Skip to content

Rebase rebase 5.0 5.0.0 0.nightly 2026 07 05 172708 amd64 2026 07 05 arm64 2026 07 06#6992

Draft
pacevedom wants to merge 6 commits into
openshift:mainfrom
pacevedom:rebase-rebase-5.0-5.0.0-0.nightly-2026-07-05-172708_amd64-2026-07-05_arm64-2026-07-06
Draft

Rebase rebase 5.0 5.0.0 0.nightly 2026 07 05 172708 amd64 2026 07 05 arm64 2026 07 06#6992
pacevedom wants to merge 6 commits into
openshift:mainfrom
pacevedom:rebase-rebase-5.0-5.0.0-0.nightly-2026-07-05-172708_amd64-2026-07-05_arm64-2026-07-06

Conversation

@pacevedom

@pacevedom pacevedom commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Summary by CodeRabbit

  • New Features
    • Added optional mutual TLS client CA support in the router template.
    • Added optional HTTP access logging and error-page mounting support in the router template.
  • Improvements
    • Updated router container initialization, HAProxy health checks, and filesystem/mount behavior to improve reliability.
  • Chores
    • Bumped nightly release metadata and refreshed pinned image digests across supported architectures.
    • Regenerated auto-rebase changelog and commit pinning records.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 6, 2026
@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@pacevedom

Copy link
Copy Markdown
Contributor Author

/test ?

@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pacevedom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 6, 2026
@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Walkthrough

This PR advances nightly version pins, regenerates auto-rebase metadata, and updates the OpenShift router deployment plus manifest patches for HAProxy, mTLS, and access logging.

Changes

Nightly rebase and release pins

Layer / File(s) Summary
Nightly pins and release digests
Makefile.version.aarch64.var, Makefile.version.x86_64.var, assets/components/multus/*, assets/optional/operator-lifecycle-manager/*, assets/release/*, scripts/auto-rebase/last_rebase.sh
OCP_VERSION, release.base values, and selected image digests are updated to newer nightly builds across release and component artifacts.
Auto-rebase metadata refresh
scripts/auto-rebase/changelog.txt, scripts/auto-rebase/commits.txt
Rebase tracking files are regenerated with updated component revision ranges, commit lists, and pinned hashes.

Router deployment and manifest patches

Layer / File(s) Summary
Router deployment and template patches
assets/components/openshift-router/deployment.yaml, scripts/auto-rebase/manifests_patches/*, scripts/auto-rebase/rebase.sh
The router deployment adds HAProxy-sidecar wiring, service-account and volume changes, and conditional mTLS and access-logging template support; rebase.sh also sets init container images.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Possibly related PRs

Suggested reviewers: copejon, kasturinarra

🚥 Pre-merge checks | ✅ 5 | ❌ 10

❌ Failed checks (10 inconclusive)

Check name Status Explanation Resolution
Stable And Deterministic Test Names ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Test Structure And Quality ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Microshift Test Compatibility ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Single Node Openshift (Sno) Test Compatibility ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Topology-Aware Scheduling Compatibility ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Ote Binary Stdout Contract ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Ipv6 And Disconnected Network Test Compatibility ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No-Weak-Crypto ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Container-Privileges ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No-Sensitive-Data-In-Logs ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is related to the main change, indicating a rebase to newer nightly builds for amd64 and arm64.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@pacevedom

Copy link
Copy Markdown
Contributor Author

/test e2e-aws-tests-cache
/test ocp-full-conformance-rhel-eus

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
scripts/auto-rebase/manifests_patches/011-ingress-deployment-access-logging.patch (2)

97-118: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Harden the new logs sidecar before enabling it.

This sidecar is long-lived but has no securityContext, limits, liveness probe, or readiness probe. Add those to the patch so regenerated manifests stay compliant.

As per path instructions, Kubernetes manifests require hardened securityContext fields, resource limits on every container, and liveness + readiness probes.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@scripts/auto-rebase/manifests_patches/011-ingress-deployment-access-logging.patch`
around lines 97 - 118, The new `logs` sidecar in the ingress deployment patch
needs hardening before it can be enabled. Update the sidecar definition added
under the `AccessLoggingEnabled`/`AccessLoggingSyslogAddress` condition to
include a `securityContext`, resource limits in addition to requests, and both
liveness and readiness probes so the generated manifest stays compliant. Use the
existing `logs` container block as the place to add these required fields.

Source: Path instructions


97-102: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Remove the duplicate imagePullPolicy key.

The logs container declares imagePullPolicy twice, which can break strict YAML tooling or make the manifest ambiguous.

Proposed fix
         - name: logs
           imagePullPolicy: IfNotPresent
           terminationMessagePolicy: FallbackToLogsOnError
           image: '{{ .ReleaseImage.haproxy_router }}'
-          imagePullPolicy: IfNotPresent
           command:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@scripts/auto-rebase/manifests_patches/011-ingress-deployment-access-logging.patch`
around lines 97 - 102, The logs container in the ingress deployment patch
declares imagePullPolicy twice, which can make the manifest ambiguous and break
strict YAML validation. Update the logs container block under the
AccessLoggingEnabled condition to keep only one imagePullPolicy entry, and
verify the container spec in the ingress deployment patch remains valid after
removing the duplicate.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@assets/components/openshift-router/deployment.yaml`:
- Around line 23-30: The changed container specs are missing required hardening
and resource limits, especially the init-router initContainer and the
HAProxy/router blocks. Update the rebase source for the init-router and related
container definitions to include full securityContext settings (runAsNonRoot,
readOnlyRootFilesystem, allowPrivilegeEscalation: false, and dropping ALL
capabilities) plus CPU/memory limits for each container, then regenerate the
asset so the manifest reflects the hardened configuration.
- Around line 34-37: The container securityContext in the router deployment is
enabling privilege escalation, which conflicts with the restricted router pod
requirements. Update the securityContext for the HAProxy/router container to set
allowPrivilegeEscalation to false, and keep the existing readOnlyRootFilesystem
hardening in place. Use the securityContext block in the deployment manifest to
locate the change and ensure any exception would require an explicit SCC
justification elsewhere, not in this manifest.

In `@scripts/auto-rebase/last_rebase.sh`:
- Around line 1-2: The rebase launcher script is passing an extra literal
argument to rebase.sh and uses the wrong shell boilerplate. Update
last_rebase.sh so the invocation matches the intended argv shape by removing the
stray to token, and change the script header and safety settings to the required
bash form with set -euo pipefail. Keep the fix localized to the script
entrypoint so the rebase.sh call and shell setup are both corrected.

---

Outside diff comments:
In
`@scripts/auto-rebase/manifests_patches/011-ingress-deployment-access-logging.patch`:
- Around line 97-118: The new `logs` sidecar in the ingress deployment patch
needs hardening before it can be enabled. Update the sidecar definition added
under the `AccessLoggingEnabled`/`AccessLoggingSyslogAddress` condition to
include a `securityContext`, resource limits in addition to requests, and both
liveness and readiness probes so the generated manifest stays compliant. Use the
existing `logs` container block as the place to add these required fields.
- Around line 97-102: The logs container in the ingress deployment patch
declares imagePullPolicy twice, which can make the manifest ambiguous and break
strict YAML validation. Update the logs container block under the
AccessLoggingEnabled condition to keep only one imagePullPolicy entry, and
verify the container spec in the ingress deployment patch remains valid after
removing the duplicate.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8a44bad4-50bb-45a8-8e41-f7058828c852

📥 Commits

Reviewing files that changed from the base of the PR and between 45630c7 and 8c653c5.

⛔ Files ignored due to path filters (2)
  • etcd/vendor/github.com/openshift/microshift/pkg/config/config.go is excluded by !**/vendor/**
  • etcd/vendor/github.com/openshift/microshift/pkg/config/ingress.go is excluded by !**/vendor/**
📒 Files selected for processing (16)
  • Makefile.version.aarch64.var
  • Makefile.version.x86_64.var
  • assets/components/multus/release-multus-aarch64.json
  • assets/components/multus/release-multus-x86_64.json
  • assets/components/openshift-router/deployment.yaml
  • assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml
  • assets/optional/operator-lifecycle-manager/release-olm-aarch64.json
  • assets/optional/operator-lifecycle-manager/release-olm-x86_64.json
  • assets/release/release-aarch64.json
  • assets/release/release-x86_64.json
  • scripts/auto-rebase/changelog.txt
  • scripts/auto-rebase/commits.txt
  • scripts/auto-rebase/last_rebase.sh
  • scripts/auto-rebase/manifests_patches/010-ingress-deployment-clientCA.patch
  • scripts/auto-rebase/manifests_patches/011-ingress-deployment-access-logging.patch
  • scripts/auto-rebase/rebase.sh

Comment on lines +23 to +30
- name: init-router
imagePullPolicy: IfNotPresent
terminationMessagePolicy: FallbackToLogsOnError
command: ["/bin/bash", "-c", "cp -R -p /var/lib/haproxy/* /mnt/config/"]
volumeMounts:
- mountPath: /mnt/config
name: haproxy-config
image: '{{ .ReleaseImage.haproxy_router }}'

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Complete securityContext and resource limits for changed containers.

init-router has no securityContext/resources, and the changed HAProxy/router blocks only set partial hardening and requests. Add the required non-root/no-escalation/drop-capabilities settings and CPU/memory limits in the rebase source, then regenerate the asset.

As per path instructions, Kubernetes manifests require runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation: false, dropping ALL capabilities, and resource limits on every container.

Also applies to: 65-68, 92-93, 253-256

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@assets/components/openshift-router/deployment.yaml` around lines 23 - 30, The
changed container specs are missing required hardening and resource limits,
especially the init-router initContainer and the HAProxy/router blocks. Update
the rebase source for the init-router and related container definitions to
include full securityContext settings (runAsNonRoot, readOnlyRootFilesystem,
allowPrivilegeEscalation: false, and dropping ALL capabilities) plus CPU/memory
limits for each container, then regenerate the asset so the manifest reflects
the hardened configuration.

Source: Path instructions

Comment on lines 34 to +37
securityContext:
# See https://bugzilla.redhat.com/2007246
allowPrivilegeEscalation: true
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Do not enable privilege escalation in the restricted router pod.

allowPrivilegeEscalation: true conflicts with the restricted SCC annotation and the manifest hardening rules. If HAProxy truly requires this, use a narrowly scoped justification/SCC change; otherwise set it to false.

Proposed fix
-            allowPrivilegeEscalation: true
+            allowPrivilegeEscalation: false

As per coding guidelines, container manifests must flag allowPrivilegeEscalation: true; as per path instructions, Kubernetes manifests should use allowPrivilegeEscalation: false.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
securityContext:
# See https://bugzilla.redhat.com/2007246
allowPrivilegeEscalation: true
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
securityContext:
# See https://bugzilla.redhat.com/2007246
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@assets/components/openshift-router/deployment.yaml` around lines 34 - 37, The
container securityContext in the router deployment is enabling privilege
escalation, which conflicts with the restricted router pod requirements. Update
the securityContext for the HAProxy/router container to set
allowPrivilegeEscalation to false, and keep the existing readOnlyRootFilesystem
hardening in place. Use the securityContext block in the deployment manifest to
locate the change and ensure any exception would require an explicit SCC
justification elsewhere, not in this manifest.

Sources: Coding guidelines, Path instructions

Comment on lines 1 to +2
#!/bin/bash -x
./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release-5:5.0.0-0.nightly-2026-07-01-125918" "registry.ci.openshift.org/ocp-arm64/release-5-arm64:5.0.0-0.nightly-arm64-2026-07-02-035219"
./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release-5:5.0.0-0.nightly-2026-07-05-172708" "registry.ci.openshift.org/ocp-arm64/release-5-arm64:5.0.0-0.nightly-arm64-2026-07-06-035219"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Fix the rebase invocation and shell boilerplate.

to is being passed as a literal argument, so rebase.sh gets the wrong argv shape. This file also violates the shell-script rule: use #!/usr/bin/bash and set -euo pipefail.

🔧 Proposed fix
-#!/bin/bash -x
-./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release-5:5.0.0-0.nightly-2026-07-05-172708" "registry.ci.openshift.org/ocp-arm64/release-5-arm64:5.0.0-0.nightly-arm64-2026-07-06-035219"
+#!/usr/bin/bash
+set -euo pipefail
+./scripts/auto-rebase/rebase.sh \
+  "registry.ci.openshift.org/ocp/release-5:5.0.0-0.nightly-2026-07-05-172708" \
+  "registry.ci.openshift.org/ocp-arm64/release-5-arm64:5.0.0-0.nightly-arm64-2026-07-06-035219"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
#!/bin/bash -x
./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release-5:5.0.0-0.nightly-2026-07-01-125918" "registry.ci.openshift.org/ocp-arm64/release-5-arm64:5.0.0-0.nightly-arm64-2026-07-02-035219"
./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release-5:5.0.0-0.nightly-2026-07-05-172708" "registry.ci.openshift.org/ocp-arm64/release-5-arm64:5.0.0-0.nightly-arm64-2026-07-06-035219"
#!/usr/bin/bash
set -euo pipefail
./scripts/auto-rebase/rebase.sh \
"registry.ci.openshift.org/ocp/release-5:5.0.0-0.nightly-2026-07-05-172708" \
"registry.ci.openshift.org/ocp-arm64/release-5-arm64:5.0.0-0.nightly-arm64-2026-07-06-035219"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/auto-rebase/last_rebase.sh` around lines 1 - 2, The rebase launcher
script is passing an extra literal argument to rebase.sh and uses the wrong
shell boilerplate. Update last_rebase.sh so the invocation matches the intended
argv shape by removing the stray to token, and change the script header and
safety settings to the required bash form with set -euo pipefail. Keep the fix
localized to the script entrypoint so the rebase.sh call and shell setup are
both corrected.

Source: Coding guidelines

@pacevedom

Copy link
Copy Markdown
Contributor Author

/test e2e-aws-tests

@pacevedom pacevedom force-pushed the rebase-rebase-5.0-5.0.0-0.nightly-2026-07-05-172708_amd64-2026-07-05_arm64-2026-07-06 branch from 8c653c5 to bbf433c Compare July 6, 2026 16:09
@pacevedom

Copy link
Copy Markdown
Contributor Author

/test ocp-full-conformance-rhel-eus

/test e2e-aws-tests

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
scripts/auto-rebase/manifests_patches/011-ingress-deployment-access-logging.patch (2)

97-119: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Duplicate imagePullPolicy key in logs container.

Line 99 and line 102 both set imagePullPolicy: IfNotPresent in the same container spec.

🐛 Proposed fix
         - name: logs
           imagePullPolicy: IfNotPresent
           terminationMessagePolicy: FallbackToLogsOnError
           image: '{{ .ReleaseImage.haproxy_router }}'
-          imagePullPolicy: IfNotPresent
           command:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@scripts/auto-rebase/manifests_patches/011-ingress-deployment-access-logging.patch`
around lines 97 - 119, The logs container spec in the ingress deployment patch
has a duplicated imagePullPolicy entry, which should be removed so the container
definition is valid. Update the logs container block in the rsyslog sidecar
section to keep only one imagePullPolicy field, and verify the rest of the
container fields in the same template remain unchanged.

97-119: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Add resource limits and securityContext to the new logs sidecar.

The logs container only defines requests (cpu/memory), no limits, and has no securityContext — unlike the router container in the same file, which sets readOnlyRootFilesystem: true. As per path instructions, containers should define resource limits and a hardened securityContext (runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation: false, dropped capabilities).

🔒 Proposed fix
         - name: logs
           imagePullPolicy: IfNotPresent
           terminationMessagePolicy: FallbackToLogsOnError
           image: '{{ .ReleaseImage.haproxy_router }}'
+          securityContext:
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
           command:
             - /sbin/rsyslogd
             - -n
             - -i
             - /tmp/rsyslogd.pid
             - -f
             - /etc/rsyslog/rsyslog.conf
           resources:
             requests:
               cpu: 50m
               memory: 128Mi
+            limits:
+              cpu: 100m
+              memory: 256Mi

As per path instructions, **/*.{yaml,yml} manifests need securityContext: runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation: false, dropped capabilities, and resource limits on every container.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@scripts/auto-rebase/manifests_patches/011-ingress-deployment-access-logging.patch`
around lines 97 - 119, The new logs sidecar added under the AccessLoggingEnabled
block is missing required hardening and resource limits. Update the logs
container in the ingress deployment patch to add CPU/memory limits alongside the
existing requests, and add a securityContext with runAsNonRoot,
readOnlyRootFilesystem, allowPrivilegeEscalation set to false, and dropped
capabilities, matching the hardened pattern used for the router container in the
same manifest.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@assets/components/openshift-router/deployment.yaml`:
- Around line 345-357: The kube-api-access projected volume is using an
owner-read-only default mode that blocks the restricted SCC non-root UID from
reading the projected token and CA cert. Update the projected volume in the
deployment manifest for kube-api-access to use the standard service-account
token permission mode of 420 instead of the current value so token and ca.crt
remain readable without runAsUser or fsGroup.

---

Outside diff comments:
In
`@scripts/auto-rebase/manifests_patches/011-ingress-deployment-access-logging.patch`:
- Around line 97-119: The logs container spec in the ingress deployment patch
has a duplicated imagePullPolicy entry, which should be removed so the container
definition is valid. Update the logs container block in the rsyslog sidecar
section to keep only one imagePullPolicy field, and verify the rest of the
container fields in the same template remain unchanged.
- Around line 97-119: The new logs sidecar added under the AccessLoggingEnabled
block is missing required hardening and resource limits. Update the logs
container in the ingress deployment patch to add CPU/memory limits alongside the
existing requests, and add a securityContext with runAsNonRoot,
readOnlyRootFilesystem, allowPrivilegeEscalation set to false, and dropped
capabilities, matching the hardened pattern used for the router container in the
same manifest.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 21d7a7c6-3978-42f8-aa1b-30b9701eb162

📥 Commits

Reviewing files that changed from the base of the PR and between 8c653c5 and bbf433c.

⛔ Files ignored due to path filters (2)
  • etcd/vendor/github.com/openshift/microshift/pkg/config/config.go is excluded by !**/vendor/**
  • etcd/vendor/github.com/openshift/microshift/pkg/config/ingress.go is excluded by !**/vendor/**
📒 Files selected for processing (16)
  • Makefile.version.aarch64.var
  • Makefile.version.x86_64.var
  • assets/components/multus/release-multus-aarch64.json
  • assets/components/multus/release-multus-x86_64.json
  • assets/components/openshift-router/deployment.yaml
  • assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml
  • assets/optional/operator-lifecycle-manager/release-olm-aarch64.json
  • assets/optional/operator-lifecycle-manager/release-olm-x86_64.json
  • assets/release/release-aarch64.json
  • assets/release/release-x86_64.json
  • scripts/auto-rebase/changelog.txt
  • scripts/auto-rebase/commits.txt
  • scripts/auto-rebase/last_rebase.sh
  • scripts/auto-rebase/manifests_patches/010-ingress-deployment-clientCA.patch
  • scripts/auto-rebase/manifests_patches/011-ingress-deployment-access-logging.patch
  • scripts/auto-rebase/rebase.sh
✅ Files skipped from review due to trivial changes (10)
  • Makefile.version.x86_64.var
  • scripts/auto-rebase/last_rebase.sh
  • assets/components/multus/release-multus-aarch64.json
  • Makefile.version.aarch64.var
  • assets/components/multus/release-multus-x86_64.json
  • assets/optional/operator-lifecycle-manager/release-olm-aarch64.json
  • assets/release/release-aarch64.json
  • assets/optional/operator-lifecycle-manager/release-olm-x86_64.json
  • assets/release/release-x86_64.json
  • scripts/auto-rebase/changelog.txt
🚧 Files skipped from review as they are similar to previous changes (4)
  • scripts/auto-rebase/manifests_patches/010-ingress-deployment-clientCA.patch
  • scripts/auto-rebase/rebase.sh
  • scripts/auto-rebase/commits.txt
  • assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml

Comment on lines +345 to +357
- name: kube-api-access
projected:
defaultMode: 0400
sources:
- serviceAccountToken:
expirationSeconds: 3600
path: token
- configMap:
name: kube-root-ca.crt
items:
- key: ca.crt
path: ca.crt
- downwardAPI:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the relevant manifest section with line numbers.
FILE="assets/components/openshift-router/deployment.yaml"
sed -n '300,410p' "$FILE" | cat -n

# Look for pod/container security context and any user/group settings.
rg -n "securityContext|runAsUser|runAsGroup|fsGroup|supplementalGroups|defaultMode|serviceAccountToken|kube-api-access" "$FILE"

# Find the router container image/user hints elsewhere in the repo.
rg -n "openshift-router|router.*user|runAsNonRoot|runAsUser|fsGroup" assets components pkg docs . -g '!vendor' -g '!deps' -g '!assets/optional/**'

Repository: openshift/microshift

Length of output: 37313


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="assets/components/openshift-router/deployment.yaml"

# Show the pod spec and the router container security context.
sed -n '1,120p' "$FILE" | cat -n

# Show the full volume block around kube-api-access.
sed -n '336,360p' "$FILE" | cat -n

# Show any explicit runAsUser/runAsGroup/fsGroup values in this manifest.
rg -n "runAsUser|runAsGroup|fsGroup|runAsNonRoot|securityContext" "$FILE"

Repository: openshift/microshift

Length of output: 6938


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the restricted SCC used by the router service account.
rg -n "name: restricted|fsGroup:|runAsUser:|supplementalGroups:|required-scc|router" assets/controllers/openshift-default-scc-manager assets/components/openshift-router -g '*.yaml'

# Show the router deployment section around the security context and mounts again.
sed -n '1,130p' assets/components/openshift-router/deployment.yaml | cat -n

# Show the restricted SCC snippet if present.
sed -n '1,120p' assets/controllers/openshift-default-scc-manager/0000_20_kube-apiserver-operator_00_scc-restricted.yaml | cat -n

Repository: openshift/microshift

Length of output: 1963


Use 420 for the kube-api-access projection

This pod has no runAsUser/fsGroup, so the restricted SCC’s non-root UID can’t read token/ca.crt with owner-read-only permissions. 420 matches the usual projected service-account token mode.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@assets/components/openshift-router/deployment.yaml` around lines 345 - 357,
The kube-api-access projected volume is using an owner-read-only default mode
that blocks the restricted SCC non-root UID from reading the projected token and
CA cert. Update the projected volume in the deployment manifest for
kube-api-access to use the standard service-account token permission mode of 420
instead of the current value so token and ca.crt remain readable without
runAsUser or fsGroup.

@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

@pacevedom: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-tests bbf433c link true /test e2e-aws-tests

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant