CORENET-7046: Bump Kubernetes to 1.36.2 and OCP to 5.0 by miheer · Pull Request #3017 · openshift/cluster-network-operator

miheer · 2026-05-31T06:14:22Z

Bump Kubernetes to 1.36.2 and OCP to 5.0
go.mod: Bump Kubernetes modules to v0.36.2, move to Go 1.26, refresh OpenShift dependencies, and temporarily replace openshift/library-go with github.com/jubittajohn/library-go from openshift/library-go#2171 because Kubernetes 1.36 added HasSyncedChecker() and current library-go refs do not implement it in the fake informer. This keeps vendor generated by go mod vendor so verify-deps can reproduce it.

.ci-operator.yaml: Use openshift/release:rhel-9-release-golang-1.26-openshift-5.0 so CI runs with the matching Go 1.26/OCP 5.0 build root.

Dockerfile: Use the OCP 5.0 Go 1.26 builder and OCP 5.0 runtime base images for the updated dependency stack.

Commands run: go get k8s.io/{api,apiextensions-apiserver,apimachinery,apiserver,client-go,code-generator,component-base,kms,kube-aggregator,kube-proxy,streaming}@v0.36.2; go mod tidy; go mod vendor; make update-codegen; make verify; make build; make test

coderabbitai · 2026-05-31T06:14:49Z

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

@coderabbitai resume to resume automatic reviews.
@coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

▶️ Resume reviews
🔍 Trigger review

Walkthrough

Upgrades cluster-network-operator to Kubernetes 1.36.1 and OpenShift 5.0 with Go 1.26: CI operator and Dockerfile images updated, go.mod toolchain and dependencies bumped (with a temporary library-go replace), generated CRD controller-gen annotation advanced to v0.21.0, and documentation added for compatibility and vendor workarounds.

Changes

Kubernetes 1.36 and OpenShift 5.0 upgrade

Layer / File(s)	Summary
Go toolchain and direct requires `go.mod`	`go` directive set to 1.26.0; direct `require` versions bumped and a `replace` added to pin `openshift/library-go` to a fork/PR state for vendor reproducibility.
Indirect dependency bumps — openapi/protobuf/logging `go.mod`	Indirect upgrades for fsnotify, go-logr, go-openapi/swag, protobuf/cmp/uuid, and telemetry-related libs.
Indirect dependency bumps — golang.org/x, gRPC, kube-openapi `go.mod`	Broad indirect refresh across go.uber.org/zap, golang.org/x/*, gRPC/protobuf, kube-openapi, and sigs.k8s.io modules used by codegen and tooling.
OpenShift/Kubernetes tooling requires `go.mod`	Refresh direct OpenShift/Kubernetes tooling deps: `openshift/api`, `openshift/client-go`, `openshift/library-go`, `k8s.io/apiextensions-apiserver`, `k8s.io/client-go`, `sigs.k8s.io/controller-tools`.
CI and Docker image updates `.ci-operator.yaml`, `Dockerfile`	CI `build_root_image` tag updated to `rhel-9-release-golang-1.26-openshift-5.0`; Dockerfile builder and runtime base images switched to OCP 5.0 / Go 1.26 (comments updated).
Documentation for rebase and compatibility/workarounds `docs/kubernetes-ocp-5.0-bump.md`	Documents Kubernetes 1.36.1/OCP 5.0 rebase, Go 1.26 requirement, v0.36.1 module bumps, vendor regeneration, controller-gen v0.21.0, and the temporary `library-go` replace-based compatibility patch.
Generated CRD annotation `manifests/0000_70_cluster-network-operator_01_pki_crd.yaml`	Updated controller-gen annotation from `v0.20.1` to `v0.21.0` in the generated PKI CRD; no other CRD changes.
Hash algorithm migrations `pkg/*`	Switched object and rollout/change-detection hashes from MD5/SHA-1 to SHA-256 (`pkg/util/k8s/unstructured.CalculateHash`, `pkg/network/ovn_kubernetes.go` dedicated hashers).

🎯 3 (Moderate) | ⏱️ ~20 minutes

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name	Status	Explanation	Resolution
Container-Privileges	❌ Error	K8s YAMLs contain flagged privileges: bindata/allowlist/daemonset/daemonset.yaml has privileged: true & hostNetwork; bindata/network/ovn-kubernetes/common/ipsec-containerized.yaml has hostPID/privi...	Remove/avoid privileged: true, hostPID/hostNetwork/hostIPC, and SYS_ADMIN from container specs (or add explicit, reviewed justification and safer alternatives); set allowPrivilegeEscalation to false where applicable.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Repo has no non-vendor Ginkgo usage/imports and no Ginkgo-style test titles to evaluate; scanned *_test.go for It/Describe/Context/When patterns and found none.
Test Structure And Quality	✅ Passed	No Ginkgo-based tests found in this repo snapshot (no `github.com/onsi/ginkgo` imports; only “ginkgo” mentions in vendored gomega docs), so the checklist is not applicable.
Microshift Test Compatibility	✅ Passed	PR `#3017`’s changed files are limited to .ci-operator.yaml, Dockerfile, docs, go.mod, one CRD YAML, and two Go source files; no _test.go/Ginkgo e2e tests were added per PR page findings.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR `#3017` only bumps build/runtime deps, docs, CRDs, and hash logic; the changed-files view contains no ginkgo/e2e test code (no e2e/ or g.It/g.Describe), so no SNO multi-node assumptions to flag.
Topology-Aware Scheduling Compatibility	✅ Passed	Changed operator code files contain no affinity/anti-affinity, topologyKey/topologySpread, or control-plane nodeSelector constraints; manifest change is only CRD controller-gen version bump.
Ote Binary Stdout Contract	✅ Passed	Repo scan found no fmt/os.Stdout/log.Print* or klog default logging inside main/init/TestMain functions; PR-touched Go files don’t add process-level stdout writes.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR commit changes contain no files under test/ and no paths containing e2e/ginkgo; therefore no new Ginkgo e2e tests to flag for IPv4/external connectivity issues.
No-Weak-Crypto	✅ Passed	In changed files, hashing now uses SHA-256 (sha256.Sum256/sha256.New) with no crypto/md5 or crypto/sha1, and no DES/RC4/3DES/Blowfish/ECB or token/secret equality comparisons detected.
No-Sensitive-Data-In-Logs	✅ Passed	PR `#3017` GitHub page shows CodeRabbit check “No-Sensitive-Data-In-Logs ✅ Passed”, and no sensitive-token/password patterns or log/klog calls were found in the page text.
Title check	✅ Passed	The title clearly and specifically describes the main change: bumping Kubernetes to 1.36.2 and OCP to 5.0, which aligns with the comprehensive updates across go.mod, Dockerfile, CI configuration, and documentation shown in the changeset.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Dockerfile (1)

8-16: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Set an explicit non-root runtime user.

The runtime stage still has no USER, so the container defaults to root. Please set a non-root UID/GID before CMD.

Suggested patch

 FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
 COPY --from=builder  /go/src/github.com/openshift/cluster-network-operator/cluster-network-operator /usr/bin/
 COPY --from=builder  /go/src/github.com/openshift/cluster-network-operator/cluster-network-check-endpoints /usr/bin/
 COPY --from=builder  /go/src/github.com/openshift/cluster-network-operator/cluster-network-check-target /usr/bin/
@@
 ENV OPERATOR_NAME=cluster-network-operator
+USER 65532:65532
 CMD ["/usr/bin/cluster-network-operator"]

As per coding guidelines: "**/{Dockerfile,Containerfile}*: USER non-root; never run as root".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 8 - 16, The Dockerfile currently leaves the
container running as root (CMD ["/usr/bin/cluster-network-operator"])—add a
non-root runtime user/group and switch to it before CMD: create or specify a
numeric non-root UID/GID (e.g. 1000:1000) in the Dockerfile, ensure the copied
binaries (/usr/bin/cluster-network-operator, cluster-network-check-*) and
directories (manifests, bindata) are owned/readable by that UID/GID (adjust
ownership/permissions during the build stage where COPY occurs), and add a USER
instruction referencing that non-root UID/GID immediately before the CMD so
OPERATOR_NAME runs as non-root.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@Dockerfile`:
- Around line 8-16: The Dockerfile currently leaves the container running as
root (CMD ["/usr/bin/cluster-network-operator"])—add a non-root runtime
user/group and switch to it before CMD: create or specify a numeric non-root
UID/GID (e.g. 1000:1000) in the Dockerfile, ensure the copied binaries
(/usr/bin/cluster-network-operator, cluster-network-check-*) and directories
(manifests, bindata) are owned/readable by that UID/GID (adjust
ownership/permissions during the build stage where COPY occurs), and add a USER
instruction referencing that non-root UID/GID immediately before the CMD so
OPERATOR_NAME runs as non-root.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f9a30c23-4a4b-4f7b-9f28-04df924addd5

📥 Commits

Reviewing files that changed from the base of the PR and between 7d4c17a and 9266d45.

⛔ Files ignored due to path filters (295)

go.sum is excluded by !**/*.sum
vendor/github.com/Masterminds/semver/v3/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Masterminds/semver/v3/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Masterminds/semver/v3/constraints.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Masterminds/semver/v3/version.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fatih/color/color.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fatih/color/color_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/.cirrus.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/backend_fen.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/backend_inotify.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/backend_kqueue.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/backend_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/fsnotify.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/darwin.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_darwin.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_dragonfly.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_freebsd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_kqueue.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_netbsd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_openbsd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/freebsd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/unix.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/unix2.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/windows.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/cache.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/decode_map_utils.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/diagnose.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/encode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/simplevalue.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/stream.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/structfields.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/tag.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/valid.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/.cliff.toml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/CONTRIBUTORS.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/NOTICE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/ifaces.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/pointer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/CONTRIBUTORS.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/SECURITY.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/go.work is excluded by !**/*.work, !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname/go_name_provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname/ifaces.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname/name_provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/google/btree/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/google/btree/btree_generic.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/client_metrics.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/client_options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/constants.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/reporter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/server_metrics.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/server_options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/v2/COPYRIGHT is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/v2/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/callmeta.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/reporter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/server.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/.travis.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/client_metrics.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/client_reporter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/makefile is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/metric_options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/packages/grpcstatus/grpcstatus.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/packages/grpcstatus/native_unwrap1.12-.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/packages/grpcstatus/native_unwrap1.13+.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/server.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/server_metrics.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/server_reporter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/util.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mattn/go-colorable/colorable_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mattn/go-isatty/isatty_others.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mattn/go-isatty/isatty_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/gomega_dsl.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/.golangci.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_apiserver.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_cluster_operator.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_dns.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_image.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_infrastructure.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_kmsencryption.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_network.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/console/v1/types_console_plugin.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/console/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/envtest-releases.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/etcd/install.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/etcd/v1/Makefile is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/etcd/v1/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/etcd/v1/register.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/etcd/v1/types_pacemakercluster.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/etcd/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/etcd/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/etcd/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/etcd/v1alpha1/types_pacemakercluster.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/features.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/features/features.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/install.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/machineconfiguration/v1/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/types_ingress.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-Default.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-OKD.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/operator/v1alpha1/types_clusterapi.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/quota/v1/generated.proto is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/quota/v1/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/quota/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/security/v1/generated.proto is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/security/v1/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/security/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/security/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/build-machinery-go/OWNERS is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/build-machinery-go/OWNERS_ALIASES is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/build-machinery-go/make/lib/golang.mk is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/build-machinery-go/make/targets/openshift/yaml-patch.mk is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/build-machinery-go/make/targets/openshift/yq.mk is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverencryption.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsdnsspec.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awskmsconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/infrastructurestatus.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/kmsconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/kmspluginconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/prefixedclaimmapping.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/registrysources.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/usernameclaimmapping.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultapproleauthentication.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultauthentication.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultconfigmapreference.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultkmspluginconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultsecretreference.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaulttlsconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformspec.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/containerresource.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/metricsserverconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/monitoringpluginconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorbuddyinfoconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorcpufreqconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorethtoolconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorksmdconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectormountstatsconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectornetclasscollectconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectornetclassconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectornetdevconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorprocessesconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorsoftirqsconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorsystemdcollectconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorsystemdconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectortcpstatconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexporterconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/openshiftstatemetricsconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusoperatoradmissionwebhookconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusoperatorconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/telemeterclientconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/awscsidriverconfigspec.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/ingresscontrollertuningoptions.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1alpha1/clusterapiinstallercomponent.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1alpha1/clusterapiinstallercomponentsource.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1alpha1/clusterapiinstallerrevision.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1alpha1/clusterapiinstallerrevisionmanifestsubstitution.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1alpha1/clusterapistatus.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/utils.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/config/serving/server.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/controller/controllercmd/builder.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/controller/controllercmd/cmd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/crypto/cert_config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/crypto/keygen.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/crypto/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/crypto/tls_adherence.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/operator/management/management_state.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/operator/v1helpers/test_helpers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/pki/profile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/pki/provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/pki/resolve.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/pki/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/openmetrics_create.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/model/metric.go is excluded by !**/vendor/**, !vendor/**
vendor/go.uber.org/zap/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/go.uber.org/zap/zapcore/entry.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/crypto/hkdf/hkdf.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/html/parse.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/html/render.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/html/token.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/README.md is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/client_conn_pool.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/clientconn.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/config.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/http2.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/server.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/server_common.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/server_wrap.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/transport_common.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/transport_wrap.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_common.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_random.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_roundrobin.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/go118.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/idna.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/idna9.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/pre_go118.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/punycode.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/tables10.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/tables11.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/tables12.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/tables13.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/tables15.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/tables17.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/tables9.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/trie12.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/trie13.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/internal/httpcommon/request.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sync/singleflight/singleflight.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/asm_darwin_arm64_gc.s is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_darwin_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_darwin_arm64_other.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_loong64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_other_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_riscv64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_windows_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/syscall_darwin_arm64_gc.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/zcpu_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/plan9/syscall_plan9.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/affinity_linux.go is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (5)

.ci-operator.yaml
Dockerfile
docs/kubernetes-ocp-5.0-bump.md
go.mod
manifests/0000_70_cluster-network-operator_01_pki_crd.yaml

coderabbitai

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Dockerfile (1)

8-18: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Run the runtime image as a non-root user.

This image still defaults to root because there is no USER directive. Please set a non-root UID/GID in the final stage.

Suggested hardening patch

 FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
 COPY --from=builder  /go/src/github.com/openshift/cluster-network-operator/cluster-network-operator /usr/bin/
 COPY --from=builder  /go/src/github.com/openshift/cluster-network-operator/cluster-network-check-endpoints /usr/bin/
 COPY --from=builder  /go/src/github.com/openshift/cluster-network-operator/cluster-network-check-target /usr/bin/
@@
 ENV OPERATOR_NAME=cluster-network-operator
+USER 1001
 CMD ["/usr/bin/cluster-network-operator"]

As per coding guidelines: "USER non-root; never run as root".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 8 - 18, The final image is still running as root
because there is no USER directive; update the final Docker stage to run as a
non-root user by adding a USER directive with a non-root UID:GID (e.g., create
or use an existing unprivileged uid/gid and set USER 1000:1000) after copying
artifacts and before CMD; ensure ownership/permissions for
/usr/bin/cluster-network-operator, /usr/bin/cluster-network-check-endpoints,
/usr/bin/cluster-network-check-target, /manifests and /bindata are set so the
non-root user can execute/read them (adjust with chown/chmod earlier in the
Dockerfile if needed) and keep OPERATOR_NAME and CMD intact.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 8: Update the vulnerable dependency github.com/containernetworking/cni
from v0.8.0 to v0.8.1 (or newer) in go.mod, then regenerate module metadata and
vendor artifacts by running go mod tidy and updating vendor/go.sum (e.g., go mod
vendor) so go.sum and the vendor directory reflect the new version; ensure any
references to github.com/containernetworking/cni in go.mod and go.sum are
updated and commit the resulting changes.

---

Outside diff comments:
In `@Dockerfile`:
- Around line 8-18: The final image is still running as root because there is no
USER directive; update the final Docker stage to run as a non-root user by
adding a USER directive with a non-root UID:GID (e.g., create or use an existing
unprivileged uid/gid and set USER 1000:1000) after copying artifacts and before
CMD; ensure ownership/permissions for /usr/bin/cluster-network-operator,
/usr/bin/cluster-network-check-endpoints, /usr/bin/cluster-network-check-target,
/manifests and /bindata are set so the non-root user can execute/read them
(adjust with chown/chmod earlier in the Dockerfile if needed) and keep
OPERATOR_NAME and CMD intact.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8d711572-d4fb-4d5d-aebd-106991eedbf7

📥 Commits

Reviewing files that changed from the base of the PR and between 9266d45 and bce3ff3.

⛔ Files ignored due to path filters (295)

go.sum is excluded by !**/*.sum
vendor/github.com/Masterminds/semver/v3/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Masterminds/semver/v3/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Masterminds/semver/v3/constraints.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Masterminds/semver/v3/version.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fatih/color/color.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fatih/color/color_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/.cirrus.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/backend_fen.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/backend_inotify.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/backend_kqueue.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/backend_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/fsnotify.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/darwin.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_darwin.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_dragonfly.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_freebsd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_kqueue.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_netbsd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_openbsd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/freebsd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/unix.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/unix2.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/windows.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/cache.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/decode_map_utils.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/diagnose.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/encode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/simplevalue.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/stream.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/structfields.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/tag.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/valid.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/.cliff.toml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/CONTRIBUTORS.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/NOTICE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/ifaces.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/pointer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/CONTRIBUTORS.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/SECURITY.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/go.work is excluded by !**/*.work, !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname/go_name_provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname/ifaces.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname/name_provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/google/btree/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/google/btree/btree_generic.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/client_metrics.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/client_options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/constants.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/reporter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/server_metrics.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/server_options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/v2/COPYRIGHT is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/v2/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/callmeta.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/reporter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/server.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/.travis.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/client_metrics.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/client_reporter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/makefile is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/metric_options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/packages/grpcstatus/grpcstatus.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/packages/grpcstatus/native_unwrap1.12-.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/packages/grpcstatus/native_unwrap1.13+.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/server.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/server_metrics.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/server_reporter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/util.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mattn/go-colorable/colorable_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mattn/go-isatty/isatty_others.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mattn/go-isatty/isatty_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/gomega_dsl.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/.golangci.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_apiserver.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_cluster_operator.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_dns.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_image.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_infrastructure.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_kmsencryption.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_network.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/console/v1/types_console_plugin.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/console/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/envtest-releases.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/etcd/install.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/etcd/v1/Makefile is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/etcd/v1/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/etcd/v1/register.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/etcd/v1/types_pacemakercluster.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/etcd/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/etcd/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/etcd/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/etcd/v1alpha1/types_pacemakercluster.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/features.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/features/features.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/install.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/machineconfiguration/v1/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/types_ingress.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-Default.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-OKD.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/operator/v1alpha1/types_clusterapi.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/quota/v1/generated.proto is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/quota/v1/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/quota/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/security/v1/generated.proto is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/security/v1/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/security/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/security/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/build-machinery-go/OWNERS is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/build-machinery-go/OWNERS_ALIASES is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/build-machinery-go/make/lib/golang.mk is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverencryption.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsdnsspec.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awskmsconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/infrastructurestatus.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/kmsconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/kmspluginconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/prefixedclaimmapping.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/registrysources.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/usernameclaimmapping.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultapproleauthentication.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultauthentication.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultconfigmapreference.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultkmspluginconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultsecretreference.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaulttlsconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformspec.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/containerresource.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/metricsserverconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/monitoringpluginconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorbuddyinfoconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorcpufreqconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorethtoolconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorksmdconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectormountstatsconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectornetclasscollectconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectornetclassconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectornetdevconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorprocessesconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorsoftirqsconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorsystemdcollectconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorsystemdconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectortcpstatconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexporterconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/openshiftstatemetricsconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusoperatoradmissionwebhookconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusoperatorconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/telemeterclientconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/awscsidriverconfigspec.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/ingresscontrollertuningoptions.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1alpha1/clusterapiinstallercomponent.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1alpha1/clusterapiinstallercomponentsource.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1alpha1/clusterapiinstallerrevision.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1alpha1/clusterapiinstallerrevisionmanifestsubstitution.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1alpha1/clusterapistatus.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/utils.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/config/serving/server.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/controller/controllercmd/builder.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/controller/controllercmd/cmd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/crypto/cert_config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/crypto/keygen.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/crypto/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/crypto/tls_adherence.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/operator/management/management_state.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/operator/v1helpers/test_helpers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/pki/profile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/pki/provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/pki/resolve.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/pki/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/openmetrics_create.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/model/metric.go is excluded by !**/vendor/**, !vendor/**
vendor/go.uber.org/zap/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/go.uber.org/zap/zapcore/entry.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/crypto/hkdf/hkdf.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/html/parse.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/html/render.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/html/token.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/README.md is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/client_conn_pool.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/clientconn.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/config.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/http2.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/server.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/server_common.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/server_wrap.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/transport_common.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/transport_wrap.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_common.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_random.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_roundrobin.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/go118.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/idna.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/idna9.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/pre_go118.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/punycode.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/tables10.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/tables11.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/tables12.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/tables13.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/tables15.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/tables17.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/tables9.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/trie12.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/trie13.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/internal/httpcommon/request.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sync/singleflight/singleflight.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/asm_darwin_arm64_gc.s is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_darwin_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_darwin_arm64_other.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_loong64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_other_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_riscv64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_windows_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/syscall_darwin_arm64_gc.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/zcpu_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/plan9/syscall_plan9.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/affinity_linux.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/mkall.sh is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (5)

.ci-operator.yaml
Dockerfile
docs/kubernetes-ocp-5.0-bump.md
go.mod
manifests/0000_70_cluster-network-operator_01_pki_crd.yaml

✅ Files skipped from review due to trivial changes (1)

manifests/0000_70_cluster-network-operator_01_pki_crd.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

.ci-operator.yaml

coderabbitai · 2026-05-31T07:02:15Z

GHSA-xjqr-g762-pxwp

 require (
 	github.com/Masterminds/semver v1.5.0
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/containernetworking/cni v0.8.0


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash set -euo pipefail # Verify vulnerability status from OSV for the exact module+version in go.mod curl -s https://api.osv.dev/v1/query \ -H 'Content-Type: application/json' \ -d '{ "package": {"name":"github.com/containernetworking/cni","ecosystem":"Go"}, "version":"0.8.0" }' | jq '{vulns: [.vulns[]?.id], summary: [.vulns[]?.summary]}'

Repository: openshift/cluster-network-operator

Length of output: 306

🏁 Script executed:

#!/bin/bash set -euo pipefail curl -s https://api.osv.dev/v1/query \ -H 'Content-Type: application/json' \ -d '{ "package": {"name":"github.com/containernetworking/cni","ecosystem":"Go"}, "version":"0.8.0" }' \ | jq '{ vulns: [.vulns[]?.id], details: [.vulns[]? | {id, summary, fixed: .fixed?, references: (.references // [])}], affected: [.vulns[]? | .affected?] }'

Repository: openshift/cluster-network-operator

Length of output: 3252

Flag vulnerable Go dependency: bump github.com/containernetworking/cni v0.8.0
In go.mod, the dependency github.com/containernetworking/cni v0.8.0 is affected by OSV advisories GHSA-xjqr-g762-pxwp and GO-2022-0230; OSV indicates the fix is v0.8.1.

github.com/containernetworking/cni v0.8.0

Please bump to github.com/containernetworking/cni v0.8.1 (or newer) and regenerate vendor/update go.sum (e.g., via go mod tidy + go mod vendor).

🧰 Tools

🪛 OSV Scanner (2.3.8)

[HIGH] 8-8: github.com/containernetworking/cni 0.8.0: Improper limitation of path name in github.com/containernetworking/cni

(GO-2022-0230)

[HIGH] 8-8: github.com/containernetworking/cni 0.8.0: containernetworking/cni improper limitation of path name

(GHSA-xjqr-g762-pxwp)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@go.mod` at line 8, Update the vulnerable dependency github.com/containernetworking/cni from v0.8.0 to v0.8.1 (or newer) in go.mod, then regenerate module metadata and vendor artifacts by running go mod tidy and updating vendor/go.sum (e.g., go mod vendor) so go.sum and the vendor directory reflect the new version; ensure any references to github.com/containernetworking/cni in go.mod and go.sum are updated and commit the resulting changes.

coderabbitai

Actionable comments posted: 1

🧹 Nitpick comments (1)

Dockerfile (1)
8-17: ⚖️ Poor tradeoff

Dockerfile final stage lacks USER, but deployment manifests force non-root

No USER is declared in the final stage of Dockerfile (lines 8-17), but the operator pod securityContext sets runAsNonRoot: true and runAsUser: 65534 in manifests/0000_70_cluster-network-operator_03_deployment*.yaml, so it won’t run as root when deployed via these manifests.

Add USER 65534 in the image for defense-in-depth/alignment with the guideline (“never run as root”), and ensure filesystem permissions still work.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 8 - 17, The final Dockerfile stage lacks a USER
declaration which conflicts with the deployment manifests that set
runAsNonRoot/runAsUser 65534; update the Dockerfile final stage to set USER
65534 (so the container image matches manifests) and then verify and fix
filesystem ownership/permissions for installed files and directories (e.g.,
/usr/bin, /manifests, /bindata) so the non-root UID 65534 can read/execute them;
check the CMD ["/usr/bin/cluster-network-operator"] still works under this user
and adjust chown/chmod in the builder/final stages if necessary.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 32-34: The go.mod replace points github.com/openshift/library-go
to a personal fork (github.com/jubittajohn/library-go) for PR `#2171` which is a
supply-chain risk; update the repository to remove the temporary replace once
upstream PR `#2171` is merged and revert to the official openshift/library-go
pseudo-version, and in the meantime add an explicit justification and provenance
note (including the PR number and the specific fixes: HasSyncedChecker and Go
1.26 vet) to the repo tracking docs or a TODO comment near the replace so the
change is auditable; also open or link a tracking issue to revert the replace
when openshift/library-go#2171 lands.

---

Nitpick comments:
In `@Dockerfile`:
- Around line 8-17: The final Dockerfile stage lacks a USER declaration which
conflicts with the deployment manifests that set runAsNonRoot/runAsUser 65534;
update the Dockerfile final stage to set USER 65534 (so the container image
matches manifests) and then verify and fix filesystem ownership/permissions for
installed files and directories (e.g., /usr/bin, /manifests, /bindata) so the
non-root UID 65534 can read/execute them; check the CMD
["/usr/bin/cluster-network-operator"] still works under this user and adjust
chown/chmod in the builder/final stages if necessary.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c9b94bfb-f17e-424b-8057-f74fb4e21448

📥 Commits

Reviewing files that changed from the base of the PR and between bce3ff3 and 9dc51b9.

⛔ Files ignored due to path filters (295)

go.sum is excluded by !**/*.sum
vendor/github.com/Masterminds/semver/v3/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Masterminds/semver/v3/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Masterminds/semver/v3/constraints.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Masterminds/semver/v3/version.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fatih/color/color.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fatih/color/color_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/.cirrus.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/backend_fen.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/backend_inotify.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/backend_kqueue.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/backend_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/fsnotify.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/darwin.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_darwin.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_dragonfly.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_freebsd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_kqueue.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_netbsd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/debug_openbsd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/freebsd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/unix.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/unix2.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fsnotify/fsnotify/internal/windows.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/cache.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/decode_map_utils.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/diagnose.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/encode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/simplevalue.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/stream.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/structfields.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/tag.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/fxamacker/cbor/v2/valid.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/.cliff.toml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/CONTRIBUTORS.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/NOTICE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/ifaces.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/pointer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/CONTRIBUTORS.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/SECURITY.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/go.work is excluded by !**/*.work, !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname/go_name_provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname/ifaces.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname/name_provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/google/btree/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/google/btree/btree_generic.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/client_metrics.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/client_options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/constants.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/reporter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/server_metrics.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus/server_options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/v2/COPYRIGHT is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/v2/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/callmeta.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/reporter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/server.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/.travis.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/client_metrics.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/client_reporter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/makefile is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/metric_options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/packages/grpcstatus/grpcstatus.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/packages/grpcstatus/native_unwrap1.12-.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/packages/grpcstatus/native_unwrap1.13+.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/server.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/server_metrics.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/server_reporter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/grpc-ecosystem/go-grpc-prometheus/util.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mattn/go-colorable/colorable_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mattn/go-isatty/isatty_others.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/mattn/go-isatty/isatty_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/gomega_dsl.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/.golangci.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_apiserver.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_cluster_operator.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_dns.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_image.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_infrastructure.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_kmsencryption.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_network.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/console/v1/types_console_plugin.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/console/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/envtest-releases.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/etcd/install.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/etcd/v1/Makefile is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/etcd/v1/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/etcd/v1/register.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/etcd/v1/types_pacemakercluster.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/etcd/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/etcd/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/etcd/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/etcd/v1alpha1/types_pacemakercluster.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/features.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/features/features.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/install.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/machineconfiguration/v1/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/types_ingress.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-Default.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-OKD.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/operator/v1alpha1/types_clusterapi.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/quota/v1/generated.proto is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/quota/v1/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/quota/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/security/v1/generated.proto is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/security/v1/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/security/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/security/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/build-machinery-go/OWNERS is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/build-machinery-go/OWNERS_ALIASES is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/build-machinery-go/make/lib/golang.mk is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverencryption.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsdnsspec.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awskmsconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/infrastructurestatus.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/kmsconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/kmspluginconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/prefixedclaimmapping.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/registrysources.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/usernameclaimmapping.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultapproleauthentication.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultauthentication.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultconfigmapreference.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultkmspluginconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultsecretreference.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaulttlsconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformspec.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/containerresource.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/metricsserverconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/monitoringpluginconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorbuddyinfoconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorcpufreqconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorethtoolconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorksmdconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectormountstatsconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectornetclasscollectconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectornetclassconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectornetdevconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorprocessesconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorsoftirqsconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorsystemdcollectconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorsystemdconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectortcpstatconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexporterconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/openshiftstatemetricsconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusoperatoradmissionwebhookconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusoperatorconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/telemeterclientconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/awscsidriverconfigspec.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/ingresscontrollertuningoptions.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1alpha1/clusterapiinstallercomponent.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1alpha1/clusterapiinstallercomponentsource.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1alpha1/clusterapiinstallerrevision.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1alpha1/clusterapiinstallerrevisionmanifestsubstitution.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1alpha1/clusterapistatus.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/client-go/operator/applyconfigurations/utils.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/config/serving/server.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/controller/controllercmd/builder.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/controller/controllercmd/cmd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/crypto/cert_config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/crypto/keygen.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/crypto/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/crypto/tls_adherence.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/operator/management/management_state.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/operator/v1helpers/test_helpers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/pki/profile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/pki/provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/pki/resolve.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/pki/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/openmetrics_create.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/model/metric.go is excluded by !**/vendor/**, !vendor/**
vendor/go.uber.org/zap/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/go.uber.org/zap/zapcore/entry.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/crypto/hkdf/hkdf.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/html/parse.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/html/render.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/html/token.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/README.md is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/client_conn_pool.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/clientconn.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/config.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/http2.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/server.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/server_common.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/server_wrap.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/transport_common.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/transport_wrap.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_common.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_random.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_roundrobin.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/go118.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/idna.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/idna9.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/pre_go118.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/punycode.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/tables10.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/tables11.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/tables12.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/tables13.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/tables15.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/tables17.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/tables9.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/trie12.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/idna/trie13.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/internal/httpcommon/request.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sync/singleflight/singleflight.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/asm_darwin_arm64_gc.s is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_darwin_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_darwin_arm64_other.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_loong64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_other_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_riscv64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_windows_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/syscall_darwin_arm64_gc.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/zcpu_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/plan9/syscall_plan9.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/affinity_linux.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/mkall.sh is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (5)

.ci-operator.yaml
Dockerfile
docs/kubernetes-ocp-5.0-bump.md
go.mod
manifests/0000_70_cluster-network-operator_01_pki_crd.yaml

✅ Files skipped from review due to trivial changes (2)

manifests/0000_70_cluster-network-operator_01_pki_crd.yaml
docs/kubernetes-ocp-5.0-bump.md

miheer · 2026-06-01T04:07:56Z

/retest

openshift-ci-robot · 2026-06-01T08:02:10Z

@miheer: An error was encountered searching for bug CORENET-7046 on the Jira server at https://redhat.atlassian.net. No known errors were detected, please see the full error message for details.

Full error message.


No response returned: Get "https://redhat.atlassian.net/rest/api/2/issue/CORENET-7046": GET https://redhat.atlassian.net/rest/api/2/issue/CORENET-7046 giving up after 5 attempt(s)

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

Details

In response to this:

Update the operator dependency baseline to Kubernetes 1.36.1 and align the build/runtime images with the OCP 5.0 toolchain. This keeps cluster-network-operator on the target platform versions expected by the next release while preserving the established dependency bump flow from earlier Kubernetes/OCP updates.

Refresh Go modules and vendor content for the Kubernetes 1.36.1 stack, controller-runtime/controller-tools updates, OpenShift API/client/library dependencies, and generated manifests. The OpenShift modules are updated without a release-5.0 suffix because the referenced previous bump pattern did not require it for these dependencies, and build-machinery-go did not provide that branch.

Keep controller-gen built through the vendored tools path, add the Kubernetes 1.36 SharedIndexInformer HasSyncedChecker compatibility method to the vendored library-go test helper, and update local Darwin arm64 tool bootstrap logic for yq/yaml-patch so make verify can get past the tool-install phase while Linux CI continues to use the release binaries.

Add inline comments in the touched build/tooling compatibility areas explaining what changed and why. Add docs/kubernetes-ocp-5.0-bump.md to document the version targets, previous-commit references, implementation behavior, local verification results, and expected make verify behavior.

Verification: make build, make test, hack/update-codegen.sh, and a vendored controller-gen build passed. make verify passed the prior yq/yaml-patch failure points locally and only stopped at the final git diff check before commit because the intended generated/vendor changes were present.

Summary by CodeRabbit

Chores

Bumped Go toolchain to 1.26, refreshed dependencies and vendor for Kubernetes 1.36 compatibility, and rebased builder/runtime images to OpenShift 5.0 (updated container build/runtime bases).

Documentation

Added upgrade notes detailing dependency bumps, vendor regeneration, controller-gen annotation update, compatibility workaround, and validation/verify outcomes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

miheer · 2026-06-01T09:27:01Z

/retest

miheer · 2026-06-01T09:27:21Z

Failure due to image pulls from quay.io returning 502 Bad Gateway, causing ErrImagePull / ImagePullBackOff

miheer · 2026-06-02T08:24:14Z

/retest-failed

miheer · 2026-06-02T08:26:31Z

/retest

miheer · 2026-06-02T17:48:58Z

/retest-failed

miheer · 2026-06-03T18:15:34Z

/retest-failed

miheer · 2026-06-03T18:15:58Z

/retest

miheer · 2026-06-04T07:51:49Z

/retest

miheer · 2026-06-04T15:32:06Z

/retest

miheer · 2026-06-06T07:10:29Z

/retest

…erator#3017 which is to bump k8s to 1.36.1 This commit adds Snyk ignores/policy for vendored paths.

openshift-ci-robot · 2026-06-12T09:48:58Z

@miheer: This pull request references CORENET-7046 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Update the operator dependency baseline to Kubernetes 1.36.1 and align the build/runtime images with the OCP 5.0 toolchain. This keeps cluster-network-operator on the target platform versions expected by the next release while preserving the established dependency bump flow from earlier Kubernetes/OCP updates.

Refresh Go modules and vendor content for the Kubernetes 1.36.1 stack, controller-runtime/controller-tools updates, OpenShift API/client/library dependencies, and generated manifests. The OpenShift modules are updated without a release-5.0 suffix because the referenced previous bump pattern did not require it for these dependencies, and build-machinery-go did not provide that branch.

Keep controller-gen built through the vendored tools path, add the Kubernetes 1.36 SharedIndexInformer HasSyncedChecker compatibility method to the vendored library-go test helper, and update local Darwin arm64 tool bootstrap logic for yq/yaml-patch so make verify can get past the tool-install phase while Linux CI continues to use the release binaries.

Add inline comments in the touched build/tooling compatibility areas explaining what changed and why. Add docs/kubernetes-ocp-5.0-bump.md to document the version targets, previous-commit references, implementation behavior, local verification results, and expected make verify behavior.

Verification: make build, make test, hack/update-codegen.sh, and a vendored controller-gen build passed. make verify passed the prior yq/yaml-patch failure points locally and only stopped at the final git diff check before commit because the intended generated/vendor changes were present.

Summary by CodeRabbit

Chores

Bumped Go toolchain to 1.26, refreshed dependencies and regenerated vendor for Kubernetes 1.36 compatibility; rebased builder/runtime images to OpenShift 5.0.

Bug Fixes

Replaced weak change-detection hashes with SHA-256 across rollout/config hashing to address weak-hash findings.

Documentation

Added upgrade notes covering dependency/vendor regeneration, controller-gen update, compatibility workaround, validation results, and security-scan follow-up.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

miheer · 2026-06-15T03:13:08Z

/test security

…erator#3017 which is to bump k8s to 1.36.1 (openshift#80462) This commit adds Snyk ignores/policy for vendored paths.

miheer · 2026-06-16T03:22:02Z

/retest-failed

miheer · 2026-06-16T04:22:51Z

/retest

danwinship · 2026-06-16T11:10:48Z

The e2e test for security is failing because snyk checks for vendor folder was creating issues.

oh, yeah, that's never passed. It's not "required", so it doesn't block the PR. (Those tests got added to a bunch of repos years ago but were never made required... I'm not sure what's up with that.)

danwinship · 2026-06-16T11:16:38Z

@miheer too late now, but:

you shouldn't reference issues/PRs from commit messages, because it makes github obnoxiously spam that issue/PR with notifications. (It's supposed to be a feature, but it's... not.)

danwinship · 2026-06-16T11:21:28Z

temporarily replace openshift/library-go with github.com/jubittajohn/library-go from openshift/library-go#2171 because Kubernetes 1.36 added HasSyncedChecker() and current library-go refs do not implement it in the fake informer

Please create a Story or Task or whatever for fixing this temporary replacement, and add it to the Epic. The Epic shouldn't be closed while we still have a hack in place.

danwinship

just one note

danwinship · 2026-06-16T11:23:31Z

  namespace: openshift
-  tag: rhel-9-release-golang-1.25-openshift-4.22
+  # Keep CNO on the release build-root stream while moving to the Go 1.26/OCP 5.0 tag.
+  tag: rhel-9-release-golang-1.26-openshift-5.0


Remove the comment; that's an explanation of this PR, not an explanation of that code/config. We don't want future readers to think that this is supposed to always be kept on 1.26/5.0.

Likewise the comments in Dockerfile.

miheer · 2026-06-16T12:53:51Z

@miheer too late now, but:
you shouldn't reference issues/PRs from commit messages, because it makes github obnoxiously spam that issue/PR with notifications. (It's supposed to be a feature, but it's... not.)

miheer · 2026-06-16T12:55:49Z

The e2e test for security is failing because snyk checks for vendor folder was creating issues.

oh, yeah, that's never passed. It's not "required", so it doesn't block the PR. (Those tests got added to a bunch of repos years ago but were never made required... I'm not sure what's up with that.)

So, now I skip the checks for vendor folder openshift/release@2c8cd71

miheer · 2026-06-16T12:57:19Z

temporarily replace openshift/library-go with github.com/jubittajohn/library-go from openshift/library-go#2171 because Kubernetes 1.36 added HasSyncedChecker() and current library-go refs do not implement it in the fake informer

Please create a Story or Task or whatever for fixing this temporary replacement, and add it to the Epic. The Epic shouldn't be closed while we still have a hack in place.

Yes already a story had been created to track progress of this. https://redhat.atlassian.net/browse/CORENET-7287

miheer · 2026-06-17T02:39:09Z

/retest

miheer · 2026-06-18T03:13:59Z

/retest-failed

miheer · 2026-06-18T03:15:44Z

/retest

go.mod: Bump Kubernetes modules to v0.36.2, move to Go 1.26, refresh OpenShift dependencies, and temporarily replace openshift/library-go with github.com/jubittajohn/library-go from openshift/library-go#2171 because Kubernetes 1.36 added HasSyncedChecker() and current library-go refs do not implement it in the fake informer. This keeps vendor generated by go mod vendor so verify-deps can reproduce it. .ci-operator.yaml: Use openshift/release:rhel-9-release-golang-1.26-openshift-5.0 so CI runs with the matching Go 1.26/OCP 5.0 build root. Dockerfile: Use the OCP 5.0 Go 1.26 builder and OCP 5.0 runtime base images for the updated dependency stack. Commands run: go get k8s.io/{api,apiextensions-apiserver,apimachinery,apiserver,client-go,code-generator,component-base,kms,kube-aggregator,kube-proxy,streaming}@v0.36.2; go mod tidy; go mod vendor; make update-codegen; make verify; make build; make test

miheer · 2026-06-18T10:00:41Z

/retest

danwinship · 2026-06-18T15:02:27Z

/lgtm

openshift-ci · 2026-06-18T15:05:12Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danwinship, miheer

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [danwinship]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci · 2026-06-18T15:23:06Z

@miheer: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/4.22-upgrade-from-stable-4.21-e2e-aws-ovn-upgrade	`771a825`	link	false	`/test 4.22-upgrade-from-stable-4.21-e2e-aws-ovn-upgrade`
ci/prow/4.22-upgrade-from-stable-4.21-e2e-azure-ovn-upgrade	`771a825`	link	false	`/test 4.22-upgrade-from-stable-4.21-e2e-azure-ovn-upgrade`
ci/prow/4.22-upgrade-from-stable-4.21-e2e-gcp-ovn-upgrade	`771a825`	link	false	`/test 4.22-upgrade-from-stable-4.21-e2e-gcp-ovn-upgrade`
ci/prow/e2e-aws-ovn-upgrade-ipsec	`db28807`	link	true	`/test e2e-aws-ovn-upgrade-ipsec`
ci/prow/5.0-upgrade-from-stable-4.22-e2e-azure-ovn-upgrade	`db28807`	link	false	`/test 5.0-upgrade-from-stable-4.22-e2e-azure-ovn-upgrade`
ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec	`db28807`	link	true	`/test e2e-metal-ipi-ovn-ipv6-ipsec`
ci/prow/e2e-aws-ovn-upgrade	`db28807`	link	true	`/test e2e-aws-ovn-upgrade`
ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw	`db28807`	link	true	`/test e2e-metal-ipi-ovn-dualstack-bgp-local-gw`
ci/prow/5.0-upgrade-from-stable-4.22-e2e-gcp-ovn-upgrade	`db28807`	link	false	`/test 5.0-upgrade-from-stable-4.22-e2e-gcp-ovn-upgrade`
ci/prow/e2e-gcp-ovn-upgrade	`db28807`	link	true	`/test e2e-gcp-ovn-upgrade`
ci/prow/e2e-azure-ovn-upgrade	`db28807`	link	true	`/test e2e-azure-ovn-upgrade`
ci/prow/e2e-ovn-ipsec-step-registry	`db28807`	link	true	`/test e2e-ovn-ipsec-step-registry`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

miheer · 2026-06-19T10:23:24Z

/retest

openshift-ci Bot requested review from danwinship and martinkennelly May 31, 2026 06:15

coderabbitai Bot reviewed May 31, 2026

View reviewed changes

miheer force-pushed the CORENET-7046 branch 2 times, most recently from bce3ff3 to 9dc51b9 Compare May 31, 2026 07:00

coderabbitai Bot reviewed May 31, 2026

View reviewed changes

Comment thread go.mod

miheer force-pushed the CORENET-7046 branch from 9dc51b9 to 771a825 Compare May 31, 2026 08:54

miheer changed the title ~~Bump Kubernetes to 1.36.1 and OCP to 5.0~~ CORENET-7046: Bump Kubernetes to 1.36.1 and OCP to 5.0 Jun 1, 2026

miheer changed the title ~~CORENET-7046: Bump Kubernetes to 1.36.1 and OCP to 5.0~~ WIP: CORENET-7046: Bump Kubernetes to 1.36.1 and OCP to 5.0 Jun 1, 2026

openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 1, 2026

miheer mentioned this pull request Jun 12, 2026

CORENET-7277: Security ci/prow/security fails for PR openshift/cluster-network-operator#3017 which is to bump k8s to 1.36.1 openshift/release#80462

Merged

miheer added a commit to miheer/release that referenced this pull request Jun 12, 2026

Security ci/prow/security fails for PR openshift/cluster-network-op…

21c6952

…erator#3017 which is to bump k8s to 1.36.1 This commit adds Snyk ignores/policy for vendored paths.

miheer force-pushed the CORENET-7046 branch from 771a825 to d3d05d0 Compare June 12, 2026 09:44

miheer added a commit to miheer/release that referenced this pull request Jun 12, 2026

Security ci/prow/security fails for PR openshift/cluster-network-op…

2c8cd71

…erator#3017 which is to bump k8s to 1.36.1 This commit adds Snyk ignores/policy for vendored paths.

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 12, 2026

miheer force-pushed the CORENET-7046 branch 2 times, most recently from c1d277b to e220e60 Compare June 15, 2026 03:50

miheer changed the title ~~CORENET-7046: Bump Kubernetes to 1.36.1 and OCP to 5.0~~ CORENET-7046: Bump Kubernetes to 1.36.2 and OCP to 5.0 Jun 15, 2026

miheer force-pushed the CORENET-7046 branch from e220e60 to 2ea5e70 Compare June 15, 2026 11:34

danwinship reviewed Jun 16, 2026

View reviewed changes

miheer closed this Jun 16, 2026

miheer reopened this Jun 16, 2026

miheer force-pushed the CORENET-7046 branch from 2ea5e70 to db28807 Compare June 18, 2026 03:23

openshift-ci Bot assigned danwinship Jun 18, 2026

openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 18, 2026

openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 18, 2026

Conversation

miheer commented May 31, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

coderabbitai Bot commented May 31, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Reviews paused

Walkthrough

Changes

Pre-merge checks failed

❌ Failed checks (1 error)

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot May 31, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

miheer commented Jun 1, 2026

Uh oh!

openshift-ci-robot commented Jun 1, 2026 • edited by openshift-ci Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

miheer commented Jun 1, 2026

Uh oh!

miheer commented Jun 1, 2026

Uh oh!

miheer commented Jun 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

miheer commented Jun 2, 2026

Uh oh!

miheer commented Jun 2, 2026

Uh oh!

miheer commented Jun 3, 2026

Uh oh!

miheer commented Jun 3, 2026

Uh oh!

miheer commented Jun 4, 2026

Uh oh!

miheer commented Jun 4, 2026

Uh oh!

miheer commented Jun 6, 2026

Uh oh!

openshift-ci-robot commented Jun 12, 2026 • edited by openshift-ci Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

miheer commented Jun 15, 2026

Uh oh!

miheer commented Jun 16, 2026

Uh oh!

miheer commented Jun 16, 2026

Uh oh!

danwinship commented Jun 16, 2026

Uh oh!

danwinship commented Jun 16, 2026

Uh oh!

danwinship commented Jun 16, 2026

Uh oh!

danwinship left a comment

Choose a reason for hiding this comment

Uh oh!

danwinship Jun 16, 2026

Choose a reason for hiding this comment

Uh oh!

miheer commented Jun 16, 2026

Uh oh!

miheer commented Jun 16, 2026

Uh oh!

miheer commented Jun 16, 2026

Uh oh!

miheer commented May 31, 2026 •

edited

Loading

coderabbitai Bot commented May 31, 2026 •

edited

Loading

openshift-ci-robot commented Jun 1, 2026 •

edited by openshift-ci Bot

Loading

miheer commented Jun 2, 2026 •

edited

Loading

openshift-ci-robot commented Jun 12, 2026 •

edited by openshift-ci Bot

Loading