From a984a49fc73d95b97e5c4c184ec27dc0976efc9e Mon Sep 17 00:00:00 2001
From: Dan Winship
Date: Fri, 13 Dec 2024 15:00:17 -0500
Subject: [PATCH] Add a ValidatingAdmissionPolicy blocking ServiceCIDR changes

OCP does not yet support changing the service CIDRs at runtime.
---
 .../servicecidr-vap.yaml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 bindata/cluster-network-operator/servicecidr-vap.yaml

diff --git a/bindata/cluster-network-operator/servicecidr-vap.yaml b/bindata/cluster-network-operator/servicecidr-vap.yaml
new file mode 100644
index 0000000000..debe9d3321
--- /dev/null
+++ b/bindata/cluster-network-operator/servicecidr-vap.yaml
@@ -0,0 +1,25 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: "servicecidrs.openshift.io"
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups: ["networking.k8s.io"]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["servicecidrs"]
+ validations:
+ # Allow apiserver to change the 'kubernetes' ServiceCIDR (when doing single/dual-stack
+ # migration). Reject all other changes with the given message.
+ - expression: "request.userInfo.username == 'system:apiserver' && 'system:masters' in request.userInfo.groups"
+ message: "changing service CIDRs in a running cluster is not supported"
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: "servicecidrs-binding"
+spec:
+ policyName: "servicecidrs.openshift.io"
+ validationActions: [Deny]
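Review bot: The comment above the validation says the exemption is for the apiserver changing the 'kubernetes' ServiceCIDR, but the expression never checks the object name, so any CREATE or UPDATE of any ServiceCIDR by `system:apiserver` in `system:masters` is admitted; either tighten it to `- expression: "request.userInfo.username == 'system:apiserver' && 'system:masters' in request.userInfo.groups && object.metadata.name == 'kubernetes'"` or reword the comment to describe what is actually enforced. The resourceRules also list only CREATE and UPDATE, so a DELETE of a ServiceCIDR is not covered by this policy at all; if removing a CIDR from a running cluster is equally unsupported, DELETE should be in `operations` too (presumably with the same apiserver exemption so its own reconciliation of the default object keeps working — worth confirming). With `validationActions: [Deny]` alone, rejected attempts leave no audit-log annotation; `validationActions: [Deny, Audit]` would record them for detection without changing enforcement.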