
CORENET-7134: Add ovn-kubernetes toolset skeleton#315

Open
mattedallo wants to merge 4 commits into
openshift:mainfrom
mattedallo:corenet-7134-ovnk-toolset

Conversation

@mattedallo

@mattedallo mattedallo commented May 19, 2026


Summary

Registers a new ovn-kubernetes toolset as scaffolding for OVN-Kubernetes networking diagnostics integration (enhancements#2002).

  • Adds pkg/toolsets/ovnkubernetes/toolset.go — empty toolset implementing api.Toolset, registered via init()
  • Adds blank import in pkg/mcp/modules.go
  • Adds ovn-kubernetes to the TestGranularToolsetsTools snapshot test with an empty [] snapshot

The toolset ships with zero tools — sibling stories CORENET-7135 (OVS tools) and CORENET-7136 (OVN tools) will add tool handlers on top of this framework.

Verification

  • make build — binary compiles with the new toolset
  • make test — all tests pass (including the new snapshot test)
  • make lint — no lint violations

What is NOT in this PR

  • No tool implementations (deferred to CORENET-7135/7136/7137/7138)
  • No ovn-kubernetes-mcp Go dependency (arrives with tool implementations)
  • No execution adapter / pod-exec changes (depends on CORENET-7133)
  • No README/docs update (zero tools means empty generated sections)

Summary by CodeRabbit

Release Notes

  • New Features

    • Added an OVN-Kubernetes troubleshooting toolset with MCP tools for ovn_show, ovn_get, ovn_lflow_list, and ovn_trace, including Kubernetes-backed execution.
  • Tests

    • Expanded automated tests to cover the OVN-Kubernetes toolset end-to-end, including container/tool routing, stderr-to-error behavior, and required-parameter validation.
  • Evaluation

    • Added new OVN-Kubernetes evaluation tasks and updated evaluation configs to exercise ovn_get, ovn_lflow_list, ovn_show, and ovn_trace scenarios.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 19, 2026
@openshift-ci-robot

openshift-ci-robot commented May 19, 2026


@mattedallo: This pull request references CORENET-7134 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented May 19, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: bb7fa714-5bd1-47aa-acc9-29c90788bd1b

📥 Commits

Reviewing files that changed from the base of the PR and between 61cd5d3 and 69aece9.

📒 Files selected for processing (19)
  • evals/claude-code/eval.yaml
  • evals/gemini-agent/eval.yaml
  • evals/openai-agent/eval.yaml
  • evals/tasks/ovn-kubernetes/ovn-get/ovn-get-list-logical-routers.yaml
  • evals/tasks/ovn-kubernetes/ovn-get/ovn-get-pattern-with-columns.yaml
  • evals/tasks/ovn-kubernetes/ovn-get/ovn-get-southbound-chassis.yaml
  • evals/tasks/ovn-kubernetes/ovn-get/ovn-get-specific-router.yaml
  • evals/tasks/ovn-kubernetes/ovn-get/ovn-get-switch-with-columns.yaml
  • evals/tasks/ovn-kubernetes/ovn-get/setup.sh
  • evals/tasks/ovn-kubernetes/ovn-lflow-list/ovn-lflow-list-datapath-with-pattern.yaml
  • evals/tasks/ovn-kubernetes/ovn-lflow-list/ovn-lflow-list-for-datapath.yaml
  • evals/tasks/ovn-kubernetes/ovn-lflow-list/setup.sh
  • evals/tasks/ovn-kubernetes/ovn-show/ovn-show-northbound.yaml
  • evals/tasks/ovn-kubernetes/ovn-show/ovn-show-southbound.yaml
  • evals/tasks/ovn-kubernetes/ovn-show/setup.sh
  • evals/tasks/ovn-kubernetes/ovn-trace/ovn-trace-detailed.yaml
  • evals/tasks/ovn-kubernetes/ovn-trace/ovn-trace-summary.yaml
  • evals/tasks/ovn-kubernetes/ovn-trace/ovn-trace-with-pattern.yaml
  • evals/tasks/ovn-kubernetes/ovn-trace/setup.sh
✅ Files skipped from review due to trivial changes (2)
  • evals/tasks/ovn-kubernetes/ovn-get/ovn-get-switch-with-columns.yaml
  • evals/gemini-agent/eval.yaml
🚧 Files skipped from review as they are similar to previous changes (15)
  • evals/tasks/ovn-kubernetes/ovn-show/setup.sh
  • evals/tasks/ovn-kubernetes/ovn-get/ovn-get-southbound-chassis.yaml
  • evals/tasks/ovn-kubernetes/ovn-get/ovn-get-specific-router.yaml
  • evals/tasks/ovn-kubernetes/ovn-lflow-list/setup.sh
  • evals/tasks/ovn-kubernetes/ovn-lflow-list/ovn-lflow-list-datapath-with-pattern.yaml
  • evals/openai-agent/eval.yaml
  • evals/tasks/ovn-kubernetes/ovn-get/ovn-get-pattern-with-columns.yaml
  • evals/tasks/ovn-kubernetes/ovn-get/ovn-get-list-logical-routers.yaml
  • evals/tasks/ovn-kubernetes/ovn-get/setup.sh
  • evals/claude-code/eval.yaml
  • evals/tasks/ovn-kubernetes/ovn-show/ovn-show-southbound.yaml
  • evals/tasks/ovn-kubernetes/ovn-trace/ovn-trace-with-pattern.yaml
  • evals/tasks/ovn-kubernetes/ovn-trace/ovn-trace-detailed.yaml
  • evals/tasks/ovn-kubernetes/ovn-trace/ovn-trace-summary.yaml
  • evals/tasks/ovn-kubernetes/ovn-show/ovn-show-northbound.yaml

📝 Walkthrough

Walkthrough

This PR adds the OVN-Kubernetes MCP toolset, registers it for loading, expands MCP test coverage, and adds OVN-Kubernetes eval tasks and setup scripts.

Changes

OVN-Kubernetes Toolset and Integration

Layer / File(s): Summary

  • Toolset registration and exports (go.mod, pkg/mcp/modules.go, pkg/toolsets/ovnkubernetes/toolset.go): Adds the OVN-Kubernetes dependency, loads the toolset on import, and registers the new ovnkubernetes toolset.
  • OVN tool handlers (pkg/toolsets/ovnkubernetes/ovn.go): Defines the four OVN tools (ovn_show, ovn_get, ovn_lflow_list, ovn_trace) and their OVN pod execution helpers.
  • MCP toolset tests (pkg/mcp/toolsets_test.go, pkg/mcp/ovn_kubernetes_test.go, pkg/mcp/testdata/toolsets-ovn-kubernetes-tools.json): Adds OVN-Kubernetes snapshot coverage and mock-server tests for routing, stderr handling, missing parameters, and successful output.
  • OVN-Kubernetes eval tasks (evals/**/ovn-kubernetes/*, evals/*/eval.yaml): Adds OVN-Kubernetes eval task sets, task definitions, and setup scripts for ovn_get, ovn_lflow_list, ovn_show, and ovn_trace flows.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested reviewers

  • matzew
  • Cali0707
  • Kaustubh-pande

Poem

🐇 I hop through OVN with a twitchy nose,
Four new tools bloom where the network flows.
Snapshots, tests, and tasks line up in a row,
Hop-hop—now the rabbit knows where packets go!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage (⚠️ Warning): Docstring coverage is 18.18%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Description Check (✅ Passed): Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check (✅ Passed): The title clearly names the new ovn-kubernetes toolset and matches the overall theme of the changes.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.


@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 19, 2026
@openshift-ci

openshift-ci Bot commented May 19, 2026


Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci

openshift-ci Bot commented May 19, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mattedallo
Once this PR has been reviewed and has the lgtm label, please assign cali0707 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mattedallo

Author

/test all

@mattedallo

Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented May 20, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@mattedallo mattedallo marked this pull request as ready for review May 20, 2026 09:29
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 20, 2026
@openshift-ci openshift-ci Bot requested review from Cali0707 and Kaustubh-pande May 20, 2026 09:32
@@ -0,0 +1,38 @@
package ovnkubernetes

Member


seems pretty empty

why not land this with actual tools (e.g. as go module)?

Author


Hi @matzew, thanks for reviewing!

Yep, we have follow-up PRs coming for the tools.
But if you prefer, I may add some of them into this PR directly.

Member


yes - I'd think we do not land empty toolsets here



+1 let's at least try to land the first tool in this PR. If you want to then incrementally add some more tools in future PRs that is cool

Author


Thanks @matzew and @Cali0707 for the feedback.
I will update the PR to include the first tools.

@mattedallo mattedallo Jun 9, 2026

Author


Hi @matzew and @Cali0707, while adding the tools I am considering this approach:

The upstream exports tool definitions using gosdk.Tool from the go-sdk (a type both repos already depend on), paired with a type-erased execution function. Here we just iterate and convert (from gosdk.Tool to api.Tool), with no manual schema duplication. When upstream adds a new tool, downstream would get the tool automatically with a version bump.

The benefit is that we don't duplicate the schema definition and we get the new tools automatically with a version bump.
Is this something desired, or do you see problems with this approach?

@matzew

matzew commented May 27, 2026

Member

@mattedallo also, if this new toolset is directly mapping to "upstream" ovn-k8s, I think the right address for PRs like that might be the actual upstream repo. Here, on OCP downstream, we might want to have mostly OCP specifics.

That said, see recent discussion on #122 that for some CRUD tools, it might be also just fine to provide evals and see if those are passing already w/ our core toolset

@mattedallo mattedallo marked this pull request as draft June 5, 2026 11:29
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 5, 2026
@arkadeepsen

Member

@mattedallo also, if this new toolset is directly mapping to "upstream" ovn-k8s, I think the right address for PRs like that might be the actual upstream repo. Here, on OCP downstream, we might want to have mostly OCP specifics.

That said, see recent discussion on #122 that for some CRUD tools, it might be also just fine to provide evals and see if those are passing already w/ our core toolset

Hey @matzew, one of the reasons not to add these tools to upstream is because some of the ovnk tools need the node-debug functionality and as per some existing conversations it seems that adding that tool upstream is not in current plans. Additionally, upstream k8s-mcp-server might want to be CNI agnostic whereas for openshift-mcp-server these tools will be very useful as most customers use ovnk as the CNI. We already have a separate upstream repo for ovnk mcp server (https://github.com/ovn-kubernetes/ovn-kubernetes-mcp) and thus adding these tools in k8s-mcp-server will mean that 2 separate upstream projects have the same tools, which probably is not ideal.

I have created an EP (openshift/enhancements#2002) where we can have further discussions on this topic. PTAL.
cc @tssurya

@mattedallo mattedallo force-pushed the corenet-7134-ovnk-toolset branch from 1124f8a to 39da71e Compare June 8, 2026 11:55
@mattedallo mattedallo force-pushed the corenet-7134-ovnk-toolset branch from 39da71e to b430132 Compare June 16, 2026 15:21
@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 16, 2026
mattedallo and others added 3 commits June 24, 2026 22:10
Register an empty ovn-kubernetes toolset so sibling stories (CORENET-7135/7136)
can land OVN/OVS tool handlers on top of this framework.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Matteo Dallaglio <mdallagl@redhat.com>
Import the ovn-kubernetes-mcp library which provides OVN network
analysis tools (show, get, lflow-list, trace) as an MCP server.

Signed-off-by: Matteo Dallaglio <mdallagl@redhat.com>
Add 4 OVN troubleshooting tools to the ovn-kubernetes toolset:
ovn_show, ovn_get, ovn_lflow_list, ovn_trace.

Each tool is defined explicitly with its own InputSchema, handler,
and annotations. Handlers are thin wrappers that call upstream
ovn-kubernetes-mcp methods directly.

Signed-off-by: Matteo Dallaglio <mdallagl@redhat.com>
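The commit messages above describe the handlers as thin wrappers over pod exec, and the test summary names three behaviours worth getting right in such a wrapper: container/tool routing, required-parameter validation, and stderr-to-error mapping. The Go sketch below is an added example written for this page, not code from this PR or from ovn-kubernetes-mcp. The Executor interface, the ToolSpec type, the container name "ovnkube-controller", and the canned command output in fakeExecutor are all assumptions constructed here; only the ovn-nbctl/ovn-sbctl command lines are standard OVN CLI.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// Executor runs argv inside one container of an OVN pod (hypothetical interface;
// the PR's real pod-exec adapter is not shown on this page).
type Executor interface {
	Exec(ctx context.Context, container string, argv []string) (stdout, stderr string, err error)
}

// ToolSpec (hypothetical, not api.Tool) names the target container, the
// mandatory parameters, and how argv is built from the tool arguments.
type ToolSpec struct {
	Name      string
	Container string
	Required  []string
	Build     func(args map[string]string) []string
}

var ErrMissingParam = errors.New("missing required parameter")

// Only the two OVN databases the eval tasks exercise are accepted.
var allowedDB = map[string]bool{"nb": true, "sb": true}

// Call validates arguments, runs the command, and reports any stderr as an error.
func (t ToolSpec) Call(ctx context.Context, ex Executor, args map[string]string) (string, error) {
	for _, p := range t.Required {
		if strings.TrimSpace(args[p]) == "" {
			return "", fmt.Errorf("tool %s: %w: %q", t.Name, ErrMissingParam, p)
		}
	}
	if db, ok := args["database"]; ok && !allowedDB[db] {
		return "", fmt.Errorf("tool %s: database must be nb or sb, got %q", t.Name, db)
	}
	// argv stays a slice; nothing is joined into a shell string, so a datapath or
	// pattern value can never become an extra shell word.
	stdout, stderr, err := ex.Exec(ctx, t.Container, t.Build(args))
	if err != nil {
		return "", fmt.Errorf("tool %s: exec failed: %w", t.Name, err)
	}
	if s := strings.TrimSpace(stderr); s != "" {
		return "", fmt.Errorf("tool %s: %s", t.Name, s)
	}
	return FilterLines(stdout, args["pattern"]), nil
}

// FilterLines keeps the lines containing pattern; filtering here in Go means the
// pattern is never handed to grep inside the pod.
func FilterLines(out, pattern string) string {
	if pattern == "" {
		return out
	}
	var kept []string
	for _, l := range strings.Split(out, "\n") {
		if strings.Contains(l, pattern) {
			kept = append(kept, l)
		}
	}
	return strings.Join(kept, "\n")
}

// NewOVNTools defines two of the four tools named in the PR. The container name
// is an assumption; "ovn-nbctl show" and "ovn-sbctl lflow-list DATAPATH" are standard OVN CLI.
func NewOVNTools() map[string]ToolSpec {
	return map[string]ToolSpec{
		"ovn_show": {Name: "ovn_show", Container: "ovnkube-controller", Required: []string{"database"},
			Build: func(a map[string]string) []string {
				if a["database"] == "sb" {
					return []string{"ovn-sbctl", "show"}
				}
				return []string{"ovn-nbctl", "show"}
			}},
		"ovn_lflow_list": {Name: "ovn_lflow_list", Container: "ovnkube-controller", Required: []string{"datapath"},
			Build: func(a map[string]string) []string {
				return []string{"ovn-sbctl", "lflow-list", a["datapath"]}
			}},
	}
}

// fakeExecutor is a constructed stand-in returning canned output keyed by argv,
// so the example runs without a cluster.
type fakeExecutor struct{ responses map[string][2]string }

func (f *fakeExecutor) Exec(_ context.Context, _ string, argv []string) (string, string, error) {
	r := f.responses[strings.Join(argv, " ")]
	return r[0], r[1], nil
}

func main() {
	fx := &fakeExecutor{responses: map[string][2]string{"ovn-nbctl show": {"switch join\n", ""}}}
	out, err := NewOVNTools()["ovn_show"].Call(context.Background(), fx, map[string]string{"database": "nb"})
	fmt.Printf("out=%q err=%v\n", out, err)
}
```

Two choices matter for a tool that executes inside a privileged networking pod: the argument list is handed to the executor as a slice rather than a shell string, and the output filter is applied in the wrapper rather than by piping through grep in the container, so user-controlled values never gain shell meaning. Treating any stderr as failure is the conservative reading of the "stderr-to-error behavior" the tests describe; a real implementation may need to tolerate harmless warnings on stderr, which would be an explicit allow-list rather than a blanket pass.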
@arghosh93 arghosh93 force-pushed the corenet-7134-ovnk-toolset branch from a5b89b1 to 61cd5d3 Compare June 24, 2026 18:48
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 24, 2026
@mattedallo mattedallo marked this pull request as ready for review June 24, 2026 19:13
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 24, 2026
@openshift-ci openshift-ci Bot requested a review from matzew June 24, 2026 19:14

@coderabbitai coderabbitai Bot left a comment



Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@evals/tasks/ovn-kubernetes/ovn-get/ovn-get-switch-with-columns.yaml`:
- Line 23: The judge reasoning text contains a typo in the Logical_Switch output
description; update the wording in the evaluation YAML so “speceific” is
corrected to “specific” in the reasoning string used by
ovn-get-switch-with-columns, keeping the eval text clear and unambiguous.

In
`@evals/tasks/ovn-kubernetes/ovn-lflow-list/ovn-lflow-list-datapath-with-pattern.yaml`:
- Line 25: Fix the typo in the expected-output text for the ovn-lflow-list
datapath pattern by updating the string containing “Comprisd” to the correct
spelling “Comprised”; locate the affected expected text in the YAML entry and
adjust only that literal so the validation matches the intended output.

In `@evals/tasks/ovn-kubernetes/ovn-lflow-list/setup.sh`:
- Around line 4-7: The setup check in the pod lookup currently relies on
grepping human-readable kubectl output, which is brittle. Update the
ovnkube-node readiness check in setup.sh to use kubectl’s machine-readable
filtering with a field selector for Running pods and output names directly, then
keep the existing failure path if no pod names are returned. Use the existing
pod query block as the place to switch from grep-based matching to direct status
filtering.

In `@evals/tasks/ovn-kubernetes/ovn-trace/ovn-trace-detailed.yaml`:
- Line 48: The ovn-trace-detailed.yaml task uses mutable container image tags,
which can make evals drift and fail nondeterministically. Replace the `image`
values in the affected task entries with pinned references using a fixed tag or
digest instead of `:latest`, and update both occurrences noted in the comment so
the task always pulls the same container version.

In `@evals/tasks/ovn-kubernetes/ovn-trace/ovn-trace-with-pattern.yaml`:
- Line 85: The prompt in the ovn-trace task has conflicting filter instructions,
so make the wording consistent across the affected steps. Update the task
description and the later pattern assignment in the ovn-trace-with-pattern YAML
so both reference the same output filter, using the unique prompt text and
pattern field together to avoid ambiguity in the expected behavior.

In `@go.mod`:
- Line 74: Upgrade the containerd dependency to remove the affected version:
update the github.com/containerd/containerd entry in go.mod to v1.7.33 or newer,
then refresh the vendored dependencies so the lockstep module set matches the
new version. Make sure any references in the module graph that resolve through
containerd are also updated consistently.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 593624a7-cd41-44bc-91da-1c4860509d7b

📥 Commits

Reviewing files that changed from the base of the PR and between 1124f8a and 61cd5d3.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (25)
  • evals/claude-code/eval.yaml
  • evals/gemini-agent/eval.yaml
  • evals/openai-agent/eval.yaml
  • evals/tasks/ovn-kubernetes/ovn-get/ovn-get-list-logical-routers.yaml
  • evals/tasks/ovn-kubernetes/ovn-get/ovn-get-pattern-with-columns.yaml
  • evals/tasks/ovn-kubernetes/ovn-get/ovn-get-southbound-chassis.yaml
  • evals/tasks/ovn-kubernetes/ovn-get/ovn-get-specific-router.yaml
  • evals/tasks/ovn-kubernetes/ovn-get/ovn-get-switch-with-columns.yaml
  • evals/tasks/ovn-kubernetes/ovn-get/setup.sh
  • evals/tasks/ovn-kubernetes/ovn-lflow-list/ovn-lflow-list-datapath-with-pattern.yaml
  • evals/tasks/ovn-kubernetes/ovn-lflow-list/ovn-lflow-list-for-datapath.yaml
  • evals/tasks/ovn-kubernetes/ovn-lflow-list/setup.sh
  • evals/tasks/ovn-kubernetes/ovn-show/ovn-show-northbound.yaml
  • evals/tasks/ovn-kubernetes/ovn-show/ovn-show-southbound.yaml
  • evals/tasks/ovn-kubernetes/ovn-show/setup.sh
  • evals/tasks/ovn-kubernetes/ovn-trace/ovn-trace-detailed.yaml
  • evals/tasks/ovn-kubernetes/ovn-trace/ovn-trace-summary.yaml
  • evals/tasks/ovn-kubernetes/ovn-trace/ovn-trace-with-pattern.yaml
  • go.mod
  • pkg/mcp/modules.go
  • pkg/mcp/ovn_kubernetes_test.go
  • pkg/mcp/testdata/toolsets-ovn-kubernetes-tools.json
  • pkg/mcp/toolsets_test.go
  • pkg/toolsets/ovnkubernetes/ovn.go
  • pkg/toolsets/ovnkubernetes/toolset.go
💤 Files with no reviewable changes (2)
  • pkg/toolsets/ovnkubernetes/toolset.go
  • pkg/toolsets/ovnkubernetes/ovn.go
✅ Files skipped from review due to trivial changes (4)
  • evals/tasks/ovn-kubernetes/ovn-get/ovn-get-pattern-with-columns.yaml
  • evals/claude-code/eval.yaml
  • evals/tasks/ovn-kubernetes/ovn-get/ovn-get-specific-router.yaml
  • evals/tasks/ovn-kubernetes/ovn-get/ovn-get-southbound-chassis.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • pkg/mcp/modules.go
  • pkg/mcp/toolsets_test.go

@coderabbitai coderabbitai Bot left a comment



Caution

Inline review comments failed to post. This is likely due to GitHub's internal server error or limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.

🛑 Comments failed to post (6)
evals/tasks/ovn-kubernetes/ovn-get/ovn-get-switch-with-columns.yaml (1)

23-23: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Fix typo in judge reasoning text.

Line 23 has “speceific”; use “specific” to keep eval text clean and unambiguous.

Suggested patch
-        reasoning: "Output should show Logical_Switch entries with name and ports columns including join, transit, and node speceific switches"
+        reasoning: "Output should show Logical_Switch entries with name and ports columns including join, transit, and node specific switches"
evals/tasks/ovn-kubernetes/ovn-lflow-list/ovn-lflow-list-datapath-with-pattern.yaml (1)

25-25: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Correct typo in expected-output text.

Line 25 has “Comprisd”; replace with “Comprised”.

Suggested patch
-        contains: "Comprisd of routing information from ovn_cluster_router to upstream or downstream switches"
+        contains: "Comprised of routing information from ovn_cluster_router to upstream or downstream switches"
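Review bot: beyond the spelling fix, a `contains:` assertion on a whole sentence is a fragile expectation, since an agent's answer will rarely reproduce that exact phrasing; if the intent is to check that the response explains the datapath's routing role, assert on a short stable token (for example `ovn_cluster_router`) or use a judge `reasoning` criterion as the ovn-get-switch-with-columns task does on its line 23.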
evals/tasks/ovn-kubernetes/ovn-lflow-list/setup.sh (1)

4-7: 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Use machine-readable pod status filtering for setup checks.

Grepping table output is fragile. Query running pods directly (--field-selector + -o name) to avoid format-dependent false negatives.

Suggested diff
-kubectl get pods -n openshift-ovn-kubernetes -l app=ovnkube-node | grep Running || {
+kubectl get pods -n openshift-ovn-kubernetes -l app=ovnkube-node \
+  --field-selector=status.phase=Running -o name | grep -q . || {
   echo "ERROR: No running ovnkube-node pods found"
   exit 1
 }
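Review bot: `--field-selector=status.phase=Running` selects on phase, not readiness, so a pod whose ovnkube-node container is crash-looping still passes this check; if the evals need a working node, gate on the Ready condition instead, e.g. `kubectl wait -n openshift-ovn-kubernetes -l app=ovnkube-node --for=condition=Ready pod --timeout=120s`. Also, because `grep -q .` hides kubectl's own exit status, a failed kubectl call (wrong context, RBAC denial) is reported as "No running ovnkube-node pods found", which misleads; add `set -o pipefail` at the top of setup.sh or capture kubectl's output in a variable so its own error surfaces.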
evals/tasks/ovn-kubernetes/ovn-trace/ovn-trace-detailed.yaml (1)

48-48: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Pin container images instead of using :latest.

Mutable tags make eval behavior drift over time and can cause nondeterministic failures. Use a fixed tag or digest.

Also applies to: 62-62

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@evals/tasks/ovn-kubernetes/ovn-trace/ovn-trace-detailed.yaml` at line 48, The
ovn-trace-detailed.yaml task uses mutable container image tags, which can make
evals drift and fail nondeterministically. Replace the `image` values in the
affected task entries with pinned references using a fixed tag or digest instead
of `:latest`, and update both occurrences noted in the comment so the task
always pulls the same container version.
evals/tasks/ovn-kubernetes/ovn-trace/ovn-trace-with-pattern.yaml (1)

85-85: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Fix contradictory filtering instructions in the prompt.

The task says to filter for lines containing "output" but later instructs pattern="acl". Keep these consistent so the expected behavior is unambiguous.

Suggested fix
-      Trace a TCP packet from source-pod to dest-pod in namespace ovn-trace-test and filter output to show only lines containing "output".
+      Trace a TCP packet from source-pod to dest-pod in namespace ovn-trace-test and filter output to show only lines containing "acl".
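Review bot: swapping "output" for "acl" in the prompt makes it agree with the pattern="acl" noted at line 95, but the task's expected-output check must be keyed to the same filter; if it still asserts on lines containing "output", the prompt and the assertion disagree again. Decide which filter the expected output actually validates and change the prompt, the pattern and the assertion in one edit.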

Also applies to: 95-95

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@evals/tasks/ovn-kubernetes/ovn-trace/ovn-trace-with-pattern.yaml` at line 85,
The prompt in the ovn-trace task has conflicting filter instructions, so make
the wording consistent across the affected steps. Update the task description
and the later pattern assignment in the ovn-trace-with-pattern YAML so both
reference the same output filter, using the unique prompt text and pattern field
together to avoid ambiguity in the expected behavior.
go.mod (1)

74-74: 🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

sed -n '60,90p' go.mod

Repository: openshift/openshift-mcp-server

Length of output: 1834


🌐 Web query:

containerd v1.7.32 advisories fixed release CRI logger path DoS host-root command execution

💡 Result:

Containerd v1.7.32 was released on May 20, 2026, primarily to address a security vulnerability regarding user ID handling [1][2]. Regarding the specific concerns mentioned in your query: 1. User ID Handling Bypass (Fixed in v1.7.32): CVE-2026-46680 affects containerd versions >= 1.7.27 and < 1.7.32 [2][3]. It involves an issue where a numeric User directive in a container configuration that cannot be parsed as a 32-bit integer is incorrectly treated as a username. If a malicious image provides an /etc/passwd file mapping this value to UID 0 (root), it can bypass Kubernetes runAsNonRoot restrictions and allow the container to run as root [2][4]. This was fixed in v1.7.32 [2][3]. 2. Host-Root Command Execution & Denial of Service (DoS): Recent advisories have identified vulnerabilities affecting versions up to v1.7.32 (inclusive), which were subsequently fixed in v1.7.33: - Host-Root Command Execution (CVE-2026-53488): The CRI plugin incorrectly propagates LABEL instructions from image configs without validation. This can lead to arbitrary command execution on the host when using certain binary loggers [5][6]. - Runtime Denial of Service (CVE-2026-47262): A maliciously crafted image can cause memory exhaustion, leading to an Out Of Memory (OOM) kill of the containerd process, rendering the runtime API unavailable [7]. 3. Arbitrary Log File Read: CVE-2026-53489 involves a path traversal/symlink vulnerability in the CRI plugin when restoring container.log from a checkpoint, which could allow unauthorized reading of arbitrary host files [8][9]. This is also fixed in v1.7.33 [8][10]. In summary, while v1.7.32 fixed the runAsNonRoot bypass (CVE-2026-46680), it remains vulnerable to the host-root command execution, runtime DoS, and arbitrary log file read vulnerabilities mentioned, which require updating to v1.7.33 or later [5][7][8][2].


🏁 Script executed:

rg -n "github\.com/containerd/containerd|containerd/" -S .

Repository: openshift/openshift-mcp-server

Length of output: 16658



Upgrade github.com/containerd/containerd to v1.7.33 or later. v1.7.32 is still affected by CRI logger path command-execution, DoS, and arbitrary log-file-read advisories; update the vendored modules as well.

🧰 Tools
🪛 OSV Scanner (2.4.0)

[HIGH] 74-74: github.com/containerd/containerd 1.7.32: containerd image-triggered runtime DoS via unbounded group parsing

(GHSA-jpcc-p29g-p8mq)


[HIGH] 74-74: github.com/containerd/containerd 1.7.32: containerd CRI — image-config LABEL flows to restart-monitor binary:// logger: host-root command execution from an image pull

(GHSA-xhf5-7wjv-pqxp)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 74, Upgrade the containerd dependency to remove the affected
version: update the github.com/containerd/containerd entry in go.mod to v1.7.33
or newer, then refresh the vendored dependencies so the lockstep module set
matches the new version. Make sure any references in the module graph that
resolve through containerd are also updated consistently.

Source: Linters/SAST tools
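As an added example (not code from this PR or from the openshift-mcp-server project), here is the kind of dependency-floor check one might run in CI to enforce what the go.mod finding asks for: it parses a constructed go.mod fragment, compares the containerd version against an assumed v1.7.33 floor, and returns anything below it. The sample go.mod contents, the floor map and the function names are assumptions for illustration; the only fact taken from the page is that v1.7.32 is flagged and v1.7.33 is the recommended minimum.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod fragment for this example, not the
// PR's real go.mod; the containerd line mirrors the version OSV Scanner flagged.
const sampleGoMod = `module example.com/openshift-mcp-server

go 1.23

require (
	github.com/containerd/containerd v1.7.32 // indirect
	github.com/spf13/cobra v1.8.1
)
`

// VersionFloors maps a module path to the lowest version treated as fixed.
// The v1.7.33 floor follows the review finding; it is an assumption here,
// not policy taken from the project.
var VersionFloors = map[string]string{
	"github.com/containerd/containerd": "v1.7.33",
}

// parseRequires collects module path -> version from single-line requires
// and require ( ... ) blocks, dropping trailing comments such as "// indirect".
func parseRequires(gomod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(line)
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require ") && len(f) == 3:
			out[f[1]] = f[2]
		case inBlock && len(f) == 2:
			out[f[0]] = f[1]
		}
	}
	return out
}

// splitVersion turns "v1.7.33-rc1+meta" into [1 7 33] and "rc1".
func splitVersion(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	pre := ""
	if i := strings.Index(v, "-"); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	var nums [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		nums[i], _ = strconv.Atoi(p)
	}
	return nums, pre
}

// compareSemver returns -1, 0 or 1; a pre-release sorts below its release.
func compareSemver(a, b string) int {
	na, pa := splitVersion(a)
	nb, pb := splitVersion(b)
	for i := 0; i < 3; i++ {
		if na[i] < nb[i] {
			return -1
		}
		if na[i] > nb[i] {
			return 1
		}
	}
	switch {
	case pa == "" && pb != "":
		return 1
	case pa != "" && pb == "":
		return -1
	}
	return strings.Compare(pa, pb)
}

// BelowFloor returns module path -> required version for every require
// that is older than its configured floor.
func BelowFloor(gomod string, floors map[string]string) map[string]string {
	found := map[string]string{}
	for path, ver := range parseRequires(gomod) {
		if floor, ok := floors[path]; ok && compareSemver(ver, floor) < 0 {
			found[path] = ver
		}
	}
	return found
}

func main() {
	for path, ver := range BelowFloor(sampleGoMod, VersionFloors) {
		fmt.Printf("%s %s is below the fixed version %s\n", path, ver, VersionFloors[path])
	}
}
```

The check reads go.mod directly rather than the vendor tree, so after bumping the require line you still need `go mod vendor` (as the finding says) for the vendored copy to match; a complementary check can diff `vendor/modules.txt` against go.mod to catch that drift.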

@arghosh93


@matzew @Cali0707, can anyone please review this PR?

Add comprehensive evaluation tasks for the OVN-Kubernetes toolset
covering four main tool categories:

- ovn_get: List and query OVN database objects (routers, switches,
  chassis) with column selection and pattern filtering
- ovn_lflow_list: List logical flows for specific datapaths with
  pattern matching
- ovn_show: Display Northbound and Southbound database configurations
- ovn_trace: Trace packets through OVN logical network with detailed,
  summary, and pattern-filtered output modes

Update all three eval configurations (claude-code, gemini-agent,
openai-agent) to include the new ovn-kubernetes task set.

Signed-off-by: Arnab Ghosh <arnabghosh89@gmail.com>
@arghosh93 force-pushed the corenet-7134-ovnk-toolset branch from 61cd5d3 to 69aece9 on June 25, 2026 09:58
@openshift-ci

openshift-ci Bot commented Jun 25, 2026


@mattedallo: all tests passed!


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.


6 participants