Automated rebase to K8s 1.36.2 #718

Open
dfarrell07 wants to merge 9 commits into openshift:master from dfarrell07:bump1.36
@dfarrell07 dfarrell07 commented Jun 10, 2026

Generated by the new/WIP k8s-rebase Claude skill.

openshift-eng/ai-helpers@main...dfarrell07:ai-helpers:k8s-rebase-skill

Summary by CodeRabbit

  • Chores

    • Updated Go toolchain to 1.26 across build images and module settings.
    • Updated test tooling to Kubernetes 1.36 (envtest) and refreshed linter to golangci-lint v2.12.2, including lint script/config updates.
  • Bug Fixes

    • Improved cleanup behavior for eBPF/bpfman teardown in deletion scenarios.
    • Fixed namespace selection for IngressNodeFirewallConfig availability status.
    • Improved error-message clarity in validation paths.
  • Refactor

    • Updated webhook handling to use typed validation.
    • Removed deprecated file-handling utilities and modernized related logic.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) Jun 10, 2026

openshift-ci Bot commented Jun 10, 2026

Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

coderabbitai Bot commented Jun 10, 2026

Walkthrough

The PR upgrades the project to Go 1.26 across all Dockerfiles and go.mod, advances direct and indirect dependencies including Kubernetes/controller-runtime, bumps golangci-lint to v2.12.2 with local linting support enabled in the Makefile, updates Kubernetes test assets to version 1.36, refactors the webhook to use the typed admission.Validator[*IngressNodeFirewall] generic interface, migrates eBPF map field references from embedded BpfMaps.* to direct IngressNodeFirewall* fields, refactors bpfman application spec configuration, removes deprecated io/ioutil usage, consolidates import aliases for consistency, updates error message capitalization, and simplifies controller logic with switch statements.

Changes

Go 1.26 Upgrade and Code Modernization

| Layer | File(s) | Summary |
|---|---|---|
| Go 1.26 infrastructure and toolchain updates | Dockerfile, Dockerfile.daemon, Dockerfile.openshift, go.mod, Makefile, hack/lint.sh, hack/kind-cluster.sh, .golangci.yml | All Dockerfiles switch builder stages from Go 1.25 to 1.26. go.mod sets toolchain to go 1.26.0 and bumps direct dependencies (Kubernetes, controller-runtime, Prometheus, netlink, logr, gomega) and a large set of indirect transitive modules. ENVTEST_K8S_VERSION raised to 1.36, setup-envtest to release-0.24, and GOLANGCI_LINT_VERSION to v2.12.2. The lint target now installs and runs golangci-lint locally instead of requiring a container. .golangci.yml introduced with errcheck linter configuration excluding Close-related errors. |
| Webhook typed admission.Validator refactoring | pkg/webhook/webhook.go, pkg/webhook/webhook_suite_test.go | Webhook switches to typed admission.Validator[*IngressNodeFirewall] generic interface and SetupWebhookWithManager registers a typed validator, eliminating runtime type assertions and NewBadRequest error handling. ValidateCreate, ValidateUpdate, and ValidateDelete now accept *IngressNodeFirewall directly. Test helper initCIDRTransportRule refactors protocol selection from if/else to switch statement. |
| eBPF map field migration from BpfMaps to direct references | pkg/ebpf/ingress_node_firewall_loader.go | All embedded objs.BpfMaps.* field accesses replaced with direct objs.IngressNodeFirewall* fields across pinned map loading, rule table operations (Update, Iterate, Delete), and stale-key computations. Deprecated io/ioutil import removed in favor of os.ReadDir. Error message capitalization standardized to lowercase. |
| BpfApplication spec field refactoring | pkg/bpf-mgr/lib-bpfman.go | prepareBpfApplication moves GlobalData and ByteCode configuration from nested Spec.BpfAppCommon structure to top-level Spec fields. |
| Controller logic simplifications and updates | controllers/ingressnodefirewall_controller.go, controllers/ingressnodefirewallconfig_controller.go, controllers/ingressnodefirewallnodestate_controller.go | bpfman detach path removes pre-computation of interface slice and passes nil to BpfmanDetachNodeFirewall. Attach error message changed from formatted string to literal. Config controller updates namespace argument to status.IsIngressNodeFirewallConfigAvailable. NodeState controller accesses DeletionTimestamp directly instead of through ObjectMeta. |
| Code cleanup: ioutil removal, imports, error messages, and control flow refactoring | pkg/render/render.go, pkg/utils/utils.go, pkg/ebpfsyncer/ebpfsyncer.go, pkg/ebpfsyncer/ebpfsyncer_test.go, pkg/ebpf/ingress_node_firewall_events.go, api/v1alpha1/groupversion_info.go, test/e2e/k8sreporter/reporter.go, test/e2e/namespaces/namespaces.go, test/e2e/events/events.go, test/e2e/functional/tests/e2e.go, test/e2e/ingress-node-firewall/ingress-node-firewall.go, test/e2e/validation/tests/validation.go | io/ioutil replaced with os.ReadFile/os.ReadDir in render and syncer code. k8sreporter consolidates to single corev1 alias, namespaces uses k8serrors alias for consistency. Error messages standardized from capitalized to lowercase ("Failed" → "failed", "Nil" → "nil"). Event parsing, syncer test, and webhook test refactor if/else chains to switch statements. Test imports updated with //nolint:staticcheck annotations. SchemeBuilder gets //nolint:staticcheck comment. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 41.18% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (14 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Automated rebase to K8s 1.36.2' directly and accurately summarizes the main purpose of this pull request, which is an automated upgrade to Kubernetes 1.36.2. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | All Ginkgo test names in the PR use stable, deterministic strings with no dynamic content. Test titles use descriptive static text (e.g., "block a port with a single rule defining the destinations... |
| Test Structure And Quality | ✅ Passed | Test code follows quality requirements: tests have single responsibility (It blocks test specific behaviors), proper setup/cleanup (BeforeEach/AfterEach with defers), appropriate timeouts (Eventual... |
| Microshift Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added in this PR. Changes to test files consist of refactoring existing helper functions and adding linter suppression comments to imports only. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No new Ginkgo e2e tests are added in this PR. All test file changes involve import modifications, code refactoring, nolint directives, and error message text updates to existing tests. The custom c... |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR is a K8s 1.36.2 dependency rebase with no deployment manifests, operator code, or scheduling constraints introduced. No topology-aware scheduling issues detected. |
| Ote Binary Stdout Contract | ✅ Passed | PR contains no stdout writes in process-level code (main(), init(), BeforeSuite(), etc.). Logger is properly configured with zap/structured logging directed to stderr/GinkgoWriter, not stdout. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No new Ginkgo e2e tests (It(), Describe(), Context(), When()) were added in this PR; all test file changes are import/refactoring maintenance of existing code, making the IPv6/disconnected compatib... |
| No-Weak-Crypto | ✅ Passed | No weak cryptography patterns detected. The PR (Kubernetes 1.36.2 rebase) contains no usage of MD5, SHA1, DES, RC4, 3DES, Blowfish, or ECB mode. No custom crypto implementations or non-constant-tim... |
| Container-Privileges | ✅ Passed | This PR contains no changes to Kubernetes manifest files (daemonset.yaml, namespace.yaml, etc.). All modifications are to Dockerfiles, Go source code, Makefiles, and test files. No container privil... |
| No-Sensitive-Data-In-Logs | ✅ Passed | The PR contains no logging that exposes passwords, tokens, API keys, PII, session IDs, or customer data. Error messages log only system paths, interface names, port numbers, and configuration values. |

openshift-ci Bot commented Jun 10, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dfarrell07
Once this PR has been reviewed and has the lgtm label, please assign danwinship for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@dfarrell07 dfarrell07 marked this pull request as ready for review June 10, 2026 22:21
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) Jun 10, 2026
@openshift-ci openshift-ci Bot requested review from abhat and jcaamano June 10, 2026 22:21

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
Dockerfile.openshift (1)

21-26: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Container runs as root (violates security guidelines and inconsistent with base Dockerfile).

The runtime stage does not include a USER directive, so the container will run as root by default. As per coding guidelines, containers must run as non-root.

The base Dockerfile correctly includes USER nonroot:nonroot at line 29. This OpenShift variant should follow the same pattern.

🔒 Proposed fix to match the base Dockerfile
 FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
 WORKDIR /
 COPY --from=builder /workspace/manager .
 COPY --from=builder /workspace/bindata/manifests /bindata/manifests
+
+USER 65532:65532
 
 ENTRYPOINT ["/manager"]
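
Review bot: The two COPY --from=builder lines above the added USER 65532:65532 set no ownership or mode, so /manager and /bindata/manifests stay root-owned in the runtime stage. Confirm that /manager is executable and the manifests are readable by UID 65532, or add --chown=65532:65532 to both COPY lines, otherwise the non-root process can fail at startup. Keeping the numeric UID:GID instead of a user name is the right choice here, because nothing in the hunk shows the base-rhel9 image defining a nonroot account.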

Note: Using UID/GID 65532 is the numeric equivalent of the nonroot user in distroless images.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.openshift` around lines 21 - 26, The OpenShift runtime stage
currently leaves the container running as root (ENTRYPOINT ["/manager"])—add a
non-root user directive to match the base Dockerfile by inserting a USER
directive (use nonroot:nonroot or the numeric UID/GID 65532:65532) in the
runtime stage before the ENTRYPOINT so the container runs as non-root and aligns
with the base Dockerfile behavior.

Source: Coding guidelines

Dockerfile.daemon (1)

7-10: ⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

Daemon containers run as root across both build variants.

Both Dockerfile.daemon and Dockerfile.daemon.openshift lack a USER directive in their runtime stages, causing the daemon containers to run as root by default. As per coding guidelines, containers must run as non-root.

If the daemon requires elevated privileges for eBPF/firewall operations, consider using capabilities or privileged security contexts explicitly rather than implicit root execution. The security context should be declared in the DaemonSet manifest rather than baked into the container image.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.daemon` around lines 7 - 10, The runtime stage in
Dockerfile.daemon leaves the container running as root; add a non-root user and
switch to it by creating a user/group (e.g., daemon user), chown the installed
binaries (/usr/bin/daemon and /usr/bin/syslog) to that user and add a USER
directive so the image no longer defaults to root; do not grant extra privileges
in the Dockerfile—leave any capabilities or privileged securityContext to the
DaemonSet manifest—ensure the binaries are executable by the non-root user
before switching.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hack/lint.sh`:
- Around line 5-6: The comment above the VERSION variable is stale: update the
comment that currently says "pin golangci-lint version to 1.54.2" to reflect the
actual value of the VERSION variable (v1.64.8); change the comment text to match
VERSION and keep the reference consistent with the VERSION variable in
hack/lint.sh so future updates are obvious.

In `@Makefile`:
- Line 422: Update GOLANGCI_LINT_VERSION in the Makefile because v1.64.8 is not
built with Go 1.26 compatibility; set the GOLANGCI_LINT_VERSION variable to a
golangci-lint release that explicitly lists Go 1.26 support (pick the latest
release that declares Go 1.26 compatibility) and update the Makefile
accordingly; after changing GOLANGCI_LINT_VERSION, review the golangci-lint
changelog between v1.54.2 and v1.64.8 for any rule/config changes and adjust
your .golangci.yml (or linter config) or CI commands to accommodate
renamed/removed linters or new defaults.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 91e35a94-15cc-4029-a949-167060f9a34d

📥 Commits

Reviewing files that changed from the base of the PR and between 1c7880a and 1107ec0.

⛔ Files ignored due to path filters (282)
  • vendor/github.com/gogo/protobuf/proto/properties_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/skip_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_marshal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_marshal_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_merge.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_unmarshal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_unmarshal_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/text.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/text_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/text_parser.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/timestamp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/timestamp_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/wrappers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/wrappers_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/sortkeys/sortkeys.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/AUTHORS is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/CONTRIBUTORS is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/buffer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/defaults.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/deprecated.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/discard.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/extensions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/properties.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/proto.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/registry.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/text_decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/text_encode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/wire.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/wrappers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/any.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/any/any.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/duration.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/duration/duration.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/timestamp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/timestamp/timestamp.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/google/btree/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/btree/btree.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/btree/btree_generic.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/compiler/context.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/compiler/extensions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/compiler/helpers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/compiler/reader.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/extensions/extension.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/extensions/extensions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/jsonschema/models.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/jsonschema/reader.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/jsonschema/writer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv2/OpenAPIv2.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv2/OpenAPIv2.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv2/document.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv3/OpenAPIv3.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv3/OpenAPIv3.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv3/annotations.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv3/annotations.proto is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv3/document.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gofuzz/.travis.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gofuzz/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gofuzz/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gofuzz/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gofuzz/fuzz.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/client.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/compression.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/conn.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/proxy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/server.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/tls_handshake.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/tls_handshake_116.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/x_net_proxy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/josharian/intern/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/josharian/intern/intern.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/josharian/intern/license.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/buffer/pool.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jlexer/bytestostr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jlexer/bytestostr_nounsafe.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jlexer/error.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jlexer/lexer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jwriter/writer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/NOTICE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/connection.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/spdy/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/spdy/PATENTS is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/spdy/dictionary.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/spdy/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/spdy/read.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/spdy/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/spdy/write.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/modern-go/reflect2/safe_type.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mxk/go-flowrate/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mxk/go-flowrate/flowrate/flowrate.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mxk/go-flowrate/flowrate/io.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mxk/go-flowrate/flowrate/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/format/format.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (18)
  • .ci-operator.yaml
  • Dockerfile
  • Dockerfile.daemon
  • Dockerfile.daemon.openshift
  • Dockerfile.openshift
  • Makefile
  • api/v1alpha1/groupversion_info.go
  • api/v1alpha1/ingressnodefirewall_types.go
  • api/v1alpha1/ingressnodefirewallconfig_types.go
  • api/v1alpha1/ingressnodefirewallnodestate_types.go
  • controllers/ingressnodefirewall_controller.go
  • controllers/suite_test.go
  • go.mod
  • hack/lint.sh
  • pkg/ebpf/ingress_node_firewall_loader.go
  • pkg/render/render.go
  • pkg/utils/utils.go
  • pkg/webhook/webhook.go

Comment thread hack/lint.sh Outdated
Comment thread Makefile Outdated
@dfarrell07 changed the title from "Automated rebase to K8s 1.36.1" to "Automated rebase to K8s 1.36.2" on Jun 16, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
Dockerfile.daemon (1)

7-10: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Set a non-root runtime user.

The final image runs as root by default because no USER is set. This violates the container hardening requirement and matches the Trivy DS-0002 finding.

Suggested patch
 FROM quay.io/centos/centos:stream8
 COPY --from=builder /go/src/github.com/openshift/ingress-node-firewall/bin/daemon /usr/bin/
 COPY --from=builder /go/src/github.com/openshift/ingress-node-firewall/bin/syslog /usr/bin/
+USER 65532:65532
 CMD ["/usr/bin/daemon"]
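
Review bot: `USER 65532:65532` placed before `CMD ["/usr/bin/daemon"]` needs a check that the daemon still does its job as that UID. If `/usr/bin/daemon` is the process that loads the eBPF programs (pkg/ebpf/ingress_node_firewall_loader.go is among the reviewed files), an arbitrary non-root UID lacks the privileges for that, so the pod's securityContext would have to grant them or override the user. Confirm this against the DaemonSet manifest before merging. `/usr/bin/syslog` is copied into the same stage but is not started by `CMD`, so also check how it is launched and under which user. Separately, the runtime stage still uses the mutable tag `quay.io/centos/centos:stream8`; pin it by digest in the same change, for the same reason given for the builder image.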

As per coding guidelines: “USER non-root; never run as root.” Based on learnings from static analysis hint DS-0002.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.daemon` around lines 7 - 10, The Dockerfile lacks a USER
directive, causing the container to run as root by default, which violates
container hardening requirements and the DS-0002 security finding. Add a USER
directive after the COPY commands and before the CMD instruction to specify a
non-root user for runtime execution. This ensures the daemon process runs with
reduced privileges as required by the coding guidelines.

Sources: Coding guidelines, Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile.daemon`:
- Line 1: The FROM golang:1.26 AS builder statement uses a mutable image tag
that does not guarantee reproducible builds. Pin the golang image by its SHA256
digest by appending `@sha256:[digest]` to the image reference. Look up the correct
digest for the golang:1.26 image and update the FROM statement to use the full
image reference with the digest to ensure builds are reproducible and reduce
supply-chain drift.

In `@Makefile`:
- Line 389: The golangci-lint invocation on line 389 relies on the binary being
in PATH after installation, which fails on hosts where the go binary
installation directory is not in PATH. Replace the `golangci-lint` command
reference with an explicit path to the just-installed binary by using a go
environment variable (such as constructing the path from go env GOPATH or
GOBIN), following the same pattern already used elsewhere in the Makefile for
other installed binaries.

---

Outside diff comments:
In `@Dockerfile.daemon`:
- Around line 7-10: The Dockerfile lacks a USER directive, causing the container
to run as root by default, which violates container hardening requirements and
the DS-0002 security finding. Add a USER directive after the COPY commands and
before the CMD instruction to specify a non-root user for runtime execution.
This ensures the daemon process runs with reduced privileges as required by the
coding guidelines.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8f0c81df-446b-4367-847e-6f5698e01bb6

📥 Commits

Reviewing files that changed from the base of the PR and between 1107ec0 and 4c54595.

⛔ Files ignored due to path filters (286)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/gogo/protobuf/proto/properties_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/skip_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_marshal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_marshal_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_merge.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_unmarshal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_unmarshal_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/text.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/text_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/text_parser.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/timestamp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/timestamp_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/wrappers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/wrappers_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/sortkeys/sortkeys.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/AUTHORS is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/CONTRIBUTORS is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/buffer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/defaults.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/deprecated.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/discard.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/extensions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/properties.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/proto.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/registry.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/text_decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/text_encode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/wire.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/wrappers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/any.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/any/any.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/duration.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/duration/duration.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/timestamp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/timestamp/timestamp.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/google/btree/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/btree/btree.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/btree/btree_generic.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/compiler/context.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/compiler/extensions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/compiler/helpers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/compiler/reader.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/extensions/extension.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/extensions/extensions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/jsonschema/models.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/jsonschema/reader.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/jsonschema/writer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv2/OpenAPIv2.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv2/OpenAPIv2.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv2/document.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv3/OpenAPIv3.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv3/OpenAPIv3.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv3/annotations.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv3/annotations.proto is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv3/document.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gofuzz/.travis.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gofuzz/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gofuzz/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gofuzz/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gofuzz/fuzz.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/client.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/compression.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/conn.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/proxy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/server.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/tls_handshake.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/tls_handshake_116.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/x_net_proxy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/josharian/intern/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/josharian/intern/intern.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/josharian/intern/license.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/buffer/pool.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jlexer/bytestostr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jlexer/bytestostr_nounsafe.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jlexer/error.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jlexer/lexer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jwriter/writer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/NOTICE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/connection.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/spdy/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/spdy/PATENTS is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/spdy/dictionary.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/spdy/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/spdy/read.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/spdy/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/spdy/write.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/modern-go/reflect2/safe_type.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mxk/go-flowrate/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mxk/go-flowrate/flowrate/flowrate.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mxk/go-flowrate/flowrate/io.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mxk/go-flowrate/flowrate/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/format/format.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/gomega_dsl.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/internal/async_assertion.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/matchers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/matchers/be_comparable_to_matcher.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/matchers/have_key_matcher.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (12)
  • Dockerfile
  • Dockerfile.daemon
  • Dockerfile.openshift
  • Makefile
  • api/v1alpha1/groupversion_info.go
  • controllers/ingressnodefirewall_controller.go
  • go.mod
  • hack/lint.sh
  • pkg/ebpf/ingress_node_firewall_loader.go
  • pkg/render/render.go
  • pkg/utils/utils.go
  • pkg/webhook/webhook.go
✅ Files skipped from review due to trivial changes (3)
  • api/v1alpha1/groupversion_info.go
  • Dockerfile.openshift
  • pkg/utils/utils.go
🚧 Files skipped from review as they are similar to previous changes (4)
  • Dockerfile
  • hack/lint.sh
  • controllers/ingressnodefirewall_controller.go
  • go.mod

Comment thread Dockerfile.daemon
@@ -1,4 +1,4 @@
FROM golang:1.25 AS builder
FROM golang:1.26 AS builder

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin the builder image by digest (or use a Red Hat catalog base image).

golang:1.26 is mutable. Per the container policy, non-Red Hat images must be digest-pinned to make builds reproducible and reduce supply-chain drift.

Suggested patch
-FROM golang:1.26 AS builder
+FROM golang:1.26@sha256:<verified-digest> AS builder

As per coding guidelines: “non-RH images: pin by digest.”

🧰 Tools
🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.daemon` at line 1, The FROM golang:1.26 AS builder statement uses
a mutable image tag that does not guarantee reproducible builds. Pin the golang
image by its SHA256 digest by appending `@sha256:[digest]` to the image reference.
Look up the correct digest for the golang:1.26 image and update the FROM
statement to use the full image reference with the digest to ensure builds are
reproducible and reduce supply-chain drift.

Source: Coding guidelines
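
The two findings raised on Dockerfile.daemon above (a tag-only base image, and the Trivy DS-0002 result for a missing USER instruction) can be enforced in CI before review. This Go checker is an added example, not code from this PR or from CodeRabbit; the Dockerfile text, the all-zero digest, UID 65532 and the exempt registry prefix are constructed assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one policy violation and the 1-based Dockerfile line it refers to.
type Finding struct {
	Line int
	Rule string // "unpinned-base" or "root-user"
	Ref  string // image reference, or the USER value in effect ("" if none)
}

// A pinned reference ends in a full sha256 digest; a tag alone is mutable.
var pinned = regexp.MustCompile(`@sha256:[0-9a-f]{64}$`)

func hasPrefix(image string, prefixes []string) bool {
	for _, p := range prefixes {
		if strings.HasPrefix(image, p) {
			return true
		}
	}
	return false
}

func isRoot(user string) bool {
	name, _, _ := strings.Cut(user, ":") // drop an optional ":group"
	return name == "" || name == "root" || name == "0"
}

// CheckDockerfile reports base images that are not digest-pinned (unless they
// start with an exempt registry prefix) and a final stage that ends up as root.
// Assumes each instruction fits on one line (no backslash continuations).
func CheckDockerfile(src string, exempt []string) []Finding {
	var out []Finding
	stageUser := map[string]string{} // stage alias -> USER at the end of that stage
	alias, user, fromLine := "", "", 0
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue
		}
		switch strings.ToUpper(f[0]) {
		case "USER":
			user = f[1]
		case "FROM":
			if alias != "" {
				stageUser[alias] = user // close the previous named stage
			}
			args := f[1:]
			for len(args) > 1 && strings.HasPrefix(args[0], "--") {
				args = args[1:] // skip flags such as --platform=linux/amd64
			}
			image := args[0]
			alias, user, fromLine = "", "", n
			if len(args) == 3 && strings.EqualFold(args[1], "AS") {
				alias = strings.ToLower(args[2])
			}
			if inherited, ok := stageUser[strings.ToLower(image)]; ok {
				user = inherited // FROM <earlier stage>: nothing is pulled, USER carries over
				continue
			}
			if image == "scratch" || pinned.MatchString(image) || hasPrefix(image, exempt) {
				continue
			}
			out = append(out, Finding{n, "unpinned-base", image})
		}
	}
	if fromLine != 0 && isRoot(user) {
		out = append(out, Finding{fromLine, "root-user", user})
	}
	return out
}

// Constructed sample shaped like the findings above; not the repository's file.
const sampleBefore = `FROM golang:1.26 AS builder
WORKDIR /src
COPY . .
RUN go build -o /out/daemon ./cmd/daemon

FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
COPY --from=builder /out/daemon /usr/bin/daemon
CMD ["/usr/bin/daemon"]
`

// Same build with a placeholder (all-zero, not real) digest and a non-root USER.
var sampleAfter = "FROM golang:1.26@sha256:" + strings.Repeat("0", 64) + " AS builder\n" +
	"RUN go build -o /out/daemon ./cmd/daemon\n" +
	"FROM registry.access.redhat.com/ubi9/ubi-minimal:latest\n" +
	"COPY --from=builder /out/daemon /usr/bin/daemon\n" +
	"USER 65532:65532\n" +
	"CMD [\"/usr/bin/daemon\"]\n"

// Assumption: which registry prefixes count as "Red Hat images" under the policy.
var exemptRegistries = []string{"registry.access.redhat.com/"}

func main() {
	for _, f := range CheckDockerfile(sampleBefore, exemptRegistries) {
		fmt.Printf("before: line %d: %s (%q)\n", f.Line, f.Rule, f.Ref)
	}
	fmt.Println("after:", len(CheckDockerfile(sampleAfter, exemptRegistries)), "findings")
}
```

A stage built `FROM` an earlier named stage inherits that stage's USER, so the root check follows the alias chain rather than looking only at the last stage's own instructions.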

Comment thread Makefile Outdated
@GOPATH=${GOPATH} ./hack/lint.sh $(CONTAINER_RUNTIME)
else
echo "linter can only be run within a container since it needs a specific golangci-lint version"
go install github.com/golangci/golangci-lint/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION) 2>/dev/null && golangci-lint run --verbose --timeout=15m0s
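
Review bot: on the `go install ... 2>/dev/null && golangci-lint run` line, stderr from `go install` is discarded, so a failed install stops the recipe with no diagnostic, while the `echo` just above still tells the user the linter can only run in a container. Drop the `2>/dev/null` and update or remove the echo. Also check the install path itself: golangci-lint v2 releases are published under the module path `github.com/golangci/golangci-lint/v2/cmd/golangci-lint`, so if `$(GOLANGCI_LINT_VERSION)` is a v2 tag the path on this line will not resolve, and the redirect would hide exactly that error.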

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use the just-installed linter binary explicitly

Line 389 installs golangci-lint, then invokes golangci-lint from PATH. On hosts where $(go env GOPATH)/bin (or GOBIN) is not in PATH, lint fails even though install succeeded. Run the binary via an explicit path variable (same pattern used elsewhere in this Makefile) to avoid PATH-dependent failures.

Suggested patch
-	go install github.com/golangci/golangci-lint/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION) 2>/dev/null && golangci-lint run --verbose --timeout=15m0s
+	GOBIN=$(shell go env GOPATH)/bin GOFLAGS="" go install github.com/golangci/golangci-lint/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION) && \
+	$(shell go env GOPATH)/bin/golangci-lint run --verbose --timeout=15m0s
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
go install github.com/golangci/golangci-lint/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION) 2>/dev/null && golangci-lint run --verbose --timeout=15m0s
GOBIN=$(shell go env GOPATH)/bin GOFLAGS="" go install github.com/golangci/golangci-lint/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION) && \
$(shell go env GOPATH)/bin/golangci-lint run --verbose --timeout=15m0s
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Makefile` at line 389, The golangci-lint invocation on line 389 relies on the
binary being in PATH after installation, which fails on hosts where the go
binary installation directory is not in PATH. Replace the `golangci-lint`
command reference with an explicit path to the just-installed binary by using a
go environment variable (such as constructing the path from go env GOPATH or
GOBIN), following the same pattern already used elsewhere in the Makefile for
other installed binaries.

@dfarrell07 dfarrell07 force-pushed the bump1.36 branch 2 times, most recently from 95148ee to 1efda83 Compare June 17, 2026 00:18
go get k8s.io/api@v0.36.2
go get k8s.io/apiextensions-apiserver@v0.36.2
go get k8s.io/apimachinery@v0.36.2
go get k8s.io/client-go@v0.36.2
go get k8s.io/component-base@v0.36.2
go get k8s.io/kubernetes@v1.36.2
go get sigs.k8s.io/controller-runtime@v0.24.1
go get k8s.io/klog
go get k8s.io/klog/v2
go get k8s.io/kube-openapi
go get k8s.io/utils
go get sigs.k8s.io/json
go get sigs.k8s.io/structured-merge-diff/v4
go get sigs.k8s.io/yaml
go mod tidy

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
./Dockerfile
./Dockerfile.daemon
./Dockerfile.openshift
./Makefile
Dockerfile.openshift
Makefile
Makefile

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Adapt to controller-runtime generic webhook API: NewWebhookManagedBy now
takes the object as a second argument and Validator is generic, removing
the need for runtime.Object type assertions.

Fix vet error for IntOrString %q format by calling .String() explicitly.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Fixes applied by k8s-rebase-autofix.sh for known breakage
patterns. See docs/k8s-rebase-patterns.md for details.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
The flag was removed in golangci-lint v2 and would cause
"unknown flag" errors in the containerized lint path.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
- Replace deprecated io/ioutil with os equivalents
- Deduplicate imports across multiple files
- Remove unused append result (SA4010)
- Remove unnecessary fmt.Sprintf (S1039)
- Simplify embedded field selectors (QF1008)
- Apply De Morgan's law (QF1001)
- Convert if-else chains to tagged switches (QF1003)
- Lowercase error strings (ST1005)
- Add nolint directives for kubebuilder scaffold and ginkgo conventions

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
- More QF1008 embedded field simplifications for BpfMaps
- Lowercase error strings (ST1005)
- Add nolint directive for gomega dot import

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Configure errcheck exclusions for common patterns (fmt.Fprint*,
Close methods) that are standard in Go test and logging code.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Signed-off-by: Daniel Farrell <dfarrell@redhat.com>

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
Dockerfile.daemon (1)

7-10: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Run the runtime image as a non-root user.

The final image does not set USER, so it runs as root by default. Add a dedicated non-root user/group and switch to it before CMD.

As per coding guidelines: “USER non-root; never run as root.”

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.daemon` around lines 7 - 10, The Dockerfile runs the daemon as
root by default because no USER instruction is set. Before the CMD instruction
that executes /usr/bin/daemon, add a RUN command to create a dedicated non-root
user and group, then add a USER instruction to switch to that non-root user.
This ensures the container runs with minimal privileges as per security
guidelines.

Sources: Coding guidelines, Linters/SAST tools

test/e2e/k8sreporter/reporter.go (1)

149-153: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Redact sensitive values before persisting pod logs to artifacts.

This path writes raw container logs directly to disk, which can leak tokens, credentials, and PII in CI artifacts.

Suggested hardening
-			logs, err := r.clients.Pods(pod.Namespace).GetLogs(pod.Name, &corev1.PodLogOptions{Container: container.Name}).DoRaw(context.Background())
+			logs, err := r.clients.Pods(pod.Namespace).GetLogs(
+				pod.Name,
+				&corev1.PodLogOptions{Container: container.Name},
+			).DoRaw(context.Background())
 			if err == nil {
 				fmt.Fprintf(f, "-----------------------------------\n")
 				fmt.Fprintf(f, "Dumping logs for pod %s-%s-%s\n", pod.Namespace, pod.Name, container.Name)
-				fmt.Fprintln(f, string(logs))
+				fmt.Fprintln(f, redactSensitive(string(logs)))
 			}
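
Review bot: `redactSensitive` on the added `fmt.Fprintln` line is not defined anywhere in this suggestion, so the patch does not compile as posted; it needs the helper added alongside it, with the patterns it masks spelled out so the redaction can be reviewed and tested. The first `-`/`+` pair only re-wraps the `GetLogs` call and is unrelated to the hardening, so it can be dropped from the change. Separately, the unchanged `if err == nil` branch skips a container whose logs could not be fetched without recording the error, which leaves no trace in the artifact that logs are missing.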

As per coding guidelines, “Flag logging that may expose sensitive data: passwords, tokens, API keys, PII (email, SSN, credit card), session IDs, internal hostnames, or customer data”.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/k8sreporter/reporter.go` around lines 149 - 153, The raw pod logs
retrieved from the GetLogs method call are being written directly to the file
without redacting sensitive information like tokens, credentials, API keys, and
PII. Before writing the logs to the file using fmt.Fprintf and fmt.Fprintln,
implement a redaction mechanism that filters out or masks sensitive patterns
(such as authentication tokens, API keys, passwords, email addresses, and other
PII) from the logs variable. This will prevent accidental exposure of sensitive
data in CI artifacts.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile.openshift`:
- Line 2: The Dockerfile uses non-compliant base images from
registry.ci.openshift.org which violate the coding guidelines requiring UBI
minimal or distroless images from catalog.redhat.com. Replace the FROM statement
in the builder stage with an approved UBI-based golang image from
catalog.redhat.com that provides the necessary Go toolchain, and replace the
FROM statement on line 21 (the runtime stage) with an approved UBI minimal or
distroless image from catalog.redhat.com to ensure both stages comply with the
policy.

In `@pkg/ebpf/ingress_node_firewall_loader.go`:
- Around line 136-156: The sequential map loading in the BPFManager mode block
(loading IngressNodeFirewallEventsMap, IngressNodeFirewallStatisticsMap,
IngressNodeFirewallTableMap, and IngressNodeFirewallDbgMap) does not properly
clean up maps that were successfully loaded before a failure occurs. When any
ebpf.LoadPinnedMap call fails after previous maps have been loaded, the function
returns immediately without closing those previously loaded maps, causing file
descriptor leaks. Modify the error handling to track which maps have been
successfully loaded and ensure they are closed (by calling their Close method)
before returning the error when a subsequent LoadPinnedMap call fails.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: fca020bb-2429-48fe-b629-eb49f695d404

📥 Commits

Reviewing files that changed from the base of the PR and between 4c54595 and 6d61cdf.

⛔ Files ignored due to path filters (273)
  • vendor/github.com/go-openapi/swag/jsonname_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/ifaces.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/registry_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/registry.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/adapter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/lexer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/ordered_map.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/pool.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/register.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/writer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/concat.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/json.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/ordered_map.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading/json.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading/loading.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading/yaml.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/BENCHMARK.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/initialism_index.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/name_lexem.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/name_mangler.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/pools.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/split.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/string_bytes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/name_lexem.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/net.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/netutils/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/netutils/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/netutils/net.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/netutils_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/path.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/split.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/string_bytes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/stringutils/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/stringutils/collection_formats.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/stringutils/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/stringutils/strings.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/stringutils_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/typeutils/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/typeutils/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/typeutils/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/typeutils_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/yaml.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils/ordered_map.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils/yaml.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/AUTHORS is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/CONTRIBUTORS is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/clone.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/custom_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/deprecated.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/discard.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/duration.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/duration_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/encode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/encode_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/equal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/extensions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/extensions_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/lib.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/lib_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/message_set.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/pointer_reflect.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/pointer_reflect_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/pointer_unsafe.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/pointer_unsafe_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/properties.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/properties_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/skip_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_marshal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_marshal_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_merge.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_unmarshal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_unmarshal_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/text.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/text_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/text_parser.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/timestamp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/timestamp_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/wrappers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/wrappers_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/sortkeys/sortkeys.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/AUTHORS is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/CONTRIBUTORS is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/buffer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/defaults.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/deprecated.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/discard.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/extensions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/properties.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/proto.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/registry.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/text_decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/text_encode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/wire.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/wrappers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/any.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/any/any.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/duration.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/duration/duration.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/timestamp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/timestamp/timestamp.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/google/btree/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/btree/btree.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/btree/btree_generic.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/compiler/context.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/compiler/extensions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/compiler/helpers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/compiler/reader.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/extensions/extension.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/extensions/extensions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/jsonschema/models.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/jsonschema/reader.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/jsonschema/writer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv2/OpenAPIv2.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv2/OpenAPIv2.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv2/document.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv3/OpenAPIv3.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv3/OpenAPIv3.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv3/annotations.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv3/annotations.proto is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gnostic-models/openapiv3/document.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gofuzz/.travis.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gofuzz/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gofuzz/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gofuzz/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/gofuzz/fuzz.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/client.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/compression.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/conn.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/proxy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/server.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/tls_handshake.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/tls_handshake_116.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gorilla/websocket/x_net_proxy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/josharian/intern/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/josharian/intern/intern.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/josharian/intern/license.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/buffer/pool.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jlexer/bytestostr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jlexer/bytestostr_nounsafe.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jlexer/error.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jlexer/lexer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jwriter/writer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/NOTICE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/connection.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/spdy/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/spdy/PATENTS is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/spdy/dictionary.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/spdy/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/spdy/read.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/moby/spdystream/spdy/types.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (27)
  • .golangci.yml
  • Dockerfile
  • Dockerfile.daemon
  • Dockerfile.openshift
  • Makefile
  • api/v1alpha1/groupversion_info.go
  • controllers/ingressnodefirewall_controller.go
  • controllers/ingressnodefirewallconfig_controller.go
  • controllers/ingressnodefirewallnodestate_controller.go
  • go.mod
  • hack/kind-cluster.sh
  • hack/lint.sh
  • pkg/bpf-mgr/lib-bpfman.go
  • pkg/ebpf/ingress_node_firewall_events.go
  • pkg/ebpf/ingress_node_firewall_loader.go
  • pkg/ebpfsyncer/ebpfsyncer.go
  • pkg/ebpfsyncer/ebpfsyncer_test.go
  • pkg/render/render.go
  • pkg/utils/utils.go
  • pkg/webhook/webhook.go
  • pkg/webhook/webhook_suite_test.go
  • test/e2e/events/events.go
  • test/e2e/functional/tests/e2e.go
  • test/e2e/ingress-node-firewall/ingress-node-firewall.go
  • test/e2e/k8sreporter/reporter.go
  • test/e2e/namespaces/namespaces.go
  • test/e2e/validation/tests/validation.go
✅ Files skipped from review due to trivial changes (10)
  • test/e2e/validation/tests/validation.go
  • test/e2e/ingress-node-firewall/ingress-node-firewall.go
  • pkg/ebpf/ingress_node_firewall_events.go
  • controllers/ingressnodefirewallnodestate_controller.go
  • test/e2e/events/events.go
  • test/e2e/functional/tests/e2e.go
  • hack/kind-cluster.sh
  • api/v1alpha1/groupversion_info.go
  • Dockerfile
  • test/e2e/namespaces/namespaces.go
🚧 Files skipped from review as they are similar to previous changes (5)
  • pkg/render/render.go
  • pkg/webhook/webhook.go
  • controllers/ingressnodefirewall_controller.go
  • Makefile
  • go.mod

Comment thread Dockerfile.openshift
@@ -1,5 +1,5 @@
# Build the manager binary
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder
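Review bot: the replacement builder line changes two things at once, the Go toolchain (golang-1.25 to golang-1.26) and the OpenShift stream (openshift-4.22 to openshift-5.0), and it is still referenced by a mutable tag. Only the builder stage is visible in this hunk, so confirm that the runtime-stage FROM further down the file moves to the same openshift-5.0 stream. Otherwise the binary is built against one release and shipped on another. Also confirm that the go directive in go.mod agrees with the 1.26 toolchain.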

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Use policy-compliant base images for both stages.

Line 2 and Line 21 use registry.ci.openshift.org/... images, but the repo guideline requires UBI minimal or distroless images from catalog.redhat.com. Please switch both FROM images to approved bases before merge.

As per coding guidelines, "**/{Dockerfile,Containerfile}*: Base image: UBI minimal or distroless from catalog.redhat.com".

Also applies to: 21-21

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.openshift` at line 2, The Dockerfile uses non-compliant base
images from registry.ci.openshift.org which violate the coding guidelines
requiring UBI minimal or distroless images from catalog.redhat.com. Replace the
FROM statement in the builder stage with an approved UBI-based golang image from
catalog.redhat.com that provides the necessary Go toolchain, and replace the
FROM statement on line 21 (the runtime stage) with an approved UBI minimal or
distroless image from catalog.redhat.com to ensure both stages comply with the
policy.

Source: Coding guidelines

Comment on lines 136 to 156
klog.Info("BPFManager mode: loading ingress firewall pinned maps")
mPath := path.Join(pinDir, "ingress_node_firewall_events_map")
infc.objs.BpfMaps.IngressNodeFirewallEventsMap, err = ebpf.LoadPinnedMap(mPath, opts)
infc.objs.IngressNodeFirewallEventsMap, err = ebpf.LoadPinnedMap(mPath, opts)
if err != nil {
return nil, fmt.Errorf("failed to load %s: %w", mPath, err)
}
mPath = path.Join(pinDir, "ingress_node_firewall_statistics_map")
infc.objs.BpfMaps.IngressNodeFirewallStatisticsMap, err = ebpf.LoadPinnedMap(mPath, opts)
infc.objs.IngressNodeFirewallStatisticsMap, err = ebpf.LoadPinnedMap(mPath, opts)
if err != nil {
return nil, fmt.Errorf("failed to load %s: %w", mPath, err)
}
mPath = path.Join(pinDir, "ingress_node_firewall_table_map")
infc.objs.BpfMaps.IngressNodeFirewallTableMap, err = ebpf.LoadPinnedMap(mPath, opts)
infc.objs.IngressNodeFirewallTableMap, err = ebpf.LoadPinnedMap(mPath, opts)
if err != nil {
return nil, fmt.Errorf("failed to load %s: %w", mPath, err)
}
mPath = path.Join(pinDir, "ingress_node_firewall_dbg_map")
infc.objs.BpfMaps.IngressNodeFirewallDbgMap, err = ebpf.LoadPinnedMap(mPath, opts)
infc.objs.IngressNodeFirewallDbgMap, err = ebpf.LoadPinnedMap(mPath, opts)
if err != nil {
return nil, fmt.Errorf("failed to load %s: %w", mPath, err)
}
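Review bot: the four load blocks (events, statistics, table, dbg) are copies of the same three steps: build mPath, call ebpf.LoadPinnedMap, wrap the error. The rename from infc.objs.BpfMaps.* to infc.objs.* had to be repeated in each one. Consider a small table of pin name and destination pointer iterated in one loop. A later field rename or a new map then touches one place, and the error path is written once instead of four times.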

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cd /tmp && git ls-files | grep -E "ingress_node_firewall_loader\.go"

Repository: openshift/ingress-node-firewall

Length of output: 144


🏁 Script executed:

cat -n pkg/ebpf/ingress_node_firewall_loader.go | sed -n '130,160p'

Repository: openshift/ingress-node-firewall

Length of output: 1582


🏁 Script executed:

# Check if ebpf.LoadPinnedMap returns a map that needs explicit Close()
# and understand the type signature
cat -n pkg/ebpf/ingress_node_firewall_loader.go | sed -n '1,50p'

Repository: openshift/ingress-node-firewall

Length of output: 1973


🏁 Script executed:

# Look for cleanup patterns and defer statements in the function
cat -n pkg/ebpf/ingress_node_firewall_loader.go | sed -n '100,200p'

Repository: openshift/ingress-node-firewall

Length of output: 4583


🏁 Script executed:

# Check the full function to see if there's cleanup on error paths
grep -n "func.*LoadIngress\|func.*BPFManager" pkg/ebpf/ingress_node_firewall_loader.go

Repository: openshift/ingress-node-firewall

Length of output: 57


🏁 Script executed:

# Search for Close() calls on maps in the codebase to understand cleanup patterns
rg -n "\.Close\(\)" pkg/ebpf/ingress_node_firewall_loader.go

Repository: openshift/ingress-node-firewall

Length of output: 161


🏁 Script executed:

# Check if there's a Close or Cleanup method on IngNodeFwController
rg -n "func.*IngNodeFwController.*Close\|func.*IngNodeFwController.*Cleanup" pkg/ebpf/ingress_node_firewall_loader.go

Repository: openshift/ingress-node-firewall

Length of output: 57


🏁 Script executed:

# Look at the full context of the function to see if there's any defer or error cleanup
cat -n pkg/ebpf/ingress_node_firewall_loader.go | sed -n '70,175p'

Repository: openshift/ingress-node-firewall

Length of output: 4189


🏁 Script executed:

# Check what happens to infc when it's returned and what the caller does with it
rg -n "LoadIngress\|NewIngNodeFwController" pkg/ebpf/ -A 3

Repository: openshift/ingress-node-firewall

Length of output: 57


🏁 Script executed:

# Search for any cleanup or deallocation of BpfObjects in the codebase
rg -n "objs\." pkg/ebpf/ingress_node_firewall_loader.go | grep -i "close\|cleanup\|dealloc" || echo "No cleanup patterns found in query"

Repository: openshift/ingress-node-firewall

Length of output: 168


🏁 Script executed:

# Check the BpfObjects structure to understand what maps it contains
rg -n "type BpfObjects struct" pkg/ebpf/ -A 20

Repository: openshift/ingress-node-firewall

Length of output: 5459


🏁 Script executed:

# Verify if maps need explicit Close() - check how cilium/ebpf LoadPinnedMap works
# by looking at how other maps are closed in the codebase
rg -n "LoadPinnedMap\|ebpf\.Load" pkg/ebpf/ingress_node_firewall_loader.go -B 2 -A 5

Repository: openshift/ingress-node-firewall

Length of output: 57


🏁 Script executed:

# Check the cleaneBPFObjs function to see what it does with maps
cat -n pkg/ebpf/ingress_node_firewall_loader.go | sed -n '418,430p'

Repository: openshift/ingress-node-firewall

Length of output: 571


🏁 Script executed:

# Check if _BpfClose closes all maps in the BpfMaps struct
rg -n "_BpfClose" pkg/ebpf/bpf_x86_bpfel.go -A 10 | head -20

Repository: openshift/ingress-node-firewall

Length of output: 630


🏁 Script executed:

# Verify: when infc is discarded (not returned), will the maps be garbage collected properly?
# Check how ebpf.Map cleanup works - look for any finalize/cleanup patterns
rg -n "runtime\.SetFinalizer\|finalize" pkg/ebpf/

Repository: openshift/ingress-node-firewall

Length of output: 57


🌐 Web query:

cilium ebpf package Map Close finalizer garbage collection

💡 Result:

In the cilium/ebpf library, the Map and Program objects are designed to automatically manage their underlying file descriptors through Go's garbage collector [1]. When a Map or Program object becomes unreachable, the Go runtime executes a finalizer that closes the underlying file descriptor, which helps prevent resource leaks [1]. While this automatic cleanup exists, it is considered a secondary safety mechanism rather than a primary lifecycle management tool [1]. Reliance on garbage collection for resource cleanup can be problematic, particularly with map types like Program Arrays that are sensitive to the timing of file descriptor closure [1].

The best practice for managing Map and Program objects in cilium/ebpf is as follows:

1. Explicit Lifecycle Management: Always close Maps and Programs explicitly using the Close method when they are no longer needed [1][2]. Using patterns like defer m.Close() is standard practice to ensure resources are released immediately when the enclosing scope exits, rather than waiting for the garbage collector [1][3].
2. Ownership: Only the component that originally created or owns the map should manage its lifecycle (i.e., call Close) [4][5]. If a component merely accesses a map shared by others, it should not close the map, as this can lead to concurrency bugs and unexpected behavior in other parts of the application [4][5].
3. Documentation: The library documentation highlights the importance of retaining references to Map objects for as long as they are needed, especially in long-running applications, to prevent premature garbage collection and subsequent closure of the file descriptors [1].

In complex scenarios, such as loading collections, the library internally manages finalization passes (e.g., separating 'scalar' map finalization from maps that hold references to programs or other maps) to ensure proper loading order and dependency resolution [6][7].

Citations:


🏁 Script executed:

# Check if there's a defer infc.cleaneBPFObjs() or similar cleanup pattern used
# after NewIngNodeFwController is called
rg -n "NewIngNodeFwController\|cleaneBPFObjs" pkg/ cmd/ -B 2 -A 5

Repository: openshift/ingress-node-firewall

Length of output: 57


🏁 Script executed:

# Search for where the IngNodeFwController is instantiated or used
rg -n "IngNodeFwController" . --type go | head -30

Repository: openshift/ingress-node-firewall

Length of output: 2886


🏁 Script executed:

# Look for the function signature that contains lines 136-156
cat -n pkg/ebpf/ingress_node_firewall_loader.go | sed -n '50,75p'

Repository: openshift/ingress-node-firewall

Length of output: 1327


🏁 Script executed:

# Check the Close() method and the flow of map lifecycle in bpfman mode
cat -n pkg/ebpf/ingress_node_firewall_loader.go | sed -n '376,390p'

Repository: openshift/ingress-node-firewall

Length of output: 595


🏁 Script executed:

# Verify: in bpfman mode, are the objs populated before LoadPinnedMap?
# Check what happens to infc if an error occurs at line 140, 145, 150, or 155
cat -n pkg/ebpf/ingress_node_firewall_loader.go | sed -n '120,175p'

Repository: openshift/ingress-node-firewall

Length of output: 2301


Close already-opened pinned maps on partial load failure.

Lines 138–156 load maps sequentially, but if a later ebpf.LoadPinnedMap call fails, the function returns immediately without closing maps loaded in earlier iterations. This leaks map file descriptors during repeated initialization or reconciliation retries. Although cilium/ebpf's finalizers provide secondary cleanup via garbage collection, relying on them for resource management violates best practices and can cause resource exhaustion.

Proposed fix
 		klog.Info("BPFManager mode: loading ingress firewall pinned maps")
+		loadedMaps := make([]*ebpf.Map, 0, 4)
+		cleanupLoadedMaps := func() {
+			for _, m := range loadedMaps {
+				if m != nil {
+					_ = m.Close()
+				}
+			}
+		}
 		mPath := path.Join(pinDir, "ingress_node_firewall_events_map")
 		infc.objs.IngressNodeFirewallEventsMap, err = ebpf.LoadPinnedMap(mPath, opts)
 		if err != nil {
 			return nil, fmt.Errorf("failed to load %s: %w", mPath, err)
 		}
+		loadedMaps = append(loadedMaps, infc.objs.IngressNodeFirewallEventsMap)
 		mPath = path.Join(pinDir, "ingress_node_firewall_statistics_map")
 		infc.objs.IngressNodeFirewallStatisticsMap, err = ebpf.LoadPinnedMap(mPath, opts)
 		if err != nil {
+			cleanupLoadedMaps()
 			return nil, fmt.Errorf("failed to load %s: %w", mPath, err)
 		}
+		loadedMaps = append(loadedMaps, infc.objs.IngressNodeFirewallStatisticsMap)
 		mPath = path.Join(pinDir, "ingress_node_firewall_table_map")
 		infc.objs.IngressNodeFirewallTableMap, err = ebpf.LoadPinnedMap(mPath, opts)
 		if err != nil {
+			cleanupLoadedMaps()
 			return nil, fmt.Errorf("failed to load %s: %w", mPath, err)
 		}
+		loadedMaps = append(loadedMaps, infc.objs.IngressNodeFirewallTableMap)
 		mPath = path.Join(pinDir, "ingress_node_firewall_dbg_map")
 		infc.objs.IngressNodeFirewallDbgMap, err = ebpf.LoadPinnedMap(mPath, opts)
 		if err != nil {
+			cleanupLoadedMaps()
 			return nil, fmt.Errorf("failed to load %s: %w", mPath, err)
 		}
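Review bot: cleanupLoadedMaps() is called by hand in three error branches, and IngressNodeFirewallDbgMap is never appended to loadedMaps, so an error return added after these four loads would need its own cleanup call and would still miss the dbg map. Consider registering the cleanup once with defer, gated on the returned error, so every exit path after the first successful LoadPinnedMap is covered. The `if m != nil` guard is redundant, since a map is appended only after its LoadPinnedMap call returned without error.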
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/ebpf/ingress_node_firewall_loader.go` around lines 136 - 156, The
sequential map loading in the BPFManager mode block (loading
IngressNodeFirewallEventsMap, IngressNodeFirewallStatisticsMap,
IngressNodeFirewallTableMap, and IngressNodeFirewallDbgMap) does not properly
clean up maps that were successfully loaded before a failure occurs. When any
ebpf.LoadPinnedMap call fails after previous maps have been loaded, the function
returns immediately without closing those previously loaded maps, causing file
descriptor leaks. Modify the error handling to track which maps have been
successfully loaded and ensure they are closed (by calling their Close method)
before returning the error when a subsequent LoadPinnedMap call fails.
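The all-or-nothing loading that this finding asks for, as an added stand-alone example that is not code from the PR or the repository: a deferred cleanup closes every map opened so far whenever the function returns an error. `fakeMap`, `loadAll` and `simulate` are hypothetical names, and the injected `load` function stands in for `ebpf.LoadPinnedMap` so the example runs without a kernel or pinned maps.

```go
package main

import (
	"fmt"
	"io"
	"path"
)

// Map names as they appear in the proposed fix above.
var mapNames = []string{"ingress_node_firewall_events_map", "ingress_node_firewall_statistics_map",
	"ingress_node_firewall_table_map", "ingress_node_firewall_dbg_map"}

// fakeMap is a constructed stand-in for *ebpf.Map; Close bumps a shared counter.
type fakeMap struct{ closes *int }
func (m *fakeMap) Close() error { *m.closes++; return nil }

// loadAll opens every pinned map or none; cleanup runs on any error return.
func loadAll(pinDir string, load func(string) (io.Closer, error)) (maps []io.Closer, err error) {
	defer func() {
		if err != nil {
			for _, m := range maps {
				_ = m.Close()
			}
			maps = nil
		}
	}()
	for _, n := range mapNames {
		p := path.Join(pinDir, n)
		m, lerr := load(p)
		if lerr != nil {
			return maps, fmt.Errorf("failed to load %s: %w", p, lerr)
		}
		maps = append(maps, m)
	}
	return maps, nil
}

// simulate fails the load of failOn and reports maps opened and closed.
func simulate(failOn string) (opened, closed int, err error) {
	_, err = loadAll("/constructed/pin/dir", func(p string) (io.Closer, error) {
		if path.Base(p) == failOn {
			return nil, fmt.Errorf("constructed failure")
		}
		opened++
		return &fakeMap{closes: &closed}, nil
	})
	return opened, closed, err
}

func main() { fmt.Println(simulate("ingress_node_firewall_table_map")) }
```
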

@openshift-ci

openshift-ci Bot commented Jun 17, 2026


@dfarrell07: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/ingress-node-firewall-e2e-metal-ipi | 6d61cdf | link | true | /test ingress-node-firewall-e2e-metal-ipi |

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
