Add VAP for azurecluster

Author: racheljpg

openshift/infrastructure-components-openshift.yaml

@@ -11023,3 +11023,126 @@ spec:
     targetPort: webhook-server
   selector:
     cluster.x-k8s.io/provider: infrastructure-azure
+---
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingAdmissionPolicy
+    metadata:
+      name: openshift-cluster-api-protect-azurecluster
+    spec:
+      failurePolicy: Fail
+      matchConstraints:
+        resourceRules:
+        - apiGroups:
+          - infrastructure.cluster.x-k8s.io
+          apiVersions:
+          - '*'
+          operations:
+          - DELETE
+          resources:
+          - azureclusters
+      paramKind:
+        apiVersion: config.openshift.io/v1
+        kind: Infrastructure
+      validations:
+      - expression: '!(oldObject.metadata.name == params.status.infrastructureName)'
+        message: InfraCluster resources with metadata.name corresponding to the cluster
+          infrastructureName cannot be deleted.
+---
+    apiVersion: admissionregistration.k8s.io/v1beta1
+    kind: ValidatingAdmissionPolicyBinding
+    metadata:
+      name: openshift-cluster-api-protect-azurecluster
+    spec:
+      matchResources:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: openshift-cluster-api
+      paramRef:
+        name: cluster
+        parameterNotFoundAction: Deny
+      policyName: openshift-cluster-api-protect-azurecluster
+      validationActions:
+      - Deny
+---
+    apiVersion: admissionregistration.k8s.io/v1beta1
+    kind: ValidatingAdmissionPolicy
+    metadata:
+      name: openshift-cluster-api-protect-azureclusteridentities
+    spec:
+      failurePolicy: Fail
+      matchConstraints:
+        resourceRules:
+        - apiGroups:
+          - infrastructure.cluster.x-k8s.io
+          apiVersions:
+          - '*'
+          operations:
+          - DELETE
+          resources:
+          - azureclusteridentities
+      paramKind:
+        apiVersion: config.openshift.io/v1
+        kind: Infrastructure
+      validations:
+      - expression: '!(oldObject.metadata.name == params.status.infrastructureName)'
+        message: InfraCluster resources with metadata.name corresponding to the cluster
+          infrastructureName cannot be deleted.
+---
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingAdmissionPolicyBinding
+    metadata:
+      name: openshift-cluster-api-protect-azureclusteridentities
+    spec:
+      matchResources:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: openshift-cluster-api
+      paramRef:
+        name: cluster
+        parameterNotFoundAction: Deny
+      policyName: openshift-cluster-api-protect-azureclusteridentities
+      validationActions:
+      - Deny
+---
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingAdmissionPolicy
+    metadata:
+      name: openshift-cluster-api-protect-azureclustersecrets
+    spec:
+      failurePolicy: Fail
+      matchConstraints:
+        resourceRules:
+        - apiGroups:
+          - ""
+          apiVersions:
+          - '*'
+          operations:
+          - DELETE
+          resources:
+          - secret
+          resourceNames:
+          - capz-manager-bootstrap-credentials
+          - capz-manager-cluster-credential
+      paramKind:
+        apiVersion: config.openshift.io/v1
+        kind: Infrastructure
+      validations:
+      - expression: '!(oldObject.metadata.name == params.status.infrastructureName)'
+        message: InfraCluster resources with metadata.name corresponding to the cluster
+          infrastructureName cannot be deleted.
+---
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingAdmissionPolicyBinding
+    metadata:
+      name: openshift-cluster-api-protect-azureclustersecrets
+    spec:
+      matchResources:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: openshift-cluster-api
+      paramRef:
+        name: cluster
+        parameterNotFoundAction: Deny
+      policyName: openshift-cluster-api-protect-azureclustersecrets
+      validationActions:
+      - Deny

openshift/manifests/0000_30_cluster-api_04_cm.infrastructure-azure.yaml

@@ -11025,6 +11025,129 @@ data:
         targetPort: webhook-server
       selector:
         cluster.x-k8s.io/provider: infrastructure-azure
+    ---
+    apiVersion: admissionregistration.k8s.io/v1beta1
+    kind: ValidatingAdmissionPolicy
+    metadata:
+      name: openshift-cluster-api-protect-azurecluster
+    spec:
+      failurePolicy: Fail
+      matchConstraints:
+        resourceRules:
+        - apiGroups:
+          - infrastructure.cluster.x-k8s.io
+          apiVersions:
+          - '*'
+          operations:
+          - DELETE
+          resources:
+          - azureclusters
+      paramKind:
+        apiVersion: config.openshift.io/v1
+        kind: Infrastructure
+      validations:
+      - expression: '!(oldObject.metadata.name == params.status.infrastructureName)'
+        message: InfraCluster resources with metadata.name corresponding to the cluster
+          infrastructureName cannot be deleted.
+    ---
+    apiVersion: admissionregistration.k8s.io/v1beta1
+    kind: ValidatingAdmissionPolicyBinding
+    metadata:
+      name: openshift-cluster-api-protect-azurecluster
+    spec:
+      matchResources:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: openshift-cluster-api
+      paramRef:
+        name: cluster
+        parameterNotFoundAction: Deny
+      policyName: openshift-cluster-api-protect-azurecluster
+      validationActions:
+      - Deny
+    ---
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingAdmissionPolicy
+    metadata:
+      name: openshift-cluster-api-protect-azureclusteridentities
+    spec:
+      failurePolicy: Fail
+      matchConstraints:
+        resourceRules:
+        - apiGroups:
+          - infrastructure.cluster.x-k8s.io
+          apiVersions:
+          - '*'
+          operations:
+          - DELETE
+          resources:
+          - azureclusteridentities
+      paramKind:
+        apiVersion: config.openshift.io/v1
+        kind: Infrastructure
+      validations:
+      - expression: '!(oldObject.metadata.name == params.status.infrastructureName)'
+        message: InfraCluster resources with metadata.name corresponding to the cluster
+          infrastructureName cannot be deleted.
+    ---
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingAdmissionPolicyBinding
+    metadata:
+      name: openshift-cluster-api-protect-azureclusteridentities
+    spec:
+      matchResources:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: openshift-cluster-api
+      paramRef:
+        name: cluster
+        parameterNotFoundAction: Deny
+      policyName: openshift-cluster-api-protect-azureclusteridentities
+      validationActions:
+      - Deny
+    ---
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingAdmissionPolicy
+    metadata:
+      name: openshift-cluster-api-protect-azureclustersecrets
+    spec:
+      failurePolicy: Fail
+      matchConstraints:
+        resourceRules:
+        - apiGroups:
+          - ""
+          apiVersions:
+          - '*'
+          operations:
+          - DELETE
+          resources:
+          - secret
+          resourceNames:
+          - capz-manager-bootstrap-credentials
+          - capz-manager-cluster-credential
+      paramKind:
+        apiVersion: config.openshift.io/v1
+        kind: Infrastructure
+      validations:
+      - expression: '!(oldObject.metadata.name == params.status.infrastructureName)'
+        message: InfraCluster resources with metadata.name corresponding to the cluster
+          infrastructureName cannot be deleted.
+      ---
+      apiVersion: admissionregistration.k8s.io/v1
+      kind: ValidatingAdmissionPolicyBinding
+      metadata:
+        name: openshift-cluster-api-protect-azureclustersecrets
+      spec:
+        matchResources:
+          namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-cluster-api
+        paramRef:
+          name: cluster
+          parameterNotFoundAction: Deny
+        policyName: openshift-cluster-api-protect-azureclustersecrets
+        validationActions:
+        - Deny
 kind: ConfigMap
 metadata:
   annotations: