enforce immutability in pn and pni

Signed-off-by: GitHub <noreply@github.com>
Azure · Aug 7, 2024 · 3ce4730 · 3ce4730
1 parent a264574
commit 3ce4730
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 2 deletions.
diff --git a/crd/multitenancy/api/v1beta1/podnetwork.go b/crd/multitenancy/api/v1beta1/podnetwork.go
@@ -25,6 +25,7 @@ type PodNetwork struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Spec is immutable"
 	Spec   PodNetworkSpec   `json:"spec,omitempty"`
 	Status PodNetworkStatus `json:"status,omitempty"`
 }

diff --git a/crd/multitenancy/api/v1beta1/podnetworkinstance.go b/crd/multitenancy/api/v1beta1/podnetworkinstance.go
@@ -37,9 +37,10 @@ type PodNetworkInstanceList struct {
 }
 
 // PodNetworkConfig describes a template for how to attach a PodNetwork to a Pod
-// +kubebuilder:validation:XValidation:rule="self.policyBasedRouting || self.routes.size() > 0",message="Routes list shouldn't be empty if policybasedRouting is disabled."
+// +kubebuilder:validation:XValidation:rule="self.policyBasedRouting || self.routes.size() > 0",message="routes list shouldn't be empty if policybasedRouting is disabled."
 type PodNetworkConfig struct {
 	// PodNetwork is the name of a PodNetwork resource
+	// +kubebuilder:validation:MaxLength=100
 	PodNetwork string `json:"podNetwork"`
 	// PodIPReservationSize is the number of IP address to statically reserve
 	// +kubebuilder:default=0
@@ -68,6 +69,9 @@ type PodNetworkInstanceSpec struct {
 	// ClusterNetworkConfig describes how to attach the infra network to a Pod
 	ClusterNetworkConfig ClusterNetworkConfig `json:"clusterNetworkConfig"`
 	// PodNetworkConfigs describes each PodNetwork to attach to a single Pod
+	// +kubebuilder:validation:MaxItems=10
+	// +kubebuilder:validation:XValidation:rule="self.size() == oldSelf.size()",message="Count of PodNetworkConfigs is immutable"
+	// +kubebuilder:validation:XValidation:rule="self.all(podNetworkConfig, oldSelf.exists(oldPodNetworkConfig, oldPodNetworkConfig.podNetwork == podNetworkConfig.podNetwork && oldPodNetworkConfig.podIPReservationSize == podNetworkConfig.podIPReservationSize))",message="podNetwork and podIPReservationSize in podNetworkConfig are immutable"
 	PodNetworkConfigs []PodNetworkConfig `json:"podNetworkConfigs"`
 }
 

diff --git a/crd/multitenancy/manifests/multitenancy.acn.azure.com_podnetworkinstances.yaml b/crd/multitenancy/manifests/multitenancy.acn.azure.com_podnetworkinstances.yaml
@@ -166,6 +166,7 @@ spec:
                       type: integer
                     podNetwork:
                       description: PodNetwork is the name of a PodNetwork resource
+                      maxLength: 100
                       type: string
                     policyBasedRouting:
                       default: true
@@ -182,10 +183,19 @@ spec:
                   - podNetwork
                   type: object
                   x-kubernetes-validations:
-                  - message: Routes list shouldn't be empty if policybasedRouting
+                  - message: routes list shouldn't be empty if policybasedRouting
                       is disabled.
                     rule: self.policyBasedRouting || self.routes.size() > 0
+                maxItems: 10
                 type: array
+                x-kubernetes-validations:
+                - message: Count of PodNetworkConfigs is immutable
+                  rule: self.size() == oldSelf.size()
+                - message: podNetwork and podIPReservationSize in podNetworkConfig
+                    are immutable
+                  rule: self.all(podNetworkConfig, oldSelf.exists(oldPodNetworkConfig,
+                    oldPodNetworkConfig.podNetwork == podNetworkConfig.podNetwork
+                    && oldPodNetworkConfig.podIPReservationSize == podNetworkConfig.podIPReservationSize))
             required:
             - clusterNetworkConfig
             - podNetworkConfigs

diff --git a/crd/multitenancy/manifests/multitenancy.acn.azure.com_podnetworks.yaml b/crd/multitenancy/manifests/multitenancy.acn.azure.com_podnetworks.yaml
@@ -162,6 +162,9 @@ spec:
                 description: customer subnet id
                 type: string
             type: object
+            x-kubernetes-validations:
+            - message: Spec is immutable
+              rule: self == oldSelf
           status:
             description: PodNetworkStatus defines the observed state of PodNetwork
             properties: