ci(operator): centralize Kubernetes test versions

Signed-off-by: AnouarMohamed <m.anouar@mundiapolis.ma>

Author: AnouarMohamed

.github/workflows/agent-ci.yaml

@@ -24,6 +24,7 @@ on:
       - '!agent/go/**'
       - containers/agent.Dockerfile
       - .github/actions/**
+      - operator/k8s-test-versions.mk
       - .github/workflows/agent-ci.yaml
   push:
     branches:
@@ -35,6 +36,7 @@ on:
       - '!agent/go/**'
       - containers/agent.Dockerfile
       - .github/actions/**
+      - operator/k8s-test-versions.mk
       - .github/workflows/agent-ci.yaml
 env:
   REGISTRY: ghcr.io
@@ -322,20 +324,31 @@ jobs:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Load Kubernetes test versions
+        id: k8s-versions
+        run: |
+          cd operator
+          make print-k8s-test-versions-github-output >> "$GITHUB_OUTPUT"
+
+      - name: Validate KinD node image
+        run: |
+          cd operator
+          make validate-kind-node-image KIND_NODE_IMAGE_VERSION=${{ steps.k8s-versions.outputs.kind-node-image-version }}
       
       - name: Create Kubernetes KinD Cluster
         uses: helm/kind-action@v1.14.0
         with:
-          version: v0.31.0
-          node_image: kindest/node:v1.35.0
+          version: ${{ steps.k8s-versions.outputs.kind-binary-version }}
+          node_image: kindest/node:v${{ steps.k8s-versions.outputs.kind-node-image-version }}
           config: operator/config/local-dev/kind-config.yaml
           cluster_name: kind
 
       - name: Restore cached Binaries
         id: cached-binaries
         uses: actions/cache/restore@v5
         with:
-          key: ${{ env.GO_VERSION }}-${{ runner.os }}-${{ runner.arch }}-bin-${{ hashFiles('operator/deps.mk') }}
+          key: ${{ env.GO_VERSION }}-${{ runner.os }}-${{ runner.arch }}-bin-${{ hashFiles('operator/deps.mk', 'operator/k8s-test-versions.mk') }}
           restore-keys: ${{ env.GO_VERSION }}-${{ runner.os }}-${{ runner.arch }}-bin-
           path: |
             ${{ github.workspace }}/operator/bin
@@ -351,7 +364,7 @@ jobs:
         if: steps.cached-binaries.outputs.cache-hit != 'true'
         uses: actions/cache/save@v5
         with:
-          key: ${{ env.GO_VERSION }}-${{ runner.os }}-${{ runner.arch }}-bin-${{ hashFiles('operator/deps.mk') }}
+          key: ${{ env.GO_VERSION }}-${{ runner.os }}-${{ runner.arch }}-bin-${{ hashFiles('operator/deps.mk', 'operator/k8s-test-versions.mk') }}
           path: |
             ${{ github.workspace }}/operator/bin
             ~/.cache/go-build

.github/workflows/operator-ci.yaml

@@ -25,6 +25,7 @@ on:
       - operator/go.mod
       - operator/go.sum
       - operator/deps.mk
+      - operator/k8s-test-versions.mk
       - operator/config/**
       - containers/operator.Dockerfile
       - .github/actions/**
@@ -41,6 +42,7 @@ on:
       - operator/go.mod
       - operator/go.sum
       - operator/deps.mk
+      - operator/k8s-test-versions.mk
       - operator/config/**
       - containers/operator.Dockerfile
       - .github/actions/**
@@ -59,11 +61,30 @@ env:
   # waiting for each action (checkout/setup-go/cache/upload-artifact) to
   # publish a Node 24 release.
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  KIND_BINARY_VERSION: v0.31.0
   PLATFORMS: linux/amd64,linux/arm64
   PUSH_TO_REGISTRY: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
 
 jobs:
+  k8s-test-versions:
+    name: Load Kubernetes Test Versions
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      envtest-k8s-version: ${{ steps.versions.outputs.envtest-k8s-version }}
+      kind-version: ${{ steps.versions.outputs.kind-version }}
+      kind-node-image-version: ${{ steps.versions.outputs.kind-node-image-version }}
+      kind-binary-version: ${{ steps.versions.outputs.kind-binary-version }}
+      ci-kind-node-image-versions-json: ${{ steps.versions.outputs.ci-kind-node-image-versions-json }}
+      ci-primary-kind-node-image-version: ${{ steps.versions.outputs.ci-primary-kind-node-image-version }}
+    steps:
+      - uses: actions/checkout@v6
+      - name: Load versions
+        id: versions
+        run: |
+          cd operator
+          make print-k8s-test-versions-github-output >> "$GITHUB_OUTPUT"
+
   fetch-distroless-versions:
     name: Fetch Latest Distroless Versions
     runs-on: ubuntu-latest
@@ -85,27 +106,28 @@ jobs:
   # Test operator across supported Kubernetes versions and test suites
   tests:
     runs-on: ubuntu-latest
+    needs: [k8s-test-versions]
     strategy:
       matrix:
         # Standard E2E tests on all supported K8s versions
-        k8s-version: ["1.32.11", "1.33.7", "1.34.3", "1.35.0"]
+        k8s-version: ${{ fromJson(needs.k8s-test-versions.outputs.ci-kind-node-image-versions-json) }}
         test-suite: ["e2e"]
         pool: ["core", "interrupt", "uninstall", "lifecycle"]
         make-targets: ["setup-kind-cluster e2e-tests"]
         include:
-          # Deployment policy tests on 15-node cluster (K8s 1.35 only)
-          - k8s-version: "1.35.0"
+          # Deployment policy tests on 15-node cluster use the primary Kind node image.
+          - k8s-version: ${{ needs.k8s-test-versions.outputs.ci-primary-kind-node-image-version }}
             test-suite: deployment-policy
             kind-config: k8s-tests/chainsaw/deployment-policy/kind-config.yaml
             make-targets: "setup-kind-cluster deployment-policy-tests"
-          # CLI e2e tests on K8s 1.34 only
-          - k8s-version: "1.35.0"
+          # Focus the heavier suites on the primary Kind node image.
+          - k8s-version: ${{ needs.k8s-test-versions.outputs.ci-primary-kind-node-image-version }}
             test-suite: cli-e2e
             make-targets: "setup-kind-cluster cli-e2e-tests"
-          - k8s-version: "1.35.0"
+          - k8s-version: ${{ needs.k8s-test-versions.outputs.ci-primary-kind-node-image-version }}
             test-suite: unit-tests
             make-targets: "vet lint unit-tests"
-          - k8s-version: "1.35.0"
+          - k8s-version: ${{ needs.k8s-test-versions.outputs.ci-primary-kind-node-image-version }}
             test-suite: helm-tests
             make-targets: "helm-tests"
       fail-fast: false  # Continue testing other versions if one fails
@@ -132,7 +154,7 @@ jobs:
         id: cached-binaries
         uses: actions/cache/restore@v5
         with:
-          key: ${{ env.GO_VERSION }}-${{ runner.os }}-${{ runner.arch }}-bin-${{ hashFiles('operator/deps.mk') }}
+          key: ${{ env.GO_VERSION }}-${{ runner.os }}-${{ runner.arch }}-bin-${{ hashFiles('operator/deps.mk', 'operator/k8s-test-versions.mk') }}
           restore-keys: ${{ env.GO_VERSION }}-${{ runner.os }}-${{ runner.arch }}-bin-
           path: |
             ${{ github.workspace }}/operator/bin
@@ -147,34 +169,38 @@ jobs:
         if: steps.cached-binaries.outputs.cache-hit != 'true'
         uses: actions/cache/save@v5
         with:
-          key: ${{ env.GO_VERSION }}-${{ runner.os }}-${{ runner.arch }}-bin-${{ hashFiles('operator/deps.mk') }}
+          key: ${{ env.GO_VERSION }}-${{ runner.os }}-${{ runner.arch }}-bin-${{ hashFiles('operator/deps.mk', 'operator/k8s-test-versions.mk') }}
           path: |
             ${{ github.workspace }}/operator/bin
             ~/.cache/go-build
+      - name: Validate KinD node image v${{ matrix.k8s-version }}
+        if: matrix.test-suite != 'unit-tests' # unit tests don't need a cluster
+        run: |
+          cd operator
+          make validate-kind-node-image KIND_NODE_IMAGE_VERSION=${{ matrix.k8s-version }}
       - name: Create Kubernetes KinD Cluster v${{ matrix.k8s-version }}
         if: matrix.test-suite != 'unit-tests' && matrix.test-suite != 'helm-tests' # unit tests don't need a cluster; helm-tests uses ctlptl
         id: kind
         uses: helm/kind-action@v1.14.0
         with:
-          version: ${{ env.KIND_BINARY_VERSION }}
+          version: ${{ needs.k8s-test-versions.outputs.kind-binary-version }}
           node_image: kindest/node:v${{ matrix.k8s-version }}
           config: ${{ matrix.kind-config || 'operator/config/local-dev/kind-config.yaml' }}
           cluster_name: kind
       - name: Install kind
         if: matrix.test-suite == 'helm-tests'
+        env:
+          KIND_BINARY_VERSION: ${{ needs.k8s-test-versions.outputs.kind-binary-version }}
         run: |
           curl -fsSL -o /tmp/kind-linux-amd64 https://kind.sigs.k8s.io/dl/${KIND_BINARY_VERSION}/kind-linux-amd64
           curl -fsSL -o /tmp/kind-linux-amd64.sha256sum https://kind.sigs.k8s.io/dl/${KIND_BINARY_VERSION}/kind-linux-amd64.sha256sum
           cd /tmp && sha256sum -c kind-linux-amd64.sha256sum
           sudo install /tmp/kind-linux-amd64 /usr/local/bin/kind
       - name: Create ctlptl KinD Cluster
-        if: matrix.test-suite == 'helm-tests'
-        run: ./operator/bin/ctlptl apply -f operator/config/local-dev/ctlptl-config.yaml
-      - name: Set up ctlptl KinD Cluster
         if: matrix.test-suite == 'helm-tests'
         run: |
           cd operator
-          make setup-kind-cluster
+          make create-kind-cluster KIND_NODE_IMAGE_VERSION=${{ matrix.k8s-version }}
       # Run test suite
       - name: Run ${{ matrix.test-suite }} tests
         env:

docs/README.md

@@ -33,6 +33,9 @@ This directory contains user and operator documentation for Skyhook. Here you'll
   - [Webhook Bootstrap Lease](designs/webhook-bootstrap-lease.md): Why the admission-webhook cert bootstrap runs on a dedicated leader-election lease, and the runbook for upgrading from v0.7.x (where the new lease does not yet exist).
 
 - **Process**
+  - [Local Development](development.md):
+      Developer workflow notes, including local kind clusters and Kubernetes test version ownership.
+
   - [Releases](releases.md):
       Release notes and upgrade information for Skyhook.
 

docs/development.md

@@ -18,6 +18,24 @@ brew install tilt-dev/tap/ctlptl
 
 Keep manual installs in sync with `CTLPTL_VERSION` in `operator/deps.mk`.
 
+## Kubernetes Test Versions
+
+`operator/k8s-test-versions.mk` is the source of truth for Kubernetes versions used by envtest, local kind clusters, and GitHub Actions test matrices.
+
+- `ENVTEST_K8S_VERSION` controls `setup-envtest` binary assets under `operator/bin/k8s/`.
+- `KIND_NODE_IMAGE_VERSION` controls the default `kindest/node` image for local kind clusters. `KIND_VERSION` remains as a backward-compatible alias for local overrides.
+- `KIND_BINARY_VERSION` controls the Kind CLI/action version and is intentionally separate from Kubernetes node image versions.
+- `CI_KIND_NODE_IMAGE_VERSIONS_JSON` and `CI_PRIMARY_KIND_NODE_IMAGE_VERSION` feed the GitHub Actions matrix.
+
+These versions often match, but they are allowed to diverge. Kind does not publish every Kubernetes patch version as a `kindest/node` image, so validate a new node image before using it:
+
+```bash
+cd operator
+make validate-kind-node-image KIND_NODE_IMAGE_VERSION=1.35.0
+```
+
+When updating supported test versions, edit `operator/k8s-test-versions.mk` first, then run the validation target and the relevant tests.
+
 ## Local Cluster
 
 Bring up the kind cluster and local registry:
@@ -27,7 +45,9 @@ cd operator
 make create-kind-cluster
 ```
 
-`make create-kind-cluster` applies `config/local-dev/ctlptl-config.yaml`, which creates the kind cluster and a local registry at `localhost:5005`. It also runs `make setup-kind-cluster`, which is idempotent and labels the test node and creates the `skyhook` namespace pull secret.
+`make create-kind-cluster` renders `config/local-dev/ctlptl-config.yaml` into `reporting/ctlptl-config.yaml`, deletes any existing cluster defined by that rendered config, and then creates the kind cluster plus a local registry at `localhost:5005`. It also runs `make setup-kind-cluster`, which is idempotent and labels the test node and creates the `skyhook` namespace pull secret.
+
+Do not run `ctlptl apply -f config/local-dev/ctlptl-config.yaml` directly; the tracked file is a Make-rendered template.
 
 ## Webhook Iteration
 
@@ -42,7 +62,7 @@ The local registry removes the need for `kind load docker-image` or registry-pin
 
 ## Teardown
 
-Delete the cluster and registry with the same ctlptl config:
+Delete the cluster and registry with the rendered ctlptl config:
 
 ```bash
 cd operator

docs/kubernetes-support.md

@@ -41,7 +41,7 @@ This document outlines Skyhook's approach to supporting different Kubernetes ver
 **For new Kubernetes releases:**
 
 1. Wait **4+ weeks** after K8s release for ecosystem stability
-2. Add to our CI testing matrix
+2. Add to the CI testing matrix in `operator/k8s-test-versions.mk`
 3. Include in next Skyhook release
 
 **For EOL Kubernetes versions:**
@@ -120,13 +120,12 @@ Waiting 4+ weeks lets the ecosystem stabilize and gives us confidence in support
 ### How do you test compatibility?
 
 For each Skyhook release, we test against all supported Kubernetes versions using:
-
-- GitHub Actions matrix builds with multiple K8s versions (currently 1.31, 1.32, 1.33, 1.34, 1.35)
+- GitHub Actions matrix builds with multiple K8s versions. The exact tested patch versions are owned by `CI_KIND_NODE_IMAGE_VERSIONS_JSON` in `operator/k8s-test-versions.mk`.
 - Local testing with [kind](https://kind.sigs.k8s.io/)
 - Basic functionality and integration tests
 
 ## Notes
 
 This is a living document that will evolve as the project grows. Our current approach supports all actively maintained Kubernetes versions (typically 3 versions) while providing reasonable predictability for users.
 
-For questions about Kubernetes support, please open an issue in our [GitHub repository](https://github.com/NVIDIA/skyhook). 
+For questions about Kubernetes support, please open an issue in our [GitHub repository](https://github.com/NVIDIA/skyhook).

operator/Makefile

@@ -27,9 +27,6 @@ IMG ?= $(IMG_REPO)/operator
 LOCAL_REGISTRY ?= localhost:5005
 LOCAL_OPERATOR_IMG ?= $(LOCAL_REGISTRY)/skyhook-operator:testing
 
-## default Kubernetes version for kind-based development clusters
-KIND_VERSION ?= 1.36.0
-
 PLATFORM := $(shell uname -s 2>/dev/null || echo unknown)
 SKYHOOK_NAMESPACE ?= skyhook
 
@@ -154,6 +151,44 @@ reporting: $(REPORTING)
 $(REPORTING):
 	mkdir -p $@
 
+CTLPTL_CONFIG_TEMPLATE ?= config/local-dev/ctlptl-config.yaml
+CTLPTL_CONFIG_RENDERED ?= $(REPORTING)/ctlptl-config.yaml
+
+.PHONY: print-k8s-test-versions-github-output
+print-k8s-test-versions-github-output: ## Print Kubernetes test versions in GitHub Actions output format.
+	@printf 'envtest-k8s-version=%s\n' '$(ENVTEST_K8S_VERSION)'
+	@printf 'kind-version=%s\n' '$(KIND_VERSION)'
+	@printf 'kind-node-image-version=%s\n' '$(KIND_NODE_IMAGE_VERSION)'
+	@printf 'kind-binary-version=%s\n' '$(KIND_BINARY_VERSION)'
+	@printf 'ci-kind-node-image-versions-json=%s\n' '$(CI_KIND_NODE_IMAGE_VERSIONS_JSON)'
+	@printf 'ci-primary-kind-node-image-version=%s\n' '$(CI_PRIMARY_KIND_NODE_IMAGE_VERSION)'
+
+.PHONY: validate-kind-node-image
+validate-kind-node-image: ## Check that the configured kindest/node image tag exists before creating a cluster.
+	@echo "Validating kindest/node:v$(KIND_NODE_IMAGE_VERSION)"
+	@if command -v $(DOCKER_CMD) >/dev/null 2>&1; then \
+		if [ "$(DOCKER_CMD)" = "podman" ]; then \
+			$(DOCKER_CMD) manifest inspect docker://kindest/node:v$(KIND_NODE_IMAGE_VERSION) >/dev/null; \
+		else \
+			$(DOCKER_CMD) manifest inspect kindest/node:v$(KIND_NODE_IMAGE_VERSION) >/dev/null; \
+		fi; \
+	elif command -v docker >/dev/null 2>&1; then \
+		docker manifest inspect kindest/node:v$(KIND_NODE_IMAGE_VERSION) >/dev/null; \
+	elif command -v podman >/dev/null 2>&1; then \
+		podman manifest inspect docker://kindest/node:v$(KIND_NODE_IMAGE_VERSION) >/dev/null; \
+	else \
+		curl -fsSL https://hub.docker.com/v2/repositories/kindest/node/tags/v$(KIND_NODE_IMAGE_VERSION) >/dev/null; \
+	fi || { \
+		echo "kindest/node:v$(KIND_NODE_IMAGE_VERSION) is not published or cannot be inspected."; \
+		echo "Update KIND_NODE_IMAGE_VERSION in k8s-test-versions.mk, or override it with a published kindest/node tag."; \
+		exit 1; \
+	}
+
+.PHONY: render-ctlptl-config
+render-ctlptl-config: reporting ## Render local ctlptl config using KIND_NODE_IMAGE_VERSION.
+	sed 's|@@KIND_NODE_IMAGE_VERSION@@|$(KIND_NODE_IMAGE_VERSION)|g' $(CTLPTL_CONFIG_TEMPLATE) > $(CTLPTL_CONFIG_RENDERED)
+	@echo "$(CTLPTL_CONFIG_RENDERED)"
+
 .PHONY: test
 test:: reporting manifests generate fmt vet lint build-cli unit-tests e2e-tests cli-e2e-tests helm-tests operator-agent-tests ## Run all tests.
 
@@ -267,8 +302,8 @@ rollout-local: push-local-image ## push locally-built operator and restart the d
 
 
 .PHONY: delete-kind-cluster
-delete-kind-cluster: ctlptl ## delete the local ctlptl kind cluster and registry
-	$(CTLPTL) delete -f config/local-dev/ctlptl-config.yaml
+delete-kind-cluster: ctlptl render-ctlptl-config ## delete the local ctlptl kind cluster and registry
+	$(CTLPTL) delete -f $(CTLPTL_CONFIG_RENDERED)
 
 operator-agent-tests: chainsaw install ## Run operator agent tests.
 	@if [ -z "$(AGENT_IMAGE)" ]; then \
@@ -292,7 +327,7 @@ deployment-policy-tests: chainsaw install run ensure-test-symlinks ## Run all de
 	go tool covdata textfmt -i=$(REPORTING)/int -o reporting/int.coverprofile
 
 .PHONY: create-deployment-policy-cluster
-create-deployment-policy-cluster: ## Create a 15-node Kind cluster for deployment policy tests.
+create-deployment-policy-cluster: validate-kind-node-image ## Create a 15-node Kind cluster for deployment policy tests.
 	@echo "🔧 Creating 15-node Kind cluster for deployment policy tests..."
 	@# Fix for Podman: increase kernel keyring quota
 	@if command -v podman >/dev/null 2>&1; then \
@@ -306,7 +341,7 @@ create-deployment-policy-cluster: ## Create a 15-node Kind cluster for deploymen
 		fi; \
 	fi
 	kind delete cluster --name skyhook-dp-test 2>/dev/null || true
-	kind create cluster --name skyhook-dp-test --config ../k8s-tests/chainsaw/deployment-policy/kind-config.yaml --image=kindest/node:v$(KIND_VERSION)
+	kind create cluster --name skyhook-dp-test --config ../k8s-tests/chainsaw/deployment-policy/kind-config.yaml --image=kindest/node:v$(KIND_NODE_IMAGE_VERSION)
 
 .PHONY: delete-deployment-policy-cluster
 delete-deployment-policy-cluster: ## Delete the 15-node Kind cluster for deployment policy tests.
@@ -331,9 +366,9 @@ setup-kind-cluster: ## setup kind cluster with local docker creds and skyhook na
 	fi
 
 
-create-kind-cluster: ctlptl ## deletes any existing kind cluster from ctlptl-config.yaml and creates a fresh one.
-	$(CTLPTL) delete -f config/local-dev/ctlptl-config.yaml || true
-	$(CTLPTL) apply -f config/local-dev/ctlptl-config.yaml
+create-kind-cluster: ctlptl validate-kind-node-image render-ctlptl-config ## creates or updates a kind cluster.
+	$(CTLPTL) delete -f $(CTLPTL_CONFIG_RENDERED) || true
+	$(CTLPTL) apply -f $(CTLPTL_CONFIG_RENDERED)
 	$(MAKE) setup-kind-cluster
 
 podman-create-machine: ## creates a podman machine

operator/README.md

@@ -163,7 +163,7 @@ Development
   watch-tests      watch unit tests and auto run on changes.
   unit-tests       Run unit tests.
   e2e-tests        Run end to end tests.
-  create-kind-cluster  deletes and creates a new kind cluster. versions is set via KIND_VERSION
+  create-kind-cluster  deletes and creates a new kind cluster. versions are set via KIND_NODE_IMAGE_VERSION
   podman-create-machine  creates a podman machine
   lint             Run golangci-lint linter & yamllint
   lint-fix         Run golangci-lint linter and perform fixes