Modified logic for validation

miyadav · miyadav · commit cbb5d059ffe3 · 2025-01-23T17:32:40.000+05:30
diff --git a/pkg/cloud/azure/assets/validating-admission-service-annotation-policy.yaml b/pkg/cloud/azure/assets/validating-admission-service-annotation-policy.yaml
@@ -11,10 +11,14 @@ spec:
         resources: ["services"]
   validations:
     - expression: |
-        (!has(object.metadata.annotations) || 
         !('service.beta.kubernetes.io/azure-load-balancer-tcp-idle-timeout' in object.metadata.annotations) ||
-        (object.metadata.annotations['service.beta.kubernetes.io/azure-load-balancer-tcp-idle-timeout'].matches('^[0-9]+$') &&
-        int(object.metadata.annotations['service.beta.kubernetes.io/azure-load-balancer-tcp-idle-timeout']) >= 4 &&
-        int(object.metadata.annotations['service.beta.kubernetes.io/azure-load-balancer-tcp-idle-timeout']) <= 100))
-      message: "The annotation 'service.beta.kubernetes.io/azure-load-balancer-tcp-idle-timeout', if specified, must have a value between 4 and 100."
-     
+        (
+          object.metadata.annotations['service.beta.kubernetes.io/azure-load-balancer-tcp-idle-timeout'].matches('^[0-9]+$') &&
+          int(object.metadata.annotations['service.beta.kubernetes.io/azure-load-balancer-tcp-idle-timeout']) >= 4 &&
+          int(object.metadata.annotations['service.beta.kubernetes.io/azure-load-balancer-tcp-idle-timeout']) <= 100
+        ) ||
+        (
+          oldObject != null &&
+          oldObject.metadata.annotations['service.beta.kubernetes.io/azure-load-balancer-tcp-idle-timeout'] == object.metadata.annotations['service.beta.kubernetes.io/azure-load-balancer-tcp-idle-timeout']
+        )
+      message: "The annotation 'service.beta.kubernetes.io/azure-load-balancer-tcp-idle-timeout', if specified, must have a value between 4 and 100. Changes to an invalid value are not allowed."
diff --git a/pkg/cloud/gcp/assets/validating-admission-policy.yaml b/pkg/cloud/gcp/assets/validating-admission-policy.yaml
@@ -10,8 +10,13 @@ spec:
         operations: ["CREATE", "UPDATE"]
         resources: ["services"]
   validations:
-    - expression: "(!has(object.metadata.annotations) || !('cloud.google.com/network-tier' in object.metadata.annotations) ||
-                   (object.metadata.annotations['cloud.google.com/network-tier'] == 'Standard' || object.metadata.annotations['cloud.google.com/network-tier'] == 'Premium') ||
-                   (has(oldObject.metadata.annotations) && oldObject.metadata.annotations['cloud.google.com/network-tier'] == object.metadata.annotations['cloud.google.com/network-tier']))"
-      message: "The annotation 'cloud.google.com/network-tier', if specified, must be either 'Standard' or 'Premium'."
-
+    - expression: "!(
+                     has(object.metadata.annotations['cloud.google.com/network-tier']) &&
+                     !(object.metadata.annotations['cloud.google.com/network-tier'] in ['Standard', 'Premium']) &&
+                     (
+                       oldObject == null || 
+                       !has(oldObject.metadata.annotations['cloud.google.com/network-tier']) || 
+                       oldObject.metadata.annotations['cloud.google.com/network-tier'] != object.metadata.annotations['cloud.google.com/network-tier']
+                     )
+                   )"
+      message: "The annotation 'cloud.google.com/network-tier', if specified, must be either 'Standard' or 'Premium', and changes to invalid values are not allowed."
