The machine-api-machine-set-vap and cluster-api-machine-set-vap ValidatingAdmissionPolicies only match resources: ["machinesets"] in their
  matchConstraints.resourceRules. This means requests to the machinesets/scale subresource bypass the VAPs entirely.

  A user can scale a non-authoritative MachineSet via the scale subresource (e.g. kubectl scale) without being blocked at admission. The sync
  controller will revert the change, but there is a window where the scale goes through and could cause unintended machine creation or deletion before
  being corrected.

This is a known issue, the subresource handler does not directly call the admission chain (and therefore the VAPs) for the resource being scaled

https://github.com/kubernetes/kubernetes/issues/84530 

Given the scale subresource has a different structure, we likely want entirely separate VAPs for this.

  Affected VAPs:

  - machine-api-machine-set-vap (manifests/0000_30_cluster-api_09_admission-policies.yaml, line ~192)
  - cluster-api-machine-set-vap (same file, line ~428)

  Consideration:

  The scale subresource passes a Scale object (not a MachineSet), so the existing validation expressions that reference object.spec would evaluate
  against Scale.spec (which contains replicas and selector), not MachineSet.spec. The VAP expressions would need to be adapted or a separate rule added
   for the scale subresource.

  Acceptance criteria:
  - Scaling a non-authoritative MachineSet via the scale subresource is rejected at admission
  - E2e tests added to verify scale subresource rejection