Background

We will need to validate creation requests for Cluster API Machines and MachineSets.

In particular, if a Cluster API resource is created, and there already exists a Machine API equivalent resource:

• And the MAPI resource is authoritative
  • The CAPI resource may only be created as paused
• And the CAPI resource is authoritative
  • The CAPI resource may only be created if the MAPI resource is marked as Paused

Determine if we can leverage ValidatingAdmissionPolicy for this use case, given we need information from a different resource. If we cannot use VAP, a webhook validation must be created for this.

https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/

Behaviours

• If a MAPI resource exists and .status.authoritativeAPI == MachineAPI
  • Only allow creation of CAPI resource if it is paused

• If a MAPI resource exists and .status.authoritativeAPI == ClusterAPI
  • Expect resource has just been created, so allow creation of CAPI resource
  • MAPI resource should be paused to allow creation

Steps

• Determine if we can use VAP
• If we cannot use VAP, ensure or build out webhook for the use case.
• Implement behaviours for CAPI creation as per above description.

Stakeholders

• Cluster Infra

Definition of Done

• When creating a CAPI resource that has an equivalent MAPI resource, above rules on pausing are observed

• Docs

• <Add docs requirements for this card>

• Testing

• <Explain testing that will be added>