
Commit 77084fb

committed
Add a ValidatingAdmissionPolicy blocking v1.multus-cni.io/default-network updates
It is not allowed to modify the v1.multus-cni.io/default-network once the pod was created. The added ValidatingAdmissionPolicy applies to environments with PreconfiguredUDNAddresses featuregate enabled. Signed-off-by: Patryk Diak <[email protected]>
1 parent 6fa9546 commit 77084fb


2 files changed

+35
-4
lines changed

Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
{{if .OVN_PRE_CONF_UDN_ADDR_ENABLE}}
2+
apiVersion: admissionregistration.k8s.io/v1
3+
kind: ValidatingAdmissionPolicy
4+
metadata:
5+
name: default-network-annotation
6+
spec:
7+
matchConstraints:
8+
resourceRules:
9+
- apiGroups: [""]
10+
apiVersions: ["v1"]
11+
operations: ["UPDATE"]
12+
resources: ["pods"]
13+
failurePolicy: Fail
14+
validations:
15+
- expression: "('v1.multus-cni.io/default-network' in oldObject.metadata.annotations) == ('v1.multus-cni.io/default-network' in object.metadata.annotations)"
16+
message: "The 'v1.multus-cni.io/default-network' annotation cannot be changed after the pod was created"
17+
---
18+
apiVersion: admissionregistration.k8s.io/v1
19+
kind: ValidatingAdmissionPolicyBinding
20+
metadata:
21+
name: default-network-annotation-binding
22+
spec:
23+
policyName: default-network-annotation
24+
validationActions: [Deny]
25+
matchResources:
26+
resourceRules:
27+
- apiGroups: [""]
28+
apiVersions: ["v1"]
29+
operations: ["UPDATE"]
30+
resources: ["pods"]
31+
{{end}}
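Review bot: The validation on line 15 of the new manifest only compares whether `v1.multus-cni.io/default-network` is present on `oldObject` and on `object`, so an UPDATE that keeps the annotation but changes its value passes, although the message says the annotation cannot be changed. A second validation that compares the two values whenever the old pod carries the annotation would close that gap; a sketch follows. Separately, the expression reads `metadata.annotations` without a `has()` guard. If that field can be absent on a pod, evaluation may error and `failurePolicy: Fail` would then reject the update, so this is worth confirming with a test pod that has no annotations.

```yaml
  validations:
    # … unchanged: presence check and its message …
    - expression: >-
        !has(oldObject.metadata.annotations) ||
        !('v1.multus-cni.io/default-network' in oldObject.metadata.annotations) ||
        (has(object.metadata.annotations) &&
         'v1.multus-cni.io/default-network' in object.metadata.annotations &&
         object.metadata.annotations['v1.multus-cni.io/default-network'] ==
           oldObject.metadata.annotations['v1.multus-cni.io/default-network'])
      message: "The 'v1.multus-cni.io/default-network' annotation value cannot be changed after the pod was created"
```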

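--- a/pkg/network/ovn_kubernetes_test.go
+++ b/pkg/network/ovn_kubernetes_test.go
@@ -4182,11 +4182,11 @@ func Test_renderOVNKubernetes(t *testing.T) {
 config.DefaultNetwork.OVNKubernetesConfig.RouteAdvertisements = operv1.RouteAdvertisementsEnabled
 return config
 }, bootstrapResult: fakeBootstrapResultOVN,
-manifestDir: manifestDirOvn,
-client: cnofake.NewFakeClient(),
-featureGates: preDefUDNFeatureGates,
+manifestDir: manifestDirOvn,
+client: cnofake.NewFakeClient(),
+featureGates: preDefUDNFeatureGates,
 },
-expectNumObjs: 45,
+expectNumObjs: 47,
 },
 }
 for _, tt := range tests {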
