Add a ValidatingAdmissionPolicy blocking ServiceCIDR changes

OCP does not yet support changing the service CIDRs at runtime.
openshift · Dec 13, 2024 · b62995a · b62995a
1 parent de93ea6
commit b62995a
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/bindata/cluster-network-operator/servicecidr-vap.yaml b/bindata/cluster-network-operator/servicecidr-vap.yaml
@@ -0,0 +1,14 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "servicecidrs.openshift.io"
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["networking"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["servicecidr"]
+  validations:
+    - expression: "object.name != 'kubernetes'"