PoC: auto-detect NetworkManager and use nmstatectl kernel mode

[qinqon]

Summary

This is a Proof of Concept — not intended to merge as-is.

Auto-detect NetworkManager presence at handler startup and transparently switch to nmstatectl kernel mode (-k flag) when NM is absent. This enables kubernetes-nmstate to run on nodes without NetworkManager (e.g., kind containers, minimal hosts).

• Handler calls nm.Version() at startup; if NM is unavailable, sets kernelMode = true
• nmstatectl show/apply use -k flag in kernel mode
• Checkpoint/rollback/commit/probes are skipped (not supported without NM)
• NNS reporting works via kernel mode — verified on a kind cluster
• Liveness probe adapts to use -k when /tmp/kernel-mode flag file exists
• E2E tests get feature Label() decorators for mode-based filtering (--label-filter)
• New make test-e2e-handler-kernel target runs only kernel-supported tests
• GitHub Actions workflow added for kernel mode CI on kind

Kernel mode limitations: no checkpoint/rollback, no DHCP, changes are volatile (lost on reboot).

Depends-on:

• poc: OVS bridge support in kernel-only (-k) mode nmstate#3104
• vlan: skip immutable attributes when modifying existing VLAN nispor/nispor#380

Verified on kind

• 3-node kind cluster (no NetworkManager)
• Handler auto-detects kernel mode at startup
• NNS created for all 3 nodes with full network state
• hostNetworkManagerVersion reports N/A (kernel mode)
• All handler pods Running/Ready, liveness probes passing

Test plan

• Unit tests pass (go test ./pkg/... ./controllers/...)
• Operator controller tests pass (liveness probe assertions updated)
• All packages compile
• Manual verification on kind cluster — NNS working
• E2E kernel mode tests on kind (make test-e2e-handler-kernel)
• E2E NM mode tests unchanged (make test-e2e-handler)

🤖 Generated with Claude Code

[kubevirt-bot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[kubevirt-bot]

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign phoracek for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This Proof of Concept pull request introduces a significant enhancement to kubernetes-nmstate by enabling it to operate effectively in environments lacking NetworkManager. By automatically detecting NetworkManager's absence and transparently switching to nmstatectl's kernel mode, the handler can now manage network configurations on minimal hosts and containerized environments like kind clusters. This change broadens the applicability of kubernetes-nmstate, although it necessitates certain trade-offs, such as the unavailability of checkpointing, rollback, and DHCP functionalities, and the ephemeral nature of network changes in kernel mode.

Highlights

• Automatic NetworkManager Detection: The handler now automatically detects the presence of NetworkManager at startup.
• Transparent Kernel Mode Switching: If NetworkManager is not found, the handler transparently switches to using nmstatectl in kernel mode (with the -k flag).
• Expanded Compatibility: This change enables kubernetes-nmstate to run on nodes without NetworkManager, such as kind containers or minimal hosts.
• nmstatectl Command Adaptation: nmstatectl show and apply commands are modified to automatically include the -k flag when operating in kernel mode.
• Skipped Unsupported Operations: Checkpointing, rollback, commit, and probes are skipped when the handler is running in kernel mode, as these functionalities are not supported without NetworkManager.
• NNS Reporting in Kernel Mode: Node Network State (NNS) reporting has been verified to work correctly even when the handler is in kernel mode.
• Dynamic Liveness Probe: The liveness probe dynamically adapts its command to use nmstatectl show -k if a /tmp/kernel-mode flag file exists, indicating kernel mode operation.
• E2E Test Enhancements: E2E tests have been updated with feature Label() decorators, allowing for mode-based filtering of tests.
• New Kernel Mode E2E Test Target: A new make test-e2e-handler-kernel target has been introduced to specifically run E2E tests that are supported in kernel mode.
• CI for Kernel Mode: A GitHub Actions workflow has been added to enable continuous integration for kernel mode on kind clusters.
• Kernel Mode Limitations: It is noted that kernel mode has limitations, including no checkpoint/rollback, no DHCP support, and network changes being volatile (lost on reboot).

Changelog

• Makefile
  • Defined KERNEL_MODE_FEATURES for kernel-supported E2E tests.
  • Added test-e2e-handler-kernel target to run kernel-mode E2E tests using label filtering.
  • Included the new kernel-mode E2E test target in check-gen.
• cmd/handler/main.go
  • Imported the nm package.
  • Implemented detectAndSetKernelMode to check for NetworkManager and activate kernel mode if it's missing.
  • Integrated detectAndSetKernelMode into the handler's environment setup.
  • Created a /tmp/kernel-mode flag file when operating in kernel mode.
• controllers/handler/node_controller.go
  • Modified getDependencyVersions to report "N/A (kernel mode)" for NetworkManager version when in kernel mode.
• controllers/operator/nmstate_controller_test.go
  • Updated liveness probe test assertions to reflect conditional nmstatectl show -k usage.
• deploy/handler/operator.yaml
  • Adjusted the handler's liveness probe command to dynamically include the -k flag for nmstatectl show if /tmp/kernel-mode exists.
• pkg/client/client.go
  • Implemented conditional logic in ApplyDesiredState to bypass checkpointing, rollback, and probes, directly applying state with nmstatectl -k when in kernel mode.
• pkg/nmstatectl/nmstatectl.go
  • Introduced kernelMode state variable and accessor functions (SetKernelMode, IsKernelMode).
  • Modified ShowWithArgumentsAndOutputs and Show to automatically add the -k flag when in kernel mode.
  • Updated Set to use the -k flag and omit --no-commit and --timeout arguments in kernel mode.
  • Implemented early exit and logging for Commit and Rollback functions when in kernel mode, as these operations are not supported.
• pkg/nmstatectl/nmstatectl_test.go
  • Extended test setup to manage kernelMode state.
  • Added new test cases (TestSetKernelMode, TestShowKernelMode, TestCommitKernelMode, TestRollbackKernelMode) to validate kernel mode behavior for Set, Show, Commit, and Rollback commands.
• test/e2e/handler/bonding_default_interface_test.go
  • Labeled the test suite with "DHCP".
• test/e2e/handler/default_bridged_network_test.go
  • Labeled the test suite with "DHCP".
• test/e2e/handler/default_bridged_network_with_nmpolicy_test.go
  • Labeled the test suite with "DHCP".
• test/e2e/handler/default_ovs_bridged_network_test.go
  • Labeled the test suite with "OVS".
• test/e2e/handler/dns_test.go
  • Labeled the test suite with "DHCP".
• test/e2e/handler/examples_test.go
  • Labeled the test suite with "Examples".
• test/e2e/handler/lldp_with_nmpolicy_test.go
  • Labeled the test suite with "LLDP".
• test/e2e/handler/metrics_test.go
  • Labeled the test suite with "Metrics".
• test/e2e/handler/multiple_policies_for_same_node_test.go
  • Labeled the test suite with "MultiplePolicies".
• test/e2e/handler/nnce_conditions_test.go
  • Labeled the test suite with "EnactmentCondition".
• test/e2e/handler/nnce_desiredstate_test.go
  • Labeled the test suite with "EnactmentDesiredState".
• test/e2e/handler/nncp_cleanup_test.go
  • Labeled the test suite with "PolicyCleanup".
• test/e2e/handler/nncp_parallel_test.go
  • Labeled the test suite with "PolicyParallel".
• test/e2e/handler/nns_dependencies_test.go
  • Labeled the test suite with "NNSDependencies".
• test/e2e/handler/nns_filter_test.go
  • Labeled the test suite with "NNSFilter".
• test/e2e/handler/nns_ovn.go
  • Labeled the test suite with "OVN".
• test/e2e/handler/nns_update_timestamp_test.go
  • Labeled the test suite with "NNSTimestamp".
• test/e2e/handler/node_selector_test.go
  • Labeled the test suite with "NodeSelector".
• test/e2e/handler/nodes_test.go
  • Labeled the test suite with "Nodes".
• test/e2e/handler/pending_checkpoint_test.go
  • Labeled the test suite with "Checkpoint".
• test/e2e/handler/rollback_test.go
  • Labeled the test suite with "Rollback".
• test/e2e/handler/simple_bridge_and_bond_test.go
  • Labeled the test suite with "DHCP".
• test/e2e/handler/simple_ovs_bridge_and_bond_test.go
  • Labeled the test suite with "OVS".
• test/e2e/handler/simple_ovs_bridge_test.go
  • Labeled the test suite with "OVS".
• test/e2e/handler/simple_vlan_and_ip_test.go
  • Labeled the test suite with "VLAN".
• test/e2e/handler/static_addr_and_route_test.go
  • Labeled the test suite with "StaticAddress".
• test/e2e/handler/upgrade_test.go
  • Labeled the test suite with "Upgrade".
• test/e2e/handler/user_guide_test.go
  • Labeled the test suite with "UserGuide".
• test/e2e/handler/vrf_test.go
  • Labeled the test suite with "VRF".
• test/e2e/handler/webhook_test.go
  • Labeled both test suites with "Webhook".

Ignored Files

• Ignored by pattern: .github/workflows/** (1)
  • .github/workflows/e2e-kernel-mode.yml

Activity

• Unit tests for pkg and controllers packages have passed.
• Operator controller tests, including updated liveness probe assertions, have passed.
• All packages successfully compile.
• Manual verification on a kind cluster confirmed NNS functionality.
• E2E kernel mode tests on kind (make test-e2e-handler-kernel) are pending.
• E2E NetworkManager mode tests (make test-e2e-handler) are pending.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a proof-of-concept for running kubernetes-nmstate in a 'kernel mode' when NetworkManager is not available. The changes include auto-detection of NetworkManager at handler startup, a global flag to enable kernel mode, and modifications to nmstatectl commands to use the -k flag and bypass checkpointing features. The liveness probe is also updated to work in both modes. The changes are logical and well-contained for a PoC. I have a few suggestions to improve maintainability and robustness, mainly around the use of a hardcoded flag file path, global state management, and the complexity of the liveness probe command.

[gemini-code-assist]

The file path /tmp/kernel-mode is hardcoded. To improve maintainability and avoid magic strings, it would be better to define this path as a constant in a shared package (e.g., in pkg/environment or a new pkg/constants). This path is also used in the liveness probe definition in deploy/handler/operator.yaml and related tests, so a constant would ensure consistency.

[gemini-code-assist]

The shell command for the liveness probe is complex and is duplicated in tests, which can be brittle and hard to maintain.

if [ -f /tmp/kernel-mode ]; then nmstatectl show -k {{ .HandlerReadinessProbeExtraArg }} 2>&1; else nmstatectl show {{ .HandlerReadinessProbeExtraArg }} 2>&1; fi

Consider adding a small wrapper script to the container image (e.g., /usr/bin/liveness-probe.sh) that encapsulates this logic. The liveness probe would then simply execute this script. This would make the YAML manifest cleaner and centralize the probe logic.

[gemini-code-assist]

The use of global variables kernelMode and debugMode makes this package stateful, which can lead to issues with concurrency and makes testing more complex (requiring state manipulation with defer). While this might be acceptable for a PoC where it's set once at startup, for a production-ready feature, it would be more robust to pass configuration through a context or a configuration struct to the functions in this package. This would make the functions stateless and easier to reason about.