Fix pprof broad exposition #2821

Merged
jotak merged 3 commits into netobserv:main from jotak:pprof
Jun 25, 2026

Conversation

jotak (Member) commented Jun 25, 2026

Description

When pprof was enabled on FLP or the agent, it was exposed on ":(port)" which stands for all net interfaces. FLP and agent configs are modified to accept the full listening address, not just the port (breaking changes).

For FLP, the pprof config is exposed in FlowCollector. Force using "localhost" (which stands for 127.0.0.1 in ipv4 but also works on ipv6). We don't change the FlowCollector API, only the port is exposed.

For the agent, the pprof config is not explicitly exposed but can be modified through env, so the user may configure whatever they want.

Raise 3 warnings through the webhook:

  • when pprof is enabled on FLP
  • when pprof is enabled on the agent
  • when the agent pprof uses broad interface exposition

Add more info to the pprof doc about security.

Dependencies

Checklist

  • Does the changes in PR need specific configuration or environment set up for testing?
    • if so please describe it in PR description.
  • I have added thorough unit tests for the change.
  • QE requirements (check 1 from the list):
    • Standard QE validation, with pre-merge tests unless stated otherwise.
    • Regression tests only (e.g. refactoring with no user-facing change).
    • No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team).

Summary by CodeRabbit

  • New Features

    • Added support for a configurable request size limit for trace exports.
    • Introduced QUIC tracking mode settings for the agent.
    • Profiling can now be configured with an address-based setting.
  • Bug Fixes

    • Health and profiling addresses are now handled more consistently.
    • Added warnings when profiling is enabled in ways that may expose it publicly.
    • Improved handling of larger attribute values and slices in telemetry data.
  • Documentation

    • Clarified advanced processor settings and profiling access guidance.
    • Updated versioned reference docs and release metadata.

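As an added example for this page (not code from the netobserv operator or agent), the following Go program classifies a listen address the way the description above distinguishes ":(port)" from "localhost:(port)", and reproduces the three webhook warnings. It goes beyond the text by recognising every spelling of the unspecified address through net.ParseIP, so the IPv6 wildcard and forms such as "[0:0:0:0:0:0:0:0]:6060" are caught as well. Assumptions: the agent variable name PPROF_ADDR as used later in the review thread, the wording of the two "pprof is enabled" warnings (placeholders; only the all-interfaces text is quoted from the PR), and the function names classifyBind and profilingWarnings, which are this example's own.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// bindScope says who can reach a listener opened on a given address.
type bindScope int

const (
	scopeInvalid  bindScope = iota // not host:port, or port out of range
	scopeLoopback                  // localhost / 127.0.0.1 / ::1: only the pod's own network namespace
	scopeSpecific                  // one routable address or a hostname
	scopeWildcard                  // all interfaces: anything that can route to the pod IP
)

func (s bindScope) String() string {
	return []string{"invalid", "loopback", "specific", "wildcard"}[s]
}

// classifyBind parses a Go net.Listen-style address (":6060", "0.0.0.0:6060",
// "[::]:6060", "localhost:6060") and reports how widely it is exposed.
// net.ParseIP normalises every spelling of the unspecified address, so
// "[0:0:0:0:0:0:0:0]:6060" is treated exactly like "[::]:6060".
func classifyBind(addr string) (bindScope, error) {
	host, portStr, err := net.SplitHostPort(addr)
	if err != nil {
		return scopeInvalid, err
	}
	port, err := strconv.Atoi(portStr)
	if err != nil || port < 1 || port > 65535 {
		return scopeInvalid, fmt.Errorf("invalid port %q in %q", portStr, addr)
	}
	if host == "" { // ":6060": empty host, which Go binds to every interface
		return scopeWildcard, nil
	}
	if strings.EqualFold(host, "localhost") {
		return scopeLoopback, nil
	}
	ip := net.ParseIP(host)
	switch {
	case ip == nil: // a hostname, resolved at runtime; assume non-loopback
		return scopeSpecific, nil
	case ip.IsUnspecified(): // 0.0.0.0, ::, ::0, 0:0:0:0:0:0:0:0
		return scopeWildcard, nil
	case ip.IsLoopback():
		return scopeLoopback, nil
	default:
		return scopeSpecific, nil
	}
}

// Warning texts: warnWildcard is quoted from the PR's webhook; the other two
// are placeholder wordings for the "pprof is enabled" warnings (assumption).
const (
	warnFLP      = "Profiling is enabled on flowlogs-pipeline; disable it when you are not actively debugging."
	warnAgent    = "Profiling is enabled on the eBPF agent; disable it when you are not actively debugging."
	warnWildcard = "Profiling is enabled for all network interfaces, make sure access is restricted e.g. with a network policy."
)

// profilingWarnings mirrors the webhook's decision: flpProfilePort is the
// FlowCollector profilePort (0 = disabled; the operator itself binds it to
// localhost), agentPprofAddr is the agent's PPROF_ADDR value ("" = disabled),
// which the user controls fully and may therefore point at all interfaces.
func profilingWarnings(flpProfilePort int32, agentPprofAddr string) []string {
	var warnings []string
	if flpProfilePort > 0 {
		warnings = append(warnings, warnFLP)
	}
	if agentPprofAddr == "" {
		return warnings
	}
	warnings = append(warnings, warnAgent)
	scope, err := classifyBind(agentPprofAddr)
	switch {
	case err != nil: // a value the agent cannot bind deserves its own warning
		warnings = append(warnings, fmt.Sprintf("PPROF_ADDR %q is not a valid listen address: %v", agentPprofAddr, err))
	case scope == scopeWildcard:
		warnings = append(warnings, warnWildcard)
	}
	return warnings
}

func main() {
	// Constructed sample addresses covering loopback, wildcard and invalid forms.
	for _, a := range []string{":6060", "0.0.0.0:6060", "[::]:6060", "[0:0:0:0:0:0:0:0]:6060", "localhost:6060", "[::1]:6060", "10.0.0.5:6060", "6060"} {
		scope, err := classifyBind(a)
		fmt.Printf("%-24s -> %-8s %v\n", a, scope, err)
	}
	for _, w := range profilingWarnings(6060, "[::]:6060") {
		fmt.Println("warning:", w)
	}
}
```

A loopback-bound pprof endpoint is still reachable for debugging without widening the bind: `kubectl port-forward` connects from inside the pod's network namespace, so a 127.0.0.1 listener answers it, and `kubectl exec` with curl works the same way. Relying on a wildcard bind plus a NetworkPolicy instead leaves enforcement to the CNI, which is why the webhook only warns for that case rather than treating it as safe.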
coderabbitai (Bot) commented Jun 25, 2026

Walkthrough

FlowCollector profiling and health-port configuration, webhook warnings, chart/manifests/docs, and NetObserv agent/pipeline config are updated. The PR also refreshes vendored dependency versions and behavior in fsnotify, grpc-gateway, OpenTelemetry, and x/sys.

Changes

FlowCollector Profiling and QUIC Wiring

Surface contracts and charts
  Files: .mk/local.mk, api/flowcollector/v1beta2/flowcollector_types.go, bundle/manifests/..., config/crd/bases/..., docs/FlowCollector.md
  FlowCollector advanced processor field comments, CRD/manifests, docs, and the Helm install target are updated.

Dependency config contracts
  Files: go.mod, vendor/modules.txt, vendor/github.com/netobserv/flowlogs-pipeline/pkg/{api,config}/*, vendor/github.com/netobserv/netobserv-ebpf-agent/pkg/{config,maps}/*, internal/controller/ebpf/agent_controller_test.go
  NetObserv config structs, redacted secret handling, QUIC map names, and related module pin updates are changed.

Runtime wiring and warnings
  Files: api/flowcollector/v1beta2/flowcollector_validation_webhook.go, internal/pkg/helper/flowcollector.go, internal/controller/flp/flp_common_objects.go
  Helper, controller, and webhook code propagate health and profiling settings into pod config and admission warnings.

Vendored Dependency Updates

Version pins and release metadata
  Files: go.mod, vendor/modules.txt, vendor/go.opentelemetry.io/otel/{AGENTS.md,CLAUDE.md,CHANGELOG.md,CONTRIBUTING.md,Makefile,dependencies.Dockerfile,.golangci.yml,version.go,versions.yaml,sdk/version.go,exporters/otlp/otlptrace/version.go,exporters/otlp/otlptrace/otlptracegrpc/internal/version.go}
  Module version pins, release notes, and OTel tooling and version files are updated.

fsnotify backend and docs
  Files: vendor/github.com/fsnotify/fsnotify/*, vendor/github.com/fsnotify/fsnotify/internal/*
  fsnotify release notes, docs, debug helpers, and backend watch handling are updated.

grpc-gateway mux behavior
  Files: vendor/github.com/grpc-ecosystem/grpc-gateway/v2/runtime/mux.go
  ServeMux gets an option to disable HTTP method override, and malformed sequence handling returns after calling the error handler.

Attribute types and semconv contracts
  Files: vendor/go.opentelemetry.io/otel/attribute/*, vendor/go.opentelemetry.io/otel/semconv/v1.37.0/*, vendor/go.opentelemetry.io/otel/semconv/v1.39.0/*, vendor/go.opentelemetry.io/otel/semconv/v1.41.0/{doc.go,error_type.go,exception.go,schema.go,README.md,MIGRATION.md,attribute_group.go}
  The attribute type system gains byte-slice and slice values, and semconv docs and attribute definitions are updated for v1.41.0.

Tracing, baggage, metrics, and resource behavior
  Files: vendor/go.opentelemetry.io/otel/{baggage,propagation,metric,trace,CONTRIBUTING.md}, vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/..., vendor/go.opentelemetry.io/otel/sdk/{resource,trace}/..., vendor/go.opentelemetry.io/otel/semconv/v1.41.0/otelconv/metric.go
  Baggage parsing, OTLP exporter limits, metric and trace option gating, resource detectors, and observability wrappers are updated.

GPIO v2 ABI
  Files: vendor/golang.org/x/sys/unix/ztypes_linux*.go
  Linux GPIO v2 ioctl constants and payload structs are added to the generated unix bindings.

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~90+ minutes

Pre-merge checks: 4 passed, 1 failed

Failed checks (1 warning)
  Docstring Coverage (Warning): docstring coverage is 35.87%, below the required threshold of 80.00%. Resolution: write docstrings for the functions missing them.

Passed checks (4)
  Title check: the title is concise and accurately reflects the main change: reducing broad pprof exposure.
  Description check: the description matches the template structure and covers the change, dependencies, and checklist sections with enough detail.
  Linked Issues check: skipped because no linked issues were found for this pull request.
  Out of Scope Changes check: skipped because no linked issues were found for this pull request.


jpinsonneau
jpinsonneau previously approved these changes Jun 25, 2026
openshift-ci (Bot) commented Jun 25, 2026

New changes are detected. LGTM label has been removed.

openshift-ci (Bot) commented Jun 25, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from jpinsonneau. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai (Bot) left a review comment

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
vendor/go.opentelemetry.io/otel/CONTRIBUTING.md (1)

873-899: 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Keep the nil guard in the pooled-recording helper.

i.counter.Enabled(ctx) will panic if this helper is invoked on a nil or half-initialized instrumentation. Mirror the i == nil || i.inflight == nil pattern used above before touching the pool.

Suggested fix
 func (i *instrumentation) record(ctx context.Context, value int64, baseAttrs ...attribute.KeyValue) {
-    if !i.counter.Enabled(ctx) {
+    if i == nil || i.counter == nil || !i.counter.Enabled(ctx) {
         return
     }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendor/go.opentelemetry.io/otel/CONTRIBUTING.md` around lines 873 - 899, The
pooled-recording helper in instrumentation.record is missing the nil guard, so
it can panic when called on a nil or half-initialized instrumentation. Add the
same early-return check used elsewhere in this type, guarding both the receiver
and the counter state before calling i.counter.Enabled(ctx) or touching
attrPool/addOptPool, and keep the rest of the record flow unchanged.
🧹 Nitpick comments (1)
internal/controller/flp/flp_common_objects.go (1)

287-293: 🎯 Functional Correctness | 🔵 Trivial

pprof localhost binding looks correct; minor condition inconsistency.

Binding pprofAddr to localhost correctly scopes pprof to the loopback. Note the health check uses != 0 here while podTemplate (Line 123) uses > 0; harmless for valid ports but worth aligning for a negative value.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/controller/flp/flp_common_objects.go` around lines 287 - 293, The
port checks in the FLP config setup are inconsistent between the health and
pprof bindings, and the `HealthPort`/`ProfilePort` guards should be aligned to
reject negative values consistently. Update the conditional logic in
`flp_common_objects.go` around `advancedConfig.HealthPort` and
`advancedConfig.ProfilePort` to use the same positive-port validation pattern
already used in `podTemplate`, while keeping the `pprofAddr` localhost binding
behavior in place.
📥 Commits

Reviewing files that changed from the base of the PR and between 4890497 and a000bce.

⛔ Files ignored due to path filters (6)
  • go.sum is excluded by !**/*.sum
  • vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/checked.pb.go is excluded by !**/*.pb.go
  • vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/eval.pb.go is excluded by !**/*.pb.go
  • vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/explain.pb.go is excluded by !**/*.pb.go
  • vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/syntax.pb.go is excluded by !**/*.pb.go
  • vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/value.pb.go is excluded by !**/*.pb.go
📒 Files selected for processing (119)
  • .mk/local.mk
  • api/flowcollector/v1beta2/flowcollector_types.go
  • api/flowcollector/v1beta2/flowcollector_validation_webhook.go
  • bundle/manifests/flows.netobserv.io_flowcollectors.yaml
  • config/crd/bases/flows.netobserv.io_flowcollectors.yaml
  • docs/FlowCollector.md
  • go.mod
  • helm/crds/flows.netobserv.io_flowcollectors.yaml
  • internal/controller/ebpf/agent_controller_test.go
  • internal/controller/flp/flp_common_objects.go
  • internal/pkg/helper/flowcollector.go
  • vendor/github.com/fsnotify/fsnotify/.cirrus.yml
  • vendor/github.com/fsnotify/fsnotify/CHANGELOG.md
  • vendor/github.com/fsnotify/fsnotify/CONTRIBUTING.md
  • vendor/github.com/fsnotify/fsnotify/README.md
  • vendor/github.com/fsnotify/fsnotify/backend_fen.go
  • vendor/github.com/fsnotify/fsnotify/backend_inotify.go
  • vendor/github.com/fsnotify/fsnotify/backend_kqueue.go
  • vendor/github.com/fsnotify/fsnotify/backend_windows.go
  • vendor/github.com/fsnotify/fsnotify/fsnotify.go
  • vendor/github.com/fsnotify/fsnotify/internal/darwin.go
  • vendor/github.com/fsnotify/fsnotify/internal/debug_darwin.go
  • vendor/github.com/fsnotify/fsnotify/internal/debug_dragonfly.go
  • vendor/github.com/fsnotify/fsnotify/internal/debug_freebsd.go
  • vendor/github.com/fsnotify/fsnotify/internal/debug_kqueue.go
  • vendor/github.com/fsnotify/fsnotify/internal/debug_netbsd.go
  • vendor/github.com/fsnotify/fsnotify/internal/debug_openbsd.go
  • vendor/github.com/fsnotify/fsnotify/internal/freebsd.go
  • vendor/github.com/fsnotify/fsnotify/internal/unix.go
  • vendor/github.com/fsnotify/fsnotify/internal/unix2.go
  • vendor/github.com/fsnotify/fsnotify/internal/windows.go
  • vendor/github.com/grpc-ecosystem/grpc-gateway/v2/runtime/mux.go
  • vendor/github.com/netobserv/flowlogs-pipeline/pkg/api/encode_s3.go
  • vendor/github.com/netobserv/flowlogs-pipeline/pkg/api/redacted.go
  • vendor/github.com/netobserv/flowlogs-pipeline/pkg/config/config.go
  • vendor/github.com/netobserv/netobserv-ebpf-agent/pkg/config/config.go
  • vendor/github.com/netobserv/netobserv-ebpf-agent/pkg/maps/maps.go
  • vendor/go.opentelemetry.io/otel/.golangci.yml
  • vendor/go.opentelemetry.io/otel/AGENTS.md
  • vendor/go.opentelemetry.io/otel/CHANGELOG.md
  • vendor/go.opentelemetry.io/otel/CLAUDE.md
  • vendor/go.opentelemetry.io/otel/CONTRIBUTING.md
  • vendor/go.opentelemetry.io/otel/Makefile
  • vendor/go.opentelemetry.io/otel/attribute/encoder.go
  • vendor/go.opentelemetry.io/otel/attribute/hash.go
  • vendor/go.opentelemetry.io/otel/attribute/key.go
  • vendor/go.opentelemetry.io/otel/attribute/kv.go
  • vendor/go.opentelemetry.io/otel/attribute/set.go
  • vendor/go.opentelemetry.io/otel/attribute/type_string.go
  • vendor/go.opentelemetry.io/otel/attribute/value.go
  • vendor/go.opentelemetry.io/otel/baggage/baggage.go
  • vendor/go.opentelemetry.io/otel/dependencies.Dockerfile
  • vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform/attribute.go
  • vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/client.go
  • vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/observ/instrumentation.go
  • vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig/options.go
  • vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/version.go
  • vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/options.go
  • vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/version.go
  • vendor/go.opentelemetry.io/otel/metric/asyncfloat64.go
  • vendor/go.opentelemetry.io/otel/metric/asyncint64.go
  • vendor/go.opentelemetry.io/otel/metric/config.go
  • vendor/go.opentelemetry.io/otel/metric/doc.go
  • vendor/go.opentelemetry.io/otel/metric/instrument.go
  • vendor/go.opentelemetry.io/otel/metric/syncfloat64.go
  • vendor/go.opentelemetry.io/otel/metric/syncint64.go
  • vendor/go.opentelemetry.io/otel/propagation/baggage.go
  • vendor/go.opentelemetry.io/otel/sdk/resource/builtin.go
  • vendor/go.opentelemetry.io/otel/sdk/resource/container.go
  • vendor/go.opentelemetry.io/otel/sdk/resource/env.go
  • vendor/go.opentelemetry.io/otel/sdk/resource/host_id.go
  • vendor/go.opentelemetry.io/otel/sdk/resource/host_id_exec.go
  • vendor/go.opentelemetry.io/otel/sdk/resource/os.go
  • vendor/go.opentelemetry.io/otel/sdk/resource/os_unix.go
  • vendor/go.opentelemetry.io/otel/sdk/resource/os_windows.go
  • vendor/go.opentelemetry.io/otel/sdk/resource/process.go
  • vendor/go.opentelemetry.io/otel/sdk/trace/batch_span_processor.go
  • vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/batch_span_processor.go
  • vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/simple_span_processor.go
  • vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/tracer.go
  • vendor/go.opentelemetry.io/otel/sdk/trace/provider.go
  • vendor/go.opentelemetry.io/otel/sdk/trace/sampling.go
  • vendor/go.opentelemetry.io/otel/sdk/trace/span.go
  • vendor/go.opentelemetry.io/otel/sdk/trace/span_limits.go
  • vendor/go.opentelemetry.io/otel/sdk/version.go
  • vendor/go.opentelemetry.io/otel/semconv/v1.37.0/attribute_group.go
  • vendor/go.opentelemetry.io/otel/semconv/v1.39.0/attribute_group.go
  • vendor/go.opentelemetry.io/otel/semconv/v1.39.0/httpconv/metric.go
  • vendor/go.opentelemetry.io/otel/semconv/v1.40.0/README.md
  • vendor/go.opentelemetry.io/otel/semconv/v1.41.0/MIGRATION.md
  • vendor/go.opentelemetry.io/otel/semconv/v1.41.0/README.md
  • vendor/go.opentelemetry.io/otel/semconv/v1.41.0/attribute_group.go
  • vendor/go.opentelemetry.io/otel/semconv/v1.41.0/doc.go
  • vendor/go.opentelemetry.io/otel/semconv/v1.41.0/error_type.go
  • vendor/go.opentelemetry.io/otel/semconv/v1.41.0/exception.go
  • vendor/go.opentelemetry.io/otel/semconv/v1.41.0/otelconv/metric.go
  • vendor/go.opentelemetry.io/otel/semconv/v1.41.0/schema.go
  • vendor/go.opentelemetry.io/otel/trace/auto.go
  • vendor/go.opentelemetry.io/otel/trace/config.go
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/span.go
  • vendor/go.opentelemetry.io/otel/version.go
  • vendor/go.opentelemetry.io/otel/versions.yaml
  • vendor/golang.org/x/sys/unix/ztypes_linux.go
  • vendor/golang.org/x/sys/unix/ztypes_linux_386.go
  • vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go
  • vendor/golang.org/x/sys/unix/ztypes_linux_arm.go
  • vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go
  • vendor/golang.org/x/sys/unix/ztypes_linux_loong64.go
  • vendor/golang.org/x/sys/unix/ztypes_linux_mips.go
  • vendor/golang.org/x/sys/unix/ztypes_linux_mips64.go
  • vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.go
  • vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.go
  • vendor/golang.org/x/sys/unix/ztypes_linux_ppc.go
  • vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go
  • vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go
  • vendor/golang.org/x/sys/unix/ztypes_linux_riscv64.go
  • vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go
  • vendor/golang.org/x/sys/unix/ztypes_linux_sparc64.go
  • vendor/modules.txt
💤 Files with no reviewable changes (10)
  • vendor/github.com/fsnotify/fsnotify/.cirrus.yml
  • vendor/go.opentelemetry.io/otel/semconv/v1.40.0/README.md
  • vendor/github.com/fsnotify/fsnotify/internal/debug_dragonfly.go
  • vendor/github.com/fsnotify/fsnotify/internal/debug_darwin.go
  • vendor/github.com/fsnotify/fsnotify/internal/debug_openbsd.go
  • vendor/github.com/fsnotify/fsnotify/internal/windows.go
  • vendor/github.com/fsnotify/fsnotify/internal/debug_netbsd.go
  • vendor/github.com/fsnotify/fsnotify/internal/freebsd.go
  • vendor/github.com/fsnotify/fsnotify/internal/darwin.go
  • vendor/github.com/fsnotify/fsnotify/internal/unix.go

Comment thread .mk/local.mk
VERSION_FOR_HELM := $(word 2,$(subst :, ,${IMAGE}))
.PHONY: helm-install
helm-install: prereqs-helm ## Install the operator and its pre-requisites to a running cluster, using Helm
cd helm && helm dependency update --skip-refresh ; cd ..


🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Failed helm dependency update is silently swallowed.

cd helm && helm dependency update --skip-refresh ; cd .. — the trailing ; cd .. always exits 0, masking a non-zero exit from helm dependency update. Make sees a successful step and proceeds to install with potentially stale/missing chart dependencies.

🛠️ Proposed fix
-	cd helm && helm dependency update --skip-refresh ; cd ..
+	cd helm && helm dependency update --skip-refresh && cd ..
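Review bot: the trailing `cd ..` in the suggested line is redundant rather than harmful, because Make runs each recipe line in its own shell and the working directory does not carry over to the next line. `cd helm && helm dependency update --skip-refresh` alone, or `helm dependency update --skip-refresh helm` since the command accepts a chart path, propagates the failure just as well and leaves nothing for a later reader to misinterpret as a needed restore step.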
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.mk/local.mk at line 10, The helm dependency update step in the local.mk
target is swallowing failures because the trailing cd .. makes the overall shell
command succeed even when helm dependency update fails. Update this recipe so
the dependency update command in the helm context is the only result that
determines success, and ensure the Make target stops on a non-zero exit from
helm dependency update instead of proceeding to later steps.

Comment on lines +96 to +98
if strings.HasPrefix(env, ":") || strings.HasPrefix(env, "0.0.0.0:") {
v.warnings = append(v.warnings, "Profiling is enabled for all network interfaces, make sure access is restricted e.g. with a network policy.")
}


🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Broad-bind check misses the IPv6 wildcard [::]:.

PPROF_ADDR=[::]:6060 binds all interfaces but slips past the prefix checks, so the "all network interfaces" warning is never emitted for the IPv6 wildcard case.

🛡️ Proposed fix
-			if strings.HasPrefix(env, ":") || strings.HasPrefix(env, "0.0.0.0:") {
+			if strings.HasPrefix(env, ":") || strings.HasPrefix(env, "0.0.0.0:") || strings.HasPrefix(env, "[::]:") {
 				v.warnings = append(v.warnings, "Profiling is enabled for all network interfaces, make sure access is restricted e.g. with a network policy.")
 			}
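Review bot: even with the `[::]:` prefix added, string matching still misses other spellings of the unspecified address (`[::0]:6060`, `[0:0:0:0:0:0:0:0]:6060`), and a malformed value produces no warning at all. Parsing the value closes both gaps: `host, _, err := net.SplitHostPort(env)`, then `ip := net.ParseIP(host)` and warn when `host == "" || (ip != nil && ip.IsUnspecified())`, treating `err != nil` as its own warning since the agent will not be able to bind that address either.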
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/flowcollector/v1beta2/flowcollector_validation_webhook.go` around lines
96 - 98, The broad-bind warning in flowcollector validation currently only
checks for ":" and "0.0.0.0:" prefixes, so it misses the IPv6 wildcard bind
case. Update the warning logic in the validation webhook’s environment address
check to also detect the "[::]:" wildcard pattern alongside the existing checks,
so the profiling warning is emitted whenever PPROF_ADDR binds all interfaces.

Comment on lines +123 to +128
if advancedConfig.HealthPort != nil && *advancedConfig.HealthPort > 0 {
ports = append(ports, corev1.ContainerPort{
Name: healthPortName,
ContainerPort: *advancedConfig.HealthPort,
})
}


🩺 Stability & Availability | 🟠 Major | 🏗️ Heavy lift

Probes can reference a missing named port when HealthPort is 0.

The health ContainerPort (healthPortName) is only appended when HealthPort > 0, but the liveness/startup probes at Lines 178-200 always resolve intstr.FromString(healthPortName). If a user sets HealthPort to 0 (now possible after the helper relaxation) with EnableKubeProbes=true, the named port won't exist and probes will fail, restarting the container. Gate the probes on the same condition or enforce it in the webhook.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/controller/flp/flp_common_objects.go` around lines 123 - 128, The
health probe setup in flp_common_objects.go can still reference healthPortName
even when HealthPort is 0, which leaves liveness/startup probes pointing at a
missing named port. Update the probe wiring in the same flow that builds ports
in the container spec so EnableKubeProbes only configures probes when HealthPort
is present and greater than 0, or enforce that constraint in the webhook; make
sure the logic around healthPortName, advancedConfig.HealthPort, and the probe
constructors stays consistent.

Comment on lines +156 to 161
if specConfig.HealthPort != nil {
cfg.HealthPort = specConfig.HealthPort
}
if specConfig.ProfilePort != nil && *specConfig.ProfilePort > 0 {
if specConfig.ProfilePort != nil {
cfg.ProfilePort = specConfig.ProfilePort
}
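Review bot: removing the `*specConfig.ProfilePort > 0` guard (and leaving HealthPort without one two lines above) changes what an explicit `0` in the FlowCollector means: it now overwrites the default in cfg and disables the endpoint, while flp_common_objects.go still only adds the health container port when `*advancedConfig.HealthPort > 0`. If `0` is intended to mean "disabled", document that on the CRD field and use one shared `p != nil && *p > 0` test in both places; otherwise keep the guard here so that a zero falls back to the default as `Port` does.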


🩺 Stability & Availability | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for webhook validation guarding HealthPort against 0
rg -nP -C3 '(HealthPort|healthPort)' api/flowcollector/v1beta2/flowcollector_validation_webhook.go

Repository: netobserv/netobserv-operator

Length of output: 166


Explicit 0 for HealthPort or ProfilePort disables endpoints, causing probe failures.

Unlike Port, the code in internal/controller/flp/flp_common_objects.go lacks a > 0 guard:

Verify in `internal/controller/flp/flp_common_objects.go`
if specConfig.Port != nil && *specConfig.Port > 0 {
    cfg.Port = specConfig.Port
}
if specConfig.HealthPort != nil {
    cfg.HealthPort = specConfig.HealthPort
}
if specConfig.ProfilePort != nil {
    cfg.ProfilePort = specConfig.ProfilePort
}

No webhook validation rejects 0. A user can explicitly disable these ports while EnableKubeProbes is active, breaking health checks.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/pkg/helper/flowcollector.go` around lines 156 - 161, The flow
collector port assignment currently accepts explicit 0 values for HealthPort and
ProfilePort, which can disable the endpoints and break probes. Update the port
handling in flowcollector logic to match the guarded pattern used for Port in
flp_common_objects.go by only copying specConfig.HealthPort and
specConfig.ProfilePort into cfg when the pointers are non-nil and the values are
greater than 0. Keep the fix localized around the existing cfg.HealthPort and
cfg.ProfilePort assignments in the flow collector helper.

Comment on lines +1021 to +1034
if e.inst.Enabled(ctx) {
e.inst.recordSpanExportStarted(ctx, len(spans))
}

err := e.doExport(ctx, spans)

if err != nil {
e.inst.recordSpanExportFailed(ctx, len(spans), err)
} else {
e.inst.recordSpanExportSucceeded(ctx, len(spans))
if e.inst.Enabled(ctx) {
if err != nil {
e.inst.recordSpanExportFailed(ctx, len(spans), err)
} else {
e.inst.recordSpanExportSucceeded(ctx, len(spans))
}
}


🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Guard e.inst before calling Enabled.

newInstrumentation() can return nil, so this example will panic when observability is off. Cache the enabled check once and keep the nil guard from the earlier snippet.

Suggested fix
 func (e *Exporter) ExportSpans(ctx context.Context, spans []trace.ReadOnlySpan) error {
-    if e.inst.Enabled(ctx) {
+    enabled := e.inst != nil && e.inst.Enabled(ctx)
+    if enabled {
         e.inst.recordSpanExportStarted(ctx, len(spans))
     }

     err := e.doExport(ctx, spans)

-    if e.inst.Enabled(ctx) {
+    if enabled {
         if err != nil {
             e.inst.recordSpanExportFailed(ctx, len(spans), err)
         } else {
             e.inst.recordSpanExportSucceeded(ctx, len(spans))
         }
     }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendor/go.opentelemetry.io/otel/CONTRIBUTING.md` around lines 1021 - 1034,
The span export example calls e.inst.Enabled(ctx) without first confirming
e.inst is non-nil, which can panic when instrumentation is disabled. Update the
snippet around e.doExport and the
recordSpanExportStarted/recordSpanExportFailed/recordSpanExportSucceeded calls
to keep the earlier nil guard on e.inst and cache the enabled check once before
using it.

openshift-ci (Bot) commented Jun 25, 2026

@jotak: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: ci/prow/e2e-operator
Commit: a000bce
Required: false
Rerun command: /test e2e-operator

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@jotak jotak merged commit fe03b4b into netobserv:main Jun 25, 2026
7 of 9 checks passed