Build with go 1.24

.github/workflows/ci.yml

@@ -15,11 +15,9 @@ on:
     - prep-v[1-9].*
 
 env:
-  BUILDTIME_BASE: "golang:1.23.6-alpine3.21"
-  # Do not bump past Alpine 3.18 until upstream netfilter problems in iptables v1.8.10 are resolved. See:
-  # https://github.com/cloudnativelabs/kube-router/issues/1676
+  BUILDTIME_BASE: "golang:1.24.1-alpine3.21"
   RUNTIME_BASE: "alpine:3.21"
-  GO_VERSION: "~1.23.6"
+  GO_VERSION: "~1.24.1"
   GO_CACHE: "/home/runner/.cache/go-build"
   GO_MOD_CACHE: "/home/runner/go/pkg/mod"
 

.golangci.yml

@@ -1,5 +1,10 @@
-run:
-  timeout: 5m
+version: "2"
+output:
+  formats:
+    tab:
+      path: stdout
+      print-linter-name: true
+      colors: false
 linters:
   enable:
     - bodyclose
@@ -11,66 +16,77 @@ linters:
     - gochecknoinits
     - goconst
     - gocritic
-    - gofmt
-    - goimports
     - gosec
-    - govet
     - lll
     - misspell
     - mnd
     - nakedret
     - noctx
     - nolintlint
-    - stylecheck
+    - staticcheck
     - unconvert
     - unparam
-linters-settings:
-  goconst:
-    # Exclude few word constants
-    min-len: 20
-    # Don't use goconst to check test files
-    ignore-tests: true
+  settings:
+    goconst:
+      min-len: 20
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - linters:
+          - mnd
+        # Excluding single digits from magic number detector because it produces too many obvious results (like klog)  
+        text: 'Magic number: [0-9]{1},'
+      - linters:
+          - mnd
+        # Exclude file masks from magic number detector because these numbers are obvious
+        text: 'Magic number: 0[0-7]{3},'
+      - linters:
+          - mnd
+        path: pkg/controllers/proxy/network_services_controller.go
+        # Exclude IP masks netmasks as substituting them for constants only makes these less obvious
+        text: 'Magic number: 255,'
+      - linters:
+          - mnd
+        # Exclude IP netmasks from magic number detector because these numbers are obvious
+        text: 'Magic number: 32,'
+      - linters:
+          - mnd
+        # Exclude decimal bases from magic number detector because these numbers are obvious
+        text: 'Magic number: 10,'
+      - linters:
+          - gosec
+        # Exclude file mask security findings as we are always intentional about the file masks we use
+        text: 'G306:'
+      - linters:
+          - lll
+        # Exclude tests from long line linter
+        path: _test\.go
+      - linters:
+          - dupl
+        # Exclude tests from duplicate linter
+        path: _test\.go
+      - linters:
+          - goconst
+        path: (.+)_test\.go
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
 issues:
-  exclude-rules:
-    # Excluding single digits from magic number detector because it produces too many obvious results (like klog)
-    - text: "Magic number: [0-9]{1},"
-      linters:
-        - mnd
-    # Exclude file masks from magic number detector because these numbers are obvious
-    - text: "Magic number: 0[0-7]{3},"
-      linters:
-        - mnd
-    # Exlude IP masks netmasks as substituting them for constants only makes these less obvious
-    - text: "Magic number: 255,"
-      linters:
-        - mnd
-      path: pkg/controllers/proxy/network_services_controller.go
-    # Exclude IP netmasks from magic number detector because these numbers are obvious
-    - text: "Magic number: 32,"
-      linters:
-        - mnd
-    # Exclude decimal bases from magic number detector because these numbers are obvious
-    - text: "Magic number: 10,"
-      linters:
-        - mnd
-    # Exclude file mask security findings as we are always intentional about the file masks we use
-    - text: "G306:"
-      linters:
-        - gosec
-    # Exclude tests from long line linter
-    - linters:
-        - lll
-      path: _test\.go
-    # Exclude tests from duplicate linter
-    - linters:
-        - dupl
-      path: _test\.go
-  # always show all issues rather than only showing 50 at a time
   max-issues-per-linter: 0
-  # always show all issues of a type rather than showing 3
   max-same-issues: 0
-output:
-  formats:
-    - format: tab
-  print-issued-lines: true
-  print-linter-name: true
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$

Makefile

@@ -17,16 +17,14 @@ DOCKER=$(if $(or $(IN_DOCKER_GROUP),$(IS_ROOT),$(OSX)),docker,sudo docker)
 MAKEFILE_DIR=$(dir $(realpath $(firstword $(MAKEFILE_LIST))))
 UPSTREAM_IMPORT_PATH=$(GOPATH)/src/github.com/cloudnativelabs/kube-router/
 BUILD_IN_DOCKER?=true
-DOCKER_BUILD_IMAGE?=golang:1.23.6-alpine3.21
+DOCKER_BUILD_IMAGE?=golang:1.24.1-alpine3.21
 ## These variables are used by the Dockerfile as the bases for building and creating the runtime container
 ## During CI these come from .github/workflows/ci.yaml below we define for local builds as well
 GO_CACHE?=$(shell go env GOCACHE)
 GO_MOD_CACHE?=$(shell go env GOMODCACHE)
 BUILDTIME_BASE?=$(DOCKER_BUILD_IMAGE)
-# Do not bump past Alpine 3.18 until upstream netfilter problems in iptables v1.8.10 are resolved. See:
-# https://github.com/cloudnativelabs/kube-router/issues/1676
 RUNTIME_BASE?=alpine:3.21
-DOCKER_LINT_IMAGE?=golangci/golangci-lint:v1.63.4
+DOCKER_LINT_IMAGE?=golangci/golangci-lint:v2.0.2
 DOCKER_MARKDOWNLINT_IMAGE?=tmknom/markdownlint:0.39.0
 GOBGP_VERSION=v3.29.0
 QEMU_IMAGE?=multiarch/qemu-user-static

go.mod

@@ -127,6 +127,6 @@ require (
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
 
-go 1.23.0
+go 1.24.0
 
-toolchain go1.23.6
+toolchain go1.24.1

pkg/cmd/kube-router.go

@@ -80,7 +80,7 @@ func (kr *KubeRouter) Run() error {
 	var ipsetMutex sync.Mutex
 	var wg sync.WaitGroup
 
-	if !(kr.Config.RunFirewall || kr.Config.RunServiceProxy || kr.Config.RunRouter) {
+	if !kr.Config.RunFirewall && !kr.Config.RunServiceProxy && !kr.Config.RunRouter {
 		klog.Info("Router, Firewall or Service proxy functionality must be specified. Exiting!")
 		os.Exit(0)
 	}

pkg/controllers/netpol/network_policy_controller.go

@@ -877,7 +877,7 @@ func NewNetworkPolicyController(clientset kubernetes.Interface,
 				netutils.IsIPv4CIDR(&npc.serviceClusterIPRanges[1])
 			ipv6Provided := netutils.IsIPv6CIDR(&npc.serviceClusterIPRanges[0]) ||
 				netutils.IsIPv6CIDR(&npc.serviceClusterIPRanges[1])
-			if !(ipv4Provided && ipv6Provided) {
+			if !ipv4Provided || !ipv6Provided {
 				return nil, fmt.Errorf("failed to get parse --service-cluster-ip-range parameter: " +
 					"dual-stack is enabled, both IPv4 and IPv6 addresses should be provided")
 			}

pkg/controllers/netpol/pod.go

@@ -329,9 +329,9 @@ func (npc *NetworkPolicyController) getLocalPods(localPods map[string]podInfo, n
 		localPods[pod.Status.PodIP] = podInfo{
 			ip:        pod.Status.PodIP,
 			ips:       pod.Status.PodIPs,
-			name:      pod.ObjectMeta.Name,
-			namespace: pod.ObjectMeta.Namespace,
-			labels:    pod.ObjectMeta.Labels}
+			name:      pod.Name,
+			namespace: pod.Namespace,
+			labels:    pod.Labels}
 	}
 }
 

pkg/controllers/netpol/policy.go

@@ -550,9 +550,9 @@ func (npc *NetworkPolicyController) buildNetworkPoliciesInfo() ([]networkPolicyI
 					continue
 				}
 				newPolicy.targetPods[matchingPod.Status.PodIP] = podInfo{ips: matchingPod.Status.PodIPs,
-					name:      matchingPod.ObjectMeta.Name,
-					namespace: matchingPod.ObjectMeta.Namespace,
-					labels:    matchingPod.ObjectMeta.Labels}
+					name:      matchingPod.Name,
+					namespace: matchingPod.Namespace,
+					labels:    matchingPod.Labels}
 				npc.grabNamedPortFromPod(matchingPod, &namedPort2IngressEps)
 			}
 		}
@@ -587,9 +587,9 @@ func (npc *NetworkPolicyController) buildNetworkPoliciesInfo() ([]networkPolicyI
 							}
 							ingressRule.srcPods = append(ingressRule.srcPods,
 								podInfo{ips: peerPod.Status.PodIPs,
-									name:      peerPod.ObjectMeta.Name,
-									namespace: peerPod.ObjectMeta.Namespace,
-									labels:    peerPod.ObjectMeta.Labels})
+									name:      peerPod.Name,
+									namespace: peerPod.Namespace,
+									labels:    peerPod.Labels})
 						}
 					}
 					peerIPBlock := npc.evalIPBlockPeer(peer)
@@ -661,9 +661,9 @@ func (npc *NetworkPolicyController) buildNetworkPoliciesInfo() ([]networkPolicyI
 							}
 							egressRule.dstPods = append(egressRule.dstPods,
 								podInfo{ips: peerPod.Status.PodIPs,
-									name:      peerPod.ObjectMeta.Name,
-									namespace: peerPod.ObjectMeta.Namespace,
-									labels:    peerPod.ObjectMeta.Labels})
+									name:      peerPod.Name,
+									namespace: peerPod.Namespace,
+									labels:    peerPod.Labels})
 							npc.grabNamedPortFromPod(peerPod, &namedPort2EgressEps)
 						}
 

pkg/controllers/netpol/utils_test.go

@@ -56,7 +56,7 @@ func Test_isPodUpdateNetPolRelevant(t *testing.T) {
 	})
 	t.Run("Pod Label change should be detected as NetworkPolicy relevant", func(t *testing.T) {
 		newPod := fakePod.DeepCopy()
-		newPod.ObjectMeta.Labels = map[string]string{"bar": "foo"}
+		newPod.Labels = map[string]string{"bar": "foo"}
 		assert.True(t, isPodUpdateNetPolRelevant(&fakePod, newPod))
 	})
 	t.Run("Pod Host IP change should be detected as NetworkPolicy relevant", func(t *testing.T) {
@@ -71,7 +71,7 @@ func Test_isPodUpdateNetPolRelevant(t *testing.T) {
 	})
 	t.Run("Pod Name change should NOT be detected as NetworkPolicy relevant", func(t *testing.T) {
 		newPod := fakePod.DeepCopy()
-		newPod.ObjectMeta.Name = "otherpod"
+		newPod.Name = "otherpod"
 		assert.False(t, isPodUpdateNetPolRelevant(&fakePod, newPod))
 	})
 }

pkg/controllers/proxy/linux_networking.go

@@ -157,7 +157,7 @@ func (ln *linuxNetworking) ipAddrAdd(iface netlink.Link, ip string, nodeIP strin
 	naddr := &netlink.Addr{IPNet: &net.IPNet{IP: parsedIP, Mask: netMask}, Scope: syscall.RT_SCOPE_LINK}
 	err := netlink.AddrAdd(iface, naddr)
 	if err != nil && err.Error() != IfaceHasAddr {
-		klog.Errorf("failed to assign cluster ip %s to dummy interface: %s", naddr.IPNet.IP.String(), err.Error())
+		klog.Errorf("failed to assign cluster ip %s to dummy interface: %s", naddr.IP.String(), err.Error())
 		return err
 	}
 
@@ -522,8 +522,8 @@ func (ln *linuxNetworking) setupRoutesForExternalIPForDSR(serviceInfoMap service
 				err)
 		}
 
-		if !(strings.Contains(string(out), externalIPRouteTableName) ||
-			strings.Contains(string(out), externalIPRouteTableID)) {
+		if !strings.Contains(string(out), externalIPRouteTableName) &&
+			!strings.Contains(string(out), externalIPRouteTableID) {
 			err = runIPCommandsWithArgs(ipArgs, "rule", "add", "prio", "32765", "from", "all", "lookup",
 				externalIPRouteTableID).Run()
 			if err != nil {

pkg/controllers/proxy/network_services_controller.go

@@ -941,36 +941,36 @@ func (nsc *NetworkServicesController) buildServicesInfo() serviceInfoMap {
 				targetPort:          port.TargetPort.String(),
 				protocol:            strings.ToLower(string(port.Protocol)),
 				nodePort:            int(port.NodePort),
-				name:                svc.ObjectMeta.Name,
-				namespace:           svc.ObjectMeta.Namespace,
+				name:                svc.Name,
+				namespace:           svc.Namespace,
 				externalIPs:         make([]string, len(svc.Spec.ExternalIPs)),
 				intTrafficPolicy:    &intClusterPolicyDefault,
 				extTrafficPolicy:    &extClusterPolicyDefault,
 				healthCheckNodePort: int(svc.Spec.HealthCheckNodePort),
 			}
-			dsrMethod, ok := svc.ObjectMeta.Annotations[svcDSRAnnotation]
+			dsrMethod, ok := svc.Annotations[svcDSRAnnotation]
 			if ok {
 				svcInfo.directServerReturn = true
 				svcInfo.directServerReturnMethod = dsrMethod
 			}
 			svcInfo.scheduler = ipvs.RoundRobin
-			schedulingMethod, ok := svc.ObjectMeta.Annotations[svcSchedulerAnnotation]
+			schedulingMethod, ok := svc.Annotations[svcSchedulerAnnotation]
 			if ok {
-				switch {
-				case schedulingMethod == ipvs.RoundRobin:
+				switch schedulingMethod {
+				case ipvs.RoundRobin:
 					svcInfo.scheduler = ipvs.RoundRobin
-				case schedulingMethod == ipvs.LeastConnection:
+				case ipvs.LeastConnection:
 					svcInfo.scheduler = ipvs.LeastConnection
-				case schedulingMethod == ipvs.DestinationHashing:
+				case ipvs.DestinationHashing:
 					svcInfo.scheduler = ipvs.DestinationHashing
-				case schedulingMethod == ipvs.SourceHashing:
+				case ipvs.SourceHashing:
 					svcInfo.scheduler = ipvs.SourceHashing
-				case schedulingMethod == IpvsMaglevHashing:
+				case IpvsMaglevHashing:
 					svcInfo.scheduler = IpvsMaglevHashing
 				}
 			}
 
-			flags, ok := svc.ObjectMeta.Annotations[svcSchedFlagsAnnotation]
+			flags, ok := svc.Annotations[svcSchedFlagsAnnotation]
 			if ok && svcInfo.scheduler == IpvsMaglevHashing {
 				svcInfo.flags = parseSchedFlags(flags)
 			}
@@ -990,17 +990,17 @@ func (nsc *NetworkServicesController) buildServicesInfo() serviceInfoMap {
 				// https://github.com/kubernetes/kubernetes/blob/master/pkg/apis/core/v1/defaults.go#L106
 				svcInfo.sessionAffinityTimeoutSeconds = *svc.Spec.SessionAffinityConfig.ClientIP.TimeoutSeconds
 			}
-			_, svcInfo.hairpin = svc.ObjectMeta.Annotations[svcHairpinAnnotation]
-			_, svcInfo.hairpinExternalIPs = svc.ObjectMeta.Annotations[svcHairpinExternalIPsAnnotation]
-			_, svcInfo.skipLbIps = svc.ObjectMeta.Annotations[svcSkipLbIpsAnnotation]
+			_, svcInfo.hairpin = svc.Annotations[svcHairpinAnnotation]
+			_, svcInfo.hairpinExternalIPs = svc.Annotations[svcHairpinExternalIPsAnnotation]
+			_, svcInfo.skipLbIps = svc.Annotations[svcSkipLbIpsAnnotation]
 			svcInfo.intTrafficPolicy = svc.Spec.InternalTrafficPolicy
 			svcInfo.extTrafficPolicy = &svc.Spec.ExternalTrafficPolicy
 
 			// The kube-router.io/service.local annotation has the ability to override the internal and external traffic
 			// policy that is set in the spec. Previously, when this was active set both to local when the annotation is
 			// true so that previous functionality of the annotation is best preserved. However, this has proved to not
 			// be a good fit for ClusterIP traffic, so we retain cluster for internal traffic policy.
-			if svc.ObjectMeta.Annotations[svcLocalAnnotation] == "true" {
+			if svc.Annotations[svcLocalAnnotation] == "true" {
 				intTrafficPolicyLocal := v1.ServiceInternalTrafficPolicyCluster
 				extTrafficPolicyLocal := v1.ServiceExternalTrafficPolicyLocal
 				svcInfo.intTrafficPolicy = &intTrafficPolicyLocal

pkg/controllers/proxy/nodeport_healthcheck.go

@@ -153,7 +153,7 @@ func (npHandler *nphcHandler) Handler(w http.ResponseWriter, r *http.Request) {
 
 	if endpointsOnNode && numActiveEndpoints > 0 {
 		w.WriteHeader(http.StatusOK)
-		_, err := w.Write([]byte(fmt.Sprintf("%d Service Endpoints found\n", numActiveEndpoints)))
+		_, err := fmt.Fprintf(w, "%d Service Endpoints found\n", numActiveEndpoints)
 		if err != nil {
 			klog.Errorf("failed to write body: %s", err)
 		}