OCPBUGS-60670: Add ValidatingAdmissionPolicy for EgressIP

[arghosh93]

This commit is to add couple of ValidatingAdmissionPolicy to take care of following conditions:

• k8s.ovn.org/egressip-mark annotation should not be added while creating an EgressIP.
• A regular user should not be able to add k8s.ovn.org/egressip-mark annotation. Only a system user is allowed to do so.

[coderabbitai]

Walkthrough

Adds a single YAML containing four Kubernetes ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding resources that enforce creation and update constraints for the k8s.ovn.org/egressip-mark annotation on EgressIP objects, with explicit service-account exceptions and Deny failure actions.

Changes

Cohort / File(s)	Summary
Kubernetes Admission Policy Configuration bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml	Adds two ValidatingAdmissionPolicy resources (egressip-update-validation, egressip-create-validation) and two corresponding ValidatingAdmissionPolicyBinding resources. CREATE policy forbids presence of k8s.ovn.org/egressip-mark on new EgressIP objects; UPDATE policy requires the annotation to be absent in the new object or present in the old object and denies specific service account actors.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Verify CEL expressions correctly express "annotation absent on create" and the update allow/deny logic comparing object vs oldObject.
• Confirm bindings reference correct policy names, subjects, and set failurePolicy/action as intended.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 8c93e4e and 8808de0.

📒 Files selected for processing (1)

• bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml

Tip

📝 Customizable high-level summaries are now available in beta!

You can now customize how CodeRabbit generates the high-level summary in your pull requests — including its content, structure, tone, and formatting.

• Provide your own instructions using the high_level_summary_instructions setting.
• Format the summary however you like (bullet lists, tables, multi-section layouts, contributor stats, etc.).
• Use high_level_summary_in_walkthrough to move the summary from the description to the walkthrough section.

Example instruction:

"Divide the high-level summary into five sections:

1. 📝 Description — Summarize the main change in 50–60 words, explaining what was done.
2. 📓 References — List relevant issues, discussions, documentation, or related PRs.
3. 📦 Dependencies & Requirements — Mention any new/updated dependencies, environment variable changes, or configuration updates.
4. 📊 Contributor Summary — Include a Markdown table showing contributions:
   | Contributor | Lines Added | Lines Removed | Files Changed |
5. ✔️ Additional Notes — Add any extra reviewer context.
   Keep each section concise (under 200 words) and use bullet or numbered lists for clarity."

Note: This feature is currently in beta for Pro-tier users, and pricing will be announced later.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: arghosh93
Once this PR has been reviewed and has the lgtm label, please assign pliurh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@arghosh93: This pull request references Jira Issue OCPBUGS-60670, which is invalid:

• expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This commit is to add couple of ValidatingAdmissionPolicy to take care of following conditions:

• k8s.ovn.org/egressip-mark annotation should not be added while creating an EgressIP.
• A regular user should not be able to add k8s.ovn.org/egressip-mark annotation. Only a system user is allowed to do so.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[arghosh93]

/jira refresh

[openshift-ci-robot]

@arghosh93: This pull request references Jira Issue OCPBUGS-60670, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @anuragthehatter

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between d1321fa and 8c93e4e.

📒 Files selected for processing (1)

• bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml

🔇 Additional comments (2)

bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml (2)

23-39: CREATE policy validation logic is correct.

The expression !has(object.metadata.annotations) || !("k8s.ovn.org/egressip-mark" in object.metadata.annotations) correctly denies creation only when the egressip-mark annotation is explicitly set in the request, while allowing all other CREATE operations. This aligns with the objective to prevent unauthorized creation with the managed annotation.

---

41-56: Bindings are correctly structured.

Both ValidatingAdmissionPolicyBinding resources properly reference their policies and apply cluster-wide Deny enforcement without exceptions. This is appropriate for governing a system-managed annotation.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Critical: Inverted validation logic denies the intended system account.

The validation expression uses negation which produces opposite behavior: it denies the system service account from adding the annotation and allows regular users—the inverse of the design intent.

In ValidatingAdmissionPolicy, when an expression evaluates to FALSE, the validation fails and the request is denied. The current expression:

• System account (request.userInfo.username == "system:serviceaccount:ovn-kubernetes:ovnkube-cluster-manager"): !(true) → FALSE → DENIED ❌
• Regular user: !(false) → TRUE → ALLOWED ❌

Remove the negation operator to allow only the system service account.

-  - expression: '!(request.userInfo.username == "system:serviceaccount:ovn-kubernetes:ovnkube-cluster-manager")'
+  - expression: 'request.userInfo.username == "system:serviceaccount:ovn-kubernetes:ovnkube-cluster-manager"'
     message: 'A regular user must not add "k8s.ovn.org/egressip-mark" annotation to an EgressIP custom resource.'
     reason: Invalid

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- expression: '!(request.userInfo.username == "system:serviceaccount:ovn-kubernetes:ovnkube-cluster-manager")'
	message: 'A regular user must not add "k8s.ovn.org/egressip-mark" annotation to an EgressIP custom resource.'
	reason: Invalid
	- expression: 'request.userInfo.username == "system:serviceaccount:ovn-kubernetes:ovnkube-cluster-manager"'
	message: 'A regular user must not add "k8s.ovn.org/egressip-mark" annotation to an EgressIP custom resource.'
	reason: Invalid

🤖 Prompt for AI Agents

In bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml around
lines 18 to 20, the validation expression is negated, which incorrectly denies
the system service account and allows regular users; remove the negation so the
expression simply checks request.userInfo.username ==
"system:serviceaccount:ovn-kubernetes:ovnkube-cluster-manager" to ensure only
that service account is allowed to add the k8s.ovn.org/egressip-mark annotation
and update the message/reason if necessary to reflect the corrected logic.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between d1321fa and 8c93e4e.

📒 Files selected for processing (1)

• bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml

🔇 Additional comments (1)

bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml (1)

8-10: Verify UPDATE policy doesn't allow modification of existing annotations.

The matchCondition only triggers when the annotation is being added to an EgressIP (present in new object, absent in old). If a regular user attempts to modify an existing annotation value, the condition won't match, and the policy won't apply. Confirm whether this is intentional or if the policy should also prevent modification of pre-existing annotations by non-system users.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Critical: CREATE validation logic appears inverted.

The validation expression !has(object.metadata.annotations) || !("k8s.ovn.org/egressip-mark" in object.metadata.annotations) evaluates to true when the annotation is absent, but with validationActions: [Deny], this causes denial when no annotation is present—the opposite of the intended behavior.

According to the message and PR objectives, creation should be denied when the annotation is present. The expression should be:

has(object.metadata.annotations) && ("k8s.ovn.org/egressip-mark" in object.metadata.annotations)

This ensures requests are rejected only when the annotation exists on the new object.

Apply this diff to fix the logic:

  validations:
-  - expression: '!has(object.metadata.annotations) || !("k8s.ovn.org/egressip-mark" in object.metadata.annotations)'
+  - expression: 'has(object.metadata.annotations) && ("k8s.ovn.org/egressip-mark" in object.metadata.annotations)'
    message: 'EgressIP resources cannot be created with the "k8s.ovn.org/egressip-mark" annotation. This annotation is managed by the system.'
    reason: Invalid

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- expression: '!has(object.metadata.annotations) || !("k8s.ovn.org/egressip-mark" in object.metadata.annotations)'
	message: 'EgressIP resources cannot be created with the "k8s.ovn.org/egressip-mark" annotation. This annotation is managed by the system.'
	reason: Invalid
	- expression: 'has(object.metadata.annotations) && ("k8s.ovn.org/egressip-mark" in object.metadata.annotations)'
	message: 'EgressIP resources cannot be created with the "k8s.ovn.org/egressip-mark" annotation. This annotation is managed by the system.'
	reason: Invalid

🤖 Prompt for AI Agents

In bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml around
lines 36 to 38, the CREATE validation expression is inverted and currently
denies requests when the annotation is absent; change the expression so it only
denies creation when the annotation exists by replacing the current expression
with one that checks for the presence of annotations and the specific key (i.e.,
use a logical AND: has(object.metadata.annotations) &&
("k8s.ovn.org/egressip-mark" in object.metadata.annotations)), leaving the
message and reason intact.

[openshift-ci]

@arghosh93: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-upgrade	8808de0	link	true	/test e2e-aws-ovn-upgrade
ci/prow/4.21-upgrade-from-stable-4.20-e2e-gcp-ovn-upgrade	8808de0	link	false	/test 4.21-upgrade-from-stable-4.20-e2e-gcp-ovn-upgrade
ci/prow/unit	8808de0	link	true	/test unit
ci/prow/e2e-aws-ovn-windows	8808de0	link	true	/test e2e-aws-ovn-windows
ci/prow/4.21-upgrade-from-stable-4.20-e2e-aws-ovn-upgrade	8808de0	link	false	/test 4.21-upgrade-from-stable-4.20-e2e-aws-ovn-upgrade
ci/prow/e2e-aws-ovn-serial-1of2	8808de0	link	true	/test e2e-aws-ovn-serial-1of2
ci/prow/4.21-upgrade-from-stable-4.20-e2e-azure-ovn-upgrade	8808de0	link	false	/test 4.21-upgrade-from-stable-4.20-e2e-azure-ovn-upgrade
ci/prow/security	8808de0	link	false	/test security

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.