use CEL for the prevent-mgmt-cluster-delete Kyverno policies

Relates to #1741 (closed)

This issue's primary cause is that the Kyverno policy we have in place to prevent deletion of the RKE2ControlPlane resource for the mgmt cluster itself may result (specific conditions discussed in the issue) in some updates of this resource by the RKE2 CAPI provider (cabpr) being prevented.

This MR makes the policy more "fine-grained": having CEL filtering in the webhook definition ensures that no webhook call will be made to Kyverno for actions that are patches/updates/list/get etc., so we're sure that this policy will not trigger this error.

This MR also:

  • changes the policy from a ClusterPolicy with ns matching into a plain Policy (installed only in the mgmt cluster ns)
  • adds a GitLab CI test to actually verify that the policy works as expected (example run here)
Edited by Thomas Morin
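The shape of policy the description above refers to, written out here as an added example (not the project's own manifest from this MR): a namespaced Kyverno `Policy` whose webhook registration carries a CEL match condition so the API server only forwards `DELETE` requests to Kyverno, while the rule itself is additionally restricted to the `DELETE` operation. The namespace name `mgmt-cluster`, the policy and rule names, the message text and the bare `RKE2ControlPlane` kind are assumptions for illustration.

```yaml
# Added example, not the MR's own manifest. Assumptions: the management
# cluster's CAPI objects live in namespace "mgmt-cluster"; names are illustrative.
apiVersion: kyverno.io/v1
kind: Policy                      # namespaced Policy: installed only in the mgmt cluster namespace,
metadata:                         # no namespace matching needed in the rule itself
  name: prevent-mgmt-cluster-delete
  namespace: mgmt-cluster
spec:
  validationFailureAction: Enforce
  background: false               # a DELETE-only rule has nothing to evaluate in background scans
  webhookConfiguration:
    # CEL evaluated by the kube-apiserver *before* calling Kyverno: CREATE/UPDATE/PATCH
    # (including the cabpr provider's status and spec updates) never reach the webhook,
    # so a Kyverno outage or misevaluation cannot block them.
    matchConditions:
      - name: only-delete-requests
        expression: 'request.operation == "DELETE"'
  rules:
    - name: deny-delete-rke2controlplane
      match:
        any:
          - resources:
              kinds:
                - RKE2ControlPlane   # assumption: bare kind resolves to the cabpr CRD
              operations:
                - DELETE             # belt and braces: rule scope mirrors the CEL filter
      validate:
        message: "Deleting the management cluster's RKE2ControlPlane is not allowed."
        deny: {}                     # unconditional deny for anything that matched
```

Two caveats worth checking before relying on this: `spec.webhookConfiguration.matchConditions` needs a Kyverno release that exposes it (1.12 or later) and a Kubernetes API server with admission webhook `matchConditions` enabled (beta and on by default from 1.28, GA in 1.30); on an older API server the condition is silently absent from the webhook and every operation is sent to Kyverno again. A quick functional check that mirrors the intent of the CI test: a server-side dry run of `kubectl delete rke2controlplane <name> -n mgmt-cluster --dry-run=server` should be rejected with the policy's message, while `kubectl patch rke2controlplane <name> -n mgmt-cluster --type=merge -p '{"metadata":{"annotations":{"x":"y"}}}' --dry-run=server` should succeed, and Kyverno's admission logs should show no entry for the patch at all.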
