
chore(deps): align k8s.io stack to 0.36.2 and controller-runtime to 0.24.1#399

Merged
oscerd merged 3 commits into KaotoIO:main from oscerd:chore/align-k8s-deps
Jun 15, 2026

Conversation


@oscerd oscerd commented Jun 15, 2026

Contributor

What

Aligns the whole Kubernetes / sigs.k8s.io dependency stack as a single coherent update — something Dependabot can't do because it raises each k8s.io/* module in a separate PR — plus the security follow-ups that fall out of it.

| Module | From | To |
|---|---|---|
| k8s.io/api / apimachinery / client-go | 0.35.3 | 0.36.2 |
| k8s.io/apiextensions-apiserver (indirect) | 0.35.1 | 0.36.0 |
| k8s.io/klog/v2 | 2.130.1 | 2.140.0 |
| sigs.k8s.io/controller-runtime | 0.23.1 | 0.24.1 |
| sigs.k8s.io/structured-merge-diff/v6 | 6.3.2-(pseudo) | 6.4.0 |
| golang.org/x/net (indirect) | 0.49.0 | 0.56.0 |
| go directive | 1.25.7 | 1.26.4 |

Why

The individual Dependabot k8s bumps (#395, #396, #397) fail to build: client-go 0.35 references API GroupVersions (autoscaling/v2beta1, scheduling/v1alpha1) removed in k8s.io/api 0.36, so the three must move in lockstep. controller-runtime 0.24 is the line that targets k8s 0.36 (0.23.x targets 0.35), superseding #379.

Security (the go.mod findings)

k8s 0.36 / controller-runtime 0.24 require Go 1.26. Two security items surface from that and were fixed here:

  • golang.org/x/net → v0.56.0: govulncheck flagged two reachable CVEs in v0.49.0 (GO-2026-4918 HTTP/2 transport loop, GO-2026-5026 idna), reachable via openshift.IsOpenShift.
  • go directive → 1.26.4: go get set it to the unpatched 1.26.0, which carries ~20 Go stdlib advisories (GO-2026-4599 … GO-2026-5039). Pinning the latest 1.26 patch clears them; osv-scanner and govulncheck both report no vulnerabilities. (Mirrors the repo's 1.25.0 → 1.25.7 convention.)

The builder image moves golang:1.25 → golang:1.26; CI reads go-version-file: go.mod, so both build on the patched toolchain.

Verification

go build / go vet / go test ./pkg/... ./internal/... ✅ · make manifests generate ✅ (no drift) · govulncheck ./... clean · osv-scanner clean. CI: build ✅, e2e ✅, e2e/images ✅.

Note: the security/snyk check reports error (not failure) on the final commit — Snyk's DB does not yet recognize the just-released Go 1.26.4, so it aborts the test. The tree is verifiably clean via govulncheck + osv-scanner.

Supersedes

Replaces #379, #380, #390, #395, #396, #397 with one coherent update.
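The two failure modes the description above turns on (k8s.io modules drifting out of lockstep, and a go directive left at an unpatched x.y.0 release) are both visible in go.mod alone, so a small pre-flight check can catch them before a build or a scanner does. The following is an added example, not code from the Kaoto operator or from this PR: it parses a constructed go.mod excerpt (not the project's real file) with only the standard library, reports when k8s.io/api, apimachinery and client-go are pinned to different versions, and compares the go directive against a minimum patched release (1.26.4 here, mirroring the pin the PR lands on). The minimum version and the sample module list are assumptions chosen for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod excerpt (not the project's real file).
// It reproduces both states the PR describes: client-go left on 0.35.x while
// api/apimachinery moved to 0.36.x, and a go directive at the unpatched 1.26.0.
const sampleGoMod = `module example.com/operator

go 1.26.0

require (
	k8s.io/api v0.36.2
	k8s.io/apimachinery v0.36.2
	k8s.io/client-go v0.35.3
)

require golang.org/x/net v0.49.0 // indirect
`

// lockstepModules must share one version: client-go references API
// GroupVersions that a different k8s.io/api release may have removed.
var lockstepModules = []string{"k8s.io/api", "k8s.io/apimachinery", "k8s.io/client-go"}

type modInfo struct {
	GoVersion string
	Require   map[string]string // module path -> version
}

// parseGoMod extracts the go directive and every require entry (block or
// single-line form), ignoring trailing // comments such as "// indirect".
func parseGoMod(src string) modInfo {
	info := modInfo{Require: map[string]string{}}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case f[0] == "go" && len(f) == 2:
			info.GoVersion = f[1]
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == ")":
			inBlock = false
		case f[0] == "require" && len(f) == 3:
			info.Require[f[1]] = f[2]
		case inBlock && len(f) == 2:
			info.Require[f[0]] = f[1]
		}
	}
	return info
}

// lockstepVersions returns the distinct versions pinned for the lockstep
// modules, sorted; more than one entry means the stack has drifted apart.
func lockstepVersions(info modInfo) []string {
	seen := map[string]bool{}
	for _, m := range lockstepModules {
		if v, ok := info.Require[m]; ok {
			seen[v] = true
		}
	}
	out := make([]string, 0, len(seen))
	for v := range seen {
		out = append(out, v)
	}
	sort.Strings(out)
	return out
}

// parseVersion turns "1.26.4" or "v0.36.2" into numeric major.minor.patch.
func parseVersion(v string) (n [3]int, ok bool) {
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	if len(parts) != 3 {
		return n, false
	}
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return n, false
		}
		n[i] = x
	}
	return n, true
}

// goDirectiveAtLeast reports whether the go directive is at or above the
// minimum patched release (the PR's case is 1.26.0 vs. the pinned 1.26.4).
func goDirectiveAtLeast(info modInfo, min string) bool {
	have, ok1 := parseVersion(info.GoVersion)
	want, ok2 := parseVersion(min)
	if !ok1 || !ok2 {
		return false
	}
	for i := 0; i < 3; i++ {
		if have[i] != want[i] {
			return have[i] > want[i]
		}
	}
	return true
}

func main() {
	info := parseGoMod(sampleGoMod)
	if vs := lockstepVersions(info); len(vs) > 1 {
		fmt.Println("k8s.io stack is not in lockstep:", vs)
	}
	if !goDirectiveAtLeast(info, "1.26.4") {
		fmt.Println("go directive", info.GoVersion, "is below the patched release 1.26.4")
	}
}
```

Run against the sample it reports both problems; against a go.mod where the three modules share v0.36.2 and the directive reads 1.26.4 it is silent. The version check is deliberately presence-based like osv-scanner: it says nothing about reachability, which is the question govulncheck answers.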


coderabbitai Bot commented Jun 15, 2026

Contributor

📥 Commits

Reviewing files that changed from the base of the PR and between 6c18f2b and a80ba28.

📒 Files selected for processing (1)
  • go.mod
Walkthrough

Upgrades the Go toolchain from 1.25 to 1.26 in the Dockerfile builder image and go.mod directive. Bumps core Kubernetes and controller-runtime direct dependencies, removes the github.com/google/btree indirect dependency, and refreshes versions for a broad set of indirect modules.

Changes

Go 1.26 Toolchain and Dependency Upgrade

| Layer | File(s) | Summary |
|---|---|---|
| Go 1.26 toolchain version bump | Dockerfile, go.mod | Builder stage base image updated from golang:1.25 to golang:1.26; go directive in go.mod updated from 1.25.7 to 1.26.0. |
| Direct Kubernetes dependency upgrades | go.mod | Upgrades k8s.io/api, k8s.io/apimachinery, k8s.io/client-go, k8s.io/klog/v2, sigs.k8s.io/controller-runtime, sigs.k8s.io/structured-merge-diff/v6, and emicklei/go-restful/v3 in the direct require block. |
| Indirect dependency refresh and removal | go.mod | Removes github.com/google/btree indirect entry; bumps prometheus/common, zap, golang.org/x/oauth2, golang.org/x/time, google.golang.org/protobuf, k8s.io/apiextensions-apiserver, k8s.io/kube-openapi, and k8s.io/utils indirect versions. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 Hippity-hop, the toolchain climbs high,
From 1.25 to 1.26 we fly!
The k8s modules all bumped up in line,
Old btree removed — the go.mod looks fine.
A cleaner dependency tree, oh my!
✨ The rabbit approves this upgrade with cheer~

Pre-merge checks: 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: coordinated updates to Kubernetes (k8s.io stack to 0.36.2) and controller-runtime (to 0.24.1) dependencies. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |



oscerd commented Jun 15, 2026

Contributor Author

Security: also bumps golang.org/x/net → v0.56.0

The security/snyk check flagged a vulnerability in go.mod. govulncheck confirmed two reachable vulnerabilities in golang.org/x/net@v0.49.0 (reachable via openshift.IsOpenShift → discovery client):

  • GO-2026-4918 — infinite loop in HTTP/2 transport on bad SETTINGS_MAX_FRAME_SIZE (fixed in v0.53.0)
  • GO-2026-5026 — idna ASCII-only Punycode label handling (fixed in v0.55.0)

This was pre-existing on main (which already pins x/net v0.49.0) but only surfaced now because these are recent CVEs. Bumping to v0.56.0 (plus the x/sys, x/term, x/text deps it pulls) clears both — govulncheck ./... now reports No vulnerabilities found.

oscerd and others added 2 commits June 15, 2026 13:02
….24.1

Dependabot raises the k8s.io/{api,apimachinery,client-go} bumps individually
(KaotoIO#395, KaotoIO#396, KaotoIO#397), which cannot build because the three modules must move in
lockstep -- client-go 0.35 references API GroupVersions (autoscaling/v2beta1,
scheduling/v1alpha1) that were removed in k8s.io/api 0.36. This aligns the whole
Kubernetes / sigs.k8s.io stack as a single coherent update:

  k8s.io/api, apimachinery, client-go   0.35.3  -> 0.36.2
  k8s.io/apiextensions-apiserver        0.35.1  -> 0.36.0  (indirect)
  k8s.io/klog/v2                        2.130.1 -> 2.140.0
  sigs.k8s.io/controller-runtime        0.23.1  -> 0.24.1  (0.24 line targets k8s 0.36)
  sigs.k8s.io/structured-merge-diff/v6  pseudo  -> 6.4.0

k8s 0.36 and controller-runtime 0.24 require Go 1.26, so the go directive moves
1.25.7 -> 1.26.0 and the builder image moves golang:1.25 -> golang:1.26. The
workflows already read go-version-file: go.mod, so they pick this up.

Supersedes KaotoIO#379, KaotoIO#380, KaotoIO#390, KaotoIO#395, KaotoIO#396, KaotoIO#397.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
govulncheck flags two reachable vulnerabilities in golang.org/x/net v0.49.0,
reachable via openshift.IsOpenShift -> discovery client:
  - GO-2026-4918: infinite loop in HTTP/2 transport (fixed in v0.53.0)
  - GO-2026-5026: idna ASCII-only Punycode label handling (fixed in v0.55.0)

This is the go.mod finding reported by the security/snyk check. Bumping to
v0.56.0 (plus the x/sys, x/term, x/text deps it pulls) clears both;
govulncheck now reports no vulnerabilities.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@oscerd oscerd force-pushed the chore/align-k8s-deps branch from 66ddd7e to 6c18f2b Compare June 15, 2026 11:02
The k8s 0.36 / controller-runtime 0.24 bump requires Go 1.26, but `go get`
set the directive to the unpatched 1.26.0, which carries ~20 Go stdlib
advisories (GO-2026-4599 .. GO-2026-5039 -- e.g. GO-2026-4918, the HTTP/2
transport infinite loop). This is what the security/snyk check flags against
go.mod. Pinning the latest 1.26 patch (1.26.4) clears them all; osv-scanner
then reports no vulnerabilities.

Mirrors the existing convention of pinning patched Go releases
(cf. the earlier 1.25.0 -> 1.25.7 bump). CI reads go-version-file: go.mod and
the Dockerfile uses golang:1.26, so both build with the patched toolchain.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

oscerd commented Jun 15, 2026

Contributor Author

Root cause of the security/snyk go.mod finding: the Go version pin

govulncheck came back clean, so I ran osv-scanner (presence-based, like Snyk). The finding wasn't a dependency at all — it was stdlib at go 1.26.0. The k8s 0.36 / controller-runtime 0.24 bump requires Go 1.26, and go get set the directive to the unpatched 1.26.0, which carries ~20 Go stdlib advisories (GO-2026-4599 … GO-2026-5039, including the same GO-2026-4918 HTTP/2 transport loop).

Pinning the latest 1.26.4 patch (a80ba28) clears all of them — osv-scanner now reports no vulnerabilities. This matches the repo's existing convention of pinning patched Go releases (cf. the earlier 1.25.0 → 1.25.7 bump). CI installs via go-version-file: go.mod and the image builds from golang:1.26, so both use the patched toolchain.

@oscerd oscerd merged commit 063a746 into KaotoIO:main Jun 15, 2026
4 of 5 checks passed