Disallow authoritativeAPI swap when CAPI Machine is deleting or its Infra is not ready

theobarberbany · theobarberbany · commit 2d0b6f4f3bc9 · 2025-11-18T17:33:27.000Z
diff --git a/manifests/0000_30_cluster-api_09_admission-policies.yaml b/manifests/0000_30_cluster-api_09_admission-policies.yaml
@@ -108,7 +108,7 @@ data:
                 ? p[1].hasValue() && p[0].value() == p[1].value()
                 : !p[1].hasValue()
             )
-    
+
       # All validations must evaluate to TRUE
       validations:
         # Only spec.authoritativeAPI may change
@@ -479,6 +479,83 @@ data:
       policyName: openshift-provide-warning-when-not-synchronized
       validationActions:
           - Warn
+    ---
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingAdmissionPolicyBinding
+    metadata:
+      name: mapi-authapi-transition-requires-capi-ready
+    spec:
+      matchResources:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: openshift-machine-api
+      paramRef:
+        namespace: openshift-cluster-api
+        # We 'Allow' here as we don't want to block MAPI Machine
+        # functionality when no CAPI machine (param) exists.
+        # This might happen when the synchronisation controller first
+        # is installed or when an unmigrateable machine is encountered.
+        parameterNotFoundAction: Allow
+        selector: {}
+      policyName: mapi-authapi-transition-requires-capi-ready
+      validationActions: [Deny]
+    ---
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingAdmissionPolicy
+    metadata:
+      name: mapi-authapi-transition-requires-capi-ready
+    spec:
+      failurePolicy: Fail
+
+      paramKind:
+        apiVersion: cluster.x-k8s.io/v1beta1
+        kind: Machine
+
+      matchConstraints:
+        resourceRules:
+        - apiGroups:   ["machine.openshift.io"]
+          apiVersions: ["v1beta1"]
+          operations:  ["UPDATE"]
+          resources:   ["machines"]
+
+      # Requests must satisfy every matchCondition to reach the validations
+      matchConditions:
+        - name: check-only-non-service-account-requests
+          expression: >-
+            !(request.userInfo.username in [
+                "system:serviceaccount:openshift-machine-api:machine-api-controllers",
+                "system:serviceaccount:openshift-cluster-api:cluster-capi-operator"
+            ])
+        - name: check-param-match
+          expression: 'object.metadata.name == params.metadata.name'
+
+      variables:
+        - name: authAPIChanged
+          expression: oldObject.spec.authoritativeAPI != object.spec.authoritativeAPI
+
+        - name: capiInfraReady
+          expression: params.status?.infrastructureReady == true
+
+        - name: capiDeleting
+          expression: has(params.metadata.deletionTimestamp)
+
+      # All validations must evaluate to TRUE
+      validations:
+        # Don't allow changing the AuthoritativeAPI if the CAPI Machine mirror infrastructureReady is not true
+        - name: block-when-not-infraReady
+          expression: >
+            !(variables.authAPIChanged && !variables.capiInfraReady)
+          message: |
+            spec.authoritativeAPI may only be updated when the Cluster API Machine’s
+            status.infrastructureReady is true.
+
+        # Don't allow changing the AuthoritativeAPI if the CAPI Machine mirror is deleting
+        - name: block-when-capi-deleting
+          expression: >
+            !(variables.authAPIChanged && variables.capiDeleting)
+          message: |
+            spec.authoritativeAPI cannot be modified while the corresponding
+            CAPI Machine is being deleted (metadata.deletionTimestamp is set).
 ---
 apiVersion: v1
 kind: ConfigMap
