diff --git a/openshift/infrastructure-components-openshift.yaml b/openshift/infrastructure-components-openshift.yaml
index 7d296c87998..e21a7f46722 100644
--- a/openshift/infrastructure-components-openshift.yaml
+++ b/openshift/infrastructure-components-openshift.yaml
@@ -11023,3 +11023,126 @@ spec:
 targetPort: webhook-server
 selector:
 cluster.x-k8s.io/provider: infrastructure-azure
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: openshift-cluster-api-protect-azurecluster
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups:
+ - infrastructure.cluster.x-k8s.io
+ apiVersions:
+ - '*'
+ operations:
+ - DELETE
+ resources:
+ - azureclusters
+ paramKind:
+ apiVersion: config.openshift.io/v1
+ kind: Infrastructure
+ validations:
+ - expression: '!(oldObject.metadata.name == params.status.infrastructureName)'
+ message: InfraCluster resources with metadata.name corresponding to the cluster
+ infrastructureName cannot be deleted.
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: openshift-cluster-api-protect-azurecluster
+spec:
+ matchResources:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: openshift-cluster-api
+ paramRef:
+ name: cluster
+ parameterNotFoundAction: Deny
+ policyName: openshift-cluster-api-protect-azurecluster
+ validationActions:
+ - Deny
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: openshift-cluster-api-protect-azureclusteridentities
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups:
+ - infrastructure.cluster.x-k8s.io
+ apiVersions:
+ - '*'
+ operations:
+ - DELETE
+ resources:
+ - azureclusteridentities
+ paramKind:
+ apiVersion: config.openshift.io/v1
+ kind: Infrastructure
+ validations:
+ - expression: '!(oldObject.metadata.name == params.status.infrastructureName)'
+ message: InfraCluster resources with metadata.name corresponding to the cluster
+ infrastructureName cannot be deleted.
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: openshift-cluster-api-protect-azureclusteridentities
+spec:
+ matchResources:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: openshift-cluster-api
+ paramRef:
+ name: cluster
+ parameterNotFoundAction: Deny
+ policyName: openshift-cluster-api-protect-azureclusteridentities
+ validationActions:
+ - Deny
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: openshift-cluster-api-protect-azureclustersecrets
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - '*'
+ operations:
+ - DELETE
+ resources:
+ - secret
+ resourceNames:
+ - capz-manager-bootstrap-credentials
+ - capz-manager-cluster-credential
+ paramKind:
+ apiVersion: config.openshift.io/v1
+ kind: Infrastructure
+ validations:
+ - expression: '!(oldObject.metadata.name == params.status.infrastructureName)'
+ message: InfraCluster resources with metadata.name corresponding to the cluster
+ infrastructureName cannot be deleted.
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: openshift-cluster-api-protect-azureclustersecrets
+spec:
+ matchResources:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: openshift-cluster-api
+ paramRef:
+ name: cluster
+ parameterNotFoundAction: Deny
+ policyName: openshift-cluster-api-protect-azureclustersecrets
+ validationActions:
+ - Deny
diff --git a/openshift/manifests/0000_30_cluster-api_04_cm.infrastructure-azure.yaml b/openshift/manifests/0000_30_cluster-api_04_cm.infrastructure-azure.yaml
index e682cfb4fc1..8dd1a743adb 100644
--- a/openshift/manifests/0000_30_cluster-api_04_cm.infrastructure-azure.yaml
+++ b/openshift/manifests/0000_30_cluster-api_04_cm.infrastructure-azure.yaml
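Review bot: The `openshift-cluster-api-protect-azureclustersecrets` policy in this hunk can never deny a deletion: its rule is restricted by `resourceNames` to `capz-manager-bootstrap-credentials` and `capz-manager-cluster-credential`, so `oldObject.metadata.name` is always one of those two fixed strings and the copied expression `!(oldObject.metadata.name == params.status.infrastructureName)` evaluates to true for every request that reaches it. If the intent is to block deletion of these credential secrets outright, the validation should be unconditional, e.g. `- expression: 'false'` with `message: capz-manager credential secrets cannot be deleted.` (the InfraCluster-specific message is misleading for secrets), after which `paramKind` and the binding's `paramRef` could be dropped for that policy. The same expression and message are carried into the generated ConfigMap in the second hunk (`openshift/manifests/0000_30_cluster-api_04_cm.infrastructure-azure.yaml`), so that copy needs the same fix. Separately, this file lists the resource as `secret` while the generated ConfigMap lists `secrets`; admission rules are keyed on the plural resource name, so the singular form would match nothing and the two files should both say `secrets`.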
@@ -11025,6 +11025,129 @@ data:
 targetPort: webhook-server
 selector:
 cluster.x-k8s.io/provider: infrastructure-azure
+ ---
+ apiVersion: admissionregistration.k8s.io/v1
+ kind: ValidatingAdmissionPolicy
+ metadata:
+ name: openshift-cluster-api-protect-azurecluster
+ spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups:
+ - infrastructure.cluster.x-k8s.io
+ apiVersions:
+ - '*'
+ operations:
+ - DELETE
+ resources:
+ - azureclusters
+ paramKind:
+ apiVersion: config.openshift.io/v1
+ kind: Infrastructure
+ validations:
+ - expression: '!(oldObject.metadata.name == params.status.infrastructureName)'
+ message: InfraCluster resources with metadata.name corresponding to the cluster
+ infrastructureName cannot be deleted.
+ ---
+ apiVersion: admissionregistration.k8s.io/v1
+ kind: ValidatingAdmissionPolicyBinding
+ metadata:
+ name: openshift-cluster-api-protect-azurecluster
+ spec:
+ matchResources:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: openshift-cluster-api
+ paramRef:
+ name: cluster
+ parameterNotFoundAction: Deny
+ policyName: openshift-cluster-api-protect-azurecluster
+ validationActions:
+ - Deny
+ ---
+ apiVersion: admissionregistration.k8s.io/v1
+ kind: ValidatingAdmissionPolicy
+ metadata:
+ name: openshift-cluster-api-protect-azureclusteridentities
+ spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups:
+ - infrastructure.cluster.x-k8s.io
+ apiVersions:
+ - '*'
+ operations:
+ - DELETE
+ resources:
+ - azureclusteridentities
+ paramKind:
+ apiVersion: config.openshift.io/v1
+ kind: Infrastructure
+ validations:
+ - expression: '!(oldObject.metadata.name == params.status.infrastructureName)'
+ message: InfraCluster resources with metadata.name corresponding to the cluster
+ infrastructureName cannot be deleted.
+ ---
+ apiVersion: admissionregistration.k8s.io/v1
+ kind: ValidatingAdmissionPolicyBinding
+ metadata:
+ name: openshift-cluster-api-protect-azureclusteridentities
+ spec:
+ matchResources:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: openshift-cluster-api
+ paramRef:
+ name: cluster
+ parameterNotFoundAction: Deny
+ policyName: openshift-cluster-api-protect-azureclusteridentities
+ validationActions:
+ - Deny
+ ---
+ apiVersion: admissionregistration.k8s.io/v1
+ kind: ValidatingAdmissionPolicy
+ metadata:
+ name: openshift-cluster-api-protect-azureclustersecrets
+ spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - '*'
+ operations:
+ - DELETE
+ resources:
+ - secrets
+ resourceNames:
+ - capz-manager-bootstrap-credentials
+ - capz-manager-cluster-credential
+ paramKind:
+ apiVersion: config.openshift.io/v1
+ kind: Infrastructure
+ validations:
+ - expression: '!(oldObject.metadata.name == params.status.infrastructureName)'
+ message: InfraCluster resources with metadata.name corresponding to the cluster
+ infrastructureName cannot be deleted.
+ ---
+ apiVersion: admissionregistration.k8s.io/v1
+ kind: ValidatingAdmissionPolicyBinding
+ metadata:
+ name: openshift-cluster-api-protect-azureclustersecrets
+ spec:
+ matchResources:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: openshift-cluster-api
+ paramRef:
+ name: cluster
+ parameterNotFoundAction: Deny
+ policyName: openshift-cluster-api-protect-azureclustersecrets
+ validationActions:
+ - Deny
 kind: ConfigMap
 metadata:
 annotations: