Add a ValidatingAdmissionPolicy blocking v1.multus-cni.io/default-network updates

It is not allowed to modify the v1.multus-cni.io/default-network once the pod was created.
The added ValidatingAdmissionPolicy applies to environments with PreconfiguredUDNAddresses featuregate enabled.

Signed-off-by: Patryk Diak <[email protected]>

Author: kyrtapz

bindata/network/ovn-kubernetes/common/default-net-annotation-policy.yaml

@@ -0,0 +1,37 @@
+{{if .OVN_PRE_CONF_UDN_ADDR_ENABLE}}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: default-network-annotation
+spec:
+  matchConstraints:
+    resourceRules:
+      - apiGroups:   [""]
+        apiVersions: ["v1"]
+        operations:  ["UPDATE"]
+        resources:   ["pods"]
+  failurePolicy: Fail
+  validations:
+    # Prevent any changes to the default-network annotation after pod creation:
+    # - If annotation exists in old pod: new pod must have same annotation with identical value
+    # - If annotation doesn't exist in old pod: new pod must also not have it
+    - expression: >
+        ('v1.multus-cni.io/default-network' in oldObject.metadata.annotations)
+        ? ('v1.multus-cni.io/default-network' in object.metadata.annotations) && oldObject.metadata.annotations['v1.multus-cni.io/default-network'] == object.metadata.annotations['v1.multus-cni.io/default-network']
+        : !('v1.multus-cni.io/default-network' in object.metadata.annotations)
+      message: "The 'v1.multus-cni.io/default-network' annotation cannot be changed after the pod was created"
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: default-network-annotation-binding
+spec:
+  policyName: default-network-annotation
+  validationActions: [Deny]
+  matchResources:
+    resourceRules:
+      - apiGroups:   [""]
+        apiVersions: ["v1"]
+        operations:  ["UPDATE"]
+        resources:   ["pods"]
+{{end}}

pkg/network/ovn_kubernetes_test.go

@@ -4187,11 +4187,11 @@ func Test_renderOVNKubernetes(t *testing.T) {
 					config.DefaultNetwork.OVNKubernetesConfig.RouteAdvertisements = operv1.RouteAdvertisementsEnabled
 					return config
 				}, bootstrapResult: fakeBootstrapResultOVN,
-				manifestDir:  manifestDirOvn,
-				client:       cnofake.NewFakeClient(),
-				featureGates: preDefUDNFeatureGates,
+				manifestDir:        manifestDirOvn,
+				client:             cnofake.NewFakeClient(),
+				featureGates:       preDefUDNFeatureGates,
 			},
-			expectNumObjs: 45,
+			expectNumObjs: 47,
 		},
 	}
 	for _, tt := range tests {