metis: add glibc floor qualification test target to Makefile

metis/Dockerfile

@@ -38,7 +38,13 @@ RUN if [ "${TARGETARCH}" = "amd64" ]; then \
               -X 'k8s.io/component-base/version.buildDate=${BUILD_DATE}'" \
     ./cmd
 
-# Use ubuntu as base image to package the binary
+# CAUTION: The Metis binary leverages CGO and links against the host's C library.
+# To prevent runtime panics on baseline GKE fleet nodes, this image must remain
+# compatible with the active GLIBC floor constraint defined in the Makefile.
+#
+# Always verify any base image upgrades by running `make test-glibc-floor`.
+#
+# See metis/Makefile for the full historical context and version baseline.
 FROM ubuntu:22.04
 RUN apt-get update && apt-get install -y \
     sqlite3 \

metis/Makefile

@@ -3,10 +3,10 @@
 # Variables for local development
 IMAGE_REGISTRY ?= gcr.io/$(USER)-gke-dev
 IMAGE_NAME ?= metis
-TAG ?= $(shell git describe --tags --match "metis-v*" --always --dirty | sed 's|.*/||')
+TAG ?= $(shell git describe --tags --always --dirty | sed 's|.*/||')
 
 # Get version metadata from git for version injection
-GIT_VERSION ?= $(shell git describe --tags --match "metis-v*" --always --dirty)
+GIT_VERSION ?= $(shell git describe --tags --always --dirty | sed 's|.*/||')
 GIT_COMMIT  ?= $(shell git rev-parse HEAD)
 BUILD_DATE  ?= $(shell date -u +'%Y-%m-%dT%H:%M:%SZ')
 
@@ -19,6 +19,20 @@ VERSION_LDFLAGS := \
 # Platforms for multi-arch container builds
 PLATFORMS ?= linux/amd64,linux/arm64
 
+# GLIBC Compatibility Test Image
+#
+# Context: Across GKE fleet nodes, the CGO Metis CNI binary executes natively
+# inside the host OS space (via the Kubelet) rather than within a container.
+# This rigidly binds its link constraints to the host's C standard library.
+#
+# Baseline: During the GKE release baseline of 1.30.14-gke.2250000, the
+# lowest available GLIBC version across the active fleet OS footprints
+# (Ubuntu 22.04 LTS and COS Milestone 117) was precisely GLIBC 2.35.
+#
+# WARNING: Do not link this binary against newer GLIBC symbols. Doing so
+# will cause immediate runtime panics when scheduled on baseline fleet nodes.
+GLIBC_FLOOR_IMAGE := ubuntu:22.04
+
 ##@ Development
 
 .PHONY: tidy
@@ -56,15 +70,33 @@ clean: ## Clean up build artifacts.
 
 ##@ Docker
 
+DOCKER_BUILD_ARGS := \
+	--build-arg GIT_VERSION=$(GIT_VERSION) \
+	--build-arg GIT_COMMIT=$(GIT_COMMIT) \
+	--build-arg BUILD_DATE=$(BUILD_DATE)
+
 .PHONY: push-image
 push-image: ## Build and push the multi-arch image independently.
 	@echo "Building and Pushing multi-arch image: $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(TAG)..."
-	docker buildx build --platform $(PLATFORMS) \
-		--build-arg GIT_VERSION=$(GIT_VERSION) \
-		--build-arg GIT_COMMIT=$(GIT_COMMIT) \
-		--build-arg BUILD_DATE=$(BUILD_DATE) \
+	docker buildx build --platform $(PLATFORMS) $(DOCKER_BUILD_ARGS) \
 		-t $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(TAG) --push .
 
+.PHONY: build-image-local
+build-image-local:
+	docker build $(DOCKER_BUILD_ARGS) -t metis-candidate .
+
+_tmp/metis-candidate: build-image-local
+	@mkdir -p _tmp
+	-docker rm -f temp-metis 2>/dev/null
+	docker create --name temp-metis metis-candidate
+	docker cp temp-metis:/metis _tmp/metis-candidate
+	docker rm temp-metis
+
+.PHONY: test-glibc-floor
+test-glibc-floor: _tmp/metis-candidate ## Build image and test glibc floor locally in container
+	# Verify symbol compatibility by running natively within the configured floor environment.
+	docker run --rm -v $(CURDIR)/_tmp/metis-candidate:/metis $(GLIBC_FLOOR_IMAGE) /metis --help
+
 ##@ Help
 
 .PHONY: help