Pin k8s.io/kuberenetes + dependency bumps

[dereknola]

#704 is in a broken state and I lack permissions to fix it. Opening this PR instead.

Changes

• Pin k8s.io/kubernetes to match the rest of the k8s dependencies
• Keep go 1.23.0 the above issue was causing go to be bumped when it should not be.

Validation

make works locally

[k8s-ci-robot]

Hi @dereknola. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[dereknola]

Not actually a bump, as most of these are pinned via replacement calls below.

[DamianSawicki]

Could you please change it to v1.30.12?

[DamianSawicki]

I think it would suffice to pin k8s.io/kubernetes and then rely on dependabot, but if it's time sensitive, we can leave it this way for the last time.

Also, I was hoping that we can get rid of pinning entirely and rely on dependabot bumping minor versions of non-k8s dependencies and patch versions of k8s.io dependencies, but the discussion on #709 seems to suggest that we can't get away without pinning if we want to control the kubernetes minor (historically we haven't, but @dereknola seems to be in favor of it recently). CC: @Michcioperz

[DamianSawicki]

Can we get rid of these (or restore them to v.0.30.12)? They seem to be pinned anyway.

  k8s.io/api v0.32.3
  k8s.io/apimachinery v0.32.3
  k8s.io/client-go v0.32.3
...
  k8s.io/kubernetes v1.33.1

[DamianSawicki]

I tried myself restoring them to v.0.30.12/v1.30.12, but go mod tidy bumps api, apimachinery, and client-go back to v0.32.3. It's seems possible to downgrade kubernetes, though.

[dereknola]

@DamianSawicki I'm on board with letting dependabot handle things and moving towards the latest versions of k8s. I would support that once this PR is merged, you open new PR that ensures all currently pinned k8s dependencies are removed, and a move to v1.33.XX/v0.33.XX across the board. Dependabot can then take over any future bumps.

[DamianSawicki]

/ok-to-test

I'm on board with letting dependabot handle things and moving towards the latest versions of k8s.

Cool, thanks a lot for sharing your perspective here!

I would support that once this PR is merged, you open new PR that ensures all currently pinned k8s dependencies are removed, and a move to v1.33.XX/v0.33.XX across the board.

Moving to v1.33.XX/v0.33.XX may involve some non-trivial changes, so we'd need to see who will have time to work on it.

[DamianSawicki]

I tried myself restoring them to v.0.30.12/v1.30.12, but go mod tidy bumps api, apimachinery, and client-go back to v0.32.3. It's seems possible to downgrade kubernetes, though.

[DamianSawicki]

Could you please change it to v1.30.12?

[dereknola]

Explicitly bumped the require dependency versions.

[DamianSawicki]

/lgtm
/approve

Thanks for your patience!

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: DamianSawicki, dereknola

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [DamianSawicki]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment