STATUS and GC are plugin-level commands with no pod context per the
CNI 1.1.0 spec. The thick plugin daemon incorrectly required
CNI_CONTAINERID, CNI_NETNS, and K8S_POD_NAME/K8S_POD_NAMESPACE for
these commands, causing failures when invoked by kubelet.
Signed-off-by: Jason Kary <jkary@redhat.com>
Validate the per-node kubeconfig when a current certificate is
available and fall back to the bootstrap kubeconfig only when the
per-node config is no longer trusted.
Also rebuild the derived per-node rest.Config from the reloaded
bootstrap config so TLS settings are preserved and refreshed
consistently.
Signed-off-by: Peng Liu <pliu@redhat.com>
Listing all pods across all namespaces during bootstrap is expensive
in large clusters and unnecessary since the result is discarded.
Use the lightweight /version endpoint to validate connectivity instead.
Signed-off-by: Peng Liu <pliu@redhat.com>
When a namespace uses a primary User-Defined Network (UDN) with a
device-plugin resource (e.g. SR-IOV), OVN-Kubernetes uses the last
device in the list for the primary interface while Multus assigns
earlier devices to cluster-default/secondary interfaces. The kubelet
and checkpoint paths build the list from map iteration, so order was
non-deterministic and the "last" device could differ between callers.
Sorting ensures both Multus and OVN-K8s see the same order so the
last device is consistently the one reserved for the primary UDN.
Signed-off-by: Yun Zhou <yunz@nvidia.com>
The trivy-action@0.29.0 was trying to install Trivy v0.57.1 which
no longer exists in the GitHub releases. This was causing all PR
builds to fail on the "Image thick plugin" job. Update to v0.35.0
which properly installs the latest Trivy version.
Assisted by Claude Sonnet 4.5
Signed-off-by: Benjamin Pickard <bpickard@redhat.com>
Fix thin auto-config generation to select 00-multus.conflist for
all CNI versions >= 1.0.0 (not only exact 1.0.0)
Signed-off-by: Tim Rozet <trozet@nvidia.com>
Changes-Include:
- Add STATUS handling for delegate requests and single‑plugin
- Invoke STATUS for conf/conflist delegates via libcni
- Preserve CNI error codes/messages through daemon API and shim
- Add tests for STATUS error propagation
Signed-off-by: Tim Rozet <trozet@nvidia.com>
CRI-O 1.34+ enforces short name mode by default, which refuses
to pull images with unqualified names like 'ubuntu:22.04' because they
are ambiguous.
Use the full image docker.io/library/ubuntu:22.04
Fixes#1471
Signed-off-by: Ram Lavi <ralavi@redhat.com>
CRI-O 1.34+ enforces short name mode by default, which refuses
to pull images with unqualified names like 'centos:8' because they
are ambiguous.
Use the full image quay.io/centos/centos:8
Fixes#1471
Signed-off-by: Ram Lavi <ralavi@redhat.com>
CRI-O 1.34+ enforces short name mode by default, which refuses
to pull images with unqualified names like 'alpine' because they
are ambiguous.
Use a full image docker.io/library/alpine
Fixes#1471
Signed-off-by: Ram Lavi <ralavi@redhat.com>
