metis: add glibc floor qualification test target to Makefile

.github/workflows/metis-glibc-floor-test.yml

@@ -0,0 +1,18 @@
+name: Metis GLIBC Floor Test
+
+on:
+  pull_request:
+    paths:
+      - 'metis/**'
+
+jobs:
+  native-execution-test:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Test GLIBC compatibility
+        run: |
+          cd metis
+          make test-glibc-floor

metis/Makefile

@@ -3,10 +3,10 @@
 # Variables for local development
 IMAGE_REGISTRY ?= gcr.io/$(USER)-gke-dev
 IMAGE_NAME ?= metis
-TAG ?= $(shell git describe --tags --match "metis-v*" --always --dirty | sed 's|.*/||')
+TAG ?= $(shell git describe --tags --always --dirty | sed 's|.*/||')
 
 # Get version metadata from git for version injection
-GIT_VERSION ?= $(shell git describe --tags --match "metis-v*" --always --dirty)
+GIT_VERSION ?= $(shell git describe --tags --always --dirty)
 GIT_COMMIT  ?= $(shell git rev-parse HEAD)
 BUILD_DATE  ?= $(shell date -u +'%Y-%m-%dT%H:%M:%SZ')
 
@@ -19,6 +19,20 @@ VERSION_LDFLAGS := \
 # Platforms for multi-arch container builds
 PLATFORMS ?= linux/amd64,linux/arm64
 
+# GLIBC Compatibility Test Image
+#
+# Context: Across GKE fleet nodes, the CGO Metis CNI binary executes natively
+# inside the host OS space (via the Kubelet) rather than within a container.
+# This rigidly binds its link constraints to the host's C standard library.
+#
+# Baseline: During the GKE release baseline of 1.30.14-gke.2250000, the
+# lowest available GLIBC version across the active fleet OS footprints
+# (Ubuntu 22.04 LTS and COS Milestone 117) was precisely GLIBC 2.35.
+#
+# WARNING: Do not link this binary against newer GLIBC symbols. Doing so
+# will cause immediate runtime panics when scheduled on baseline fleet nodes.
+GLIBC_FLOOR_IMAGE := ubuntu:22.04
+
 ##@ Development
 
 .PHONY: tidy
@@ -52,15 +66,34 @@ clean: ## Clean up build artifacts.
 
 ##@ Docker
 
+DOCKER_BUILD_ARGS := \
+	--build-arg GIT_VERSION=$(GIT_VERSION) \
+	--build-arg GIT_COMMIT=$(GIT_COMMIT) \
+	--build-arg BUILD_DATE=$(BUILD_DATE)
+
 .PHONY: push-image
 push-image: ## Build and push the multi-arch image independently.
 	@echo "Building and Pushing multi-arch image: $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(TAG)..."
-	docker buildx build --platform $(PLATFORMS) \
-		--build-arg GIT_VERSION=$(GIT_VERSION) \
-		--build-arg GIT_COMMIT=$(GIT_COMMIT) \
-		--build-arg BUILD_DATE=$(BUILD_DATE) \
+	docker buildx build --platform $(PLATFORMS) $(DOCKER_BUILD_ARGS) \
 		-t $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(TAG) --push .
 
+.PHONY: build-image-local
+build-image-local:
+	docker build $(DOCKER_BUILD_ARGS) -t metis-candidate .
+
+_tmp/metis-candidate: build-image-local
+	@mkdir -p _tmp
+	-docker rm -f temp-metis 2>/dev/null
+	docker create --name temp-metis metis-candidate
+	docker cp temp-metis:/metis _tmp/metis-candidate
+	docker rm temp-metis
+
+.ONESHELL:
+.PHONY: test-glibc-floor
+test-glibc-floor: _tmp/metis-candidate ## Build image and test glibc floor locally in container
+	# Verify symbol compatibility by running natively within the configured floor environment.
+	docker run --rm -v $(CURDIR)/_tmp/metis-candidate:/metis $(GLIBC_FLOOR_IMAGE) /metis --help
+
 ##@ Help
 
 .PHONY: help