Security fixes, Azure annotation guard, and version command

- Bump Go from 1.25.0 to 1.25.8 (fixes 8 stdlib CVEs in crypto/tls,
  crypto/x509, net/url, html/template, os)
- Bump go.opentelemetry.io/otel/sdk from v1.36.0 to v1.40.0
  (fixes CVE-2026-24051 HIGH: arbitrary code execution via PATH hijacking)
- Fix directory permissions: 0666/os.ModePerm -> 0750 in deploy/deploy.go
  and topo/node/node.go
- Harden Dockerfiles: pin base images, add non-root USER, use
  --no-install-recommends, multi-stage distroless build for wire/forward
  and webhook
- Only apply Azure LB annotations on AKS clusters (was unconditional,
  causing unnecessary 10-min polling on non-Azure setups)
- Add 'kne version' subcommand with git commit/tag injected via ldflags
- Update CI: Go 1.25, migrate golangci-lint config to v2 format

Made-with: Cursor

Author: msupinodn

.github/linters/.golangci.yml

@@ -1,52 +1,76 @@
 ---
-#########################
-#########################
-## Golang Linter rules ##
-#########################
-#########################
+version: "2"
 
-# configure golangci-lint
-# see https://github.com/golangci/golangci-lint/blob/master/.golangci.example.yml
 run:
   timeout: 10m
-issues:
-  exclude-rules:
-    - path: _test\.go
-      linters:
-        - dupl
-        - gosec
-        - goconst
-    - linters:
-      - revive
-      text: "var-naming: don't use leading k"
-    - linters:
-      - staticcheck
-      text: "SA1019:"
+
 linters:
-  disable-all: true
+  default: none
   enable:
     - gosec
     - unconvert
-    - goimports
-    - gofmt
     - gocritic
     - govet
     - revive
     - staticcheck
-    - unconvert
     - unparam
     - unused
     - wastedassign
     - whitespace
-linters-settings:
-  errcheck:
-    # report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`;
-    # default is false: such cases aren't reported by default.
-    check-blank: true
-  gocritic:
-    disabled-checks:
-      - singleCaseSwitch
-      - appendAssign
-  revive:
-    ignore-generated-header: true
-    severity: warning
+  settings:
+    errcheck:
+      check-blank: true
+    gocritic:
+      disabled-checks:
+        - singleCaseSwitch
+        - appendAssign
+    revive:
+      rules:
+        - name: blank-imports
+          disabled: true
+        - name: context-as-argument
+          disabled: true
+        - name: error-strings
+          disabled: true
+        - name: exported
+          disabled: true
+        - name: package-comments
+          disabled: true
+        - name: redefines-builtin-id
+          disabled: true
+        - name: unexported-return
+          disabled: true
+        - name: unused-parameter
+          disabled: true
+        - name: var-declaration
+          disabled: true
+    staticcheck:
+      checks:
+        - "all"
+        - "-QF*"
+        - "-ST1005"
+        - "-ST1003"
+        - "-S1030"
+  exclusions:
+    rules:
+      - path: _test\.go
+        linters:
+          - dupl
+          - gosec
+          - goconst
+      - linters:
+          - revive
+        text: "var-naming: don't use leading k"
+      - linters:
+          - staticcheck
+        text: "SA1019:"
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+
+formatters:
+  enable:
+    - goimports
+    - gofmt

.github/workflows/go.yml

@@ -15,7 +15,7 @@ jobs:
       tests-excludes-regex: /cloudbuild
       race-tests-excludes-regex: /cloudbuild
       skip-race-tests: true
-      go-versions: "['1.21']"
+      go-versions: "['1.25']"
 
   linter:
     uses: openconfig/common-ci/.github/workflows/linter.yml@v0.2.0

Makefile

@@ -29,10 +29,14 @@ up: kind-start
 ## Destroy test environment
 down: kind-stop
 
+LDFLAGS := -s -w \
+	-X github.com/openconfig/kne/version.Version=$(TAG) \
+	-X github.com/openconfig/kne/version.Commit=$(COMMIT)
+
 .PHONY: build
 ## Build kne
 build:
-	CGO_ENABLED=0 go build -o $(KNE_CLI_BIN) -ldflags="-s -w" kne_cli/main.go
+	CGO_ENABLED=0 go build -o $(KNE_CLI_BIN) -ldflags="$(LDFLAGS)" kne_cli/main.go
 
 .PHONY: install
 ## Install kne cli binary to user's local bin dir

cmd/root.go

@@ -23,6 +23,7 @@ import (
 	"github.com/openconfig/kne/cmd/deploy"
 	"github.com/openconfig/kne/cmd/topology"
 	"github.com/openconfig/kne/topo"
+	"github.com/openconfig/kne/version"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"k8s.io/client-go/util/homedir"
@@ -64,9 +65,20 @@ environment.`,
 	root.AddCommand(topology.New())
 	root.AddCommand(deploy.NewDeploy())
 	root.AddCommand(deploy.NewTeardown())
+	root.AddCommand(newVersionCmd())
 	return root
 }
 
+func newVersionCmd() *cobra.Command {
+	return &cobra.Command{
+		Use:   "version",
+		Short: "Print the version",
+		Run: func(cmd *cobra.Command, _ []string) {
+			fmt.Fprintln(cmd.OutOrStdout(), version.String())
+		},
+	}
+}
+
 func defaultCfgFile() string {
 	if home := homedir.HomeDir(); home != "" {
 		return filepath.Join(home, ".config", "kne", "config.yaml")

deploy/deploy.go

@@ -633,7 +633,7 @@ func (k *KindSpec) checkDependencies() error {
 
 func (k *KindSpec) create() error {
 	// Create a KNE dir under /tmp intended to hold files to be mounted into the kind cluster.
-	if err := os.MkdirAll("/tmp/kne", os.ModePerm); err != nil {
+	if err := os.MkdirAll("/tmp/kne", 0750); err != nil {
 		return err
 	}
 	if k.Recycle {

deploy/gobgp/Dockerfile

@@ -1,5 +1,14 @@
-FROM hfam/ubuntu:latest
+FROM ubuntu:24.04
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+  curl \
+  ca-certificates \
+  && rm -rf /var/lib/apt/lists/*
 
 RUN curl -LO "https://github.com/osrg/gobgp/releases/download/v2.31.0/gobgp_2.31.0_linux_amd64.tar.gz" \
-&& tar -xzf gobgp_2.31.0_linux_amd64.tar.gz && chmod +x gobgpd  && chmod +x gobgp \
-&& mv gobgpd /usr/local/bin/gobgpd && mv gobgp /usr/local/bin/gobgp
+&& tar -xzf gobgp_2.31.0_linux_amd64.tar.gz && chmod +x gobgpd && chmod +x gobgp \
+&& mv gobgpd /usr/local/bin/gobgpd && mv gobgp /usr/local/bin/gobgp \
+&& rm -f gobgp_2.31.0_linux_amd64.tar.gz
+
+RUN groupadd -r kne && useradd -r -g kne -s /sbin/nologin kne
+USER kne

deploy/ubuntu/Dockerfile

@@ -1,15 +1,19 @@
-FROM ubuntu:latest
+FROM ubuntu:24.04
 
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get install -y --no-install-recommends \
   curl \
   wget \
   iproute2 \
   iputils-ping \
   tcpdump \
   telnet \
   traceroute \
+  ca-certificates \
   && rm -rf /var/lib/apt/lists/*
 
 RUN curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \
 && chmod +x kubectl \
 && mv kubectl /usr/local/bin/kubectl
+
+RUN groupadd -r kne && useradd -r -g kne -s /sbin/nologin kne
+USER kne