USHIFT-6778: rebase-release-4.22-4.22.0-0.nightly-2026-04-01-151631_amd64-2026-04-01_arm64-2026-04-02

[eslutsky]

No description provided.

[openshift-ci-robot]

@eslutsky: This pull request references USHIFT-6778 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Updated Kubernetes from v1.35.2 to v1.35.3, bumped OpenShift nightly release versions across multiple architectures, refreshed container image digests in release manifests and kustomization files, and applied upstream Kubernetes dependency updates including feature gate and controller logic adjustments.

Changes

Cohort / File(s)	Summary
Kubernetes Patch Version Bump Makefile.kube_git.var, deps/.../Dockerfile.rhel, go.mod, etcd/go.mod	Upgraded Kubernetes from v1.35.2 to v1.35.3 with updated commit hashes and module versions across build configuration and Go dependencies.
OpenShift Nightly Release Updates Makefile.version.*.var, assets/release/release-*.json, assets/optional/operator-lifecycle-manager/release-olm-*.json, assets/components/multus/release-multus-*.json, scripts/auto-rebase/last_rebase.sh	Advanced OpenShift nightly build identifiers from 2026-03-29/31 to 2026-04-01/02 dates across x86_64 and aarch64 architectures.
Container Image Digests assets/components/multus/kustomization.aarch64.yaml, assets/optional/operator-lifecycle-manager/kustomization.*.yaml, packaging/crio.conf.d/*.conf	Updated sha256 digests for multus-cni, container networking plugins, OLM components, and pod pause image references across all target architectures.
Kubernetes Upstream Logic Changes deps/.../build/common.sh, deps/.../build/dependencies.yaml, deps/.../cmd/kubeadm/.../unmount_linux.go, deps/.../cmd/kubeadm/.../etcd.go, deps/.../pkg/controller/devicetainteviction/*.go, deps/.../pkg/features/kube_features.go	Enhanced error handling for unmount failures, updated etcd learner member endpoint logic, refactored device taint eviction scheduling and status updates, toggled MaxUnavailableStatefulSet feature gate default to false.
Fake Clientset Documentation Updates deps/.../staging/src/k8s.io/*/fake/clientset_generated.go, deps/.../staging/src/k8s.io/code-generator/.../*.go	Removed deprecation notices from NewSimpleClientset and enhanced NewClientset documentation to clarify field-tracking and server-side apply support across generated fake clientsets.
Test and Integration Updates deps/.../test/e2e/node/pods.go, deps/.../test/integration/dra/binding_conditions_test.go, deps/.../staging/src/k8s.io/apiextensions-apiserver/test/integration/finalization_test.go, deps/.../pkg/controller/devicetainteviction/device_taint_eviction_test.go	Updated test image references, adjusted scheduler startup timing, added CRD terminating condition waits, and refactored device taint eviction test expectations to account for new status update scheduling behavior.
Auto-rebase and Build Configuration scripts/auto-rebase/assets.yaml, scripts/auto-rebase/changelog.txt, scripts/auto-rebase/commits.txt	Updated service-ca asset path, refreshed embedded component and image commit pinnings for multiple OpenShift components, and revised changelog entries reflecting new upstream versions.
Kubernetes Release Metadata deps/.../CHANGELOG/CHANGELOG-1.35.md, deps/.../openshift-hack/cmd/k8s-tests-ext/provider.go, deps/.../test/compatibility_lifecycle/reference/versioned_feature_list.yaml	Added v1.35.2 release documentation, registered OpenShift cloud providers in test framework, and reflected feature gate default changes in compatibility reference.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

level=error msg="Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: err: exit status 1: stderr: go: inconsistent vendoring in :\n\tgithub.com/apparentlymart/go-cidr@v1.1.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/coreos/go-systemd@v0.0.0-20190321100706-95778dfbb74e: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/google/go-cmp@v0.7.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/miekg/dns@v1.1.63: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/openshift/api@v0.0.0-20260309155933-45fd88d185dd: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/openshift/build-machinery-go@v0.0.0-20251023084048-5d77c1a5e5af: is explicitly required in go.mod, but not marked as explicit

... [truncated 29518 characters] ...

belet: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/metrics: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/mount-utils: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/pod-security-admission: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/sample-apiserver: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/sample-cli-plugin: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/sample-controller: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\n\tTo ignore the vendor directory, use -mod=readonly or -mod=mod.\n\tTo sync the vendor directory, run:\n\t\tgo mod vendor\n"

🔧 Trivy (0.69.3)

Trivy execution failed: Unknown error

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

deps/github.com/openshift/kubernetes/pkg/controller/devicetainteviction/device_taint_eviction.go (1)

1285-1307: ⚠️ Potential issue | 🟠 Major

Multiple workers can race on status update timing.

Queueing the rule-status item before handlePods doesn't guarantee it executes first when Run uses more than one worker. After the mutex releases, concurrent workers can dequeue items in any order, so the "status before pods" behavior is not deterministic. The test forces Run(..., 1) specifically to avoid this race, as documented in the test comment.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@deps/github.com/openshift/kubernetes/pkg/controller/devicetainteviction/device_taint_eviction.go`
around lines 1285 - 1307, The current approach enqueues a status-update work
item (workqueue.Add(workItemForRule(newRule))) expecting it to run before
pod-eviction handling, but multiple workers (Run with >1) can dequeue in any
order and race with handlePods; to fix, perform the immediate status update
synchronously instead of relying on the queue: call the controller's status sync
path directly while still holding the relevant mutex (e.g., invoke the rule
status update helper used by workers or a new tc.syncRuleStatus(tc, newRule)
function) before releasing the lock and before adding the eviction work item,
then keep the workqueue.Add(workItemForRule(newRule)) only for subsequent async
processing; this ensures status is updated deterministically prior to handlePods
regardless of Run worker count and avoids relying on workqueue ordering.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/etcd/etcd.go`:
- Around line 536-539: After promoting a learner to a voting member (flow
involving AddMemberAsLearner -> MemberPromote), the client’s cached endpoints
(c.Endpoints) are not refreshed so WaitForClusterAvailable can skip the new
member; call c.Sync() immediately after MemberPromote completes to refresh
endpoints before any availability/health checks (e.g., before invoking
WaitForClusterAvailable), and handle/log any Sync() error so the join sequence
fails fast if endpoint refresh fails.

In
`@deps/github.com/openshift/kubernetes/pkg/controller/devicetainteviction/device_taint_eviction.go`:
- Around line 1493-1498: The debounce loop scheduling a delayed status update
can miss the initial transition to EvictionInProgress=True; change the logic in
the eviction.reason loop (where workqueue.AddAfter(workItemForRule(reason.rule),
ruleStatusPeriod) is called) to trigger an immediate status update via
maybeUpdateRuleStatus for the rule when countPendingPods for that rule is > 0
(i.e., first pending pod) and the rule's status is not already
EvictionInProgress, then still schedule the delayed workItemForRule(reason.rule)
for subsequent updates; use the existing functions maybeUpdateRuleStatus,
countPendingPods and workItemForRule to detect and perform the immediate update
before adding the delayed work.

---

Outside diff comments:
In
`@deps/github.com/openshift/kubernetes/pkg/controller/devicetainteviction/device_taint_eviction.go`:
- Around line 1285-1307: The current approach enqueues a status-update work item
(workqueue.Add(workItemForRule(newRule))) expecting it to run before
pod-eviction handling, but multiple workers (Run with >1) can dequeue in any
order and race with handlePods; to fix, perform the immediate status update
synchronously instead of relying on the queue: call the controller's status sync
path directly while still holding the relevant mutex (e.g., invoke the rule
status update helper used by workers or a new tc.syncRuleStatus(tc, newRule)
function) before releasing the lock and before adding the eviction work item,
then keep the workqueue.Add(workItemForRule(newRule)) only for subsequent async
processing; this ensures status is updated deterministically prior to handlePods
regardless of Run worker count and avoids relying on workqueue ordering.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 75dc4b3c-c996-41e9-9827-89d3b7eee4af

📥 Commits

Reviewing files that changed from the base of the PR and between 397b4c9 and b100fd3.

⛔ Files ignored due to path filters (21)

• deps/github.com/openshift/kubernetes/staging/src/k8s.io/sample-apiserver/pkg/generated/clientset/versioned/fake/clientset_generated.go is excluded by !**/generated/**
• deps/github.com/openshift/kubernetes/staging/src/k8s.io/sample-controller/pkg/generated/clientset/versioned/fake/clientset_generated.go is excluded by !**/generated/**
• etcd/go.sum is excluded by !**/*.sum
• etcd/vendor/github.com/openshift/api/config/v1/types.go is excluded by !**/vendor/**
• etcd/vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !**/vendor/**
• etcd/vendor/github.com/openshift/api/config/v1/types_dns.go is excluded by !**/vendor/**
• etcd/vendor/github.com/openshift/api/config/v1/types_infrastructure.go is excluded by !**/vendor/**
• etcd/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**
• etcd/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**
• etcd/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**
• etcd/vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go is excluded by !**/vendor/**
• etcd/vendor/github.com/openshift/api/operator/v1/types_ingress.go is excluded by !**/vendor/**
• etcd/vendor/github.com/openshift/api/operator/v1/types_network.go is excluded by !**/vendor/**
• etcd/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**
• etcd/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**
• etcd/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**
• etcd/vendor/modules.txt is excluded by !**/vendor/**
• vendor/k8s.io/client-go/kubernetes/fake/clientset_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/kubernetes/pkg/controller/devicetainteviction/device_taint_eviction.go is excluded by !vendor/**, !**/vendor/**
• vendor/k8s.io/kubernetes/pkg/features/kube_features.go is excluded by !vendor/**, !**/vendor/**
• vendor/modules.txt is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (45)

• Makefile.kube_git.var
• Makefile.version.aarch64.var
• Makefile.version.x86_64.var
• assets/components/multus/kustomization.aarch64.yaml
• assets/components/multus/release-multus-aarch64.json
• assets/components/multus/release-multus-x86_64.json
• assets/optional/operator-lifecycle-manager/kustomization.aarch64.yaml
• assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml
• assets/optional/operator-lifecycle-manager/release-olm-aarch64.json
• assets/optional/operator-lifecycle-manager/release-olm-x86_64.json
• assets/release/release-aarch64.json
• assets/release/release-x86_64.json
• deps/github.com/openshift/kubernetes/CHANGELOG/CHANGELOG-1.35.md
• deps/github.com/openshift/kubernetes/build/common.sh
• deps/github.com/openshift/kubernetes/build/dependencies.yaml
• deps/github.com/openshift/kubernetes/cmd/kubeadm/app/cmd/phases/reset/unmount_linux.go
• deps/github.com/openshift/kubernetes/cmd/kubeadm/app/util/etcd/etcd.go
• deps/github.com/openshift/kubernetes/openshift-hack/cmd/k8s-tests-ext/provider.go
• deps/github.com/openshift/kubernetes/openshift-hack/images/hyperkube/Dockerfile.rhel
• deps/github.com/openshift/kubernetes/pkg/controller/devicetainteviction/device_taint_eviction.go
• deps/github.com/openshift/kubernetes/pkg/controller/devicetainteviction/device_taint_eviction_test.go
• deps/github.com/openshift/kubernetes/pkg/features/kube_features.go
• deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/clientset/versioned/fake/clientset_generated.go
• deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/fake/clientset_generated.go
• deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiextensions-apiserver/test/integration/finalization_test.go
• deps/github.com/openshift/kubernetes/staging/src/k8s.io/client-go/kubernetes/fake/clientset_generated.go
• deps/github.com/openshift/kubernetes/staging/src/k8s.io/code-generator/cmd/client-gen/generators/fake/generator_fake_for_clientset.go
• deps/github.com/openshift/kubernetes/staging/src/k8s.io/code-generator/examples/HyphenGroup/clientset/versioned/fake/clientset_generated.go
• deps/github.com/openshift/kubernetes/staging/src/k8s.io/code-generator/examples/MixedCase/clientset/versioned/fake/clientset_generated.go
• deps/github.com/openshift/kubernetes/staging/src/k8s.io/code-generator/examples/apiserver/clientset/versioned/fake/clientset_generated.go
• deps/github.com/openshift/kubernetes/staging/src/k8s.io/code-generator/examples/crd/clientset/versioned/fake/clientset_generated.go
• deps/github.com/openshift/kubernetes/staging/src/k8s.io/code-generator/examples/single/clientset/versioned/fake/clientset_generated.go
• deps/github.com/openshift/kubernetes/staging/src/k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/fake/clientset_generated.go
• deps/github.com/openshift/kubernetes/staging/src/k8s.io/metrics/pkg/client/clientset/versioned/fake/clientset_generated.go
• deps/github.com/openshift/kubernetes/test/compatibility_lifecycle/reference/versioned_feature_list.yaml
• deps/github.com/openshift/kubernetes/test/e2e/node/pods.go
• deps/github.com/openshift/kubernetes/test/integration/dra/binding_conditions_test.go
• etcd/go.mod
• go.mod
• packaging/crio.conf.d/10-microshift_amd64.conf
• packaging/crio.conf.d/10-microshift_arm64.conf
• scripts/auto-rebase/assets.yaml
• scripts/auto-rebase/changelog.txt
• scripts/auto-rebase/commits.txt
• scripts/auto-rebase/last_rebase.sh

💤 Files with no reviewable changes (4)

• deps/github.com/openshift/kubernetes/staging/src/k8s.io/metrics/pkg/client/clientset/versioned/fake/clientset_generated.go
• deps/github.com/openshift/kubernetes/build/dependencies.yaml
• deps/github.com/openshift/kubernetes/staging/src/k8s.io/code-generator/examples/apiserver/clientset/versioned/fake/clientset_generated.go
• deps/github.com/openshift/kubernetes/staging/src/k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/fake/clientset_generated.go

[eslutsky]

/retest-required

[openshift-ci]

@eslutsky: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[ggiguash]

/lgtm
/verified by ci

[openshift-ci-robot]

@ggiguash: This PR has been marked as verified by ci.

Details

In response to this:

/lgtm
/verified by ci

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: eslutsky, ggiguash

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [eslutsky,ggiguash]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment