admission: protect apibindings created by initializer against updates…
… or deletion

Signed-off-by: Nabarun Pal <[email protected]>
palnabarun committed Mar 15, 2024
1 parent 0901e2d commit 5b70b3d
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions pkg/admission/apibinding/apibinding_admission.go
@@ -39,6 +39,7 @@ import (
kcpinitializers "github.com/kcp-dev/kcp/pkg/admission/initializers"
"github.com/kcp-dev/kcp/pkg/authorization/delegated"
"github.com/kcp-dev/kcp/pkg/indexers"
"github.com/kcp-dev/kcp/pkg/reconciler/tenancy/initialization"
apisv1alpha1 "github.com/kcp-dev/kcp/sdk/apis/apis/v1alpha1"
"github.com/kcp-dev/kcp/sdk/apis/apis/v1alpha1/permissionclaims"
"github.com/kcp-dev/kcp/sdk/apis/core"
@@ -159,6 +160,12 @@ func (o *apiBindingAdmission) Admit(ctx context.Context, a admission.Attributes,
exportClusterName,
apiBinding.Spec.Reference.Export.Name,
)
case a.GetOperation() == admission.Update || a.GetOperation() == admission.Delete:
if val, ok := apiBinding.Annotations[initialization.KcpAPIBindingCreationReasonAnnotationKey]; ok {
if val == initialization.KcpAPIBindingCreationReasonDefaultAPIBindings {
return admission.NewForbidden(a, fmt.Errorf("unable to %s APIBinding: protected due to creation from workspace types", a.GetOperation()))
}
}
}

// write back
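Review bot: The new `case` for Update/Delete reads the protecting annotation from `apiBinding`, and if that value is decoded from the incoming object (`a.GetObject()`, which happens above this hunk and is not visible here), an update that omits or changes the annotation would not be caught by the guard. For Update and Delete the stored state should decide, so the annotation lookup for `initialization.KcpAPIBindingCreationReasonAnnotationKey` should be made on the object returned by `a.GetOldObject()`; on Delete the incoming object is normally empty, so the branch may never match as written. The check also ignores `a.GetSubresource()` and the requesting user, so status or finalizer writes by kcp's own controllers on these bindings would presumably be rejected too; please confirm that is intended. Whether Delete reaches `Admit` at all depends on the operations the handler is registered for, which is outside the hunk, and a test covering update-with-annotation-removed and delete would pin the behaviour.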