feat: add CEL validation for CRO placement scope

Signed-off-by: Wantong Jiang <[email protected]>

Author: jwtty

CLAUDE.md

@@ -154,6 +154,7 @@ cmd/memberagent/        # Member agent main and setup
 - Use existing patterns from similar controllers when adding new functionality
 - Property providers should implement the `PropertyProvider` interface
 - PR titles must use prefixes: `feat:`, `fix:`, `docs:`, `test:`, `chore:`, `ci:`, `perf:`, `refactor:`, `revert:`
+- When creating new files, always add an empty line at the end
 
 ## Testing Patterns
 

apis/placement/v1alpha1/override_types.go

@@ -27,6 +27,7 @@ import (
 // +genclient:nonNamespaced
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:scope="Cluster",categories={fleet,fleet-placement}
+// +kubebuilder:validation:XValidation:rule="!has(self.spec.placement) || self.spec.placement.scope != 'Namespaced'",message="clusterResourceOverride placement reference cannot be Namespaced scope"
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // ClusterResourceOverride defines a group of override policies about how to override the selected cluster scope resources

apis/placement/v1beta1/override_types.go

@@ -26,6 +26,7 @@ import (
 // +kubebuilder:object:root=true
 // +kubebuilder:storageversion
 // +kubebuilder:resource:scope="Cluster",categories={fleet,fleet-placement}
+// +kubebuilder:validation:XValidation:rule="!has(self.spec.placement) || self.spec.placement.scope != 'Namespaced'",message="clusterResourceOverride placement reference cannot be Namespaced scope"
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // ClusterResourceOverride defines a group of override policies about how to override the selected cluster scope resources

config/crd/bases/placement.kubernetes-fleet.io_clusterresourceoverrides.yaml

@@ -727,6 +727,9 @@ spec:
         required:
         - spec
         type: object
+        x-kubernetes-validations:
+        - message: clusterResourceOverride placement reference cannot be Namespaced scope
+          rule: '!has(self.spec.placement) || self.spec.placement.scope != ''Namespaced'''
     served: true
     storage: false
   - name: v1beta1
@@ -1088,5 +1091,8 @@ spec:
         required:
         - spec
         type: object
+        x-kubernetes-validations:
+        - message: clusterResourceOverride placement reference cannot be Namespaced scope
+          rule: '!has(self.spec.placement) || self.spec.placement.scope != ''Namespaced'''
     served: true
     storage: true

config/crd/bases/placement.kubernetes-fleet.io_clusterresourceplacements.yaml

@@ -2086,8 +2086,8 @@ spec:
                   N placement statuses where N = ClusterNames.
                   In these cases, some of them may not have assigned clusters when we cannot fill the required number of clusters.
                 items:
-                  description: ResourcePlacementStatus represents the placement status
-                    of selected resources for one target cluster.
+                  description: PerClusterPlacementStatus represents the placement
+                    status of selected resources for one target cluster.
                   properties:
                     applicableClusterResourceOverrides:
                       description: |-

config/crd/bases/placement.kubernetes-fleet.io_resourceplacements.yaml

@@ -1016,8 +1016,8 @@ spec:
                   N placement statuses where N = ClusterNames.
                   In these cases, some of them may not have assigned clusters when we cannot fill the required number of clusters.
                 items:
-                  description: ResourcePlacementStatus represents the placement status
-                    of selected resources for one target cluster.
+                  description: PerClusterPlacementStatus represents the placement
+                    status of selected resources for one target cluster.
                   properties:
                     applicableClusterResourceOverrides:
                       description: |-