KubeadmControlPlane kubeletExtraArgs marked invalid

[muryoutaisuu]

What steps did you take and what happened?

preconditions:

• capi v1.10.3
• a managed k8s cluster with apiVersion: controlplane.cluster.x-k8s.io/v1beta1 and with some kubeletExtraArgs, e.g. in .spec.kubeadmConfigSpec.initConfiguration.nodeRegistration.kubeletExtraArgs

step-by-step:

1. update capi to v1.11.4
2. update managed cluster's KubeadmControlPlane to apiVersion: controlplane.cluster.x-k8s.io/v1beta2
3. migrate KubeadmControlPlane's kubeletExtraArgs to slices (as needed by v1beta2) and apply

result:
for some clusters, we then receive the error message:

KubeadmControlPlane.controlplane.cluster.x-k8s.io "davinci-1" is invalid: [spec.kubeadmConfigSpec.initConfiguration.nodeRegistration.kubeletExtraArgs: Invalid value: "array": kubeletExtraArgs name must be unique, spec.kubeadmConfigSpec.joinConfiguration.nodeRegistration.kubeletExtraArgs: Invalid value: "array": kubeletExtraArgs name must be unique]

What did you expect to happen?

The mentioned kubeletExtraArgs follow the new syntax of being an array. We expect a successful apply.

Cluster API version

v1.11.4

Kubernetes version

v1.33.4
(both, management and managed cluster)

Anything else you would like to add?

KubeadmControlPlane CRD is up2date:

> k explain KubeadmControlPlane.spec.kubeadmConfigSpec.initConfiguration.nodeRegistration.kubeletExtraArgs
GROUP:      controlplane.cluster.x-k8s.io
KIND:       KubeadmControlPlane
VERSION:    v1beta2

FIELD: kubeletExtraArgs <[]Object>

KubeadmControlPlane Object is up2date too, and currently set kubeletExtraArgs:

> k get kubeadmcontrolplane davinci-1 -o yaml | yq '.apiVersion,.spec.kubeadmConfigSpec.initConfiguration.nodeRegistration.kubeletExtraArgs'
controlplane.cluster.x-k8s.io/v1beta2
- name: cloud-provider
  value: external
- name: container-log-max-files
  value: "5"
- name: container-log-max-size
  value: 10Mi
- name: event-qps
  value: "0"
- name: feature-gates
  value: UserNamespacesSupport=true
- name: node-ip
  value: '{{ ds.meta_data.local_ipv4  }}'
- name: protect-kernel-defaults
  value: "true"
- name: tls-cipher-suites
  value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256

Label(s) to be applied

/kind bug
/area provider/control-plane-kubeadm

[k8s-ci-robot]

This issue is currently awaiting triage.

If CAPI contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[MaxRink]

Ive had a quick look and i think its

cluster-api/api/bootstrap/kubeadm/v1beta2/kubeadm_types.go

Line 414 in ab74f37

// +listMapKey=value

that is the issue.

The composite map key (name, value) means that during server-side apply, two entries are considered the same only if both name AND value match. So when you change a value for an existing arg name:

SSA sees the old entry (name=X, value=OLD) and new entry (name=X, value=NEW) as different map entries (different composite key)
SSA merges both into the result — you now have two entries with the same name
The XValidation rule self.all(x, self.exists_one(y, x.name == y.name)) fires because name is duplicated

[sbueringer]

Can you please try to reproduce with CAPI main + make tilt-up + 2 simple applies with kubectl of KCP objects?

[sbueringer]

I don't know what is happening in your case, but for me this works perfectly fine.
(Note: the same field manager must be used for both applies)

k apply -f ./kcp-v1beta1.yaml --server-side --field-manager=test -o yaml --show-managed-fields > kcp-v1beta1-out.yaml

k apply -f ./kcp-v1beta2.yaml --server-side --field-manager=test -o yaml --show-managed-fields > kcp-v1beta2-out.yaml

kcp-v1beta1.yaml
kcp-v1beta1-out.yaml
kcp-v1beta2.yaml
kcp-v1beta2-out.yaml