CORENET-6886: downstream sync to kube 1.35 and go to 1.25 by yingwang-0320 · Pull Request #281 · openshift/multus-cni

yingwang-0320 · 2026-03-20T06:09:21Z

make build & make test
e2e test passed locally.

openshift-ci-robot · 2026-03-20T06:09:25Z

@yingwang-0320: This pull request references CORENET-6886 which is a valid jira issue.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai · 2026-03-20T06:09:36Z

Walkthrough

Bumps Go toolchain and images to 1.25, updates CI/trivy, upgrades go.mod dependencies, adds exported device-ID sorting (with callers/tests updated), refactors per-node kubeconfig/cert validation and CSR retry/error paths, treats STATUS/GC as plugin-level commands, and seeds informer stores in tests instead of waiting for cache sync.

Changes

Cohort / File(s)	Summary
CI Workflows & Scanning `/.github/workflows/build.yml`, `/.github/workflows/release.yml`, `/.github/workflows/test.yml`, `/.github/workflows/image-build.yml`	Updated Go matrix/toolchain from `1.24.x` → `1.25.x`; test job preserves PATH when sudo-ing; Trivy action bumped to `aquasecurity/trivy-action@0.35.0`.
Go module & deps `go.mod`	Raised `go` directive to `1.25.x` and bumped numerous direct/indirect dependencies (testing, Prometheus, k8s.io/, golang.org/x/, grpc/protobuf, etc.).
Container images & Dockerfiles `images/Dockerfile`, `images/Dockerfile.debug`, `images/Dockerfile.thick`, `Dockerfile.microshift`, `Dockerfile.openshift`	Switched build-stage base images from `golang:1.24` → `golang:1.25` and updated OpenShift/MicroShift builder/runtime tags; other Dockerfile logic unchanged.
CI operator config `.ci-operator.yaml`	Updated `build_root_image.tag` to `rhel-9-release-golang-1.25-openshift-4.22`.
Device ID sorting (types, callers, tests) `pkg/types/types.go`, `pkg/checkpoint/checkpoint.go`, `pkg/kubeletclient/kubeletclient.go`, `pkg/checkpoint/checkpoint_test.go`	Added exported `SortDeviceIDs(resourceMap map[string]*ResourceInfo)` to lexicographically sort `DeviceIDs`; `GetPodResourceMap` callers invoke it; tests adjusted to expect sorted order.
Kubeconfig & per-node cert handling `pkg/k8sclient/kubeconfig.go`	Refactored per-node kubeconfig creation to copy bootstrap config and clear bootstrap auth fields; replaced pod-list validation with `Discovery().ServerVersion()` for per-node cert validation; improved error propagation and CSR retry/reload logic when CA is unknown.
Kubelet/checkpoint callers `pkg/checkpoint/checkpoint.go`, `pkg/kubeletclient/kubeletclient.go`	Callers now invoke `types.SortDeviceIDs(...)` before returning resource maps to ensure deterministic device ordering.
CNI server: STATUS/GC handling & tests `pkg/server/server.go`, `pkg/server/thick_cni_test.go`	Treat `STATUS` and `GC` as plugin-level commands: skip deriving pod-scoped k8s args, allow nil `*types.K8sArgs`, and bypass required env var extraction; added tests validating STATUS/GC succeed without pod-scoped env vars.
Multus behavior & informer tests `pkg/multus/multus.go`, `pkg/multus/multus_cni100_test.go`	`conflistStatus` now returns early for CNI versions <1.1.0; informer tests removed WaitForCacheSync and explicitly seed informer stores via `GetStore().Add()` (delayed-add flows updated to seed both fake client and informer store).

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/test.yml:
- Line 32: Replace the use of sudo -E which preserves the full environment;
instead preserve only PATH when invoking the script (e.g., call sudo env
"PATH=$PATH" ./hack/test-go.sh or use sudo --preserve-env=PATH
./hack/test-go.sh) so that the run step that executes hack/test-go.sh does not
forward all env vars to root.

In `@go.mod`:
- Line 18: The grpc dependency version in go.mod (google.golang.org/grpc
v1.73.0) is vulnerable; update the module to at least v1.79.3 by changing the
version entry for google.golang.org/grpc to v1.79.3 (or later) and then run
module tooling to resolve transitive changes (e.g., update with go commands and
run go mod tidy) so the project builds against the fixed gRPC release and
removes the vulnerable version from the dependency graph.

In `@pkg/k8sclient/kubeconfig.go`:
- Around line 116-118: The code currently logs non-x509 errors from
ServerVersion() but leaves cfg pointing at the invalid per-node config so
kubernetes.NewForConfig(cfg) will use a bad config; update the control flow in
the ServerVersion() handling (the block that calls ServerVersion() and logs via
logging.Errorf) to either return the error immediately or explicitly fall back
to the bootstrap config by reassigning cfg to the bootstrap credentials before
continuing; locate the ServerVersion() call and the subsequent
kubernetes.NewForConfig(cfg) usage and ensure that on any non-x509 error you do
one of those two actions so kubernetes.NewForConfig never receives the known-bad
per-node cfg.

In `@pkg/kubeletclient/kubeletclient.go`:
- Around line 146-147: The sort mutates cached kubelet state because
types.SortDeviceIDs(resourceMap) operates on slices that alias rc.resources
entries via dev.DeviceIds; to fix, when building resourceMap inside
GetPodResourceMap, deep-copy each dev.DeviceIds slice into a new slice (e.g.,
append a nil slice or make+copy) before assigning into resourceMap so in-place
sorting of resourceMap cannot change rc.resources or race with concurrent calls;
update the code paths that insert dev.DeviceIds into resourceMap to use the
copied slice and keep the rest unchanged.

In `@pkg/types/types.go`:
- Around line 184-188: The loop in SortDeviceIDs dereferences rInfo without
checking for nil, which can panic for nil map values; update the loop in
SortDeviceIDs to first check if rInfo == nil and continue if so, then retain the
existing check for rInfo.DeviceIDs != nil before calling sort.Strings on
ResourceInfo.DeviceIDs so nil entries are safely skipped.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 922e9b3a-7b67-4e89-add8-b87e1a2ac467

📥 Commits

Reviewing files that changed from the base of the PR and between 0d343fe and 4cd6c4c.

⛔ Files ignored due to path filters (286)

go.sum is excluded by !**/*.sum
vendor/github.com/gogo/protobuf/AUTHORS is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/CONTRIBUTORS is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/Makefile is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/clone.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/custom_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/decode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/deprecated.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/discard.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/duration.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/duration_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/encode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/encode_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/equal.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/extensions.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/extensions_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/lib.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/lib_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/message_set.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/pointer_reflect.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/pointer_reflect_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/pointer_unsafe.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/pointer_unsafe_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/properties.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/properties_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/skip_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/table_marshal.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/table_marshal_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/table_merge.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/table_unmarshal.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/table_unmarshal_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/text.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/text_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/text_parser.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/timestamp.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/timestamp_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/wrappers.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/wrappers_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/sortkeys/sortkeys.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/README.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/core_dsl.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/decorator_dsl.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/README.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/automaxprocs.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroup.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroups.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroups2.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cpu_quota_linux.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cpu_quota_unsupported.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/errors.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/mountpoint.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/runtime.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/subsys.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/profiles_and_reports.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/run.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/main.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo_t_dsl.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/group.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/node.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/ordering.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson_event_writer.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson_reporter.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/suite.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/reporters/gojson_report.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/reporting_dsl.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/table_dsl.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/types/config.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/types/types.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/types/version.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/gomega_dsl.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/pkg/errors/.gitignore is excluded by !vendor/**, !**/vendor/**
vendor/github.com/pkg/errors/.travis.yml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/pkg/errors/LICENSE is excluded by !vendor/**, !**/vendor/**
vendor/github.com/pkg/errors/Makefile is excluded by !vendor/**, !**/vendor/**
vendor/github.com/pkg/errors/README.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/pkg/errors/appveyor.yml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/pkg/errors/errors.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/pkg/errors/go113.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/pkg/errors/stack.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/client_golang/prometheus/desc.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/client_golang/prometheus/internal/difflib.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/client_golang/prometheus/internal/go_runtime_metrics.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/client_golang/prometheus/labels.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/client_golang/prometheus/metric.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/client_golang/prometheus/process_collector_darwin.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/client_golang/prometheus/process_collector_mem_nocgo_darwin.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/client_golang/prometheus/process_collector_procfsenabled.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/client_golang/prometheus/vec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/client_golang/prometheus/wrap.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/expfmt/decode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/expfmt/encode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/expfmt/expfmt.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/expfmt/fuzz.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/expfmt/openmetrics_create.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/expfmt/text_create.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/expfmt/text_parse.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/model/alert.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/model/labels.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/model/labelset.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/model/metric.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/model/time.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/model/value.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/model/value_histogram.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/model/value_type.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/.golangci.yml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/Makefile.common is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/README.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/arp.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/fs.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/fs_statfs_notype.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/fscache.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/internal/fs/fs.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/internal/util/parse.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/internal/util/sysreadfile.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/mountstats.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/net_dev_snmp6.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/net_ip_socket.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/net_protocols.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/net_tcp.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/net_unix.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/proc.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/proc_cgroup.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/proc_io.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/proc_netstat.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/proc_smaps.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/proc_snmp.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/proc_snmp6.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/proc_status.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/proc_sys.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/softirqs.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/spf13/pflag/README.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/spf13/pflag/bool_func.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/spf13/pflag/count.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/spf13/pflag/errors.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/spf13/pflag/flag.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/spf13/pflag/func.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/spf13/pflag/golangflag.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/spf13/pflag/ipnet_slice.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/spf13/pflag/string_to_string.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/spf13/pflag/text.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/spf13/pflag/time.go is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/.codecov.yml is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/.gitignore is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/CODE_OF_CONDUCT.md is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/LICENSE is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/Makefile is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/README.md is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/automaxprocs.go is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/internal/cgroups/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/maxprocs/maxprocs.go is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/maxprocs/version.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/mod/LICENSE is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/mod/PATENTS is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/mod/semver/semver.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/context/context.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/html/escape.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/html/parse.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/html/render.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/config.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/config_go124.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/config_go125.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/config_go126.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/config_pre_go124.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/frame.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/gotrack.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/http2.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/server.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/timer.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/transport.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/writesched.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/writesched_roundrobin.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/internal/httpcommon/request.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/oauth2/internal/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/oauth2/internal/oauth2.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/oauth2/internal/token.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/oauth2/internal/transport.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/oauth2/oauth2.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/oauth2/pkce.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/oauth2/token.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/oauth2/transport.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sync/LICENSE is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sync/PATENTS is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sync/errgroup/errgroup.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/plan9/pwd_go15_plan9.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/plan9/pwd_plan9.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/affinity_linux.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/fdset.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/ifreq_linux.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/mkall.sh is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/syscall_linux.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/syscall_netbsd.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/syscall_solaris.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/zsyscall_linux.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/windows/types_windows.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/term/terminal.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/text/unicode/bidi/core.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/gcexportdata/gcexportdata.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/gcexportdata/importer.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/packages/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/packages/external.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/packages/golist.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/packages/golist_overlay.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/packages/loadmode_string.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/packages/packages.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/packages/visit.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/types/typeutil/callee.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/types/typeutil/imports.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/types/typeutil/map.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/types/typeutil/methodsetcache.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/types/typeutil/ui.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/aliases/aliases.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/aliases/aliases_go122.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/event/core/event.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/event/core/export.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/event/core/fast.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/event/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/event/event.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/event/keys/keys.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/event/keys/standard.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/event/keys/util.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/event/label/label.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gcimporter/bimport.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gcimporter/exportdata.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gcimporter/gcimporter.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gcimporter/predeclared.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gcimporter/support.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gcimporter/ureader_yes.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gocommand/invoke.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gocommand/invoke_notunix.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gocommand/invoke_unix.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gocommand/vendor.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gocommand/version.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/packagesinternal/packages.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/pkgbits/codes.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/pkgbits/decoder.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/pkgbits/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/pkgbits/encoder.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/pkgbits/flags.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/pkgbits/reloc.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/pkgbits/support.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/pkgbits/sync.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/pkgbits/syncmarker_string.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/pkgbits/version.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/stdlib/deps.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/stdlib/import.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/stdlib/manifest.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/stdlib/stdlib.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typeparams/common.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typeparams/coretype.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typeparams/free.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typeparams/normalize.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typeparams/termlist.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typeparams/typeterm.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typesinternal/classify_call.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typesinternal/element.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typesinternal/errorcode.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typesinternal/errorcode_string.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typesinternal/fx.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typesinternal/isnamed.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typesinternal/qualifier.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typesinternal/recv.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typesinternal/toonew.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typesinternal/types.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typesinternal/varkind.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typesinternal/zerovalue.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/versions/features.go is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (14)

.github/workflows/build.yml
.github/workflows/image-build.yml
.github/workflows/release.yml
.github/workflows/test.yml
go.mod
images/Dockerfile
images/Dockerfile.debug
images/Dockerfile.thick
pkg/checkpoint/checkpoint.go
pkg/checkpoint/checkpoint_test.go
pkg/k8sclient/kubeconfig.go
pkg/kubeletclient/kubeletclient.go
pkg/multus/multus_cni100_test.go
pkg/types/types.go

.github/workflows/test.yml

go.mod

pkg/k8sclient/kubeconfig.go

coderabbitai · 2026-03-20T06:14:50Z

pkg/kubeletclient/kubeletclient.go

+	types.SortDeviceIDs(resourceMap)
 	return resourceMap, nil


⚠️ Potential issue | 🟠 Major

In-place sort mutates cached kubelet data due slice aliasing.

At Line 146, sorting resourceMap mutates rc.resources entries because new map entries reuse dev.DeviceIds slices (Line 155). That creates hidden state mutation and potential races on concurrent GetPodResourceMap calls.

Proposed fix (copy slice when inserting)

func (rc *kubeletClient) getDevicePluginResources(devices []*podresourcesapi.ContainerDevices, resourceMap map[string]*types.ResourceInfo) { for _, dev := range devices { if rInfo, ok := resourceMap[dev.ResourceName]; ok { rInfo.DeviceIDs = append(rInfo.DeviceIDs, dev.DeviceIds...) } else { - resourceMap[dev.ResourceName] = &types.ResourceInfo{DeviceIDs: dev.DeviceIds} + resourceMap[dev.ResourceName] = &types.ResourceInfo{ + DeviceIDs: append([]string(nil), dev.DeviceIds...), + } } } }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@pkg/kubeletclient/kubeletclient.go` around lines 146 - 147, The sort mutates cached kubelet state because types.SortDeviceIDs(resourceMap) operates on slices that alias rc.resources entries via dev.DeviceIds; to fix, when building resourceMap inside GetPodResourceMap, deep-copy each dev.DeviceIds slice into a new slice (e.g., append a nil slice or make+copy) before assigning into resourceMap so in-place sorting of resourceMap cannot change rc.resources or race with concurrent calls; update the code paths that insert dev.DeviceIds into resourceMap to use the copied slice and keep the rest unchanged.

Hi @bpickard22 , for this comment, do you think we need modify like AI suggested or not.

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

sorting is idempotent, I will make an issue to track that we should fix this, but that can happen upstream. This is fine to merge as is

pkg/types/types.go

The trivy-action@0.29.0 was trying to install Trivy v0.57.1 which no longer exists in the GitHub releases. This was causing all PR builds to fail on the "Image thick plugin" job. Update to v0.35.0 which properly installs the latest Trivy version. Assisted by Claude Sonnet 4.5 Signed-off-by: Benjamin Pickard <bpickard@redhat.com>

When a namespace uses a primary User-Defined Network (UDN) with a device-plugin resource (e.g. SR-IOV), OVN-Kubernetes uses the last device in the list for the primary interface while Multus assigns earlier devices to cluster-default/secondary interfaces. The kubelet and checkpoint paths build the list from map iteration, so order was non-deterministic and the "last" device could differ between callers. Sorting ensures both Multus and OVN-K8s see the same order so the last device is consistently the one reserved for the primary UDN. Signed-off-by: Yun Zhou <yunz@nvidia.com>

Signed-off-by: Ying Wang <yingwang@rehat.com>

…00_test.go Signed-off-by: Ying Wang <yingwang@rehat.com>

Signed-off-by: Ying Wang <yingwang@rehat.com>

…ation Listing all pods across all namespaces during bootstrap is expensive in large clusters and unnecessary since the result is discarded. Use the lightweight /version endpoint to validate connectivity instead. Signed-off-by: Peng Liu <pliu@redhat.com>

Validate the per-node kubeconfig when a current certificate is available and fall back to the bootstrap kubeconfig only when the per-node config is no longer trusted. Also rebuild the derived per-node rest.Config from the reloaded bootstrap config so TLS settings are preserved and refreshed consistently. Signed-off-by: Peng Liu <pliu@redhat.com>

Signed-off-by: Ying Wang <yingwang@rehat.com>

yingwang-0320 · 2026-03-20T12:31:39Z

/retest

yingwang-0320 · 2026-03-23T08:30:27Z

/verified by pre-merge testing

openshift-ci-robot · 2026-03-23T08:30:42Z

@yingwang-0320: This PR has been marked as verified by pre-merge testing.

Details

In response to this:

/verified by pre-merge testing

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2026-03-23T14:50:32Z

@yingwang-0320: This pull request references CORENET-6886 which is a valid jira issue.

Details

In response to this:

make build & make test
e2e test passed locally.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

yingwang-0320 · 2026-03-23T14:56:01Z

@bpickard22 could you please help review?

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

coderabbitai

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Dockerfile.openshift (1)
26-29: ⚠️ Potential issue | 🔴 Critical

Build will fail: rhel10 stage no longer exists.

The rhel10 builder stage was removed, but line 29 still references COPY --from=rhel10. This will cause the Docker build to fail with an error like invalid from flag value rhel10: no such stage.

Line 26 also creates a directory that will never be populated.
🐛 Proposed fix: Remove rhel10 references
-       mkdir -p /usr/src/multus-cni/rhel10/bin && \
        mkdir -p /usr/src/multus-cni/rhel9/bin && \
        mkdir -p /usr/src/multus-cni/rhel8/bin
-COPY --from=rhel10 /usr/src/multus-cni/bin /usr/src/multus-cni/rhel10/bin
 COPY --from=rhel9 /usr/src/multus-cni/bin /usr/src/multus-cni/rhel9/bin
 COPY --from=rhel8 /usr/src/multus-cni/bin /usr/src/multus-cni/rhel8/bin
Also verify that the runtime binary selection logic on line 33-34 handles the absence of rhel10 correctly (it should, since it uses VERSION_ID from the base image).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile.openshift` around lines 26 - 29, The Dockerfile references a
non-existent builder stage "rhel10" (the COPY --from=rhel10 and mkdir for
/usr/src/multus-cni/rhel10/bin), causing builds to fail; remove the rhel10 mkdir
and the COPY --from=rhel10 entry and update any related filesystem setup to only
create/populate rhel9 and rhel8 directories, then verify the runtime binary
selection logic (the code that picks binaries based on VERSION_ID from the base
image) correctly handles the absence of rhel10 so no further changes are needed.

♻️ Duplicate comments (3)

go.mod (1)

18-18: ⚠️ Potential issue | 🔴 Critical

Upgrade google.golang.org/grpc to a patched version (>= v1.79.3).

Line 18 still pins google.golang.org/grpc v1.73.0, which is in the vulnerable range for GHSA-p77j-4mvh-x3m3 (authz bypass). Please bump to at least v1.79.3 and refresh module resolution (go mod tidy) so the vulnerable version is removed from the graph.

#!/bin/bash
set -euo pipefail

echo "== Current grpc version in go.mod =="
rg -nP '^\s*google\.golang\.org/grpc\s+v' go.mod

echo
echo "== OSV check for google.golang.org/grpc v1.73.0 =="
cat <<'JSON' > /tmp/osv-query.json
{
  "package": { "name": "google.golang.org/grpc", "ecosystem": "Go" },
  "version": "1.73.0"
}
JSON
curl -sS https://api.osv.dev/v1/query -H 'Content-Type: application/json' --data `@/tmp/osv-query.json`

echo
echo "== Expected result =="
echo "- OSV response contains GHSA-p77j-4mvh-x3m3 for v1.73.0"
echo "- go.mod should be updated to grpc >= v1.79.3"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 18, Update the pinned dependency for google.golang.org/grpc
in go.mod from v1.73.0 to at least v1.79.3 to address GHSA-p77j-4mvh-x3m3, then
run module resolution (go mod tidy) to refresh the dependency graph and update
go.sum; ensure the line containing "google.golang.org/grpc" now shows v1.79.3 or
newer and verify with a local OSV or go list check that v1.73.0 is no longer
present.

pkg/types/types.go (1)

185-187: ⚠️ Potential issue | 🔴 Critical

Guard nil *ResourceInfo entries before dereferencing.

Line 186 dereferences rInfo without a nil check; a nil map value will panic at runtime.

Proposed fix

 func SortDeviceIDs(resourceMap map[string]*ResourceInfo) {
 	for _, rInfo := range resourceMap {
+		if rInfo == nil {
+			continue
+		}
 		if rInfo.DeviceIDs != nil {
 			sort.Strings(rInfo.DeviceIDs)
 		}
 	}
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/types/types.go` around lines 185 - 187, The loop over resourceMap
dereferences rInfo (a *ResourceInfo) without checking for nil which can panic;
update the loop that iterates resourceMap to first guard that rInfo != nil
(e.g., continue when rInfo is nil) before accessing rInfo.DeviceIDs and then
sort.Strings(rInfo.DeviceIDs) only when rInfo and rInfo.DeviceIDs are non-nil to
avoid runtime panics.

pkg/k8sclient/kubeconfig.go (1)

100-118: ⚠️ Potential issue | 🟠 Major

Don't continue after per-node validation fails.

At Line 100 cfg is switched to the per-node config. If ServerVersion() fails with anything other than the specific unknown-authority case, Lines 116-118 only log and Line 121 still builds a client from that same config. That keeps CSR renewal on a kubeconfig we've already proven unusable, and this function can later return a ClientInfo built from the same stale per-node config.

Either return the validation error here or explicitly reset cfg to bootstrapKubeconfig before continuing.

🐛 Minimal fix

 			_, err = tempClient.Discovery().ServerVersion()
 			if err != nil {
 				if strings.Contains(err.Error(), "x509: certificate signed by unknown authority") {
 					logging.Verbosef("cert mgr gets invalid per-node config. rebuild from bootstrap kubeconfig")
 					newBootstrapKubeconfig, reloadErr := clientcmd.BuildConfigFromFlags("", bootstrapKubeconfigFile)
 					if reloadErr != nil {
 						return nil, logging.Errorf("failed to reload bootstrap kubeconfig: %v", reloadErr)
 					}
 					bootstrapKubeconfig = newBootstrapKubeconfig
 					config = getPerNodeKubeconfig(bootstrapKubeconfig, certDir)
 					cfg = bootstrapKubeconfig
 				} else {
-					logging.Errorf("failed to validate per-node kubeconfig: %v", err)
+					return nil, logging.Errorf("failed to validate per-node kubeconfig: %v", err)
 				}
 			}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/k8sclient/kubeconfig.go` around lines 100 - 118, The per-node kubeconfig
validation currently logs non-unknown-authority errors but continues using the
invalid cfg; update the error path in the block that checks
tempClient.Discovery().ServerVersion() so that when err is non-nil and not the
"x509: certificate signed by unknown authority" case you return the validation
error immediately (use logging.Errorf with the err) instead of just logging, or
alternatively reset cfg back to bootstrapKubeconfig (and recompute
config/getPerNodeKubeconfig as needed) before proceeding; make this change
around the tempClient, ServerVersion, bootstrapKubeconfig, cfg, and
getPerNodeKubeconfig usage.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@Dockerfile.openshift`:
- Around line 26-29: The Dockerfile references a non-existent builder stage
"rhel10" (the COPY --from=rhel10 and mkdir for /usr/src/multus-cni/rhel10/bin),
causing builds to fail; remove the rhel10 mkdir and the COPY --from=rhel10 entry
and update any related filesystem setup to only create/populate rhel9 and rhel8
directories, then verify the runtime binary selection logic (the code that picks
binaries based on VERSION_ID from the base image) correctly handles the absence
of rhel10 so no further changes are needed.

---

Duplicate comments:
In `@go.mod`:
- Line 18: Update the pinned dependency for google.golang.org/grpc in go.mod
from v1.73.0 to at least v1.79.3 to address GHSA-p77j-4mvh-x3m3, then run module
resolution (go mod tidy) to refresh the dependency graph and update go.sum;
ensure the line containing "google.golang.org/grpc" now shows v1.79.3 or newer
and verify with a local OSV or go list check that v1.73.0 is no longer present.

In `@pkg/k8sclient/kubeconfig.go`:
- Around line 100-118: The per-node kubeconfig validation currently logs
non-unknown-authority errors but continues using the invalid cfg; update the
error path in the block that checks tempClient.Discovery().ServerVersion() so
that when err is non-nil and not the "x509: certificate signed by unknown
authority" case you return the validation error immediately (use logging.Errorf
with the err) instead of just logging, or alternatively reset cfg back to
bootstrapKubeconfig (and recompute config/getPerNodeKubeconfig as needed) before
proceeding; make this change around the tempClient, ServerVersion,
bootstrapKubeconfig, cfg, and getPerNodeKubeconfig usage.

In `@pkg/types/types.go`:
- Around line 185-187: The loop over resourceMap dereferences rInfo (a
*ResourceInfo) without checking for nil which can panic; update the loop that
iterates resourceMap to first guard that rInfo != nil (e.g., continue when rInfo
is nil) before accessing rInfo.DeviceIDs and then sort.Strings(rInfo.DeviceIDs)
only when rInfo and rInfo.DeviceIDs are non-nil to avoid runtime panics.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ec81035c-273e-4199-b4d5-88f97d1c8f29

📥 Commits

Reviewing files that changed from the base of the PR and between 4cd6c4c and 2a929bb.

⛔ Files ignored due to path filters (283)

go.sum is excluded by !**/*.sum
vendor/github.com/gogo/protobuf/AUTHORS is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/CONTRIBUTORS is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/Makefile is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/clone.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/custom_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/decode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/deprecated.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/discard.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/duration.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/duration_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/encode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/encode_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/equal.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/extensions.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/extensions_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/lib.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/lib_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/message_set.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/pointer_reflect.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/pointer_reflect_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/pointer_unsafe.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/pointer_unsafe_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/properties.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/properties_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/skip_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/table_marshal.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/table_marshal_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/table_merge.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/table_unmarshal.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/table_unmarshal_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/text.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/text_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/text_parser.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/timestamp.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/timestamp_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/wrappers.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/wrappers_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/sortkeys/sortkeys.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/README.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/core_dsl.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/decorator_dsl.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/README.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/automaxprocs.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroup.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroups.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroups2.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cpu_quota_linux.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cpu_quota_unsupported.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/errors.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/mountpoint.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/runtime.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/subsys.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/profiles_and_reports.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/run.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/main.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo_t_dsl.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/group.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/node.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/ordering.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson_event_writer.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson_reporter.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/suite.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/reporters/gojson_report.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/reporting_dsl.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/table_dsl.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/types/config.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/types/types.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/types/version.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/gomega_dsl.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/pkg/errors/.gitignore is excluded by !vendor/**, !**/vendor/**
vendor/github.com/pkg/errors/.travis.yml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/pkg/errors/LICENSE is excluded by !vendor/**, !**/vendor/**
vendor/github.com/pkg/errors/Makefile is excluded by !vendor/**, !**/vendor/**
vendor/github.com/pkg/errors/README.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/pkg/errors/appveyor.yml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/pkg/errors/errors.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/pkg/errors/go113.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/pkg/errors/stack.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/client_golang/prometheus/desc.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/client_golang/prometheus/internal/difflib.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/client_golang/prometheus/internal/go_runtime_metrics.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/client_golang/prometheus/labels.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/client_golang/prometheus/metric.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/client_golang/prometheus/process_collector_darwin.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/client_golang/prometheus/process_collector_mem_nocgo_darwin.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/client_golang/prometheus/process_collector_procfsenabled.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/client_golang/prometheus/vec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/client_golang/prometheus/wrap.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/expfmt/decode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/expfmt/encode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/expfmt/expfmt.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/expfmt/fuzz.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/expfmt/openmetrics_create.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/expfmt/text_create.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/expfmt/text_parse.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/model/alert.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/model/labels.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/model/labelset.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/model/metric.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/model/time.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/model/value.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/model/value_histogram.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/common/model/value_type.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/.golangci.yml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/Makefile.common is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/README.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/arp.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/fs.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/fs_statfs_notype.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/fscache.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/internal/fs/fs.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/internal/util/parse.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/internal/util/sysreadfile.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/mountstats.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/net_dev_snmp6.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/net_ip_socket.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/net_protocols.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/net_tcp.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/net_unix.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/proc.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/proc_cgroup.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/proc_io.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/proc_netstat.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/proc_smaps.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/proc_snmp.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/proc_snmp6.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/proc_status.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/proc_sys.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/prometheus/procfs/softirqs.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/spf13/pflag/README.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/spf13/pflag/bool_func.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/spf13/pflag/count.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/spf13/pflag/errors.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/spf13/pflag/flag.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/spf13/pflag/func.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/spf13/pflag/golangflag.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/spf13/pflag/ipnet_slice.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/spf13/pflag/string_to_string.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/spf13/pflag/text.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/spf13/pflag/time.go is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/.codecov.yml is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/.gitignore is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/CODE_OF_CONDUCT.md is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/LICENSE is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/Makefile is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/README.md is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/automaxprocs.go is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/internal/cgroups/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/maxprocs/maxprocs.go is excluded by !vendor/**, !**/vendor/**
vendor/go.uber.org/automaxprocs/maxprocs/version.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/mod/LICENSE is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/mod/PATENTS is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/mod/semver/semver.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/context/context.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/html/escape.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/html/parse.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/html/render.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/config.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/config_go124.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/config_go125.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/config_go126.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/config_pre_go124.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/frame.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/gotrack.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/http2.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/server.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/timer.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/transport.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/writesched.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/writesched_roundrobin.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/internal/httpcommon/request.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/oauth2/internal/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/oauth2/internal/oauth2.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/oauth2/internal/token.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/oauth2/internal/transport.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/oauth2/oauth2.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/oauth2/pkce.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/oauth2/token.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/oauth2/transport.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sync/LICENSE is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sync/PATENTS is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sync/errgroup/errgroup.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/plan9/pwd_go15_plan9.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/plan9/pwd_plan9.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/affinity_linux.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/fdset.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/ifreq_linux.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/mkall.sh is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/syscall_linux.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/syscall_netbsd.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/syscall_solaris.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/zsyscall_linux.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/windows/types_windows.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/term/terminal.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/text/unicode/bidi/core.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/gcexportdata/gcexportdata.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/gcexportdata/importer.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/packages/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/packages/external.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/packages/golist.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/packages/golist_overlay.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/packages/loadmode_string.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/packages/packages.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/packages/visit.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/types/typeutil/callee.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/types/typeutil/imports.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/types/typeutil/map.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/types/typeutil/methodsetcache.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/types/typeutil/ui.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/aliases/aliases.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/aliases/aliases_go122.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/event/core/event.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/event/core/export.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/event/core/fast.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/event/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/event/event.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/event/keys/keys.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/event/keys/standard.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/event/keys/util.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/event/label/label.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gcimporter/bimport.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gcimporter/exportdata.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gcimporter/gcimporter.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gcimporter/predeclared.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gcimporter/support.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gcimporter/ureader_yes.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gocommand/invoke.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gocommand/invoke_notunix.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gocommand/invoke_unix.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gocommand/vendor.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gocommand/version.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/packagesinternal/packages.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/pkgbits/codes.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/pkgbits/decoder.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/pkgbits/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/pkgbits/encoder.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/pkgbits/flags.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/pkgbits/reloc.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/pkgbits/support.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/pkgbits/sync.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/pkgbits/syncmarker_string.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/pkgbits/version.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/stdlib/deps.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/stdlib/import.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/stdlib/manifest.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/stdlib/stdlib.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typeparams/common.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typeparams/coretype.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typeparams/free.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typeparams/normalize.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typeparams/termlist.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typeparams/typeterm.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typesinternal/classify_call.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typesinternal/element.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typesinternal/errorcode.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typesinternal/errorcode_string.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typesinternal/fx.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typesinternal/isnamed.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typesinternal/qualifier.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typesinternal/recv.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typesinternal/toonew.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/typesinternal/types.go is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (17)

.ci-operator.yaml
.github/workflows/build.yml
.github/workflows/image-build.yml
.github/workflows/release.yml
.github/workflows/test.yml
Dockerfile.microshift
Dockerfile.openshift
go.mod
images/Dockerfile
images/Dockerfile.debug
images/Dockerfile.thick
pkg/checkpoint/checkpoint.go
pkg/checkpoint/checkpoint_test.go
pkg/k8sclient/kubeconfig.go
pkg/kubeletclient/kubeletclient.go
pkg/multus/multus_cni100_test.go
pkg/types/types.go

✅ Files skipped from review due to trivial changes (10)

.github/workflows/build.yml
images/Dockerfile
.github/workflows/image-build.yml
images/Dockerfile.debug
images/Dockerfile.thick
.github/workflows/release.yml
pkg/checkpoint/checkpoint_test.go
Dockerfile.microshift
.github/workflows/test.yml
.ci-operator.yaml

🚧 Files skipped from review as they are similar to previous changes (3)

pkg/kubeletclient/kubeletclient.go
pkg/checkpoint/checkpoint.go
pkg/multus/multus_cni100_test.go

Signed-off-by: Ying Wang <yingwang@rehat.com>

coderabbitai

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 3: The go.mod toolchain directive currently specifies an invalid Go
version ("go 1.25.0"); update the module directive to a valid Go 1.25.x patch
(for example change the directive to "go 1.25.8") so the project uses a real,
supported Go toolchain version; modify the go directive in go.mod accordingly.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 128ae539-b2fa-4637-9392-20d67929738c

📥 Commits

Reviewing files that changed from the base of the PR and between 2a929bb and 817f903.

⛔ Files ignored due to path filters (43)

go.sum is excluded by !**/*.sum
vendor/golang.org/x/mod/semver/semver.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/http2/transport.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/net/trace/events.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/oauth2/deviceauth.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/oauth2/oauth2.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/oauth2/pkce.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/oauth2/token.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/oauth2/transport.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sync/errgroup/errgroup.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/text/encoding/japanese/eucjp.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/text/encoding/japanese/iso2022jp.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/text/encoding/japanese/shiftjis.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/text/encoding/korean/euckr.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/text/encoding/simplifiedchinese/gbk.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/text/encoding/simplifiedchinese/hzgb2312.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/text/encoding/traditionalchinese/big5.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/text/encoding/unicode/unicode.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/packages/visit.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/types/typeutil/map.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gcimporter/bimport.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (1)

go.mod

go.mod

coderabbitai

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/types/types.go`:
- Around line 192-193: There are two stray closing braces after the
SortDeviceIDs definition that break parsing; open pkg/types/types.go, locate the
SortDeviceIDs function (or type) near the end of the file and remove the extra
top-level `}` characters that appear after its closing brace so the file has
only the matching braces for declared types/functions and parses correctly.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0af1d12b-100e-479a-a7ac-3d29bca31eed

📥 Commits

Reviewing files that changed from the base of the PR and between 817f903 and 65a177d.

📒 Files selected for processing (1)

pkg/types/types.go

pkg/types/types.go

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

Signed-off-by: Ying Wang <yingwang@rehat.com>

yingwang-0320 · 2026-03-24T07:00:45Z

@coderabbitai resume

coderabbitai · 2026-03-24T07:00:53Z

✅ Actions performed

Reviews resumed.

coderabbitai

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 3: Update the Go module version declaration: replace the "go 1.25.7"
directive in go.mod with "go 1.25.8" (i.e., change the literal go version string
"1.25.7" to "1.25.8") so the module uses the official Go 1.25.8 release.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 76743f8e-ccb2-42c6-9735-c21b680499a3

📥 Commits

Reviewing files that changed from the base of the PR and between 65a177d and 91253b7.

📒 Files selected for processing (3)

Dockerfile.openshift
go.mod
pkg/types/types.go

✅ Files skipped from review due to trivial changes (1)

Dockerfile.openshift

coderabbitai · 2026-03-24T07:03:50Z

go.mod

 module gopkg.in/k8snetworkplumbingwg/multus-cni.v4

-go 1.24.2
+go 1.25.7


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash # Description: Verify Go 1.25.7 is a valid release echo "=== Checking Go 1.25.x releases ===" curl -s https://go.dev/dl/?mode=json | jq -r '.[] | select(.version | startswith("go1.25")) | .version' | sort -V

Repository: openshift/multus-cni

Length of output: 108

Use Go 1.25.8 instead of 1.25.7.

Go 1.25.7 is not an official release. Only Go 1.25.8 is available in the 1.25.x series. Update go 1.25.7 to go 1.25.8 on line 3.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@go.mod` at line 3, Update the Go module version declaration: replace the "go 1.25.7" directive in go.mod with "go 1.25.8" (i.e., change the literal go version string "1.25.7" to "1.25.8") so the module uses the official Go 1.25.8 release.

ci needs go 1.25.7

@yingwang-0320, understood — the OpenShift CI uses Red Hat-supplied Go toolchains (as seen in the rhel-9-release-golang-1.25-openshift-4.22 builder images), which can differ from official golang.org releases. Go 1.25.7 being a valid toolchain for that environment makes sense. Apologies for the noise.

📝 Learnings were identified and not saved (knowledge base disabled). Enable

CI servers are using go 1.25.7

@yingwang-0320, noted — Go 1.25.7 is the correct version used by the OpenShift CI servers. No changes needed.

📝 Learnings were identified and not saved (knowledge base disabled). Enable

STATUS and GC are plugin-level commands with no pod context per the CNI 1.1.0 spec. The thick plugin daemon incorrectly required CNI_CONTAINERID, CNI_NETNS, and K8S_POD_NAME/K8S_POD_NAMESPACE for these commands, causing failures when invoked by kubelet. Signed-off-by: Jason Kary <jkary@redhat.com>

- Check os.OpenFile error in STATUS/GC test - Document that k8sArgs may be nil for STATUS/GC in HandleCNIRequest Made-with: Cursor

coderabbitai

🧹 Nitpick comments (1)

pkg/server/thick_cni_test.go (1)
178-178: Consider adding error check for consistency.

The new test context at line 108 properly checks the os.OpenFile error, but this existing call does not. For consistency within the file, consider applying the same pattern.
♻️ Optional fix for consistency
-			os.OpenFile(configPath, os.O_RDONLY|os.O_CREATE, 0755)
+			_, err = os.OpenFile(configPath, os.O_RDONLY|os.O_CREATE, 0755)
+			Expect(err).NotTo(HaveOccurred())
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/server/thick_cni_test.go` at line 178, The os.OpenFile(configPath,
os.O_RDONLY|os.O_CREATE, 0755) call lacks error handling; update the call to
capture the returned file and error (e.g., f, err := os.OpenFile(...)), check
err and fail the test or t.Fatal on error, and ensure the file is closed (defer
f.Close()) to match the error-checking pattern used elsewhere in this test file
and maintain consistency with the other OpenFile usage around configPath.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/server/thick_cni_test.go`:
- Line 178: The os.OpenFile(configPath, os.O_RDONLY|os.O_CREATE, 0755) call
lacks error handling; update the call to capture the returned file and error
(e.g., f, err := os.OpenFile(...)), check err and fail the test or t.Fatal on
error, and ensure the file is closed (defer f.Close()) to match the
error-checking pattern used elsewhere in this test file and maintain consistency
with the other OpenFile usage around configPath.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e9f4674f-40a8-4746-96bd-dac5c976119c

📥 Commits

Reviewing files that changed from the base of the PR and between 91253b7 and 2a1b966.

📒 Files selected for processing (3)

pkg/multus/multus.go
pkg/server/server.go
pkg/server/thick_cni_test.go

openshift-ci · 2026-03-25T05:17:25Z

@yingwang-0320: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/security	`2a1b966`	link	false	`/test security`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

yingwang-0320 · 2026-03-25T11:58:59Z

/verified by pre-merge testing

openshift-ci-robot · 2026-03-25T11:59:12Z

@yingwang-0320: This PR has been marked as verified by pre-merge testing.

Details

In response to this:

/verified by pre-merge testing

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

yingwang-0320 · 2026-03-25T12:00:55Z

cherry-picked commits from k8snetworkplumbingwg/multus-cni#1490

bpickard22 · 2026-03-25T21:12:18Z

/lgtm

bpickard22 · 2026-03-25T21:12:24Z

/approve

openshift-ci · 2026-03-25T21:12:48Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bpickard22, yingwang-0320

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [bpickard22]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci · 2026-03-25T21:12:48Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bpickard22, yingwang-0320

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [bpickard22]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 20, 2026

openshift-ci bot requested review from bpickard22 and dougbtv March 20, 2026 06:09

coderabbitai bot reviewed Mar 20, 2026

View reviewed changes

yingwang-0320 changed the title ~~CORENET-6886: downstream sync to kube 1.35 and go to 1.25~~ [WIP]CORENET-6886: downstream sync to kube 1.35 and go to 1.25 Mar 20, 2026

openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 20, 2026

bpickard22 and others added 9 commits March 20, 2026 15:12

multus-cni kube 1.35 rebase

04f90cd

Signed-off-by: Ying Wang <yingwang@rehat.com>

update go version to 1.25 in dockerfile and workflows files

1014f34

Signed-off-by: Ying Wang <yingwang@rehat.com>

fix make test error: informer synchronization timeouts in multus_cni1…

cad6465

…00_test.go Signed-off-by: Ying Wang <yingwang@rehat.com>

fix error of no such tool covdata

710df8e

Signed-off-by: Ying Wang <yingwang@rehat.com>

go mod tidy & go mod vendor and update Dockerfile and ci-opertor

1a8007f

Signed-off-by: Ying Wang <yingwang@rehat.com>

yingwang-0320 force-pushed the CORENET-6886-rebase branch from feaf3d0 to 1a8007f Compare March 20, 2026 07:16

yingwang-0320 changed the title ~~[WIP]CORENET-6886: downstream sync to kube 1.35 and go to 1.25~~ CORENET-6886: downstream sync to kube 1.35 and go to 1.25 Mar 20, 2026

openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 20, 2026

openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Mar 23, 2026

Merge branch 'main' into CORENET-6886-rebase

5d6bbbc

openshift-ci-robot removed the verified Signifies that the PR passed pre-merge verification criteria label Mar 24, 2026

Update .github/workflows/test.yml

2a929bb

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

coderabbitai bot reviewed Mar 24, 2026

View reviewed changes

update google.golang.org/grpc to v1.79.3

817f903

Signed-off-by: Ying Wang <yingwang@rehat.com>

coderabbitai bot reviewed Mar 24, 2026

View reviewed changes

go.mod Outdated Show resolved Hide resolved

coderabbitai bot reviewed Mar 24, 2026

View reviewed changes

pkg/types/types.go Outdated Show resolved Hide resolved

Update pkg/types/types.go

1b84d1e

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

yingwang-0320 force-pushed the CORENET-6886-rebase branch from 65a177d to 1b84d1e Compare March 24, 2026 05:18

update go1.25.0 to go 1.25.7

424c4dc

Signed-off-by: Ying Wang <yingwang@rehat.com>

yingwang-0320 force-pushed the CORENET-6886-rebase branch from 67e3580 to 424c4dc Compare March 24, 2026 05:33

modify Dockerfile

91253b7

Signed-off-by: Ying Wang <yingwang@rehat.com>

coderabbitai bot reviewed Mar 24, 2026

View reviewed changes

jkary and others added 2 commits March 25, 2026 10:02

Address PR review nits from pliurh

2a1b966

- Check os.OpenFile error in STATUS/GC test - Document that k8sArgs may be nil for STATUS/GC in HandleCNIRequest Made-with: Cursor

coderabbitai bot reviewed Mar 25, 2026

View reviewed changes

openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Mar 25, 2026

openshift-ci bot assigned bpickard22 Mar 25, 2026

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 25, 2026

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 25, 2026

openshift-merge-bot bot merged commit b4ec7d8 into openshift:main Mar 25, 2026
7 of 8 checks passed

Conversation

yingwang-0320 commented Mar 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci-robot commented Mar 20, 2026 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

coderabbitai bot commented Mar 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

coderabbitai bot Mar 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

yingwang-0320 Mar 24, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 24, 2026

Choose a reason for hiding this comment

Uh oh!

bpickard22 Mar 25, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

yingwang-0320 commented Mar 20, 2026

Uh oh!

yingwang-0320 commented Mar 23, 2026

Uh oh!

openshift-ci-robot commented Mar 23, 2026

Uh oh!

openshift-ci-robot commented Mar 23, 2026 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

yingwang-0320 commented Mar 23, 2026

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

yingwang-0320 commented Mar 24, 2026

Uh oh!

coderabbitai bot commented Mar 24, 2026

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

yingwang-0320 Mar 24, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 24, 2026

Choose a reason for hiding this comment

Uh oh!

yingwang-0320 Mar 24, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 24, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

yingwang-0320 commented Mar 20, 2026 •

edited

Loading

openshift-ci-robot commented Mar 20, 2026 •

edited by openshift-ci bot

Loading

coderabbitai bot commented Mar 20, 2026 •

edited

Loading

coderabbitai bot Mar 20, 2026 •

edited

Loading

openshift-ci-robot commented Mar 23, 2026 •

edited by openshift-ci bot

Loading

coderabbitai bot Mar 24, 2026 •

edited

Loading