USHIFT-6401: Patch unbounded KAS context to break pre-hook deadlock #6635

Open
copejon wants to merge 3 commits into openshift:main from copejon:fix-USHIFT-6401-alt-fix

@copejon

@copejon copejon commented May 7, 2026

Contributor

Replace context.TODO() with the hook's cancelable context in the RBAC bootstrap post-start hook helpers (primeAggregatedClusterRoles, primeSplitClusterRoleBindings)

Summary by CodeRabbit

  • Chores

    • Improve RBAC post-start initialization by using per-attempt, timeout-bound operation contexts for readiness checks and role/role-binding priming, ensuring timeouts don’t fail the whole process and enabling retries.
    • Ensure priming of aggregated roles and split role bindings respects these operation timeouts.
  • Tests

    • Updated the RBAC benchmark to propagate the operation context and to fail when initialization does not complete as expected.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 7, 2026
@openshift-ci-robot

openshift-ci-robot commented May 7, 2026


@copejon: This pull request references USHIFT-6401 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target either version "5.0." or "openshift-5.0.", but it targets "openshift-4.22" instead.

Details

In response to this:

Replace context.TODO() with the hook's cancelable context in the RBAC bootstrap post-start hook helpers (primeAggregatedClusterRoles, primeSplitClusterRoleBindings)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 7, 2026
@openshift-ci

openshift-ci Bot commented May 7, 2026

Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@coderabbitai

coderabbitai Bot commented May 7, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8378f027-1bca-498d-9258-e6621a5927af

📥 Commits

Reviewing files that changed from the base of the PR and between 13c8c28 and c00b0c4.

⛔ Files ignored due to path filters (1)
  • vendor/k8s.io/kubernetes/pkg/registry/rbac/rest/storage_rbac.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (3)
  • deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac.go
  • deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac_test.go
  • scripts/auto-rebase/rebase_patches/0040-rbac-bootstrap-hook-context-threading.patch
🚧 Files skipped from review as they are similar to previous changes (3)
  • deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac_test.go
  • scripts/auto-rebase/rebase_patches/0040-rbac-bootstrap-hook-context-threading.patch
  • deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac.go

Walkthrough

RBAC bootstrap now creates a timeout-bound context per poll attempt, uses it for readiness checks, forwards it into RBAC priming, and updates the benchmark to pass and validate a context.

Changes

RBAC bootstrap context threading

| Layer / File(s) | Summary |
| --- | --- |
| Per-attempt timeout context: scripts/auto-rebase/rebase_patches/0040-rbac-bootstrap-hook-context-threading.patch, deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac.go | The post-start hook derives a timeout-bound context for each poll attempt and passes it into RBAC initialization. |
| Readiness checks and retry: scripts/auto-rebase/rebase_patches/0040-rbac-bootstrap-hook-context-threading.patch, deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac.go | ensureRBACPolicy accepts context.Context, uses it for cluster role and cluster role binding readiness List calls, and returns a retry when the context times out. |
| Aggregated ClusterRoles priming: scripts/auto-rebase/rebase_patches/0040-rbac-bootstrap-hook-context-threading.patch, deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac.go | primeAggregatedClusterRoles now takes the context and uses it for ClusterRoles().Get and ClusterRoles().Create calls. |
| Split ClusterRoleBindings priming: scripts/auto-rebase/rebase_patches/0040-rbac-bootstrap-hook-context-threading.patch, deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac.go | primeSplitClusterRoleBindings now takes the context and uses it for ClusterRoleBindings().Get and ClusterRoleBindings().Create calls. |
| Benchmark update: deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac_test.go | The benchmark passes context.Background() into ensureRBACPolicy and checks both the error and completion result. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

ready-for-human-review

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (14 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the context-timeout fix for the RBAC pre-hook deadlock. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | No Ginkgo-style test titles were added; the only test symbol is a static benchmark name, so there are no dynamic or unstable test names. |
| Test Structure And Quality | ✅ Passed | Only a benchmark changed; no Ginkgo tests, cluster waits, or cleanup patterns are involved, and the benchmark uses a clear failure message. |
| Microshift Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added; only RBAC helper context threading and a benchmark change were touched. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added; the only test change is a benchmark, so SNO-specific skipping isn’t applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | Only RBAC bootstrap context plumbing changed; no manifests, replicas, affinity, selectors, or topology-aware scheduling logic was added. |
| Ote Binary Stdout Contract | ✅ Passed | No init/TestMain/suite setup or stdout writes were added; the PR only threads context through hook helpers and updates a benchmark. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added; the only test change is a fake-client benchmark with no IPv4 or external-network assumptions. |
| No-Weak-Crypto | ✅ Passed | Touched RBAC files only thread context and add benchmark plumbing; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB or custom crypto found. |
| Container-Privileges | ✅ Passed | Patch only updates RBAC Go helpers and benchmark; no container/K8s manifests or privileged settings are present. |
| No-Sensitive-Data-In-Logs | ✅ Passed | PASS: The touched RBAC logs are generic timeouts and object-name messages; no passwords, tokens, PII, hostnames, or customer data are logged. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)



@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 7, 2026

@coderabbitai coderabbitai Bot left a comment

Contributor

🧹 Nitpick comments (1)
deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac.go (1)

166-173: ⚡ Quick win

wait.Poll loop is not context-aware — cancellation won't short-circuit it.

The hook context is now correctly threaded into the inner function, so individual API calls will fail fast when the context is cancelled. However, wait.Poll itself has no awareness of the context; if the context is cancelled mid-poll-interval, the loop continues blocking for up to 30 more seconds before the next iteration observes the error. Replacing it with wait.PollWithContext (or wait.PollUntilContextTimeout) fully honors the shutdown signal.

♻️ Proposed refactor
-		err := wait.Poll(1*time.Second, 30*time.Second, func() (done bool, err error) {
+		err := wait.PollUntilContextTimeout(hookContext.Context, 1*time.Second, 30*time.Second, true, func(ctx context.Context) (done bool, err error) {
 			client, err := clientset.NewForConfig(hookContext.LoopbackClientConfig)
 			if err != nil {
 				utilruntime.HandleError(fmt.Errorf("unable to initialize client set: %v", err))
 				return false, nil
 			}
-			return ensureRBACPolicy(hookContext, p, client)
+			return ensureRBACPolicy(ctx, p, client)
 		})
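
Review bot: On the `+` line that calls `wait.PollUntilContextTimeout`, the `ctx` handed on to `ensureRBACPolicy(ctx, p, client)` carries only the 30-second overall deadline, so one stalled call can still use up the whole window without a retry. Derive a shorter per-attempt context inside the closure with `context.WithTimeout(ctx, ...)` and cancel it before returning. The `true` argument also makes the first attempt run immediately, whereas `wait.Poll` waits one interval first; pass `false` if the original timing should be kept.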

Note: adjust hookContext.Context to hookContext if PostStartHookContext embeds context.Context.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac.go`
around lines 166 - 173, The wait.Poll call in the RBAC setup loop is not
context-aware and can block after cancellation; replace the wait.Poll invocation
in storage_rbac.go with a context-aware variant (e.g., wait.PollWithContext or
wait.PollUntilContextTimeout) so the loop short-circuits on hookContext
cancellation; pass the hookContext (or hookContext.Context if
PostStartHookContext embeds context.Context) as the context argument and keep
the same polling interval and timeout while preserving the existing
ensureRBACPolicy(hookContext, p, client) call and error handling.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9f88f2a4-91ab-409f-bd6c-6d75d87351ef

📥 Commits

Reviewing files that changed from the base of the PR and between e98bbde and d255cf8.

⛔ Files ignored due to path filters (1)
  • vendor/k8s.io/kubernetes/pkg/registry/rbac/rest/storage_rbac.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (2)
  • deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac.go
  • deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac_test.go

@copejon copejon force-pushed the fix-USHIFT-6401-alt-fix branch from d255cf8 to b220d71 Compare May 19, 2026 22:04
@copejon copejon marked this pull request as ready for review May 19, 2026 22:06
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 19, 2026
@openshift-ci openshift-ci Bot requested review from pacevedom and vanhalenar May 19, 2026 22:06
@copejon copejon force-pushed the fix-USHIFT-6401-alt-fix branch from b220d71 to 1d08a19 Compare May 19, 2026 22:47
Comment thread deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac.go Outdated
@coderabbitai coderabbitai Bot added the ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review label May 27, 2026

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac_test.go`:
- Line 38: The benchmark currently ignores the error return from
ensureRBACPolicy; change the call to capture the error and fail the benchmark on
error (e.g., call b.Fatalf or b.Fatal with an explanatory message and the error)
so that ensureRBACPolicy(policy, coreClientSet, context.Background()) failures
are reported instead of being swallowed; reference ensureRBACPolicy, policy and
coreClientSet to locate the call and replace the ignored error with an if err !=
nil check that fails the test/benchmark.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 3303d4e4-2601-44ac-987c-eafc2eb27940

📥 Commits

Reviewing files that changed from the base of the PR and between 1d08a19 and 9efba0f.

⛔ Files ignored due to path filters (1)
  • vendor/k8s.io/kubernetes/pkg/registry/rbac/rest/storage_rbac.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (3)
  • deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac.go
  • deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac_test.go
  • scripts/auto-rebase/rebase_patches/0040-rbac-bootstrap-hook-context-threading.patch
🚧 Files skipped from review as they are similar to previous changes (1)
  • deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac.go

Comment thread deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac_test.go Outdated
@copejon

copejon commented May 27, 2026

Contributor Author

/test test-rebase

@coderabbitai coderabbitai Bot removed the ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review label May 27, 2026

@coderabbitai coderabbitai Bot left a comment

Contributor

♻️ Duplicate comments (1)
deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac_test.go (1)

38-40: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Also check the done return value.

The benchmark currently discards the done return value from ensureRBACPolicy. If done == false (but err == nil), the RBAC policy setup did not complete, which would invalidate the benchmark results.

Proposed fix
-		if _, err := ensureRBACPolicy(context.Background(), policy, coreClientSet); err != nil {
+		done, err := ensureRBACPolicy(context.Background(), policy, coreClientSet)
+		if err != nil {
 			b.Fatalf("ensureRBACPolicy failed: %v", err)
 		}
+		if !done {
+			b.Fatalf("ensureRBACPolicy did not complete")
+		}
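
Review bot: The added `b.Fatalf("ensureRBACPolicy did not complete")` has no format verbs, so `b.Fatal` is the clearer call. The `context.Background()` passed to `ensureRBACPolicy` on the first `+` line also carries no deadline, so a call that blocks would hang the benchmark rather than fail it; a `context.WithTimeout` context here would turn that into a reported failure.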

As per coding guidelines, Go security (prodsec-skills): Never ignore error returns.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac_test.go`
around lines 38 - 40, The benchmark is ignoring the boolean "done" returned by
ensureRBACPolicy; update the call in the test to capture both returns (done, err
:= ensureRBACPolicy(...)) and if err != nil or done == false, call b.Fatalf with
an explanatory message (e.g., "ensureRBACPolicy failed or did not complete:
done=%v err=%v") so a nil error but incomplete setup is treated as a failure;
locate the call to ensureRBACPolicy in storage_rbac_test.go and modify the
b.Fatalf checks accordingly.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 32dc0bb5-f181-4e30-b94d-68d80d05caff

📥 Commits

Reviewing files that changed from the base of the PR and between 9efba0f and c25ec4d.

⛔ Files ignored due to path filters (1)
  • vendor/k8s.io/kubernetes/pkg/registry/rbac/rest/storage_rbac_test.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (1)
  • deps/github.com/openshift/kubernetes/pkg/registry/rbac/rest/storage_rbac_test.go

@openshift-ci

openshift-ci Bot commented May 29, 2026

Contributor

@copejon: you cannot LGTM your own PR.

Details

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@copejon

copejon commented May 29, 2026

Contributor Author

/cherrypick release-4.22

@openshift-cherrypick-robot


@copejon: once the present PR merges, I will cherry-pick it on top of release-4.22 in a new PR and assign it to you.

Details

In response to this:

/cherrypick release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@pmtk

pmtk commented Jun 1, 2026

Member

/lgtm

@copejon

copejon commented Jun 6, 2026

Contributor Author

/test e2e-aws-tests-bootc-arm-el9

1 similar comment
@ggiguash

ggiguash commented Jun 6, 2026

Contributor

/test e2e-aws-tests-bootc-arm-el9

@ggiguash

ggiguash commented Jun 7, 2026

Contributor

/test periodics-e2e-aws-tests-bootc-release-arm-periodic-el9

@ggiguash

ggiguash commented Jun 7, 2026

Contributor

/test e2e-aws-tests-bootc-release-arm-el9

4 similar comments
@ggiguash

ggiguash commented Jun 7, 2026

Contributor

/test e2e-aws-tests-bootc-release-arm-el9

@ggiguash

ggiguash commented Jun 7, 2026

Contributor

/test e2e-aws-tests-bootc-release-arm-el9

@ggiguash

ggiguash commented Jun 7, 2026

Contributor

/test e2e-aws-tests-bootc-release-arm-el9

@copejon

copejon commented Jun 8, 2026

Contributor Author

/test e2e-aws-tests-bootc-release-arm-el9

@copejon

copejon commented Jun 8, 2026

Contributor Author

CI failure analysis: e2e-aws-tests-bootc-release-arm-el9 (run 2063615533986615296)

22/23 scenarios passed. The sole failure was el98-lrel@dual-stack-configuration1 — 6/8 Dns-Resource-Configuration tests failed with resource value mismatches (50m != 100m, setup errors 0 != 1). Unrelated to this PR's RBAC bootstrap hook changes (storage_rbac.go).

Retested.

@copejon

copejon commented Jun 8, 2026

Contributor Author

Retest failure analysis (run 2064018858921955328)

3/23 scenarios failed, all unrelated to this PR:

  1. el98-lrel@dual-stack-configuration1 — same 6/8 DNS resource config test failures as previous run (deterministic pre-existing bug)
  2. el98-lrel@nightly-brew-standard1 — greenboot healthcheck failed at boot (greenboot-healthcheck.service: Main process exited, code=exited, status=1/FAILURE)
  3. el98-lrel@nightly-brew-standard2 — identical greenboot healthcheck failure

The nightly-brew failures are transient (brew image availability). Retesting.

/test e2e-aws-tests-bootc-release-arm-el9

@copejon copejon force-pushed the fix-USHIFT-6401-alt-fix branch 2 times, most recently from 1a5b719 to 0f2657e Compare June 11, 2026 05:05
@openshift-ci

openshift-ci Bot commented Jun 11, 2026

Contributor

@copejon: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-tests-bootc-release-arm-el9 | b9495d6 | link | true | /test e2e-aws-tests-bootc-release-arm-el9 |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@copejon

copejon commented Jun 11, 2026

Contributor Author

ISO build failures across multiple jobs

/retest

@openshift-ci

openshift-ci Bot commented Jun 11, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: copejon, pmtk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@copejon copejon force-pushed the fix-USHIFT-6401-alt-fix branch from 13c8c28 to 7c6b99f Compare June 24, 2026 14:12
copejon and others added 3 commits June 24, 2026 09:12
Thread a 5s context.WithTimeout into each poll attempt of the RBAC
bootstrap PostStartHook, preventing indefinite hangs when etcd is
unresponsive during initial readiness checks. Replace context.TODO()
with the deadline-scoped context in List calls and prime functions.
Add a klog.Warningf on timeout to distinguish deadline exceeded from
other transient errors.

Co-authored-by: Cursor <cursoragent@cursor.com>
…l the benchmark if !done, even when err == nil.
@copejon copejon force-pushed the fix-USHIFT-6401-alt-fix branch from 7c6b99f to c00b0c4 Compare June 24, 2026 14:13
@coderabbitai coderabbitai Bot added the ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review label Jun 24, 2026
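
The per-attempt deadline described in the commit message above, as an added Go example that is not code from this PR or from Kubernetes. It uses only the standard library; `backend`, `ensurePolicy` and `pollBootstrap` are hypothetical names, and millisecond timeouts stand in for the 5s and 30s values.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// backend is a hypothetical stand-in for the loopback client and the store
// behind it. Its first `stalled` calls block until the caller's context ends.
type backend struct {
	stalled int
	calls   int
}

func (b *backend) List(ctx context.Context) error {
	b.calls++
	if b.calls <= b.stalled {
		<-ctx.Done() // unresponsive store: returns only when the caller gives up
		return ctx.Err()
	}
	return nil
}

// ensurePolicy follows the (done, err) contract of a poll condition: an
// attempt that hit its deadline is "not done, retry", not a fatal error.
func ensurePolicy(ctx context.Context, b *backend) (bool, error) {
	if err := b.List(ctx); err != nil {
		if errors.Is(err, context.DeadlineExceeded) {
			return false, nil // real code would log a warning here
		}
		return false, err
	}
	return true, nil
}

// pollBootstrap retries ensurePolicy every interval until it completes or
// parent ends, and returns the number of attempts made. With perAttempt > 0
// each attempt gets its own deadline. With perAttempt == 0 the parent is
// passed straight through, a terminating stand-in for an unbounded context.
func pollBootstrap(parent context.Context, b *backend, interval, perAttempt time.Duration) (int, error) {
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	for attempts := 1; ; attempts++ {
		opCtx, cancel := parent, context.CancelFunc(func() {})
		if perAttempt > 0 {
			opCtx, cancel = context.WithTimeout(parent, perAttempt)
		}
		done, err := ensurePolicy(opCtx, b)
		cancel() // release the attempt's timer before waiting for the next tick
		if done || err != nil {
			return attempts, err
		}
		if parent.Err() != nil { // overall window is gone: stop, do not retry
			return attempts, parent.Err()
		}
		select {
		case <-parent.Done():
			return attempts, parent.Err()
		case <-ticker.C:
		}
	}
}

func main() {
	// Constructed scenario: the store stalls for the first two calls.
	for _, perAttempt := range []time.Duration{0, 20 * time.Millisecond} {
		parent, cancel := context.WithTimeout(context.Background(), 200*time.Millisecond)
		n, err := pollBootstrap(parent, &backend{stalled: 2}, 5*time.Millisecond, perAttempt)
		cancel()
		fmt.Printf("perAttempt=%v attempts=%d err=%v\n", perAttempt, n, err)
	}
}
```

Without a per-attempt deadline the first stalled call consumes the whole polling window and the loop never gets a second attempt; with one, the loop retries and completes on the third call.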
Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review
