make pni immutable

aranta-rokade · aranta-rokade · commit 11c98723cb18 · 2025-11-24T12:24:12.000Z
diff --git a/crd/multitenancy/api/v1alpha1/podnetworkinstance.go b/crd/multitenancy/api/v1alpha1/podnetworkinstance.go
@@ -17,6 +17,15 @@ import (
 // +kubebuilder:metadata:labels=managed=
 // +kubebuilder:metadata:labels=owner=
 // +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
+//
+// Enforce immutability of .spec once reconcile is complete (status becomes Ready).
+// Rule semantics:
+//   - Allow CREATE.
+//   - Do not allow UPDATE require self.spec == oldSelf.spec (no spec changes).
+//
+// This compiles to a CRD-level x-kubernetes-validations transition rule using oldSelf.
+// Requires Kubernetes versions that support CEL transition rules.
+// +kubebuilder:validation:XValidation:rule="self.spec == oldSelf.spec",message="Spec is immutable."
 type PodNetworkInstance struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
diff --git a/crd/multitenancy/manifests/multitenancy.acn.azure.com_podnetworkinstances.yaml b/crd/multitenancy/manifests/multitenancy.acn.azure.com_podnetworkinstances.yaml
@@ -26,8 +26,16 @@ spec:
     name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: PodNetworkInstance is the Schema for the PodNetworkInstances
-          API
+        description: |-
+          PodNetworkInstance is the Schema for the PodNetworkInstances API
+
+          Enforce immutability of .spec once reconcile is complete (status becomes Ready).
+          Rule semantics:
+            - Allow CREATE.
+            - Do not allow UPDATE require self.spec == oldSelf.spec (no spec changes).
+
+          This compiles to a CRD-level x-kubernetes-validations transition rule using oldSelf.
+          Requires Kubernetes versions that support CEL transition rules.
         properties:
           apiVersion:
             description: |-
@@ -109,6 +117,9 @@ spec:
                 type: string
             type: object
         type: object
+        x-kubernetes-validations:
+        - message: Spec is immutable.
+          rule: self.spec == oldSelf.spec
     served: true
     storage: true
     subresources:
