rancher · ericpromislow · Sep 18, 2025 · Aug 14, 2025 · Sep 17, 2025 · Sep 17, 2025
@@ -1,17 +1,45 @@
 {
+	"version": "2",
+	"formatters": {
+		"enable": [
+			"goimports",
+			"gofmt"
+		],
+		"exclusions": {
+			"paths": [
+				"pkg/generated/objects/auditlog.cattle.io/v1/objects.go",
+				"pkg/generated/objects/catalog.cattle.io/v1/objects.go",
+				"pkg/generated/objects/core/v1/objects.go",
+				"pkg/generated/objects/management.cattle.io/v3/objects.go",
+				"pkg/generated/objects/provisioning.cattle.io/v1/objects.go",
+				"pkg/generated/objects/rbac.authorization.k8s.io/v1/objects.go"
+			]
+		}
+	},
 	"linters": {
 		"disable-all": true,
 		"enable": [
 			"govet",
-			"revive",
-			"goimports",
 			"misspell",
-			"ineffassign",
-			"gofmt"
+			"ineffassign"
+		],
+		"disable": [
+			"revive"
 		]
 	},
-	"run": {
-		"deadline": "5m"
+	"linters-settings": {
+		"revive": {
+				"rules": [
+					{
+			"name" : "exported",
+			"disabled": true
+			}
+				]
+			},
+			"comment": [
+				"This next block doesn't suppress the comment-requirement for exported names",
+				"so disable revive until it does."
+				]
 	},
 	"issues": {
 		"exclude-rules": [
@@ -24,4 +52,4 @@
 			"pkg/generated"
 		]
 	}
-}
+}
@@ -11,7 +11,7 @@ RUN zypper -n install git docker vim less file curl wget awk
 RUN curl -sL https://get.helm.sh/helm-${HELM_VERSION}-linux-${ARCH}.tar.gz | tar xvzf - -C /usr/local/bin --strip-components=1
 
 RUN if [ "${ARCH}" = "amd64" ]; then \
-        curl -sSfL https://github.com/___raw___/golangci/golangci-lint/master/install.sh | sh -s v1.64.8; \
+        curl -sSfL https://github.com/___raw___/golangci/golangci-lint/master/install.sh | sh -s v2.4.0; \
         helm plugin install https://github.com/helm-unittest/helm-unittest.git --version ${HELM_UNITTEST_VERSION}>/out.txt 2>&1; \
     fi
 

@@ -14,22 +14,20 @@ type GlobalRoleResolver struct {
 	globalRoles          controllerv3.GlobalRoleCache
 }
 
-const ownerRT = "cluster-owner"
-
-// NewRoleTemplateResolver creates a newly allocated RoleTemplateResolver from the provided caches
+// NewGlobalRoleResolver creates a newly allocated RoleTemplateResolver from the provided caches
 func NewGlobalRoleResolver(roleTemplateResolver *RoleTemplateResolver, grCache controllerv3.GlobalRoleCache) *GlobalRoleResolver {
 	return &GlobalRoleResolver{
 		roleTemplateResolver: roleTemplateResolver,
 		globalRoles:          grCache,
 	}
 }
 
-// GlobalRoleCache allows caller to retrieve the globalRoleCache used by the resolver.
+// GlobalRoleCache allows the caller to retrieve the globalRoleCache used by the resolver.
 func (g *GlobalRoleResolver) GlobalRoleCache() controllerv3.GlobalRoleCache {
 	return g.globalRoles
 }
 
-// GlobalRulesFromRole finds all rules which apply globally - meaning valid for escalation checks at the cluster scope
+// GlobalRulesFromRole finds all rules that apply globally - meaning valid for escalation checks at the cluster scope
 // in the local cluster.
 func (g *GlobalRoleResolver) GlobalRulesFromRole(gr *v3.GlobalRole) []rbacv1.PolicyRule {
 	// no rules on a nil role
@@ -39,7 +37,7 @@ func (g *GlobalRoleResolver) GlobalRulesFromRole(gr *v3.GlobalRole) []rbacv1.Pol
 	return gr.Rules
 }
 
-// ClusterRulesFromRole finds all rules which this gr gives on downstream clusters.
+// ClusterRulesFromRole finds all rules that this gr gives on downstream clusters.
 func (g *GlobalRoleResolver) ClusterRulesFromRole(gr *v3.GlobalRole) ([]rbacv1.PolicyRule, error) {
 	if gr == nil {
 		return nil, nil
@@ -89,7 +87,7 @@ func (g *GlobalRoleResolver) FleetWorkspacePermissionsWorkspaceVerbsFromRole(gr
 	return nil
 }
 
-// GetRoleTemplate allows the caller to retrieve the roleTemplates in use by a given global role. Does not
+// GetRoleTemplatesForGlobalRole allows the caller to retrieve the roleTemplates in use by a given global role. Does not
 // recursively evaluate roleTemplates - only returns the top-level resources.
 func (g *GlobalRoleResolver) GetRoleTemplatesForGlobalRole(gr *v3.GlobalRole) ([]*v3.RoleTemplate, error) {
 	if gr == nil {

@@ -66,27 +66,6 @@ var (
 			},
 		},
 	}
-	adminRTRules = []rbacv1.PolicyRule{
-		{
-			APIGroups: []string{
-				"*",
-			},
-			Resources: []string{
-				"*",
-			},
-			Verbs: []string{
-				"*",
-			},
-		},
-		{
-			NonResourceURLs: []string{
-				"*",
-			},
-			Verbs: []string{
-				"*",
-			},
-		},
-	}
 
 	noInhertRT = &v3.RoleTemplate{
 		ObjectMeta: metav1.ObjectMeta{
@@ -107,12 +86,6 @@ var (
 		},
 		Rules: secondRTRules,
 	}
-	adminRT = &v3.RoleTemplate{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "cluster-owner",
-		},
-		Rules: adminRTRules,
-	}
 )
 
 func TestGlobalRulesFromRole(t *testing.T) {

@@ -26,7 +26,7 @@ type typeInfo struct {
 }
 
 func main() {
-	os.Unsetenv("GOPATH")
+	_ = os.Unsetenv("GOPATH")
 	err := generateDocs("pkg/resources", "docs.md")
 	if err != nil {
 		panic(err)
@@ -137,7 +137,7 @@ func generateObjectsFromRequest(outputDir string, groups map[string]args.Group)
 			}
 			if rt.Kind() == reflect.Ptr {
 				// PkgPath returns an empty string for pointers
-				// Elem returns a Type associated to the dereferenced type.
+				// Elem returns a Type associated with the dereferenced type.
 				rt = rt.Elem()
 			}
 			ti.Package = rt.PkgPath()
@@ -178,7 +178,9 @@ func gofmtAndWriteToFile(path string, content []byte) error {
 	if err != nil {
 		return err
 	}
-	defer f.Close()
+	defer func() {
+		_ = f.Close()
+	}()
 
 	_, err = f.Write(formatted)
 	return err

@@ -57,14 +57,12 @@ func NewUserInfo(username string, groups ...string) *user.DefaultInfo {
 	}
 }
 
-// copySlices copies multiple rule list into one large list.
-// this is used instead of append so that the original list are not modified.
+// copySlices copies multiple rule lists into one large list.
+// this is used instead of append so that the original list is not modified.
 func copySlices(slices ...[]rbacv1.PolicyRule) []rbacv1.PolicyRule {
 	ret := []rbacv1.PolicyRule{}
 	for _, slice := range slices {
-		for _, rule := range slice {
-			ret = append(ret, rule)
-		}
+		ret = append(ret, slice...)
 	}
 	return ret
 }
@@ -14,7 +14,7 @@ import (
 	authenticationv1 "k8s.io/api/authentication/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 )
 
 type ClusterAuthTokenFieldsSuite struct {
@@ -37,7 +37,7 @@ type tokenFieldsTest struct {
 }
 
 func (t *tokenFieldsTest) name() string {
-	return pointer.StringDeref(t.lastUsedAt, "nil")
+	return ptr.Deref(t.lastUsedAt, "nil")
 }
 
 func (t *tokenFieldsTest) toToken() ([]byte, error) {
@@ -51,23 +51,23 @@ var tokenFieldsTests = []tokenFieldsTest{
 		allowed: true,
 	},
 	{
-		lastUsedAt: pointer.String(time.Now().Format(time.RFC3339)),
+		lastUsedAt: ptr.To(time.Now().Format(time.RFC3339)),
 		allowed:    true,
 	},
 	{
-		lastUsedAt: pointer.String("2024-03-25T21:2:45Z"), // Not a valid RFC3339 time.
+		lastUsedAt: ptr.To("2024-03-25T21:2:45Z"), // Not a valid RFC3339 time.
 	},
 	{
-		lastUsedAt: pointer.String("1w"),
+		lastUsedAt: ptr.To("1w"),
 	},
 	{
-		lastUsedAt: pointer.String("1d"),
+		lastUsedAt: ptr.To("1d"),
 	},
 	{
-		lastUsedAt: pointer.String("-1h"),
+		lastUsedAt: ptr.To("-1h"),
 	},
 	{
-		lastUsedAt: pointer.String(""),
+		lastUsedAt: ptr.To(""),
 	},
 }
 

@@ -373,11 +373,12 @@ func TestValidatePSALabels(t *testing.T) {
 		spec := review.Spec
 
 		// simulate SAR not allowed
-		if spec.User == failSarUser {
+		switch spec.User {
+		case failSarUser:
 			review.Status.Allowed = false
 			review.Status.Reason = fmt.Sprintf("%s %s", "Can not update project PSA for:", spec.User)
 			return true, review, nil
-		} else if spec.User == sarErrorUser {
+		case sarErrorUser:
 			return true, nil, fmt.Errorf("SAR creation failed for user #{spec.User}")
 		}
 		review.Status.Allowed = true

@@ -79,7 +79,7 @@ func TestRequestLimitAdmitter(t *testing.T) {
 		{
 			name:             "create ns within only memory req and cpu limit",
 			operationType:    v1.Create,
-			limitsAnnotation: `{"limitsMemory": "256Mi", "limitssCpu": "100m"}`,
+			limitsAnnotation: `{"limitsMemory": "256Mi", "limitsCpu": "100m"}`,
 			wantAllowed:      true,
 		},
 		{
@@ -109,7 +109,7 @@ func TestRequestLimitAdmitter(t *testing.T) {
 			admitter := requestLimitAdmitter{}
 			request, err := createRequestLimitRequest(test.limitsAnnotation, test.operationType)
 			if test.operationType == v1.Update {
-				request.AdmissionRequest.OldObject.Raw, err = json.Marshal(corev1.Namespace{
+				request.OldObject.Raw, err = json.Marshal(corev1.Namespace{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: testNs,
 					},

@@ -72,7 +72,8 @@ func TestValidatingWebhook(t *testing.T) {
 		assert.Equal(t, v1.ClusterScope, *rule.Scope)
 
 		assert.Contains(t, []v1.OperationType{v1.Create, v1.Update, v1.Delete}, operation, "only expected webhooks for create, update and delete")
-		if operation == v1.Update {
+		switch operation {
+		case v1.Update:
 			assert.False(t, hasAllUpdateWebhook, "had more than one webhook validating update calls, exepcted only one")
 			hasAllUpdateWebhook = true
 			assert.Nil(t, webhook.NamespaceSelector)
@@ -81,7 +82,7 @@ func TestValidatingWebhook(t *testing.T) {
 				// failure policy defaults to fail, but if we specify one it needs to be fail
 				assert.Equal(t, v1.Fail, *webhook.FailurePolicy)
 			}
-		} else if operation == v1.Create {
+		case v1.Create:
 			assert.NotNil(t, webhook.NamespaceSelector)
 			matchExpressions := webhook.NamespaceSelector.MatchExpressions
 			assert.Len(t, matchExpressions, 1)

@@ -93,10 +93,9 @@ func (a *admitter) Admit(request *admission.Request) (*admissionv1.AdmissionResp
 	if err != nil {
 		return nil, fmt.Errorf("unable to unmarshal delete options %w", err)
 	}
-	hasOrphanDependents := deleteOpts.OrphanDependents != nil && *deleteOpts.OrphanDependents
 	hasOrphanPolicy := deleteOpts.PropagationPolicy != nil && *deleteOpts.PropagationPolicy == metav1.DeletePropagationOrphan
 	// we are only concerned with requests that attempt to orphan resources
-	if !hasOrphanDependents && !hasOrphanPolicy {
+	if !hasOrphanPolicy {
 		return admission.ResponseAllowed(), nil
 	}
 	secret, err := objectsv1.SecretFromRequest(&request.AdmissionRequest)

@@ -24,7 +24,6 @@ func TestAdmit(t *testing.T) {
 		name                       string
 		hasRoleRefs                bool
 		hasRoleBindingRefs         bool
-		hasOrphanDelete            bool
 		hasOrphanPropagationDelete bool
 		secretDecodeError          bool
 		optionsDecodeError         bool
@@ -38,11 +37,6 @@ func TestAdmit(t *testing.T) {
 			name:      "no refs, can delete",
 			wantAdmit: true,
 		},
-		{
-			name:            "no refs, can orphan",
-			hasOrphanDelete: true,
-			wantAdmit:       true,
-		},
 		{
 			name:                       "no refs, can orphan through propagation",
 			hasOrphanPropagationDelete: true,
@@ -53,12 +47,6 @@ func TestAdmit(t *testing.T) {
 			hasRoleRefs: true,
 			wantAdmit:   true,
 		},
-		{
-			name:            "role refs, cannot orphan",
-			hasRoleRefs:     true,
-			hasOrphanDelete: true,
-			wantAdmit:       false,
-		},
 		{
 			name:                       "role refs, cannot orphan through propagation",
 			hasRoleRefs:                true,
@@ -70,12 +58,6 @@ func TestAdmit(t *testing.T) {
 			hasRoleBindingRefs: true,
 			wantAdmit:          true,
 		},
-		{
-			name:               "role binding refs, cannot orphan",
-			hasRoleBindingRefs: true,
-			hasOrphanDelete:    true,
-			wantAdmit:          false,
-		},
 		{
 			name:                       "role binding refs, cannot orphan through propagation",
 			hasRoleBindingRefs:         true,
@@ -88,13 +70,6 @@ func TestAdmit(t *testing.T) {
 			hasRoleBindingRefs: true,
 			wantAdmit:          true,
 		},
-		{
-			name:               "role and role binding refs, cannot orphan",
-			hasRoleRefs:        true,
-			hasRoleBindingRefs: true,
-			hasOrphanDelete:    true,
-			wantAdmit:          false,
-		},
 		{
 			name:                       "role and role binding refs, cannot orphan through propagation",
 			hasRoleRefs:                true,
@@ -218,10 +193,6 @@ func TestAdmit(t *testing.T) {
 				orphanPolicy := metav1.DeletePropagationOrphan
 				deleteOpts.PropagationPolicy = &orphanPolicy
 			}
-			if test.hasOrphanDelete {
-				orphan := true
-				deleteOpts.OrphanDependents = &orphan
-			}
 
 			req.Options.Raw, err = json.Marshal(deleteOpts)
 			assert.NoError(t, err)