Add a ValidatingAdmissionPolicy blocking ServiceCIDR changes

OCP does not yet support changing the service CIDRs at runtime.

Author: danwinship

bindata/cluster-network-operator/servicecidr-vap.yaml

@@ -0,0 +1,23 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "servicecidrs.openshift.io"
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["networking.k8s.io"]
+      apiVersions: ["v1", "v1beta1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["servicecidrs"]
+  validations:
+    - expression: "object.metadata.name == 'kubernetes'"
+      messageExpression: "changing service CIDRs in a running cluster is not supported"
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "servicecidrs-binding"
+spec:
+  policyName: "servicecidrs.openshift.io"
+  validationActions: [Deny]