chore(deps): bump the k8s group across 1 directory with 4 updates

[dependabot]

Bumps the k8s group with 3 updates in the / directory: k8s.io/api, k8s.io/client-go and sigs.k8s.io/controller-runtime.

Updates k8s.io/api from 0.32.3 to 0.33.1

Commits

• 04f698e Update dependencies to v0.33.1 tag
• 16cedc7 Merge pull request #131088 from atiratree/rename-terminating-replicas-fg
• dc88679 Merge pull request #131103 from ahrtr/etcd_sdk_20250328
• 4a456a2 bump etcd 3.5.21 sdk
• 96e38c9 rename DeploymentPodReplacementPolicy FG to DeploymentReplicaSetTerminatingRe...
• c21a017 Merge pull request #129970 from mortent/AddResourceV1beta2API
• d0673db Run make update
• 118546d Merge pull request #130556 from sreeram-venkitesh/kep-4960-container-stop-sig...
• f9401a3 Merge pull request #130797 from jm-franc/configurable-tolerance
• 9b3e544 Generated UPDATE_COMPATIBILITY_FIXTURE_DATA
• Additional commits viewable in compare view

Updates k8s.io/apimachinery from 0.32.3 to 0.33.1

Commits

• 173776a Merge pull request #131708tigrato/automated-cherry-pick-of-#131702
• a3d1fde fix: fixes a possible panic in NewYAMLToJSONDecoder
• 955939f bump etcd 3.5.21 sdk
• e8a77bd Merge pull request #130910 from googs1025/fix/datarace
• 7e8c77e Merge pull request #130906 from serathius/streaming-validation
• 27fd396 flake: fix data race for func TestBackoff_Step
• 8bcc6f1 Update kube-openapi and integrate streaming tags validation
• 6ce776c Merge pull request #130857 from thockin/kk_small_vg_diffs
• f2c94d6 Comment on origin and JSON schema
• b63ba07 Use origin in validateFalse's own test
• Additional commits viewable in compare view

Updates k8s.io/client-go from 0.32.3 to 0.33.1

Commits

• e7397e5 Update dependencies to v0.33.1 tag
• ecbbb06 bump etcd 3.5.21 sdk
• 2086688 Merge pull request #129970 from mortent/AddResourceV1beta2API
• dba34c7 Run make update
• e359642 Merge pull request #130556 from sreeram-venkitesh/kep-4960-container-stop-sig...
• 3bf0a05 Merge pull request #130797 from jm-franc/configurable-tolerance
• 7a03a3b Generated files
• 1676beb Refresh autogenerated files following the configurable tolerance updates.
• 387edb8 Merge pull request #130967 from aojea/listers
• 21dc3b4 benchmark to show inefficient linear search lookup
• Additional commits viewable in compare view

Updates sigs.k8s.io/controller-runtime from 0.20.4 to 0.21.0

Release notes

Sourced from sigs.k8s.io/controller-runtime's releases.

v0.21.0

Highlights

• Bump to Kubernetes v1.33 libraries
• Improvements for priority queue (#2374)
• envtest now has an option to download envtest binaries (can be used to replace setup-envtest depending on use case)
• Metric improvements: native histograms, all Go runtime metrics are enabled now
• Various bug fixes
• New reviewers: @​troy0820, @​JoelSpeed!!

⚠️ Breaking Changes

• Bump to k8s.io/* v0.33.0 and Go 1.24 (#3104 #3142 #3161 #3204 #3215)
• config: Stop enabling client-side ratelimiter by default (#3119)
  • Previous behavior can be preserved by setting QPS 20 and Burst 30 on the rest.Config
• controller: NewUnmanaged/NewTypedUnmanaged: Stop requiring a manager (#3141)
• reconcile: Deprecate Result.Requeue (#3107)

✨ New Features

• controller: priority queue:
  • Add debug logging for the state of the priority queue (#3075)
  • Add priority label to queue depth metric (#3156)
  • Leverage IsInInitialList (#3162)
  • Remove redundant WithLowPriorityWhenUnchanged in builder (#3168)
  • Retain the priority after Reconcile (#3167)
  • Set priority automatically in handlers (#3111 #3152 #3160 #3174)
• envtest: Add Environment.KubeConfig field (#2278)
• envtest: Add option to download envtest binaries (#3135 #3137)
• events: Add IsInInitialList to TypedCreateEvent (#3162)
• log/zap: Enable panic log level (#3186)
• logging: Adopt WarningHandlerWithContext (#3176)
• logging: Improve logging by adopting contextual logging (#3149)
• metrics: Adopt native histograms (#3165)
• metrics: Expose all Go runtime metrics (#3070)

🐛 Bug Fixes

• apiutil: restmapper: Respect preferred version (#3151)
• builder: webhook: Fix custom path for webhook conflicts (#3102)
• cache: Clone maps to prevent data races when concurrently creating caches using the same options (#3078)
• cache: Stop accumulating lists in multi-namespace cache implementation (#3195)
• cache: List out of global cache when present and necessary (#3126)
• client: Return error if pagination is used with the cached client (#3134)
• controller: Support WaitForSync in TypedSyncingSource (#3084)
• controller: priority queue: Fix behavior of rate limit option in priorityqueue.AddWithOpts (#3103)
• controller: priority queue: Yet another queue_depth metric fix (#3085)
• controllerutil: CreateOrUpdate: Avoid panic when the MutateFn is nil (#2828)
• envtest: Fix nil pointer exception in Stop() (#3153)
• fake client: Fix data races when writing to the scheme (#3143)

... (truncated)

Commits

• 71f7db5 Merge pull request #3225 from troy0820/troy0820/prepare-for-0.21-release
• 52d8779 update README with go version
• ab37f74 Merge pull request #3223 from troy0820/troy0820/return-warnings-on-webhooks
• 250a88f return warnings on webhooks
• 85ee7a9 Merge pull request #3217 from kubernetes-sigs/dependabot/github_actions/all-g...
• 81f1fae 🌱 Bump the all-github-actions group across 1 directory with 3 updates
• d9a2274 Merge pull request #3187 from dongjiang1989/update-golangci-lint-v2
• 9c38211 update golangci-lint to v2
• 9b5f6a7 Merge pull request #3208 from troy0820/troy0820/api-machinery-marshal
• b3278df use sigs.k8s.io/json to unmarshal in fakeclient
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 5 package(s) with unknown licenses.

See the Details below.

License Issues

go.mod

Package	Version	License	Issue Type
golang.org/x/net	0.38.0	Null	Unknown License
golang.org/x/oauth2	0.27.0	Null	Unknown License
golang.org/x/sys	0.31.0	Null	Unknown License
golang.org/x/term	0.30.0	Null	Unknown License
golang.org/x/time	0.9.0	Null	Unknown License

Allowed Licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, BSL-1.0, CC0-1.0, ISC, MIT, MPL-2.0, Unlicense

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
gomod/github.com/blang/semver/v4	4.0.0	🟢 3.7	Details Check Score Reason Dangerous-Workflow ⚠️ -1 no workflows found Packaging ⚠️ -1 packaging workflow not detected Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Token-Permissions ⚠️ -1 No tokens found Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 5 Found 15/26 approved changesets -- score normalized to 5 Pinned-Dependencies ⚠️ -1 no dependencies found CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
gomod/github.com/google/gnostic-models	0.6.9	🟢 5.1	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Code-Review 🟢 5 Found 6/12 approved changesets -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
gomod/github.com/prometheus/client_golang	1.22.0	🟢 7.8	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Code-Review 🟢 7 Found 10/13 approved changesets -- score normalized to 7 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 9 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 SAST 🟢 10 SAST tool is run on all commits Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 20 out of 20 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
gomod/golang.org/x/net	0.38.0	Unknown	Unknown
gomod/golang.org/x/oauth2	0.27.0	Unknown	Unknown
gomod/golang.org/x/sys	0.31.0	Unknown	Unknown
gomod/golang.org/x/term	0.30.0	Unknown	Unknown
gomod/golang.org/x/time	0.9.0	Unknown	Unknown
gomod/k8s.io/api	0.33.1	🟢 5.8	Details Check Score Reason Dangerous-Workflow ⚠️ -1 no workflows found Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 Token-Permissions ⚠️ -1 No tokens found Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 28 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 SAST ⚠️ 0 no SAST tool detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Pinned-Dependencies ⚠️ -1 no dependencies found Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 9 1 existing vulnerabilities detected
gomod/k8s.io/apiextensions-apiserver	0.33.0	🟢 4.9	Details Check Score Reason Dangerous-Workflow ⚠️ -1 no workflows found Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ -1 No tokens found Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 SAST ⚠️ 0 no SAST tool detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Vulnerabilities 🟢 6 4 existing vulnerabilities detected
gomod/k8s.io/apimachinery	0.33.1	🟢 6	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 Token-Permissions ⚠️ -1 No tokens found Dangerous-Workflow ⚠️ -1 no workflows found Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 SAST ⚠️ 0 no SAST tool detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ -1 no dependencies found License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected
gomod/k8s.io/client-go	0.33.1	🟢 5.3	Details Check Score Reason Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ -1 No tokens found Dangerous-Workflow ⚠️ -1 no workflows found CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected SAST ⚠️ 0 no SAST tool detected Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 9 1 existing vulnerabilities detected
gomod/k8s.io/kube-openapi	0.0.0-20250318190949-c8a335a9a2ff	🟢 6.2	Details Check Score Reason Maintained 🟢 4 2 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 4 Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 6 4 existing vulnerabilities detected
gomod/sigs.k8s.io/controller-runtime	0.21.0	🟢 7.1	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Dependency-Update-Tool 🟢 10 update tool detected Code-Review 🟢 10 all changesets reviewed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected SAST ⚠️ 2 SAST tool is not run on all commits -- score normalized to 2 Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected CI-Tests 🟢 10 17 out of 17 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 47 contributing companies or organizations
gomod/sigs.k8s.io/randfill	1.0.0	Unknown	Unknown
gomod/sigs.k8s.io/structured-merge-diff/v4	4.6.0	🟢 6.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 8 9 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 8 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow ⚠️ -1 no workflows found Token-Permissions ⚠️ -1 No tokens found Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• go.mod