From 5b70b3df1add028017e400187893e85d66c21e1c Mon Sep 17 00:00:00 2001
From: Nabarun Pal
Date: Fri, 15 Mar 2024 10:40:04 +0530
Subject: [PATCH] admission: protect apibindings created by initializer against updates or deletion

Signed-off-by: Nabarun Pal
---
 pkg/admission/apibinding/apibinding_admission.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pkg/admission/apibinding/apibinding_admission.go b/pkg/admission/apibinding/apibinding_admission.go
index 304b7b69df3..c41c19280a7 100644
--- a/pkg/admission/apibinding/apibinding_admission.go
+++ b/pkg/admission/apibinding/apibinding_admission.go
@@ -39,6 +39,7 @@ import (
 kcpinitializers "github.com/kcp-dev/kcp/pkg/admission/initializers"
 "github.com/kcp-dev/kcp/pkg/authorization/delegated"
 "github.com/kcp-dev/kcp/pkg/indexers"
+ "github.com/kcp-dev/kcp/pkg/reconciler/tenancy/initialization"
 apisv1alpha1 "github.com/kcp-dev/kcp/sdk/apis/apis/v1alpha1"
 "github.com/kcp-dev/kcp/sdk/apis/apis/v1alpha1/permissionclaims"
 "github.com/kcp-dev/kcp/sdk/apis/core"
@@ -159,6 +160,12 @@ func (o *apiBindingAdmission) Admit(ctx context.Context, a admission.Attributes,
 exportClusterName,
 apiBinding.Spec.Reference.Export.Name,
 )
+ case a.GetOperation() == admission.Update || a.GetOperation() == admission.Delete:
+ if val, ok := apiBinding.Annotations[initialization.KcpAPIBindingCreationReasonAnnotationKey]; ok {
+ if val == initialization.KcpAPIBindingCreationReasonDefaultAPIBindings {
+ return admission.NewForbidden(a, fmt.Errorf("unable to %s APIBinding: protected due to creation from workspace types", a.GetOperation()))
+ }
+ }
 }

 // write back
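Review bot: The new `Update`/`Delete` case reads the marker annotation from `apiBinding`, and if that value is decoded from `a.GetObject()` (the decoding sits above the hunk, so this is inferred) the guard inspects the client-supplied side of the request rather than the stored object. An update that simply omits `initialization.KcpAPIBindingCreationReasonAnnotationKey` would then pass the check and leave the binding unprotected afterwards, and on a delete the incoming object is normally nil, so the stored annotations may never be consulted. The decision should be taken from the persisted object, i.e. read the annotation from `a.GetOldObject()`, and an update that changes or removes the annotation should be rejected as well. It is also worth confirming that status and finalizer writes by kcp's own controllers are not caught here, since the case has no `a.GetSubresource()` or requesting-user condition. `Admit` starts and ends outside the hunk.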