Bump k8s.io/apimachinery from 0.27.1 to 0.35.2

[dependabot]

Bumps k8s.io/apimachinery from 0.27.1 to 0.35.2.

Commits

• 72d71ea Merge remote-tracking branch 'origin/master' into release-1.35
• e2a2dbc Bump golang.org/x/crypto to v0.45.0
• 2e9c228 Merge pull request #135131 from Dev1622/sig-storage/mock-expand-flake-fix
• f274aac vendor: update vendor and license metadata after replacing BeTrue usage in cs...
• 9445443 Resolve lint restriction on BeTrue by introducing Succeed() with contextual e...
• 52154f7 Update vendored dependencies
• 5a348c5 KEP-5471: Extend tolerations operators (#134665)
• 6f89492 Merge pull request #133648 from richabanker/merged-discovery
• c77dde2 util/sort: Add MergePreservingRelativeOrder for topological sorting
• 729c13d Merge pull request #134624 from yt2985/podcertificates-beta
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Note

High Risk
High risk because it upgrades a core Kubernetes dependency (k8s.io/apimachinery) across several major/minor versions while other k8s.io/* modules remain pinned, and it also bumps the project Go version to 1.25.0, which can affect build/tooling compatibility.

Overview
Updates the module to target Go 1.25.0 and upgrades k8s.io/apimachinery from v0.27.1 to v0.35.2.

As part of the upgrade, this refreshes a large set of direct and transitive dependencies (notably k8s.io/klog/v2, golang.org/x/*, google.golang.org/protobuf, and several sigs.k8s.io/* libs) and regenerates go.sum accordingly.

^{Written by Cursor Bugbot for commit b3fd604. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Free Tier Details

Your team is on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle for each member of your team.

To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Incompatible k8s.io package version skew breaks compatibility

High Severity

k8s.io/apimachinery is bumped to v0.35.2 while k8s.io/api, k8s.io/client-go, and k8s.io/apiextensions-apiserver remain at v0.27.1. These Kubernetes Go modules are released in lockstep and designed to be used at matching versions. An 8-minor-version skew will almost certainly cause compilation failures or runtime incompatibilities, as Go's MVS will force the older packages to build against the much newer apimachinery, which was never tested with them. sigs.k8s.io/controller-runtime v0.14.6 is also designed for the 0.27 era.

Additional Locations (1)

• go.mod#L9-L13

 

^{Triggered by project rule: Gemini Project Review Guidelines}