
Validation admission policy#328

Open
GunaKKIBM wants to merge 2 commits into etcd-io:main from GunaKKIBM:Validation-admission-policy


Conversation

@GunaKKIBM

Contributor

@k8s-ci-robot


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: GunaKKIBM
Once this PR has been reviewed and has the lgtm label, please assign ahrtr for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot


Hi @GunaKKIBM. Thanks for your PR.

I'm waiting for an etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

GunaKKIBM force-pushed the Validation-admission-policy branch 3 times, most recently from 7fde28a to 6dc6b74 on April 22, 2026 02:35
GunaKKIBM marked this pull request as ready for review on April 22, 2026 02:36
ahrtr requested review from ArkaSaha30, Copilot, hakman and ivanvc on May 5, 2026 09:44

Copilot AI left a comment


Pull request overview

This PR introduces a Kubernetes ValidatingAdmissionPolicy (VAP) and ValidatingAdmissionPolicyBinding to prevent end-users from updating or deleting operator-managed secondary resources (StatefulSets/Services/ConfigMaps) that are owned by an EtcdCluster, addressing issue #326.

Changes:

  • Add a ValidatingAdmissionPolicy that matches UPDATE/DELETE on StatefulSets/Services/ConfigMaps and restricts those operations to the etcd-operator controller manager identity.
  • Add a ValidatingAdmissionPolicyBinding to bind/enforce the policy (Deny).
  • Wire the policy into the config/default kustomize overlay via vars + a patch so the allowed service account username is derived from the deployed namespace/name.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| config/rbac/validating_admission_policy.yaml | Adds the core ValidatingAdmissionPolicy targeting operator-owned secondary resources. |
| config/rbac/validating_admission_policy_binding.yaml | Adds the binding intended to enforce the policy with Deny. |
| config/rbac/kustomization.yaml | Includes the new VAP/VAPBinding resources in the RBAC kustomization. |
| config/default/validating_admission_policy_patch.yaml | Patches the policy so the allowed username matches the installed service account identity. |
| config/default/kustomizeconfig.yaml | Adds kustomize varReference configuration for substitutions inside the policy expression. |
| config/default/kustomization.yaml | Adds vars/configurations/patch wiring to apply the policy patch in the default overlay. |
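The policy and binding the overview describes, written out as an added example rather than taken from the PR's files: instead of the kustomize vars substitution it hard-codes the operator identity, scopes the policy to objects owned by an EtcdCluster with a match condition, and also admits the garbage collector so that deleting an EtcdCluster still removes its dependents. The namespace `etcd-operator-system`, the service account `etcd-operator-controller-manager` and the garbage-collector identity are assumptions.

```yaml
# Added example (not the PR's files). Assumed names: namespace
# etcd-operator-system, service account etcd-operator-controller-manager.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: secondary-resource-protection
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["apps"]
        apiVersions: ["v1"]
        operations: ["UPDATE", "DELETE"]
        resources: ["statefulsets"]
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["UPDATE", "DELETE"]
        resources: ["services", "configmaps"]
  matchConditions:
    # oldObject is populated for both UPDATE and DELETE (object is null on
    # DELETE), so the owner check reads it; objects with no EtcdCluster
    # owner are out of scope and never reach the validation below.
    - name: owned-by-etcdcluster
      expression: >-
        has(oldObject.metadata.ownerReferences) &&
        oldObject.metadata.ownerReferences.exists(o, o.kind == 'EtcdCluster')
  validations:
    # Only the operator and the garbage collector may change or remove these
    # objects. The GC identity assumes kube-controller-manager runs with
    # --use-service-account-credentials; otherwise the caller is
    # system:kube-controller-manager.
    - expression: |
        request.userInfo.username in [
          'system:serviceaccount:etcd-operator-system:etcd-operator-controller-manager',
          'system:serviceaccount:kube-system:generic-garbage-collector'
        ]
      message: "managed by an EtcdCluster: only the etcd-operator may update or delete it"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: secondary-resource-protection-binding
spec:
  policyName: secondary-resource-protection  # must equal the policy's metadata.name
  validationActions: ["Deny"]
```

After applying, `kubectl delete statefulset <owned-statefulset> --dry-run=server` run as an ordinary user should be denied with the message above (server-side dry runs still pass through admission), while the operator's own reconciliation continues.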


metadata:
name: secondary-resource-protection-binding
spec:
policyName: etcd-operator-resource-protection
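Review bot: `policyName: etcd-operator-resource-protection` in the binding does not match the policy this PR creates and patches, which is named `secondary-resource-protection` (see the `target: name:` of the patch in config/default/kustomization.yaml). A ValidatingAdmissionPolicyBinding that points at a policy that does not exist enforces nothing, so the protection would be silently absent; use the same name in both files, and consider deriving both from one place so they cannot drift apart again.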
Comment thread config/default/kustomization.yaml Outdated
Comment on lines +36 to +67
- path: validating_admission_policy_patch.yaml
target:
kind: ValidatingAdmissionPolicy
name: secondary-resource-protection
spec:
validations:
- expression: |
request.userInfo.username == "system:serviceaccount:$(NAMESPACE):$(SERVICE_ACCOUNT_NAME)"
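Review bot: this patch replaces the whole `spec.validations` list of the policy (the list has no merge key), so any validation other than this username check that lives in config/rbac/validating_admission_policy.yaml is dropped when the default overlay is built; if the base file deliberately holds only this one expression, a comment saying so would keep a later addition from vanishing unnoticed. Two related points: kustomize `vars` are deprecated in favour of `replacements`, which can rewrite a delimited part of the expression without the `kustomizeconfig.yaml` varReference wiring; and since the policy also denies DELETE, check whether the garbage collector, which removes the owned StatefulSets/Services/ConfigMaps when an EtcdCluster is deleted under an identity other than the operator's, needs to be allowed as well.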
GunaKKIBM force-pushed the Validation-admission-policy branch from 6dc6b74 to 689c3b2 on May 8, 2026 03:22
Signed-off-by: Guna K Kambalimath <Guna.Kambalimath@ibm.com>
GunaKKIBM force-pushed the Validation-admission-policy branch from 689c3b2 to dcf49a5 on May 8, 2026 14:33
@ahrtr

ahrtr commented Jun 9, 2026

Member

/ok-to-test

@ahrtr

ahrtr commented Jun 9, 2026

Member

@GunaKKIBM pls discuss with @hakman offline, thx

@hakman

hakman commented Jun 9, 2026

Member

I am reviewing this in the next few days, sorry for the delay.


5 participants