kubernetes-sigs · k8s-ci-robot · Mar 10, 2025 · Mar 5, 2025 · Mar 10, 2025 · sbueringer
diff --git a/.golangci-kal.yml b/.golangci-kal.yml
@@ -74,10 +74,25 @@ issues:
     text: "field Prefix should not use an int, int8 or int16. Use int32 or int64 depending on bounding requirements"
     linters:
       - kal
-  - path: "api/v1alpha1/*|api/v1alpha3/*|api/v1beta1/*"
+  - path: "api/v1alpha1/*|api/v1alpha3/*"
     text: "maxlength"
     linters:
       - kal
+  - path: "api/v1beta1/*"
+    text: "must have a maximum length, add (kubebuilder:validation:MaxLength|kubebuilder:validation:items:MaxLength) marker"
+    linters:
+      - kal
+  # controller-gen does not allow to add MaxItems to Schemaless fields
+  - path: "api/v1beta1/*"
+    text: "maxlength: field (AllOf|OneOf|AnyOf) must have a maximum items, add kubebuilder:validation:MaxItems marker"
+    linters:
+      - kal
+  # It does not make sense to add a maxItems marker on the *List structs as they are not used to generate CRD YAMLs.
+  # This exclude will  be removed once https://github.com/JoelSpeed/kal/issues/38 is resolved.
+  - path: "api/v1beta1/*"
+    text: "maxlength: field Items must have a maximum items, add kubebuilder:validation:MaxItems marker"
+    linters:
+      - kal
   - path: "api/v1alpha1/*|api/v1beta1/*"
     text: "nobools"
     linters:

diff --git a/api/v1beta1/cluster_types.go b/api/v1beta1/cluster_types.go
@@ -556,6 +556,7 @@ type Topology struct {
 	// +optional
 	// +listType=map
 	// +listMapKey=name
+	// +kubebuilder:validation:MaxItems=1000
 	Variables []ClusterVariable `json:"variables,omitempty"`
 }
 
@@ -624,12 +625,14 @@ type WorkersTopology struct {
 	// +optional
 	// +listType=map
 	// +listMapKey=name
+	// +kubebuilder:validation:MaxItems=2000
 	MachineDeployments []MachineDeploymentTopology `json:"machineDeployments,omitempty"`
 
 	// machinePools is a list of machine pools in the cluster.
 	// +optional
 	// +listType=map
 	// +listMapKey=name
+	// +kubebuilder:validation:MaxItems=2000
 	MachinePools []MachinePoolTopology `json:"machinePools,omitempty"`
 }
 
@@ -758,6 +761,7 @@ type MachinePoolTopology struct {
 	// failureDomains is the list of failure domains the machine pool will be created in.
 	// Must match a key in the FailureDomains map stored on the cluster object.
 	// +optional
+	// +kubebuilder:validation:MaxItems=100
 	FailureDomains []string `json:"failureDomains,omitempty"`
 
 	// nodeDrainTimeout is the total amount of time that the controller will spend on draining a node.
@@ -825,6 +829,7 @@ type ControlPlaneVariables struct {
 	// +optional
 	// +listType=map
 	// +listMapKey=name
+	// +kubebuilder:validation:MaxItems=1000
 	Overrides []ClusterVariable `json:"overrides,omitempty"`
 }
 
@@ -834,6 +839,7 @@ type MachineDeploymentVariables struct {
 	// +optional
 	// +listType=map
 	// +listMapKey=name
+	// +kubebuilder:validation:MaxItems=1000
 	Overrides []ClusterVariable `json:"overrides,omitempty"`
 }
 
@@ -843,6 +849,7 @@ type MachinePoolVariables struct {
 	// +optional
 	// +listType=map
 	// +listMapKey=name
+	// +kubebuilder:validation:MaxItems=1000
 	Overrides []ClusterVariable `json:"overrides,omitempty"`
 }
 
@@ -878,6 +885,7 @@ type ClusterNetwork struct {
 // NetworkRanges represents ranges of network addresses.
 type NetworkRanges struct {
 	// cidrBlocks is a list of CIDR blocks.
+	// +kubebuilder:validation:MaxItems=100
 	CIDRBlocks []string `json:"cidrBlocks"`
 }
 

diff --git a/api/v1beta1/clusterclass_types.go b/api/v1beta1/clusterclass_types.go
@@ -122,12 +122,14 @@ type ClusterClassSpec struct {
 	// variables defines the variables which can be configured
 	// in the Cluster topology and are then used in patches.
 	// +optional
+	// +kubebuilder:validation:MaxItems=1000
 	Variables []ClusterClassVariable `json:"variables,omitempty"`
 
 	// patches defines the patches which are applied to customize
 	// referenced templates of a ClusterClass.
 	// Note: Patches will be applied in the order of the array.
 	// +optional
+	// +kubebuilder:validation:MaxItems=1000
 	Patches []ClusterClassPatch `json:"patches,omitempty"`
 }
 
@@ -235,13 +237,15 @@ type WorkersClass struct {
 	// +optional
 	// +listType=map
 	// +listMapKey=class
+	// +kubebuilder:validation:MaxItems=100
 	MachineDeployments []MachineDeploymentClass `json:"machineDeployments,omitempty"`
 
 	// machinePools is a list of machine pool classes that can be used to create
 	// a set of worker nodes.
 	// +optional
 	// +listType=map
 	// +listMapKey=class
+	// +kubebuilder:validation:MaxItems=100
 	MachinePools []MachinePoolClass `json:"machinePools,omitempty"`
 }
 
@@ -356,6 +360,7 @@ type MachineHealthCheckClass struct {
 	// logical OR, i.e. if any of the conditions is met, the node is unhealthy.
 	//
 	// +optional
+	// +kubebuilder:validation:MaxItems=100
 	UnhealthyConditions []UnhealthyCondition `json:"unhealthyConditions,omitempty"`
 
 	// maxUnhealthy specifies the maximum number of unhealthy machines allowed.
@@ -415,6 +420,7 @@ type MachinePoolClass struct {
 	// Must match a key in the FailureDomains map stored on the cluster object.
 	// NOTE: This value can be overridden while defining a Cluster.Topology using this MachinePoolClass.
 	// +optional
+	// +kubebuilder:validation:MaxItems=100
 	FailureDomains []string `json:"failureDomains,omitempty"`
 
 	// namingStrategy allows changing the naming pattern used when creating the MachinePool.
@@ -586,6 +592,7 @@ type JSONSchemaProps struct {
 	// required specifies which fields of an object are required.
 	// NOTE: Can only be set if type is object.
 	// +optional
+	// +kubebuilder:validation:MaxItems=1000
 	Required []string `json:"required,omitempty"`
 
 	// items specifies fields of an array.
@@ -667,6 +674,7 @@ type JSONSchemaProps struct {
 	// enum is the list of valid values of the variable.
 	// NOTE: Can be set for all types.
 	// +optional
+	// +kubebuilder:validation:MaxItems=100
 	Enum []apiextensionsv1.JSON `json:"enum,omitempty"`
 
 	// default is the default value of the variable.
@@ -678,6 +686,7 @@ type JSONSchemaProps struct {
 	// +optional
 	// +listType=map
 	// +listMapKey=rule
+	// +kubebuilder:validation:MaxItems=100
 	XValidations []ValidationRule `json:"x-kubernetes-validations,omitempty"`
 
 	// x-metadata is the metadata of a variable or a nested field within a variable.
@@ -879,6 +888,7 @@ type ClusterClassPatch struct {
 	// Note: Patches will be applied in the order of the array.
 	// Note: Exactly one of Definitions or External must be set.
 	// +optional
+	// +kubebuilder:validation:MaxItems=100
 	Definitions []PatchDefinition `json:"definitions,omitempty"`
 
 	// external defines an external patch.
@@ -895,6 +905,7 @@ type PatchDefinition struct {
 	// jsonPatches defines the patches which should be applied on the templates
 	// matching the selector.
 	// Note: Patches will be applied in the order of the array.
+	// +kubebuilder:validation:MaxItems=100
 	JSONPatches []JSONPatch `json:"jsonPatches"`
 }
 
@@ -944,6 +955,7 @@ type PatchSelectorMatch struct {
 type PatchSelectorMatchMachineDeploymentClass struct {
 	// names selects templates by class names.
 	// +optional
+	// +kubebuilder:validation:MaxItems=100
 	Names []string `json:"names,omitempty"`
 }
 
@@ -952,6 +964,7 @@ type PatchSelectorMatchMachineDeploymentClass struct {
 type PatchSelectorMatchMachinePoolClass struct {
 	// names selects templates by class names.
 	// +optional
+	// +kubebuilder:validation:MaxItems=100
 	Names []string `json:"names,omitempty"`
 }
 
@@ -1035,6 +1048,7 @@ type LocalObjectTemplate struct {
 type ClusterClassStatus struct {
 	// variables is a list of ClusterClassStatusVariable that are defined for the ClusterClass.
 	// +optional
+	// +kubebuilder:validation:MaxItems=1000
 	Variables []ClusterClassStatusVariable `json:"variables,omitempty"`
 
 	// conditions defines current observed state of the ClusterClass.
@@ -1072,6 +1086,7 @@ type ClusterClassStatusVariable struct {
 	DefinitionsConflict bool `json:"definitionsConflict"`
 
 	// definitions is a list of definitions for a variable.
+	// +kubebuilder:validation:MaxItems=100
 	Definitions []ClusterClassStatusVariableDefinition `json:"definitions"`
 }
 

diff --git a/api/v1beta1/machinehealthcheck_types.go b/api/v1beta1/machinehealthcheck_types.go
@@ -63,6 +63,7 @@ type MachineHealthCheckSpec struct {
 	// logical OR, i.e. if any of the conditions is met, the node is unhealthy.
 	//
 	// +optional
+	// +kubebuilder:validation:MaxItems=100
 	UnhealthyConditions []UnhealthyCondition `json:"unhealthyConditions,omitempty"`
 
 	// maxUnhealthy specifies the maximum number of unhealthy machines allowed.
@@ -165,6 +166,7 @@ type MachineHealthCheckStatus struct {
 
 	// targets shows the current list of machines the machine health check is watching
 	// +optional
+	// +kubebuilder:validation:MaxItems=10000
 	Targets []string `json:"targets,omitempty"`
 
 	// conditions defines current service state of the MachineHealthCheck.

diff --git a/bootstrap/kubeadm/api/v1beta1/kubeadm_types.go b/bootstrap/kubeadm/api/v1beta1/kubeadm_types.go
@@ -38,6 +38,7 @@ type InitConfiguration struct {
 	// bootstrapTokens is respected at `kubeadm init` time and describes a set of Bootstrap Tokens to create.
 	// This information IS NOT uploaded to the kubeadm cluster configmap, partly because of its sensitive nature
 	// +optional
+	// +kubebuilder:validation:MaxItems=100
 	BootstrapTokens []BootstrapToken `json:"bootstrapTokens,omitempty"`
 
 	// nodeRegistration holds fields that relate to registering the new control-plane node to the cluster.
@@ -59,6 +60,7 @@ type InitConfiguration struct {
 	// The list of phases can be obtained with the "kubeadm init --help" command.
 	// This option takes effect only on Kubernetes >=1.22.0.
 	// +optional
+	// +kubebuilder:validation:MaxItems=50
 	SkipPhases []string `json:"skipPhases,omitempty"`
 
 	// patches contains options related to applying patches to components deployed by kubeadm during
@@ -156,12 +158,14 @@ type ControlPlaneComponent struct {
 
 	// extraVolumes is an extra set of host volumes, mounted to the control plane component.
 	// +optional
+	// +kubebuilder:validation:MaxItems=100
 	ExtraVolumes []HostPathMount `json:"extraVolumes,omitempty"`
 
 	// extraEnvs is an extra set of environment variables to pass to the control plane component.
 	// Environment variables passed using ExtraEnvs will override any existing environment variables, or *_proxy environment variables that kubeadm adds by default.
 	// This option takes effect only on Kubernetes >=1.31.0.
 	// +optional
+	// +kubebuilder:validation:MaxItems=100
 	ExtraEnvs []EnvVar `json:"extraEnvs,omitempty"`
 }
 
@@ -171,6 +175,7 @@ type APIServer struct {
 
 	// certSANs sets extra Subject Alternative Names for the API Server signing cert.
 	// +optional
+	// +kubebuilder:validation:MaxItems=100
 	CertSANs []string `json:"certSANs,omitempty"`
 
 	// timeoutForControlPlane controls the timeout that we use for API server to appear
@@ -245,6 +250,7 @@ type NodeRegistrationOptions struct {
 	// it will be defaulted to []v1.Taint{'node-role.kubernetes.io/master=""'}. If you don't want to taint your control-plane node, set this field to an
 	// empty slice, i.e. `taints: []` in the YAML file. This field is solely used for Node registration.
 	// +optional
+	// +kubebuilder:validation:MaxItems=100
 	Taints []corev1.Taint `json:"taints,omitempty"`
 
 	// kubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are passed to the kubelet command line via the environment file
@@ -255,6 +261,7 @@ type NodeRegistrationOptions struct {
 
 	// ignorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered.
 	// +optional
+	// +kubebuilder:validation:MaxItems=50
 	IgnorePreflightErrors []string `json:"ignorePreflightErrors,omitempty"`
 
 	// imagePullPolicy specifies the policy for image pulling
@@ -361,10 +368,12 @@ type BootstrapToken struct {
 	// usages describes the ways in which this token can be used. Can by default be used
 	// for establishing bidirectional trust, but that can be changed here.
 	// +optional
+	// +kubebuilder:validation:MaxItems=100
 	Usages []string `json:"usages,omitempty"`
 	// groups specifies the extra groups that this token will authenticate as when/if
 	// used for authentication
 	// +optional
+	// +kubebuilder:validation:MaxItems=100
 	Groups []string `json:"groups,omitempty"`
 }
 
@@ -401,20 +410,25 @@ type LocalEtcd struct {
 	// Environment variables passed using ExtraEnvs will override any existing environment variables, or *_proxy environment variables that kubeadm adds by default.
 	// This option takes effect only on Kubernetes >=1.31.0.
 	// +optional
+	// +kubebuilder:validation:MaxItems=100
 	ExtraEnvs []EnvVar `json:"extraEnvs,omitempty"`
 
 	// serverCertSANs sets extra Subject Alternative Names for the etcd server signing cert.
 	// +optional
+	// +kubebuilder:validation:MaxItems=100
 	ServerCertSANs []string `json:"serverCertSANs,omitempty"`
+
 	// peerCertSANs sets extra Subject Alternative Names for the etcd peer signing cert.
 	// +optional
+	// +kubebuilder:validation:MaxItems=100
 	PeerCertSANs []string `json:"peerCertSANs,omitempty"`
 }
 
 // ExternalEtcd describes an external etcd cluster.
 // Kubeadm has no knowledge of where certificate files live and they must be supplied.
 type ExternalEtcd struct {
 	// endpoints of etcd members. Required for ExternalEtcd.
+	// +kubebuilder:validation:MaxItems=50
 	Endpoints []string `json:"endpoints"`
 
 	// caFile is an SSL Certificate Authority file used to secure etcd communication.
@@ -463,6 +477,7 @@ type JoinConfiguration struct {
 	// The list of phases can be obtained with the "kubeadm init --help" command.
 	// This option takes effect only on Kubernetes >=1.22.0.
 	// +optional
+	// +kubebuilder:validation:MaxItems=50
 	SkipPhases []string `json:"skipPhases,omitempty"`
 
 	// patches contains options related to applying patches to components deployed by kubeadm during
@@ -520,6 +535,7 @@ type BootstrapTokenDiscovery struct {
 	// ASN.1. These hashes can be calculated using, for example, OpenSSL:
 	// openssl x509 -pubkey -in ca.crt openssl rsa -pubin -outform der 2>&/dev/null | openssl dgst -sha256 -hex
 	// +optional
+	// +kubebuilder:validation:MaxItems=100
 	CACertHashes []string `json:"caCertHashes,omitempty"`
 
 	// unsafeSkipCAVerification allows token-based discovery
@@ -636,12 +652,14 @@ type KubeConfigAuthExec struct {
 
 	// args is the arguments to pass to the command when executing it.
 	// +optional
+	// +kubebuilder:validation:MaxItems=100
 	Args []string `json:"args,omitempty"`
 
 	// env defines additional environment variables to expose to the process. These
 	// are unioned with the host's environment, as well as variables client-go uses
 	// to pass argument to the plugin.
 	// +optional
+	// +kubebuilder:validation:MaxItems=100
 	Env []KubeConfigAuthExecEnv `json:"env,omitempty"`
 
 	// apiVersion is preferred input version of the ExecInfo. The returned ExecCredentials MUST use