Kubernetes v1.36 support (#214)

neoaggelos · web-flow · commit e3a79d8280b5 · 2026-06-06T15:19:37.000+03:00
* Kubernetes v1.36 support
* Bump to kind v1.35.0 for e2e tests
* Update load balancer after Machines become Running. This addresses two critical issues:

1. Issues with OVN load balancer, which becomes temporarily
unavailable when updating the backends, which translated
into control plane machines failing to join the cluster because
the control plane endpoint was getting updated at the same time

2. DOA machines were getting added to the load balancer without
ever becoming healthy, adding more flakiness and delays to the
process.

---------

Signed-off-by: Angelos Kolaitis &lt;neoaggelos@gmail.com&gt;
diff --git a/docs/book/src/howto/developer-guide.md b/docs/book/src/howto/developer-guide.md
@@ -25,7 +25,7 @@ chmod +x ./clusterctl
 sudo mv ./clusterctl /usr/local/bin/clusterctl
 
 # kubectl
-curl -L --remote-name-all "https://dl.k8s.io/release/v1.34.0/bin/linux/amd64/kubectl" -o ./kubectl
+curl -L --remote-name-all "https://dl.k8s.io/release/v1.36.1/bin/linux/amd64/kubectl" -o ./kubectl
 chmod +x ./kubectl
 sudo mv ./kubectl /usr/local/bin/kubectl
 ```
@@ -125,7 +125,7 @@ On a separate window, generate a cluster manifest and deploy:
 ```bash
 export LOAD_BALANCER="lxc: {}"
 export LXC_SECRET_NAME="lxc-secret"
-export KUBERNETES_VERSION="v1.34.0"
+export KUBERNETES_VERSION="v1.36.1"
 export CONTROL_PLANE_MACHINE_COUNT=1
 export WORKER_MACHINE_COUNT=1
 
diff --git a/docs/book/src/reference/default-simplestreams-server.md b/docs/book/src/reference/default-simplestreams-server.md
@@ -38,6 +38,8 @@ The following images are currently provided:
 | kubeadm/v1.33.5 | Ubuntu 24.04 | Kubeadm image for Kubernetes v1.33.5   | X     | X     |
 | kubeadm/v1.34.0 | Ubuntu 24.04 | Kubeadm image for Kubernetes v1.34.0   | X     | X     |
 | kubeadm/v1.35.0 | Ubuntu 24.04 | Kubeadm image for Kubernetes v1.35.0   | X     | X     |
+| kubeadm/v1.35.5 | Ubuntu 24.04 | Kubeadm image for Kubernetes v1.35.5   | X     | X     |
+| kubeadm/v1.36.1 | Ubuntu 24.04 | Kubeadm image for Kubernetes v1.36.1   | X     | X     |
 
 Note that the table above might be out of date. See [streams/v1/index.json] and [streams/v1/images.json] for the list of versions currently available.
 
diff --git a/docs/book/src/tutorial/quick-start.md b/docs/book/src/tutorial/quick-start.md
@@ -32,7 +32,7 @@ chmod +x ./clusterctl
 sudo mv ./clusterctl /usr/local/bin/clusterctl
 
 # kubectl
-curl -L --remote-name-all "https://dl.k8s.io/release/v1.34.0/bin/linux/amd64/kubectl" -o ./kubectl
+curl -L --remote-name-all "https://dl.k8s.io/release/v1.36.1/bin/linux/amd64/kubectl" -o ./kubectl
 chmod +x ./kubectl
 sudo mv ./kubectl /usr/local/bin/kubectl
 ```
@@ -250,7 +250,7 @@ Then generate a cluster manifest for a cluster with 1 control plane and 1 worker
 ```bash
 # generate manifest in 'cluster.yaml'
 clusterctl generate cluster c1 -i incus \
-  --kubernetes-version v1.34.0 \
+  --kubernetes-version v1.36.1 \
   --control-plane-machine-count 1 \
   --worker-machine-count 1 \
   > cluster.yaml
@@ -299,14 +299,14 @@ Cluster/c1                                     False  Info      Bootstrapping @
 
 # kubectl get cluster,lxccluster,machine,lxcmachine
 NAME                          CLUSTERCLASS   PHASE         AGE   VERSION
-cluster.cluster.x-k8s.io/c1   capn-v1beta2   Provisioned   22s   v1.34.0
+cluster.cluster.x-k8s.io/c1   capn-v1beta2   Provisioned   22s   v1.36.1
 
 NAME                                                  CLUSTER   LOAD BALANCER   READY   AGE
 lxccluster.infrastructure.cluster.x-k8s.io/c1-vtf7d   c1        10.130.1.162    true    22s
 
 NAME                                                 CLUSTER   NODENAME   PROVIDERID   PHASE          AGE   VERSION
-machine.cluster.x-k8s.io/c1-6n84z-lxj6v              c1                                Provisioning   17s   v1.34.0
-machine.cluster.x-k8s.io/c1-md-0-v42br-vh2wd-7sn5p   c1                                Pending        6s    v1.34.0
+machine.cluster.x-k8s.io/c1-6n84z-lxj6v              c1                                Provisioning   17s   v1.36.1
+machine.cluster.x-k8s.io/c1-md-0-v42br-vh2wd-7sn5p   c1                                Pending        6s    v1.36.1
 
 NAME                                                                   CLUSTER   MACHINE                     PROVIDERID   READY   AGE
 lxcmachine.infrastructure.cluster.x-k8s.io/c1-6n84z-lxj6v              c1        c1-6n84z-lxj6v                                   17s
@@ -328,14 +328,14 @@ Cluster/c1                                     True                     23s
 
 # kubectl get cluster,lxccluster,machine,lxcmachine
 NAME                          CLUSTERCLASS   PHASE         AGE   VERSION
-cluster.cluster.x-k8s.io/c1   capn-v1beta2   Provisioned   59s   v1.34.0
+cluster.cluster.x-k8s.io/c1   capn-v1beta2   Provisioned   59s   v1.36.1
 
 NAME                                                  CLUSTER   LOAD BALANCER   READY   AGE
 lxccluster.infrastructure.cluster.x-k8s.io/c1-vtf7d   c1        10.130.1.162    true    59s
 
 NAME                                                 CLUSTER   NODENAME                    PROVIDERID                         PHASE     AGE   VERSION
-machine.cluster.x-k8s.io/c1-6n84z-lxj6v              c1        c1-6n84z-lxj6v              lxc:///c1-6n84z-lxj6v              Running   54s   v1.34.0
-machine.cluster.x-k8s.io/c1-md-0-v42br-vh2wd-7sn5p   c1        c1-md-0-v42br-vh2wd-7sn5p   lxc:///c1-md-0-v42br-vh2wd-7sn5p   Running   43s   v1.34.0
+machine.cluster.x-k8s.io/c1-6n84z-lxj6v              c1        c1-6n84z-lxj6v              lxc:///c1-6n84z-lxj6v              Running   54s   v1.36.1
+machine.cluster.x-k8s.io/c1-md-0-v42br-vh2wd-7sn5p   c1        c1-md-0-v42br-vh2wd-7sn5p   lxc:///c1-md-0-v42br-vh2wd-7sn5p   Running   43s   v1.36.1
 
 NAME                                                                   CLUSTER   MACHINE                     PROVIDERID                         READY   AGE
 lxcmachine.infrastructure.cluster.x-k8s.io/c1-6n84z-lxj6v              c1        c1-6n84z-lxj6v              lxc:///c1-6n84z-lxj6v              true    54s
@@ -413,8 +413,8 @@ kube-system    pod/kube-proxy-zkwcc                         1/1     Running   0
 kube-system    pod/kube-scheduler-c1-6n84z-lxj6v            1/1     Running   0          2m16s   10.130.1.97    c1-6n84z-lxj6v              <none>           <none>
 
 NAMESPACE   NAME                             STATUS   ROLES           AGE     VERSION   INTERNAL-IP    EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION     CONTAINER-RUNTIME
-            node/c1-6n84z-lxj6v              Ready    control-plane   2m18s   v1.34.0   10.130.1.97    <none>        Ubuntu 24.04.3 LTS   6.8.0-83-generic   containerd://2.1.4
-            node/c1-md-0-v42br-vh2wd-7sn5p   Ready    <none>          112s    v1.34.0   10.130.1.195   <none>        Ubuntu 24.04.3 LTS   6.8.0-83-generic   containerd://2.1.4
+            node/c1-6n84z-lxj6v              Ready    control-plane   2m18s   v1.36.1   10.130.1.97    <none>        Ubuntu 24.04.3 LTS   6.8.0-83-generic   containerd://2.3.0
+            node/c1-md-0-v42br-vh2wd-7sn5p   Ready    <none>          112s    v1.36.1   10.130.1.195   <none>        Ubuntu 24.04.3 LTS   6.8.0-83-generic   containerd://2.3.0
 ```
 
 ## Delete cluster
diff --git a/hack/infra/images.yaml b/hack/infra/images.yaml
@@ -72,3 +72,33 @@ images:
     type: virtual-machine
     alias: [kubeadm/v1.35.0, kubeadm/v1.35.0/ubuntu]
     source: https://github.com/lxc/cluster-api-provider-incus/releases/download/kubeadm-images/kubeadm-v1.35.0-virtual-machine-ubuntu-amd64.tar.gz
+
+  kubeadm-v1.35.5-container-amd64:
+    type: container
+    alias: [kubeadm/v1.35.5, kubeadm/v1.35.5/ubuntu]
+    source: https://github.com/lxc/cluster-api-provider-incus/releases/download/kubeadm-images/kubeadm-v1.35.5-container-ubuntu-amd64.tar.gz
+    checksum: sha256:0a6c0d07c22864d3ccd01689aca9a31fd6e8da001672165997f19f7f552dcbb3
+  kubeadm-v1.35.5-container-arm64:
+    type: container
+    alias: [kubeadm/v1.35.5, kubeadm/v1.35.5/ubuntu]
+    source: https://github.com/lxc/cluster-api-provider-incus/releases/download/kubeadm-images/kubeadm-v1.35.5-container-ubuntu-arm64.tar.gz
+    checksum: sha256:32cd7f73ee14780febc533539fa3dd0b6eef9d15fcd7d3e069c2977e910f9bfe
+  kubeadm-v1.35.5-virtual-machine-amd64:
+    type: virtual-machine
+    alias: [kubeadm/v1.35.5, kubeadm/v1.35.5/ubuntu]
+    source: https://github.com/lxc/cluster-api-provider-incus/releases/download/kubeadm-images/kubeadm-v1.35.5-virtual-machine-ubuntu-amd64.tar.gz
+
+  kubeadm-v1.36.1-container-amd64:
+    type: container
+    alias: [kubeadm/v1.36.1, kubeadm/v1.36.1/ubuntu]
+    source: https://github.com/lxc/cluster-api-provider-incus/releases/download/kubeadm-images/kubeadm-v1.36.1-container-ubuntu-amd64.tar.gz
+    checksum: sha256:241075592fa5d280d6d952a0eb8aa434069d27746675ac22a587ac469a57078b
+  kubeadm-v1.36.1-container-arm64:
+    type: container
+    alias: [kubeadm/v1.36.1, kubeadm/v1.36.1/ubuntu]
+    source: https://github.com/lxc/cluster-api-provider-incus/releases/download/kubeadm-images/kubeadm-v1.36.1-container-ubuntu-arm64.tar.gz
+    checksum: sha256:a658ebfd4775e94cb6c3391e6aa2d52089b6ba4df562eb4f39e1ecc7ee80c28c
+  kubeadm-v1.36.1-virtual-machine-amd64:
+    type: virtual-machine
+    alias: [kubeadm/v1.36.1, kubeadm/v1.36.1/ubuntu]
+    source: https://github.com/lxc/cluster-api-provider-incus/releases/download/kubeadm-images/kubeadm-v1.36.1-virtual-machine-ubuntu-amd64.tar.gz
diff --git a/internal/controller/lxcmachine/controller_normal.go b/internal/controller/lxcmachine/controller_normal.go
@@ -50,6 +50,21 @@ func (r *LXCMachineReconciler) reconcileNormal(ctx context.Context, cluster *clu
 		conditions.Set(lxcMachine, metav1.Condition{Type: infrav1.InstanceProvisionedCondition, Status: metav1.ConditionTrue, Reason: infrav1.InstanceProvisionedReason})
 		r.setLXCMachineAddresses(lxcMachine, lxc.ParseHostAddresses(state))
 
+		// Handle control plane load balancer configuration
+		if util.IsControlPlaneMachine(machine) && !lxcMachine.Status.LoadBalancerConfigured {
+			machinePhase := machine.Status.GetTypedPhase()
+			if cluster.Spec.ControlPlaneRef.IsDefined() && ptr.Deref(cluster.Status.Initialization.ControlPlaneInitialized, false) && machinePhase != clusterv1.MachinePhaseRunning {
+				log.FromContext(ctx).Info("ControlPlane is initialized, waiting for Machine to become Running before updating control plane load balancer", "phase", machinePhase)
+				return ctrl.Result{RequeueAfter: 10 * time.Second}, nil
+			}
+
+			log.FromContext(ctx).Info("Updating control plane load balancer")
+			if err := loadbalancer.ManagerForCluster(cluster, lxcCluster, lxcClient).Reconfigure(ctx); err != nil {
+				return ctrl.Result{}, fmt.Errorf("failed to update loadbalancer configuration: %w", err)
+			}
+			lxcMachine.Status.LoadBalancerConfigured = true
+		}
+
 		// Handle cloud provider node patch
 		if lxcCluster.Spec.CloudProviderNodePatch && !lxcMachine.Status.CloudProviderNodePatchConfigured {
 			// If the Cluster is using a control plane and the control plane is not yet initialized, there is no API server
@@ -131,16 +146,6 @@ func (r *LXCMachineReconciler) reconcileNormal(ctx context.Context, cluster *clu
 	r.setLXCMachineAddresses(lxcMachine, addresses)
 	conditions.Set(lxcMachine, metav1.Condition{Type: infrav1.InstanceProvisionedCondition, Status: metav1.ConditionTrue, Reason: infrav1.InstanceProvisionedReason})
 
-	// update load balancer
-	if util.IsControlPlaneMachine(machine) && !lxcMachine.Status.LoadBalancerConfigured {
-		log.FromContext(ctx).Info("Updating control plane load balancer")
-
-		if err := loadbalancer.ManagerForCluster(cluster, lxcCluster, lxcClient).Reconfigure(ctx); err != nil {
-			return ctrl.Result{}, fmt.Errorf("failed to update loadbalancer configuration: %w", err)
-		}
-		lxcMachine.Status.LoadBalancerConfigured = true
-	}
-
 	lxcMachine.Spec.ProviderID = lxcMachine.GetExpectedProviderID()
 	lxcMachine.Status.Initialization.Provisioned = new(true)
 
diff --git a/internal/lxc/consts.go b/internal/lxc/consts.go
@@ -9,6 +9,9 @@ const (
 	// DefaultStagingSimplestreamsServer is the default staging simplestreams server for fetching images.
 	DefaultStagingSimplestreamsServer = "https://images-stg.capn.open-cloud.xyz/capn/staging/"
 
+	// DefaultDevelopmentSimplestreamsServer is the default development simplestreams server for fetching images.
+	DefaultDevelopmentSimplestreamsServer = "https://images-stg.capn.open-cloud.xyz/capn/testing/"
+
 	// DefaultIncusSimplestreamsServer is the default simplestreams server for Incus.
 	DefaultIncusSimplestreamsServer = "https://images.linuxcontainers.org"
 
diff --git a/internal/lxc/images_parse.go b/internal/lxc/images_parse.go
@@ -14,6 +14,7 @@ var (
 		"images":   DefaultImage,
 		"capi":     func(in string) ImageFamily { return CapnImage(in) },
 		"capi-stg": func(in string) ImageFamily { return CapnStagingImage(in) },
+		"capi-dev": func(in string) ImageFamily { return CapnDevelopmentImage(in) },
 		"kind":     func(in string) ImageFamily { return KindestNodeImage(in) },
 	}
 )
diff --git a/internal/lxc/images_parse_test.go b/internal/lxc/images_parse_test.go
@@ -44,6 +44,7 @@ func TestParseImage(t *testing.T) {
 		{server: "incus", image: "images:almalinux/9/cloud", expectParse: true, expectImageSource: simplestreamsImage("https://images.linuxcontainers.org", "almalinux/9/cloud")},
 		{server: "incus", image: "capi:kubeadm/v1.33.0", expectParse: true, expectImageSource: simplestreamsImage("https://images.linuxcontainers.org/capn/", "kubeadm/v1.33.0")},
 		{server: "incus", image: "capi-stg:kubeadm/v1.33.0", expectParse: true, expectImageSource: simplestreamsImage("https://images-stg.capn.open-cloud.xyz/capn/staging/", "kubeadm/v1.33.0")},
+		{server: "incus", image: "capi-dev:kubeadm/v1.33.0", expectParse: true, expectImageSource: simplestreamsImage("https://images-stg.capn.open-cloud.xyz/capn/testing/", "kubeadm/v1.33.0")},
 		{server: "incus", image: "kind:v1.33.0", expectParse: true, expectImageSource: ociImage("https://docker.io", "kindest/node:v1.33.0")},
 		// verify lxd prefixes
 		{server: "lxd", image: "image-name"},
@@ -53,6 +54,7 @@ func TestParseImage(t *testing.T) {
 		{server: "lxd", image: "images:almalinux/9/cloud", expectParse: true, expectImageSource: simplestreamsImage("https://images.lxd.canonical.com", "almalinux/9/cloud")},
 		{server: "lxd", image: "capi:kubeadm/v1.33.0", expectParse: true, expectImageSource: simplestreamsImage("https://images.linuxcontainers.org/capn/", "kubeadm/v1.33.0")},
 		{server: "lxd", image: "capi-stg:kubeadm/v1.33.0", expectParse: true, expectImageSource: simplestreamsImage("https://images-stg.capn.open-cloud.xyz/capn/staging/", "kubeadm/v1.33.0")},
+		{server: "lxd", image: "capi-dev:kubeadm/v1.33.0", expectParse: true, expectImageSource: simplestreamsImage("https://images-stg.capn.open-cloud.xyz/capn/testing/", "kubeadm/v1.33.0")},
 		{server: "lxd", image: "kind:v1.33.0", expectParse: true, expectImageSource: ociImage("https://docker.io", "kindest/node:v1.33.0")},
 		// verify prefixes for unknown
 		{server: "unknown", image: "image-name"},
diff --git a/internal/lxc/images_sources.go b/internal/lxc/images_sources.go
@@ -74,6 +74,14 @@ func CapnStagingImage(image string) Image {
 	}
 }
 
+func CapnDevelopmentImage(image string) Image {
+	return Image{ // "capi-dev:IMAGE" -> "IMAGE" from "https://images-stg.capn.open-cloud.xyz/capn/testing/"
+		Protocol: Simplestreams,
+		Server:   DefaultDevelopmentSimplestreamsServer,
+		Alias:    image,
+	}
+}
+
 func KindestNodeImage(version string) Image {
 	return Image{ // "kind:VERSION" -> "kindest/node:VERSION" from "https://docker.io"
 		Protocol: OCI,
diff --git a/internal/static/embed/cloud-init-launch.service b/internal/static/embed/cloud-init-launch.service
@@ -5,7 +5,7 @@ ConditionPathExists=!/hack/cloud-init.success
 
 [Service]
 Type=oneshot
-ExecStart=/bin/bash -xe -c 'python3 /hack/cloud-init.py && touch /hack/cloud-init.success'
+ExecStart=/bin/bash -xe -c 'crictl ps -a && python3 /hack/cloud-init.py && touch /hack/cloud-init.success'
 Restart=on-failure
 RestartSec=5s
 StartLimitInterval=60
diff --git a/templates/cluster-template-development.rc b/templates/cluster-template-development.rc
@@ -1,5 +1,5 @@
 # Cluster version and size
-export KUBERNETES_VERSION=v1.34.0
+export KUBERNETES_VERSION=v1.36.1
 export CONTROL_PLANE_MACHINE_COUNT=1
 export WORKER_MACHINE_COUNT=1
 
diff --git a/templates/cluster-template-kube-vip.rc b/templates/cluster-template-kube-vip.rc
@@ -1,5 +1,5 @@
 # Cluster version and size
-export KUBERNETES_VERSION=v1.34.0
+export KUBERNETES_VERSION=v1.36.1
 export CONTROL_PLANE_MACHINE_COUNT=1
 export WORKER_MACHINE_COUNT=1
 
diff --git a/templates/cluster-template-ovn.rc b/templates/cluster-template-ovn.rc
@@ -1,5 +1,5 @@
 # Cluster version and size
-export KUBERNETES_VERSION=v1.34.0
+export KUBERNETES_VERSION=v1.36.1
 export CONTROL_PLANE_MACHINE_COUNT=1
 export WORKER_MACHINE_COUNT=1
 
diff --git a/templates/cluster-template-ubuntu.rc b/templates/cluster-template-ubuntu.rc
@@ -1,5 +1,5 @@
 # Cluster version and size
-export KUBERNETES_VERSION=v1.34.0
+export KUBERNETES_VERSION=v1.36.1
 export CONTROL_PLANE_MACHINE_COUNT=1
 export WORKER_MACHINE_COUNT=1
 
diff --git a/templates/cluster-template.rc b/templates/cluster-template.rc
@@ -1,5 +1,5 @@
 ## Cluster version and size
-export KUBERNETES_VERSION=v1.34.0
+export KUBERNETES_VERSION=v1.36.1
 export CONTROL_PLANE_MACHINE_COUNT=1
 export WORKER_MACHINE_COUNT=1
 
diff --git a/test/e2e/data/config.yaml b/test/e2e/data/config.yaml
@@ -124,9 +124,10 @@ providers:
 # allowing the same e2e config file to be re-used in different prow jobs e.g. each one with a K8s version permutation
 variables:
   KUBE_CONTEXT: kind-capn-e2e
-  KUBERNETES_VERSION: v1.34.0
-  KUBERNETES_VERSION_UPGRADE_FROM: v1.33.5
-  KUBERNETES_VERSION_UPGRADE_TO: v1.34.0
+  KUBERNETES_VERSION: v1.36.1
+  KUBERNETES_VERSION_UPGRADE_FROM: v1.35.5
+  KUBERNETES_VERSION_UPGRADE_TO: v1.36.1
+  KUBERNETES_VERSION_KIND: v1.35.0 # override version for Kind e2e tests
 
   CNI: ../../data/cni/kube-flannel.yaml
 
diff --git a/test/e2e/shared/defaults.go b/test/e2e/shared/defaults.go
@@ -34,6 +34,7 @@ const (
 	KubernetesVersion            = "KUBERNETES_VERSION"
 	KubernetesVersionUpgradeFrom = "KUBERNETES_VERSION_UPGRADE_FROM"
 	KubernetesVersionUpgradeTo   = "KUBERNETES_VERSION_UPGRADE_TO"
+	KubernetesVersionKind        = "KUBERNETES_VERSION_KIND"
 
 	// Load LXC server credentials from local config file
 	LXCLoadConfigFile = "LXC_LOAD_CONFIG_FILE"
diff --git a/test/e2e/shared/hack_images.go b/test/e2e/shared/hack_images.go
@@ -23,7 +23,7 @@ func defaultImages(e2eCtx *E2EContext, serverName string) []string {
 		fmt.Sprintf("capi:kubeadm/%s", e2eCtx.E2EConfig.MustGetVariable(KubernetesVersionUpgradeTo)),
 	}
 	if serverName == lxc.Incus {
-		images = append(images, fmt.Sprintf("kind:%s", e2eCtx.E2EConfig.MustGetVariable(KubernetesVersion)))
+		images = append(images, fmt.Sprintf("kind:%s", e2eCtx.E2EConfig.MustGetVariable(KubernetesVersionKind)))
 	}
 	return images
 }
diff --git a/test/e2e/shared/hack_unprivileged.go b/test/e2e/shared/hack_unprivileged.go
@@ -0,0 +1,53 @@
+//go:build e2e
+
+package shared
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/lxc/cluster-api-provider-incus/internal/lxc"
+	"github.com/lxc/incus/v6/shared/api"
+
+	. "github.com/onsi/gomega"
+)
+
+// UnprivilegedContainersClusterVariables returns cluster template variables to launch unprivileged containers.
+//
+// Also attempts (best-effort) to account for well-known Kubernetes limitations.
+//
+// Current well-known issues:
+//
+// ## VERSION: v1.36.0
+// ## ISSUE: kubelet does not start when kubelet folder is on ZFS filesystem because of missing cadvisor plugin in 1.36.0
+// ## GITHUB LINK: https://github.com/kubernetes/kubernetes/issues/138556
+// ## MITIGATION: Do not use a ZFS filesystem.
+// ## EXAMPLE ERROR: Apr 23 21:45:14 strike01 kubelet[326484]: I0423 21:45:14.680361  326484 fs.go:406] no plugin found for filesystem type: zfs
+//
+// ## VERSION: v1.36.1+
+// ## ISSUE: kubelet does not work in privileged containers when using a ZFS filesystem
+// ## GITHUB LINK: <TODO>
+// ## MITIGATION: Do not use a ZFS filesystem for unprivileged containers.
+// ## EXAMPLE ERROR: 09:10:26 capn-default-unprivileged-2fnr-47zq6-cbrt2 kubelet[697]: E0518 09:10:26.166372     697 container_manager_linux.go:987] "Unable to get rootfs data from cAdvisor interface" err="cannot find filesystem info for device \"zfs/containers/capn-default-unprivileged-2fnr-47zq6-cbrt2\""
+func (e2eCtx *E2EContext) UnprivilegedContainersClusterVariables() map[string]string {
+	lxcClient, err := lxc.New(context.TODO(), e2eCtx.Settings.LXCClientOptions)
+	Expect(err).ToNot(HaveOccurred(), "Failed to initialize client")
+
+	d := map[string]string{
+		"PRIVILEGED": "false",
+	}
+
+	// if possible, use a storage pool of type "dir", to work around Kubernetes v1.36+ issues with zfs on unprivileged containers
+	pools, err := lxcClient.GetStoragePools()
+	Expect(err).ToNot(HaveOccurred(), "Failed to list storage pools")
+	for _, pool := range pools {
+		if pool.Status == api.StoragePoolStatusCreated && pool.Driver == "dir" {
+			Logf("Use storage pool %q (dir) for unprivileged instances", pool)
+			d["CONTROL_PLANE_MACHINE_DEVICES"] = fmt.Sprintf("['root,type=disk,path=/,pool=%s']", pool.Name)
+			d["WORKER_MACHINE_DEVICES"] = fmt.Sprintf("['root,type=disk,path=/,pool=%s']", pool.Name)
+			break
+		}
+	}
+
+	return d
+}
diff --git a/test/e2e/suites/e2e/quick_start_debian_test.go b/test/e2e/suites/e2e/quick_start_debian_test.go
@@ -58,7 +58,7 @@ var _ = Describe("QuickStart", func() {
 					WorkerMachineCount:       new(int64(1)),
 					ClusterName:              new(fmt.Sprintf("capn-debian-unprivileged-%s", util.RandomString(4))),
 
-					ClusterctlVariables: map[string]string{"PRIVILEGED": "false"},
+					ClusterctlVariables: e2eCtx.UnprivilegedContainersClusterVariables(),
 				}
 			})
 		})
diff --git a/test/e2e/suites/e2e/quick_start_default_test.go b/test/e2e/suites/e2e/quick_start_default_test.go
@@ -51,7 +51,7 @@ var _ = Describe("QuickStart", func() {
 					WorkerMachineCount:       new(int64(3)),
 					ClusterName:              new(fmt.Sprintf("capn-default-unprivileged-%s", util.RandomString(4))),
 
-					ClusterctlVariables: map[string]string{"PRIVILEGED": "false"},
+					ClusterctlVariables: e2eCtx.UnprivilegedContainersClusterVariables(),
 				}
 			})
 		})
diff --git a/test/e2e/suites/e2e/quick_start_kind_test.go b/test/e2e/suites/e2e/quick_start_kind_test.go
diff --git a/test/e2e/suites/e2e/quick_start_kube_vip_test.go b/test/e2e/suites/e2e/quick_start_kube_vip_test.go
diff --git a/test/e2e/suites/e2e/quick_start_ubuntu_test.go b/test/e2e/suites/e2e/quick_start_ubuntu_test.go

Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@ var (`
`14`	`14`	`"images": DefaultImage,`
`15`	`15`	`"capi": func(in string) ImageFamily { return CapnImage(in) },`
`16`	`16`	`"capi-stg": func(in string) ImageFamily { return CapnStagingImage(in) },`
	`17`	`+ "capi-dev": func(in string) ImageFamily { return CapnDevelopmentImage(in) },`
`17`	`18`	`"kind": func(in string) ImageFamily { return KindestNodeImage(in) },`
`18`	`19`	`}`
`19`	`20`	`)`
Original file line number	Diff line number	Diff line change
`@@ -74,6 +74,14 @@ func CapnStagingImage(image string) Image {`
`74`	`74`	`}`
`75`	`75`	`}`
`76`	`76`
	`77`	`+func CapnDevelopmentImage(image string) Image {`
	`78`	`+ return Image{ // "capi-dev:IMAGE" -> "IMAGE" from "https://images-stg.capn.open-cloud.xyz/capn/testing/"`
	`79`	`+ Protocol: Simplestreams,`
	`80`	`+ Server: DefaultDevelopmentSimplestreamsServer,`
	`81`	`+ Alias: image,`
	`82`	`+ }`
	`83`	`+}`
	`84`	`+`
`77`	`85`	`func KindestNodeImage(version string) Image {`
`78`	`86`	`return Image{ // "kind:VERSION" -> "kindest/node:VERSION" from "https://docker.io"`
`79`	`87`	`Protocol: OCI,`