Update KAL and fix new findings (#4461)

* Update KAL and its configuration

* Fix kal findings on the API

* Fix kal findings on the API - generated files

Author: rikatz

.custom-gcl.yml

@@ -1,6 +1,6 @@
-version: v2.7.0
+version: v2.8.0
 name: golangci-kube-api-linter
 destination: ./bin
 plugins:
 - module: 'sigs.k8s.io/kube-api-linter'
-  version: 'v0.0.0-20251201121224-8e86c463aeb8' # Pin to a commit while there's no tag
+  version: 'v0.0.0-20260123105127-470c3a315f3a' # Pin to a commit while there's no tag

.github/workflows/kal.yml

@@ -23,7 +23,7 @@ jobs:
         with:
           go-version-file: 'go.work'
       - name: Install Golang CI Lint
-        run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.7.0
+        run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.8.0
       - name: Build KAL
         run: golangci-lint custom -v
       - name: run api linter

.golangci-kal.yml

@@ -11,18 +11,50 @@ linters:
         settings:
           linters:
             enable:
-              - "duplicatemarkers" # Ensure there are no exact duplicate markers. for types and fields.
-              - "jsontags" # Ensure every field has a json tag.
-              - "nofloats" # Ensure floats are not used.
-              - "nomaps" # Ensure maps are not used.
+              - "defaultorrequired" # defaultorrequired analyzer checks that fields marked as required do not have default values applied.
+              - "defaults" # defaults is a linter to check that fields with default markers are configured correctly.
+              - "duplicatemarkers" # Ensures there are no exact duplicate markers. for types and fields.
+              - "jsontags" # Ensures every field has a json tag.
+              - "nodurations" # Ensures that fields in the API types do not contain `Duration` type ether from the `time` package or the `k8s.io/apimachinery/pkg/apis/meta/v1` package
+              - "nofloats" # Ensures floats are not used.
+              - "nomaps" # Ensures maps are not used.
+              - "nonullable" # Ensures that types and fields do not have the `nullable` marker
               - "nophase" # Phase fields are discouraged by the Kube API conventions, use conditions instead.
+              - "noreferences" # Ensures that field names use 'Ref'/'Refs' instead of 'Reference'/'References'.
+              - "notimestamp" # Ensures that structs do not contain a TimeStamp field.
               - "optionalorrequired" # Every field should be marked as `+optional` or `+required`.
               - "ssatags" # Ensure proper Server-Side Apply (SSA) tags on array fields.
               - "statussubresource" # All root objects that have a `status` field should have a status subresource.
               - "uniquemarkers" # Ensure that types and fields do not contain more than a single definition of a marker that should only be present once.
             disable:
+              # Enforces that an array of struct has at least one required fields. Disabled because BackendRef and others are already using it
+              # - "arrayofstructs"
+              # Disabled because it is very verbose...
+              # - "commentstart"
+              # Disabled because it changes how conditions are merged and we may need to check impact on existing installations
+              # - "conditions"
+              # Enforces usage of int32 or int64. Disabled because GA APIs are already using it
+              # - "integers"
+              # Disabled because some GA fields do not have a maxlength and this may break
+              # - "maxlength"
+              # Disabled because some GA fields do not have a minlength and this may break.
+              # Must be revisited with VAP
+              # - "minlength"
+              # Ensure no booleans are used - controversial
+              # - "nobools"
+              # Ensure that non pointer structs with no required fields are marked as optional. Breaking change
+              # - "nonpointerstructs"
+              # Ensure that optional fields are pointers - controversial
+              # - "optionalfields"
+              # Ensures that required fields has omitempty tags
+              # - "requiredfields"
+              # Ensures that all first-level children fields within a status struct are marked as optional.
+              # Disabled, breaking change for RouteParentStatus 
+              # - "statusoptional"
               - "*"
-          lintersConfig: {}
+          lintersConfig:
+            defaults:
+              preferredDefaultMarker: "kubebuilder:default"
   exclusions:
     generated: strict
     paths:

apis/v1/backendtlspolicy_types.go

@@ -37,7 +37,7 @@ type BackendTLSPolicy struct {
 
 	// Spec defines the desired state of BackendTLSPolicy.
 	// +required
-	Spec BackendTLSPolicySpec `json:"spec"`
+	Spec BackendTLSPolicySpec `json:"spec,omitzero"`
 
 	// Status defines the current state of BackendTLSPolicy.
 	// +optional
@@ -120,7 +120,7 @@ type BackendTLSPolicySpec struct {
 	// +kubebuilder:validation:MaxItems=16
 	// +kubebuilder:validation:XValidation:message="sectionName must be specified when targetRefs includes 2 or more references to the same target",rule="self.all(p1, self.all(p2, p1.group == p2.group && p1.kind == p2.kind && p1.name == p2.name ? ((!has(p1.sectionName) || p1.sectionName == '') == (!has(p2.sectionName) || p2.sectionName == '')) : true))"
 	// +kubebuilder:validation:XValidation:message="sectionName must be unique when targetRefs includes 2 or more references to the same target",rule="self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind == p2.kind && p1.name == p2.name && (((!has(p1.sectionName) || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName == p2.sectionName))))"
-	TargetRefs []LocalPolicyTargetReferenceWithSectionName `json:"targetRefs"`
+	TargetRefs []LocalPolicyTargetReferenceWithSectionName `json:"targetRefs,omitempty"`
 
 	// Validation contains backend TLS validation configuration.
 	// +required

apis/v1/gateway_types.go

@@ -45,7 +45,7 @@ type Gateway struct {
 	//
 	// +kubebuilder:default={conditions: {{type: "Accepted", status: "Unknown", reason:"Pending", message:"Waiting for controller", lastTransitionTime: "1970-01-01T00:00:00Z"},{type: "Programmed", status: "Unknown", reason:"Pending", message:"Waiting for controller", lastTransitionTime: "1970-01-01T00:00:00Z"}}}
 	// +optional
-	Status GatewayStatus `json:"status,omitempty"`
+	Status GatewayStatus `json:"status,omitempty,omitzero"`
 }
 
 // +kubebuilder:object:root=true

apis/v1/gatewayclass_types.go

@@ -64,7 +64,7 @@ type GatewayClass struct {
 	//
 	// +kubebuilder:default={conditions: {{type: "Accepted", status: "Unknown", message: "Waiting for controller", reason: "Pending", lastTransitionTime: "1970-01-01T00:00:00Z"}}}
 	// +optional
-	Status GatewayClassStatus `json:"status,omitempty"`
+	Status GatewayClassStatus `json:"status,omitempty,omitzero"`
 }
 
 const (

apis/v1/object_reference_types.go

@@ -54,13 +54,13 @@ type SecretObjectReference struct {
 	//
 	// +optional
 	// +kubebuilder:default=""
-	Group *Group `json:"group"`
+	Group *Group `json:"group,omitempty"`
 
 	// Kind is kind of the referent. For example "Secret".
 	//
 	// +optional
 	// +kubebuilder:default=Secret
-	Kind *Kind `json:"kind"`
+	Kind *Kind `json:"kind,omitempty"`
 
 	// Name is the name of the referent.
 	// +required

apis/v1alpha2/tcproute_types.go

@@ -55,7 +55,7 @@ type TCPRouteSpec struct {
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=16
 	// <gateway:experimental:validation:XValidation:message="Rule name must be unique within the route",rule="self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) && l1.name == l2.name))">
-	Rules []TCPRouteRule `json:"rules"`
+	Rules []TCPRouteRule `json:"rules,omitempty"`
 }
 
 // TCPRouteStatus defines the observed state of TCPRoute

apisx/v1alpha1/shared_types.go

@@ -47,13 +47,13 @@ type ParentGatewayReference struct {
 	//
 	// +optional
 	// +kubebuilder:default="gateway.networking.k8s.io"
-	Group *Group `json:"group"`
+	Group *Group `json:"group,omitempty"`
 
 	// Kind is kind of the referent. For example "Gateway".
 	//
 	// +optional
 	// +kubebuilder:default=Gateway
-	Kind *Kind `json:"kind"`
+	Kind *Kind `json:"kind,omitempty"`
 
 	// Name is the name of the referent.
 	// +required

apisx/v1alpha1/xlistenerset_types.go

@@ -64,20 +64,20 @@ type XListenerSet struct {
 
 	// Spec defines the desired state of ListenerSet.
 	// +required
-	Spec ListenerSetSpec `json:"spec"`
+	Spec ListenerSetSpec `json:"spec,omitzero"`
 
 	// Status defines the current state of ListenerSet.
 	//
 	// +kubebuilder:default={conditions: {{type: "Accepted", status: "Unknown", reason:"Pending", message:"Waiting for controller", lastTransitionTime: "1970-01-01T00:00:00Z"},{type: "Programmed", status: "Unknown", reason:"Pending", message:"Waiting for controller", lastTransitionTime: "1970-01-01T00:00:00Z"}}}
 	// +optional
-	Status ListenerSetStatus `json:"status,omitempty"`
+	Status ListenerSetStatus `json:"status,omitempty,omitzero"`
 }
 
 // ListenerSetSpec defines the desired state of a ListenerSet.
 type ListenerSetSpec struct {
 	// ParentRef references the Gateway that the listeners are attached to.
 	// +required
-	ParentRef ParentGatewayReference `json:"parentRef"`
+	ParentRef ParentGatewayReference `json:"parentRef,omitempty"`
 
 	// Listeners associated with this ListenerSet. Listeners define
 	// logical endpoints that are bound on this referenced parent Gateway's addresses.
@@ -117,7 +117,7 @@ type ListenerSetSpec struct {
 	// +kubebuilder:validation:XValidation:message="Listener name must be unique within the Gateway",rule="self.all(l1, self.exists_one(l2, l1.name == l2.name))"
 	// +kubebuilder:validation:XValidation:message="Combination of port, protocol and hostname must be unique for each listener",rule="self.all(l1, !has(l1.port) || self.exists_one(l2, has(l2.port) && l1.port == l2.port && l1.protocol == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))"
 	// +required
-	Listeners []ListenerEntry `json:"listeners"`
+	Listeners []ListenerEntry `json:"listeners,omitempty"`
 }
 
 type ListenerEntry struct {
@@ -128,7 +128,7 @@ type ListenerEntry struct {
 	// Routes can attach to a Listener by having a ListenerSet as a parentRef
 	// and setting the SectionName
 	// +required
-	Name SectionName `json:"name"`
+	Name SectionName `json:"name,omitempty"`
 
 	// Hostname specifies the virtual hostname to match for protocol types that
 	// define this concept. When unspecified, all hostnames are matched. This
@@ -165,11 +165,11 @@ type ListenerEntry struct {
 	// +kubebuilder:validation:Maximum=65535
 	//
 	// +required
-	Port PortNumber `json:"port"`
+	Port PortNumber `json:"port,omitempty"`
 
 	// Protocol specifies the network protocol this listener expects to receive.
 	// +required
-	Protocol ProtocolType `json:"protocol"`
+	Protocol ProtocolType `json:"protocol,omitempty"`
 
 	// TLS is the TLS configuration for the Listener. This field is required if
 	// the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
@@ -245,7 +245,7 @@ type ListenerSetStatus struct {
 type ListenerEntryStatus struct {
 	// Name is the name of the Listener that this status corresponds to.
 	// +required
-	Name SectionName `json:"name"`
+	Name SectionName `json:"name,omitempty"`
 
 	// SupportedKinds is the list indicating the Kinds supported by this
 	// listener. This MUST represent the kinds supported by an implementation for
@@ -260,7 +260,7 @@ type ListenerEntryStatus struct {
 	// +required
 	// +listType=atomic
 	// +kubebuilder:validation:MaxItems=8
-	SupportedKinds []RouteGroupKind `json:"supportedKinds"`
+	SupportedKinds []RouteGroupKind `json:"supportedKinds,omitempty"`
 
 	// AttachedRoutes represents the total number of Routes that have been
 	// successfully attached to this Listener.
@@ -291,7 +291,7 @@ type ListenerEntryStatus struct {
 	// +listMapKey=type
 	// +kubebuilder:validation:MaxItems=8
 	// +required
-	Conditions []metav1.Condition `json:"conditions"`
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
 
 // ListenerSetConditionType is a type of condition associated with a