PCP-6916 : CAPI - Cherry pick upstream PR#279

Open
Anusha-sc wants to merge 1 commit into spectro-master from PCP-6916


@Anusha-sc

🐛 What this PR does / why we need it

Starting with Kubernetes v1.36, the ControlPlaneKubeletLocalMode feature gate has graduated to GA and no longer needs to be explicitly enabled in kubeadm configurations.

This PR updates CAPI to:

  • Only set ControlPlaneKubeletLocalMode for Kubernetes versions >= 1.31 and < 1.36.
  • Add unit test coverage verifying the feature gate is not added for Kubernetes v1.36.
  • Update KCP adoption e2e tests to remove the feature gate from templates when testing Kubernetes v1.36+.
  • Document the behavior change in the version-specific notes.

This ensures generated kubeadm configurations remain compatible with Kubernetes v1.36+, where the feature gate has been removed.

Which issue(s) this PR fixes

Fixes #

/area control-plane
/area testing
/documentation
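
The version gate described in this PR, as an added example (not code from this PR or from Cluster API). The names `majorMinor`, `defaultFeatureGates` and the `stale` result are hypothetical, and comparing on major.minor only, so that a pre-release such as `v1.36.0-alpha.1` counts as 1.36, is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

const localModeGate = "ControlPlaneKubeletLocalMode"

// majorMinor reads major and minor from "v1.36.0", "1.31.4" or "v1.36.0-alpha.1".
// Patch and pre-release suffixes are ignored (assumption, see lead-in).
func majorMinor(v string) (major, minor int, err error) {
	if _, err = fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d", &major, &minor); err != nil {
		return 0, 0, fmt.Errorf("invalid Kubernetes version %q: %w", v, err)
	}
	return major, minor, nil
}

// defaultFeatureGates returns a copy of gates with the local-mode gate enabled
// only for versions >= 1.31 and < 1.36; an explicit user value is never overridden.
// stale is true when the input still carries the gate for a version >= 1.36,
// where the PR description says the gate has been removed (hypothetical signal).
func defaultFeatureGates(version string, gates map[string]bool) (out map[string]bool, stale bool, err error) {
	major, minor, err := majorMinor(version)
	if err != nil {
		return nil, false, err
	}
	out = make(map[string]bool, len(gates)+1)
	for k, v := range gates {
		out[k] = v
	}
	_, set := out[localModeGate]
	inRange := major == 1 && minor >= 31 && minor < 36
	if inRange && !set {
		out[localModeGate] = true
	}
	past := major > 1 || (major == 1 && minor >= 36)
	return out, set && past, nil
}

func main() {
	// Constructed sample versions covering both edges of the range.
	for _, v := range []string{"v1.30.9", "v1.31.0", "v1.35.2", "v1.36.0-alpha.1"} {
		out, stale, err := defaultFeatureGates(v, nil)
		fmt.Println(v, out, stale, err)
	}
}
```
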

@Anusha-sc changed the title from "PCP-6916 CAPI - Cherry pick upstream PR" to "PCP-6916 : CAPI - Cherry pick upstream PR" on Jun 13, 2026

@bulwark-spectrocloud bulwark-spectrocloud Bot left a comment

⚠️ GoSec scan found code issues:

  1. G115: integer overflow conversion int64 -> int32, Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/cluster/cluster_controller_status.go:107:63
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/cluster/cluster_controller_status.go:104:70
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/contract/types.go:129:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/test/envtest/environment.go:89:47
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machineset/machineset_controller_status.go:189:26
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machineset/machineset_controller_status.go:123:26
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machineset/machineset_controller.go:1204:28
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go:690:26
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go:678:27
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go:253:33
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go:238:35
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinedeployment/mdutil/util.go:726:14
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinedeployment/mdutil/util.go:655:58
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinedeployment/machinedeployment_sync.go:623:15
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinedeployment/machinedeployment_rollout_ondelete.go:122:29
    • ... (truncated), run gosec locally to capture all failure for the rule G115
  2. G404: Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand), Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/util/util.go:61:8
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/util/conversion/conversion.go:160:18
  3. G402: TLS InsecureSkipVerify set to true., Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/controlplane/kubeadm/internal/workload_cluster.go:481:62

Please review these findings and fix the issues before merging.

@bulwark-spectrocloud bulwark-spectrocloud Bot left a comment

⚠️ GoSec scan found code issues:

  1. G115: integer overflow conversion int64 -> int32, Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/cluster/cluster_controller_status.go:107:63
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/cluster/cluster_controller_status.go:104:70
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/contract/types.go:129:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/test/envtest/environment.go:89:47
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machineset/machineset_controller_status.go:189:26
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machineset/machineset_controller_status.go:123:26
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machineset/machineset_controller.go:1204:28
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go:690:26
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go:678:27
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go:253:33
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go:238:35
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinedeployment/mdutil/util.go:726:14
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinedeployment/mdutil/util.go:655:58
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinedeployment/machinedeployment_sync.go:623:15
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/internal/controllers/machinedeployment/machinedeployment_rollout_ondelete.go:122:29
    • ... (truncated), run gosec locally to capture all failure for the rule G115
  2. G404: Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand), Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/util/util.go:61:8
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/util/conversion/conversion.go:160:18
  3. G402: TLS InsecureSkipVerify set to true., Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/controlplane/kubeadm/internal/workload_cluster.go:478:62

Please review these findings and fix the issues before merging.
