USHIFT-6401: Patch unbounded KAS context to break pre-hook deadlock

[copejon]

Replace context.TODO() with the hook's cancelable context in the RBAC bootstrap post-start hook helpers (primeAggregatedClusterRoles, primeSplitClusterRoleBindings)

• On resource-constrained edge devices, these calls can block indefinitely through the loopback client, deadlocking KAS on restart
• Upstream: [-]poststarthook/rbac/bootstrap-roles failed: reason withheld kubernetes/kubernetes#86715, Optimize rbac/bootstrap-roles post-startup-hook kubernetes/kubernetes#97119

Summary by CodeRabbit

• Chores

  • RBAC bootstrap/reconciliation now uses per-attempt timeout-bound operation contexts for readiness checks and role/role-binding priming, improving boundedness and retry behavior of initialization attempts.
  • Priming steps for aggregated roles and split role-bindings now honor operation timeouts.

• Tests

  • RBAC benchmark updated to propagate contexts and to fail on unexpected errors.

[openshift-ci-robot]

@copejon: This pull request references USHIFT-6401 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target either version "5.0." or "openshift-5.0.", but it targets "openshift-4.22" instead.

Details

In response to this:

Replace context.TODO() with the hook's cancelable context in the RBAC bootstrap post-start hook helpers (primeAggregatedClusterRoles, primeSplitClusterRoleBindings)

• On resource-constrained edge devices, these calls can block indefinitely through the loopback client, deadlocking KAS on restart
• Upstream: [-]poststarthook/rbac/bootstrap-roles failed: reason withheld kubernetes/kubernetes#86715, Optimize rbac/bootstrap-roles post-startup-hook kubernetes/kubernetes#97119

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ff15f0f4-7413-4d20-8944-e103f2724692

📥 Commits

Reviewing files that changed from the base of the PR and between 0f2657e and 13c8c28.

📒 Files selected for processing (1)

• deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac_test.go

---

Walkthrough

RBAC bootstrap context threading: post-start hook derives a per-attempt 15s timeout ctx and internal wait.Poll attempts use 5s timeout; ensureRBACPolicy accepts ctx, uses it for ClusterRole/ClusterRoleBinding List calls, forwards ctx to priming helpers, and priming helpers use ctx for Get/Create calls; benchmark updated to pass a context and check errors.

Changes

RBAC bootstrap context threading

Layer / File(s)	Summary
Entry point: per-attempt timeout context scripts/auto-rebase/rebase_patches/0040-rbac-bootstrap-hook-context-threading.patch	Post-start hook derives a per-attempt context.WithTimeout(hookContext, 15*time.Second) and passes the derived ctx into ensureRBACPolicy.
Core: ensureRBACPolicy context usage deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac.go, scripts/auto-rebase/rebase_patches/0040-rbac-bootstrap-hook-context-threading.patch	ensureRBACPolicy(ctx context.Context) signature added; uses ctx for initial ClusterRoles/ClusterRoleBindings List readiness calls, returns a retry on ctx deadline, and forwards ctx to priming helpers. EnsureRBACPolicy() wraps each wait.Poll attempt in context.WithTimeout(hookContext, 5*time.Second) and passes that context into ensureRBACPolicy.
Priming: aggregated ClusterRoles use ctx deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac.go, scripts/auto-rebase/rebase_patches/0040-rbac-bootstrap-hook-context-threading.patch	primeAggregatedClusterRoles(ctx) accepts ctx and uses it for ClusterRoles().Get checks and Create calls (replacing prior context.TODO()).
Priming: split ClusterRoleBindings use ctx deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac.go, scripts/auto-rebase/rebase_patches/0040-rbac-bootstrap-hook-context-threading.patch	primeSplitClusterRoleBindings(ctx) accepts ctx and uses it for ClusterRoleBindings().Get existence checks and Create calls (replacing prior context.TODO()).
Benchmarks/tests updated to pass context deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac_test.go	Benchmark imports context, calls ensureRBACPolicy(context.Background(), ...), and fails the benchmark with b.Fatalf if ensureRBACPolicy returns an error or reports not done.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

ready-for-human-review

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly identifies the specific change: patching unbounded KAS context to resolve a pre-hook deadlock issue. It directly relates to the main objective of threading a cancelable context through RBAC bootstrap helpers to prevent indefinite blocking.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR #6635 only updates RBAC bootstrap/benchmark code; no Ginkgo It/Describe/Context/When titles are changed or present, so no unstable test names were introduced.
Test Structure And Quality	✅ Passed	The test file is a Go benchmark (BenchmarkEnsureRBACPolicy), not a Ginkgo test suite, so the Ginkgo test quality requirements don't apply. The check is not applicable to this PR.
Microshift Test Compatibility	✅ Passed	PR #6635 only modifies RBAC bootstrap code + a Go benchmark (storage_rbac.go/storage_rbac_test.go and one rebase patch); no new Ginkgo e2e tests were added.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR #6635 only updates RBAC storage code and a Go benchmark; PR page indicates it contains no Ginkgo e2e tests, so SNO compatibility check doesn’t apply.
Topology-Aware Scheduling Compatibility	✅ Passed	PR updates RBAC bootstrap hook context/timeouts in storage_rbac.go; no topology/affinity/spread/PDB/nodeSelector scheduling constraints were introduced (checked storage_rbac.go, storage_rbac_test.g...
Ote Binary Stdout Contract	✅ Passed	Scanned PR files (storage_rbac.go, storage_rbac_test.go, rebase patch) for fmt/os.Stdout/klog os.Stdout—none. Also scanned vendored openshift-tests-extension for init/top-level stdout—0 hits.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR changes only RBAC storage bootstrap code/benchmark; modified files contain no Ginkgo e2e constructs (Describe/It/Context/When), nor any external IPv4/network assumptions.
No-Weak-Crypto	✅ Passed	In the PR-mentioned files (storage_rbac.go/test and the patch), there are no references to MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, no crypto/* imports, and no constant-time token comparisons.
Container-Privileges	✅ Passed	Searched PR-related files (storage_rbac.go, storage_rbac_test.go, rbac-bootstrap context patch) for privileged/hostPID/hostNetwork/hostIPC/SYS_ADMIN/allowPrivilegeEscalation; none found.
No-Sensitive-Data-In-Logs	✅ Passed	Scanned the PR patch and storage_rbac.go additions: only a timeout klog.Warningf was added; no password/token/PII-like data is logged.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=warning msg="The linter 'gomodguard' is deprecated (since v2.12.0) due to: new major version. Replaced by gomodguard_v2."
level=warning msg="Suggested new configuration:\nlinters:\n enable:\n - gomodguard_v2\n"
level=error msg="Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: err: exit status 1: stderr: go: inconsistent vendoring in :\n\tgithub.com/apparentlymart/go-cidr@v1.1.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/coreos/go-systemd@v0.0.0-20190321100706-95778dfbb74e: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/google/go-cmp@v0.7.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/miekg/dns@v1.1.63: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/openshift/api@v0.0.0-20260511191110-9b69e5fa27e9: is

... [truncated 31032 characters] ...

elet: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/metrics: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/mount-utils: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/pod-security-admission: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/sample-apiserver: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/sample-cli-plugin: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/sample-controller: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\n\tTo ignore the vendor directory, use -mod=readonly or -mod=mod.\n\tTo sync the vendor directory, run:\n\t\tgo mod vendor\n"

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac.go (1)

166-173: ⚡ Quick win

wait.Poll loop is not context-aware — cancellation won't short-circuit it.

The hook context is now correctly threaded into the inner function, so individual API calls will fail fast when the context is cancelled. However, wait.Poll itself has no awareness of the context; if the context is cancelled mid-poll-interval, the loop continues blocking for up to 30 more seconds before the next iteration observes the error. Replacing it with wait.PollWithContext (or wait.PollUntilContextTimeout) fully honors the shutdown signal.

♻️ Proposed refactor

-		err := wait.Poll(1*time.Second, 30*time.Second, func() (done bool, err error) {
+		err := wait.PollUntilContextTimeout(hookContext.Context, 1*time.Second, 30*time.Second, true, func(ctx context.Context) (done bool, err error) {
 			client, err := clientset.NewForConfig(hookContext.LoopbackClientConfig)
 			if err != nil {
 				utilruntime.HandleError(fmt.Errorf("unable to initialize client set: %v", err))
 				return false, nil
 			}
-			return ensureRBACPolicy(hookContext, p, client)
+			return ensureRBACPolicy(ctx, p, client)
 		})

Note: adjust hookContext.Context to hookContext if PostStartHookContext embeds context.Context.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac.go`
around lines 166 - 173, The wait.Poll call in the RBAC setup loop is not
context-aware and can block after cancellation; replace the wait.Poll invocation
in storage_rbac.go with a context-aware variant (e.g., wait.PollWithContext or
wait.PollUntilContextTimeout) so the loop short-circuits on hookContext
cancellation; pass the hookContext (or hookContext.Context if
PostStartHookContext embeds context.Context) as the context argument and keep
the same polling interval and timeout while preserving the existing
ensureRBACPolicy(hookContext, p, client) call and error handling.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac.go`:
- Around line 166-173: The wait.Poll call in the RBAC setup loop is not
context-aware and can block after cancellation; replace the wait.Poll invocation
in storage_rbac.go with a context-aware variant (e.g., wait.PollWithContext or
wait.PollUntilContextTimeout) so the loop short-circuits on hookContext
cancellation; pass the hookContext (or hookContext.Context if
PostStartHookContext embeds context.Context) as the context argument and keep
the same polling interval and timeout while preserving the existing
ensureRBACPolicy(hookContext, p, client) call and error handling.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9f88f2a4-91ab-409f-bd6c-6d75d87351ef

📥 Commits

Reviewing files that changed from the base of the PR and between e98bbde and d255cf8.

⛔ Files ignored due to path filters (1)

• vendor/k8s.io/kubernetes/pkg/registry/rbac/rest/storage_rbac.go is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (2)

• deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac.go
• deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac_test.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac_test.go`:
- Line 38: The benchmark currently ignores the error return from
ensureRBACPolicy; change the call to capture the error and fail the benchmark on
error (e.g., call b.Fatalf or b.Fatal with an explanatory message and the error)
so that ensureRBACPolicy(policy, coreClientSet, context.Background()) failures
are reported instead of being swallowed; reference ensureRBACPolicy, policy and
coreClientSet to locate the call and replace the ignored error with an if err !=
nil check that fails the test/benchmark.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 3303d4e4-2601-44ac-987c-eafc2eb27940

📥 Commits

Reviewing files that changed from the base of the PR and between 1d08a19 and 9efba0f.

⛔ Files ignored due to path filters (1)

• vendor/k8s.io/kubernetes/pkg/registry/rbac/rest/storage_rbac.go is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (3)

• deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac.go
• deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac_test.go
• scripts/auto-rebase/rebase_patches/0040-rbac-bootstrap-hook-context-threading.patch

🚧 Files skipped from review as they are similar to previous changes (1)

• deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac.go

[copejon]

/test test-rebase

[coderabbitai]

♻️ Duplicate comments (1)

deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac_test.go (1)

38-40: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Also check the done return value.

The benchmark currently discards the done return value from ensureRBACPolicy. If done == false (but err == nil), the RBAC policy setup did not complete, which would invalidate the benchmark results.

Proposed fix

-		if _, err := ensureRBACPolicy(context.Background(), policy, coreClientSet); err != nil {
+		done, err := ensureRBACPolicy(context.Background(), policy, coreClientSet)
+		if err != nil {
 			b.Fatalf("ensureRBACPolicy failed: %v", err)
 		}
+		if !done {
+			b.Fatalf("ensureRBACPolicy did not complete")
+		}

As per coding guidelines, Go security (prodsec-skills): Never ignore error returns.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac_test.go`
around lines 38 - 40, The benchmark is ignoring the boolean "done" returned by
ensureRBACPolicy; update the call in the test to capture both returns (done, err
:= ensureRBACPolicy(...)) and if err != nil or done == false, call b.Fatalf with
an explanatory message (e.g., "ensureRBACPolicy failed or did not complete:
done=%v err=%v") so a nil error but incomplete setup is treated as a failure;
locate the call to ensureRBACPolicy in storage_rbac_test.go and modify the
b.Fatalf checks accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In
`@deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac_test.go`:
- Around line 38-40: The benchmark is ignoring the boolean "done" returned by
ensureRBACPolicy; update the call in the test to capture both returns (done, err
:= ensureRBACPolicy(...)) and if err != nil or done == false, call b.Fatalf with
an explanatory message (e.g., "ensureRBACPolicy failed or did not complete:
done=%v err=%v") so a nil error but incomplete setup is treated as a failure;
locate the call to ensureRBACPolicy in storage_rbac_test.go and modify the
b.Fatalf checks accordingly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 32dc0bb5-f181-4e30-b94d-68d80d05caff

📥 Commits

Reviewing files that changed from the base of the PR and between 9efba0f and c25ec4d.

⛔ Files ignored due to path filters (1)

• vendor/k8s.io/kubernetes/pkg/registry/rbac/rest/storage_rbac_test.go is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (1)

• deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac_test.go

[openshift-ci]

@copejon: you cannot LGTM your own PR.

Details

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[copejon]

/cherrypick release-4.22

[openshift-cherrypick-robot]

@copejon: once the present PR merges, I will cherry-pick it on top of release-4.22 in a new PR and assign it to you.

Details

In response to this:

/cherrypick release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[pmtk]

/lgtm

[copejon]

/test e2e-aws-tests-bootc-arm-el9

[ggiguash]

/test e2e-aws-tests-bootc-arm-el9

[ggiguash]

/test periodics-e2e-aws-tests-bootc-release-arm-periodic-el9

[ggiguash]

/test e2e-aws-tests-bootc-release-arm-el9

[ggiguash]

/test e2e-aws-tests-bootc-release-arm-el9

[ggiguash]

/test e2e-aws-tests-bootc-release-arm-el9

[ggiguash]

/test e2e-aws-tests-bootc-release-arm-el9

[copejon]

/test e2e-aws-tests-bootc-release-arm-el9

[copejon]

CI failure analysis: e2e-aws-tests-bootc-release-arm-el9 (run 2063615533986615296)

22/23 scenarios passed. The sole failure was el98-lrel@dual-stack-configuration1 — 6/8 Dns-Resource-Configuration tests failed with resource value mismatches (50m != 100m, setup errors 0 != 1). Unrelated to this PR's RBAC bootstrap hook changes (storage_rbac.go).

Retested.

[copejon]

Retest failure analysis (run 2064018858921955328)

3/23 scenarios failed, all unrelated to this PR:

1. el98-lrel@dual-stack-configuration1 — same 6/8 DNS resource config test failures as previous run (deterministic pre-existing bug)
2. el98-lrel@nightly-brew-standard1 — greenboot healthcheck failed at boot (greenboot-healthcheck.service: Main process exited, code=exited, status=1/FAILURE)
3. el98-lrel@nightly-brew-standard2 — identical greenboot healthcheck failure

The nightly-brew failures are transient (brew image availability). Retesting.

/test e2e-aws-tests-bootc-release-arm-el9

[openshift-ci]

@copejon: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-tests-bootc-release-arm-el9	b9495d6	link	true	/test e2e-aws-tests-bootc-release-arm-el9

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[copejon]

ISO build failures across multiple jobs

/retest

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: copejon, pmtk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [copejon,pmtk]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment