kubernetes-sigs · moko-poi · Nov 18, 2025 · Nov 23, 2025
diff --git a/.golangci-kal.yml b/.golangci-kal.yml
@@ -22,7 +22,7 @@ linters:
               #- "integers" # Ensure only int32 and int64 are used for integers.
               #- "jsontags" # Ensure every field has a json tag.
               #- "maxlength" # Ensure all strings and arrays have maximum lengths/maximum items.
-              #- "nobools" # Bools do not evolve over time, should use enums instead.
+              - "nobools" # Bools do not evolve over time, should use enums instead.
               #- "nofloats" # Ensure floats are not used.
               #- "optionalorrequired" # Every field should be marked as `+optional` or `+required`.
               # - "requiredfields" # Required fields should not be pointers, and should not have `omitempty`.

diff --git a/api/v1beta1/awscluster_types.go b/api/v1beta1/awscluster_types.go
@@ -131,12 +131,12 @@ type Bastion struct {
 	// Enabled allows this provider to create a bastion host instance
 	// with a public ip to access the VPC private network.
 	// +optional
-	Enabled bool `json:"enabled"`
+	Enabled bool `json:"enabled"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 
 	// DisableIngressRules will ensure there are no Ingress rules in the bastion host's security group.
 	// Requires AllowedCIDRBlocks to be empty.
 	// +optional
-	DisableIngressRules bool `json:"disableIngressRules,omitempty"`
+	DisableIngressRules bool `json:"disableIngressRules,omitempty"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 
 	// AllowedCIDRBlocks is a list of CIDR blocks allowed to access the bastion host.
 	// They are set as ingress rules for the Bastion host's Security Group (defaults to 0.0.0.0/0).
@@ -180,7 +180,7 @@ type AWSLoadBalancerSpec struct {
 	//
 	// Defaults to false.
 	// +optional
-	CrossZoneLoadBalancing bool `json:"crossZoneLoadBalancing"`
+	CrossZoneLoadBalancing bool `json:"crossZoneLoadBalancing"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 
 	// Subnets sets the subnets that should be applied to the control plane load balancer (defaults to discovered subnets for managed VPCs or an empty set for unmanaged VPCs)
 	// +optional
@@ -200,7 +200,7 @@ type AWSLoadBalancerSpec struct {
 // AWSClusterStatus defines the observed state of AWSCluster.
 type AWSClusterStatus struct {
 	// +kubebuilder:default=false
-	Ready          bool                          `json:"ready"`
+	Ready          bool                          `json:"ready"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 	Network        NetworkStatus                 `json:"networkStatus,omitempty"`
 	FailureDomains clusterv1beta1.FailureDomains `json:"failureDomains,omitempty"`
 	Bastion        *Instance                     `json:"bastion,omitempty"`

diff --git a/api/v1beta1/awsmachine_types.go b/api/v1beta1/awsmachine_types.go
@@ -95,7 +95,7 @@ type AWSMachineSpec struct {
 	// 2. Cluster/flavor setting
 	// 3. Subnet default
 	// +optional
-	PublicIP *bool `json:"publicIP,omitempty"`
+	PublicIP *bool `json:"publicIP,omitempty"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 
 	// AdditionalSecurityGroups is an array of references to security groups that should be applied to the
 	// instance. These security groups would be set in addition to any security groups defined
@@ -137,7 +137,7 @@ type AWSMachineSpec struct {
 	// user data stored in aws secret manager is always gzip-compressed.
 	//
 	// +optional
-	UncompressedUserData *bool `json:"uncompressedUserData,omitempty"`
+	UncompressedUserData *bool `json:"uncompressedUserData,omitempty"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 
 	// CloudInit defines options related to the bootstrapping systems where
 	// CloudInit is used.
@@ -165,7 +165,7 @@ type CloudInit struct {
 	// or AWS Systems Manager Parameter Store to ensure privacy of userdata.
 	// By default, a cloud-init boothook shell script is prepended to download
 	// the userdata from Secrets Manager and additionally delete the secret.
-	InsecureSkipSecretsManager bool `json:"insecureSkipSecretsManager,omitempty"`
+	InsecureSkipSecretsManager bool `json:"insecureSkipSecretsManager,omitempty"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 
 	// SecretCount is the number of secrets used to form the complete secret
 	// +optional
@@ -199,12 +199,12 @@ type Ignition struct {
 type AWSMachineStatus struct {
 	// Ready is true when the provider resource is ready.
 	// +optional
-	Ready bool `json:"ready"`
+	Ready bool `json:"ready"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 
 	// Interruptible reports that this machine is using spot instances and can therefore be interrupted by CAPI when it receives a notice that the spot instance is to be terminated by AWS.
 	// This will be set to true when SpotMarketOptions is not nil (i.e. this machine is using a spot instance).
 	// +optional
-	Interruptible bool `json:"interruptible,omitempty"`
+	Interruptible bool `json:"interruptible,omitempty"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 
 	// Addresses contains the AWS instance associated addresses.
 	Addresses []clusterv1beta1.MachineAddress `json:"addresses,omitempty"`

diff --git a/api/v1beta1/network_types.go b/api/v1beta1/network_types.go
@@ -125,7 +125,7 @@ type ClassicELBAttributes struct {
 
 	// CrossZoneLoadBalancing enables the classic load balancer load balancing.
 	// +optional
-	CrossZoneLoadBalancing bool `json:"crossZoneLoadBalancing,omitempty"`
+	CrossZoneLoadBalancing bool `json:"crossZoneLoadBalancing,omitempty"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 }
 
 // ClassicELBListener defines an AWS classic load balancer listener.
@@ -258,12 +258,12 @@ type SubnetSpec struct {
 
 	// IsPublic defines the subnet as a public subnet. A subnet is public when it is associated with a route table that has a route to an internet gateway.
 	// +optional
-	IsPublic bool `json:"isPublic"`
+	IsPublic bool `json:"isPublic"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 
 	// IsIPv6 defines the subnet as an IPv6 subnet. A subnet is IPv6 when it is associated with a VPC that has IPv6 enabled.
 	// IPv6 is only supported in managed clusters, this field cannot be set on AWSCluster object.
 	// +optional
-	IsIPv6 bool `json:"isIpv6,omitempty"`
+	IsIPv6 bool `json:"isIpv6,omitempty"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 
 	// RouteTableID is the routing table id associated with the subnet.
 	// +optional

diff --git a/api/v1beta1/types.go b/api/v1beta1/types.go
@@ -174,10 +174,10 @@ type Instance struct {
 	PublicIP *string `json:"publicIp,omitempty"`
 
 	// Specifies whether enhanced networking with ENA is enabled.
-	ENASupport *bool `json:"enaSupport,omitempty"`
+	ENASupport *bool `json:"enaSupport,omitempty"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 
 	// Indicates whether the instance is optimized for Amazon EBS I/O.
-	EBSOptimized *bool `json:"ebsOptimized,omitempty"`
+	EBSOptimized *bool `json:"ebsOptimized,omitempty"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 
 	// Configuration options for the root storage volume.
 	// +optional
@@ -233,7 +233,7 @@ type Volume struct {
 
 	// Encrypted is whether the volume should be encrypted or not.
 	// +optional
-	Encrypted *bool `json:"encrypted,omitempty"`
+	Encrypted *bool `json:"encrypted,omitempty"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 
 	// EncryptionKey is the KMS key to use to encrypt the volume. Can be either a KMS key ID or ARN.
 	// If Encrypted is set and this is omitted, the default AWS key will be used.

diff --git a/api/v1beta2/awscluster_types.go b/api/v1beta2/awscluster_types.go
@@ -143,12 +143,12 @@ type Bastion struct {
 	// Enabled allows this provider to create a bastion host instance
 	// with a public ip to access the VPC private network.
 	// +optional
-	Enabled bool `json:"enabled"`
+	Enabled bool `json:"enabled"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 
 	// DisableIngressRules will ensure there are no Ingress rules in the bastion host's security group.
 	// Requires AllowedCIDRBlocks to be empty.
 	// +optional
-	DisableIngressRules bool `json:"disableIngressRules,omitempty"`
+	DisableIngressRules bool `json:"disableIngressRules,omitempty"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 
 	// AllowedCIDRBlocks is a list of CIDR blocks allowed to access the bastion host.
 	// They are set as ingress rules for the Bastion host's Security Group (defaults to 0.0.0.0/0).
@@ -208,7 +208,7 @@ type AWSLoadBalancerSpec struct {
 	//
 	// Defaults to false.
 	// +optional
-	CrossZoneLoadBalancing bool `json:"crossZoneLoadBalancing"`
+	CrossZoneLoadBalancing bool `json:"crossZoneLoadBalancing"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 
 	// Subnets sets the subnets that should be applied to the control plane load balancer (defaults to discovered subnets for managed VPCs or an empty set for unmanaged VPCs)
 	// +optional
@@ -247,11 +247,11 @@ type AWSLoadBalancerSpec struct {
 
 	// DisableHostsRewrite disabled the hair pinning issue solution that adds the NLB's address as 127.0.0.1 to the hosts
 	// file of each instance. This is by default, false.
-	DisableHostsRewrite bool `json:"disableHostsRewrite,omitempty"`
+	DisableHostsRewrite bool `json:"disableHostsRewrite,omitempty"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 
 	// PreserveClientIP lets the user control if preservation of client ips must be retained or not.
 	// If this is enabled 6443 will be opened to 0.0.0.0/0.
-	PreserveClientIP bool `json:"preserveClientIP,omitempty"`
+	PreserveClientIP bool `json:"preserveClientIP,omitempty"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 }
 
 // AdditionalListenerSpec defines the desired state of an
@@ -276,7 +276,7 @@ type AdditionalListenerSpec struct {
 // AWSClusterStatus defines the observed state of AWSCluster.
 type AWSClusterStatus struct {
 	// +kubebuilder:default=false
-	Ready          bool                          `json:"ready"`
+	Ready          bool                          `json:"ready"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 	Network        NetworkStatus                 `json:"networkStatus,omitempty"`
 	FailureDomains clusterv1beta1.FailureDomains `json:"failureDomains,omitempty"`
 	Bastion        *Instance                     `json:"bastion,omitempty"`
@@ -312,7 +312,7 @@ type S3Bucket struct {
 
 	// BestEffortDeleteObjects defines whether access/permission errors during object deletion should be ignored.
 	// +optional
-	BestEffortDeleteObjects *bool `json:"bestEffortDeleteObjects,omitempty"`
+	BestEffortDeleteObjects *bool `json:"bestEffortDeleteObjects,omitempty"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 }
 
 // +kubebuilder:object:root=true

diff --git a/api/v1beta2/awscluster_webhook_test.go b/api/v1beta2/awscluster_webhook_test.go
@@ -50,7 +50,7 @@ func TestAWSClusterValidateCreate(t *testing.T) {
 	tests := []struct {
 		name    string
 		cluster *AWSCluster
-		wantErr bool
+		wantErr bool //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 		expect  func(g *WithT, res *AWSLoadBalancerSpec)
 	}{
 		{
@@ -789,7 +789,7 @@ func TestAWSClusterValidateUpdate(t *testing.T) {
 		name       string
 		oldCluster *AWSCluster
 		newCluster *AWSCluster
-		wantErr    bool
+		wantErr    bool //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 	}{
 		{
 			name: "Control Plane LB type is immutable when switching from disabled to any",
@@ -1343,7 +1343,7 @@ func TestAWSClusterValidateAllowedCIDRBlocks(t *testing.T) {
 	tests := []struct {
 		name    string
 		awsc    *AWSCluster
-		wantErr bool
+		wantErr bool //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 	}{
 		{
 			name: "allow valid CIDRs",

diff --git a/api/v1beta2/awsclustercontrolleridentity_webhook_test.go b/api/v1beta2/awsclustercontrolleridentity_webhook_test.go
@@ -30,7 +30,7 @@ func TestAWSClusterControllerIdentityCreationValidation(t *testing.T) {
 	tests := []struct {
 		name      string
 		identity  *AWSClusterControllerIdentity
-		wantError bool
+		wantError bool //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 	}{
 		{
 			name: "only allow AWSClusterControllerIdentity creation with name default",
@@ -71,7 +71,7 @@ func TestAWSClusterControllerIdentityLabelSelectorAsSelectorValidation(t *testin
 	tests := []struct {
 		name      string
 		selectors map[string]string
-		wantError bool
+		wantError bool //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 	}{
 		{
 			name:      "should not return error for valid selector",
@@ -140,7 +140,7 @@ func TestAWSClusterControllerValidateUpdate(t *testing.T) {
 	tests := []struct {
 		name      string
 		identity  *AWSClusterControllerIdentity
-		wantError bool
+		wantError bool //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 	}{
 		{
 			name: "do not allow any spec changes",
@@ -211,7 +211,7 @@ func TestAWSClusterControllerIdentityUpdateValidation(t *testing.T) {
 	tests := []struct {
 		name      string
 		identity  *AWSClusterControllerIdentity
-		wantError bool
+		wantError bool //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 	}{
 		{
 			name:      "should not return error for valid selector",

diff --git a/api/v1beta2/awsclusterroleidentity_webhook_test.go b/api/v1beta2/awsclusterroleidentity_webhook_test.go
@@ -30,7 +30,7 @@ func TestAWSClusterRoleValidateCreate(t *testing.T) {
 	tests := []struct {
 		name      string
 		identity  *AWSClusterRoleIdentity
-		wantError bool
+		wantError bool //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 	}{
 		{
 			name: "do not allow nil sourceIdentityRef",
@@ -77,7 +77,7 @@ func TestCreateAWSClusterRoleIdentityLabelSelectorAsSelectorValidation(t *testin
 	tests := []struct {
 		name      string
 		selectors map[string]string
-		wantError bool
+		wantError bool //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 	}{
 		{
 			name:      "should not return error for valid selector",
@@ -184,7 +184,7 @@ func TestAWSClusterRoleIdentityUpdateValidation(t *testing.T) {
 	tests := []struct {
 		name      string
 		identity  *AWSClusterRoleIdentity
-		wantError bool
+		wantError bool //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 	}{
 		{
 			name:      "should not return error for valid selector",

diff --git a/api/v1beta2/awsclusterstaticidentity_webhook_test.go b/api/v1beta2/awsclusterstaticidentity_webhook_test.go
@@ -30,7 +30,7 @@ func TestCreateAWSClusterStaticIdentityValidation(t *testing.T) {
 	tests := []struct {
 		name      string
 		selectors map[string]string
-		wantError bool
+		wantError bool //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 	}{
 		{
 			name:      "should not return error for valid selector",
@@ -98,7 +98,7 @@ func TestAWSClusterStaticValidateUpdate(t *testing.T) {
 	tests := []struct {
 		name      string
 		identity  *AWSClusterStaticIdentity
-		wantError bool
+		wantError bool //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 	}{
 		{
 			name: "do not allow any spec changes",
@@ -162,7 +162,7 @@ func TestAWSClusterStaticIdentityUpdateLabelSelectorValidation(t *testing.T) {
 	tests := []struct {
 		name      string
 		identity  *AWSClusterStaticIdentity
-		wantError bool
+		wantError bool //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 	}{
 		{
 			name:      "should not return error for valid selector",

diff --git a/api/v1beta2/awsmachine_types.go b/api/v1beta2/awsmachine_types.go
@@ -137,7 +137,7 @@ type AWSMachineSpec struct {
 	// 2. Cluster/flavor setting
 	// 3. Subnet default
 	// +optional
-	PublicIP *bool `json:"publicIP,omitempty"`
+	PublicIP *bool `json:"publicIP,omitempty"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 
 	// ElasticIPPool is the configuration to allocate Public IPv4 address (Elastic IP/EIP) from user-defined pool.
 	//
@@ -190,7 +190,7 @@ type AWSMachineSpec struct {
 	// user data stored in aws secret manager is always gzip-compressed.
 	//
 	// +optional
-	UncompressedUserData *bool `json:"uncompressedUserData,omitempty"`
+	UncompressedUserData *bool `json:"uncompressedUserData,omitempty"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 
 	// CloudInit defines options related to the bootstrapping systems where
 	// CloudInit is used.
@@ -290,7 +290,7 @@ type CloudInit struct {
 	// or AWS Systems Manager Parameter Store to ensure privacy of userdata.
 	// By default, a cloud-init boothook shell script is prepended to download
 	// the userdata from Secrets Manager and additionally delete the secret.
-	InsecureSkipSecretsManager bool `json:"insecureSkipSecretsManager,omitempty"`
+	InsecureSkipSecretsManager bool `json:"insecureSkipSecretsManager,omitempty"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 
 	// SecretCount is the number of secrets used to form the complete secret
 	// +optional
@@ -406,12 +406,12 @@ type IgnitionProxy struct {
 type AWSMachineStatus struct {
 	// Ready is true when the provider resource is ready.
 	// +optional
-	Ready bool `json:"ready"`
+	Ready bool `json:"ready"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 
 	// Interruptible reports that this machine is using spot instances and can therefore be interrupted by CAPI when it receives a notice that the spot instance is to be terminated by AWS.
 	// This will be set to true when SpotMarketOptions is not nil (i.e. this machine is using a spot instance).
 	// +optional
-	Interruptible bool `json:"interruptible,omitempty"`
+	Interruptible bool `json:"interruptible,omitempty"` //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 
 	// Addresses contains the AWS instance associated addresses.
 	Addresses []clusterv1beta1.MachineAddress `json:"addresses,omitempty"`

diff --git a/api/v1beta2/awsmachine_webhook_test.go b/api/v1beta2/awsmachine_webhook_test.go
@@ -44,7 +44,7 @@ func TestAWSMachineCreate(t *testing.T) {
 	tests := []struct {
 		name    string
 		machine *AWSMachine
-		wantErr bool
+		wantErr bool //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 	}{
 		{
 			name: "ensure IOPS exists if type equal to io1",
@@ -620,7 +620,7 @@ func TestAWSMachineUpdate(t *testing.T) {
 		name       string
 		oldMachine *AWSMachine
 		newMachine *AWSMachine
-		wantErr    bool
+		wantErr    bool //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 	}{
 		{
 			name: "change in providerid, cloudinit, tags, securitygroups",

diff --git a/api/v1beta2/awsmachinetemplate_webhook_test.go b/api/v1beta2/awsmachinetemplate_webhook_test.go
@@ -29,7 +29,7 @@ func TestAWSMachineTemplateValidateCreate(t *testing.T) {
 	tests := []struct {
 		name          string
 		inputTemplate *AWSMachineTemplate
-		wantError     bool
+		wantError     bool //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 	}{
 		{
 			name: "don't allow providerID",
@@ -120,7 +120,7 @@ func TestAWSMachineTemplateValidateUpdate(t *testing.T) {
 	tests := []struct {
 		name             string
 		modifiedTemplate *AWSMachineTemplate
-		wantError        bool
+		wantError        bool //nolint:kubeapilinter // nobools: Existing API field, not changing to preserve backwards compatibility.
 	}{
 		{
 			name: "don't allow updates",