Regression in drift detection for changes to fields with default values #5020

@p-se

Fleet does not report drift when a field that is absent (or null) in the bundle is manually changed on the live object to a non-default value.

Affected versions: v0.15, main

Steps to reproduce:

  1. Deploy a bundle with imagePullPolicy: null (or left absent). For instance:

```yaml
apiVersion: fleet.cattle.io/v1alpha1
kind: Bundle
metadata:
  name: drift-test
  namespace: fleet-local
spec:
  targets:
    - clusterSelector: {}

  resources:
    - content: |
        apiVersion: apps/v1
        kind: Deployment
        metadata:
          name: drift-test
          namespace: drift-test
        spec:
          selector:
            matchLabels:
              app: drift-test
          template:
            metadata:
              labels:
                app: drift-test
            spec:
              containers:
                - name: nginx
                  image: nginx:stable-alpine

  defaultNamespace: drift-test
```

  2. Patch the live deployment:

```bash
kubectl patch deployment ... -p '{"spec":{"template":{"spec":{"containers":[{"name":"nginx","imagePullPolicy":"Always"}]}}}}'
```

  3. Bundle remains Ready / not modified — drift is not reported

Expected: Fleet detects that the live object differs from the desired state.

Root cause: Commit 6928441 ("chore(deps): bump to kubernetes 1.35", Jan 2026) switched scheme.go from k8s.io/kubernetes's legacyscheme to client-go's scheme on main (and release/v0.15), making Scheme.Default() a no-op. PR #4664 introduced normalizeNullPatch to fix the resulting false-positive drift, but as a side effect it strips all null entries from the diff patch — including nulls that represent a legitimate user change to a field the bundle left unset.

Details of the investigation are shared in #4969 (comment).

Workaround: Explicitly set every field you want drift protection on in the bundle or chart.
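
The failure mode described under the root cause, as an added example that is not part of the original issue and is not Fleet's code: a simplified Go model of one container's fields, in which `diff`, `pruneNulls`, `drift` and the `defaults` table are hypothetical names. It contrasts dropping every null from the diff with dropping only nulls whose live value equals the assumed server-side default (`IfNotPresent` for a non-`latest` image tag).

```go
package main

import (
	"fmt"
	"reflect"
)

type obj = map[string]any

// diff returns a merge-patch-style diff that turns live into desired; a key
// set only on the live object appears as null (nil).
func diff(live, desired obj) obj {
	patch := obj{}
	for k, lv := range live {
		if dv, ok := desired[k]; !ok || !reflect.DeepEqual(lv, dv) {
			patch[k] = dv
		}
	}
	for k, dv := range desired {
		if _, ok := live[k]; !ok {
			patch[k] = dv
		}
	}
	return patch
}

// pruneNulls drops nulls from patch. all=true drops every null; all=false drops
// a null only when the live value equals the assumed default for that key.
func pruneNulls(patch, live, defaults obj, all bool) obj {
	out := obj{}
	for k, v := range patch {
		if v != nil || (!all && !reflect.DeepEqual(live[k], defaults[k])) {
			out[k] = v
		}
	}
	return out
}

// drift runs the check on constructed data: the bundle leaves imagePullPolicy unset.
func drift(livePullPolicy string, all bool) bool {
	desired := obj{"name": "nginx", "image": "nginx:stable-alpine"}
	live := obj{"name": "nginx", "image": "nginx:stable-alpine", "imagePullPolicy": livePullPolicy}
	defaults := obj{"imagePullPolicy": "IfNotPresent"} // assumed default table
	return len(pruneNulls(diff(live, desired), live, defaults, all)) > 0
}

func main() {
	fmt.Println(drift("Always", true), drift("Always", false), drift("IfNotPresent", false))
}
```

The first result is the missed drift from the reproduction steps; the third shows that a server-defaulted field still produces no false positive under the narrower rule.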
