diff --git a/Makefile.kube_git.var b/Makefile.kube_git.var index 9a2e09ba1f..5b01a5a264 100644 --- a/Makefile.kube_git.var +++ b/Makefile.kube_git.var @@ -1,5 +1,5 @@ KUBE_GIT_MAJOR=1 KUBE_GIT_MINOR=35 KUBE_GIT_VERSION=v1.35.3 -KUBE_GIT_COMMIT=99b75aa92a7f60c4446ee29f54d511f140a8aed0 +KUBE_GIT_COMMIT=872bd3722d0954b31459f715fbd4fb7612aaf338 KUBE_GIT_TREE_STATE=clean diff --git a/Makefile.version.aarch64.var b/Makefile.version.aarch64.var index ba519e3a09..a93dd947c6 100644 --- a/Makefile.version.aarch64.var +++ b/Makefile.version.aarch64.var @@ -1 +1 @@ -OCP_VERSION := 5.0.0-0.nightly-arm64-2026-06-04-190103 +OCP_VERSION := 5.0.0-0.nightly-arm64-2026-06-08-012537 diff --git a/Makefile.version.x86_64.var b/Makefile.version.x86_64.var index f805152db4..5530db160b 100644 --- a/Makefile.version.x86_64.var +++ b/Makefile.version.x86_64.var @@ -1 +1 @@ -OCP_VERSION := 5.0.0-0.nightly-2026-06-04-190102 +OCP_VERSION := 5.0.0-0.nightly-2026-06-07-132537 diff --git a/assets/components/multus/kustomization.aarch64.yaml b/assets/components/multus/kustomization.aarch64.yaml index ff16be9af1..446ef9978f 100644 --- a/assets/components/multus/kustomization.aarch64.yaml +++ b/assets/components/multus/kustomization.aarch64.yaml @@ -2,7 +2,7 @@ images: - name: multus-cni-microshift newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:d95acb85de525f3ed6c179c7c780245d7f50821d881f2c5c84c9f08c947d47b3 + digest: sha256:c4c1ba07ed890fb4f59cf6e67b39b77f6db5976adb20a9ba037ea2446b3e3d93 - name: containernetworking-plugins-microshift newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:5fed52311e3e769dbb5dc03067ce33c7de0c1308ee033310cc53f7203f7fbe5f + digest: sha256:137bf91943370a9be844a2727b26630f2e962501d08742816426d94cb2ff7246 diff --git a/assets/components/multus/kustomization.x86_64.yaml b/assets/components/multus/kustomization.x86_64.yaml index 868983bcfe..2346451573 100644 --- a/assets/components/multus/kustomization.x86_64.yaml 
+++ b/assets/components/multus/kustomization.x86_64.yaml @@ -2,7 +2,7 @@ images: - name: multus-cni-microshift newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:d6d962ee038eac98ae9a7cb182052a79804740db2c03bfeedb0dd7196a894a62 + digest: sha256:53ff24eb2aa039458a2b6063e7ad6d54a192047f2e683965938fdbc3af964081 - name: containernetworking-plugins-microshift newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:51b0ac230b385565a5285a95b29ff48a65b7110445f7631b9888212329e7f165 + digest: sha256:c0c398bbac716ad20b404521beb4e7b19065ca07b49d81842c6f0b7e4bfe8f9a diff --git a/assets/components/multus/release-multus-aarch64.json b/assets/components/multus/release-multus-aarch64.json index 4151308b00..38cc556b83 100644 --- a/assets/components/multus/release-multus-aarch64.json +++ b/assets/components/multus/release-multus-aarch64.json @@ -1,9 +1,9 @@ { "release": { - "base": "5.0.0-0.nightly-arm64-2026-06-04-190103" + "base": "5.0.0-0.nightly-arm64-2026-06-08-012537" }, "images": { - "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:d95acb85de525f3ed6c179c7c780245d7f50821d881f2c5c84c9f08c947d47b3", - "containernetworking-plugins-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:5fed52311e3e769dbb5dc03067ce33c7de0c1308ee033310cc53f7203f7fbe5f" + "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:c4c1ba07ed890fb4f59cf6e67b39b77f6db5976adb20a9ba037ea2446b3e3d93", + "containernetworking-plugins-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:137bf91943370a9be844a2727b26630f2e962501d08742816426d94cb2ff7246" } } diff --git a/assets/components/multus/release-multus-x86_64.json b/assets/components/multus/release-multus-x86_64.json index 09c64a90c4..062769b347 100644 --- a/assets/components/multus/release-multus-x86_64.json +++ b/assets/components/multus/release-multus-x86_64.json 
@@ -1,9 +1,9 @@ { "release": { - "base": "5.0.0-0.nightly-2026-06-04-190102" + "base": "5.0.0-0.nightly-2026-06-07-132537" }, "images": { - "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:d6d962ee038eac98ae9a7cb182052a79804740db2c03bfeedb0dd7196a894a62", - "containernetworking-plugins-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:51b0ac230b385565a5285a95b29ff48a65b7110445f7631b9888212329e7f165" + "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:53ff24eb2aa039458a2b6063e7ad6d54a192047f2e683965938fdbc3af964081", + "containernetworking-plugins-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:c0c398bbac716ad20b404521beb4e7b19065ca07b49d81842c6f0b7e4bfe8f9a" } } diff --git a/assets/components/ovn/multi-node/master/daemonset.yaml b/assets/components/ovn/multi-node/master/daemonset.yaml index c968672326..d739afcdfe 100644 --- a/assets/components/ovn/multi-node/master/daemonset.yaml +++ b/assets/components/ovn/multi-node/master/daemonset.yaml @@ -376,7 +376,8 @@ spec: echo "I$(date "+%m%d %H:%M:%S.%N") - ovnkube-master - start ovnkube --init-master ${K8S_NODE}" exec /usr/bin/ovnkube \ - --init-master "${K8S_NODE}" \ + --init-cluster-manager "${K8S_NODE}" \ + --init-ovnkube-controller "${K8S_NODE}" \ --nb-address "{{.OVN_NB_DB_LIST}}" \ --sb-address "{{.OVN_SB_DB_LIST}}" \ --config-file=/run/ovnkube-config/ovnkube.conf \ diff --git a/assets/components/ovn/single-node/master/daemonset.yaml b/assets/components/ovn/single-node/master/daemonset.yaml index 2d698042a3..b45fb9be17 100644 --- a/assets/components/ovn/single-node/master/daemonset.yaml +++ b/assets/components/ovn/single-node/master/daemonset.yaml 
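Review bot: The startup `echo` left as context above `exec /usr/bin/ovnkube` in the multi-node daemonset hunk (`@@ -376,7 +376,8 @@`) still prints `start ovnkube --init-master ${K8S_NODE}`, although the command now passes `--init-cluster-manager` and `--init-ovnkube-controller` instead. Anyone reading the pod log to confirm which roles the process was started with sees a flag that is no longer on the command line. I would change the message to `- ovnkube-master - start ovnkube --init-cluster-manager ${K8S_NODE} --init-ovnkube-controller ${K8S_NODE}`; the same applies to the single-node daemonset hunk (`@@ -337,7 +337,8 @@`), whose echo should also keep its `--init-node ${K8S_NODE}` part. The container script starts and ends outside both hunks, so any other reference to `--init-master` in it is not visible here.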
@@ -337,7 +337,8 @@ spec: echo "I$(date "+%m%d %H:%M:%S.%N") - ovnkube-master - start ovnkube --init-master ${K8S_NODE} --init-node ${K8S_NODE}" exec /usr/bin/ovnkube \ - --init-master "${K8S_NODE}" \ + --init-cluster-manager "${K8S_NODE}" \ + --init-ovnkube-controller "${K8S_NODE}" \ --init-node "${K8S_NODE}" \ --allow-no-uplink \ --config-file=/run/ovnkube-config/ovnkube.conf \ diff --git a/assets/optional/operator-lifecycle-manager/kustomization.aarch64.yaml b/assets/optional/operator-lifecycle-manager/kustomization.aarch64.yaml index a6499e02ff..46fde49fac 100644 --- a/assets/optional/operator-lifecycle-manager/kustomization.aarch64.yaml +++ b/assets/optional/operator-lifecycle-manager/kustomization.aarch64.yaml @@ -2,13 +2,13 @@ images: - name: quay.io/operator-framework/olm newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:d3328a007e3059145dc4261121a0dcb6c9c2f7f82aba8bed2dc7fe4442b44317 + digest: sha256:0ec48c1246f7ceff0ce419c0654220ed3b81bd43338a19d10e8e772edca265de - name: quay.io/operator-framework/configmap-operator-registry newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:1fb113ed086cc02b16fcb089d0456ffd3faa917ad28ed669cad0b40b7bfe11b8 + digest: sha256:80c2c256795ec60d072e1649ff6174a852c7da8e2df4acbe078822db99cff034 - name: quay.io/openshift/origin-kube-rbac-proxy newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:793a8dbe8247852c605ad6bebb039641eeef1a84842d7661a7ec3c8c2c8617fb + digest: sha256:a51e40c312acb95b55559b8228df6f5f65a04e688a2aa6f09ff60d1d9df6397c patches: - patch: |- 
@@ -16,12 +16,12 @@ patches: path: /spec/template/spec/containers/0/env/- value: name: OPERATOR_REGISTRY_IMAGE - value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:1fb113ed086cc02b16fcb089d0456ffd3faa917ad28ed669cad0b40b7bfe11b8 + value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:80c2c256795ec60d072e1649ff6174a852c7da8e2df4acbe078822db99cff034 - op: add path: /spec/template/spec/containers/0/env/- value: name: OLM_IMAGE - value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:d3328a007e3059145dc4261121a0dcb6c9c2f7f82aba8bed2dc7fe4442b44317 + value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:0ec48c1246f7ceff0ce419c0654220ed3b81bd43338a19d10e8e772edca265de target: kind: Deployment labelSelector: app=catalog-operator diff --git a/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml b/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml index 47ddf85bad..9f6854ae59 100644 --- a/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml +++ b/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml @@ -2,13 +2,13 @@ images: - name: quay.io/operator-framework/olm newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:5983a2a3a4a7505ef21024cb248c8b8011789eb51de8fc4fd0528df4b6652a9e + digest: sha256:341f8ea2724f3487c90d649b64749f6fa2d5f97ca8f00dce227725e8bca03ef9 - name: quay.io/operator-framework/configmap-operator-registry newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:83031211e6f9b1d120da82554fba373db194236cf7395058efaeb74bf7015e84 + digest: sha256:9b7343b0927caee13e51334c6d9e8d2d85e0f4c671f6a3d20de2b2076726f1aa - name: quay.io/openshift/origin-kube-rbac-proxy newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:b2f55f068d30a61367962c5af6c43d399a5ecba5b1ba24749c2268131ba4ed98 + digest: sha256:694eff563bee1f5c0366c51b9adb17f3ff563199075a162c1587639b04b6f918 patches: - patch: |- 
@@ -16,12 +16,12 @@ patches: path: /spec/template/spec/containers/0/env/- value: name: OPERATOR_REGISTRY_IMAGE - value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:83031211e6f9b1d120da82554fba373db194236cf7395058efaeb74bf7015e84 + value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:9b7343b0927caee13e51334c6d9e8d2d85e0f4c671f6a3d20de2b2076726f1aa - op: add path: /spec/template/spec/containers/0/env/- value: name: OLM_IMAGE - value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:5983a2a3a4a7505ef21024cb248c8b8011789eb51de8fc4fd0528df4b6652a9e + value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:341f8ea2724f3487c90d649b64749f6fa2d5f97ca8f00dce227725e8bca03ef9 target: kind: Deployment labelSelector: app=catalog-operator diff --git a/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json b/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json index e5c0a2bfc5..275f66ad37 100644 --- a/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json +++ b/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json 
@@ -1,10 +1,10 @@ { "release": { - "base": "5.0.0-0.nightly-arm64-2026-06-04-190103" + "base": "5.0.0-0.nightly-arm64-2026-06-08-012537" }, "images": { - "operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:d3328a007e3059145dc4261121a0dcb6c9c2f7f82aba8bed2dc7fe4442b44317", - "operator-registry": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:1fb113ed086cc02b16fcb089d0456ffd3faa917ad28ed669cad0b40b7bfe11b8", - "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:793a8dbe8247852c605ad6bebb039641eeef1a84842d7661a7ec3c8c2c8617fb" + "operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:0ec48c1246f7ceff0ce419c0654220ed3b81bd43338a19d10e8e772edca265de", + "operator-registry": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:80c2c256795ec60d072e1649ff6174a852c7da8e2df4acbe078822db99cff034", + "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:a51e40c312acb95b55559b8228df6f5f65a04e688a2aa6f09ff60d1d9df6397c" } } diff --git a/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json b/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json index 5166fdb7d0..3ec8ad5b7b 100644 --- a/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json +++ b/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json 
@@ -1,10 +1,10 @@ { "release": { - "base": "5.0.0-0.nightly-2026-06-04-190102" + "base": "5.0.0-0.nightly-2026-06-07-132537" }, "images": { - "operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:5983a2a3a4a7505ef21024cb248c8b8011789eb51de8fc4fd0528df4b6652a9e", - "operator-registry": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:83031211e6f9b1d120da82554fba373db194236cf7395058efaeb74bf7015e84", - "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:b2f55f068d30a61367962c5af6c43d399a5ecba5b1ba24749c2268131ba4ed98" + "operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:341f8ea2724f3487c90d649b64749f6fa2d5f97ca8f00dce227725e8bca03ef9", + "operator-registry": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:9b7343b0927caee13e51334c6d9e8d2d85e0f4c671f6a3d20de2b2076726f1aa", + "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:694eff563bee1f5c0366c51b9adb17f3ff563199075a162c1587639b04b6f918" } } diff --git a/assets/optional/sriov/kustomization.aarch64.yaml b/assets/optional/sriov/kustomization.aarch64.yaml index 4d03c4b108..d1574ea6ea 100644 --- a/assets/optional/sriov/kustomization.aarch64.yaml +++ b/assets/optional/sriov/kustomization.aarch64.yaml @@ -1,7 +1,7 @@ images: - name: quay.io/openshift/sriov-network-operator newName: registry.redhat.io/openshift4/ose-sriov-network-rhel9-operator - digest: sha256:a1a0500a8bac2a4f4757c6e48dfb2205162551225c14147147d64c3adb77aa21 + digest: sha256:d7ee254fc9d47bd5179f76e4122983304ec75b5ea43f4defe2d0f96f04eb8690 patches: - patch: |- 
@@ -9,47 +9,47 @@ patches: path: /spec/template/spec/containers/0/env/- value: name: SRIOV_CNI_IMAGE - value: registry.redhat.io/openshift4/sriov-cni-rhel9@sha256:74aeffb1a137054c6c3203a814f8c926e44d22c27e38273bdd564a28a2d5df77 + value: registry.redhat.io/openshift4/sriov-cni-rhel9@sha256:71edd9e131252d72242756270e02b75859134de7ccbb49bd109f9b3e349c2367 - op: add path: /spec/template/spec/containers/0/env/- value: name: SRIOV_DEVICE_PLUGIN_IMAGE - value: registry.redhat.io/openshift4/ose-sriov-network-device-plugin-rhel9@sha256:e617fc5c01293973db96e4a8f5dc2ba1b60b812881cf562c069ac2d0ea519c2f + value: registry.redhat.io/openshift4/ose-sriov-network-device-plugin-rhel9@sha256:6be7361f4c3a345589994dc785b2cd5da3c8123c6ad56211e4af5de232800f76 - op: add path: /spec/template/spec/containers/0/env/- value: name: NETWORK_RESOURCES_INJECTOR_IMAGE - value: registry.redhat.io/openshift4/ose-sriov-dp-admission-controller-rhel9@sha256:cc6b9e185652895f39472f27c6da521c53d70fbd5137b8ba0cb171d0d32b67e2 + value: registry.redhat.io/openshift4/ose-sriov-dp-admission-controller-rhel9@sha256:162cbf43222d4c7943574f84f59e29f69b6996e1693db85ddee19832441a0718 - op: add path: /spec/template/spec/containers/0/env/- value: name: SRIOV_NETWORK_CONFIG_DAEMON_IMAGE - value: registry.redhat.io/openshift4/ose-sriov-network-config-daemon-rhel9@sha256:7e53a785922f7dc329dbc85b012e46fd75c367ebb8a43c8ba2a391b3f361b31c + value: registry.redhat.io/openshift4/ose-sriov-network-config-daemon-rhel9@sha256:6d7ed1bc1504105bbad73bc98c78a19074e81b9ea5fc1a090612086893f5130a - op: add path: /spec/template/spec/containers/0/env/- value: name: SRIOV_NETWORK_WEBHOOK_IMAGE - value: registry.redhat.io/openshift4/ose-sriov-network-webhook-rhel9@sha256:6b71695714628b2cc3e21481cb817f72b07c00b0f69f67bd67d5b03f85554306 + value: registry.redhat.io/openshift4/ose-sriov-network-webhook-rhel9@sha256:5142fd6ea06766233e916ee0564fdb02e75582c8154814da05f66e9695665f35 - op: add path: /spec/template/spec/containers/0/env/- value: name: 
SRIOV_INFINIBAND_CNI_IMAGE - value: registry.redhat.io/openshift4/ose-sriov-infiniband-cni-rhel9@sha256:c9068855e766e4e95f941e4151902c3d21be84fcfd364f810c888f12b3dc8de8 + value: registry.redhat.io/openshift4/ose-sriov-infiniband-cni-rhel9@sha256:003aaeab02e56e3ea2d46cd0ac875f001f18939915fdd1bb6767a8e67e552877 - op: add path: /spec/template/spec/containers/0/env/- value: name: RDMA_CNI_IMAGE - value: registry.redhat.io/openshift4/ose-sriov-rdma-cni-rhel9@sha256:16adb2f8c239ed05e84333a19430fcc5131606888954b130604256081c6ad459 + value: registry.redhat.io/openshift4/ose-sriov-rdma-cni-rhel9@sha256:e43211c222e1734a5443826afc1f1104b61457ef7b67647e5f608136a355d5d6 - op: add path: /spec/template/spec/containers/0/env/- value: name: METRICS_EXPORTER_IMAGE - value: registry.redhat.io/openshift4/ose-sriov-network-metrics-exporter-rhel9@sha256:e7da6d9a2ba24e20af1ba29bdfbaef8b606b2b4820dc4620599c07311ca35762 + value: registry.redhat.io/openshift4/ose-sriov-network-metrics-exporter-rhel9@sha256:7b7b706bc0c431f1961336b0b205c59ae8b87d89e05d54d038f67e7acfbc241c - op: add path: /spec/template/spec/containers/0/env/- value: name: METRICS_EXPORTER_KUBE_RBAC_PROXY_IMAGE - value: registry.redhat.io/openshift4/ose-kube-rbac-proxy-rhel9@sha256:4b69b69236d6ee41ccf24422fa7c407baa593558378702b7384c7c01ff21a85c + value: registry.redhat.io/openshift4/ose-kube-rbac-proxy-rhel9@sha256:22469fe4645b112b9db600a2eb90b93d55ea18ce2da2a8637c50ac781618c495 target: kind: Deployment name: sriov-network-operator diff --git a/assets/optional/sriov/kustomization.x86_64.yaml b/assets/optional/sriov/kustomization.x86_64.yaml index eb8b82cf63..89063ce487 100644 --- a/assets/optional/sriov/kustomization.x86_64.yaml +++ b/assets/optional/sriov/kustomization.x86_64.yaml 
@@ -1,7 +1,7 @@ images: - name: quay.io/openshift/sriov-network-operator newName: registry.redhat.io/openshift4/ose-sriov-network-rhel9-operator - digest: sha256:154224ecb924514505b9ea38350891b22eb44e6f25cdb2ecfeb6fa1fd930b645 + digest: sha256:568d7734e5bd64f9bd74b836810c1b89f2f481a4eb403d93b218604fa8a5ee62 patches: - patch: |- 
@@ -9,47 +9,47 @@ patches: path: /spec/template/spec/containers/0/env/- value: name: SRIOV_CNI_IMAGE - value: registry.redhat.io/openshift4/sriov-cni-rhel9@sha256:fd7ac1e086d9cf49448b88c36eab2cb1cdd9da08e7071be062c7d8e8e499ee3f + value: registry.redhat.io/openshift4/sriov-cni-rhel9@sha256:309f2975276b6407402bd1ac0ef7a07e809845a33259283c28925ee2321271e8 - op: add path: /spec/template/spec/containers/0/env/- value: name: SRIOV_DEVICE_PLUGIN_IMAGE - value: registry.redhat.io/openshift4/ose-sriov-network-device-plugin-rhel9@sha256:c0d8e53931ad08b55d1f7b4b542daeea4f3cfde01a715f4876f444c6e18b2fc7 + value: registry.redhat.io/openshift4/ose-sriov-network-device-plugin-rhel9@sha256:479a1835efcb315af7681a0c6e9cb959570e850a4cb5844a797390e27cd619c6 - op: add path: /spec/template/spec/containers/0/env/- value: name: NETWORK_RESOURCES_INJECTOR_IMAGE - value: registry.redhat.io/openshift4/ose-sriov-dp-admission-controller-rhel9@sha256:e9610f603344110f5245368ce4670141d35748d9a4fa535e5e24c534e8199f38 + value: registry.redhat.io/openshift4/ose-sriov-dp-admission-controller-rhel9@sha256:671dd3ee25bb4a24ec5741cbb6b5d168d7af4e4e7e90a332913552ff6576efa0 - op: add path: /spec/template/spec/containers/0/env/- value: name: SRIOV_NETWORK_CONFIG_DAEMON_IMAGE - value: registry.redhat.io/openshift4/ose-sriov-network-config-daemon-rhel9@sha256:09c66ab96ce61ebc27fc2d129d0dfe45b305717f9e361ade85c78ddaa2a34832 + value: registry.redhat.io/openshift4/ose-sriov-network-config-daemon-rhel9@sha256:837d9b0b190a87e6037babecde6c7667f9e69fd044620da0fc795881b6a42ad7 - op: add path: /spec/template/spec/containers/0/env/- value: name: SRIOV_NETWORK_WEBHOOK_IMAGE - value: registry.redhat.io/openshift4/ose-sriov-network-webhook-rhel9@sha256:715ff1f1a7f056954cc8b88cd9b0feed3bbc914bace96b5d8d4a249f6076fc3b + value: registry.redhat.io/openshift4/ose-sriov-network-webhook-rhel9@sha256:cc70de95764cdd38fd41500e34e40640782095a84a12a797981946a95dbfdd83 - op: add path: /spec/template/spec/containers/0/env/- value: name: 
SRIOV_INFINIBAND_CNI_IMAGE - value: registry.redhat.io/openshift4/ose-sriov-infiniband-cni-rhel9@sha256:a0cd540c80e6409fe850f76538454b523c458b9e6fbaf19e54cb706005eac2de + value: registry.redhat.io/openshift4/ose-sriov-infiniband-cni-rhel9@sha256:77c3b55e366168b1eb1dbdf9482595d547b8cc0a69a1655a34c873c0d3487cab - op: add path: /spec/template/spec/containers/0/env/- value: name: RDMA_CNI_IMAGE - value: registry.redhat.io/openshift4/ose-sriov-rdma-cni-rhel9@sha256:4d9567b193481c4cbf7667b989265faf6e27369756bb50fbaefda44a56912700 + value: registry.redhat.io/openshift4/ose-sriov-rdma-cni-rhel9@sha256:7fccda1ff324927248587007f684dea1db2bfdd6d1943dd9c2d24a4a0ccda33e - op: add path: /spec/template/spec/containers/0/env/- value: name: METRICS_EXPORTER_IMAGE - value: registry.redhat.io/openshift4/ose-sriov-network-metrics-exporter-rhel9@sha256:33821791d1c646669b4d942d681328ac5e792ba39da13140448398230e0caf14 + value: registry.redhat.io/openshift4/ose-sriov-network-metrics-exporter-rhel9@sha256:8ad8a53e0df7112d0f4f0abc373bf24bbec42e3033f5b27dfe9e6be674cef94d - op: add path: /spec/template/spec/containers/0/env/- value: name: METRICS_EXPORTER_KUBE_RBAC_PROXY_IMAGE - value: registry.redhat.io/openshift4/ose-kube-rbac-proxy-rhel9@sha256:3531cbdb9512d8c734ae154a9694632d14e60efbc06fa3a68cc9bd1180a8e3e8 + value: registry.redhat.io/openshift4/ose-kube-rbac-proxy-rhel9@sha256:0299bce77fb9f786465c23efc36aca6557ddea63b9642c2176b17f827addddb2 target: kind: Deployment name: sriov-network-operator diff --git a/assets/optional/sriov/release-sriov-aarch64.json b/assets/optional/sriov/release-sriov-aarch64.json index 88c5863c43..8f84c5e58b 100644 --- a/assets/optional/sriov/release-sriov-aarch64.json +++ b/assets/optional/sriov/release-sriov-aarch64.json 
@@ -1,17 +1,17 @@ { "release": { - "base": "4.21.0-202605200241" + "base": "4.21.0-202605261300" }, "images": { - "metrics-exporter-image": "registry.redhat.io/openshift4/ose-sriov-network-metrics-exporter-rhel9@sha256:e7da6d9a2ba24e20af1ba29bdfbaef8b606b2b4820dc4620599c07311ca35762", - "metrics-exporter-kube-rbac-proxy-image": "registry.redhat.io/openshift4/ose-kube-rbac-proxy-rhel9@sha256:4b69b69236d6ee41ccf24422fa7c407baa593558378702b7384c7c01ff21a85c", - "network-resources-injector-image": "registry.redhat.io/openshift4/ose-sriov-dp-admission-controller-rhel9@sha256:cc6b9e185652895f39472f27c6da521c53d70fbd5137b8ba0cb171d0d32b67e2", - "rdma-cni-image": "registry.redhat.io/openshift4/ose-sriov-rdma-cni-rhel9@sha256:16adb2f8c239ed05e84333a19430fcc5131606888954b130604256081c6ad459", - "sriov-cni-image": "registry.redhat.io/openshift4/sriov-cni-rhel9@sha256:74aeffb1a137054c6c3203a814f8c926e44d22c27e38273bdd564a28a2d5df77", - "sriov-device-plugin-image": "registry.redhat.io/openshift4/ose-sriov-network-device-plugin-rhel9@sha256:e617fc5c01293973db96e4a8f5dc2ba1b60b812881cf562c069ac2d0ea519c2f", - "sriov-infiniband-cni-image": "registry.redhat.io/openshift4/ose-sriov-infiniband-cni-rhel9@sha256:c9068855e766e4e95f941e4151902c3d21be84fcfd364f810c888f12b3dc8de8", - "sriov-network-config-daemon-image": "registry.redhat.io/openshift4/ose-sriov-network-config-daemon-rhel9@sha256:7e53a785922f7dc329dbc85b012e46fd75c367ebb8a43c8ba2a391b3f361b31c", - "sriov-network-operator": "registry.redhat.io/openshift4/ose-sriov-network-rhel9-operator@sha256:a1a0500a8bac2a4f4757c6e48dfb2205162551225c14147147d64c3adb77aa21", - "sriov-network-webhook-image": "registry.redhat.io/openshift4/ose-sriov-network-webhook-rhel9@sha256:6b71695714628b2cc3e21481cb817f72b07c00b0f69f67bd67d5b03f85554306" + "metrics-exporter-image": "registry.redhat.io/openshift4/ose-sriov-network-metrics-exporter-rhel9@sha256:7b7b706bc0c431f1961336b0b205c59ae8b87d89e05d54d038f67e7acfbc241c", + 
"metrics-exporter-kube-rbac-proxy-image": "registry.redhat.io/openshift4/ose-kube-rbac-proxy-rhel9@sha256:22469fe4645b112b9db600a2eb90b93d55ea18ce2da2a8637c50ac781618c495", + "network-resources-injector-image": "registry.redhat.io/openshift4/ose-sriov-dp-admission-controller-rhel9@sha256:162cbf43222d4c7943574f84f59e29f69b6996e1693db85ddee19832441a0718", + "rdma-cni-image": "registry.redhat.io/openshift4/ose-sriov-rdma-cni-rhel9@sha256:e43211c222e1734a5443826afc1f1104b61457ef7b67647e5f608136a355d5d6", + "sriov-cni-image": "registry.redhat.io/openshift4/sriov-cni-rhel9@sha256:71edd9e131252d72242756270e02b75859134de7ccbb49bd109f9b3e349c2367", + "sriov-device-plugin-image": "registry.redhat.io/openshift4/ose-sriov-network-device-plugin-rhel9@sha256:6be7361f4c3a345589994dc785b2cd5da3c8123c6ad56211e4af5de232800f76", + "sriov-infiniband-cni-image": "registry.redhat.io/openshift4/ose-sriov-infiniband-cni-rhel9@sha256:003aaeab02e56e3ea2d46cd0ac875f001f18939915fdd1bb6767a8e67e552877", + "sriov-network-config-daemon-image": "registry.redhat.io/openshift4/ose-sriov-network-config-daemon-rhel9@sha256:6d7ed1bc1504105bbad73bc98c78a19074e81b9ea5fc1a090612086893f5130a", + "sriov-network-operator": "registry.redhat.io/openshift4/ose-sriov-network-rhel9-operator@sha256:d7ee254fc9d47bd5179f76e4122983304ec75b5ea43f4defe2d0f96f04eb8690", + "sriov-network-webhook-image": "registry.redhat.io/openshift4/ose-sriov-network-webhook-rhel9@sha256:5142fd6ea06766233e916ee0564fdb02e75582c8154814da05f66e9695665f35" } } diff --git a/assets/optional/sriov/release-sriov-x86_64.json b/assets/optional/sriov/release-sriov-x86_64.json index dced541166..74ca5c5588 100644 --- a/assets/optional/sriov/release-sriov-x86_64.json +++ b/assets/optional/sriov/release-sriov-x86_64.json 
@@ -1,17 +1,17 @@ { "release": { - "base": "4.21.0-202605200241" + "base": "4.21.0-202605261300" }, "images": { - "metrics-exporter-image": "registry.redhat.io/openshift4/ose-sriov-network-metrics-exporter-rhel9@sha256:33821791d1c646669b4d942d681328ac5e792ba39da13140448398230e0caf14", - "metrics-exporter-kube-rbac-proxy-image": "registry.redhat.io/openshift4/ose-kube-rbac-proxy-rhel9@sha256:3531cbdb9512d8c734ae154a9694632d14e60efbc06fa3a68cc9bd1180a8e3e8", - "network-resources-injector-image": "registry.redhat.io/openshift4/ose-sriov-dp-admission-controller-rhel9@sha256:e9610f603344110f5245368ce4670141d35748d9a4fa535e5e24c534e8199f38", - "rdma-cni-image": "registry.redhat.io/openshift4/ose-sriov-rdma-cni-rhel9@sha256:4d9567b193481c4cbf7667b989265faf6e27369756bb50fbaefda44a56912700", - "sriov-cni-image": "registry.redhat.io/openshift4/sriov-cni-rhel9@sha256:fd7ac1e086d9cf49448b88c36eab2cb1cdd9da08e7071be062c7d8e8e499ee3f", - "sriov-device-plugin-image": "registry.redhat.io/openshift4/ose-sriov-network-device-plugin-rhel9@sha256:c0d8e53931ad08b55d1f7b4b542daeea4f3cfde01a715f4876f444c6e18b2fc7", - "sriov-infiniband-cni-image": "registry.redhat.io/openshift4/ose-sriov-infiniband-cni-rhel9@sha256:a0cd540c80e6409fe850f76538454b523c458b9e6fbaf19e54cb706005eac2de", - "sriov-network-config-daemon-image": "registry.redhat.io/openshift4/ose-sriov-network-config-daemon-rhel9@sha256:09c66ab96ce61ebc27fc2d129d0dfe45b305717f9e361ade85c78ddaa2a34832", - "sriov-network-operator": "registry.redhat.io/openshift4/ose-sriov-network-rhel9-operator@sha256:154224ecb924514505b9ea38350891b22eb44e6f25cdb2ecfeb6fa1fd930b645", - "sriov-network-webhook-image": "registry.redhat.io/openshift4/ose-sriov-network-webhook-rhel9@sha256:715ff1f1a7f056954cc8b88cd9b0feed3bbc914bace96b5d8d4a249f6076fc3b" + "metrics-exporter-image": "registry.redhat.io/openshift4/ose-sriov-network-metrics-exporter-rhel9@sha256:8ad8a53e0df7112d0f4f0abc373bf24bbec42e3033f5b27dfe9e6be674cef94d", + 
"metrics-exporter-kube-rbac-proxy-image": "registry.redhat.io/openshift4/ose-kube-rbac-proxy-rhel9@sha256:0299bce77fb9f786465c23efc36aca6557ddea63b9642c2176b17f827addddb2", + "network-resources-injector-image": "registry.redhat.io/openshift4/ose-sriov-dp-admission-controller-rhel9@sha256:671dd3ee25bb4a24ec5741cbb6b5d168d7af4e4e7e90a332913552ff6576efa0", + "rdma-cni-image": "registry.redhat.io/openshift4/ose-sriov-rdma-cni-rhel9@sha256:7fccda1ff324927248587007f684dea1db2bfdd6d1943dd9c2d24a4a0ccda33e", + "sriov-cni-image": "registry.redhat.io/openshift4/sriov-cni-rhel9@sha256:309f2975276b6407402bd1ac0ef7a07e809845a33259283c28925ee2321271e8", + "sriov-device-plugin-image": "registry.redhat.io/openshift4/ose-sriov-network-device-plugin-rhel9@sha256:479a1835efcb315af7681a0c6e9cb959570e850a4cb5844a797390e27cd619c6", + "sriov-infiniband-cni-image": "registry.redhat.io/openshift4/ose-sriov-infiniband-cni-rhel9@sha256:77c3b55e366168b1eb1dbdf9482595d547b8cc0a69a1655a34c873c0d3487cab", + "sriov-network-config-daemon-image": "registry.redhat.io/openshift4/ose-sriov-network-config-daemon-rhel9@sha256:837d9b0b190a87e6037babecde6c7667f9e69fd044620da0fc795881b6a42ad7", + "sriov-network-operator": "registry.redhat.io/openshift4/ose-sriov-network-rhel9-operator@sha256:568d7734e5bd64f9bd74b836810c1b89f2f481a4eb403d93b218604fa8a5ee62", + "sriov-network-webhook-image": "registry.redhat.io/openshift4/ose-sriov-network-webhook-rhel9@sha256:cc70de95764cdd38fd41500e34e40640782095a84a12a797981946a95dbfdd83" } } diff --git a/assets/release/release-aarch64.json b/assets/release/release-aarch64.json index 7badaabd6c..bb6df15a75 100644 --- a/assets/release/release-aarch64.json +++ b/assets/release/release-aarch64.json 
@@ -1,16 +1,16 @@ { "release": { - "base": "5.0.0-0.nightly-arm64-2026-06-04-190103" + "base": "5.0.0-0.nightly-arm64-2026-06-08-012537" }, "images": { - "cli": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:55907bd20ec3842c334cf0226d4d28df82d4957f3f71213a574ad766da99cf17", - "coredns": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:7c4e908fe93c8708a99301c9a0ef14759411f78e6c5a808fc596be08442827b2", - "haproxy-router": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:0e9dc401a27f987fd240c57853e762f3b27c433d7eb54d71e7ecad107cd9ed2f", - "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:793a8dbe8247852c605ad6bebb039641eeef1a84842d7661a7ec3c8c2c8617fb", - "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:62054084006a6e09fd13a3f7dfcba6e31c87ef38cfe7e7d85d1531ca9bb8b056", - "pod": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:bc19885aeb4dd9c3bb8157fa3f5fbb5e7b2e26eb221fbf9bdecbd93a1b454c2f", - "service-ca-operator": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:a8cd2a992324089c2a52ce09313c0442db7f6af34f65ec44e5ab63ea13e3ed2d", + "cli": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:8deefd23f1cbe8d90b402339c8994713f9f69b42a9eedf650242aee931c52332", + "coredns": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:9b4ff4b42daa59161c64e29110990905767a293dd7ae55de0aee9b9a33f88c35", + "haproxy-router": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:23035e2ef5fcd9b95d35f4c14f37f6e171073ea1d15087f0e7b8a241888bcd8d", + "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:a51e40c312acb95b55559b8228df6f5f65a04e688a2aa6f09ff60d1d9df6397c", + "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:09d2c523bdd6601e849aef780c9b0586101338046f228fd1d2babcd6719ac619", + "pod": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:89c0dee8fad6277b67d933b367b827b89d5d5556effb0c3df04136bdd500ebb4", + "service-ca-operator": 
"quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:9f571f62b8a9eb084b93ffc5d58be803e58a0e037391e2cbf59b77e94a0745bb", "lvms_operator": "registry.redhat.io/lvms4/lvms-rhel9-operator@sha256:e77365e44676fbd8ab9e4ce53f3a406856bbdfef3467c545a7df1197d84477af", - "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:22423c0373c6bcfd931e95be278c6f74d7c4b36a0d7967662dca02cd86243b5b" + "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:81ae2684e75f5b7948f9750d9e2853103602fa69d9c5fbb4ed30b195d9ea2f64" } } diff --git a/assets/release/release-x86_64.json b/assets/release/release-x86_64.json index 8b6834d8f6..816770e851 100644 --- a/assets/release/release-x86_64.json +++ b/assets/release/release-x86_64.json 
@@ -1,16 +1,16 @@ { "release": { - "base": "5.0.0-0.nightly-2026-06-04-190102" + "base": "5.0.0-0.nightly-2026-06-07-132537" }, "images": { - "cli": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:76b2782a71641225901307dee52db196138ce2fda3dd21214a7239a6c87c76cd", - "coredns": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:aee08a2b05d706e5fc35a9f2672207d86c15ce32126706f19a57f984004e289d", - "haproxy-router": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:42a9650f03b6db9f60ef77c7c86bd3ab26b45c8ccb6b60725812f7e145aecf95", - "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:b2f55f068d30a61367962c5af6c43d399a5ecba5b1ba24749c2268131ba4ed98", - "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:26cceed0404a6663a8b4c6b7770ca2331913ac20bed03a361d09c4a049386085", - "pod": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:c88bf8c8745f9140316f2be4fe922ece86ebd99083e7c5ee942540bcbee12c0a", - "service-ca-operator": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:44d9a33c6699de6a47288c50f87bda2a87859568ac4b1c11256959167cf27bfb", + "cli": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:96c4bfe15029ca7ed406b4a0cb5c9baad5b0a4074f45227fa2471613cd9f18f7", + "coredns": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:7855fc379cb5132a46297e8eb1ab6ef79519c6c5b7197a67efe92f9c4446a77d", + "haproxy-router": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:b6328004015f0b0367b4f345a8a985fbe7310ae06f8a6d16ce798ee5c7bc899e", + "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:694eff563bee1f5c0366c51b9adb17f3ff563199075a162c1587639b04b6f918", + "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:434a1eb0d9d8cfa841791514bd4cafe51e27b2ba3cb52ee906a0bde5b300c1b8", + "pod": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:f80444cc3da6b00878bbbea034b4122d40e88ce47aa00486d6874d8a49a2dfd1", + "service-ca-operator": 
"quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:1f972056e73eae5769a2aef0a68f8ea0ad796c953e7a03909cda2312fb759a62", "lvms_operator": "registry.redhat.io/lvms4/lvms-rhel9-operator@sha256:10c9ccab4f2857d113b55e12cac29aed0dc97d5a4e29ed2e4ea0f77551ee55f8", - "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:b2ddaffd296f87873e3a2f1b486bad33b865eb03678e4a8d4ebc0616a8c475da" + "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:5e138693e4635a21ec4b037759ec023a72102601cd43af51512bc5ca589d266a" } } diff --git a/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/cache/volumecache.go b/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/cache/volumecache.go index 4b19c985c8..ebd756584c 100644 --- a/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/cache/volumecache.go +++ b/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/cache/volumecache.go @@ -17,12 +17,15 @@ limitations under the License. package cache import ( + "slices" "sort" "sync" v1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/util/sets" "k8s.io/client-go/tools/cache" "k8s.io/klog/v2" + "k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/internal/parse" "k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/translator" ) @@ -45,8 +48,8 @@ type VolumeCache interface { // change their SELinux support dynamically. GetPodsForCSIDriver(driverName string) []cache.ObjectName - // SendConflicts sends all current conflicts to the given channel. - SendConflicts(logger klog.Logger, ch chan<- Conflict) + // GetConflicts returns the current set of active conflicts (both directions). + GetConflicts(logger klog.Logger) []Conflict } // VolumeCache stores all volumes used by Pods and their properties that the controller needs to track, 
@@ -56,6 +59,11 @@ type volumeCache struct { seLinuxTranslator *translator.ControllerSELinuxTranslator // All volumes of all existing Pods. volumes map[v1.UniqueVolumeName]usedVolume + // Reverse index: maps each pod to the list of volumes it uses. + // The index is used during pod deletion. + podToVolumes map[cache.ObjectName]sets.Set[v1.UniqueVolumeName] + // Currently active conflicts per volume (both directions, symmetric pairs). + conflicts map[v1.UniqueVolumeName][]Conflict } var _ VolumeCache = &volumeCache{} @@ -65,6 +73,8 @@ func NewVolumeLabelCache(seLinuxTranslator *translator.ControllerSELinuxTranslat return &volumeCache{ seLinuxTranslator: seLinuxTranslator, volumes: make(map[v1.UniqueVolumeName]usedVolume), + podToVolumes: make(map[cache.ObjectName]sets.Set[v1.UniqueVolumeName]), + conflicts: make(map[v1.UniqueVolumeName][]Conflict), } } @@ -81,6 +91,8 @@ type podInfo struct { // SELinux seLinuxLabel to be applied to the volume in the Pod. // Either as mount option or recursively by the container runtime. seLinuxLabel string + // Pre-parsed SELinux label parts for fast conflict detection. + seLinuxParts [4]string // SELinuxChangePolicy of the Pod. changePolicy v1.PodSELinuxChangePolicy } @@ -89,6 +101,7 @@ func newPodInfoListForPod(podKey cache.ObjectName, seLinuxLabel string, changePo return map[cache.ObjectName]podInfo{ podKey: { seLinuxLabel: seLinuxLabel, + seLinuxParts: parse.ParseSELinuxLabel(seLinuxLabel), changePolicy: changePolicy, }, } @@ -110,12 +123,16 @@ func (c *volumeCache) AddVolume(logger klog.Logger, volumeName v1.UniqueVolumeNa pods: newPodInfoListForPod(podKey, label, changePolicy), } c.volumes[volumeName] = volume + + // Add to reverse index + c.registerPodVolume(podKey, volumeName) return conflicts } // The volume is already known podInfo := podInfo{ seLinuxLabel: label, + seLinuxParts: parse.ParseSELinuxLabel(label), changePolicy: changePolicy, } oldPodInfo, found := volume.pods[podKey] 
@@ -128,6 +145,9 @@ func (c *volumeCache) AddVolume(logger klog.Logger, volumeName v1.UniqueVolumeNa // Add the updated pod info to the cache volume.pods[podKey] = podInfo + // Add to reverse index + c.registerPodVolume(podKey, volumeName) + // Emit conflicts for the pod for otherPodKey, otherPodInfo := range volume.pods { if otherPodInfo.changePolicy != changePolicy { @@ -147,8 +167,9 @@ func (c *volumeCache) AddVolume(logger klog.Logger, volumeName v1.UniqueVolumeNa OtherPod: podKey, OtherPropertyValue: string(changePolicy), }) + } - if c.seLinuxTranslator.Conflicts(otherPodInfo.seLinuxLabel, label) { + if c.seLinuxTranslator.ConflictsParsed(otherPodInfo.seLinuxParts, podInfo.seLinuxParts) { // Send conflict to both pods conflicts = append(conflicts, Conflict{ PropertyName: "SELinuxLabel", @@ -167,6 +188,21 @@ func (c *volumeCache) AddVolume(logger klog.Logger, volumeName v1.UniqueVolumeNa }) } } + // Update the conflict cache for this volume: remove stale conflicts for this pod, then add new ones + volumeConflicts := c.conflicts[volumeName] + updated := make([]Conflict, 0, len(volumeConflicts)) + for _, existing := range volumeConflicts { + if existing.Pod != podKey && existing.OtherPod != podKey { + updated = append(updated, existing) + } + } + updated = append(updated, conflicts...) + if len(updated) == 0 { + delete(c.conflicts, volumeName) + } else { + c.conflicts[volumeName] = updated + } + return conflicts } 
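Review bot: The stale-conflict filter added at the end of AddVolume (`existing.Pod != podKey && existing.OtherPod != podKey`, followed by delete-or-store) is written out a second time in the DeletePod hunk, so the two copies of the pruning rule can drift apart. The conflict map is what GetConflicts returns, so a divergence would surface as stale or missing SELinux conflict reports. One helper called from both places while c.mutex is held keeps the rule in a single spot, and `slices` is already imported by this commit. AddVolume starts outside this hunk.

```go
// pruneConflictsForPod drops every cached conflict on volumeName that involves podKey.
// Make sure to hold c.mutex when calling this function.
func (c *volumeCache) pruneConflictsForPod(volumeName v1.UniqueVolumeName, podKey cache.ObjectName) {
	kept := slices.DeleteFunc(c.conflicts[volumeName], func(existing Conflict) bool {
		return existing.Pod == podKey || existing.OtherPod == podKey
	})
	if len(kept) == 0 {
		delete(c.conflicts, volumeName)
		return
	}
	c.conflicts[volumeName] = kept
}

// … unchanged: AddVolume up to the end of the conflict loop …
	c.pruneConflictsForPod(volumeName, podKey)
	if len(conflicts) > 0 {
		c.conflicts[volumeName] = append(c.conflicts[volumeName], conflicts...)
	}
	return conflicts
```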
@@ -176,12 +212,47 @@ func (c *volumeCache) DeletePod(logger klog.Logger, podKey cache.ObjectName) { defer c.mutex.Unlock() defer c.dump(logger) - for volumeName, volume := range c.volumes { + for volumeName := range c.podToVolumes[podKey] { + conflicts, found := c.conflicts[volumeName] + if !found { + continue + } + updated := make([]Conflict, 0, len(conflicts)) + for _, existing := range conflicts { + // preserve other conflicts belonging to volume + if existing.Pod != podKey && existing.OtherPod != podKey { + updated = append(updated, existing) + } + } + if len(updated) == 0 { + delete(c.conflicts, volumeName) + } else { + c.conflicts[volumeName] = updated + } + } + + // Use reverse index to only iterate through volumes this pod actually uses. + for volumeName := range c.podToVolumes[podKey] { + volume, found := c.volumes[volumeName] + if !found { + continue + } delete(volume.pods, podKey) if len(volume.pods) == 0 { delete(c.volumes, volumeName) } } + delete(c.podToVolumes, podKey) +} + +// registerPodVolume adds volumeName to the pod volume index. +// Make sure to hold c.mutex when calling this function. +func (c *volumeCache) registerPodVolume(podKey cache.ObjectName, volumeName v1.UniqueVolumeName) { + if podVolumes, ok := c.podToVolumes[podKey]; ok { + podVolumes.Insert(volumeName) + } else { + c.podToVolumes[podKey] = sets.New(volumeName) + } } func (c *volumeCache) dump(logger klog.Logger) { 
@@ -215,6 +286,22 @@ func (c *volumeCache) dump(logger klog.Logger) { logger.Info(" pod", "pod", podKey, "seLinuxLabel", podInfo.seLinuxLabel, "changePolicy", podInfo.changePolicy) } } + + // Collect all pods, sort them and print the associated volumes. + podKeys := make([]cache.ObjectName, 0, len(c.podToVolumes)) + for podKey := range c.podToVolumes { + podKeys = append(podKeys, podKey) + } + sort.Slice(podKeys, func(i, j int) bool { + return podKeys[i].String() < podKeys[j].String() + }) + + logger.Info("VolumeCache reverse index dump:") + for _, podKey := range podKeys { + podVolumes := sets.List(c.podToVolumes[podKey]) + slices.Sort(podVolumes) + logger.Info(" pod", "pod", podKey, "volumes", podVolumes) + } } // GetPodsForCSIDriver returns all pods that use volumes with the given CSI driver. 
@@ -234,42 +321,16 @@ func (c *volumeCache) GetPodsForCSIDriver(driverName string) []cache.ObjectName return pods } -// SendConflicts sends all current conflicts to the given channel. -func (c *volumeCache) SendConflicts(logger klog.Logger, ch chan<- Conflict) { +// GetConflicts returns the current set of active conflicts (both directions, symmetric pairs). +func (c *volumeCache) GetConflicts(logger klog.Logger) []Conflict { c.mutex.RLock() defer c.mutex.RUnlock() logger.V(4).Info("Scraping conflicts") c.dump(logger) - for _, volume := range c.volumes { - // compare pods that use the same volume with each other - for podKey, podInfo := range volume.pods { - for otherPodKey, otherPodInfo := range volume.pods { - if podKey == otherPodKey { - continue - } - // create conflict only for the first pod. The other pod will get the same conflict in its own iteration of `volume.pods` loop. - if podInfo.changePolicy != otherPodInfo.changePolicy { - ch <- Conflict{ - PropertyName: "SELinuxChangePolicy", - EventReason: "SELinuxChangePolicyConflict", - Pod: podKey, - PropertyValue: string(podInfo.changePolicy), - OtherPod: otherPodKey, - OtherPropertyValue: string(otherPodInfo.changePolicy), - } - } - if c.seLinuxTranslator.Conflicts(podInfo.seLinuxLabel, otherPodInfo.seLinuxLabel) { - ch <- Conflict{ - PropertyName: "SELinuxLabel", - EventReason: "SELinuxLabelConflict", - Pod: podKey, - PropertyValue: podInfo.seLinuxLabel, - OtherPod: otherPodKey, - OtherPropertyValue: otherPodInfo.seLinuxLabel, - } - } - } - } + result := sets.New[Conflict]() + for _, volConflicts := range c.conflicts { + result.Insert(volConflicts...) } + return result.UnsortedList() } diff --git a/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/cache/volumecache_test.go b/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/cache/volumecache_test.go index 5bba301b69..55a82d0ec2 100644 
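Review bot: The new doc comment on GetConflicts does not say that the result is deduplicated and unordered, although the body collects everything into `sets.New[Conflict]()` and returns `UnsortedList()`. Identical conflicts recorded under different volumes therefore collapse into one entry, and two calls can return the same conflicts in a different order. I would add `// Conflicts recorded for several volumes are reported once; the order of the result is not stable.` so that callers which emit events or compare results know to sort first.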
--- a/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/cache/volumecache_test.go +++ b/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/cache/volumecache_test.go @@ -25,6 +25,7 @@ import ( "k8s.io/client-go/tools/cache" "k8s.io/klog/v2" "k8s.io/klog/v2/ktesting" + "k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/internal/parse" "k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/translator" ) @@ -45,6 +46,39 @@ func sortConflicts(conflicts []Conflict) { }) } +// verifyReverseIndexConsistency checks that forward and reverse indexes are symmetric +func verifyReverseIndexConsistency(t *testing.T, c *volumeCache) { + t.Helper() + + // For every (pod, volume) in reverse index, verify it exists in forward index. + for podKey, volumes := range c.podToVolumes { + for volumeName := range volumes { + volume, found := c.volumes[volumeName] + if !found { + t.Errorf("Reverse index has pod %s -> volume %s, but volume not in forward index", podKey, volumeName) + continue + } + if _, found := volume.pods[podKey]; !found { + t.Errorf("Reverse index has pod %s -> volume %s, but pod not in volume's pod list", podKey, volumeName) + } + } + } + + // For every (volume, pod) in forward index, verify it exists in reverse index. + for volumeName, volume := range c.volumes { + for podKey := range volume.pods { + podVolumes, found := c.podToVolumes[podKey] + if !found { + t.Errorf("Forward index has volume %s -> pod %s, but pod not in reverse index", volumeName, podKey) + continue + } + if _, found := podVolumes[volumeName]; !found { + t.Errorf("Forward index has volume %s -> pod %s, but volume not in pod's volume list", volumeName, podKey) + } + } + } +} + // Delete all items in a bigger cache and check it's empty func TestVolumeCache_DeleteAll(t *testing.T) { var podsToDelete []cache.ObjectName 
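Review bot: verifyReverseIndexConsistency compares `c.volumes` with `c.podToVolumes` only, so the third derived structure this commit adds, `c.conflicts`, has no invariant check in the tests. A conflict left behind for a pod that no longer uses the volume would keep being reported by GetConflicts, and only the specific scenarios in the new tests would catch it. A companion helper, called wherever verifyReverseIndexConsistency is called, can assert that every cached conflict names pods still present in the volume's pod list and that no empty entries are kept.

```go
// verifyConflictCacheConsistency checks that every cached conflict refers to
// pods that still use the volume it is stored under.
func verifyConflictCacheConsistency(t *testing.T, c *volumeCache) {
	t.Helper()

	for volumeName, conflicts := range c.conflicts {
		if len(conflicts) == 0 {
			t.Errorf("Conflict cache keeps an empty entry for volume %s", volumeName)
		}
		volume, found := c.volumes[volumeName]
		if !found {
			t.Errorf("Conflict cache has volume %s, but volume not in forward index", volumeName)
			continue
		}
		for _, conflict := range conflicts {
			if _, found := volume.pods[conflict.Pod]; !found {
				t.Errorf("Conflict on volume %s names pod %s, but pod not in volume's pod list", volumeName, conflict.Pod)
			}
			if _, found := volume.pods[conflict.OtherPod]; !found {
				t.Errorf("Conflict on volume %s names pod %s, but pod not in volume's pod list", volumeName, conflict.OtherPod)
			}
		}
	}
}
```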
@@ -69,6 +103,8 @@ func TestVolumeCache_DeleteAll(t *testing.T) { t.Log("Before deleting all pods:") c.dump(dumpLogger) + verifyReverseIndexConsistency(t, c) + // Act: delete all pods for _, podKey := range podsToDelete { c.DeletePod(logger, podKey) @@ -79,6 +115,12 @@ func TestVolumeCache_DeleteAll(t *testing.T) { t.Errorf("Expected cache to be empty, got %d volumes", len(c.volumes)) c.dump(dumpLogger) } + + // Assert: the reverse index is also empty + if len(c.podToVolumes) != 0 { + t.Errorf("Expected reverse index to be empty, got %d pods", len(c.podToVolumes)) + } + verifyReverseIndexConsistency(t, c) } type podWithVolume struct { @@ -105,8 +147,8 @@ func addReverseConflict(conflicts []Conflict) []Conflict { return newConflicts } -// Test AddVolume and SendConflicts together, they both provide []conflict with the same data -func TestVolumeCache_AddVolumeSendConflicts(t *testing.T) { +// Test that AddVolume and GetConflicts return the same []conflict data +func TestVolumeCache_AddVolumeGetConflicts(t *testing.T) { existingPods := []podWithVolume{ { podNamespace: "ns1", 
@@ -436,33 +478,232 @@ func TestVolumeCache_AddVolumeSendConflicts(t *testing.T) { } expectedPodInfo := podInfo{ seLinuxLabel: tt.podToAdd.label, + seLinuxParts: parse.ParseSELinuxLabel(tt.podToAdd.label), changePolicy: tt.podToAdd.changePolicy, } if !reflect.DeepEqual(existingInfo, expectedPodInfo) { t.Errorf("pod %s has unexpected info: %+v", podKey, existingInfo) } - // Act again: get the conflicts via SendConflicts - ch := make(chan Conflict) - go func() { - c.SendConflicts(logger, ch) - close(ch) - }() + // Verify reverse index consistency + verifyReverseIndexConsistency(t, c) - // Assert - receivedConflicts := []Conflict{} - for c := range ch { - receivedConflicts = append(receivedConflicts, c) - } + // Verify that GetConflicts returns the same conflicts + receivedConflicts := c.GetConflicts(logger) sortConflicts(receivedConflicts) if !reflect.DeepEqual(receivedConflicts, expectedConflicts) { - t.Errorf("SendConflicts returned unexpected conflicts: %+v", receivedConflicts) + t.Errorf("GetConflicts returned unexpected conflicts: %+v", receivedConflicts) c.dump(dumpLogger) } }) } } +// Test that conflicts are tracked per-volume: a pod with conflicts on +// multiple volumes retains all of them after successive AddVolume calls. 
+func TestVolumeCache_MultiVolumeConflicts(t *testing.T) { + logger, _ := getTestLoggers(t) + seLinuxTranslator := &translator.ControllerSELinuxTranslator{} + c := NewVolumeLabelCache(seLinuxTranslator).(*volumeCache) + + podA := cache.ObjectName{Namespace: "ns", Name: "podA"} + podB := cache.ObjectName{Namespace: "ns", Name: "podB"} + podC := cache.ObjectName{Namespace: "ns", Name: "podC"} + + // podB uses vol1 with label1 + c.AddVolume(logger, "vol1", podB, "system_u:system_r:labelB", v1.SELinuxChangePolicyMountOption, "driver1") + // podC uses vol2 with label2 + c.AddVolume(logger, "vol2", podC, "system_u:system_r:labelC", v1.SELinuxChangePolicyMountOption, "driver1") + + // podA uses vol1 with a different label (conflict with podB) + conflicts1 := c.AddVolume(logger, "vol1", podA, "system_u:system_r:labelA", v1.SELinuxChangePolicyMountOption, "driver1") + if len(conflicts1) == 0 { + t.Fatal("Expected conflicts on vol1 between podA and podB") + } + + // podA also uses vol2 with a different label (conflict with podC) + conflicts2 := c.AddVolume(logger, "vol2", podA, "system_u:system_r:labelA", v1.SELinuxChangePolicyMountOption, "driver1") + if len(conflicts2) == 0 { + t.Fatal("Expected conflicts on vol2 between podA and podC") + } + + // GetConflicts must return conflicts from BOTH volumes + allConflicts := c.GetConflicts(logger) + expectedCount := len(conflicts1) + len(conflicts2) + if len(allConflicts) != expectedCount { + t.Errorf("GetConflicts returned %d conflicts, expected %d (vol1: %d + vol2: %d)", + len(allConflicts), expectedCount, len(conflicts1), len(conflicts2)) + } + + // After deleting podA, all conflicts should be gone + c.DeletePod(logger, podA) + remaining := c.GetConflicts(logger) + if len(remaining) != 0 { + t.Errorf("Expected no conflicts after deleting podA, got %d: %+v", len(remaining), remaining) + } + + // Verify deduplication: podD and podE conflict on two volumes with the same labels. 
+ // Identical Conflict entries from different volumes must be deduplicated by GetConflicts. + podD := cache.ObjectName{Namespace: "ns", Name: "podD"} + podE := cache.ObjectName{Namespace: "ns", Name: "podE"} + + c.AddVolume(logger, "vol3", podD, "system_u:system_r:labelD", v1.SELinuxChangePolicyMountOption, "driver1") + c.AddVolume(logger, "vol4", podD, "system_u:system_r:labelD", v1.SELinuxChangePolicyMountOption, "driver1") + + conflictsVol3 := c.AddVolume(logger, "vol3", podE, "system_u:system_r:labelE", v1.SELinuxChangePolicyMountOption, "driver1") + conflictsVol4 := c.AddVolume(logger, "vol4", podE, "system_u:system_r:labelE", v1.SELinuxChangePolicyMountOption, "driver1") + + if len(conflictsVol3) != len(conflictsVol4) { + t.Fatalf("Expected same number of conflicts from vol3 and vol4 (%d vs %d)", len(conflictsVol3), len(conflictsVol4)) + } + if len(conflictsVol3) == 0 { + t.Fatal("Expected conflicts between podD and podE") + } + + allConflicts = c.GetConflicts(logger) + deCount := 0 + for _, conflict := range allConflicts { + if conflict.Pod == podD || conflict.Pod == podE || conflict.OtherPod == podD || conflict.OtherPod == podE { + deCount++ + } + } + if deCount != len(conflictsVol3) { + t.Errorf("Expected %d deduplicated conflicts for podD/podE (from 2 volumes), got %d", len(conflictsVol3), deCount) + } +} + +func TestVolumeCache_DeletePodConflicts(t *testing.T) { + podA := cache.ObjectName{Namespace: "ns", Name: "podA"} + podB := cache.ObjectName{Namespace: "ns", Name: "podB"} + podC := cache.ObjectName{Namespace: "ns", Name: "podC"} + podD := cache.ObjectName{Namespace: "ns", Name: "podD"} + + tests := []struct { + name string + // Pods to add before deletion. + initialPods []podWithVolume + // Pod to delete. + podToDelete cache.ObjectName + // If true, delete the pod a second time to verify idempotency. + deleteTwice bool + // Pod pairs that must still have symmetric conflicts after deletion. 
+ // Each pair [2]cache.ObjectName expects both (A→B) and (B→A) to be present. + expectedSurvivingPairs [][2]cache.ObjectName + }{ + { + name: "delete one of two conflicting pods clears all conflicts", + initialPods: []podWithVolume{ + {podNamespace: "ns", podName: "podA", volumeName: "vol1", label: "system_u:system_r:labelA", changePolicy: v1.SELinuxChangePolicyMountOption}, + {podNamespace: "ns", podName: "podB", volumeName: "vol1", label: "system_u:system_r:labelB", changePolicy: v1.SELinuxChangePolicyMountOption}, + }, + podToDelete: podA, + expectedSurvivingPairs: nil, + }, + { + name: "delete non-conflicting pod preserves existing conflicts", + initialPods: []podWithVolume{ + {podNamespace: "ns", podName: "podA", volumeName: "vol1", label: "system_u:system_r:labelA", changePolicy: v1.SELinuxChangePolicyMountOption}, + {podNamespace: "ns", podName: "podB", volumeName: "vol1", label: "system_u:system_r:labelB", changePolicy: v1.SELinuxChangePolicyMountOption}, + {podNamespace: "ns", podName: "podC", volumeName: "vol2", label: "system_u:system_r:labelC", changePolicy: v1.SELinuxChangePolicyMountOption}, + }, + podToDelete: podC, + expectedSurvivingPairs: [][2]cache.ObjectName{{podA, podB}}, + }, + { + name: "three pods on same volume delete one leaves remaining pair conflict", + initialPods: []podWithVolume{ + {podNamespace: "ns", podName: "podA", volumeName: "vol1", label: "system_u:system_r:labelA", changePolicy: v1.SELinuxChangePolicyMountOption}, + {podNamespace: "ns", podName: "podB", volumeName: "vol1", label: "system_u:system_r:labelB", changePolicy: v1.SELinuxChangePolicyMountOption}, + {podNamespace: "ns", podName: "podC", volumeName: "vol1", label: "system_u:system_r:labelC", changePolicy: v1.SELinuxChangePolicyMountOption}, + }, + podToDelete: podA, + expectedSurvivingPairs: [][2]cache.ObjectName{{podB, podC}}, + }, + { + name: "delete pod with conflicts on multiple volumes", + initialPods: []podWithVolume{ + {podNamespace: "ns", podName: "podB", 
volumeName: "vol1", label: "system_u:system_r:labelB", changePolicy: v1.SELinuxChangePolicyMountOption}, + {podNamespace: "ns", podName: "podC", volumeName: "vol2", label: "system_u:system_r:labelC", changePolicy: v1.SELinuxChangePolicyMountOption}, + {podNamespace: "ns", podName: "podA", volumeName: "vol1", label: "system_u:system_r:labelA", changePolicy: v1.SELinuxChangePolicyMountOption}, + {podNamespace: "ns", podName: "podA", volumeName: "vol2", label: "system_u:system_r:labelA", changePolicy: v1.SELinuxChangePolicyMountOption}, + }, + podToDelete: podA, + expectedSurvivingPairs: nil, + }, + { + name: "delete pod preserves conflicts on unrelated volumes", + initialPods: []podWithVolume{ + {podNamespace: "ns", podName: "podA", volumeName: "vol1", label: "system_u:system_r:labelA", changePolicy: v1.SELinuxChangePolicyMountOption}, + {podNamespace: "ns", podName: "podB", volumeName: "vol1", label: "system_u:system_r:labelB", changePolicy: v1.SELinuxChangePolicyMountOption}, + {podNamespace: "ns", podName: "podC", volumeName: "vol2", label: "system_u:system_r:labelC", changePolicy: v1.SELinuxChangePolicyMountOption}, + {podNamespace: "ns", podName: "podD", volumeName: "vol2", label: "system_u:system_r:labelD", changePolicy: v1.SELinuxChangePolicyMountOption}, + }, + podToDelete: podA, + expectedSurvivingPairs: [][2]cache.ObjectName{{podC, podD}}, + }, + { + name: "delete pod that was already deleted is a no-op", + initialPods: []podWithVolume{ + {podNamespace: "ns", podName: "podA", volumeName: "vol1", label: "system_u:system_r:labelA", changePolicy: v1.SELinuxChangePolicyMountOption}, + {podNamespace: "ns", podName: "podB", volumeName: "vol1", label: "system_u:system_r:labelB", changePolicy: v1.SELinuxChangePolicyMountOption}, + }, + podToDelete: podA, + deleteTwice: true, + expectedSurvivingPairs: nil, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + logger, _ := getTestLoggers(t) + seLinuxTranslator := 
&translator.ControllerSELinuxTranslator{} + c := NewVolumeLabelCache(seLinuxTranslator).(*volumeCache) + + for _, pod := range tt.initialPods { + c.AddVolume(logger, pod.volumeName, cache.ObjectName{Namespace: pod.podNamespace, Name: pod.podName}, pod.label, pod.changePolicy, "driver1") + } + + c.DeletePod(logger, tt.podToDelete) + if tt.deleteTwice { + c.DeletePod(logger, tt.podToDelete) + } + + remaining := c.GetConflicts(logger) + + // Deleted pod must not appear in any conflict + for _, conflict := range remaining { + if conflict.Pod == tt.podToDelete || conflict.OtherPod == tt.podToDelete { + t.Errorf("found conflict involving deleted pod %s: %+v", tt.podToDelete, conflict) + } + } + + // Verify each expected surviving pair exists in both directions + for _, pair := range tt.expectedSurvivingPairs { + hasForward := false + hasReverse := false + for _, conflict := range remaining { + if conflict.Pod == pair[0] && conflict.OtherPod == pair[1] { + hasForward = true + } + if conflict.Pod == pair[1] && conflict.OtherPod == pair[0] { + hasReverse = true + } + } + if !hasForward || !hasReverse { + t.Errorf("expected symmetric conflict between %s and %s, got %+v", pair[0], pair[1], remaining) + } + } + + // If no pairs are expected, there should be no conflicts at all + if len(tt.expectedSurvivingPairs) == 0 && len(remaining) != 0 { + t.Errorf("expected no conflicts, got %+v", remaining) + } + + verifyReverseIndexConsistency(t, c) + }) + } +} + func TestVolumeCache_GetPodsForCSIDriver(t *testing.T) { seLinuxTranslator := &translator.ControllerSELinuxTranslator{} c := NewVolumeLabelCache(seLinuxTranslator).(*volumeCache) diff --git a/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/internal/parse/selinux_label.go b/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/internal/parse/selinux_label.go new file mode 100644 index 0000000000..0fd48ed8b6 --- /dev/null 
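Review bot: None of the tests added in this hunk re-adds an existing pod to a volume with a changed label, so the "remove stale conflicts for this pod" step at the end of AddVolume is only reached when there is nothing to remove. Table cases of TestVolumeCache_AddVolumeGetConflicts that lie outside this hunk may cover it, but that cannot be confirmed from here. If that step regressed, a pod whose label was corrected would keep appearing in GetConflicts and in the conflict metric. A short dedicated test pins that behaviour.

```go
// Re-adding a pod with a label that no longer conflicts must drop its cached conflicts.
func TestVolumeCache_UpdatePodClearsConflicts(t *testing.T) {
	logger, _ := getTestLoggers(t)
	seLinuxTranslator := &translator.ControllerSELinuxTranslator{}
	c := NewVolumeLabelCache(seLinuxTranslator).(*volumeCache)

	podA := cache.ObjectName{Namespace: "ns", Name: "podA"}
	podB := cache.ObjectName{Namespace: "ns", Name: "podB"}

	c.AddVolume(logger, "vol1", podB, "system_u:system_r:labelB", v1.SELinuxChangePolicyMountOption, "driver1")
	if conflicts := c.AddVolume(logger, "vol1", podA, "system_u:system_r:labelA", v1.SELinuxChangePolicyMountOption, "driver1"); len(conflicts) == 0 {
		t.Fatal("Expected conflicts on vol1 between podA and podB")
	}

	// podA is updated to the label podB already uses.
	c.AddVolume(logger, "vol1", podA, "system_u:system_r:labelB", v1.SELinuxChangePolicyMountOption, "driver1")
	if remaining := c.GetConflicts(logger); len(remaining) != 0 {
		t.Errorf("Expected no conflicts after podA label update, got %+v", remaining)
	}
	verifyReverseIndexConsistency(t, c)
}
```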
+++ b/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/internal/parse/selinux_label.go @@ -0,0 +1,32 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package parse + +import "strings" + +// ParseSELinuxLabel parses a SELinux label string into its components. +// Format: "user:role:type:level" -> [user, role, type, level] +// Missing components are represented as empty strings. +func ParseSELinuxLabel(label string) [4]string { + var parts [4]string + if label == "" { + return parts + } + split := strings.SplitN(label, ":", 4) + copy(parts[:], split) + return parts +} diff --git a/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/internal/parse/selinux_label_test.go b/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/internal/parse/selinux_label_test.go new file mode 100644 index 0000000000..e82feed748 --- /dev/null +++ b/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/internal/parse/selinux_label_test.go 
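Review bot: The doc comment on ParseSELinuxLabel gives the format as `user:role:type:level`, but it does not say that the fourth element keeps every remaining colon or that no component is validated. That is how `strings.SplitN(label, ":", 4)` followed by `copy` behaves. Because the parsed parts are now stored on each podInfo and compared directly, I would add `// The level element keeps any further colons (for example "s0:c0,c1"); components are not validated.` to make that contract explicit. The `label == ""` early return produces the same array as the general path and could be dropped.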
@@ -0,0 +1,106 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package parse + +import ( + "reflect" + "testing" +) + +func TestParseSELinuxLabel(t *testing.T) { + tests := []struct { + name string + label string + expectedParts []string + }{ + { + name: "empty label", + label: "", + expectedParts: []string{"", "", "", ""}, + }, + { + name: "complete label with all components", + label: "system_u:system_r:container_t:s0:c0,c1", + expectedParts: []string{"system_u", "system_r", "container_t", "s0:c0,c1"}, + }, + { + name: "label with user, role, and type only", + label: "system_u:system_r:container_t", + expectedParts: []string{"system_u", "system_r", "container_t", ""}, + }, + { + name: "label with user and role only", + label: "system_u:system_r", + expectedParts: []string{"system_u", "system_r", "", ""}, + }, + { + name: "label with user only", + label: "system_u", + expectedParts: []string{"system_u", "", "", ""}, + }, + { + name: "label missing user but with role and type", + label: ":system_r:container_t", + expectedParts: []string{"", "system_r", "container_t", ""}, + }, + { + name: "label missing user and role but with type", + label: "::container_t", + expectedParts: []string{"", "", "container_t", ""}, + }, + { + name: "label missing user and role but with type and level", + label: "::container_t:s0", + expectedParts: []string{"", "", "container_t", "s0"}, + }, + { + name: "label with all empty components except level", + label: 
":::s0:c0,c1", + expectedParts: []string{"", "", "", "s0:c0,c1"}, + }, + { + name: "label with special characters in components", + label: "user_with_underscore:role-with-dash:type.with.dots:s0:c0.c1", + expectedParts: []string{"user_with_underscore", "role-with-dash", "type.with.dots", "s0:c0.c1"}, + }, + { + name: "label with extra colons in level component", + label: "user:role:type:s0:c0,c1:extra", + expectedParts: []string{"user", "role", "type", "s0:c0,c1:extra"}, + }, + { + name: "multiple colons only", + label: ":::", + expectedParts: []string{"", "", "", ""}, + }, + { + name: "five colons", + label: ":::::", + expectedParts: []string{"", "", "", "::"}, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + parts := ParseSELinuxLabel(tt.label) + partsSlice := parts[:] + if !reflect.DeepEqual(partsSlice, tt.expectedParts) { + t.Errorf("ParseSELinuxLabel(%q) = %v, expected parts = %v", tt.label, partsSlice, tt.expectedParts) + } + }) + } +} diff --git a/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/metrics.go b/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/metrics.go index d95665c916..c285bd78db 100644 --- a/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/metrics.go +++ b/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/metrics.go @@ -59,13 +59,7 @@ func (c *collector) DescribeWithStability(ch chan<- *metrics.Desc) { } func (c *collector) CollectWithStability(ch chan<- metrics.Metric) { - conflictCh := make(chan cache.Conflict) - go func() { - c.cache.SendConflicts(c.logger, conflictCh) - close(conflictCh) - }() - - for conflict := range conflictCh { + for _, conflict := range c.cache.GetConflicts(c.logger) { ch <- metrics.NewLazyConstMetric(seLinuxConflictDesc, metrics.GaugeValue, 1.0, 
diff --git a/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/selinux_warning_controller_test.go b/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/selinux_warning_controller_test.go index 9d9998bc62..1d2e66f4e4 100644 --- a/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/selinux_warning_controller_test.go +++ b/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/selinux_warning_controller_test.go @@ -783,12 +783,12 @@ func (f *fakeVolumeCache) GetPodsForCSIDriver(driverName string) []cache.ObjectN return pods } -func (f *fakeVolumeCache) SendConflicts(logger klog.Logger, ch chan<- volumecache.Conflict) { +func (f *fakeVolumeCache) GetConflicts(logger klog.Logger) []volumecache.Conflict { + result := make([]volumecache.Conflict, 0) for _, conflicts := range f.conflictsToSend { - for _, conflict := range conflicts { - ch <- conflict - } + result = append(result, conflicts...) } + return result } func collectEvents(source <-chan string) []string { diff --git a/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/translator/selinux_translator.go b/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/translator/selinux_translator.go index 99ce3e97dd..db599c98cd 100644 --- a/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/translator/selinux_translator.go +++ b/deps/github.com/openshift/kubernetes/pkg/controller/volume/selinuxwarning/translator/selinux_translator.go @@ -20,6 +20,7 @@ import ( "strings" v1 "k8s.io/api/core/v1" + "k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/internal/parse" "k8s.io/kubernetes/pkg/volume/util" ) 
@@ -70,18 +71,16 @@ func (c *ControllerSELinuxTranslator) SELinuxOptionsToFileLabel(opts *v1.SELinux // However: "system_u:system_r:container_t:s0:c1,c2" *does* conflict with ":::s0:c98,c99". // And ":::s0:c1,c2" *does* conflict with "" or ":::", because it's never defaulted by the OS. func (c *ControllerSELinuxTranslator) Conflicts(labelA, labelB string) bool { - partsA := strings.SplitN(labelA, ":", 4) - partsB := strings.SplitN(labelB, ":", 4) - - // Reorder, so partsA is always longer than partsB - if len(partsA) < len(partsB) { - partsB, partsA = partsA, partsB - } + return c.ConflictsParsed(parse.ParseSELinuxLabel(labelA), parse.ParseSELinuxLabel(labelB)) +} - for len(partsB) < len(partsA) { - partsB = append(partsB, "") - } - for i := range partsA { +// ConflictsParsed returns true if two pre-parsed SELinux labels conflict. +// This is an optimized version of Conflicts() that operates on pre-split labels +// to avoid repeated string allocations in hot paths (e.g., metrics collection). +// partsA and partsB must be 4-element arrays in the format: [user, role, type, level] +func (c *ControllerSELinuxTranslator) ConflictsParsed(partsA, partsB [4]string) bool { + // Compare each component + for i := range 4 { if partsA[i] == partsB[i] { continue } diff --git a/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/etcd.go b/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/etcd.go index c0574c8bfe..3cad57cc5b 100644 --- a/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/etcd.go +++ b/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/etcd.go @@ -23,6 +23,7 @@ import ( "sort" "strconv" "strings" + "sync" "time" "github.com/spf13/pflag" 
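Review bot: In ConflictsParsed the loop bound is a literal, `for i := range 4`, which repeats the array length from the signature and relies on range-over-int (Go 1.22+). Writing `for i := range partsA {` ties the bound to the `[4]string` parameter type and compiles on older toolchains too. The `// Compare each component` comment restates the loop and could be dropped. The loop body continues outside the hunk, so the comparison rules themselves are not reviewed here.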
@@ -240,32 +241,98 @@ func (s *EtcdOptions) ApplyWithStorageFactoryTo(factory serverstorage.StorageFac return err } - metrics.SetStorageMonitorGetter(monitorGetter(factory)) + monitorCache, err := newMonitorCache(factory, c.DrainedNotify()) + if err != nil { + return err + } + metrics.SetStorageMonitorGetter(monitorCache.get) c.RESTOptionsGetter = s.CreateRESTOptionsGetter(factory, c.ResourceTransformers) return nil } -func monitorGetter(factory serverstorage.StorageFactory) func() (monitors []metrics.Monitor, err error) { - return func() (monitors []metrics.Monitor, err error) { - defer func() { - if err != nil { - for _, m := range monitors { - m.Close() - } - } - }() +type monitorCache struct { + mu sync.RWMutex + closed bool + monitors []metrics.Monitor + factory serverstorage.StorageFactory + stopCh <-chan struct{} +} - var m metrics.Monitor - for _, cfg := range factory.Configs() { - m, err = storagefactory.CreateMonitor(cfg) - if err != nil { - return nil, err +var createMonitor = storagefactory.CreateMonitor + +func newMonitorCache(factory serverstorage.StorageFactory, stopCh <-chan struct{}) (*monitorCache, error) { + if stopCh == nil { + return nil, fmt.Errorf("stopCh is required for monitor cache cleanup") + } + cache := &monitorCache{ + factory: factory, + stopCh: stopCh, + } + return cache, nil +} + +func (c *monitorCache) get() ([]metrics.Monitor, error) { + // Fast path: check if already initialized with read lock + c.mu.RLock() + if c.closed { + c.mu.RUnlock() + return nil, fmt.Errorf("monitor cache is closed") + } + if c.monitors != nil { + result := c.monitors + c.mu.RUnlock() + return result, nil + } + c.mu.RUnlock() + + // Slow path: initialize with write lock + return c.initialize() +} + +func (c *monitorCache) initialize() ([]metrics.Monitor, error) { + c.mu.Lock() + defer c.mu.Unlock() + + if c.closed { + return nil, fmt.Errorf("monitor cache is closed") + } + if c.monitors != nil { + return c.monitors, nil + } + + var monitors 
[]metrics.Monitor + for _, cfg := range c.factory.Configs() { + m, err := createMonitor(cfg) + if err != nil { + for _, already := range monitors { + already.Close() //nolint:errcheck } - monitors = append(monitors, m) + return nil, err } - return monitors, nil + monitors = append(monitors, m) + } + c.monitors = monitors + + go func() { + <-c.stopCh + c.close() + }() + + return c.monitors, nil +} + +func (c *monitorCache) close() { + c.mu.Lock() + defer c.mu.Unlock() + if c.closed { + return + } + c.closed = true + for _, m := range c.monitors { + m.Close() //nolint:errcheck } + c.monitors = nil } func (s *EtcdOptions) CreateRESTOptionsGetter(factory serverstorage.StorageFactory, resourceTransformers storagevalue.ResourceTransformers) generic.RESTOptionsGetter { diff --git a/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/etcd_test.go b/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/etcd_test.go index bd3af58143..2d04281b23 100644 --- a/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/etcd_test.go +++ b/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/etcd_test.go @@ -17,7 +17,10 @@ limitations under the License. package options import ( + "context" "strings" + "sync" + "sync/atomic" "testing" "time" @@ -29,6 +32,7 @@ import ( "k8s.io/apiserver/pkg/features" "k8s.io/apiserver/pkg/server" "k8s.io/apiserver/pkg/server/healthz" + "k8s.io/apiserver/pkg/storage/etcd3/metrics" "k8s.io/apiserver/pkg/storage/storagebackend" utilfeature "k8s.io/apiserver/pkg/util/feature" featuregatetesting "k8s.io/component-base/featuregate/testing" 
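Review bot: `initialize()` treats `c.monitors != nil` as "already initialized", but when `c.factory.Configs()` yields no configs `monitors` stays nil, so every later `get()` takes the write lock again and starts another goroutine parked on `<-c.stopCh`. With a metrics scrape calling `get()` periodically, that is one leaked goroutine per scrape until shutdown; whether Configs() can be empty in practice is not visible in this hunk. Making the slice non-nil avoids it: `cfgs := c.factory.Configs()` followed by `monitors := make([]metrics.Monitor, 0, len(cfgs))`. Separately, `get()` returns the cached slice after releasing the lock, so `close()` can close monitors that a scrape is still using during shutdown; a comment on `get()` saying callers must tolerate errors from a closed monitor would document that.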
@@ -492,3 +496,163 @@ func TestRestOptionsStorageObjectCountTracker(t *testing.T) { t.Errorf("There are different StorageObjectCountTracker in restOptions and serverConfig") } } + +func TestMonitorCache(t *testing.T) { + setCreateMonitor := func(t *testing.T, fn func(storagebackend.Config) (metrics.Monitor, error)) { + t.Helper() + original := createMonitor + createMonitor = fn + t.Cleanup(func() { + createMonitor = original + }) + } + + newTestCache := func(t *testing.T) *monitorCache { + t.Helper() + stopCh := make(chan struct{}) + t.Cleanup(func() { close(stopCh) }) + cache, err := newMonitorCache(&SimpleStorageFactory{}, stopCh) + if err != nil { + t.Fatalf("newMonitorCache() returned error: %v", err) + } + return cache + } + + testCases := []struct { + name string + test func(t *testing.T) + }{ + { + name: "reuses cached monitors on subsequent get calls", + test: func(t *testing.T) { + cache := newTestCache(t) + monitor := &fakeMonitor{} + var createCalls atomic.Int32 + + setCreateMonitor(t, func(cfg storagebackend.Config) (metrics.Monitor, error) { + createCalls.Add(1) + return monitor, nil + }) + + first, err := cache.get() + if err != nil { + t.Fatalf("first get() returned error: %v", err) + } + second, err := cache.get() + if err != nil { + t.Fatalf("second get() returned error: %v", err) + } + + if got := createCalls.Load(); got != 1 { + t.Fatalf("expected createMonitor to be called once, got %d", got) + } + if len(first) != 1 || len(second) != 1 { + t.Fatalf("expected exactly one monitor from each call, got %d and %d", len(first), len(second)) + } + if first[0] != monitor || second[0] != monitor { + t.Fatal("expected both calls to return the cached monitor instance") + } + }, + }, + { + name: "returns error when get is called after cache is closed", + test: func(t *testing.T) { + cache := newTestCache(t) + monitor := &fakeMonitor{} + + setCreateMonitor(t, func(cfg storagebackend.Config) (metrics.Monitor, error) { + return monitor, nil + }) + + if _, err 
:= cache.get(); err != nil { + t.Fatalf("initial get() returned error: %v", err) + } + + cache.close() + + if got := monitor.closeCalls.Load(); got != 1 { + t.Fatalf("expected close to be called once, got %d", got) + } + if _, err := cache.get(); err == nil || err.Error() != "monitor cache is closed" { + t.Fatalf("expected closed-cache error, got %v", err) + } + }, + }, + { + name: "concurrent get calls all return the first initialized monitors", + test: func(t *testing.T) { + cache := newTestCache(t) + monitor := &fakeMonitor{} + initStarted := make(chan struct{}) + allowInit := make(chan struct{}) + var createCalls atomic.Int32 + + setCreateMonitor(t, func(cfg storagebackend.Config) (metrics.Monitor, error) { + if createCalls.Add(1) == 1 { + close(initStarted) + } + <-allowInit + return monitor, nil + }) + + const numGoroutines = 10 + start := make(chan struct{}) + results := make(chan []metrics.Monitor, numGoroutines) + errs := make(chan error, numGoroutines) + var wg sync.WaitGroup + wg.Add(numGoroutines) + + for range numGoroutines { + go func() { + defer wg.Done() + <-start + got, err := cache.get() + results <- got + errs <- err + }() + } + + close(start) + <-initStarted + close(allowInit) + wg.Wait() + + if got := createCalls.Load(); got != 1 { + t.Fatalf("expected createMonitor to be called once, got %d", got) + } + if len(cache.monitors) != 1 || cache.monitors[0] != monitor { + t.Fatal("expected the initialized monitor to be cached") + } + + for range numGoroutines { + if err := <-errs; err != nil { + t.Fatalf("get() returned error: %v", err) + } + got := <-results + if len(got) != 1 || got[0] != monitor { + t.Fatal("expected all goroutines to receive the same cached monitor") + } + } + }, + }, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + tc.test(t) + }) + } +} + +type fakeMonitor struct { + closeCalls atomic.Int32 +} + +func (f *fakeMonitor) Monitor(ctx context.Context) (metrics.StorageMetrics, error) { + return 
metrics.StorageMetrics{}, nil +} + +func (f *fakeMonitor) Close() error { + f.closeCalls.Add(1) + return nil +} diff --git a/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/storage/etcd3/metrics/metrics.go b/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/storage/etcd3/metrics/metrics.go index 263c04ec02..f77eee9576 100644 --- a/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/storage/etcd3/metrics/metrics.go +++ b/deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiserver/pkg/storage/etcd3/metrics/metrics.go @@ -355,7 +355,6 @@ func (c *monitorCollector) CollectWithStability(ch chan<- compbasemetrics.Metric ctx, cancel := context.WithTimeout(context.Background(), time.Second) metrics, err := m.Monitor(ctx) cancel() - m.Close() if err != nil { klog.InfoS("Failed to get storage metrics", "storage_cluster_id", storageClusterID, "err", err) continue diff --git a/packaging/crio.conf.d/10-microshift_amd64.conf b/packaging/crio.conf.d/10-microshift_amd64.conf index eac1b7bea0..0c91250313 100644 --- a/packaging/crio.conf.d/10-microshift_amd64.conf +++ b/packaging/crio.conf.d/10-microshift_amd64.conf @@ -2,6 +2,6 @@ # for community builds on top of OKD, this setting has no effect [crio.image] global_auth_file="/etc/crio/openshift-pull-secret" -pause_image = "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:c88bf8c8745f9140316f2be4fe922ece86ebd99083e7c5ee942540bcbee12c0a" +pause_image = "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:f80444cc3da6b00878bbbea034b4122d40e88ce47aa00486d6874d8a49a2dfd1" pause_image_auth_file = "/etc/crio/openshift-pull-secret" pause_command = "/usr/bin/pod" diff --git a/packaging/crio.conf.d/10-microshift_arm64.conf b/packaging/crio.conf.d/10-microshift_arm64.conf index 74bbaed0f5..901bf02328 100644 --- a/packaging/crio.conf.d/10-microshift_arm64.conf +++ b/packaging/crio.conf.d/10-microshift_arm64.conf 
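Review bot: The "returns error when get is called after cache is closed" case calls `cache.close()` directly, so the goroutine in `initialize()` that waits on `stopCh` is never exercised; closing the stop channel and polling `monitor.closeCalls` would cover the path the server actually uses. There is also no case where `createMonitor` fails after an earlier config has succeeded, which is the only path that runs the cleanup loop over already-created monitors; that needs a factory returning more than one config. Finally, `setCreateMonitor` swaps a package-level variable, so a comment such as `// not safe with t.Parallel(): mutates package-level createMonitor` would stop someone parallelising these subtests later.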
@@ -2,6 +2,6 @@ # for community builds on top of OKD, this setting has no effect [crio.image] global_auth_file="/etc/crio/openshift-pull-secret" -pause_image = "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:bc19885aeb4dd9c3bb8157fa3f5fbb5e7b2e26eb221fbf9bdecbd93a1b454c2f" +pause_image = "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:89c0dee8fad6277b67d933b367b827b89d5d5556effb0c3df04136bdd500ebb4" pause_image_auth_file = "/etc/crio/openshift-pull-secret" pause_command = "/usr/bin/pod" diff --git a/scripts/auto-rebase/changelog.txt b/scripts/auto-rebase/changelog.txt index e69de29bb2..ed4995c0f6 100644 --- a/scripts/auto-rebase/changelog.txt +++ b/scripts/auto-rebase/changelog.txt 
@@ -0,0 +1,340 @@ +- api embedded-component 70f01b82bb532c61086160b6033575b65540f73e to 1194f4c62539275cd6dec231cc2bf7e0a010bd94 + - 62daf685 2026-06-03T13:24:33-04:00 feat: add mutable topology featuregate + - c88eece8 2026-06-03T12:55:20+05:30 Add KubeletConfigAccepted const in 'machineconfiguration/v1/types.go' + - d0ab2290 2026-06-02T14:28:54+01:00 Update getLatestReleases to ignore non OCP releases + - 1a302b0d 2026-06-02T12:04:50+02:00 MON-4029: Add KubeStateMetricsConfig to ClusterMonitoring API + - f9a89e1d 2026-05-29T11:39:12+02:00 Move userAlertmanagerConfigSelection under alertmanager customConfig + - 83c13572 2026-05-29T11:29:32+02:00 Add userAlertmanagerConfigSelection to ClusterMonitoring API + - 71b14e62 2026-05-28T09:41:09+02:00 MCO-2296: Promote OSImageStreams to v1 + +- cluster-dns-operator embedded-component 3d2141182243cde1ec6417bd005c76d29aa88a01 to 65d60f9c12297a91ee89359e90f591fd44e661b0 + - 2999248 2026-04-03T16:43:59+02:00 test: add unit tests for tolerationsTolerateTaints + - aadbb48 2026-04-03T16:33:25+02:00 fix(operator): require all taints to be tolerated for node schedulability + +- cluster-ingress-operator embedded-component 53b8a64230fb27b820297d6dcd1b90cf0c176573 to 140e0bf13b3d01c369672c766c44b4be0b4ec78c + - 76a3286b 2026-06-02T12:09:46+05:30 OCPBUGS-36723: Add missing include annotations to IBM Cloud and PowerVS ingress CredentialsRequests + - 62d1b982 2026-05-29T12:12:11+01:00 OCPBUGS-85676: Harden CRD permission RBAC in operator ClusterRole + - b7c45b0f 2026-05-27T10:25:23-03:00 pass context down on retries, make default timeout a constant + - 7366a45a 2026-05-26T10:47:49-03:00 Add missing logging to avoid silent drop + - b7a92dbc 2026-05-26T10:33:19-03:00 fix endpoint resolver to use sdk resolver + - 5cedade2 2026-05-25T17:32:52-03:00 address coderabbit comments on e2e resiliency + - aad2628d 2026-05-25T16:42:42-03:00 Make e2e resource creation more resilient + - e54bede1 2026-05-25T14:44:49-03:00 fix resource creation inside 
utils + - 786628aa 2026-05-21T11:04:50-03:00 address more coderabbit comments + - b9345f47 2026-05-21T10:45:08-03:00 address more coderabbit comments + - 0c36601e 2026-05-21T10:05:55-03:00 address coderabbit comments + - fa5773ac 2026-05-21T10:00:11-03:00 Address coderabbit comments + - d423d394 2026-05-21T10:00:11-03:00 improve e2e resiliency + - 63caca77 2026-05-21T10:00:11-03:00 NO-JIRA: Improve e2e tests reliability + - 0d72f794 2026-05-14T09:00:30-03:00 NE-2723: Address coderabbit comments + - 6d8c121f 2026-05-13T19:03:03-03:00 NE-2723: vendor new aws-sdk-go-v2 libraries + - 41940070 2026-05-13T19:03:03-03:00 NE-2723: Migrate to aws-sdk-go-v2 + +- cluster-kube-apiserver-operator embedded-component 7547b7c84d27699706e1746428f4d0d82bf1ce7e to 24b60d04b3478e04a728fb0ae1385abc6a478d20 + - 6d0c185 2026-06-05T12:42:47-04:00 kms: switch to real Vault plugin in CI + - f3b8801 2026-06-04T11:08:23-04:00 kms: use new function to deploy KMS plugin in static pods + - 5fb4d68 2026-06-04T11:08:14-04:00 bump(openshift/library-go): to get KMS plugin credentials change + - 0cfdb1a 2026-06-03T13:00:44+02:00 Fix encryption rotation test after library-go rebase + - 2d55b4c 2026-06-03T12:39:17+02:00 NO-JIRA: Automatic agentic rebase: Update library-go to d8750ed + - 97b71a7 2026-06-02T14:58:02+02:00 NO-JIRA: Automatic agentic rebase: Update library-go to 0cf249e + +- cluster-kube-controller-manager-operator embedded-component ca150c42a7982509b8bba34080308cff00c09310 to 9d636ab4992bd501006d2b0c1d3ac512666c6ca7 + - aebd7e5 2026-06-01T12:34:38+05:30 keeping go stuct format + - 2e3cccb 2026-05-21T14:04:41+05:30 migrate prefrreed-host to ote + - b2c40fd 2026-05-07T22:19:20+05:30 Migrate KCM-O cases to ote + +- cluster-network-operator embedded-component 7d4c17ac28ac25d47be68694956a693c15b80939 to 6dc18040e7c214f6a1db25b6f5ef4642c6c6a186 + - 4fe0b63 2026-05-27T14:47:30+03:00 OCPBUGS-56949: Add openshift.io/node-selector annotation to openshift-network-console namespace + +- kubernetes 
embedded-component 99b75aa92a7f60c4446ee29f54d511f140a8aed0 to 872bd3722d0954b31459f715fbd4fb7612aaf338 + - 8eef07fbb 2026-05-28T15:56:10+02:00 UPSTREAM: 138075: apiserver: cache etcd storage monitors to avoid recreating clients on each metrics scrape + - 1f27b44a8 2026-05-18T10:51:25-04:00 UPSTREAM: 138981: Cache selinux conflicts + - 9ebcf5792 2026-05-18T10:51:25-04:00 UPSTREAM: 137226: controller/selinuxwarning/cache: Add reverse index + - 037baac16 2026-05-18T10:51:25-04:00 UPSTREAM: 137224: controller/selinuxwarning: Pre-parse SELinux label + +- machine-config-operator embedded-component d72b715f8f9e0fad5d27a45420ea074ea2628207 to 62b06d28399b348cb7238d32ad74b9a978c4292f + - 0f0da9b2 2026-06-04T09:44:46-04:00 Remove localhost.localdomain workaround for MCN IRI image field + - c2fb2d3d 2026-06-03T13:48:36-04:00 Remove skopeo-install script + - 15fd6b77 2026-06-03T16:08:56+02:00 MCO-2296: Remove OSImageStreams v1 replace + - 5529b6d8 2026-06-03T09:44:13-04:00 Remove trailing newline (\n) characters in klog message strings + - 02910734 2026-06-03T14:23:52+02:00 MCO-2296: OSImageStreams v1 promotion + - 75c98287 2026-06-03T10:11:46Z OCPBUGS-86965: make test 69755 more stable + - 8c54b9a1 2026-06-02T13:51:29-04:00 NO_ISSUE: Add -L flag to curl to follow redirects automatically + - 294bbd3c 2026-06-02T13:21:20-04:00 fix: update arbiter crio config + - 8e518a10 2026-06-02T13:05:52-04:00 internalreleaseimage: lower deletion log verbosity + - 4633c01c 2026-06-02T18:18:32+05:30 Fix format verb in mco_drain.go error messages + - 60ff74a4 2026-06-01T10:39:11-04:00 render: guard OSImageStream ver before generation + - 5da95772 2026-06-01T09:36:46-04:00 fix e2e tests + - 7f193dee 2026-06-01T08:48:44-04:00 test helper: update IsSNO helper function to correctly access the cluster's topology + - e19aa6b1 2026-06-01T15:56:10+05:30 Migrate MCO tests from openshift-tests-private + - d374adcb 2026-06-01T05:41:54-04:00 disable htpasswd auth on IRI registry, keep read-only + - 
9c88c2d9 2026-06-01T00:04:21Z chore: update AMIs + - 10cbf0c0 2026-05-29T07:56:09Z OCPBUGS-86554: in test OCP-85467 wait for operators after removing master machine + - 541a3c9f 2026-05-28T09:14:22-04:00 tests: make MCP machine count transition tests resilient on SNO + - 5b8fde11 2026-05-13T12:44:30+02:00 OCPBUG-77140: increase LRU cache and prefetch timeout for PinnedImageSet + +- operator-framework-olm embedded-component bc60033b299368309e8d3ca001cba75970c227c9 to a1de734673fb56da500b6ea212a70d50bd5740ab + - 3654e95c 2026-06-03T00:04:25Z chore: upgrade gopkg.in/yaml from v2 to v3 (#3842) + - 7f389311 2026-06-03T00:03:35Z :seedling: Bump github.com/go-git/go-git/v5 from 5.16.4 to 5.19.1 (#3841) + - 29e23d5b 2026-05-28T00:05:59Z fix: use gh release upload instead of softprops/action-gh-release (#3840) + +- oc image-amd64 9557cf3d482ecbc4e271eb4eefeefff5eaf4bdac to d1f312bb855e741cadb8b3ac419d2cb3f3fd7ba5 + - ab95216f 2026-06-05T12:48:40+02:00 Fix windows builds of oc rpm + +- router image-amd64 676113436feb61e5c89376d6a7ae66fdaefe8e98 to a86164c8ebaed55a2a28451fa913a04f10cc9a72 + - 768a467 2026-06-03T12:59:58+01:00 Adding escapeHAProxySingleQuotes for sanitize + +- ovn-kubernetes image-amd64 3ce6353a1ed2962dc8aabe96dcef0e5bd7a40555 to e9295c0d0d7caa1eda7cc9f2f3900c64096c943c + - 92ede818 2026-06-03T14:33:40+02:00 Sync informing EVPN E2Es with upstream naming + - 39817947 2026-05-19T14:45:17+05:30 sync test annotations with upstream changes + - 37dd7188 2026-05-19T14:44:30+05:30 sync openshift/go.mod with upstream dependencies + - ee94d9a4 2026-05-18T10:20:10+02:00 Force fake iptables/nftables helpers at start of unit tests + - 3e26af30 2026-05-15T12:53:19+02:00 Fix data race in DPU management port tests + - 20dd3e78 2026-05-15T11:59:31+02:00 e2e: Use shared VTEP for nodeIPs EVPN tests and per-network random VTEPs + - 8175f422 2026-05-15T11:59:28+02:00 Gate NAD creation on VTEP Accepted status in UDN controller + - b30df3d7 2026-05-15T10:15:40+02:00 Extract 
TransportAccepted reason strings into exported constants + - b78f6667 2026-05-14T11:27:06-04:00 Switch to JSON + - 69d5e41d 2026-05-14T11:27:06-04:00 Performance Report + - b6075565 2026-05-13T14:09:47-07:00 Clean up all stale pod OVS interfaces + - 1070abc8 2026-05-13T12:07:14-04:00 Fixing performance-test + - 770898ba 2026-05-13T10:56:11-04:00 Dynamic UDN: Make activity more level driven + - e0f8f042 2026-05-13T10:35:50-04:00 networkmanager: clear stale dynamic NAD removal marks on sync + - 1431d97d 2026-05-13T10:35:50-04:00 NM: make filterNADsOnNode more obvious + - bd2d769d 2026-05-13T10:35:50-04:00 Add UT to cover tracker edge updates + - 44de5b95 2026-05-13T10:35:50-04:00 Revert "Skip CNC service connectivity E2E tests when dynamic UDN allocation is enabled" + - 6f6ecf05 2026-05-13T10:35:50-04:00 Fix executing NM tests + - 85c5212e 2026-05-13T10:35:50-04:00 Dynamic UDN + CNC: Notify on remote+connected node events + - 5cd52f00 2026-05-13T10:35:50-04:00 Adds E2E test with dynamic UDN + CNC + - a6b093ce 2026-05-13T09:15:50-04:00 networkconnect: react to node activity and filter inactive L3 remotes + - 23d943e3 2026-05-13T09:15:50-04:00 networkmanager: derive dynamic UDN activity from CNC pod connectivity + - 2938a9e8 2026-05-12T20:23:08-07:00 node: regenerate host-network flows when localEndpoints change + - 2d8d5960 2026-05-12T20:23:01-07:00 node: restore else-if to prevent shared gateway fallthrough for ETP=Local + - 4b925578 2026-05-12T20:21:42-07:00 e2e: add tests for services with multiple named target ports + - 2dd28966 2026-05-12T11:12:37-07:00 OpenFlow Services: use groups to select multiple target ports + - 172fee01 2026-05-12T11:12:37-07:00 node: generate OpenFlow rules for all target ports during rolling updates + - 028f6796 2026-05-12T11:12:37-07:00 [SDN-3551] Add unit test for buildTemplateLBs with multiple target ports + - 4b215f56 2026-05-12T11:12:37-07:00 [SDN-3551] LB eps not updated correctly while target port changes + - 0577b840 
2026-05-12T14:22:24+05:30 Alginment fix in large screen + - 2dc51f5e 2026-05-11T19:45:56-04:00 Services Controller: filter node update events + - f29899e5 2026-05-11T19:39:34-04:00 Services: Rename methods with "queue" to "enqueue" + - 21f258dd 2026-05-11T18:48:14-04:00 Services: Pass NetworkOptions to networkState + - d2fdd047 2026-05-11T18:48:14-04:00 services: rebuild nodeInfo before service requeue + - 104f5ba9 2026-05-11T18:48:14-04:00 services: require scoped sync keys + - dc3ff7ee 2026-05-11T18:48:14-04:00 services: fix race with bootstrap and node handling + - 173b0364 2026-05-11T18:48:14-04:00 services: cover shared network registration requeue + - 3f5d1258 2026-05-11T18:48:14-04:00 services: register UDNs with shared controller + - 68f35802 2026-05-11T18:10:11-04:00 services: use shared event handlers for multi-network controller + - 5907de09 2026-05-11T18:10:11-04:00 services: add network registration infrastructure + - 267a653f 2026-05-11T17:45:48-04:00 services: move per-network state behind networkState + - 84271a4f 2026-05-11T11:58:12-07:00 docs: Add note about HA replicas configuration + - d14bba00 2026-05-11T11:33:57-07:00 node: harden OVS cleanup state handling + - 6cb18e49 2026-05-11T11:33:04-07:00 node/managementport: migrate root-row sites to libovsdb + - 3b77ff47 2026-05-11T11:33:04-07:00 node/bridgeconfig: add UDN test coverage for libovsdb migration + - 769d3768 2026-05-11T11:33:04-07:00 node/bridgeconfig: migrate bridgedGatewayNodeSetup to libovsdb + - bac9acce 2026-05-11T11:33:04-07:00 node: migrate CleanupClusterNode chain to libovsdb + - 86fc84ac 2026-05-11T10:39:19-07:00 ovnkube-trace: drop dead IsInterConnect field on podInfo + - f25471b3 2026-05-11T10:39:18-07:00 Fix licenses + - 21499105 2026-05-11T10:39:18-07:00 test: port node gateway retry test to IC mode + - 99b542fa 2026-05-11T10:39:18-07:00 helm, ci, contrib: drop multi-node-per-zone topology support + - 91c4348f 2026-05-11T10:39:18-07:00 ovn: fix and skip failing unit tests + 
- 33dc6e43 2026-05-11T10:39:18-07:00 go-controller: go mod tidy && go mod vendor + - 5b391cf9 2026-05-11T10:39:18-07:00 docs: small fixes for central-mode references + - f2a10a31 2026-05-11T10:39:18-07:00 ovn: clean up interconnect-only test scaffolding + - 3259cf5b 2026-05-11T10:39:18-07:00 config: remove ic mode switch + - fba86e07 2026-05-11T10:39:18-07:00 node: remove central-mode branches from core controllers + - 5658f679 2026-05-11T10:39:17-07:00 controllermanager: remove interconnect gates from route and egress + - dacf29b1 2026-05-11T10:39:17-07:00 factory: remove central-mode IPAMClaim informer setup + - 8093b630 2026-05-11T10:39:17-07:00 clustermanager: remove interconnect informer gates + - 82043129 2026-05-11T10:39:17-07:00 clustermanager: make L2 tunnel ID allocation unconditional + - ad84d509 2026-05-11T10:39:17-07:00 clustermanager: remove interconnect allocation guards + - 3860b382 2026-05-11T10:39:17-07:00 helm, ovnkube: drop OVN_ENABLE_INTERCONNECT toggle + - 37379ca1 2026-05-11T10:39:17-07:00 helm: remove ic mode option + - 81d3b85f 2026-05-11T10:39:17-07:00 ovnkube-identity: remove interconnect mode switch + - 361e4673 2026-05-11T10:39:16-07:00 ci, e2e: remove interconnect env checks + - 8d75320a 2026-05-11T09:33:27-07:00 contrib, dist: remove stale central-mode helper paths + - 867f7387 2026-05-11T09:22:30-07:00 ovnkube: remove legacy init-master mode + - 3bf7f4a6 2026-05-11T09:22:22-07:00 ovnkube, metrics: remove central-mode metrics wait + - 85a35c76 2026-05-11T09:22:22-07:00 clustermanager: fix wording about ic mode in code comments + - 2ca1c6bc 2026-05-11T09:22:22-07:00 docs: update feature docs for interconnect-only deployments + - 805fd798 2026-05-11T09:22:22-07:00 docs: remove central-mode from design docs + - b25811ad 2026-05-11T09:22:21-07:00 docs: remove obsolete central-mode install docs + - 9c6cddb1 2026-05-11T09:17:27-07:00 dist: clean up stale image docs + - dc15c1dc 2026-05-11T09:14:42-07:00 dist: remove raft-mode commands + - 
3431b8ef 2026-05-11T09:13:35-07:00 dist: remove central-mode ovn-master command from ovnkube.sh + - 13e79f65 2026-05-11T09:06:46-07:00 dist: remove legacy ovn-db-checker + - 72249c64 2026-05-11T09:06:46-07:00 e2e: remove central-mode coverage + - 2f6a71d6 2026-05-11T09:06:46-07:00 docs, helm: remove central-mode observability assets + - 73cceec9 2026-05-11T09:06:46-07:00 contrib, test: remove central-mode controller cleanups + - 40f55ad4 2026-05-11T09:06:46-07:00 docs: amend installation docs to remove central-mode + - fbf83071 2026-05-11T09:06:46-07:00 helm: remove central-mode from chart packaging + - 7d959a6f 2026-05-11T09:06:46-07:00 contrib: remove central-mode from kind helm deploy helpers + - 7f8a166f 2026-05-11T09:06:46-07:00 ci: remove central-mode test matrix entries + - ab06dc72 2026-05-11T09:06:46-07:00 helm, dist: remove central-mode deployment artifacts + - e251ce50 2026-05-11T09:00:31-07:00 libovsdb/ops: add RemoveOpenvSwitchExternalIDs + - a9aed111 2026-05-11T09:00:31-07:00 node: migrate ovn-encap-ip update to libovsdb + - 6beb23ed 2026-05-11T09:00:31-07:00 libovsdb/ops: Add UpdateOpenvSwitchExternalIDs + - 1826e997 2026-05-11T10:02:27+02:00 Move primary UDN out of pod request + - a36ec0ff 2026-05-11T09:42:25+02:00 cniserver: inline HandlePodRequest into handleCNIRequest + - e1fec473 2026-05-11T09:41:59+02:00 Delete CNIPluginLibOps interface + - c191d77a 2026-05-08T14:54:38-07:00 set mac address on VF representor + - 586fb8a2 2026-05-08T16:41:13-04:00 [dpu-sim] Add github.com/ovn-kubernetes/dpu-simulator library + - 5027cc6a 2026-05-08T16:41:13-04:00 [dpu-sim] Add Github Action CI lane for dpu-sim + - 8bc2c95e 2026-05-08T16:41:13-04:00 [dpu-sim] Added a check when retrieving the netdev name from deviceId + - 5ca141aa 2026-05-08T16:41:13-04:00 [dpu-sim] Rename GetDPUHostInterface to GetDPUHostRepInterface + - a78b2fd0 2026-05-08T16:41:06-04:00 [dpu-sim] Add DPU Simulation docs for new configuration parameters + - 7c333026 2026-05-07T11:41:11Z 
kubevirt: skip source LSP re-enable when source pod is not local + - 95f7f213 2026-05-07T14:25:40+05:30 Fixing toc + - 557e2b6e 2026-05-07T14:03:11+05:30 Fixing margin + - 8e24f964 2026-05-06T09:44:26-04:00 Drop unnecessary make bld step when building fedora image + - a708bf0a 2026-05-06T09:44:26-04:00 Use make bld when building ubuntu image + - d0ad4648 2026-05-06T07:59:14-04:00 Make the TransportAccepted message assertion transport-aware + - 98383469 2026-05-06T07:59:14-04:00 E2E tests for CUDN with transport NoOverlay routing unmanaged + - ba7f76dc 2026-05-05T11:41:01-04:00 [dpu-sim] Fix linter issues and remove setting DPU Host Rep in nicstobridge + - 35b2967e 2026-05-05T11:41:01-04:00 [dpu-sim] Use netdev as device ID for simulated DPU host + - f0dba828 2026-05-05T11:41:01-04:00 [dpu-sim] Fix Issue with aux name regex and allow netdev DeviceID for simulation + - b68626ca 2026-05-05T11:41:01-04:00 [dpu-sim] Add DPU CNI Support for DPU Simulation + - baec1038 2026-05-05T11:41:01-04:00 [dpu-sim] Add to Helm the simulation & DPU Host Gateway Representor config + - 95fb7215 2026-05-05T11:41:01-04:00 [dpu-sim] Add DPU Abstration code for simulation + - bbff4537 2026-05-05T11:41:01-04:00 [dpu-sim] Refactor DPU/DPU Host mode to be more readable. 
+ - b29d4fae 2026-05-05T11:41:01-04:00 [dpu-sim] Add dpu-host-gateway-representor-interface config option + - 7d0d5c11 2026-05-05T11:41:01-04:00 [dpu-sim] Allow gateway options override for DPU Host Helm Chart + - 15e2a359 2026-04-27T13:56:11-07:00 Fix NodePort ingress flaky test by handling empty pokeEndpoint responses + - 4161bc31 2026-04-15T17:31:03+01:00 docs: Add AI Guidelines + - 2b29a92c 2025-10-09T13:00:02-04:00 Revert "check disk usage before and after test steps (#4305)" + +- kubernetes image-amd64 99b75aa92a7f60c4446ee29f54d511f140a8aed0 to 872bd3722d0954b31459f715fbd4fb7612aaf338 + - 8eef07fbb 2026-05-28T15:56:10+02:00 UPSTREAM: 138075: apiserver: cache etcd storage monitors to avoid recreating clients on each metrics scrape + - 1f27b44a8 2026-05-18T10:51:25-04:00 UPSTREAM: 138981: Cache selinux conflicts + - 9ebcf5792 2026-05-18T10:51:25-04:00 UPSTREAM: 137226: controller/selinuxwarning/cache: Add reverse index + - 037baac16 2026-05-18T10:51:25-04:00 UPSTREAM: 137224: controller/selinuxwarning: Pre-parse SELinux label + +- oc image-arm64 9557cf3d482ecbc4e271eb4eefeefff5eaf4bdac to d1f312bb855e741cadb8b3ac419d2cb3f3fd7ba5 + - ab95216f 2026-06-05T12:48:40+02:00 Fix windows builds of oc rpm + +- router image-arm64 676113436feb61e5c89376d6a7ae66fdaefe8e98 to a86164c8ebaed55a2a28451fa913a04f10cc9a72 + - 768a467 2026-06-03T12:59:58+01:00 Adding escapeHAProxySingleQuotes for sanitize + +- ovn-kubernetes image-arm64 3ce6353a1ed2962dc8aabe96dcef0e5bd7a40555 to e9295c0d0d7caa1eda7cc9f2f3900c64096c943c + - 92ede818 2026-06-03T14:33:40+02:00 Sync informing EVPN E2Es with upstream naming + - 39817947 2026-05-19T14:45:17+05:30 sync test annotations with upstream changes + - 37dd7188 2026-05-19T14:44:30+05:30 sync openshift/go.mod with upstream dependencies + - ee94d9a4 2026-05-18T10:20:10+02:00 Force fake iptables/nftables helpers at start of unit tests + - 3e26af30 2026-05-15T12:53:19+02:00 Fix data race in DPU management port tests + - 20dd3e78 
2026-05-15T11:59:31+02:00 e2e: Use shared VTEP for nodeIPs EVPN tests and per-network random VTEPs + - 8175f422 2026-05-15T11:59:28+02:00 Gate NAD creation on VTEP Accepted status in UDN controller + - b30df3d7 2026-05-15T10:15:40+02:00 Extract TransportAccepted reason strings into exported constants + - b78f6667 2026-05-14T11:27:06-04:00 Switch to JSON + - 69d5e41d 2026-05-14T11:27:06-04:00 Performance Report + - b6075565 2026-05-13T14:09:47-07:00 Clean up all stale pod OVS interfaces + - 1070abc8 2026-05-13T12:07:14-04:00 Fixing performance-test + - 770898ba 2026-05-13T10:56:11-04:00 Dynamic UDN: Make activity more level driven + - e0f8f042 2026-05-13T10:35:50-04:00 networkmanager: clear stale dynamic NAD removal marks on sync + - 1431d97d 2026-05-13T10:35:50-04:00 NM: make filterNADsOnNode more obvious + - bd2d769d 2026-05-13T10:35:50-04:00 Add UT to cover tracker edge updates + - 44de5b95 2026-05-13T10:35:50-04:00 Revert "Skip CNC service connectivity E2E tests when dynamic UDN allocation is enabled" + - 6f6ecf05 2026-05-13T10:35:50-04:00 Fix executing NM tests + - 85c5212e 2026-05-13T10:35:50-04:00 Dynamic UDN + CNC: Notify on remote+connected node events + - 5cd52f00 2026-05-13T10:35:50-04:00 Adds E2E test with dynamic UDN + CNC + - a6b093ce 2026-05-13T09:15:50-04:00 networkconnect: react to node activity and filter inactive L3 remotes + - 23d943e3 2026-05-13T09:15:50-04:00 networkmanager: derive dynamic UDN activity from CNC pod connectivity + - 2938a9e8 2026-05-12T20:23:08-07:00 node: regenerate host-network flows when localEndpoints change + - 2d8d5960 2026-05-12T20:23:01-07:00 node: restore else-if to prevent shared gateway fallthrough for ETP=Local + - 4b925578 2026-05-12T20:21:42-07:00 e2e: add tests for services with multiple named target ports + - 2dd28966 2026-05-12T11:12:37-07:00 OpenFlow Services: use groups to select multiple target ports + - 172fee01 2026-05-12T11:12:37-07:00 node: generate OpenFlow rules for all target ports during rolling 
updates + - 028f6796 2026-05-12T11:12:37-07:00 [SDN-3551] Add unit test for buildTemplateLBs with multiple target ports + - 4b215f56 2026-05-12T11:12:37-07:00 [SDN-3551] LB eps not updated correctly while target port changes + - 0577b840 2026-05-12T14:22:24+05:30 Alginment fix in large screen + - 2dc51f5e 2026-05-11T19:45:56-04:00 Services Controller: filter node update events + - f29899e5 2026-05-11T19:39:34-04:00 Services: Rename methods with "queue" to "enqueue" + - 21f258dd 2026-05-11T18:48:14-04:00 Services: Pass NetworkOptions to networkState + - d2fdd047 2026-05-11T18:48:14-04:00 services: rebuild nodeInfo before service requeue + - 104f5ba9 2026-05-11T18:48:14-04:00 services: require scoped sync keys + - dc3ff7ee 2026-05-11T18:48:14-04:00 services: fix race with bootstrap and node handling + - 173b0364 2026-05-11T18:48:14-04:00 services: cover shared network registration requeue + - 3f5d1258 2026-05-11T18:48:14-04:00 services: register UDNs with shared controller + - 68f35802 2026-05-11T18:10:11-04:00 services: use shared event handlers for multi-network controller + - 5907de09 2026-05-11T18:10:11-04:00 services: add network registration infrastructure + - 267a653f 2026-05-11T17:45:48-04:00 services: move per-network state behind networkState + - 84271a4f 2026-05-11T11:58:12-07:00 docs: Add note about HA replicas configuration + - d14bba00 2026-05-11T11:33:57-07:00 node: harden OVS cleanup state handling + - 6cb18e49 2026-05-11T11:33:04-07:00 node/managementport: migrate root-row sites to libovsdb + - 3b77ff47 2026-05-11T11:33:04-07:00 node/bridgeconfig: add UDN test coverage for libovsdb migration + - 769d3768 2026-05-11T11:33:04-07:00 node/bridgeconfig: migrate bridgedGatewayNodeSetup to libovsdb + - bac9acce 2026-05-11T11:33:04-07:00 node: migrate CleanupClusterNode chain to libovsdb + - 86fc84ac 2026-05-11T10:39:19-07:00 ovnkube-trace: drop dead IsInterConnect field on podInfo + - f25471b3 2026-05-11T10:39:18-07:00 Fix licenses + - 21499105 
2026-05-11T10:39:18-07:00 test: port node gateway retry test to IC mode + - 99b542fa 2026-05-11T10:39:18-07:00 helm, ci, contrib: drop multi-node-per-zone topology support + - 91c4348f 2026-05-11T10:39:18-07:00 ovn: fix and skip failing unit tests + - 33dc6e43 2026-05-11T10:39:18-07:00 go-controller: go mod tidy && go mod vendor + - 5b391cf9 2026-05-11T10:39:18-07:00 docs: small fixes for central-mode references + - f2a10a31 2026-05-11T10:39:18-07:00 ovn: clean up interconnect-only test scaffolding + - 3259cf5b 2026-05-11T10:39:18-07:00 config: remove ic mode switch + - fba86e07 2026-05-11T10:39:18-07:00 node: remove central-mode branches from core controllers + - 5658f679 2026-05-11T10:39:17-07:00 controllermanager: remove interconnect gates from route and egress + - dacf29b1 2026-05-11T10:39:17-07:00 factory: remove central-mode IPAMClaim informer setup + - 8093b630 2026-05-11T10:39:17-07:00 clustermanager: remove interconnect informer gates + - 82043129 2026-05-11T10:39:17-07:00 clustermanager: make L2 tunnel ID allocation unconditional + - ad84d509 2026-05-11T10:39:17-07:00 clustermanager: remove interconnect allocation guards + - 3860b382 2026-05-11T10:39:17-07:00 helm, ovnkube: drop OVN_ENABLE_INTERCONNECT toggle + - 37379ca1 2026-05-11T10:39:17-07:00 helm: remove ic mode option + - 81d3b85f 2026-05-11T10:39:17-07:00 ovnkube-identity: remove interconnect mode switch + - 361e4673 2026-05-11T10:39:16-07:00 ci, e2e: remove interconnect env checks + - 8d75320a 2026-05-11T09:33:27-07:00 contrib, dist: remove stale central-mode helper paths + - 867f7387 2026-05-11T09:22:30-07:00 ovnkube: remove legacy init-master mode + - 3bf7f4a6 2026-05-11T09:22:22-07:00 ovnkube, metrics: remove central-mode metrics wait + - 85a35c76 2026-05-11T09:22:22-07:00 clustermanager: fix wording about ic mode in code comments + - 2ca1c6bc 2026-05-11T09:22:22-07:00 docs: update feature docs for interconnect-only deployments + - 805fd798 2026-05-11T09:22:22-07:00 docs: remove central-mode 
from design docs + - b25811ad 2026-05-11T09:22:21-07:00 docs: remove obsolete central-mode install docs + - 9c6cddb1 2026-05-11T09:17:27-07:00 dist: clean up stale image docs + - dc15c1dc 2026-05-11T09:14:42-07:00 dist: remove raft-mode commands + - 3431b8ef 2026-05-11T09:13:35-07:00 dist: remove central-mode ovn-master command from ovnkube.sh + - 13e79f65 2026-05-11T09:06:46-07:00 dist: remove legacy ovn-db-checker + - 72249c64 2026-05-11T09:06:46-07:00 e2e: remove central-mode coverage + - 2f6a71d6 2026-05-11T09:06:46-07:00 docs, helm: remove central-mode observability assets + - 73cceec9 2026-05-11T09:06:46-07:00 contrib, test: remove central-mode controller cleanups + - 40f55ad4 2026-05-11T09:06:46-07:00 docs: amend installation docs to remove central-mode + - fbf83071 2026-05-11T09:06:46-07:00 helm: remove central-mode from chart packaging + - 7d959a6f 2026-05-11T09:06:46-07:00 contrib: remove central-mode from kind helm deploy helpers + - 7f8a166f 2026-05-11T09:06:46-07:00 ci: remove central-mode test matrix entries + - ab06dc72 2026-05-11T09:06:46-07:00 helm, dist: remove central-mode deployment artifacts + - e251ce50 2026-05-11T09:00:31-07:00 libovsdb/ops: add RemoveOpenvSwitchExternalIDs + - a9aed111 2026-05-11T09:00:31-07:00 node: migrate ovn-encap-ip update to libovsdb + - 6beb23ed 2026-05-11T09:00:31-07:00 libovsdb/ops: Add UpdateOpenvSwitchExternalIDs + - 1826e997 2026-05-11T10:02:27+02:00 Move primary UDN out of pod request + - a36ec0ff 2026-05-11T09:42:25+02:00 cniserver: inline HandlePodRequest into handleCNIRequest + - e1fec473 2026-05-11T09:41:59+02:00 Delete CNIPluginLibOps interface + - c191d77a 2026-05-08T14:54:38-07:00 set mac address on VF representor + - 586fb8a2 2026-05-08T16:41:13-04:00 [dpu-sim] Add github.com/ovn-kubernetes/dpu-simulator library + - 5027cc6a 2026-05-08T16:41:13-04:00 [dpu-sim] Add Github Action CI lane for dpu-sim + - 8bc2c95e 2026-05-08T16:41:13-04:00 [dpu-sim] Added a check when retrieving the netdev name from deviceId 
+ - 5ca141aa 2026-05-08T16:41:13-04:00 [dpu-sim] Rename GetDPUHostInterface to GetDPUHostRepInterface + - a78b2fd0 2026-05-08T16:41:06-04:00 [dpu-sim] Add DPU Simulation docs for new configuration parameters + - 7c333026 2026-05-07T11:41:11Z kubevirt: skip source LSP re-enable when source pod is not local + - 95f7f213 2026-05-07T14:25:40+05:30 Fixing toc + - 557e2b6e 2026-05-07T14:03:11+05:30 Fixing margin + - 8e24f964 2026-05-06T09:44:26-04:00 Drop unnecessary make bld step when building fedora image + - a708bf0a 2026-05-06T09:44:26-04:00 Use make bld when building ubuntu image + - d0ad4648 2026-05-06T07:59:14-04:00 Make the TransportAccepted message assertion transport-aware + - 98383469 2026-05-06T07:59:14-04:00 E2E tests for CUDN with transport NoOverlay routing unmanaged + - ba7f76dc 2026-05-05T11:41:01-04:00 [dpu-sim] Fix linter issues and remove setting DPU Host Rep in nicstobridge + - 35b2967e 2026-05-05T11:41:01-04:00 [dpu-sim] Use netdev as device ID for simulated DPU host + - f0dba828 2026-05-05T11:41:01-04:00 [dpu-sim] Fix Issue with aux name regex and allow netdev DeviceID for simulation + - b68626ca 2026-05-05T11:41:01-04:00 [dpu-sim] Add DPU CNI Support for DPU Simulation + - baec1038 2026-05-05T11:41:01-04:00 [dpu-sim] Add to Helm the simulation & DPU Host Gateway Representor config + - 95fb7215 2026-05-05T11:41:01-04:00 [dpu-sim] Add DPU Abstration code for simulation + - bbff4537 2026-05-05T11:41:01-04:00 [dpu-sim] Refactor DPU/DPU Host mode to be more readable. 
+ - b29d4fae 2026-05-05T11:41:01-04:00 [dpu-sim] Add dpu-host-gateway-representor-interface config option + - 7d0d5c11 2026-05-05T11:41:01-04:00 [dpu-sim] Allow gateway options override for DPU Host Helm Chart + - 15e2a359 2026-04-27T13:56:11-07:00 Fix NodePort ingress flaky test by handling empty pokeEndpoint responses + - 4161bc31 2026-04-15T17:31:03+01:00 docs: Add AI Guidelines + - 2b29a92c 2025-10-09T13:00:02-04:00 Revert "check disk usage before and after test steps (#4305)" + +- kubernetes image-arm64 99b75aa92a7f60c4446ee29f54d511f140a8aed0 to 872bd3722d0954b31459f715fbd4fb7612aaf338 + - 8eef07fbb 2026-05-28T15:56:10+02:00 UPSTREAM: 138075: apiserver: cache etcd storage monitors to avoid recreating clients on each metrics scrape + - 1f27b44a8 2026-05-18T10:51:25-04:00 UPSTREAM: 138981: Cache selinux conflicts + - 9ebcf5792 2026-05-18T10:51:25-04:00 UPSTREAM: 137226: controller/selinuxwarning/cache: Add reverse index + - 037baac16 2026-05-18T10:51:25-04:00 UPSTREAM: 137224: controller/selinuxwarning: Pre-parse SELinux label + diff --git a/scripts/auto-rebase/commits.txt b/scripts/auto-rebase/commits.txt index 5f2142d080..b06a44092a 100644 --- a/scripts/auto-rebase/commits.txt +++ b/scripts/auto-rebase/commits.txt 
@@ -1,35 +1,35 @@ -https://github.com/openshift/api embedded-component 70f01b82bb532c61086160b6033575b65540f73e +https://github.com/openshift/api embedded-component 1194f4c62539275cd6dec231cc2bf7e0a010bd94 https://github.com/openshift/cluster-csi-snapshot-controller-operator embedded-component 108f37f0e378accc322cbeb68136ec500ec35b94 -https://github.com/openshift/cluster-dns-operator embedded-component 3d2141182243cde1ec6417bd005c76d29aa88a01 -https://github.com/openshift/cluster-ingress-operator embedded-component 53b8a64230fb27b820297d6dcd1b90cf0c176573 -https://github.com/openshift/cluster-kube-apiserver-operator embedded-component 7547b7c84d27699706e1746428f4d0d82bf1ce7e -https://github.com/openshift/cluster-kube-controller-manager-operator embedded-component ca150c42a7982509b8bba34080308cff00c09310 +https://github.com/openshift/cluster-dns-operator embedded-component 65d60f9c12297a91ee89359e90f591fd44e661b0 +https://github.com/openshift/cluster-ingress-operator embedded-component 140e0bf13b3d01c369672c766c44b4be0b4ec78c +https://github.com/openshift/cluster-kube-apiserver-operator embedded-component 24b60d04b3478e04a728fb0ae1385abc6a478d20 +https://github.com/openshift/cluster-kube-controller-manager-operator embedded-component 9d636ab4992bd501006d2b0c1d3ac512666c6ca7 https://github.com/openshift/cluster-kube-scheduler-operator embedded-component d43423b583269eea8236040424609c3f108ac9c4 -https://github.com/openshift/cluster-network-operator embedded-component 7d4c17ac28ac25d47be68694956a693c15b80939 +https://github.com/openshift/cluster-network-operator embedded-component 6dc18040e7c214f6a1db25b6f5ef4642c6c6a186 https://github.com/openshift/cluster-openshift-controller-manager-operator embedded-component 34f95b07f4afbc47558e54e4fa2710fd692e615e https://github.com/openshift/cluster-policy-controller embedded-component bb429f5b2a7d77791110b06d8ec5c017183e3ab9 https://github.com/openshift/csi-external-snapshotter embedded-component 
77d02e52a442c1a98457797bf8eb5777489aabae https://github.com/openshift/etcd embedded-component c543fe15324510d13e896c31232ecd5d100d9de5 -https://github.com/openshift/kubernetes embedded-component 99b75aa92a7f60c4446ee29f54d511f140a8aed0 +https://github.com/openshift/kubernetes embedded-component 872bd3722d0954b31459f715fbd4fb7612aaf338 https://github.com/openshift/kubernetes-kube-storage-version-migrator embedded-component 72835e43c7754356645e41031f3a99926b4d42e6 -https://github.com/openshift/machine-config-operator embedded-component d72b715f8f9e0fad5d27a45420ea074ea2628207 +https://github.com/openshift/machine-config-operator embedded-component 62b06d28399b348cb7238d32ad74b9a978c4292f https://github.com/openshift/openshift-controller-manager embedded-component 5631cf493b006cbc72a8600a7435813272d71940 -https://github.com/openshift/operator-framework-olm embedded-component bc60033b299368309e8d3ca001cba75970c227c9 +https://github.com/openshift/operator-framework-olm embedded-component a1de734673fb56da500b6ea212a70d50bd5740ab https://github.com/openshift/route-controller-manager embedded-component 1916ceb059f500f06e8552f88bf38cd09f9522fd https://github.com/openshift/service-ca-operator embedded-component e7ccfa308e69ce4ad1f2afcd1d7c8ff25144374b -https://github.com/openshift/oc image-amd64 9557cf3d482ecbc4e271eb4eefeefff5eaf4bdac +https://github.com/openshift/oc image-amd64 d1f312bb855e741cadb8b3ac419d2cb3f3fd7ba5 https://github.com/openshift/coredns image-amd64 3c21b066c9bd86caa06f790dcd1c046667875d46 https://github.com/openshift/csi-external-snapshotter image-amd64 77d02e52a442c1a98457797bf8eb5777489aabae -https://github.com/openshift/router image-amd64 676113436feb61e5c89376d6a7ae66fdaefe8e98 +https://github.com/openshift/router image-amd64 a86164c8ebaed55a2a28451fa913a04f10cc9a72 https://github.com/openshift/kube-rbac-proxy image-amd64 d12e274605248f6c59373240a7eae7a7a357dcb3 -https://github.com/openshift/ovn-kubernetes image-amd64 
3ce6353a1ed2962dc8aabe96dcef0e5bd7a40555 -https://github.com/openshift/kubernetes image-amd64 99b75aa92a7f60c4446ee29f54d511f140a8aed0 +https://github.com/openshift/ovn-kubernetes image-amd64 e9295c0d0d7caa1eda7cc9f2f3900c64096c943c +https://github.com/openshift/kubernetes image-amd64 872bd3722d0954b31459f715fbd4fb7612aaf338 https://github.com/openshift/service-ca-operator image-amd64 e7ccfa308e69ce4ad1f2afcd1d7c8ff25144374b -https://github.com/openshift/oc image-arm64 9557cf3d482ecbc4e271eb4eefeefff5eaf4bdac +https://github.com/openshift/oc image-arm64 d1f312bb855e741cadb8b3ac419d2cb3f3fd7ba5 https://github.com/openshift/coredns image-arm64 3c21b066c9bd86caa06f790dcd1c046667875d46 https://github.com/openshift/csi-external-snapshotter image-arm64 77d02e52a442c1a98457797bf8eb5777489aabae -https://github.com/openshift/router image-arm64 676113436feb61e5c89376d6a7ae66fdaefe8e98 +https://github.com/openshift/router image-arm64 a86164c8ebaed55a2a28451fa913a04f10cc9a72 https://github.com/openshift/kube-rbac-proxy image-arm64 d12e274605248f6c59373240a7eae7a7a357dcb3 -https://github.com/openshift/ovn-kubernetes image-arm64 3ce6353a1ed2962dc8aabe96dcef0e5bd7a40555 -https://github.com/openshift/kubernetes image-arm64 99b75aa92a7f60c4446ee29f54d511f140a8aed0 +https://github.com/openshift/ovn-kubernetes image-arm64 e9295c0d0d7caa1eda7cc9f2f3900c64096c943c +https://github.com/openshift/kubernetes image-arm64 872bd3722d0954b31459f715fbd4fb7612aaf338 https://github.com/openshift/service-ca-operator image-arm64 e7ccfa308e69ce4ad1f2afcd1d7c8ff25144374b diff --git a/scripts/auto-rebase/last_rebase.sh b/scripts/auto-rebase/last_rebase.sh index 54eaa2dd8d..8bb003639f 100755 --- a/scripts/auto-rebase/last_rebase.sh +++ b/scripts/auto-rebase/last_rebase.sh 
@@ -1,2 +1,2 @@
 #!/bin/bash -x
-./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release-5:5.0.0-0.nightly-2026-06-04-190102" "registry.ci.openshift.org/ocp-arm64/release-5-arm64:5.0.0-0.nightly-arm64-2026-06-04-190103"
+./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release-5:5.0.0-0.nightly-2026-06-07-132537" "registry.ci.openshift.org/ocp-arm64/release-5-arm64:5.0.0-0.nightly-arm64-2026-06-08-012537"
diff --git a/scripts/devenv-builder/configure-vm.sh b/scripts/devenv-builder/configure-vm.sh
index 0a5b6c68e6..493c14861a 100755
--- a/scripts/devenv-builder/configure-vm.sh
+++ b/scripts/devenv-builder/configure-vm.sh
@@ -278,7 +278,7 @@ function install_build_deps() {
 # run only if booted with systemd
 [[ -d /run/systemd/system ]] && sudo systemctl enable --now cockpit.socket
- GO_VER=1.26.3
+ GO_VER=1.25.8
 GO_ARCH=$([ "$(uname -m)" == "x86_64" ] && echo "amd64" || echo "arm64")
 GO_INSTALL_DIR="/usr/local/go${GO_VER}"
 if [ ! -d "${GO_INSTALL_DIR}" ]; then
diff --git a/vendor/k8s.io/apiserver/pkg/server/options/etcd.go b/vendor/k8s.io/apiserver/pkg/server/options/etcd.go
index c0574c8bfe..3cad57cc5b 100644
--- a/vendor/k8s.io/apiserver/pkg/server/options/etcd.go
+++ b/vendor/k8s.io/apiserver/pkg/server/options/etcd.go
@@ -23,6 +23,7 @@ import (
 "sort"
 "strconv"
 "strings"
+ "sync"
 "time"
 "github.com/spf13/pflag"
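Review bot: In the configure-vm.sh hunk, `GO_VER` moves backwards from 1.26.3 to 1.25.8 while the other pins visible in this change move forward, so a dev VM built from this revision installs an older Go release line than before. If the value is meant to follow the Go version of the rebased go.mod, a comment above the line such as `# GO_VER follows the go directive of the rebased go.mod` would make the rollback self-explanatory; otherwise it reads like an unintended revert. install_build_deps starts and ends outside the hunk, so how the toolchain archive is fetched and whether it is checksum-verified cannot be checked from here.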
@@ -240,32 +241,98 @@ func (s *EtcdOptions) ApplyWithStorageFactoryTo(factory serverstorage.StorageFac
 return err
 }
- metrics.SetStorageMonitorGetter(monitorGetter(factory))
+ monitorCache, err := newMonitorCache(factory, c.DrainedNotify())
+ if err != nil {
+ return err
+ }
+ metrics.SetStorageMonitorGetter(monitorCache.get)
 c.RESTOptionsGetter = s.CreateRESTOptionsGetter(factory, c.ResourceTransformers)
 return nil
 }
-func monitorGetter(factory serverstorage.StorageFactory) func() (monitors []metrics.Monitor, err error) {
- return func() (monitors []metrics.Monitor, err error) {
- defer func() {
- if err != nil {
- for _, m := range monitors {
- m.Close()
- }
- }
- }()
+type monitorCache struct {
+ mu sync.RWMutex
+ closed bool
+ monitors []metrics.Monitor
+ factory serverstorage.StorageFactory
+ stopCh <-chan struct{}
+}
- var m metrics.Monitor
- for _, cfg := range factory.Configs() {
- m, err = storagefactory.CreateMonitor(cfg)
- if err != nil {
- return nil, err
+var createMonitor = storagefactory.CreateMonitor
+
+func newMonitorCache(factory serverstorage.StorageFactory, stopCh <-chan struct{}) (*monitorCache, error) {
+ if stopCh == nil {
+ return nil, fmt.Errorf("stopCh is required for monitor cache cleanup")
+ }
+ cache := &monitorCache{
+ factory: factory,
+ stopCh: stopCh,
+ }
+ return cache, nil
+}
+
+func (c *monitorCache) get() ([]metrics.Monitor, error) {
+ // Fast path: check if already initialized with read lock
+ c.mu.RLock()
+ if c.closed {
+ c.mu.RUnlock()
+ return nil, fmt.Errorf("monitor cache is closed")
+ }
+ if c.monitors != nil {
+ result := c.monitors
+ c.mu.RUnlock()
+ return result, nil
+ }
+ c.mu.RUnlock()
+
+ // Slow path: initialize with write lock
+ return c.initialize()
+}
+
+func (c *monitorCache) initialize() ([]metrics.Monitor, error) {
+ c.mu.Lock()
+ defer c.mu.Unlock()
+
+ if c.closed {
+ return nil, fmt.Errorf("monitor cache is closed")
+ }
+ if c.monitors != nil {
+ return c.monitors, nil
+ }
+
+ var monitors []metrics.Monitor
+ for _, cfg := range c.factory.Configs() {
+ m, err := createMonitor(cfg)
+ if err != nil {
+ for _, already := range monitors {
+ already.Close() //nolint:errcheck
 }
- monitors = append(monitors, m)
+ return nil, err
 }
- return monitors, nil
+ monitors = append(monitors, m)
+ }
+ c.monitors = monitors
+
+ go func() {
+ <-c.stopCh
+ c.close()
+ }()
+
+ return c.monitors, nil
+}
+
+func (c *monitorCache) close() {
+ c.mu.Lock()
+ defer c.mu.Unlock()
+ if c.closed {
+ return
+ }
+ c.closed = true
+ for _, m := range c.monitors {
+ m.Close() //nolint:errcheck
 }
+ c.monitors = nil
 }
 func (s *EtcdOptions) CreateRESTOptionsGetter(factory serverstorage.StorageFactory, resourceTransformers storagevalue.ResourceTransformers) generic.RESTOptionsGetter {
diff --git a/vendor/k8s.io/apiserver/pkg/storage/etcd3/metrics/metrics.go b/vendor/k8s.io/apiserver/pkg/storage/etcd3/metrics/metrics.go
index 263c04ec02..f77eee9576 100644
--- a/vendor/k8s.io/apiserver/pkg/storage/etcd3/metrics/metrics.go
+++ b/vendor/k8s.io/apiserver/pkg/storage/etcd3/metrics/metrics.go
@@ -355,7 +355,6 @@ func (c *monitorCollector) CollectWithStability(ch chan<- compbasemetrics.Metric
 ctx, cancel := context.WithTimeout(context.Background(), time.Second)
 metrics, err := m.Monitor(ctx)
 cancel()
- m.Close()
 if err != nil {
 klog.InfoS("Failed to get storage metrics", "storage_cluster_id", storageClusterID, "err", err)
 continue
diff --git a/vendor/k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/cache/volumecache.go b/vendor/k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/cache/volumecache.go
index 4b19c985c8..ebd756584c 100644
--- a/vendor/k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/cache/volumecache.go
+++ b/vendor/k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/cache/volumecache.go
@@ -17,12 +17,15 @@ limitations under the License.
 package cache
 import (
+ "slices"
 "sort"
 "sync"
 v1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/client-go/tools/cache"
 "k8s.io/klog/v2"
+ "k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/internal/parse"
 "k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/translator"
 )
@@ -45,8 +48,8 @@ type VolumeCache interface {
 // change their SELinux support dynamically.
 GetPodsForCSIDriver(driverName string) []cache.ObjectName
- // SendConflicts sends all current conflicts to the given channel.
- SendConflicts(logger klog.Logger, ch chan<- Conflict)
+ // GetConflicts returns the current set of active conflicts (both directions).
+ GetConflicts(logger klog.Logger) []Conflict
 }
 // VolumeCache stores all volumes used by Pods and their properties that the controller needs to track,
@@ -56,6 +59,11 @@ type volumeCache struct {
 seLinuxTranslator *translator.ControllerSELinuxTranslator
 // All volumes of all existing Pods.
 volumes map[v1.UniqueVolumeName]usedVolume
+ // Reverse index: maps each pod to the list of volumes it uses.
+ // The index is used during pod deletion.
+ podToVolumes map[cache.ObjectName]sets.Set[v1.UniqueVolumeName]
+ // Currently active conflicts per volume (both directions, symmetric pairs).
+ conflicts map[v1.UniqueVolumeName][]Conflict
 }
 var _ VolumeCache = &volumeCache{}
@@ -65,6 +73,8 @@ func NewVolumeLabelCache(seLinuxTranslator *translator.ControllerSELinuxTranslat
 return &volumeCache{
 seLinuxTranslator: seLinuxTranslator,
 volumes: make(map[v1.UniqueVolumeName]usedVolume),
+ podToVolumes: make(map[cache.ObjectName]sets.Set[v1.UniqueVolumeName]),
+ conflicts: make(map[v1.UniqueVolumeName][]Conflict),
 }
 }
@@ -81,6 +91,8 @@ type podInfo struct {
 // SELinux seLinuxLabel to be applied to the volume in the Pod.
 // Either as mount option or recursively by the container runtime.
 seLinuxLabel string
+ // Pre-parsed SELinux label parts for fast conflict detection.
+ seLinuxParts [4]string
 // SELinuxChangePolicy of the Pod.
 changePolicy v1.PodSELinuxChangePolicy
 }
@@ -89,6 +101,7 @@ func newPodInfoListForPod(podKey cache.ObjectName, seLinuxLabel string, changePo
 return map[cache.ObjectName]podInfo{
 podKey: {
 seLinuxLabel: seLinuxLabel,
+ seLinuxParts: parse.ParseSELinuxLabel(seLinuxLabel),
 changePolicy: changePolicy,
 },
 }
@@ -110,12 +123,16 @@ func (c *volumeCache) AddVolume(logger klog.Logger, volumeName v1.UniqueVolumeNa
 pods: newPodInfoListForPod(podKey, label, changePolicy),
 }
 c.volumes[volumeName] = volume
+
+ // Add to reverse index
+ c.registerPodVolume(podKey, volumeName)
 return conflicts
 }
 // The volume is already known
 podInfo := podInfo{
 seLinuxLabel: label,
+ seLinuxParts: parse.ParseSELinuxLabel(label),
 changePolicy: changePolicy,
 }
 oldPodInfo, found := volume.pods[podKey]
@@ -128,6 +145,9 @@ func (c *volumeCache) AddVolume(logger klog.Logger, volumeName v1.UniqueVolumeNa
 // Add the updated pod info to the cache
 volume.pods[podKey] = podInfo
+ // Add to reverse index
+ c.registerPodVolume(podKey, volumeName)
+
 // Emit conflicts for the pod
 for otherPodKey, otherPodInfo := range volume.pods {
 if otherPodInfo.changePolicy != changePolicy {
@@ -147,8 +167,9 @@ func (c *volumeCache) AddVolume(logger klog.Logger, volumeName v1.UniqueVolumeNa
 OtherPod: podKey,
 OtherPropertyValue: string(changePolicy),
 })
+
 }
- if c.seLinuxTranslator.Conflicts(otherPodInfo.seLinuxLabel, label) {
+ if c.seLinuxTranslator.ConflictsParsed(otherPodInfo.seLinuxParts, podInfo.seLinuxParts) {
 // Send conflict to both pods
 conflicts = append(conflicts, Conflict{
 PropertyName: "SELinuxLabel",
@@ -167,6 +188,21 @@ func (c *volumeCache) AddVolume(logger klog.Logger, volumeName v1.UniqueVolumeNa
 })
 }
 }
+ // Update the conflict cache for this volume: remove stale conflicts for this pod, then add new ones
+ volumeConflicts := c.conflicts[volumeName]
+ updated := make([]Conflict, 0, len(volumeConflicts))
+ for _, existing := range volumeConflicts {
+ if existing.Pod != podKey && existing.OtherPod != podKey {
+ updated = append(updated, existing)
+ }
+ }
+ updated = append(updated, conflicts...)
+ if len(updated) == 0 {
+ delete(c.conflicts, volumeName)
+ } else {
+ c.conflicts[volumeName] = updated
+ }
+
 return conflicts
 }
@@ -176,12 +212,47 @@ func (c *volumeCache) DeletePod(logger klog.Logger, podKey cache.ObjectName) {
 defer c.mutex.Unlock()
 defer c.dump(logger)
- for volumeName, volume := range c.volumes {
+ for volumeName := range c.podToVolumes[podKey] {
+ conflicts, found := c.conflicts[volumeName]
+ if !found {
+ continue
+ }
+ updated := make([]Conflict, 0, len(conflicts))
+ for _, existing := range conflicts {
+ // preserve other conflicts belonging to volume
+ if existing.Pod != podKey && existing.OtherPod != podKey {
+ updated = append(updated, existing)
+ }
+ }
+ if len(updated) == 0 {
+ delete(c.conflicts, volumeName)
+ } else {
+ c.conflicts[volumeName] = updated
+ }
+ }
+
+ // Use reverse index to only iterate through volumes this pod actually uses.
+ for volumeName := range c.podToVolumes[podKey] {
+ volume, found := c.volumes[volumeName]
+ if !found {
+ continue
+ }
 delete(volume.pods, podKey)
 if len(volume.pods) == 0 {
 delete(c.volumes, volumeName)
 }
 }
+ delete(c.podToVolumes, podKey)
+}
+
+// registerPodVolume adds volumeName to the pod volume index.
+// Make sure to hold c.mutex when calling this function.
+func (c *volumeCache) registerPodVolume(podKey cache.ObjectName, volumeName v1.UniqueVolumeName) {
+ if podVolumes, ok := c.podToVolumes[podKey]; ok {
+ podVolumes.Insert(volumeName)
+ } else {
+ c.podToVolumes[podKey] = sets.New(volumeName)
+ }
 }
 func (c *volumeCache) dump(logger klog.Logger) {
@@ -215,6 +286,22 @@ func (c *volumeCache) dump(logger klog.Logger) {
 logger.Info(" pod", "pod", podKey, "seLinuxLabel", podInfo.seLinuxLabel, "changePolicy", podInfo.changePolicy)
 }
 }
+
+ // Collect all pods, sort them and print the associated volumes.
+ podKeys := make([]cache.ObjectName, 0, len(c.podToVolumes))
+ for podKey := range c.podToVolumes {
+ podKeys = append(podKeys, podKey)
+ }
+ sort.Slice(podKeys, func(i, j int) bool {
+ return podKeys[i].String() < podKeys[j].String()
+ })
+
+ logger.Info("VolumeCache reverse index dump:")
+ for _, podKey := range podKeys {
+ podVolumes := sets.List(c.podToVolumes[podKey])
+ slices.Sort(podVolumes)
+ logger.Info(" pod", "pod", podKey, "volumes", podVolumes)
+ }
 }
 // GetPodsForCSIDriver returns all pods that use volumes with the given CSI driver.
@@ -234,42 +321,16 @@ func (c *volumeCache) GetPodsForCSIDriver(driverName string) []cache.ObjectName
 return pods
 }
-// SendConflicts sends all current conflicts to the given channel.
-func (c *volumeCache) SendConflicts(logger klog.Logger, ch chan<- Conflict) {
+// GetConflicts returns the current set of active conflicts (both directions, symmetric pairs).
+func (c *volumeCache) GetConflicts(logger klog.Logger) []Conflict {
 c.mutex.RLock()
 defer c.mutex.RUnlock()
 logger.V(4).Info("Scraping conflicts")
 c.dump(logger)
- for _, volume := range c.volumes {
- // compare pods that use the same volume with each other
- for podKey, podInfo := range volume.pods {
- for otherPodKey, otherPodInfo := range volume.pods {
- if podKey == otherPodKey {
- continue
- }
- // create conflict only for the first pod. The other pod will get the same conflict in its own iteration of `volume.pods` loop.
- if podInfo.changePolicy != otherPodInfo.changePolicy {
- ch <- Conflict{
- PropertyName: "SELinuxChangePolicy",
- EventReason: "SELinuxChangePolicyConflict",
- Pod: podKey,
- PropertyValue: string(podInfo.changePolicy),
- OtherPod: otherPodKey,
- OtherPropertyValue: string(otherPodInfo.changePolicy),
- }
- }
- if c.seLinuxTranslator.Conflicts(podInfo.seLinuxLabel, otherPodInfo.seLinuxLabel) {
- ch <- Conflict{
- PropertyName: "SELinuxLabel",
- EventReason: "SELinuxLabelConflict",
- Pod: podKey,
- PropertyValue: podInfo.seLinuxLabel,
- OtherPod: otherPodKey,
- OtherPropertyValue: otherPodInfo.seLinuxLabel,
- }
- }
- }
- }
+ result := sets.New[Conflict]()
+ for _, volConflicts := range c.conflicts {
+ result.Insert(volConflicts...)
 }
+ return result.UnsortedList()
 }
diff --git a/vendor/k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/internal/parse/selinux_label.go b/vendor/k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/internal/parse/selinux_label.go
new file mode 100644
index 0000000000..0fd48ed8b6
--- /dev/null
+++ b/vendor/k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/internal/parse/selinux_label.go
@@ -0,0 +1,32 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package parse
+
+import "strings"
+
+// ParseSELinuxLabel parses a SELinux label string into its components.
+// Format: "user:role:type:level" -> [user, role, type, level]
+// Missing components are represented as empty strings.
+func ParseSELinuxLabel(label string) [4]string {
+ var parts [4]string
+ if label == "" {
+ return parts
+ }
+ split := strings.SplitN(label, ":", 4)
+ copy(parts[:], split)
+ return parts
+}
diff --git a/vendor/k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/metrics.go b/vendor/k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/metrics.go
index d95665c916..c285bd78db 100644
--- a/vendor/k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/metrics.go
+++ b/vendor/k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/metrics.go
@@ -59,13 +59,7 @@ func (c *collector) DescribeWithStability(ch chan<- *metrics.Desc) {
 }
 func (c *collector) CollectWithStability(ch chan<- metrics.Metric) {
- conflictCh := make(chan cache.Conflict)
- go func() {
- c.cache.SendConflicts(c.logger, conflictCh)
- close(conflictCh)
- }()
-
- for conflict := range conflictCh {
+ for _, conflict := range c.cache.GetConflicts(c.logger) {
 ch <- metrics.NewLazyConstMetric(seLinuxConflictDesc,
 metrics.GaugeValue,
 1.0,
diff --git a/vendor/k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/translator/selinux_translator.go b/vendor/k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/translator/selinux_translator.go
index 99ce3e97dd..db599c98cd 100644
--- a/vendor/k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/translator/selinux_translator.go
+++ b/vendor/k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/translator/selinux_translator.go
@@ -20,6 +20,7 @@ import (
 "strings"
 v1 "k8s.io/api/core/v1"
+ "k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/internal/parse"
 "k8s.io/kubernetes/pkg/volume/util"
 )
@@ -70,18 +71,16 @@ func (c *ControllerSELinuxTranslator) SELinuxOptionsToFileLabel(opts *v1.SELinux
 // However: "system_u:system_r:container_t:s0:c1,c2" *does* conflict with ":::s0:c98,c99".
 // And ":::s0:c1,c2" *does* conflict with "" or ":::", because it's never defaulted by the OS.
 func (c *ControllerSELinuxTranslator) Conflicts(labelA, labelB string) bool {
- partsA := strings.SplitN(labelA, ":", 4)
- partsB := strings.SplitN(labelB, ":", 4)
-
- // Reorder, so partsA is always longer than partsB
- if len(partsA) < len(partsB) {
- partsB, partsA = partsA, partsB
- }
+ return c.ConflictsParsed(parse.ParseSELinuxLabel(labelA), parse.ParseSELinuxLabel(labelB))
+}
- for len(partsB) < len(partsA) {
- partsB = append(partsB, "")
- }
- for i := range partsA {
+// ConflictsParsed returns true if two pre-parsed SELinux labels conflict.
+// This is an optimized version of Conflicts() that operates on pre-split labels
+// to avoid repeated string allocations in hot paths (e.g., metrics collection).
+// partsA and partsB must be 4-element arrays in the format: [user, role, type, level]
+func (c *ControllerSELinuxTranslator) ConflictsParsed(partsA, partsB [4]string) bool {
+ // Compare each component
+ for i := range 4 {
 if partsA[i] == partsB[i] {
 continue
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 8111233905..d48af84e56 100644
--- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -2716,6 +2716,7 @@ k8s.io/kubernetes/pkg/controller/volume/pvcprotection k8s.io/kubernetes/pkg/controller/volume/pvprotection k8s.io/kubernetes/pkg/controller/volume/selinuxwarning k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/cache +k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/internal/parse k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/translator k8s.io/kubernetes/pkg/controller/volume/vacprotection k8s.io/kubernetes/pkg/controlplane