Add ValidatingAdmissionPolicy for EgressIP

This commit is to add couple of ValidatingAdmissionPolicy to
take care of following conditions:
- k8s.ovn.org/egressip-mark annotation should not be added while
  creating an EgressIP.
- A regular user should not be able to add k8s.ovn.org/egressip-mark
  annotation. Only a system user is allowed to do so.

Signed-off-by: Arnab Ghosh <arnabghosh89@gmail.com>

Author: arghosh93

bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml

@@ -0,0 +1,56 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: egressip-update-validation
+spec:
+  failurePolicy: Fail
+  matchConditions:
+  - expression: '("k8s.ovn.org/egressip-mark" in object.metadata.annotations) && (!has(oldObject.metadata.annotations) ||
+       !("k8s.ovn.org/egressip-mark" in oldObject.metadata.annotations))'
+    name: egressip-mark-annotation-update
+  matchConstraints:
+    resourceRules:
+    - apiGroups: ["k8s.ovn.org"]
+      apiVersions: ["v1"]
+      operations: ["UPDATE"]
+      resources: ["egressips"]
+  validations:
+  - expression: '(request.userInfo.username == "system:serviceaccount:openshift-ovn-kubernetes:ovn-kubernetes-control-plane")'
+    message: 'A regular user must not add "k8s.ovn.org/egressip-mark" annotation to an EgressIP custom resource.'
+    reason: Invalid
+
+---    
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: egressip-create-validation
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups: ["k8s.ovn.org"]
+      apiVersions: ["v1"]
+      operations: ["CREATE"]
+      resources: ["egressips"]
+  validations:
+  - expression: '!has(object.metadata.annotations) || !("k8s.ovn.org/egressip-mark" in object.metadata.annotations)'
+    message: 'EgressIP resources cannot be created with the "k8s.ovn.org/egressip-mark" annotation. This annotation is managed by the system.'
+    reason: Invalid
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: egressip-update-validation-binding
+spec:
+  policyName: egressip-update-validation
+  validationActions: [Deny]
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: egressip-create-validation-binding
+spec:
+  policyName: egressip-create-validation
+  validationActions: [Deny]

pkg/network/ovn_kubernetes_test.go

@@ -4153,7 +4153,7 @@ func Test_renderOVNKubernetes(t *testing.T) {
 				client:          cnofake.NewFakeClient(),
 				featureGates:    noFeatureGates,
 			},
-			expectNumObjs: 38,
+			expectNumObjs: 42,
 		},
 		{
 			name: "render routeadvertisements",
@@ -4168,7 +4168,7 @@ func Test_renderOVNKubernetes(t *testing.T) {
 				client:          cnofake.NewFakeClient(),
 				featureGates:    noFeatureGates,
 			},
-			expectNumObjs: 39,
+			expectNumObjs: 43,
 		},
 		{
 			name: "render with UDN",
@@ -4179,7 +4179,7 @@ func Test_renderOVNKubernetes(t *testing.T) {
 				client:          cnofake.NewFakeClient(),
 				featureGates:    udnFeatureGate,
 			},
-			expectNumObjs: 44,
+			expectNumObjs: 48,
 		},
 		{
 			name: "render with PreconfiguredUDNAddresses, UDN, persistent-IP, and RA",
@@ -4193,7 +4193,7 @@ func Test_renderOVNKubernetes(t *testing.T) {
 				client:       cnofake.NewFakeClient(),
 				featureGates: preDefUDNFeatureGates,
 			},
-			expectNumObjs: 47,
+			expectNumObjs: 51,
 		},
 	}
 	for _, tt := range tests {