OCPBUGS-60670: Add ValidatingAdmissionPolicy for EgressIP

[arghosh93]

This commit is to add couple of ValidatingAdmissionPolicy to take care of following conditions:

• k8s.ovn.org/egressip-mark annotation should not be added while creating an EgressIP.
• A regular user should not be able to add k8s.ovn.org/egressip-mark annotation. Only a system user is allowed to do so.

[coderabbitai]

Walkthrough

Adds two ValidatingAdmissionPolicy and two ValidatingAdmissionPolicyBinding resources in a YAML file to restrict the k8s.ovn.org/egressip-mark annotation on EgressIP CREATE and UPDATE operations (with an exception for the ovn-kubernetes/ovnkube-cluster-manager service account), and updates unit test expected object counts.

Changes

Cohort / File(s)	Summary
Kubernetes Admission Policy Configuration bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml	Adds two ValidatingAdmissionPolicy resources (egressip-update-validation, egressip-create-validation) and two ValidatingAdmissionPolicyBinding resources (egressip-update-validation-binding, egressip-create-validation-binding). CREATE policy denies EgressIP creation when the k8s.ovn.org/egressip-mark annotation is present; UPDATE policy denies updates that introduce or retain the annotation improperly while allowing the ovn-kubernetes/ovnkube-cluster-manager service account. Bindings link policies to Deny actions.
Unit test expectations pkg/network/ovn_kubernetes_test.go	Updates expected rendered object counts in multiple test cases: "default" 38 → 42, "render routeadvertisements" 39 → 43, "render with UDN" 44 → 48, "render with PreconfiguredUDNAddresses, UDN, persistent-IP, and RA" 47 → 51.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–30 minutes

• Inspect CEL expressions for correct use of object vs oldObject and logic separating CREATE vs UPDATE.
• Verify policy Binding subjects, referenced policy names, and failureAction/matchConstraints.
• Confirm updated test expectations correspond to the added manifest objects and rendering behavior.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between c228ecb and deb1808.

📒 Files selected for processing (2)

• bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml (1 hunks)
• pkg/network/ovn_kubernetes_test.go (4 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml
• pkg/network/ovn_kubernetes_test.go

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: arghosh93
Once this PR has been reviewed and has the lgtm label, please assign pliurh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@arghosh93: This pull request references Jira Issue OCPBUGS-60670, which is invalid:

• expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This commit is to add couple of ValidatingAdmissionPolicy to take care of following conditions:

• k8s.ovn.org/egressip-mark annotation should not be added while creating an EgressIP.
• A regular user should not be able to add k8s.ovn.org/egressip-mark annotation. Only a system user is allowed to do so.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[arghosh93]

/jira refresh

[openshift-ci-robot]

@arghosh93: This pull request references Jira Issue OCPBUGS-60670, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @anuragthehatter

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between d1321fa and 8c93e4e.

📒 Files selected for processing (1)

• bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml

🔇 Additional comments (2)

bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml (2)

23-39: CREATE policy validation logic is correct.

The expression !has(object.metadata.annotations) || !("k8s.ovn.org/egressip-mark" in object.metadata.annotations) correctly denies creation only when the egressip-mark annotation is explicitly set in the request, while allowing all other CREATE operations. This aligns with the objective to prevent unauthorized creation with the managed annotation.

---

41-56: Bindings are correctly structured.

Both ValidatingAdmissionPolicyBinding resources properly reference their policies and apply cluster-wide Deny enforcement without exceptions. This is appropriate for governing a system-managed annotation.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between d1321fa and 8c93e4e.

📒 Files selected for processing (1)

• bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml

🔇 Additional comments (1)

bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml (1)

8-10: Verify UPDATE policy doesn't allow modification of existing annotations.

The matchCondition only triggers when the annotation is being added to an EgressIP (present in new object, absent in old). If a regular user attempts to modify an existing annotation value, the condition won't match, and the policy won't apply. Confirm whether this is intentional or if the policy should also prevent modification of pre-existing annotations by non-system users.

[arghosh93]

/retest-required

[arghosh93]

/retest-required

[arghosh93]

/retest-required

[openshift-ci]

@arghosh93: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/security	deb1808	link	false	/test security

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[arghosh93]

/retest-required