chore: add policy to prevent changing personal organization display name

scotwells · scotwells · commit 912eb90f5997 · 2025-07-09T12:58:54.000-05:00
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -18,6 +18,7 @@ resources:
 #- ../crd
 - ../rbac
 - ../manager
+- ../policies
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
 #- ../webhook
diff --git a/config/policies/kustomization.yaml b/config/policies/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+  - validation/
diff --git a/config/policies/validation/kustomization.yaml b/config/policies/validation/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+  - organization-update-policy.yaml
diff --git a/config/policies/validation/organization-update-policy.yaml b/config/policies/validation/organization-update-policy.yaml
@@ -0,0 +1,15 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "organization-update-policy.miloapis.com"
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["resourcemanager.miloapis.com"]
+      apiVersions: ["v1alpha1"]
+      operations:  ["UPDATE"]
+      resources:   ["organizations"]
+  validations:
+  - expression: "object.spec.type != 'Personal' || oldObject.metadata.annotations.get('kubernetes.io/display-name', '') == object.metadata.annotations.get('kubernetes.io/display-name', '')"
+    message: "The display name of a personal organization cannot be changed."

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+resources:`
	`2`	`+ - organization-update-policy.yaml`