
Commit e6b0e94

Merge pull request #334 from racheljpg/vap-2714
OCPCLOUD-2714: Add VAPs to prevent setting of CAPI fields that are not supported by MAPI
2 parents efc784d + 0d2fe39 commit e6b0e94


2 files changed

+264
-164
lines changed


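--- a/manifests/0000_30_cluster-api_09_admission-policies.yaml
+++ b/manifests/0000_30_cluster-api_09_admission-policies.yaml
@@ -151,6 +151,42 @@ data:
 variables.newLabels[?k].orValue(null) == variables.paramLabels[k]
 )
 message: "Cannot modify a Cluster API controlled label except to match the Cluster API mirrored machine. This is because status.authoritativeAPI is set to Cluster API."
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+name: openshift-cluster-api-prevent-setting-of-capi-fields-unsupported-by-mapi
+spec:
+failurePolicy: Fail
+matchConstraints:
+resourceRules:
+- apiGroups: ["cluster.x-k8s.io"]
+apiVersions: ["*"]
+operations: ["CREATE", "UPDATE"]
+resources: ["machines", "machinesets"]
+variables:
+- name: machineSpec
+expression: "object.kind == 'Machine' ? object.spec : object.spec.template.spec"
+- name: specPath
+expression: "object.kind == 'Machine' ? 'spec' : 'spec.template.spec'"
+validations:
+- expression: "!has(variables.machineSpec.version)"
+messageExpression: "variables.specPath + '.version is a forbidden field'"
+- expression: "!has(variables.machineSpec.readinessGates)"
+messageExpression: "variables.specPath + '.readinessGates is a forbidden field'"
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+name: openshift-cluster-api-prevent-setting-of-capi-fields-unsupported-by-mapi
+spec:
+matchResources:
+namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: openshift-cluster-api
+policyName: openshift-cluster-api-prevent-setting-of-capi-fields-unsupported-by-mapi
+validationActions:
+- Deny
 ---
 apiVersion: v1
 kind: ConfigMap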
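Review bot: The two validations test only `object`, yet the policy matches `UPDATE` as well as `CREATE`, so any Machine or MachineSet in the openshift-cluster-api namespace that already carries `spec.version` or `spec.readinessGates` (created before this policy shipped, or populated by a CAPI controller, if any does) will be denied on every later update even when the write leaves those fields untouched; with `failurePolicy: Fail` and `validationActions: [Deny]` that is a hard lockout of the object rather than a one-time rejection. If the goal is only to stop these fields from being introduced or changed, compare against `oldObject` on updates so an unchanged pre-existing value is tolerated, as sketched below using the same optional-types syntax the file already relies on (`.orValue` in the hunk context); the exact CEL should be confirmed against the API server version in use. Likewise, `object.spec.template.spec` is dereferenced unconditionally for MachineSets, and a MachineSet whose template spec is absent would turn into an evaluation error and therefore a denial under `failurePolicy: Fail`, which may or may not be intended. The enclosing `data:` block of the ConfigMap that holds these manifests starts before this hunk.
```yaml
variables:
  - name: machineSpec
    expression: "object.kind == 'Machine' ? object.spec : object.spec.template.spec"
  - name: oldMachineSpec
    expression: "request.operation == 'UPDATE' ? (oldObject.kind == 'Machine' ? oldObject.spec : oldObject.spec.template.spec) : {}"
  # … unchanged: specPath …
validations:
  - expression: "!has(variables.machineSpec.version) || (request.operation == 'UPDATE' && variables.oldMachineSpec.?version == variables.machineSpec.?version)"
    messageExpression: "variables.specPath + '.version is a forbidden field'"
  - expression: "!has(variables.machineSpec.readinessGates) || (request.operation == 'UPDATE' && variables.oldMachineSpec.?readinessGates == variables.machineSpec.?readinessGates)"
    messageExpression: "variables.specPath + '.readinessGates is a forbidden field'"
```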
