Skip to content

OCPCLOUD-3288: Bump to k8s 1.35 dependencies #1474

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
nrb wants to merge 7 commits into
base: main
Choose a base branch
from
+141,797 −97,261
Open

OCPCLOUD-3288: Bump to k8s 1.35 dependencies #1474

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
6616640
bump k8s 1.35: update go.mod to Kubernetes 1.35.1
nrb Mar 9, 2026
46af0fa
bump k8s 1.35: vendor updated dependencies
nrb Mar 9, 2026
6560b79
bump k8s 1.35: replace Requeue with RequeueAfter in machineset contro…
nrb Mar 9, 2026
f341d75
bump k8s 1.35: migrate WithCustomValidator to typed admission.Validat…
nrb Mar 10, 2026
8cfc8fe
bump k8s 1.35: fix lint failures from controller-runtime v0.23 deprec…
nrb Mar 10, 2026
10f2315
Update vendor for ginkgowrapper
nrb Mar 10, 2026
fb765ac
Use new NewClientset instead of deprecated
nrb Mar 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
The diff you're trying to view is too large. We only load the first 3000 changed files.
2 changes: 1 addition & 1 deletion cmd/machineset/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -112,7 +112,7 @@ func main() {

// Sets up feature gates
defaultMutableGate := feature.DefaultMutableFeatureGate
gateOpts, err := features.NewFeatureGateOptions(defaultMutableGate, apifeatures.SelfManaged, apifeatures.FeatureGateMachineAPIMigration, apifeatures.FeatureGateVSphereHostVMGroupZonal, apifeatures.FeatureGateVSphereMultiDisk)
gateOpts, err := features.NewFeatureGateOptions(defaultMutableGate, 4, apifeatures.SelfManaged, apifeatures.FeatureGateMachineAPIMigration, apifeatures.FeatureGateVSphereHostVMGroupZonal, apifeatures.FeatureGateVSphereMultiDisk)
if err != nil {
klog.Fatalf("Error setting up feature gates: %v", err)
}
Expand Down
4 changes: 2 additions & 2 deletions cmd/vsphere/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,7 +93,7 @@ func main() {

// Sets up feature gates
defaultMutableGate := feature.DefaultMutableFeatureGate
gateOpts, err := features.NewFeatureGateOptions(defaultMutableGate, apifeatures.SelfManaged, apifeatures.FeatureGateMachineAPIMigration, apifeatures.FeatureGateVSphereHostVMGroupZonal, apifeatures.FeatureGateVSphereMultiDisk)
gateOpts, err := features.NewFeatureGateOptions(defaultMutableGate, 4, apifeatures.SelfManaged, apifeatures.FeatureGateMachineAPIMigration, apifeatures.FeatureGateVSphereHostVMGroupZonal, apifeatures.FeatureGateVSphereMultiDisk)
if err != nil {
klog.Fatalf("Error setting up feature gates: %v", err)
}
Expand Down Expand Up @@ -170,7 +170,7 @@ func main() {
machineActuator := machine.NewActuator(machine.ActuatorParams{
Client: mgr.GetClient(),
APIReader: mgr.GetAPIReader(),
EventRecorder: mgr.GetEventRecorderFor("vspherecontroller"),
EventRecorder: mgr.GetEventRecorderFor("vspherecontroller"), //nolint:staticcheck
TaskIDCache: taskIDCache,
FeatureGates: defaultMutableGate,
OpenshiftConfigNamespace: vsphere.OpenshiftConfigNamespace,
Expand Down
138 changes: 69 additions & 69 deletions go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,14 +1,15 @@
module github.com/openshift/machine-api-operator

go 1.24.0
go 1.25.0

// These are needed for the OTE tests. Due to how we get the kubeconfig from the command line, there doesn't seem to be
// an API yet we can leverage so that I do not have to copy what openshift/kubernetes/openshift-hack/cmd/k8s-tests-ext did to initialize.
replace (
github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
k8s.io/apiserver => github.com/openshift/kubernetes/staging/src/k8s.io/apiserver v0.0.0-20251015171918-61114aa5a292 // openshift kubernetes has very old copy of k8s.io/kubernetes/pkg/kubelet/server/server.go
k8s.io/kubelet => github.com/openshift/kubernetes/staging/src/k8s.io/kubelet v0.0.0-20251015171918-61114aa5a292 // openshift kubernetes has very old copy of k8s.io/kubernetes/cmd/kubelet/app/options/options.go
k8s.io/kubernetes => github.com/openshift/kubernetes v1.30.1-0.20251027205255-4e0347881cbd
github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20260303184444-1cc650aa0565

k8s.io/apiserver => github.com/openshift/kubernetes/staging/src/k8s.io/apiserver v0.0.0-20260305123649-d18f3f005eaa // openshift kubernetes has very old copy of k8s.io/kubernetes/pkg/kubelet/server/server.go
k8s.io/kubelet => github.com/openshift/kubernetes/staging/src/k8s.io/kubelet v0.0.0-20260305123649-d18f3f005eaa // openshift kubernetes has very old copy of k8s.io/kubernetes/cmd/kubelet/app/options/options.go
k8s.io/kubernetes => github.com/openshift/kubernetes v1.30.1-0.20260305123649-d18f3f005eaa
)

require (
Expand All @@ -18,38 +19,38 @@ require (
github.com/google/uuid v1.6.0
github.com/onsi/ginkgo/v2 v2.27.2
github.com/onsi/gomega v1.38.2
github.com/openshift-eng/openshift-tests-extension v0.0.0-20251105193959-75a0be5d9bd7
github.com/openshift/api v0.0.0-20260213204242-d34f11c515b3
github.com/openshift/client-go v0.0.0-20251202151200-fb4471581cf8
github.com/openshift-eng/openshift-tests-extension v0.0.0-20260127124016-0fed2b824818
github.com/openshift/api v0.0.0-20260305140000-0790d2957f54
github.com/openshift/client-go v0.0.0-20260305144912-aba4b273812d
github.com/openshift/cluster-api-actuator-pkg/testutils v0.0.0-20250910145856-21d03d30056d
github.com/openshift/cluster-control-plane-machine-set-operator v0.0.0-20251029084908-344babe6a957
github.com/openshift/library-go v0.0.0-20251107090138-0de9712313a5
github.com/openshift/library-go v0.0.0-20260303171201-5d9eb6295ff6
github.com/prometheus/client_golang v1.23.2
github.com/spf13/cobra v1.10.1
github.com/spf13/pflag v1.0.10
github.com/stretchr/testify v1.11.1
github.com/vmware/govmomi v0.52.0
golang.org/x/net v0.46.0
golang.org/x/net v0.47.0 // indirect
golang.org/x/time v0.14.0
gopkg.in/gcfg.v1 v1.2.3 // indirect
k8s.io/api v0.34.1
k8s.io/apimachinery v0.34.1
k8s.io/apiserver v0.34.1
k8s.io/client-go v0.34.1
k8s.io/api v0.35.1
k8s.io/apimachinery v0.35.1
k8s.io/apiserver v0.35.1
k8s.io/client-go v0.35.1
k8s.io/cloud-provider-vsphere v1.32.2
k8s.io/component-base v0.34.1
k8s.io/cri-client v0.34.1 // indirect
k8s.io/csi-translation-lib v0.34.1 // indirect
k8s.io/dynamic-resource-allocation v0.34.1 // indirect
k8s.io/component-base v0.35.1
k8s.io/cri-client v0.35.1 // indirect
k8s.io/csi-translation-lib v0.35.1 // indirect
k8s.io/dynamic-resource-allocation v0.35.1 // indirect
k8s.io/klog/v2 v2.130.1
k8s.io/kube-scheduler v0.34.1 // indirect
k8s.io/kubectl v0.34.1
k8s.io/kubernetes v1.34.1
k8s.io/mount-utils v0.34.1 // indirect
k8s.io/sample-apiserver v0.34.1 // indirect
k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
k8s.io/kube-scheduler v0.35.1 // indirect
k8s.io/kubectl v0.35.1
k8s.io/kubernetes v1.35.1
k8s.io/mount-utils v0.35.1 // indirect
k8s.io/sample-apiserver v0.35.1 // indirect
k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
sigs.k8s.io/cluster-api v1.11.3
sigs.k8s.io/controller-runtime v0.22.3
sigs.k8s.io/controller-runtime v0.23.3
sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20240923090159-236e448db12c
sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96
sigs.k8s.io/yaml v1.6.0
Expand All @@ -61,6 +62,7 @@ require (
4d63.com/gocheckcompilerdirectives v1.3.0 // indirect
4d63.com/gochecknoglobals v0.2.2 // indirect
cel.dev/expr v0.24.0 // indirect
cyphar.com/go-pathrs v0.2.1 // indirect
github.com/4meepo/tagalign v1.4.2 // indirect
github.com/Abirdcfly/dupword v0.1.3 // indirect
github.com/Antonboom/errname v1.0.0 // indirect
Expand All @@ -75,7 +77,7 @@ require (
github.com/MakeNowJust/heredoc v1.0.0 // indirect
github.com/Masterminds/semver/v3 v3.4.0 // indirect
github.com/Microsoft/go-winio v0.6.2 // indirect
github.com/Microsoft/hnslib v0.1.1 // indirect
github.com/Microsoft/hnslib v0.1.2 // indirect
github.com/NYTimes/gziphandler v1.1.1 // indirect
github.com/OpenPeeDeeP/depguard/v2 v2.2.1 // indirect
github.com/alecthomas/go-check-sumtype v0.3.1 // indirect
Expand Down Expand Up @@ -105,21 +107,20 @@ require (
github.com/chavacava/garif v0.1.0 // indirect
github.com/ckaznocha/intrange v0.3.0 // indirect
github.com/container-storage-interface/spec v1.9.0 // indirect
github.com/containerd/containerd/api v1.8.0 // indirect
github.com/containerd/containerd/api v1.9.0 // indirect
github.com/containerd/errdefs v1.0.0 // indirect
github.com/containerd/errdefs/pkg v0.3.0 // indirect
github.com/containerd/log v0.1.0 // indirect
github.com/containerd/ttrpc v1.2.6 // indirect
github.com/containerd/typeurl/v2 v2.2.2 // indirect
github.com/containerd/ttrpc v1.2.7 // indirect
github.com/containerd/typeurl/v2 v2.2.3 // indirect
github.com/coreos/go-semver v0.3.1 // indirect
github.com/coreos/go-systemd/v22 v22.5.0 // indirect
github.com/curioswitch/go-reassign v0.3.0 // indirect
github.com/cyphar/filepath-securejoin v0.4.1 // indirect
github.com/cyphar/filepath-securejoin v0.6.0 // indirect
github.com/daixiang0/gci v0.13.5 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/denis-tingaikin/go-header v0.5.0 // indirect
github.com/distribution/reference v0.6.0 // indirect
github.com/docker/docker v27.1.2+incompatible // indirect
github.com/docker/go-units v0.5.0 // indirect
github.com/emicklei/go-restful/v3 v3.12.2 // indirect
github.com/ettle/strcase v0.2.0 // indirect
Expand Down Expand Up @@ -167,7 +168,7 @@ require (
github.com/golangci/revgrep v0.8.0 // indirect
github.com/golangci/unconvert v0.0.0-20240309020433-c5143eacb3ed // indirect
github.com/google/btree v1.1.3 // indirect
github.com/google/cadvisor v0.52.1 // indirect
github.com/google/cadvisor v0.53.0 // indirect
github.com/google/cel-go v0.26.0 // indirect
github.com/google/gnostic-models v0.7.0 // indirect
github.com/google/go-cmp v0.7.0 // indirect
Expand Down Expand Up @@ -240,9 +241,8 @@ require (
github.com/opencontainers/cgroups v0.0.3 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.1.1 // indirect
github.com/opencontainers/runc v1.2.5 // indirect
github.com/opencontainers/runtime-spec v1.2.0 // indirect
github.com/opencontainers/selinux v1.11.1 // indirect
github.com/opencontainers/runtime-spec v1.2.1 // indirect
github.com/opencontainers/selinux v1.13.0 // indirect
github.com/pelletier/go-toml/v2 v2.2.3 // indirect
github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
Expand All @@ -258,6 +258,7 @@ require (
github.com/raeperd/recvcheck v0.2.0 // indirect
github.com/rivo/uniseg v0.4.7 // indirect
github.com/robfig/cron v1.2.0 // indirect
github.com/robfig/cron/v3 v3.0.1 // indirect
github.com/rogpeppe/go-internal v1.14.1 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/ryancurrah/gomodguard v1.3.5 // indirect
Expand Down Expand Up @@ -301,69 +302,68 @@ require (
gitlab.com/bosi/decorder v0.4.2 // indirect
go-simpler.org/musttag v0.13.0 // indirect
go-simpler.org/sloglint v0.9.0 // indirect
go.etcd.io/etcd/api/v3 v3.6.4 // indirect
go.etcd.io/etcd/client/pkg/v3 v3.6.4 // indirect
go.etcd.io/etcd/client/v3 v3.6.4 // indirect
go.etcd.io/etcd/api/v3 v3.6.5 // indirect
go.etcd.io/etcd/client/pkg/v3 v3.6.5 // indirect
go.etcd.io/etcd/client/v3 v3.6.5 // indirect
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful v0.44.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
go.opentelemetry.io/otel v1.35.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
go.opentelemetry.io/otel v1.36.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // indirect
go.opentelemetry.io/otel/metric v1.35.0 // indirect
go.opentelemetry.io/otel/sdk v1.34.0 // indirect
go.opentelemetry.io/otel/trace v1.35.0 // indirect
go.opentelemetry.io/otel/metric v1.36.0 // indirect
go.opentelemetry.io/otel/sdk v1.36.0 // indirect
Comment on lines +312 to +316
Copy link

@coderabbitai coderabbitai bot Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

GO-2026-4394 GHSA-9h8m-3fm2-qjrq opentelemetry otel sdk vulnerability

💡 Result:

GO-2026-4394 (aliases: GHSA-9h8m-3fm2-qjrq, CVE-2026-24051) is an arbitrary code execution issue in the OpenTelemetry Go SDK affecting go.opentelemetry.io/otel/sdk (specifically the sdk/resource host ID detection on macOS/Darwin). It runs the ioreg command via the system PATH, so an attacker who can influence PATH can cause execution of a malicious ioreg binary in the application’s context. (github.com)

  • Affected versions: >= 1.21.0 and < 1.40.0 (GitHub advisory also lists <= 1.39.0). (github.com)
  • Fixed version: 1.40.0. (github.com)
  • Fix details: change to call ioreg via full path (/usr/sbin/ioreg) instead of relying on PATH. (github.com)

Recommended action: upgrade go.opentelemetry.io/otel/sdk to v1.40.0 or later. (github.com)

Citations:

🏁 Script executed:

# Also check if there's any local Go module information
cd go.mod 2>/dev/null || echo "go.mod is a file, not a directory"
head -1 go.mod
# Get context around the flagged lines
sed -n '309,317p' go.mod

Repository: openshift/machine-api-operator

Length of output: 744

Upgrade go.opentelemetry.io/otel/sdk to v1.40.0 or later.

go.opentelemetry.io/otel/sdk v1.36.0 is vulnerable to GO-2026-4394 (GHSA-9h8m-3fm2-qjrq / CVE-2026-24051), an arbitrary code execution issue affecting macOS/Darwin environments. The vulnerability exists in versions >= 1.21.0 and < 1.40.0 due to unsafe PATH-based invocation of the ioreg command. Upgrade to v1.40.0 or later, which calls ioreg via its full path (/usr/sbin/ioreg).

🧰 Tools
🪛 OSV Scanner (2.3.3)

[HIGH] 315-315: go.opentelemetry.io/otel/sdk 1.36.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk

(GO-2026-4394)

[HIGH] 315-315: go.opentelemetry.io/otel/sdk 1.36.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking

(GHSA-9h8m-3fm2-qjrq)

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 311 - 315, The go.opentelemetry.io/otel/sdk dependency
is pinned at v1.36.0 which is vulnerable (CVE/GO-2026-4394); update the SDK
module version in go.mod by replacing the entry "go.opentelemetry.io/otel/sdk
v1.36.0" with "go.opentelemetry.io/otel/sdk v1.40.0" (or any later patch >=
v1.40.0) and run `go get`/`go mod tidy` to ensure the new version is resolved;
also verify compatibility/consistency with other otel modules (e.g.,
go.opentelemetry.io/otel, otlptrace, metric) after the upgrade.

go.opentelemetry.io/otel/trace v1.36.0 // indirect
go.opentelemetry.io/proto/otlp v1.5.0 // indirect
go.uber.org/atomic v1.11.0 // indirect
go.uber.org/automaxprocs v1.6.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
go.yaml.in/yaml/v2 v2.4.2 // indirect
go.yaml.in/yaml/v2 v2.4.3 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/crypto v0.43.0 // indirect
golang.org/x/crypto v0.45.0 // indirect
golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac // indirect
golang.org/x/mod v0.28.0 // indirect
golang.org/x/mod v0.29.0 // indirect
golang.org/x/oauth2 v0.30.0 // indirect
golang.org/x/sync v0.17.0 // indirect
golang.org/x/sys v0.37.0 // indirect
golang.org/x/term v0.36.0 // indirect
golang.org/x/text v0.30.0 // indirect
golang.org/x/tools v0.37.0 // indirect
golang.org/x/sync v0.18.0 // indirect
golang.org/x/sys v0.38.0 // indirect
golang.org/x/term v0.37.0 // indirect
golang.org/x/text v0.31.0 // indirect
golang.org/x/tools v0.38.0 // indirect
golang.org/x/tools/go/expect v0.1.1-deprecated // indirect
golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated // indirect
gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
google.golang.org/grpc v1.72.1 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
google.golang.org/grpc v1.72.2 // indirect
google.golang.org/protobuf v1.36.8 // indirect
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
honnef.co/go/tools v0.6.1 // indirect
k8s.io/apiextensions-apiserver v0.34.1 // indirect
k8s.io/cli-runtime v0.34.1 // indirect
k8s.io/cloud-provider v0.32.0 // indirect
k8s.io/cluster-bootstrap v0.33.3 // indirect
k8s.io/component-helpers v0.34.1 // indirect
k8s.io/controller-manager v0.32.1 // indirect
k8s.io/cri-api v0.34.1 // indirect
k8s.io/kms v0.34.1 // indirect
k8s.io/kube-aggregator v0.34.1 // indirect
k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
k8s.io/kubelet v0.34.1 // indirect
k8s.io/pod-security-admission v0.32.2 // indirect
k8s.io/apiextensions-apiserver v0.35.1 // indirect
k8s.io/cli-runtime v0.35.1 // indirect
k8s.io/cloud-provider v0.35.1 // indirect
k8s.io/cluster-bootstrap v0.35.1 // indirect
k8s.io/component-helpers v0.35.1 // indirect
k8s.io/controller-manager v0.35.1 // indirect
k8s.io/cri-api v0.35.1 // indirect
k8s.io/kms v0.35.1 // indirect
k8s.io/kube-aggregator v0.35.1 // indirect
k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
k8s.io/kubelet v0.35.1 // indirect
k8s.io/pod-security-admission v0.35.1 // indirect
mvdan.cc/gofumpt v0.7.0 // indirect
mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f // indirect
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
sigs.k8s.io/kustomize/api v0.20.1 // indirect
sigs.k8s.io/kustomize/kyaml v0.20.1 // indirect
sigs.k8s.io/randfill v1.0.0 // indirect
sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 // indirect
)
Loading