Prevent deletion of local cluster

It prevents deletion of both clusters.provisioning.cattle.io and cluster.management.cattle.io of the name `local`. Signed-off-by: Dharmit Shah <[email protected]>
rancher · Dec 17, 2024 · e55d06d · e55d06d
1 parent 12879d9
commit e55d06d
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/pkg/resources/management.cattle.io/v3/cluster/validator.go b/pkg/resources/management.cattle.io/v3/cluster/validator.go
@@ -26,6 +26,8 @@ import (
 
 var parsedRangeLessThan123 = semver.MustParseRange("< 1.23.0-rancher0")
 
+const localCluster = "local"
+
 // NewValidator returns a new validator for management clusters.
 func NewValidator(
 	sar authorizationv1.SubjectAccessReviewInterface,
@@ -81,6 +83,10 @@ func (a *admitter) Admit(request *admission.Request) (*admissionv1.AdmissionResp
 		return nil, fmt.Errorf("failed get old and new clusters from request: %w", err)
 	}
 
+	if request.Operation == admissionv1.Delete && request.Name == localCluster {
+		return admission.ResponseBadRequest("bad idea; nope, nope"), nil
+	}
+
 	response, err := a.validateFleetPermissions(request, oldCluster, newCluster)
 	if err != nil {
 		return nil, fmt.Errorf("failed to validate fleet permissions: %w", err)
@@ -112,7 +118,7 @@ func (a *admitter) Admit(request *admission.Request) (*admissionv1.AdmissionResp
 	if request.Operation == admissionv1.Create || request.Operation == admissionv1.Update {
 		// no need to validate the PodSecurityAdmissionConfigurationTemplate on a local cluster,
 		// or imported cluster which represents a KEv2 cluster (GKE/EKS/AKS) or v1 Provisioning Cluster
-		if newCluster.Name == "local" || newCluster.Spec.RancherKubernetesEngineConfig == nil {
+		if newCluster.Name == localCluster || newCluster.Spec.RancherKubernetesEngineConfig == nil {
 			return admission.ResponseAllowed(), nil
 		}
 

diff --git a/pkg/resources/provisioning.cattle.io/v1/cluster/validator.go b/pkg/resources/provisioning.cattle.io/v1/cluster/validator.go
@@ -35,6 +35,7 @@ import (
 
 const (
 	globalNamespace         = "cattle-global-data"
+	localCluster            = "local"
 	systemAgentVarDirEnvVar = "CATTLE_AGENT_VAR_DIR"
 	failureStatus           = "Failure"
 )
@@ -92,6 +93,10 @@ func (p *provisioningAdmitter) Admit(request *admission.Request) (*admissionv1.A
 	listTrace := trace.New("provisioningClusterValidator Admit", trace.Field{Key: "user", Value: request.UserInfo.Username})
 	defer listTrace.LogIfLong(admission.SlowTraceDuration)
 
+	if request.Operation == admissionv1.Delete && request.Name == localCluster {
+		return admission.ResponseBadRequest("bad idea; nope, nope"), nil
+	}
+
 	oldCluster, cluster, err := objectsv1.ClusterOldAndNewFromRequest(&request.AdmissionRequest)
 	if err != nil {
 		return nil, err
@@ -416,7 +421,7 @@ func (p *provisioningAdmitter) validateMachinePoolNames(request *admission.Reque
 
 // validatePSACT validate if the cluster and underlying secret are configured properly when PSACT is enabled or disabled
 func (p *provisioningAdmitter) validatePSACT(request *admission.Request, response *admissionv1.AdmissionResponse, cluster *v1.Cluster) error {
-	if cluster.Name == "local" || cluster.Spec.RKEConfig == nil {
+	if cluster.Name == localCluster || cluster.Spec.RKEConfig == nil {
 		return nil
 	}
 
@@ -664,7 +669,7 @@ func validateACEConfig(cluster *v1.Cluster) *metav1.Status {
 
 func isValidName(clusterName, clusterNamespace string, clusterExists bool) bool {
 	// A provisioning cluster with name "local" is only expected to be created in the "fleet-local" namespace.
-	if clusterName == "local" {
+	if clusterName == localCluster {
 		return clusterNamespace == "fleet-local"
 	}