Add a ValidatingAdmissionPolicy blocking v1.multus-cni.io/default-network updates

It is not allowed to modify the v1.multus-cni.io/default-network once the pod was created.
The added ValidatingAdmissionPolicy applies to environments with PreconfiguredUDNAddresses featuregate enabled.

Signed-off-by: Patryk Diak <[email protected]>

Author: kyrtapz

bindata/network/ovn-kubernetes/common/default-net-annotation-policy.yaml

@@ -0,0 +1,31 @@
+  {{if .OVN_PRE_CONF_UDN_ADDR_ENABLE}}
+  apiVersion: admissionregistration.k8s.io/v1
+  kind: ValidatingAdmissionPolicy
+  metadata:
+    name: default-network-annotation
+  spec:
+    matchConstraints:
+      resourceRules:
+        - apiGroups:   [""]
+          apiVersions: ["v1"]
+          operations:  ["UPDATE"]
+          resources:   ["pods"]
+    failurePolicy: Fail
+    validations:
+      - expression: "('v1.multus-cni.io/default-network' in oldObject.metadata.annotations) == ('v1.multus-cni.io/default-network' in object.metadata.annotations)"
+        message: "The 'v1.multus-cni.io/default-network' annotation cannot be changed after the pod was created"
+  ---
+  apiVersion: admissionregistration.k8s.io/v1
+  kind: ValidatingAdmissionPolicyBinding
+  metadata:
+    name: default-network-annotation-binding
+  spec:
+    policyName: default-network-annotation
+    validationActions: [Deny]
+    matchResources:
+      resourceRules:
+        - apiGroups:   [""]
+          apiVersions: ["v1"]
+          operations:  ["UPDATE"]
+          resources:   ["pods"]
+{{end}}