feat: check for AnnotationInternal immutability

Kamil Przybyl · Kamil Przybyl · commit 8be6e84d8d8e · 2026-05-20T10:49:46.000+02:00
diff --git a/pkg/alb/ingress/ingressclass_webhook.go b/pkg/alb/ingress/ingressclass_webhook.go
@@ -77,6 +77,13 @@ func (v *IngressClassValidator) handleUpdate(ctx context.Context, req admission.
 		return resp
 	}
 
+	// Check immutability for AnnotationInternal
+	oldInternal := oldClass.Annotations[AnnotationInternal]
+	newInternal := newClass.Annotations[AnnotationInternal]
+	if oldInternal != newInternal {
+		return admission.Denied(fmt.Sprintf("The annotation '%s' is immutable and cannot be changed after creation.", AnnotationInternal))
+	}
+
 	if resp := v.validateIPUpdate(ctx, oldClass, newClass); !resp.Allowed {
 		return resp
 	}
@@ -92,6 +99,13 @@ func (v *IngressClassValidator) validateBaseAnnotations(ingressClass *networking
 		}
 	}
 
+	// Check if AnnotationInternal is a boolean.
+	if val, ok := ingressClass.Annotations[AnnotationInternal]; ok {
+		if _, err := strconv.ParseBool(val); err != nil {
+			return admission.Denied(fmt.Sprintf("Annotation '%s' must be a valid boolean (true or false).", AnnotationInternal))
+		}
+	}
+
 	// Network Mode Check.
 	mode, exists := ingressClass.Annotations[AnnotationNetworkMode]
 	if !exists {
