NO-JIRA: Update openshift/api and openshift/client-go to latest #3023

tssurya wants to merge 1 commit into
Bumps openshift/api to pick up the EVPN feature gate promotion to GA (Default + OKD feature sets), ensuring EVPN API fields and runtime components are available on GA clusters without requiring TechPreview.

- github.com/openshift/api: v0.0.0-20260320151444-324a1bcb9f55 → v0.0.0-20260609121705-d3390bd1109f
- github.com/openshift/client-go: v0.0.0-20260320040014-4b5fc2cdad98 → v0.0.0-20260603140539-6892dc3e1ffc

Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
4a1d2a0 to b223b6c

/retest

/verified by CI

@tssurya: This PR has been marked as verified by

In response to this:

> /verified by CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

/retitle NO-JIRA: Update openshift/api and openshift/client-go to latest

@tssurya: This pull request explicitly references no jira issue.

In response to this:

> /retitle NO-JIRA: Update openshift/api and openshift/client-go to latest

/tide refresh

/lgtm

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mattedallo, tssurya

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing

@coderabbitai configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

CodeRabbit configuration:

````yaml
language: en-US
tone_instructions: ''
early_access: false
enable_free_tier: false
inheritance: false
focus: casual
reviews:
  profile: chill
  request_changes_workflow: false
  high_level_summary: true
  high_level_summary_instructions: ''
  high_level_summary_placeholder: '`@coderabbitai` summary'
  high_level_summary_in_walkthrough: false
  auto_title_placeholder: '`@coderabbitai`'
  auto_title_instructions: ''
  review_status: true
  review_details: false
  commit_status: true
  fail_commit_status: false
  collapse_walkthrough: false
  changed_files_summary: true
  sequence_diagrams: true
  estimate_code_review_effort: true
  assess_linked_issues: true
  related_issues: true
  related_prs: true
  suggested_labels: true
  labeling_instructions: []
  auto_apply_labels: false
  suggested_reviewers: true
  auto_assign_reviewers: false
  suggested_reviewers_instructions: []
  in_progress_fortune: false
  poem: false
  enable_prompt_for_ai_agents: true
  path_filters:
    - '!**/vendor/**'
    - '!vendor/**'
    - '!**/zz_generated*'
    - '!boilerplate/**'
    - '!node_modules/**'
    - '!dist/**'
    - '!*.min.js'
    - '!yarn.lock'
  path_instructions:
    - path: '**/*.{py,js,ts,go,rs,java,rb,php,kt,swift,cs}'
      instructions: |
        Injection prevention (prodsec-skills):
        - SQL: parameterized queries only; no string concatenation
        - Command: no shell=True, os.system, or backtick exec with user input
        - LDAP/XPath: escape special characters in filters
        - Path traversal: canonicalize paths, reject ../
        - Deserialization: no pickle/yaml.load()/eval on untrusted data
        - Prototype pollution: no recursive merge of untrusted objects
        - Validate at trust boundaries with allow-lists, not deny-lists
        - Normalize Unicode and anchor regexes (^$); watch for ReDoS
    - path: '**/*.{html,jsx,tsx,vue,svelte}'
      instructions: >
        Web security (prodsec-skills):
        - No dangerouslySetInnerHTML or v-html with user data
        - CSP: no unsafe-inline, no unsafe-eval
        - CSRF tokens on state-changing requests
        - Cookies: Secure, HttpOnly, SameSite=Strict
        - No document.write, eval, new Function with user input
        - GraphQL: depth/complexity limits, disable introspection in prod
        - File uploads: validate by content magic, cap size, server-generate names
        - XML: disable external entities (XXE), reject DTDs from untrusted sources
    - path: '**/*{crypt,cipher,sign,hash,tls,ssl,cert,key,token}*'
      instructions: |
        Cryptographic security (prodsec-skills):
        - Banned: MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB mode
        - Symmetric: AES-256-GCM or ChaCha20-Poly1305
        - Passwords: Argon2id (not bcrypt/scrypt for new code)
        - Signing: Ed25519 or ECDSA P-256+
        - Key exchange: X25519 or ECDH P-256+
        - Constant-time comparison for all secret/token data
        - Zeroize key material after use (no garbage-collector reliance)
        - No custom crypto; use vetted libraries only
        - Post-quantum: flag if protecting long-lived secrets
    - path: '**/{Dockerfile,Containerfile}*'
      instructions: |
        Container security (prodsec-skills):
        - Base image: UBI minimal or distroless from catalog.redhat.com
        - Red Hat images: use floating tags (Red Hat manages updates);
          non-RH images: pin by digest
        - Multi-stage builds; no build tools in final image
        - USER non-root; never run as root
        - COPY specific files, not entire context
        - No secrets in ENV, ARG, or COPY
        - Read-only rootfs where possible
        - No package manager cache in final layer
        - HEALTHCHECK defined
    - path: '**/*.{yaml,yml}'
      instructions: |
        If this is a Kubernetes/OpenShift manifest or Helm template:
        - securityContext: runAsNonRoot, readOnlyRootFilesystem,
          allowPrivilegeEscalation: false
        - Drop ALL capabilities, add only what is required
        - Resource limits (cpu, memory) on every container
        - No hostPID, hostNetwork, hostIPC, privileged: true
        - NetworkPolicy defined for the namespace
        - OpenShift: SCC must be restricted or custom-scoped
        - Liveness + readiness probes defined
        - automountServiceAccountToken: false unless needed
        - RBAC: least privilege; no cluster-admin for workloads
        - Helm: no .Values interpolation in shell commands
    - path: >-
        **/{requirements*.txt,Pipfile*,pyproject.toml,package*.json,go.mod,go.sum,Cargo.toml,Gemfile*,pom.xml,build.gradle*}
      instructions: |
        Supply chain security (prodsec-skills):
        - New deps: justify need, check license compatibility
        - Pin exact versions; verify hashes where supported
        - Flag known CVEs (cross-ref osv.dev)
        - No pre-release or yanked versions in production
        - SBOM: ensure build produces provenance attestations
        - Signing: artifacts signed with Sigstore/cosign
    - path: .github/workflows/**/*
      instructions: |
        CI/CD security (prodsec-skills):
        - Pin actions by full SHA, not tag
        - No secrets in logs; mask sensitive outputs
        - Least privilege: minimize GITHUB_TOKEN permissions
        - No pull_request_target with checkout of PR head
        - SAST/SCA steps in pipeline
        - Sign artifacts with Sigstore/cosign
        - Agentic CI actions: audit for prompt injection via
          issue/PR title/body flowing into LLM prompts
    - path: '**/{.claude,.vscode}/**/*'
      instructions: |
        HIGH RISK — IDE and AI tool configuration (prodsec-skills):
        These directories can be supply chain attack vectors.
        Review every change with a security and malware lens.
        Flag the following for close scrutiny:
        - .claude: hook commands, MCP server definitions, or
          permissive tool-use policies in settings.json
        - .claude: any scripts or binaries (e.g., .mjs, .sh)
        - .vscode: tasks.json or launch.json entries that execute
          code on folder open, build, or save
        - .vscode: settings.json entries that auto-run formatters,
          linters, or extensions with broad permissions
        - Any change that grants broad filesystem or network access
        - Obfuscated content or suspiciously large files
        - Changes without a clear, legitimate purpose
    - path: '**/*.go'
      instructions: |
        Go security (prodsec-skills):
        - Never ignore error returns
        - database/sql with placeholders; no fmt.Sprintf in queries
        - Use stdlib crypto/* and golang.org/x/crypto (Go team maintained);
          avoid third-party crypto libraries
        - Integer overflow: bounds-check user-supplied sizes
        - context.Context for cancellation and timeouts
    - path: '**/*.{c,cpp,cc,h,hpp}'
      instructions: |
        C/C++ security (prodsec-skills):
        - Banned: gets, sprintf, strcpy, strcat, strtok
        - Use strlcpy, snprintf, bounded APIs
        - Compile: -fstack-protector-strong -fPIE -pie
          -D_FORTIFY_SOURCE=2 -Wformat-security
        - Nullify pointers after free; no use-after-free
        - Integer overflow: check arithmetic on untrusted sizes
    - path: '**/{db,database,redis,cache,storage}/**/*'
      instructions: |
        Data store security (prodsec-skills):
        - Auth: no default credentials; use IAM or IdP tokens
        - Encryption: TLS in transit, encryption at rest
        - Least privilege: app user has minimal grants
        - Redis/ElastiCache: AUTH required, no KEYS in prod,
          rename dangerous commands (FLUSHALL, CONFIG)
        - Connection strings: no embedded credentials
  abort_on_close: true
  disable_cache: false
  slop_detection:
    enabled: true
  auto_review:
    enabled: true
    description_keyword: ''
    auto_incremental_review: true
    auto_pause_after_reviewed_commits: 5
    ignore_title_keywords: []
    labels: []
    drafts: true
    base_branches: []
    ignore_usernames: []
  finishing_touches:
    docstrings:
      enabled: true
    unit_tests:
      enabled: true
    simplify:
      enabled: false
    custom: []
  pre_merge_checks:
    override_requested_reviewers_only: false
    docstrings:
      mode: warning
      threshold: 80
    title:
      mode: warning
      requirements: ''
    description:
      mode: warning
    issue_assessment:
      mode: warning
    custom_checks:
      - mode: error
        name: Stable and Deterministic Test Names
        instructions: >
          Ginkgo test names MUST be stable and deterministic. They must never
          contain dynamic information that changes between runs.

          Flag any test title (It(), Describe(), Context(), When(), etc.) that
          includes:
          - Pod names with generated suffixes (e.g., "test-pod-abc123")
          - Timestamps or dates
          - Random UUIDs or generated identifiers
          - Node names
          - Namespace names with random suffixes
          - IP addresses
          - Any value that could change between test runs

          Additionally, flag overly-specific test titles likely to change in
          later development iterations, to avoid the need to specify mappings
          after changing the name.

          Test names should use descriptive, static strings that clearly
          indicate what the test validates.

          ❌ Bad examples:
          - `It("should create pod test-pod-xyz123 with custom security context")`
          - `It(fmt.Sprintf("should run on node %s", nodeName))`
          - `It("should create namespace " + ns.Name)`
          - `It("should complete initialization within 30s")`

          ✅ Good examples:
          - `It("should create a pod with custom security context")`
          - `It("should schedule workloads to labeled nodes")`
          - `It("should enforce network policy between namespaces")`
          - `It("should complete initialization quickly")`

          Dynamic values belong in test BODIES (assertions, setup), never in
          test TITLES.
      - mode: warning
        name: Test Structure and Quality
        instructions: >
          Review Ginkgo test code for these quality requirements:

          1. **Single responsibility**: Each test (It block) should test one
             specific behavior. Flag tests that assert multiple unrelated
             behaviors.
          2. **Setup and cleanup**: Tests should use BeforeEach/AfterEach for
             setup and cleanup. Flag tests that create resources without
             cleanup, especially cluster-scoped resources.
          3. **Timeouts**: Operations that interact with the cluster (pod
             creation, deployments, waiting for conditions) must include
             appropriate timeouts. Flag indefinite waits or missing timeouts on
             Eventually/Consistently calls.
          4. **Assertion messages**: Assertions should include meaningful
             failure messages that help diagnose what went wrong.
             ❌ `Expect(err).NotTo(HaveOccurred())`
             ✅ `Expect(err).NotTo(HaveOccurred(), "failed to create test pod")`
          5. **Consistency with codebase**: Tests should follow existing
             patterns in the repository for how fixtures are created, how
             clients are obtained, and how waits are structured.
      - mode: warning
        name: MicroShift Test Compatibility
        instructions: >
          When new Ginkgo e2e tests are added (It(), Describe(), Context(),
          When(), etc.), check whether they use any APIs or features that are
          NOT available on MicroShift. MicroShift is a single-node, minimal
          OpenShift distribution and does not support all standard OpenShift
          APIs and features.

          Note: The only OpenShift kube APIs available on MicroShift are Route
          and SecurityContextConstraints. All other OpenShift-specific APIs are
          unavailable.

          IMPORTANT: Do NOT flag a test if it is already protected from running
          on MicroShift by any of these mechanisms:
          - The test name includes a `[Skipped:MicroShift]` label
          - The test name includes an `[apigroup:...]` tag for an API group not
            available on MicroShift (e.g., `[apigroup:config.openshift.io]`,
            `[apigroup:machine.openshift.io]`). The MicroShift CI jobs
            automatically skip tests whose apigroup tag references an API group
            not served by MicroShift.
          - The test body contains an `exutil.IsMicroShiftCluster()` check with
            `g.Skip()`
          - The test is wrapped in a Describe/Context that already has one of
            the above

          Flag the test if it references ANY of the following unavailable APIs
          or resources:
          - Project / ProjectRequest (project.openshift.io) — use plain
            Namespaces instead
          - Build / BuildConfig (build.openshift.io)
          - DeploymentConfig (apps.openshift.io) — use Deployments instead
          - ClusterOperator / ClusterOperators (config.openshift.io/v1)
          - ClusterVersion / ClusterVersions (config.openshift.io/v1)
          - Etcd operator or etcd pods (etcd.operator.openshift.io,
            openshift-etcd namespace)
          - ClusterServiceVersion (CSV) / OLM resources (operators.coreos.com)
          - MachineSet / Machine / MachineHealthCheck (machine.openshift.io)
          - ClusterAutoscaler / MachineAutoscaler
          - Console (console.openshift.io, openshift-console namespace)
          - Monitoring stack components (prometheus-k8s, alertmanager,
            thanos-querier in openshift-monitoring)
          - ImageRegistry operator (imageregistry.operator.openshift.io,
            openshift-image-registry namespace)
          - Samples operator (samples.operator.openshift.io,
            openshift-cluster-samples-operator namespace)
          - OperatorHub / CatalogSource / PackageManifest (operators.coreos.com,
            marketplace.redhat.com)
          - CloudCredential / CredentialsRequest (cloudcredential.openshift.io)
          - Storage operator (operator.openshift.io/v1 storage,
            openshift-cluster-storage-operator namespace)
          - Network operator CRDs (operator.openshift.io/v1 network,
            openshift-network-operator namespace)
          - Any other OpenShift API group besides Route (route.openshift.io) and
            SecurityContextConstraints (security.openshift.io)

          Flag the test if it references ANY of the following namespaces that do
          not exist on MicroShift:
          - openshift-kube-apiserver
          - openshift-kube-controller-manager
          - openshift-kube-scheduler

          Flag the test if it makes ANY of the following unsupported
          assumptions:
          - Multi-node or HA assumptions (e.g., expecting multiple
            master/control-plane nodes, pod anti-affinity across nodes, leader
            election across replicas)
          - FeatureGate resources or TechPreviewNoUpgrade / CustomNoUpgrade
            feature sets
          - Upgrade or update workflows (ClusterVersion-based upgrades)
          - Node scaling (expecting nodes to be added or removed)
          - Multi-replica deployments of control-plane components

          If a test is flagged, recommend the following:

          > **MicroShift compatibility notice:** This test uses APIs or features
          > that are not available on MicroShift. If this repository's presubmit
          > CI does not already include MicroShift jobs, please verify your test
          > works on MicroShift by running an additional CI job:
          >
          > For parallel tests:
          > `/payload-job periodic-ci-openshift-microshift-release-4.22-periodics-e2e-aws-ovn-ocp-conformance`
          >
          > For serial tests (test name contains `[Serial]`):
          > `/payload-job periodic-ci-openshift-microshift-release-4.22-periodics-e2e-aws-ovn-ocp-conformance-serial`
          >
          > If the test is intentionally not applicable to MicroShift, there are
          > several options:
          >
          > **Option 1 (preferred for API-specific tests):** Add an
          > `[apigroup:...]` tag to the test name for the OpenShift API group
          > being used. MicroShift CI jobs automatically skip tests whose
          > apigroup is not served by MicroShift:
          >
          > ```go
          > g.It("should report cluster operator status [apigroup:config.openshift.io]", func() { ... })
          > ```
          >
          > **Option 2:** Add a `[Skipped:MicroShift]` label to the test name:
          >
          > ```go
          > g.It("should do something [Skipped:MicroShift]", func() { ... })
          > ```
          >
          > **Option 3:** Guard the test with a runtime platform check. In the
          > `openshift/origin` repository, the common pattern is:
          >
          > ```go
          > isMicroShift, err := exutil.IsMicroShiftCluster(oc.AdminKubeClient())
          > o.Expect(err).NotTo(o.HaveOccurred())
          > if isMicroShift {
          >     g.Skip("Not supported on MicroShift")
          > }
          > ```
      - mode: warning
        name: Single Node OpenShift (SNO) Test Compatibility
        instructions: >
          When new Ginkgo e2e tests are added (It(), Describe(), Context(),
          When(), etc.), check whether they make assumptions about multi-node or
          HA clusters. Single Node OpenShift (SNO) runs the full OpenShift
          control plane and worker components on a single node. Unlike
          MicroShift, SNO includes all standard OpenShift operators and APIs,
          but any test that assumes multiple nodes will fail.

          IMPORTANT: Do NOT flag a test if it is already protected from running
          on SNO by any of these mechanisms:
          - The test name includes a `[Skipped:SingleReplicaTopology]` label
          - The test body contains an `exutil.IsSingleNode()` check with
            `g.Skip()`
          - The test body contains a `skipOnSingleNodeTopology()` call
          - The test body checks `infrastructure.Status.ControlPlaneTopology ==
            configv1.SingleReplicaTopologyMode` and skips accordingly
          - The test is wrapped in a Describe/Context that already has one of
            the above

          Flag the test if it makes ANY of the following multi-node or HA
          assumptions:
          - Expects multiple control-plane/master nodes (e.g., counting master
            nodes > 1)
          - Expects multiple worker nodes or schedules pods across distinct
            nodes
          - Uses pod anti-affinity or topology spread constraints requiring
            multiple nodes
          - Tests node-to-node communication patterns that require separate
            hosts
          - Assumes leader election failover across multiple replicas on
            different nodes
          - Expects pod rescheduling to a different node after node drain or
            failure
          - Tests node scaling operations (adding or removing nodes)
          - Assumes separate infra/worker/master node roles on different hosts
          - Validates rolling updates that require scheduling to other nodes
          - Tests ingress or load balancing behavior that depends on multiple
            endpoints on different nodes

          Do NOT flag tests that:
          - Use OpenShift APIs and operators (these are all available on SNO)
          - Run multiple pods on the same node
          - Test single-pod behavior, even with multiple replicas (replicas can
            coexist on one node)

          If a test is flagged, recommend the following:

          > **Single Node OpenShift (SNO) compatibility notice:** This test
          > assumes a multi-node cluster and may fail on Single Node OpenShift
          > deployments. Please verify your test works on SNO by running an
          > additional CI job:
          >
          > For parallel tests:
          > `/payload-job periodic-ci-openshift-release-master-ci-4.22-e2e-aws-upgrade-ovn-single-node`
          >
          > For serial tests (test name contains `[Serial]`):
          > `/payload-job periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-single-node-serial`
          >
          > If the test is intentionally not applicable to SNO, there are
          > several options:
          >
          > **Option 1:** Add a `[Skipped:SingleReplicaTopology]` label to the
          > test name. SNO CI jobs automatically skip tests with this label:
          >
          > ```go
          > g.It("should schedule pods across nodes [Skipped:SingleReplicaTopology]", func() { ... })
          > ```
          >
          > **Option 2:** Guard the test with a runtime topology check. In the
          > `openshift/origin` repo, use the `exutil.IsSingleNode()` utility:
          >
          > ```go
          > isSingleNode, err := exutil.IsSingleNode(context.Background(), oc.AdminConfigClient())
          > o.Expect(err).NotTo(o.HaveOccurred())
          > if isSingleNode {
          >     g.Skip("Test requires multiple nodes and does not apply to single-node topologies")
          > }
          > ```
          >
          > This checks `infrastructure.Status.ControlPlaneTopology ==
          > configv1.SingleReplicaTopologyMode` which is the canonical way to
          > detect SNO clusters.
          >
          > **Option 3:** Some test packages define a local
          > `skipOnSingleNodeTopology()` helper:
          >
          > ```go
          > func skipOnSingleNodeTopology(oc *exutil.CLI) {
          >     infra, err := oc.AdminConfigClient().ConfigV1().Infrastructures().Get(
          >         context.Background(), "cluster", metav1.GetOptions{})
          >     o.Expect(err).NotTo(o.HaveOccurred())
          >     if infra.Status.ControlPlaneTopology == configv1.SingleReplicaTopologyMode {
          >         e2eskipper.Skipf("This test does not apply to single-node topologies")
          >     }
          > }
          > ```
          >
          > You can also use the `single_node.GetTopologies()` helper from
          > `test/extended/single_node/topology.go` to get both control plane
          > and infrastructure topology modes.
      - mode: warning
        name: Topology-Aware Scheduling Compatibility
        instructions: >
          When deployment manifests, operator code, or controllers are added or
          modified, check whether they introduce scheduling constraints that
          assume a standard highly-available (HA) topology with 3+ control-plane
          nodes and dedicated worker nodes. OpenShift supports several
          topologies where these assumptions break:
          - **Single Node OpenShift (SNO):** One node runs everything.
            `ControlPlaneTopology = SingleReplica`, 1 schedulable node.
          - **Two-Node Fixed (TNF):** Two control-plane nodes, no dedicated
            workers. `ControlPlaneTopology = DualReplica`, 2 schedulable nodes.
            Operators should run 2 replicas (not 1 as on SNO) to maintain HA.
          - **Two-Node with Arbiter (TNA):** Two control-plane nodes plus a
            resource-constrained arbiter node. The arbiter is NOT a master or
            worker — it is a distinct role with label
            `node-role.kubernetes.io/arbiter` and taint
            `node-role.kubernetes.io/arbiter:NoSchedule`. It only runs etcd for
            quorum plus essential infrastructure (kubelet, SDN/OVN, MCD), and
            may be as small as 2 cores / 8 GiB RAM. `ControlPlaneTopology =
            HighlyAvailableArbiter`, but only 2 fully schedulable nodes.
          - **External Control Plane (HyperShift):** Control plane runs outside
            the hosted cluster. `ControlPlaneTopology = External`. There are NO
            nodes with `node-role.kubernetes.io/master` or
            `node-role.kubernetes.io/control-plane` labels in the hosted
            cluster.

          The `ControlPlaneTopology` values are defined in `openshift/api` as
          the `TopologyMode` type. Availability of each value depends on the
          release version and enabled feature gates — check
          `openshift/api/features/features.go` and the `FeatureGateAwareEnum`
          annotations on the `ControlPlaneTopology` field for the target
          release:
          - `HighlyAvailable` (default)
          - `SingleReplica`
          - `DualReplica` (feature gate: `DualReplica`)
          - `HighlyAvailableArbiter`
          - `External`

          Do NOT flag changes that already check `ControlPlaneTopology`, node
          counts, or topology labels before applying scheduling constraints.

          Flag changes that introduce ANY of the following without
          topology-awareness:
          - **Required pod anti-affinity with `maxUnavailable: 0`.**
            (`requiredDuringSchedulingIgnoredDuringExecution` with
            `topologyKey: kubernetes.io/hostname` combined with
            `maxUnavailable: 0` in the rolling update strategy).
            This combination deadlocks on ANY topology where replicas ==
            schedulable nodes (SNO, TNF, TNA, and even HA with 3 replicas on 3
            nodes): the surge pod cannot schedule (anti-affinity blocks it) and
            no old pod can be deleted (maxUnavailable: 0 prevents it). Required
            anti-affinity is SAFE when paired with `maxUnavailable >= 1` — this
            is the pattern used by most HA operators (oauth-openshift,
            openshift-apiserver, image-registry, monitoring). Preferred
            anti-affinity is NOT a safe alternative — it allows pods to
            co-locate on the same node, defeating HA (see OCPBUGS-65984).
          - **Pod topology spread constraints** with `whenUnsatisfiable:
            DoNotSchedule` and a hostname topology key. Breaks on SNO and is
            problematic when the spread `maxSkew` exceeds the number of
            schedulable nodes (TNF, TNA).
          - **Replica count derived from node count** (e.g., counting
            control-plane nodes and setting replicas to match) without
            considering that SNO and TNF have fewer than 3 control-plane nodes,
            and TNA's arbiter node should not run general workloads.
          - **nodeSelector or node affinity targeting control-plane nodes**
            (`node-role.kubernetes.io/master` or
            `node-role.kubernetes.io/control-plane`). On HyperShift, no nodes
            carry these labels — pods will remain Pending indefinitely.
          - **Scheduling workloads to all control-plane nodes equally** without
            excluding arbiter nodes. On TNA, the arbiter node has a separate
            taint (`node-role.kubernetes.io/arbiter:NoSchedule`) that blocks
            general workloads. However, operators that use **broad or wildcard
            tolerations** (e.g., tolerating all `NoSchedule` taints) will
            inadvertently schedule to the resource-constrained arbiter. Only
            etcd and essential infrastructure pods (kubelet, SDN/OVN,
            machine-config-daemon) should run on the arbiter.
          - **Assuming dedicated worker nodes exist.** On SNO and TNF, all
            workloads run on control-plane nodes. Code that targets only worker
            nodes via `node-role.kubernetes.io/worker` nodeSelector may need to
            also consider nodes that carry both control-plane and worker roles.
          - **PodDisruptionBudgets designed for 3+ nodes.** On TNF and TNA, only
            2 nodes are fully schedulable. PDBs with `minAvailable: 2` on a
            2-replica deployment will block all voluntary disruptions (drains,
            upgrades). PDBs should be reviewed for topology-appropriate values.
            Note: PDBs only protect against the eviction API (`kubectl drain`).
            They do NOT protect against `TaintManagerEviction` (node fencing,
            unreachable taints), which directly deletes pods regardless of PDB
            settings.

          If a change is flagged, recommend the following:

          > **Topology-aware scheduling notice:** This change introduces
          > scheduling constraints that may not work on all supported OpenShift
          > topologies (SNO, Two-Node, HyperShift).
          >
          > OpenShift clusters vary in topology:
          >
          > | Topology | `ControlPlaneTopology` | Schedulable nodes |
          > |---|---|---|
          > | HA | `HighlyAvailable` | 3+ CP + N workers |
          > | SNO | `SingleReplica` | 1 (all roles) |
          > | Two-Node Fixed | `DualReplica` | 2 CP (no workers) |
          > | Two-Node + Arbiter | `HighlyAvailableArbiter` | 2 CP + 1 arbiter (resource-limited) |
          > | HyperShift | `External` | N workers (no CP nodes) |
          >
          > Please consider:
          > - Checking `infrastructure.Status.ControlPlaneTopology` to detect
          >   `SingleReplica`, `DualReplica`, `HighlyAvailableArbiter`, or
          >   `External` topologies
          > - Using required anti-affinity with `maxUnavailable >= 1` (not
          >   `maxUnavailable: 0`, which deadlocks). Preferred anti-affinity
          >   allows pods to co-locate, defeating HA.
          > - Capping replica counts to the number of schedulable nodes
          > - Excluding arbiter nodes (`node-role.kubernetes.io/arbiter`) from
          >   workload scheduling on TNA clusters
          > - Avoiding `node-role.kubernetes.io/master` nodeSelectors on
          >   HyperShift, where no control-plane nodes exist in-cluster
          > - For operators using the library-go `DeploymentController`,
          >   consider `WithTopologyAwareReplicasHook`,
          >   `WithTopologyAwareSchedulingHook`, and
          >   `WithControlPlaneNodeSelectorHook` from
          >   `library-go/pkg/operator/deploymentcontroller/`
          >
          > Verify with topology-specific CI jobs before merging:
          > ```
          > /payload-job periodic-ci-openshift-release-main-ci-4.22-e2e-aws-upgrade-ovn-single-node
          > /payload-job periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-hypershift
          > /payload-job periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ovn-two-node-arbiter
          > /payload-job periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ovn-two-node-fencing-techpreview
          > ```
      - mode: error
        name: OTE Binary Stdout Contract
        instructions: >
          OpenShift Tests Extension (OTE) binaries communicate with
          `openshift-tests` via JSON on stdout. Any non-JSON stdout from the
          main binary process corrupts the test listing and breaks CI.
          Individual test cases (It, BeforeEach, AfterEach) are fine — their
          stdout is intercepted by the framework.

          Only flag stdout writes in process-level code: main(), init(),
          TestMain(), BeforeSuite(), AfterSuite(), SynchronizedBeforeSuite(),
          RunSpecs() setup, or top-level var/const initializers.

          Common violations:
          - klog writing to stdout (default behavior — must redirect to stderr
            via `klog.SetOutput(os.Stderr)` or `klog.LogToStderr(true)`)
          - fmt.Print/Println/Printf to stdout in main or suite setup
          - Ginkgo v2 suite configuration that emits warnings to stdout
          - log.SetOutput not set to stderr before any logging

          Do NOT flag:
          - Writes inside It(), BeforeEach(), AfterEach(), JustBeforeEach()
            blocks
          - Writes to explicitly-opened files or buffers
          - Writes to os.Stderr or GinkgoWriter
      - mode: warning
        name: IPv6 and Disconnected Network Test Compatibility
        instructions: >
          When new Ginkgo e2e tests are added (It(), Describe(), Context(),
          When(), etc.), check whether they make assumptions about IPv4
          networking or require connectivity to external/public internet
          services. IPv6-only CI jobs run in disconnected environments with no
          public internet access.

          Flag the test if it contains ANY of the following IPv4 assumptions:
          - Hardcoded IPv4 addresses (e.g., "10.0.0.1", "192.168.1.1",
            "172.16.0.0/12")
          - Hardcoded IPv4 localhost ("127.0.0.1") where "::1" would also be
            needed
          - Parsing or validating IPs assuming IPv4 format only (e.g., splitting
            on "." to parse octets)
          - Creating Service or Endpoint objects with hardcoded IPv4 CIDRs or
            addresses
          - Using net.ParseIP() or net.ParseCIDR() with hardcoded IPv4 values
            only
          - Assuming pod or node IPs will be IPv4 (e.g., checking ip.To4() !=
            nil without fallback)
          - Hardcoded IPv4-only network policies (ipBlock with IPv4 CIDRs only)
          - Building URLs by interpolating a variable host/IP without brackets
            for IPv6 (e.g., `fmt.Sprintf("http://%s:%d/path", host, port)` or
            `"http://" + host + ":" + port`). Use `net.JoinHostPort(host, port)`
            instead, which adds brackets automatically for IPv6.

          Flag the test if it requires ANY of the following external
          connectivity:
          - Connections to public internet hosts (e.g., google.com, github.com,
            quay.io, registry.redhat.io)
          - Pulling images from public registries without using a mirror or
            internal registry
          - Downloading content from external URLs (curl, wget to public
            endpoints)
          - DNS resolution of public hostnames
          - Connections to external APIs or services outside the cluster

          Do NOT flag tests that:
          - Use cluster-internal service DNS names (e.g.,
            service.namespace.svc.cluster.local)
          - Use the cluster's own registry or image streams
          - Dynamically detect IP family and adapt accordingly

          If a test is flagged, recommend the following:

          > **IPv6 and disconnected network compatibility notice:** This test
          > may contain IPv4 assumptions or external connectivity requirements
          > that will fail in IPv6-only disconnected environments. Please verify
          > your test works on IPv6 by running an additional CI job:
          >
          > For parallel tests:
          > `/payload-job periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-ovn-ipv6`
          >
          > For serial tests (test name contains `[Serial]`):
          > `/payload-job periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-serial-ovn-ipv6`
          >
          > In the `openshift/origin` repo, use `GetIPAddressFamily()` to detect
          > the cluster's IP family and adapt accordingly:
          >
          > ```go
          > hasIPv4, hasIPv6, err := GetIPAddressFamily(oc)
          > o.Expect(err).NotTo(o.HaveOccurred())
          > if !hasIPv4 {
          >     // Use IPv6 addresses and CIDRs instead
          > }
          > ```
          >
          > Or use `GetIPFamilyForCluster()` to check the pod network IP family:
          >
          > ```go
          > ipFamily := GetIPFamilyForCluster(oc.KubeFramework())
          > if ipFamily == IPv6 {
          >     g.Skip("Test requires IPv4 connectivity")
          > }
          > ```
          >
          > You can also use the `InIPv4ClusterContext()` wrapper to
          > automatically skip tests that only apply to IPv4 clusters:
          >
          > ```go
          > InIPv4ClusterContext(oc, func() {
          >     // Test body - only runs on IPv4 clusters
          > })
          > ```
          >
          > For CIDRs, use `correctCIDRFamily()` to select the right CIDR for
          > the cluster:
          >
          > ```go
          > cidr := correctCIDRFamily(oc, "10.128.0.0/14", "fd01::/48")
          > ```
          >
          > If the test requires external internet connectivity and cannot be
          > adapted for disconnected environments, add `[Skipped:Disconnected]`
          > to the test name to automatically skip it on disconnected clusters:
          >
          > ```go
          > g.It("should fetch external content [Skipped:Disconnected]", func() { ... })
          > ```
      - mode: error
        name: no-weak-crypto
        instructions: |
          Flag MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB mode usage.
          Flag custom crypto implementations. Flag non-constant-time
          comparison of secrets or tokens.
      - mode: error
        name: container-privileges
        instructions: |
          Flag privileged: true, hostPID, hostNetwork, hostIPC,
          SYS_ADMIN capability, running as root without justification,
          allowPrivilegeEscalation: true in container/K8s manifests.
      - mode: error
        name: no-sensitive-data-in-logs
        instructions: |
          Flag logging that may expose passwords, tokens, API keys,
          PII (email, SSN, credit card), session IDs, internal
          hostnames, or customer data.
  tools:
    ast-grep:
      rule_dirs: []
      util_dirs: []
      essential_rules: true
      packages: []
    shellcheck:
      enabled: true
    ruff:
      enabled: true
    markdownlint:
      enabled: true
    github-checks:
      enabled: true
      timeout_ms: 90000
    languagetool:
      enabled: true
      enabled_rules: []
      disabled_rules: []
      enabled_categories: []
      disabled_categories: []
      enabled_only: false
      level: default
    biome:
      enabled: true
    hadolint:
      enabled: true
    swiftlint:
      enabled: true
    phpstan:
      enabled: true
      level: default
    phpmd:
      enabled: true
    phpcs:
      enabled: true
    golangci-lint:
      enabled: true
    yamllint:
      enabled: true
    gitleaks:
      enabled: true
    trufflehog:
      enabled: true
    checkov:
      enabled: true
    tflint:
      enabled: true
    detekt:
      enabled: true
    eslint:
      enabled: true
    flake8:
      enabled: true
    fbinfer:
      enabled: false
      enable_java: false
    fortitudeLint:
      enabled: true
    rubocop:
      enabled: true
    buf:
      enabled: true
    regal:
      enabled: true
    actionlint:
      enabled: true
    zizmor:
      enabled: true
    pmd:
      enabled: true
    clang:
      enabled: true
    cppcheck:
      enabled: true
    opengrep:
      enabled: true
    semgrep:
      enabled: true
    circleci:
      enabled: true
    clippy:
      enabled: true
    sqlfluff:
      enabled: true
    trivy:
      enabled: true
    prismaLint:
      enabled: true
    pylint:
      enabled: true
    oxc:
      enabled: true
    shopifyThemeCheck:
      enabled: true
    luacheck:
      enabled: true
    brakeman:
      enabled: true
    dotenvLint:
      enabled: true
    htmlhint:
      enabled: true
    stylelint:
      enabled: true
    checkmake:
      enabled: true
    osvScanner:
      enabled: true
    oasdiff:
      enabled: true
    presidio:
      enabled: false
    blinter:
      enabled: true
    smartyLint:
      enabled: true
    emberTemplateLint:
      enabled: true
    skillspector:
      enabled: true
    psscriptanalyzer:
      enabled: true
chat:
  art: false
  allow_non_org_members: true
  auto_reply: true
  integrations:
    jira:
      usage: auto
    linear:
      usage: auto
knowledge_base:
  opt_out: false
  web_search:
    enabled: true
  code_guidelines:
    enabled: true
    filePatterns:
      - '**/AGENTS.md'
      - '**/REDHAT.md'
      - '**/CLAUDE.md'
      - '**/CONTRIBUTING.md'
  learnings:
    scope: auto
    approval_delay: 0
  issues:
    scope: auto
  jira:
    usage: auto
    project_keys: []
  linear:
    usage: auto
    team_keys: []
  pull_requests:
    scope: auto
  mcp:
    usage: auto
    disabled_servers: []
  automatic_repository_linking: false
  linked_repositories: []
code_generation:
  docstrings:
    path_instructions: []
  unit_tests:
    path_instructions: []
issue_enrichment:
  auto_enrich:
    enabled: false
planning:
  enabled: true
  auto_planning:
    enabled: true
    labels: []
labeling:
  labeling_instructions: []
  auto_apply_labels: false
````
/retest

/retest

@tssurya: The following tests failed, say

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

/retest