Add ValidatingAdmissionPolicy for EgressIP

arghosh93 · arghosh93 · commit 8c93e4ec7294 · 2025-11-14T20:30:36.000+05:30
This commit is to add couple of ValidatingAdmissionPolicy to
take care of following conditions:
- k8s.ovn.org/egressip-mark annotation should not be added while
  creating an EgressIP.
- A regular user should not be able to add k8s.ovn.org/egressip-mark
  annotation. Only a system user is allowed to do so.

Signed-off-by: Arnab Ghosh &lt;arnabghosh89@gmail.com&gt;
diff --git a/bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml b/bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml
@@ -0,0 +1,56 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: egressip-update-validation
+spec:
+  failurePolicy: Fail
+  matchConditions:
+  - expression: 'request.operation == "UPDATE" && ("k8s.ovn.org/egressip-mark" in object.metadata.annotations)
+      && (!has(oldObject.metadata.annotations) || !("k8s.ovn.org/egressip-mark" in oldObject.metadata.annotations))'
+    name: egressip-mark-annotation-update
+  matchConstraints:
+    resourceRules:
+    - apiGroups: ["k8s.ovn.org"]
+      apiVersions: ["v1"]
+      operations: ["UPDATE"]
+      resources: ["egressips"]
+  validations:
+  - expression: '!(request.userInfo.username == "system:serviceaccount:ovn-kubernetes:ovnkube-cluster-manager")'
+    message: 'A regular user must not add "k8s.ovn.org/egressip-mark" annotation to an EgressIP custom resource.'
+    reason: Invalid
+
+---    
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: egressip-create-validation
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups: ["k8s.ovn.org"]
+      apiVersions: ["v1"]
+      operations: ["CREATE"]
+      resources: ["egressips"]
+  validations:
+  - expression: '!has(object.metadata.annotations) || !("k8s.ovn.org/egressip-mark" in object.metadata.annotations)'
+    message: 'EgressIP resources cannot be created with the "k8s.ovn.org/egressip-mark" annotation. This annotation is managed by the system.'
+    reason: Invalid
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: egressip-update-validation-binding
+spec:
+  policyName: egressip-update-validation
+  validationActions: [Deny]
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: egressip-create-validation-binding
+spec:
+  policyName: egressip-create-validation
+  validationActions: [Deny]
