cenkalti/backoff/v5/README.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/cenkalti/backoff/v5/backoff.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/cenkalti/backoff/v5/error.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/cenkalti/backoff/v5/exponential.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/cenkalti/backoff/v5/retry.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/cenkalti/backoff/v5/ticker.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/cenkalti/backoff/v5/timer.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/cespare/xxhash/v2/LICENSE.txt is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/cespare/xxhash/v2/README.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/cespare/xxhash/v2/testall.sh is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/cespare/xxhash/v2/xxhash.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/cespare/xxhash/v2/xxhash_amd64.s is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/cespare/xxhash/v2/xxhash_arm64.s is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/cespare/xxhash/v2/xxhash_asm.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/cespare/xxhash/v2/xxhash_other.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/cespare/xxhash/v2/xxhash_safe.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/cespare/xxhash/v2/xxhash_unsafe.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/coreos/go-semver/LICENSE is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/coreos/go-semver/NOTICE is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/coreos/go-semver/semver/semver.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/coreos/go-semver/semver/sort.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/coreos/go-systemd/v22/LICENSE is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/coreos/go-systemd/v22/NOTICE is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/coreos/go-systemd/v22/daemon/sdnotify.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/coreos/go-systemd/v22/daemon/sdnotify_other.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/coreos/go-systemd/v22/daemon/sdnotify_unix.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/coreos/go-systemd/v22/daemon/watchdog.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/coreos/go-systemd/v22/journal/journal.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/coreos/go-systemd/v22/journal/journal_unix.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/coreos/go-systemd/v22/journal/journal_windows.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/davecgh/go-spew/LICENSE is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/davecgh/go-spew/spew/bypass.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/davecgh/go-spew/spew/bypasssafe.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/davecgh/go-spew/spew/common.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/davecgh/go-spew/spew/config.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/davecgh/go-spew/spew/doc.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/davecgh/go-spew/spew/dump.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/davecgh/go-spew/spew/format.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/davecgh/go-spew/spew/spew.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/.gitignore is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/.goconvey is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/CHANGES.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/LICENSE is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/Makefile is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/README.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/SECURITY.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/Srcfile is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/bench_test.sh is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/compress.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/compressor_cache.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/compressor_pools.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/compressors.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/constants.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/container.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/cors_filter.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/coverage.sh is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/curly.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/curly_route.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/custom_verb.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/doc.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/entity_accessors.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/extensions.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/filter.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/filter_adapter.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/jsr311.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/log/log.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/logger.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/mime.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/options_filter.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/parameter.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/path_expression.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/path_processor.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/request.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/response.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/route.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/route_builder.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/route_reader.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/router.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/service_error.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/web_service.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/emicklei/go-restful/v3/web_service_container.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/felixge/fgprof/BenchmarkProfilerGoroutines.txt is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/felixge/fgprof/LICENSE.txt is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/felixge/fgprof/README.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/felixge/fgprof/fgprof.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/felixge/fgprof/handler.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/felixge/httpsnoop/.gitignore is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/felixge/httpsnoop/LICENSE.txt is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/felixge/httpsnoop/Makefile is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/felixge/httpsnoop/README.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/felixge/httpsnoop/capture_metrics.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/felixge/httpsnoop/docs.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/felixge/httpsnoop/wrap_generated_gteq_1.8.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/felixge/httpsnoop/wrap_generated_lt_1.8.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/.cirrus.yml is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/.gitignore is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/.mailmap is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/CHANGELOG.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/CONTRIBUTING.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/LICENSE is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/README.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/backend_fen.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/backend_inotify.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/backend_kqueue.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/backend_other.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/backend_windows.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/fsnotify.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/internal/darwin.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/internal/debug_darwin.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/internal/debug_dragonfly.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/internal/debug_freebsd.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/internal/debug_kqueue.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/internal/debug_linux.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/internal/debug_netbsd.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/internal/debug_openbsd.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/internal/debug_solaris.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/internal/debug_windows.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/internal/freebsd.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/internal/internal.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/internal/unix.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/internal/unix2.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/internal/windows.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/shared.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/staticcheck.conf is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/system_bsd.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fsnotify/fsnotify/system_darwin.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fxamacker/cbor/v2/.gitignore is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fxamacker/cbor/v2/.golangci.yml is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fxamacker/cbor/v2/CODE_OF_CONDUCT.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fxamacker/cbor/v2/CONTRIBUTING.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fxamacker/cbor/v2/LICENSE is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fxamacker/cbor/v2/README.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fxamacker/cbor/v2/SECURITY.md is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fxamacker/cbor/v2/bytestring.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fxamacker/cbor/v2/cache.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fxamacker/cbor/v2/common.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fxamacker/cbor/v2/decode.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fxamacker/cbor/v2/diagnose.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fxamacker/cbor/v2/doc.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fxamacker/cbor/v2/encode.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fxamacker/cbor/v2/encode_map.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fxamacker/cbor/v2/omitzero_go124.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fxamacker/cbor/v2/omitzero_pre_go124.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fxamacker/cbor/v2/simplevalue.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fxamacker/cbor/v2/stream.go is excluded by !**/vendor/**
  • legacy/gcp-pd-csi-driver-operator/vendor/github.com/fxamacker/cbor/v2/structfields.go is excluded by !**/vendor/**
📒 Files selected for processing (55)
  • Dockerfile.gcp-pd
  • legacy/gcp-pd-csi-driver-operator/.ci-operator.yaml
  • legacy/gcp-pd-csi-driver-operator/.gitignore
  • legacy/gcp-pd-csi-driver-operator/.snyk
  • legacy/gcp-pd-csi-driver-operator/Dockerfile.openshift
  • legacy/gcp-pd-csi-driver-operator/Dockerfile.test
  • legacy/gcp-pd-csi-driver-operator/LICENSE
  • legacy/gcp-pd-csi-driver-operator/Makefile
  • legacy/gcp-pd-csi-driver-operator/OWNERS
  • legacy/gcp-pd-csi-driver-operator/README.md
  • legacy/gcp-pd-csi-driver-operator/assets/assets.go
  • legacy/gcp-pd-csi-driver-operator/assets/cabundle_cm.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/controller.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/controller_pdb.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/controller_sa.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/csidriver.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/node.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/node_sa.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/rbac/controller_privileged_binding.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/rbac/kube_rbac_proxy_binding.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/rbac/kube_rbac_proxy_role.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/rbac/lease_leader_election_role.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/rbac/lease_leader_election_rolebinding.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/rbac/main_attacher_binding.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/rbac/main_provisioner_binding.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/rbac/main_resizer_binding.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/rbac/main_snapshotter_binding.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/rbac/node_privileged_binding.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/rbac/privileged_role.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/rbac/prometheus_role.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/rbac/prometheus_rolebinding.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/rbac/storageclass_reader_resizer_binding.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/rbac/volumeattributesclass_reader_provisioner_binding.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/rbac/volumeattributesclass_reader_resizer_binding.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/rbac/volumesnapshot_reader_provisioner_binding.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/service.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/servicemonitor.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/storageclass.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/storageclass_ssd.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/volumesnapshotclass.yaml
  • legacy/gcp-pd-csi-driver-operator/assets/volumesnapshotclass_images.yaml
  • legacy/gcp-pd-csi-driver-operator/cmd/gcp-pd-csi-driver-operator/main.go
  • legacy/gcp-pd-csi-driver-operator/go.mod
  • legacy/gcp-pd-csi-driver-operator/hack/e2e.sh
  • legacy/gcp-pd-csi-driver-operator/pkg/dependencymagnet/dependencymagnet.go
  • legacy/gcp-pd-csi-driver-operator/pkg/operator/starter.go
  • legacy/gcp-pd-csi-driver-operator/pkg/operator/starter_test.go
  • legacy/gcp-pd-csi-driver-operator/pkg/operator/storageclasshook.go
  • legacy/gcp-pd-csi-driver-operator/pkg/operator/storageclasshook_test.go
  • legacy/gcp-pd-csi-driver-operator/pkg/version/version.go
  • legacy/gcp-pd-csi-driver-operator/test/e2e/hyperdisk-manifest.yaml
  • legacy/gcp-pd-csi-driver-operator/test/e2e/image-snapshot-manifest.yaml
  • legacy/gcp-pd-csi-driver-operator/test/e2e/manifest.yaml
  • legacy/gcp-pd-csi-driver-operator/test/e2e/ocp-manifest.yaml
  • legacy/gcp-pd-csi-driver-operator/test/e2e/volumeattributesclass.yaml

openshift.io/required-scc: privileged
target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
spec:
hostNetwork: true


⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Remove hostNetwork from the controller pod unless there is a strict requirement.

Line 26 enables host networking, which bypasses normal pod network isolation and exposes container ports on node interfaces. If this is unavoidable, document the requirement and compensating controls in-manifest.
As per coding guidelines, Kubernetes manifests should not enable hostNetwork: true by default.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@legacy/gcp-pd-csi-driver-operator/assets/controller.yaml` at line 26, The
manifest currently enables hostNetwork: true in the controller pod spec; remove
the hostNetwork: true entry from the Pod/Deployment spec in controller.yaml (the
controller pod spec) so the controller runs with normal pod network isolation,
and if host networking is strictly required, revert only after adding an
explicit rationale and compensating controls (network policy,
nodeSelector/taints, documented ports/hostPort usage) in the same manifest or
accompanying docs so reviewers can verify the justification.

Source: Coding guidelines
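The two points raised against `controller.yaml` in this review (host networking, and containers that stop at `readOnlyRootFilesystem` with no limits) are easy to re-check mechanically. The script below is an added example, not code from this PR or from the csi-operator project: it takes the JSON form of a Deployment or Pod (what `kubectl get deploy <name> -o json` prints), lists which listeners become reachable from the node's network namespace once `hostNetwork: true` is set, and reports the securityContext and resource-limit fields each container lacks. The listener flags it scans (`--http-endpoint`, `--metrics-address`, `--secure-listen-address`) are the ones visible in the manifest; the embedded `WEAK` input is a constructed, abridged model of the controller pod, `HARDENED` is the same provisioner with the fields the review asks for, and all function names are the example's own.

```python
import json
import re

# Sidecar flags (visible in the manifest under review) that open a listener.
LISTEN_FLAGS = ("--http-endpoint=", "--metrics-address=", "--secure-listen-address=")
ADDR_RE = re.compile(r"^(?P<host>[^:]*):(?P<port>\d+)$")


def pod_spec(obj):
    """Pod spec of a Pod, or of a Deployment/DaemonSet/StatefulSet template."""
    spec = obj.get("spec", {})
    return spec["template"]["spec"] if "template" in spec else spec


def listeners(pod):
    """(container, host, port) for each containerPort entry and listen-address flag."""
    found = []
    for c in pod.get("containers", []):
        for p in c.get("ports", []):
            found.append((c["name"], "0.0.0.0", int(p["containerPort"])))
        for arg in c.get("args", []):
            for flag in LISTEN_FLAGS:
                if arg.startswith(flag):
                    m = ADDR_RE.match(arg[len(flag):])
                    if m:
                        found.append((c["name"], m["host"] or "0.0.0.0", int(m["port"])))
    return found


def node_reachable_ports(pod):
    """Ports open to other processes in the node's netns; empty unless hostNetwork."""
    if not pod.get("hostNetwork", False):
        return set()
    return {port for _, _, port in listeners(pod)}


def container_findings(c):
    """Hardening and limit gaps for one container, as short strings."""
    out = []
    sc = c.get("securityContext", {})
    if sc.get("allowPrivilegeEscalation") is not False:
        out.append("allowPrivilegeEscalation not set to false")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        out.append("capabilities.drop does not include ALL")
    if sc.get("runAsNonRoot") is not True:
        out.append("runAsNonRoot not set to true")
    if not sc.get("readOnlyRootFilesystem", False):
        out.append("readOnlyRootFilesystem not set")
    limits = c.get("resources", {}).get("limits", {})
    out.extend(f"no {r} limit" for r in ("cpu", "memory") if r not in limits)
    return out


def audit(obj):
    """{container: [findings]} plus a 'pod' entry when hostNetwork is enabled."""
    pod = pod_spec(obj)
    report = {}
    if pod.get("hostNetwork", False):
        ports = sorted(node_reachable_ports(pod))
        loop = sorted({p for _, h, p in listeners(pod) if h in ("localhost", "127.0.0.1")})
        report["pod"] = [f"hostNetwork: true puts listeners on ports {ports} in the node's network namespace"]
        if loop:  # loopback binds hide from the network but not from node-local processes
            report["pod"].append(f"ports {loop} are loopback-only, yet open to every process in that "
                                 "namespace (other hostNetwork pods included), bypassing kube-rbac-proxy")
    for c in pod.get("containers", []):
        if found := container_findings(c):
            report[c["name"]] = found
    return report


# Constructed, abridged input modelled on the controller pod under review (not the project's file).
WEAK = {"kind": "Deployment", "spec": {"template": {"spec": {
    "hostNetwork": True,
    "containers": [
        {"name": "csi-driver",
         "securityContext": {"readOnlyRootFilesystem": True},
         "ports": [{"name": "healthz", "containerPort": 10301, "protocol": "TCP"}],
         "resources": {"requests": {"cpu": "10m", "memory": "50Mi"}}},
        {"name": "csi-provisioner",
         "securityContext": {"readOnlyRootFilesystem": True},
         "args": ["--csi-address=$(ADDRESS)", "--http-endpoint=localhost:8202"],
         "resources": {"requests": {"cpu": "10m", "memory": "50Mi"}}},
        {"name": "provisioner-kube-rbac-proxy",
         "securityContext": {"readOnlyRootFilesystem": True},
         "args": ["--secure-listen-address=0.0.0.0:9202", "--upstream=http://127.0.0.1:8202/"],
         "ports": [{"name": "provisioner-m", "containerPort": 9202}]}]}}}}

# The provisioner again, with the hardening the review asks for and no hostNetwork.
HARDENED = {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
    {"name": "csi-provisioner",
     "securityContext": {"readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False,
                         "runAsNonRoot": True, "capabilities": {"drop": ["ALL"]}},
     "args": ["--http-endpoint=localhost:8202"],
     "resources": {"requests": {"cpu": "10m", "memory": "50Mi"},
                   "limits": {"cpu": "100m", "memory": "200Mi"}}}]}}}}

if __name__ == "__main__":  # real use: audit(json.load(sys.stdin))
    print(json.dumps({"weak": audit(WEAK), "hardened": audit(HARDENED)}, indent=2))
```

Run against `WEAK`, the pod entry lists 8202, 9202 and 10301 as node-reachable and singles out 8202 as a loopback-only metrics endpoint that the proxy no longer guards; every container is flagged for the missing `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `runAsNonRoot` and limits. `HARDENED` produces an empty report, which is the bar the review is asking the manifest to meet.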

Comment on lines +47 to +314
- name: csi-driver
securityContext:
readOnlyRootFilesystem: true
image: ${DRIVER_IMAGE}
imagePullPolicy: IfNotPresent
args:
- --endpoint=$(CSI_ENDPOINT)
- --logtostderr
- --v=${LOG_LEVEL}
- --enable-storage-pools=true
- --allow-hdha-provisioning=true
- --supports-dynamic-throughput-provisioning=hyperdisk-balanced,hyperdisk-throughput,hyperdisk-ml
- --supports-dynamic-iops-provisioning=hyperdisk-balanced,hyperdisk-extreme
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: "/etc/cloud-sa/service_account.json"
- name: CSI_ENDPOINT
value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
ports:
- name: healthz
# Due to hostNetwork, this port is open on a node!
containerPort: 10301
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 10
timeoutSeconds: 3
periodSeconds: 10
failureThreshold: 5
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
- name: cloud-sa-volume
readOnly: true
mountPath: "/etc/cloud-sa"
- name: bound-sa-token
mountPath: /var/run/secrets/openshift/serviceaccount
readOnly: true
resources:
requests:
memory: 50Mi
cpu: 10m
- name: csi-provisioner
securityContext:
readOnlyRootFilesystem: true
image: ${PROVISIONER_IMAGE}
imagePullPolicy: IfNotPresent
args:
- --csi-address=$(ADDRESS)
- --default-fstype=ext4
- --feature-gates=Topology=true
- --extra-create-metadata=true
- --http-endpoint=localhost:8202
- --timeout=250s
- --leader-election
- --leader-election-lease-duration=${LEADER_ELECTION_LEASE_DURATION}
- --leader-election-renew-deadline=${LEADER_ELECTION_RENEW_DEADLINE}
- --leader-election-retry-period=${LEADER_ELECTION_RETRY_PERIOD}
- --controller-publish-readonly
- --v=${LOG_LEVEL}
env:
- name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
resources:
requests:
memory: 50Mi
cpu: 10m
# kube-rbac-proxy for external-provisioner container.
# Provides https proxy for http-based external-provisioner metrics.
- name: provisioner-kube-rbac-proxy
securityContext:
readOnlyRootFilesystem: true
args:
- --secure-listen-address=0.0.0.0:9202
- --upstream=http://127.0.0.1:8202/
- --tls-cert-file=/etc/tls/private/tls.crt
- --tls-private-key-file=/etc/tls/private/tls.key
- --tls-cipher-suites=${TLS_CIPHER_SUITES}
- --tls-min-version=${TLS_MIN_VERSION}
- --logtostderr=true
image: ${KUBE_RBAC_PROXY_IMAGE}
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9202
name: provisioner-m
protocol: TCP
resources:
requests:
memory: 20Mi
cpu: 10m
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /etc/tls/private
name: metrics-serving-cert
- name: csi-attacher
securityContext:
readOnlyRootFilesystem: true
image: ${ATTACHER_IMAGE}
imagePullPolicy: IfNotPresent
args:
- --csi-address=$(ADDRESS)
- --http-endpoint=localhost:8203
- --leader-election
- --timeout=250s
- --leader-election-lease-duration=${LEADER_ELECTION_LEASE_DURATION}
- --leader-election-renew-deadline=${LEADER_ELECTION_RENEW_DEADLINE}
- --leader-election-retry-period=${LEADER_ELECTION_RETRY_PERIOD}
- --v=${LOG_LEVEL}
env:
- name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
resources:
requests:
memory: 50Mi
cpu: 10m
- name: attacher-kube-rbac-proxy
securityContext:
readOnlyRootFilesystem: true
args:
- --secure-listen-address=0.0.0.0:9203
- --upstream=http://127.0.0.1:8203/
- --tls-cert-file=/etc/tls/private/tls.crt
- --tls-private-key-file=/etc/tls/private/tls.key
- --tls-cipher-suites=${TLS_CIPHER_SUITES}
- --tls-min-version=${TLS_MIN_VERSION}
- --logtostderr=true
image: ${KUBE_RBAC_PROXY_IMAGE}
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9203
name: attacher-m
protocol: TCP
resources:
requests:
memory: 20Mi
cpu: 10m
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /etc/tls/private
name: metrics-serving-cert
- name: csi-resizer
securityContext:
readOnlyRootFilesystem: true
image: ${RESIZER_IMAGE}
imagePullPolicy: IfNotPresent
args:
- --csi-address=$(ADDRESS)
- --http-endpoint=localhost:8204
- --leader-election
- --leader-election-lease-duration=${LEADER_ELECTION_LEASE_DURATION}
- --leader-election-renew-deadline=${LEADER_ELECTION_RENEW_DEADLINE}
- --leader-election-retry-period=${LEADER_ELECTION_RETRY_PERIOD}
- --v=${LOG_LEVEL}
env:
- name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
resources:
requests:
memory: 50Mi
cpu: 10m
- name: resizer-kube-rbac-proxy
securityContext:
readOnlyRootFilesystem: true
args:
- --secure-listen-address=0.0.0.0:9204
- --upstream=http://127.0.0.1:8204/
- --tls-cert-file=/etc/tls/private/tls.crt
- --tls-private-key-file=/etc/tls/private/tls.key
- --tls-cipher-suites=${TLS_CIPHER_SUITES}
- --tls-min-version=${TLS_MIN_VERSION}
- --logtostderr=true
image: ${KUBE_RBAC_PROXY_IMAGE}
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9204
name: resizer-m
protocol: TCP
resources:
requests:
memory: 20Mi
cpu: 10m
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /etc/tls/private
name: metrics-serving-cert
- name: csi-snapshotter
securityContext:
readOnlyRootFilesystem: true
image: ${SNAPSHOTTER_IMAGE}
imagePullPolicy: IfNotPresent
args:
- --csi-address=$(ADDRESS)
- --metrics-address=localhost:8205
- --leader-election
- --timeout=300s
- --leader-election-lease-duration=${LEADER_ELECTION_LEASE_DURATION}
- --leader-election-renew-deadline=${LEADER_ELECTION_RENEW_DEADLINE}
- --leader-election-retry-period=${LEADER_ELECTION_RETRY_PERIOD}
- --v=${LOG_LEVEL}
env:
- name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/lib/csi/sockets/pluginproxy/
name: socket-dir
resources:
requests:
memory: 50Mi
cpu: 10m
- name: snapshotter-kube-rbac-proxy
securityContext:
readOnlyRootFilesystem: true
args:
- --secure-listen-address=0.0.0.0:9205
- --upstream=http://127.0.0.1:8205/
- --tls-cert-file=/etc/tls/private/tls.crt
- --tls-private-key-file=/etc/tls/private/tls.key
- --tls-cipher-suites=${TLS_CIPHER_SUITES}
- --tls-min-version=${TLS_MIN_VERSION}
- --logtostderr=true
image: ${KUBE_RBAC_PROXY_IMAGE}
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9205
name: snapshotter-m
protocol: TCP
resources:
requests:
memory: 20Mi
cpu: 10m
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /etc/tls/private
name: metrics-serving-cert
- name: csi-liveness-probe
securityContext:
readOnlyRootFilesystem: true
image: ${LIVENESS_PROBE_IMAGE}
imagePullPolicy: IfNotPresent
args:
- --csi-address=/csi/csi.sock
- --probe-timeout=3s
- --health-port=10301
- --v=${LOG_LEVEL}
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- name: socket-dir
mountPath: /csi
resources:
requests:
memory: 50Mi
cpu: 10m
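Review bot: `--tls-cipher-suites=${TLS_CIPHER_SUITES}` and `--tls-min-version=${TLS_MIN_VERSION}` on the resizer and snapshotter kube-rbac-proxy sidecars are only as strong as what the operator substitutes; please confirm the values are rendered from the cluster's configured TLS security profile and that an unset profile never yields a bare `--tls-min-version=` on the `0.0.0.0:9204` / `0.0.0.0:9205` listeners, which would leave those metrics endpoints on whatever the proxy's own default is.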

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Harden container security defaults and define resource limits for every container.

Across Lines 47-314, containers mostly rely on defaults beyond readOnlyRootFilesystem; explicit allowPrivilegeEscalation: false/non-root posture/capability dropping and CPU+memory limits are missing. This leaves a weaker baseline and no upper bound per container.
As per coding guidelines, Kubernetes manifests should enforce least-privilege securityContext and set resource limits on every container.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@legacy/gcp-pd-csi-driver-operator/assets/controller.yaml` around lines 47 -
314, Several containers (csi-driver, csi-provisioner,
provisioner-kube-rbac-proxy, csi-attacher, attacher-kube-rbac-proxy,
csi-resizer, resizer-kube-rbac-proxy, csi-snapshotter,
snapshotter-kube-rbac-proxy, csi-liveness-probe) lack hardened securityContext
fields and missing resource limits; update each container spec to include
securityContext: allowPrivilegeEscalation: false, runAsNonRoot: true (and
runAsUser set to a non-root uid), capabilities: drop: ["ALL"], and explicitly
set resources.limits for cpu and memory (at least equal to or slightly above the
existing requests) to enforce upper bounds; apply these changes either
per-container (recommended) or via a pod-level securityContext where
appropriate, ensuring names above are updated consistently.

Source: Coding guidelines

Comment on lines +27 to +193
hostNetwork: true
serviceAccountName: gcp-pd-csi-driver-node-sa
priorityClassName: system-node-critical
tolerations:
- operator: Exists
nodeSelector:
kubernetes.io/os: linux
containers:
- name: csi-driver
securityContext:
privileged: true
readOnlyRootFilesystem: true
image: ${DRIVER_IMAGE}
imagePullPolicy: IfNotPresent
args:
- --endpoint=$(CSI_ENDPOINT)
- --logtostderr
- --v=${LOG_LEVEL}
- --enable-storage-pools=true
- --node-name=$(KUBE_NODE_NAME)
env:
- name: CSI_ENDPOINT
value: unix:/csi/csi.sock
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
- name: kubelet-dir
mountPath: /var/lib/kubelet
mountPropagation: "Bidirectional"
- name: plugin-dir
mountPath: /csi
- name: device-dir
mountPath: /dev
# The following mounts are required to trigger host udevadm from
# container
- name: udev-rules-etc
mountPath: /etc/udev
- name: udev-rules-lib
mountPath: /lib/udev
- name: udev-socket
mountPath: /run/udev
- name: sys
mountPath: /sys
- name: etc-selinux
mountPath: /etc/selinux
ports:
- name: healthz
# Due to hostNetwork, this port is open on all nodes!
containerPort: 10300
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 10
timeoutSeconds: 3
periodSeconds: 10
failureThreshold: 5
resources:
requests:
memory: 50Mi
cpu: 10m
terminationMessagePolicy: FallbackToLogsOnError
- name: csi-node-driver-registrar
securityContext:
privileged: true
readOnlyRootFilesystem: true
image: ${NODE_DRIVER_REGISTRAR_IMAGE}
imagePullPolicy: IfNotPresent
args:
- --csi-address=$(ADDRESS)
- --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
- --http-endpoint=:10303
- --v=${LOG_LEVEL}
lifecycle:
preStop:
exec:
command: ["/bin/sh", "-c", "rm -rf /registration/pd.csi.storage.gke.io-reg.sock /csi/csi.sock"]
env:
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: ADDRESS
value: /csi/csi.sock
- name: DRIVER_REG_SOCK_PATH
value: /var/lib/kubelet/plugins/pd.csi.storage.gke.io/csi.sock
volumeMounts:
- name: plugin-dir
mountPath: /csi
- name: registration-dir
mountPath: /registration
ports:
- containerPort: 10303
name: rhealthz
resources:
requests:
memory: 50Mi
cpu: 10m
livenessProbe:
httpGet:
path: /healthz
port: rhealthz
initialDelaySeconds: 10
timeoutSeconds: 3
periodSeconds: 10
failureThreshold: 5
terminationMessagePolicy: FallbackToLogsOnError
- name: csi-liveness-probe
securityContext:
readOnlyRootFilesystem: true
image: ${LIVENESS_PROBE_IMAGE}
imagePullPolicy: IfNotPresent
args:
- --csi-address=/csi/csi.sock
- --probe-timeout=3s
- --health-port=10300
- --v=${LOG_LEVEL}
volumeMounts:
- name: plugin-dir
mountPath: /csi
resources:
requests:
memory: 50Mi
cpu: 10m
terminationMessagePolicy: FallbackToLogsOnError
volumes:
- name: kubelet-dir
hostPath:
path: /var/lib/kubelet
type: Directory
- name: plugin-dir
hostPath:
path: /var/lib/kubelet/plugins/pd.csi.storage.gke.io/
type: DirectoryOrCreate
- name: registration-dir
hostPath:
path: /var/lib/kubelet/plugins_registry/
type: Directory
- name: device-dir
hostPath:
path: /dev
type: Directory
# The following mounts are required to trigger host udevadm from
# container
- name: udev-rules-etc
hostPath:
path: /etc/udev
type: Directory
- name: udev-rules-lib
hostPath:
path: /lib/udev
type: Directory
- name: udev-socket
hostPath:
path: /run/udev
type: Directory
- name: sys
hostPath:
path: /sys
type: Directory
- name: etc-selinux
hostPath:
path: /etc/selinux
type: DirectoryOrCreate
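Review bot: `csi-node-driver-registrar` is `privileged: true` although it mounts only `plugin-dir` and `registration-dir`, with no `mountPropagation` and no `/dev` or `/sys`, whereas `csi-driver`'s `Bidirectional` mount of `/var/lib/kubelet` and its device access are what actually require privilege. If the registrar only needs write access to the two hostPath socket directories, either drop the flag or add a comment stating why it stays (SELinux labelling of the hostPath, for example) so the KSV-0017 finding for that container has a documented answer. The same caveat as the `# Due to hostNetwork, this port is open on all nodes!` comment on the `healthz` port applies to the registrar's `--http-endpoint=:10303`, which under `hostNetwork: true` also listens on every node interface.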

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Reduce node-level privilege scope in this DaemonSet.

This spec combines host networking, privileged containers, and sensitive host mounts (/dev, /sys), which creates a large host attack surface. Keep only strictly required privileged access and document why each exception is necessary.
As per coding guidelines, YAML manifests must flag hostNetwork: true and privileged: true usage in workload specs.

🧰 Tools
🪛 Checkov (3.2.530)

[medium] 1-193: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[high] 1-193: Container should not be privileged

(CKV_K8S_16)


[medium] 1-193: Minimize the admission of root containers

(CKV_K8S_23)


[medium] 1-193: Containers should not share the host network namespace

(CKV_K8S_19)

🪛 Trivy (0.69.3)

[error] 9-193: Access to host network

DaemonSet 'gcp-pd-csi-driver-node' should not set 'spec.template.spec.hostNetwork' to true

Rule: KSV-0009

Learn more

(IaC/Kubernetes)


[error] 35-91: Privileged

Container 'csi-driver' of DaemonSet 'gcp-pd-csi-driver-node' should set 'securityContext.privileged' to false

Rule: KSV-0017

Learn more

(IaC/Kubernetes)


[error] 92-136: Privileged

Container 'csi-node-driver-registrar' of DaemonSet 'gcp-pd-csi-driver-node' should set 'securityContext.privileged' to false

Rule: KSV-0017

Learn more

(IaC/Kubernetes)


[error] 26-193: Default security context configured

daemonset gcp-pd-csi-driver-node in openshift-cluster-csi-drivers namespace is using the default security context, which allows root privileges

Rule: KSV-0118

Learn more

(IaC/Kubernetes)


[error] 9-193: Kubernetes resource with disallowed volumes mounted

daemonset gcp-pd-csi-driver-node in openshift-cluster-csi-drivers namespace shouldn't have volumes set to {"/dev", "/sys"}

Rule: KSV-0121

Learn more

(IaC/Kubernetes)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@legacy/gcp-pd-csi-driver-operator/assets/node.yaml` around lines 27 - 193,
The DaemonSet exposes excessive node privileges via hostNetwork: true,
privileged: true on containers (csi-driver, csi-node-driver-registrar) and wide
hostPath mounts (/dev, /sys, /var/lib/kubelet, /run/udev); reduce the attack
surface by removing hostNetwork unless required, drop privileged:true and use
specific capabilities or device plugins for csi-driver and
csi-node-driver-registrar, change broad hostPath mounts to more restrictive
options (use DirectoryOrCreate only where needed, mount specific device nodes
instead of /dev, avoid mounting /sys unless absolutely required), and add
manifest annotations documenting why any remaining hostNetwork/privileged mounts
are necessary to satisfy the YAML guideline that these must be flagged and
justified.

Source: Coding guidelines

Comment on lines +35 to +154
- name: csi-driver
securityContext:
privileged: true
readOnlyRootFilesystem: true
image: ${DRIVER_IMAGE}
imagePullPolicy: IfNotPresent
args:
- --endpoint=$(CSI_ENDPOINT)
- --logtostderr
- --v=${LOG_LEVEL}
- --enable-storage-pools=true
- --node-name=$(KUBE_NODE_NAME)
env:
- name: CSI_ENDPOINT
value: unix:/csi/csi.sock
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
- name: kubelet-dir
mountPath: /var/lib/kubelet
mountPropagation: "Bidirectional"
- name: plugin-dir
mountPath: /csi
- name: device-dir
mountPath: /dev
# The following mounts are required to trigger host udevadm from
# container
- name: udev-rules-etc
mountPath: /etc/udev
- name: udev-rules-lib
mountPath: /lib/udev
- name: udev-socket
mountPath: /run/udev
- name: sys
mountPath: /sys
- name: etc-selinux
mountPath: /etc/selinux
ports:
- name: healthz
# Due to hostNetwork, this port is open on all nodes!
containerPort: 10300
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 10
timeoutSeconds: 3
periodSeconds: 10
failureThreshold: 5
resources:
requests:
memory: 50Mi
cpu: 10m
terminationMessagePolicy: FallbackToLogsOnError
- name: csi-node-driver-registrar
securityContext:
privileged: true
readOnlyRootFilesystem: true
image: ${NODE_DRIVER_REGISTRAR_IMAGE}
imagePullPolicy: IfNotPresent
args:
- --csi-address=$(ADDRESS)
- --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
- --http-endpoint=:10303
- --v=${LOG_LEVEL}
lifecycle:
preStop:
exec:
command: ["/bin/sh", "-c", "rm -rf /registration/pd.csi.storage.gke.io-reg.sock /csi/csi.sock"]
env:
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: ADDRESS
value: /csi/csi.sock
- name: DRIVER_REG_SOCK_PATH
value: /var/lib/kubelet/plugins/pd.csi.storage.gke.io/csi.sock
volumeMounts:
- name: plugin-dir
mountPath: /csi
- name: registration-dir
mountPath: /registration
ports:
- containerPort: 10303
name: rhealthz
resources:
requests:
memory: 50Mi
cpu: 10m
livenessProbe:
httpGet:
path: /healthz
port: rhealthz
initialDelaySeconds: 10
timeoutSeconds: 3
periodSeconds: 10
failureThreshold: 5
terminationMessagePolicy: FallbackToLogsOnError
- name: csi-liveness-probe
securityContext:
readOnlyRootFilesystem: true
image: ${LIVENESS_PROBE_IMAGE}
imagePullPolicy: IfNotPresent
args:
- --csi-address=/csi/csi.sock
- --probe-timeout=3s
- --health-port=10300
- --v=${LOG_LEVEL}
volumeMounts:
- name: plugin-dir
mountPath: /csi
resources:
requests:
memory: 50Mi
cpu: 10m
terminationMessagePolicy: FallbackToLogsOnError
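Review bot: `csi-liveness-probe` is the one container in this block with no privileged requirement and no hostPath beyond the `/csi` socket directory, so it is the natural first place to apply `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]` and resource limits without functional risk; `runAsNonRoot` there is only safe if `/csi/csi.sock`, created by the root `csi-driver` container, is connectable by a non-root client, so check the socket's mode before adding it.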

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add explicit hardening defaults and resource limits to all node containers.

Lines 35-154 set requests but no limits, and container security hardening is incomplete beyond read-only rootfs. Add explicit limits and least-privilege securityContext fields wherever containers are not strictly required to run privileged.
As per coding guidelines, Kubernetes manifests should enforce hardened securityContext defaults and define cpu/memory limits per container.

🧰 Tools
🪛 Trivy (0.69.3)

[error] 35-91: Privileged

Container 'csi-driver' of DaemonSet 'gcp-pd-csi-driver-node' should set 'securityContext.privileged' to false

Rule: KSV-0017

Learn more

(IaC/Kubernetes)


[error] 92-136: Privileged

Container 'csi-node-driver-registrar' of DaemonSet 'gcp-pd-csi-driver-node' should set 'securityContext.privileged' to false

Rule: KSV-0017

Learn more

(IaC/Kubernetes)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@legacy/gcp-pd-csi-driver-operator/assets/node.yaml` around lines 35 - 154,
The node Pod containers (csi-driver, csi-node-driver-registrar,
csi-liveness-probe) must get explicit resource limits and stricter
securityContext defaults: add resources.limits (cpu and memory) matching/above
requests for each container; remove privileged:true except where absolutely
required (confirm which of csi-driver or registrar truly needs privileged and
set privileged:false otherwise); add runAsNonRoot: true, runAsUser/runAsGroup
(non-root UID/GID), allowPrivilegeEscalation: false, and capabilities.drop:
["ALL"] to each container's securityContext; ensure readOnlyRootFilesystem
remains true and add seccompProfile/type: RuntimeDefault if applicable. Update
the containers named csi-driver, csi-node-driver-registrar, and
csi-liveness-probe accordingly.

Source: Coding guidelines
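The two hardening comments on controller.yaml and node.yaml describe the same conditions the scanners flag. As an added example that is not part of this PR or of the csi-operator code base, here is a small Go checker that applies those rules to a pod spec: `CheckPodSpec`, `CheckJSON`, the type names and the two JSON samples are all constructed for this illustration, and the samples are shaped like the manifests in the diff but are not the real files.

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices"
)

// Minimal subset of the Kubernetes PodSpec the checks read; JSON tags match the API
// field names, so a YAML manifest converted to JSON decodes here and other fields are ignored.
type (
	Capabilities struct {
		Drop []string `json:"drop,omitempty"`
	}
	SecurityContext struct {
		Privileged               *bool         `json:"privileged,omitempty"`
		AllowPrivilegeEscalation *bool         `json:"allowPrivilegeEscalation,omitempty"`
		RunAsNonRoot             *bool         `json:"runAsNonRoot,omitempty"`
		Capabilities             *Capabilities `json:"capabilities,omitempty"`
	}
	Resources struct {
		Limits map[string]string `json:"limits,omitempty"`
	}
	Container struct {
		Name            string          `json:"name"`
		SecurityContext SecurityContext `json:"securityContext"` // zero value when absent
		Resources       Resources       `json:"resources"`
	}
	PodSpec struct {
		HostNetwork bool        `json:"hostNetwork,omitempty"`
		Containers  []Container `json:"containers"`
	}
	// Finding is one policy violation; Container is empty for pod-level findings.
	Finding struct {
		Container, Rule, Message string
	}
)

func isTrue(b *bool) bool { return b != nil && *b }

// CheckPodSpec applies the four Checkov rules reported on node.yaml plus the "drop all
// capabilities" and "limits on every container" asks from the review comments; rule names
// without a CKV_ prefix are constructed labels, not scanner IDs.
func CheckPodSpec(spec PodSpec) []Finding {
	var out []Finding
	if spec.HostNetwork {
		out = append(out, Finding{"", "CKV_K8S_19", "pod shares the host network namespace"})
	}
	for _, c := range spec.Containers {
		sc := c.SecurityContext
		if isTrue(sc.Privileged) {
			out = append(out, Finding{c.Name, "CKV_K8S_16", "container is privileged"})
		}
		// privileged: true forces privilege escalation on, so an explicit
		// allowPrivilegeEscalation: false only satisfies the rule for an unprivileged container.
		if isTrue(sc.Privileged) || sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			out = append(out, Finding{c.Name, "CKV_K8S_20", "allowPrivilegeEscalation is not false"})
		}
		if !isTrue(sc.RunAsNonRoot) {
			out = append(out, Finding{c.Name, "CKV_K8S_23", "runAsNonRoot is not true"})
		}
		if sc.Capabilities == nil || !slices.Contains(sc.Capabilities.Drop, "ALL") {
			out = append(out, Finding{c.Name, "capabilities-drop-all", "capabilities.drop lacks ALL"})
		}
		for _, res := range []string{"cpu", "memory"} {
			if _, ok := c.Resources.Limits[res]; !ok {
				out = append(out, Finding{c.Name, "resource-limits", "no " + res + " limit"})
			}
		}
	}
	return out
}

// CheckJSON decodes a PodSpec given as JSON and runs the checks.
func CheckJSON(doc string) ([]Finding, error) {
	var spec PodSpec
	if err := json.Unmarshal([]byte(doc), &spec); err != nil {
		return nil, fmt.Errorf("decode pod spec: %w", err)
	}
	return CheckPodSpec(spec), nil
}

// Constructed sample shaped like the node DaemonSet in this PR, not the real manifest.
const nodeSpecJSON = `{"hostNetwork": true, "containers": [
 {"name": "csi-driver", "securityContext": {"privileged": true, "readOnlyRootFilesystem": true},
  "resources": {"requests": {"memory": "50Mi", "cpu": "10m"}}},
 {"name": "csi-liveness-probe", "securityContext": {"readOnlyRootFilesystem": true},
  "resources": {"requests": {"memory": "50Mi", "cpu": "10m"}}}]}`

// Constructed sidecar spec carrying the hardening the review asks for; yields no findings.
const hardenedSpecJSON = `{"containers": [{"name": "csi-liveness-probe",
 "securityContext": {"allowPrivilegeEscalation": false, "runAsNonRoot": true,
  "readOnlyRootFilesystem": true, "capabilities": {"drop": ["ALL"]}},
 "resources": {"requests": {"memory": "50Mi", "cpu": "10m"}, "limits": {"memory": "100Mi", "cpu": "100m"}}}]}`

func main() {
	for _, doc := range []string{nodeSpecJSON, hardenedSpecJSON} {
		fmt.Println(CheckJSON(doc)) // findings slice and decode error, if any
	}
}
```

The node-shaped sample yields twelve findings (one pod-level, six for the privileged driver, five for the probe); the hardened sample yields none.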

Comment on lines +6 to +12
- kind: ServiceAccount
name: gcp-pd-csi-driver-controller-sa
namespace: openshift-cluster-csi-drivers
roleRef:
kind: ClusterRole
name: gcp-pd-privileged-role
apiGroup: rbac.authorization.k8s.io
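Review bot: before removing the `gcp-pd-privileged-role` binding from `gcp-pd-csi-driver-controller-sa`, check which SCC the running controller pod is actually admitted under (the `openshift.io/scc` annotation on the pod). The controller containers in controller.yaml set only `readOnlyRootFilesystem` and never `privileged`, so they should admit under a restricted SCC; the node DaemonSet's `gcp-pd-csi-driver-node-sa`, by contrast, runs privileged containers and must keep its own binding.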

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove privileged SCC binding from the controller service account.

Line 7 binds gcp-pd-csi-driver-controller-sa to gcp-pd-privileged-role, which grants use on the privileged SCC. This is an unnecessary privilege expansion for the controller path and weakens isolation.

As per coding guidelines, "RBAC: least privilege; no cluster-admin for workloads."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@legacy/gcp-pd-csi-driver-operator/assets/rbac/controller_privileged_binding.yaml`
around lines 6 - 12, Remove the privileged SCC binding by deleting the
ClusterRoleBinding that ties the ServiceAccount gcp-pd-csi-driver-controller-sa
to the ClusterRole gcp-pd-privileged-role; update the manifest so the controller
service account no longer references gcp-pd-privileged-role and ensure any
required privileges are provided via a narrower ClusterRole (or Role) scoped to
only the needed verbs/resources rather than granting `use` on the `privileged`
SCC.

Source: Coding guidelines

go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.42.0 // indirect
go.opentelemetry.io/otel/metric v1.42.0 // indirect
go.opentelemetry.io/otel/sdk v1.42.0 // indirect
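Review bot: all four `go.opentelemetry.io/otel/*` requirements here are `// indirect` at v1.42.0, so a bare `go get go.opentelemetry.io/otel/sdk@v1.43.0` can leave the otlptrace exporters and `otel/metric` at 1.42.0 and produce a mixed set; bump the whole otel module group together, along with the contrib otelgrpc/otelhttp modules that pull them in, then re-run `go mod tidy` and `go mod vendor` inside `legacy/gcp-pd-csi-driver-operator`. The kenv PATH-hijack the advisory describes only executes on BSD/Solaris hosts, so the practical exposure of a Linux operator image is low, but the bump is still the right fix for the scanner finding.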

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check which direct dependencies pull in the vulnerable otel/sdk version
go mod graph | grep 'go.opentelemetry.io/otel/sdk@v1.42.0'

# Check for available updates
go list -m -u go.opentelemetry.io/otel/sdk

Repository: openshift/csi-operator

Length of output: 1870


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the relevant go.mod section around the flagged line
FILE="legacy/gcp-pd-csi-driver-operator/go.mod"
echo "==> go.mod context (around line 89)"
nl -ba "$FILE" | sed -n '70,110p'

# Check whether a vendor directory exists (the previous go list -m -u failed because of it)
if [ -d "legacy/gcp-pd-csi-driver-operator/vendor" ]; then
  echo "==> vendor directory exists"
  ls -1 "legacy/gcp-pd-csi-driver-operator/vendor" | head
else
  echo "==> vendor directory does NOT exist"
fi

# Determine which top-level modules in this repo require otel/sdk@v1.42.0
echo "==> Direct/indirect module paths pulling in otel/sdk@v1.42.0"
(cd legacy/gcp-pd-csi-driver-operator && go mod graph | grep 'go.opentelemetry.io/otel/sdk@v1.42.0' | head -n 50)

# Try again to list available upgrades, bypassing vendor mode
echo "==> Available upgrades for otel/sdk (bypassing vendor)"
(cd legacy/gcp-pd-csi-driver-operator && go list -m -u -mod=mod go.opentelemetry.io/otel/sdk || true)

# Also list the current versions of key otel modules present in go.mod (if any)
echo "==> otel-related modules in this go.mod"
(cd legacy/gcp-pd-csi-driver-operator && rg -n "go\.opentelemetry\.io/otel" go.mod || true)

Repository: openshift/csi-operator

Length of output: 163


🌐 Web query:

GHSA-hfvc-g4fc-pqhx opentelemetry-go BSD kenv command not using absolute path fixed version

💡 Result:

The vulnerability GHSA-hfvc-g4fc-pqhx, also identified as CVE-2026-39883, involved a PATH hijacking issue in the opentelemetry-go SDK [1][2][3]. Specifically, the SDK used the bare command name "kenv" to retrieve system information on BSD and Solaris platforms [1][2]. Because the command was not invoked using its absolute path, an attacker with local access could place a malicious binary named "kenv" earlier in the system $PATH, leading to arbitrary code execution when the application initialized [1][2]. This vulnerability was fixed in opentelemetry-go version 1.43.0 [1][3]. The fix involved updating the code to use the absolute path /bin/kenv [1][4]. Top results: [1] GHSA-hfvc-g4fc-pqhx [2] https://osv.dev/vulnerability/GHSA-hfvc-g4fc-pqhx [3] https://guide.sonatype.com/vulnerability/CVE-2026-39883 [4] open-telemetry/opentelemetry-go@35214b6

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

REPO_ROOT="."
MODDIR="legacy/gcp-pd-csi-driver-operator"
FILE="$MODDIR/go.mod"

echo "==> Sanity check"
ls -la "$MODDIR" | head
test -f "$FILE" && echo "==> Found $FILE" || (echo "Missing $FILE" && exit 1)

echo "==> vendor directory check"
if [ -d "$MODDIR/vendor" ]; then
  echo "==> $MODDIR/vendor exists"
else
  echo "==> $MODDIR/vendor does NOT exist"
fi

echo "==> go.mod snippet around line ~89"
awk 'NR>=80 && NR<=98 {printf "%d\t%s\n", NR, $0}' "$FILE" | sed -n '1,40p'

echo "==> otel-related lines in go.mod"
rg -n "go\.opentelemetry\.io/otel|opentelemetry-go|otel/sdk|otelhttp|otelgrpc|otlptrace" "$FILE" || true

echo "==> Available upgrades for go.opentelemetry.io/otel/sdk (bypass vendor)"
( cd "$MODDIR" && go list -m -u -mod=mod go.opentelemetry.io/otel/sdk ) || true

Repository: openshift/csi-operator

Length of output: 2615


Vulnerable dependency: update go.opentelemetry.io/otel/sdk (GHSA-hfvc-g4fc-pqhx)
legacy/gcp-pd-csi-driver-operator/go.mod pins go.opentelemetry.io/otel/sdk v1.42.0 // indirect (line 89). GHSA-hfvc-g4fc-pqhx ("opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking") is fixed in opentelemetry-go v1.43.0. This otel/sdk version is pulled in via other OTel modules (e.g. go.opentelemetry.io/contrib/.../otelgrpc@v0.67.0, .../otelhttp@v0.67.0, go.opentelemetry.io/otel/exporters/otlp/otlptrace*@v1.42.0). An upgrade is available to go.opentelemetry.io/otel/sdk v1.44.0, so update OTel deps to a version >= 1.43.0 and refresh vendoring (`vendor/`) accordingly.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@legacy/gcp-pd-csi-driver-operator/go.mod` at line 89, Update the vulnerable
OpenTelemetry SDK to >= v1.43.0 by bumping the go.opentelemetry.io/otel/sdk
requirement (currently v1.42.0) in go.mod to at least v1.43.0 (prefer v1.44.0 as
suggested), and align any related OTel modules that pull it in (e.g.
go.opentelemetry.io/contrib/.../otelgrpc, .../otelhttp,
go.opentelemetry.io/otel/exporters/otlp/otlptrace) to compatible versions so the
SDK transitive dependency resolves to >= v1.43.0; then run go get/module tidy
and refresh the vendor directory (vendor/) so the updated dependency is
vendored.

Source: Coding guidelines

# $3 - Dockerfile path
# $4 - context directory for image build
# It will generate target "image-$(1)" for building the image and binding it as a prerequisite to target "images".
$(call build-image,gcp-pd-csi-driver-operator,$(IMAGE_REGISTRY)/ocp/4.7:gcp-pd-csi-driver-operator,./Dockerfile.rhel7,.)
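Review bot: the third argument `./Dockerfile.rhel7` has to name a file that exists in this directory after the subtree import; if it is replaced, use `Dockerfile.openshift` rather than `Dockerfile.test`, because `build-image` registers the result as a prerequisite of the release target `images` (per the macro comment just above) and a test image should not land there. `ocp/4.7` in the image name is also inherited from the old repository; confirm it still matches the registry layout the other `build-image` calls in this repo use.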

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Dockerfile reference is broken.

The Makefile references ./Dockerfile.rhel7 which does not exist in this PR. The available Dockerfiles are Dockerfile.openshift and Dockerfile.test in this directory. This will cause the build to fail.

🔧 Proposed fix
-$(call build-image,gcp-pd-csi-driver-operator,$(IMAGE_REGISTRY)/ocp/4.7:gcp-pd-csi-driver-operator,./Dockerfile.rhel7,.)
+$(call build-image,gcp-pd-csi-driver-operator,$(IMAGE_REGISTRY)/ocp/4.7:gcp-pd-csi-driver-operator,./Dockerfile.openshift,.)
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
$(call build-image,gcp-pd-csi-driver-operator,$(IMAGE_REGISTRY)/ocp/4.7:gcp-pd-csi-driver-operator,./Dockerfile.rhel7,.)
$(call build-image,gcp-pd-csi-driver-operator,$(IMAGE_REGISTRY)/ocp/4.7:gcp-pd-csi-driver-operator,./Dockerfile.openshift,.)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@legacy/gcp-pd-csi-driver-operator/Makefile` at line 28, The Makefile's image
build invocation references a non-existent Dockerfile ("./Dockerfile.rhel7") in
the rule that calls $(call
build-image,gcp-pd-csi-driver-operator,$(IMAGE_REGISTRY)/ocp/4.7:gcp-pd-csi-driver-operator,./Dockerfile.rhel7,.);
change that third argument to one of the existing Dockerfiles (e.g.,
./Dockerfile.openshift or ./Dockerfile.test) so the build-image call points to a
real Dockerfile, and verify IMAGE_REGISTRY usage remains correct.

configClient := fakeconfig.NewSimpleClientset(objs...)
configInformerFactory := configinformers.NewSharedInformerFactory(configClient, 0)
if test.createInfraCR {
configInformerFactory.Config().V1().Infrastructures().Informer().GetIndexer().Add(infraObj)
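Review bot: `GetIndexer().Add(infraObj)` seeds only the informer's cache. If `infraObj` is not also among the `objs` handed to `fakeconfig.NewSimpleClientset`, a code path that reads Infrastructures through the client rather than the lister sees no object, so a green test may not exercise the path it appears to. Besides checking `Add`'s error return, make the test state which access path it covers, or add the object to both the clientset and the indexer.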

⚠️ Potential issue | 🟡 Minor

Check Indexer().Add errors in test setup

legacy/gcp-pd-csi-driver-operator/pkg/operator/starter_test.go ignores the error return from GetIndexer().Add(infraObj) at lines 123 and 252; if seeding fails, tests may pass with broken setup. Handle the returned error and fail the test on failure.

Suggested fix
 			if test.createInfraCR {
-				configInformerFactory.Config().V1().Infrastructures().Informer().GetIndexer().Add(infraObj)
+				if err := configInformerFactory.Config().V1().Infrastructures().Informer().GetIndexer().Add(infraObj); err != nil {
+					t.Fatalf("failed to seed infrastructure indexer: %v", err)
+				}
 			}
@@
 			if test.createInfraCR {
-				configInformerFactory.Config().V1().Infrastructures().Informer().GetIndexer().Add(infraObj)
+				if err := configInformerFactory.Config().V1().Infrastructures().Informer().GetIndexer().Add(infraObj); err != nil {
+					t.Fatalf("failed to seed infrastructure indexer: %v", err)
+				}
 			}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
configInformerFactory.Config().V1().Infrastructures().Informer().GetIndexer().Add(infraObj)
if test.createInfraCR {
if err := configInformerFactory.Config().V1().Infrastructures().Informer().GetIndexer().Add(infraObj); err != nil {
t.Fatalf("failed to seed infrastructure indexer: %v", err)
}
}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@legacy/gcp-pd-csi-driver-operator/pkg/operator/starter_test.go` at line 123,
The test currently ignores the error returned by
Config().V1().Infrastructures().Informer().GetIndexer().Add(infraObj); update
the test setup to capture that return value (e.g., err := ...Add(infraObj)) and
fail the test on error (use t.Fatalf or require.NoError(t, err)) so seeding
failures cause the test to stop; apply the same change to the other identical
Add(...) call in the test file.

Comment on lines +99 to +106
select {
case <-featureGateAccessor.InitialFeatureGatesObserved():
featureGates, _ = featureGateAccessor.CurrentFeatureGates()
klog.Info("FeatureGates initialized", "knownFeatures", featureGates.KnownFeatures())
case <-time.After(1 * time.Minute):
klog.Error(nil, "timed out waiting for FeatureGate detection")
return fmt.Errorf("timed out waiting for FeatureGate detection")
}
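Review bot: `klog.Info("FeatureGates initialized", "knownFeatures", featureGates.KnownFeatures())` and `klog.Error(nil, "timed out ...")` pass structured-logging arguments to the Sprint-style functions: `klog.Info` concatenates its operands, so the message and the `knownFeatures` key run together in the output, and `klog.Error`'s leading `nil` is simply printed as `<nil>`. The structured forms are `klog.InfoS("FeatureGates initialized", "knownFeatures", ...)` and `klog.ErrorS(err, "timed out ...")`, and with the latter the `nil` argument can be dropped. Separately, the `time.After` timer is never stopped when the observed case wins; harmless at one minute, but worth swapping for `time.NewTimer` with a deferred `Stop` if a `ctx.Done()` case is added here.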

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate and print the relevant file section with line numbers
FILE="legacy/gcp-pd-csi-driver-operator/pkg/operator/starter.go"
if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE"
  exit 1
fi

echo "== File head (for context) =="
sed -n '1,140p' "$FILE" | nl -ba

echo "== FeatureGate init block =="
sed -n '80,140p' "$FILE" | nl -ba

echo "== Search for ctx usage around that block =="
rg -n "featureGateAccessor|InitialFeatureGatesObserved|CurrentFeatureGates|ctx\.Done\(\)|context\.TODO\(\)|time\.After" "$FILE"

echo "== Print around the context.TODO usage (if present) =="
# Show likely neighborhood of Line ~186 referenced in the review comment
sed -n '150,230p' "$FILE" | nl -ba

Repository: openshift/csi-operator

Length of output: 158


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="legacy/gcp-pd-csi-driver-operator/pkg/operator/starter.go"
test -f "$FILE" || { echo "Missing file: $FILE"; exit 1; }

echo "== Tools check =="
command -v rg >/dev/null && echo "rg: ok" || echo "rg: missing"
command -v sed >/dev/null && echo "sed: ok" || echo "sed: missing"
command -v awk >/dev/null && echo "awk: ok" || echo "awk: missing"
command -v cat >/dev/null && echo "cat: ok" || echo "cat: missing"

echo "== FeatureGate init block (numbered) =="
# Show likely block; use cat -n (available on most systems)
sed -n '70,130p' "$FILE" | cat -n

echo "== Search for ctx.Done and context.TODO around the file =="
rg -n "InitialFeatureGatesObserved|CurrentFeatureGates|ctx\.Done\(\)|context\.TODO\(\)|time\.After|timed out waiting for FeatureGate detection" "$FILE" || true

echo "== Context.TODO neighborhood (numbered) =="
# The review referenced ~Line 186; show a wider window
sed -n '160,220p' "$FILE" | cat -n

echo "== Exact lines 90-115 (numbered) =="
sed -n '90,115p' "$FILE" | cat -n

Repository: openshift/csi-operator

Length of output: 7360


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="legacy/gcp-pd-csi-driver-operator/pkg/operator/starter.go"

echo "== Function signature around select block =="
# show a bit earlier to capture the function signature and ctx definition
sed -n '1,120p' "$FILE" | cat -n

echo "== Wider context around context.TODO closure (numbered) =="
sed -n '150,210p' "$FILE" | cat -n

echo "== Identify where ctx comes from =="
rg -n "func \\(.*\\) Run|func .*\\(.*\\)|ctx :=|var ctx|context\\.With|WithCancel|WithTimeout" "$FILE" | head -n 50

Repository: openshift/csi-operator

Length of output: 9140


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="legacy/gcp-pd-csi-driver-operator/pkg/operator/starter.go"

echo "== context.TODO() exact match lines =="
rg -n "context\.TODO\(\)" "$FILE" || true

echo "== Show exact neighborhood around context.TODO() (lines 175-200) =="
sed -n '170,205p' "$FILE" | cat -n

echo "== Search in repo for definition/signature of CurrentFeatureGates() =="
rg -n "CurrentFeatureGates\\(" -S . || true

echo "== Search in go module cache if present (best-effort) =="
if [ -d "$(go env GOPATH 2>/dev/null)/pkg/mod" ]; then
  GOPATH="$(go env GOPATH)"
  rg -n "func .*CurrentFeatureGates\\(" "$GOPATH/pkg/mod" 2>/dev/null | head -n 20 || true
else
  echo "No GOPATH/pkg/mod in sandbox (skipping)."
fi

Repository: openshift/csi-operator

Length of output: 4649


🏁 Script executed:

#!/bin/bash
set -euo pipefail

BASE="legacy/gcp-pd-csi-driver-operator/vendor/github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
FILE1="$BASE/simple_featuregate_reader.go"
FILE2="$BASE/observe_featuregates.go"
FILE3="$BASE/hardcoded_featuregate_reader.go"

echo "== defaultFeatureGateAccess.CurrentFeatureGates (simple_featuregate_reader.go) =="
sed -n '230,330p' "$FILE1" | cat -n

echo "== FeatureGate accessor observers/InitialFeatureGatesObserved (observe_featuregates.go) =="
sed -n '1,140p' "$FILE2" | cat -n

echo "== hardcodedFeatureGateAccess.CurrentFeatureGates (hardcoded_featuregate_reader.go) =="
sed -n '40,120p' "$FILE3" | cat -n

echo "== Call site in starter.go context =="
sed -n '90,120p' legacy/gcp-pd-csi-driver-operator/pkg/operator/starter.go | cat -n

Repository: openshift/csi-operator

Length of output: 11348


Fix FeatureGate init + CRD probe to respect cancellation and errors

  • The startup select waiting for featureGateAccessor.InitialFeatureGatesObserved() has no ctx.Done() case, so shutdown can be delayed up to 1 minute during startup.
  • featureGateAccessor.CurrentFeatureGates()’s error is ignored; in library-go it only errors when initial feature gates haven’t been observed yet—your select should make that unlikely, but it still violates the “never ignore error returns” rule.
  • The CRD existence check uses context.TODO() for the API Get, bypassing cancellation/timeouts.
Suggested fix
 	select {
 	case <-featureGateAccessor.InitialFeatureGatesObserved():
-		featureGates, _ = featureGateAccessor.CurrentFeatureGates()
+		var fgErr error
+		featureGates, fgErr = featureGateAccessor.CurrentFeatureGates()
+		if fgErr != nil {
+			return fmt.Errorf("failed to read initial feature gates: %w", fgErr)
+		}
 		klog.Info("FeatureGates initialized", "knownFeatures", featureGates.KnownFeatures())
+	case <-ctx.Done():
+		return ctx.Err()
 	case <-time.After(1 * time.Minute):
 		klog.Error(nil, "timed out waiting for FeatureGate detection")
 		return fmt.Errorf("timed out waiting for FeatureGate detection")
 	}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@legacy/gcp-pd-csi-driver-operator/pkg/operator/starter.go` around lines 99 -
106, The select waiting on featureGateAccessor.InitialFeatureGatesObserved()
should honor shutdown by adding a ctx.Done() case and should not ignore
CurrentFeatureGates() errors: update the select to include case <-ctx.Done()
that returns ctx.Err(), call featureGateAccessor.CurrentFeatureGates() and
check/return its error instead of discarding it, and replace context.TODO() used
for the CRD existence check with the passed ctx so the API Get call respects
cancellation/timeouts (ensure you propagate any Get errors appropriately).

Source: Coding guidelines

Comment on lines +184 to +187
func() bool {
name := "volumesnapshotclasses.snapshot.storage.k8s.io"
_, err := apiExtClient.ApiextensionsV1().CustomResourceDefinitions().Get(context.TODO(), name, metav1.GetOptions{})
return err == nil


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate occurrences of context.TODO() in the target file
rg -n "context\.TODO\(\)" legacy/gcp-pd-csi-driver-operator/pkg/operator/starter.go

# Print the surrounding code around the referenced lines (approx 160-210)
nl -ba legacy/gcp-pd-csi-driver-operator/pkg/operator/starter.go | sed -n '150,230p'

Repository: openshift/csi-operator

Length of output: 250


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="legacy/gcp-pd-csi-driver-operator/pkg/operator/starter.go"

# Re-print occurrence context without `nl`: read the file in python and prepend line numbers
rg -n "context\.TODO\(\)" "$FILE" || true

python3 - <<'PY'
from pathlib import Path
file = Path("legacy/gcp-pd-csi-driver-operator/pkg/operator/starter.go")
lines = file.read_text().splitlines()
start, end = 150, 210
for i in range(start, min(end, len(lines))):
    print(f"{i+1:4d}\t{lines[i]}")
PY

# Check whether this file already derives timeouts / uses time package and what `ctx` variable is called in scope
rg -n "WithTimeout\\(" "$FILE" || true
rg -n "\\btime\\." "$FILE" || true
rg -n "\\bctx\\b" "$FILE" || true

Repository: openshift/csi-operator

Length of output: 3010


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="legacy/gcp-pd-csi-driver-operator/pkg/operator/starter.go"

python3 - <<'PY'
from pathlib import Path
file = Path("legacy/gcp-pd-csi-driver-operator/pkg/operator/starter.go")
lines = file.read_text().splitlines()
for start,end in [(50,120),(120,210)]:
    print("\n----",start+1,"-",end,"----")
    for i in range(start, min(end, len(lines))):
        print(f"{i+1:4d}\t{lines[i]}")
PY

# sanity check whether `ctx` is defined in this file besides the RunOperator parameter
rg -n "\\bfunc RunOperator\\(ctx context\\.Context" "$FILE" || true
rg -n "^\\s*ctx\\s*[:=]" "$FILE" || true

Repository: openshift/csi-operator

Length of output: 6759


Use ctx (and a timeout) for the CRD existence check instead of context.TODO().

In legacy/gcp-pd-csi-driver-operator/pkg/operator/starter.go (lines 184-188), the CRD lookup uses apiExtClient...Get(context.TODO(), ...), so it won’t respect cancellation from RunOperator(ctx ...) and can hang on slow API responses. Use the provided ctx (optionally bounded with WithTimeout) for the Get.

Suggested fix
 		func() bool {
 			name := "volumesnapshotclasses.snapshot.storage.k8s.io"
-			_, err := apiExtClient.ApiextensionsV1().CustomResourceDefinitions().Get(context.TODO(), name, metav1.GetOptions{})
+			reqCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
+			defer cancel()
+			_, err := apiExtClient.ApiextensionsV1().CustomResourceDefinitions().Get(reqCtx, name, metav1.GetOptions{})
 			return err == nil
 		},
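Review bot: with the new 10-second bound, `return err == nil` now turns a DeadlineExceeded (slow or unreachable API server) into "CRD absent", the same answer as a genuine NotFound, so the snapshot CRD is silently treated as missing exactly when the API is struggling. Suggest separating the two outcomes, e.g. `if apierrors.IsNotFound(err) { return false }` for the real miss and logging or returning any other error rather than folding it into `false`.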
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@legacy/gcp-pd-csi-driver-operator/pkg/operator/starter.go` around lines 184 -
187, The anonymous CRD existence check currently calls
apiExtClient.ApiextensionsV1().CustomResourceDefinitions().Get with
context.TODO(); change it to use the operator's ctx (from RunOperator) so the
call respects cancellation, e.g., create a bounded context using ctxWithTimeout,
cancel := context.WithTimeout(ctx, 10*time.Second); defer cancel(), and pass
ctxWithTimeout to Get; update the anonymous func() and any surrounding code to
accept/close over the existing ctx and remove context.TODO() usage.

Source: Coding guidelines
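Both review findings above, as an added example that is not code from the PR or the operator: the startup select with a ctx.Done() case and propagated read error, and a bounded CRD probe. It reduces the operator's dependencies to the standard library, with a hypothetical `get` callback standing in for the apiextensions client and a constructed `ErrNotFound` standing in for apierrors.IsNotFound, and goes one step past the suggested fix by distinguishing NotFound from timeout or transport errors.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// ErrNotFound stands in for the API server's NotFound answer (apierrors.IsNotFound); constructed here.
var ErrNotFound = errors.New("crd not found")

// WaitForFeatureGates mirrors the startup select, adds the ctx.Done() case and propagates read's error.
func WaitForFeatureGates(ctx context.Context, observed <-chan struct{},
	read func() ([]string, error), timeout time.Duration) ([]string, error) {
	select {
	case <-observed:
		gates, err := read()
		if err != nil {
			return nil, fmt.Errorf("failed to read initial feature gates: %w", err)
		}
		return gates, nil
	case <-ctx.Done(): // shutdown during startup no longer waits out the timer
		return nil, ctx.Err()
	case <-time.After(timeout):
		return nil, errors.New("timed out waiting for FeatureGate detection")
	}
}

// CRDExists bounds the Get with ctx plus a timeout; only NotFound means absent, other errors are surfaced.
func CRDExists(ctx context.Context, get func(context.Context) error, timeout time.Duration) (bool, error) {
	reqCtx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	switch err := get(reqCtx); {
	case err == nil:
		return true, nil
	case errors.Is(err, ErrNotFound):
		return false, nil
	default:
		return false, fmt.Errorf("probing CRD: %w", err)
	}
}

func main() {
	ctx, cancel := context.WithCancel(context.Background())
	cancel() // simulate shutdown before the gates are ever observed
	_, err := WaitForFeatureGates(ctx, make(chan struct{}), nil, time.Minute)
	fmt.Println("startup aborted:", err) // returns at once rather than after a minute
}
```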

@mpatlasov

Contributor Author

/retest-required

@openshift-ci

openshift-ci Bot commented Jun 8, 2026

Contributor

@mpatlasov: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
