- [x] Run `make reviewable` to ensure this PR is ready for review.
How has this code been tested
UTs and upstream E2E tests
Special notes for your reviewer
Handle fleet/upstream MC resources differently.

For fleet MC:
- Deny normal users from modifying the fleet cluster resource ID annotation (update, delete)
- Allow special authenticated users to update all fleet-prefixed annotation values and delete some fleet-prefixed annotations (update)
- Deny special authenticated users from deleting all fleet-prefixed annotations (we have a hard requirement that at least one annotation should have the prefix fleet.azure.com)
- Only special authenticated users can update ownerReferences, finalizers, spec, status (taints are ignored)
- All other changes to objectMeta are allowed for all users

For upstream MC:
- Allow all users to CREATE/DELETE upstream MC resources without the cluster resource ID annotation
- Deny normal users from adding the fleet-prefixed annotation on update
- Deny special authenticated users from adding the fleet-prefixed annotation on update
- All other changes to objectMeta are allowed for all users
- Any user can update spec
- Only special authenticated users can update status

Glossary: special authenticated users are users in
- the system:master group
- the whitelisted users (can be provided when installing the hub agent on the cluster)
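The update rules listed in this PR description, written out as a stand-alone Go policy check. This is an added example and not code from the PR or from the fleet code base: it uses simplified stand-in types for the user info and the MemberCluster (Spec and Status are opaque strings), a hypothetical annotation key `fleet.azure.com/cluster-resource-id` for the cluster resource ID (the real key is not quoted in the PR), the Kubernetes built-in `system:masters` group for the master group, and a caller-supplied whitelist map. It also assumes that an object carrying the cluster resource ID annotation is a fleet MC and anything else is an upstream MC, which is how the description distinguishes the two.

```go
package main

import (
	"fmt"
	"reflect"
	"strings"
)

const (
	fleetAnnotationPrefix       = "fleet.azure.com/"                            // prefix reserved by fleet (from the PR)
	clusterResourceIDAnnotation = fleetAnnotationPrefix + "cluster-resource-id" // hypothetical key; the real one is not quoted in the PR
	mastersGroup                = "system:masters"                              // built-in Kubernetes superuser group
)

// UserInfo is a reduced stand-in for the user info an admission webhook receives.
type UserInfo struct {
	Username string
	Groups   []string
}

// MemberCluster is a simplified stand-in with only the fields the policy inspects; Spec and Status are opaque strings here.
type MemberCluster struct {
	Annotations     map[string]string
	OwnerReferences []string
	Finalizers      []string
	Spec            string
	Status          string
}

// Policy holds the users whitelisted when the hub agent was installed.
type Policy struct {
	WhitelistedUsers map[string]bool
}

// IsSpecialUser reports whether the caller is in system:masters or on the whitelist.
func (p Policy) IsSpecialUser(u UserInfo) bool {
	if p.WhitelistedUsers[u.Username] {
		return true
	}
	for _, g := range u.Groups {
		if g == mastersGroup {
			return true
		}
	}
	return false
}

// fleetAnnotationKeys returns the keys in ann that carry the fleet prefix.
func fleetAnnotationKeys(ann map[string]string) []string {
	var keys []string
	for k := range ann {
		if strings.HasPrefix(k, fleetAnnotationPrefix) {
			keys = append(keys, k)
		}
	}
	return keys
}

// ValidateUpdate applies the PR's UPDATE rules; nil means admitted. Assumption: an object carrying the cluster resource ID annotation is a fleet MC.
func (p Policy) ValidateUpdate(u UserInfo, oldMC, newMC MemberCluster) error {
	special := p.IsSpecialUser(u)
	if oldID, isFleet := oldMC.Annotations[clusterResourceIDAnnotation]; isFleet {
		// Fleet MC: normal users may neither change nor delete the cluster resource ID.
		if newID, present := newMC.Annotations[clusterResourceIDAnnotation]; !special && (!present || newID != oldID) {
			return fmt.Errorf("only special users may update or delete %s", clusterResourceIDAnnotation)
		}
		// Hard requirement: at least one fleet.azure.com annotation must survive (special users may drop some, never all).
		if len(fleetAnnotationKeys(newMC.Annotations)) == 0 {
			return fmt.Errorf("at least one annotation with prefix %s must remain", fleetAnnotationPrefix)
		}
		// ownerReferences, finalizers, spec and status are reserved for special users; other objectMeta changes are open.
		if !special && (!reflect.DeepEqual(oldMC.OwnerReferences, newMC.OwnerReferences) ||
			!reflect.DeepEqual(oldMC.Finalizers, newMC.Finalizers) ||
			oldMC.Spec != newMC.Spec || oldMC.Status != newMC.Status) {
			return fmt.Errorf("only special users may update ownerReferences, finalizers, spec or status")
		}
		return nil
	}
	// Upstream MC: nobody, special or not, may add fleet-prefixed annotations on update.
	for _, k := range fleetAnnotationKeys(newMC.Annotations) {
		if _, existed := oldMC.Annotations[k]; !existed {
			return fmt.Errorf("adding fleet-prefixed annotation %s to an upstream member cluster is not allowed", k)
		}
	}
	// Any user may update spec; status stays with special users.
	if !special && oldMC.Status != newMC.Status {
		return fmt.Errorf("only special users may update status of an upstream member cluster")
	}
	return nil
}

func main() {
	p := Policy{WhitelistedUsers: map[string]bool{"hub-agent": true}} // constructed whitelist
	old := MemberCluster{Annotations: map[string]string{clusterResourceIDAnnotation: "constructed-id"}, Spec: "v1"}
	updated := MemberCluster{Annotations: map[string]string{clusterResourceIDAnnotation: "constructed-id"}, Spec: "v2"}
	fmt.Println(p.ValidateUpdate(UserInfo{Username: "alice"}, old, updated))
}
```

In a real webhook the old and new objects come from the admission request and the user info from its `userInfo` field; the "at least one fleet annotation" check is applied to every caller here because a normal user can only reach that state by deleting the cluster resource ID annotation, which the earlier check already refuses.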