Fix pdp-tester CI job for K8s-based refactor (PER-13630)

[EliMoshkovich]

Summary

The pdp-tester was refactored from Docker-based to Kubernetes-based (permitio/pdp-tester#80). The old CI used Docker directly to run PDP containers, but the new code requires a Kubernetes cluster. This PR fixes the pdp-tester CI job.

Changes

• Add k3d cluster setup (same approach as pdp-tester's own CI)
• Import both PDP image (permitio/pdp-v2:next) and pdp-tester image into k3d
• Deploy via Helm chart in job mode with tag next (the PR's PDP build)
• Wait for Job completion and check test results from logs
• Teardown k3d cluster on completion

Why it broke

The pdp-tester refactor (permitio/pdp-tester#80) removed Docker-based container management (aiodocker, PdpCluster) and replaced it with Kubernetes-native Pod management (kubernetes_asyncio, KubernetesRuntime). The old LOCAL_TAGS, AUTO_REMOVE, and Docker socket approach no longer exists.

Test plan

• CI pipeline runs successfully with the k3d cluster
• PDP image built from PR is tested via pdp-tester
• Test results are correctly reported in CI logs

🤖 Generated with Claude Code

[linear]

PER-13630 [PDP Tester] Refactor to use k8s APIs

[github-actions]

🔍 Vulnerabilities of permitio/pdp-v2:next

📦 Image Reference permitio/pdp-v2:next

digest	sha256:65aa1b3d2192e32c5d86f659708eb381451e66db78271d0ec73eaa96454d6e5a
vulnerabilities
platform	linux/amd64
size	215 MB
packages	253

📦 Base Image python:3.10-alpine3.22

also known as	3.10.20-alpine3.22 b259d89e26fbe01d956a4834260c0e5a7c7b305ecda39ae3b59e208e5a03a2aa
digest	sha256:a7b85667f5c4e8db146b494344e4a3826e695185c7260bddab7ec9667a2406e3
vulnerabilities

openssl 3.5.5-r0 (apk) pkg:apk/alpine/openssl@3.5.5-r0?os_name=alpine&os_version=3.22 Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.018% EPSS Percentile 5th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.049% EPSS Percentile 15th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.049% EPSS Percentile 15th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.023% EPSS Percentile 6th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.045% EPSS Percentile 14th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.009% EPSS Percentile 1st percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.017% EPSS Percentile 4th percentile Description

musl 1.2.5-r10 (apk) pkg:apk/alpine/musl@1.2.5-r10?os_name=alpine&os_version=3.22 Affected range <1.2.5-r12 Fixed version 1.2.5-r12 EPSS Score 0.014% EPSS Percentile 2nd percentile Description Affected range <1.2.5-r11 Fixed version 1.2.5-r11 EPSS Score 0.013% EPSS Percentile 2nd percentile Description

go.opentelemetry.io/otel/sdk 1.42.0 (golang) pkg:golang/go.opentelemetry.io/otel/sdk@1.42.0 Untrusted Search Path Affected range >=1.15.0 <=1.42.0 Fixed version 1.43.0 CVSS Score 7.3 CVSS Vector CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N EPSS Score 0.006% EPSS Percentile 0th percentile Description Summary The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. Root Cause sdk/resource/host_id.go line 42: if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil { Compare with the fixed Darwin path at line 58: result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice") The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator. Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris. The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems. Attack Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk Attacker places a malicious kenv binary earlier in $PATH Application initializes OpenTelemetry resource detection at startup hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary Arbitrary code executes in the context of the application Same attack vector and impact as CVE-2026-24051. Suggested Fix Use the absolute path: if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil { On FreeBSD, kenv is located at /bin/kenv.

sqlparse 0.5.0 (pypi) pkg:pypi/sqlparse@0.5.0 Allocation of Resources Without Limits or Throttling Affected range <=0.5.3 Fixed version 0.5.4 CVSS Score 6.9 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Description Summary The below gist hangs while attempting to format a long list of tuples. This was found while drafting a regression test for Dja ngo 5.2's composite primary key feature, which allows querying composite fields with tuples.

go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp 1.42.0 (golang) pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@1.42.0 Memory Allocation with Excessive Size Value Affected range <1.43.0 Fixed version 1.43.0 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.016% EPSS Percentile 3rd percentile Description overview: this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection). severity HIGH not claiming: this is a remote dos against every default deployment. claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body. callsite (pinned): exporters/otlp/otlptrace/otlptracehttp/client.go:199 exporters/otlp/otlptrace/otlptracehttp/client.go:230 exporters/otlp/otlpmetric/otlpmetrichttp/client.go:170 exporters/otlp/otlpmetric/otlpmetrichttp/client.go:201 exporters/otlp/otlplog/otlploghttp/client.go:190 exporters/otlp/otlplog/otlploghttp/client.go:221 permalinks (pinned): https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlptrace/otlptracehttp/client.go#L199 https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlptrace/otlptracehttp/client.go#L230 https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlpmetric/otlpmetrichttp/client.go#L170 https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlpmetric/otlpmetrichttp/client.go#L201 https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlplog/otlploghttp/client.go#L190 https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlplog/otlploghttp/client.go#L221 root cause: each exporter client reads resp.Body using io.Copy(&respData, resp.Body) into a bytes.Buffer on both success and error paths, with no upper bound. impact: a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom). affected component: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp repro (local-only): unzip poc.zip -d poc cd poc make canonical resp_bytes=33554432 chunk_delay_ms=0 expected output contains: [CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body) [PROOF_MARKER]: resp_bytes=33554432 peak_alloc_bytes=118050512 control (same env, patched target): unzip poc.zip -d poc cd poc make control resp_bytes=33554432 chunk_delay_ms=0 expected control output contains: [CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body) [NC_MARKER]: resp_bytes=33554432 peak_alloc_bytes=512232 attachments: poc.zip (attached) PR_DESCRIPTION.md attack_scenario.md poc.zip Fixed in: open-telemetry/opentelemetry-go#8108

busybox 1.37.0-r20 (apk) pkg:apk/alpine/busybox@1.37.0-r20?os_name=alpine&os_version=3.22 Affected range <=1.37.0-r20 Fixed version Not Fixed EPSS Score 0.043% EPSS Percentile 13th percentile Description

zlib 1.3.1-r2 (apk) pkg:apk/alpine/zlib@1.3.1-r2?os_name=alpine&os_version=3.22 Affected range <=1.3.1-r2 Fixed version Not Fixed EPSS Score 0.007% EPSS Percentile 1st percentile Description

[github-actions]

🔍 Vulnerabilities of permitio/pdp-v2:next

📦 Image Reference permitio/pdp-v2:next

digest	sha256:65aa1b3d2192e32c5d86f659708eb381451e66db78271d0ec73eaa96454d6e5a
vulnerabilities
platform	linux/amd64
size	215 MB
packages	253

📦 Base Image python:3.10-alpine3.22

also known as	3.10.20-alpine3.22 b259d89e26fbe01d956a4834260c0e5a7c7b305ecda39ae3b59e208e5a03a2aa
digest	sha256:a7b85667f5c4e8db146b494344e4a3826e695185c7260bddab7ec9667a2406e3
vulnerabilities

openssl 3.5.5-r0 (apk) pkg:apk/alpine/openssl@3.5.5-r0?os_name=alpine&os_version=3.22 Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.018% EPSS Percentile 5th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.049% EPSS Percentile 15th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.049% EPSS Percentile 15th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.023% EPSS Percentile 6th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.045% EPSS Percentile 14th percentile Description

go.opentelemetry.io/otel/sdk 1.42.0 (golang) pkg:golang/go.opentelemetry.io/otel/sdk@1.42.0 Untrusted Search Path Affected range >=1.15.0 <=1.42.0 Fixed version 1.43.0 CVSS Score 7.3 CVSS Vector CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N EPSS Score 0.006% EPSS Percentile 0th percentile Description Summary The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. Root Cause sdk/resource/host_id.go line 42: if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil { Compare with the fixed Darwin path at line 58: result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice") The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator. Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris. The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems. Attack Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk Attacker places a malicious kenv binary earlier in $PATH Application initializes OpenTelemetry resource detection at startup hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary Arbitrary code executes in the context of the application Same attack vector and impact as CVE-2026-24051. Suggested Fix Use the absolute path: if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil { On FreeBSD, kenv is located at /bin/kenv.

musl 1.2.5-r10 (apk) pkg:apk/alpine/musl@1.2.5-r10?os_name=alpine&os_version=3.22 Affected range <1.2.5-r12 Fixed version 1.2.5-r12 EPSS Score 0.014% EPSS Percentile 2nd percentile Description