From 11c98723cb184b4b9911a16c2c1402921ac7b2bd Mon Sep 17 00:00:00 2001
From: Aranta Rokade
Date: Mon, 24 Nov 2025 12:24:12 +0000
Subject: [PATCH 1/3] make pni immutable
---
 .../api/v1alpha1/podnetworkinstance.go | 9 +++++++++
 ...tenancy.acn.azure.com_podnetworkinstances.yaml | 15 +++++++++++++--
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/crd/multitenancy/api/v1alpha1/podnetworkinstance.go b/crd/multitenancy/api/v1alpha1/podnetworkinstance.go
index 3f78dd58e5..ae38accf63 100644
--- a/crd/multitenancy/api/v1alpha1/podnetworkinstance.go
+++ b/crd/multitenancy/api/v1alpha1/podnetworkinstance.go
@@ -17,6 +17,15 @@ import (
 // +kubebuilder:metadata:labels=managed=
 // +kubebuilder:metadata:labels=owner=
 // +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
+//
+// Enforce immutability of .spec once reconcile is complete (status becomes Ready).
+// Rule semantics:
+// - Allow CREATE.
+// - Do not allow UPDATE require self.spec == oldSelf.spec (no spec changes).
+//
+// This compiles to a CRD-level x-kubernetes-validations transition rule using oldSelf.
+// Requires Kubernetes versions that support CEL transition rules.
+// +kubebuilder:validation:XValidation:rule="self.spec == oldSelf.spec",message="Spec is immutable."
 type PodNetworkInstance struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
diff --git a/crd/multitenancy/manifests/multitenancy.acn.azure.com_podnetworkinstances.yaml b/crd/multitenancy/manifests/multitenancy.acn.azure.com_podnetworkinstances.yaml
index 432cb5a222..6985254260 100644
--- a/crd/multitenancy/manifests/multitenancy.acn.azure.com_podnetworkinstances.yaml
+++ b/crd/multitenancy/manifests/multitenancy.acn.azure.com_podnetworkinstances.yaml
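Review bot: The marker `+kubebuilder:validation:XValidation:rule="self.spec == oldSelf.spec"` dereferences `spec` on both sides unconditionally, so if the Spec field carries `omitempty` (the struct's field list runs past the hunk, so its tag is not visible here) an update of an object stored without `spec` fails with a CEL evaluation error instead of the intended "Spec is immutable." message; `rule="!has(oldSelf.spec) || self.spec == oldSelf.spec"`, or the equivalent `self == oldSelf` marker placed on the Spec field itself, closes that gap. The comment block above the marker is also the type's godoc, and the manifest hunk below shows it emitted verbatim as the schema `description`, so implementation notes such as "This compiles to a CRD-level x-kubernetes-validations transition rule using oldSelf." now surface to users through `kubectl explain`; a single user-facing line, `// Spec is immutable after creation; updates that change .spec are rejected by the API server.`, would serve better there. The guarantee is also only as strong as the API server evaluating it: on a cluster where CRD validation rules are unavailable or gated off, the `x-kubernetes-validations` block is presumably pruned at CRD admission and the spec silently stays mutable, so if a mutated PNI spec is a tenant-isolation concern the controller should not rely on this rule as its sole check.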
@@ -26,8 +26,16 @@ spec:
 name: v1alpha1
 schema:
 openAPIV3Schema:
- description: PodNetworkInstance is the Schema for the PodNetworkInstances
- API
+ description: |-
+ PodNetworkInstance is the Schema for the PodNetworkInstances API
+
+ Enforce immutability of .spec once reconcile is complete (status becomes Ready).
+ Rule semantics:
+ - Allow CREATE.
+ - Do not allow UPDATE require self.spec == oldSelf.spec (no spec changes).
+
+ This compiles to a CRD-level x-kubernetes-validations transition rule using oldSelf.
+ Requires Kubernetes versions that support CEL transition rules.
 properties:
 apiVersion:
 description: |-
@@ -109,6 +117,9 @@ spec:
 type: string
 type: object
 type: object
+ x-kubernetes-validations:
+ - message: Spec is immutable.
+ rule: self.spec == oldSelf.spec
 served: true
 storage: true
 subresources:
From aef1a64788c1ade6924baa50512f37fe9755fafc Mon Sep 17 00:00:00 2001
From: Aranta Rokade
Date: Wed, 26 Nov 2025 01:29:42 +0000
Subject: [PATCH 2/3] fix comment
---
 crd/multitenancy/api/v1alpha1/podnetworkinstance.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/crd/multitenancy/api/v1alpha1/podnetworkinstance.go b/crd/multitenancy/api/v1alpha1/podnetworkinstance.go
index ae38accf63..21af982cd4 100644
--- a/crd/multitenancy/api/v1alpha1/podnetworkinstance.go
+++ b/crd/multitenancy/api/v1alpha1/podnetworkinstance.go
@@ -18,9 +18,8 @@ import (
 // +kubebuilder:metadata:labels=owner=
 // +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
 //
-// Enforce immutability of .spec once reconcile is complete (status becomes Ready).
+// Enforce immutability of .spec.
 // Rule semantics:
-// - Allow CREATE.
 // - Do not allow UPDATE require self.spec == oldSelf.spec (no spec changes).
 //
 // This compiles to a CRD-level x-kubernetes-validations transition rule using oldSelf.
From 4024a75760e99e50d597148cfdf4c49b7ccb6c8a Mon Sep 17 00:00:00 2001
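Review bot: The bullet kept as context in the patch-2 hunk, `// - Do not allow UPDATE require self.spec == oldSelf.spec (no spec changes).`, still misstates the rule and is missing its verb: updates are not refused outright, they are accepted whenever spec is unchanged, so changes confined to other fields still go through. `// - UPDATE is accepted only when self.spec == oldSelf.spec (no spec changes).` says what the marker actually does. Because this comment group is the type's godoc and the manifest hunks above show it copied into the generated CRD description, the wording is user-visible through `kubectl explain`, so it is worth correcting here rather than leaving the sentence as is.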
From: Aranta Rokade
Date: Wed, 26 Nov 2025 01:31:13 +0000
Subject: [PATCH 3/3] update manifest
---
 .../multitenancy.acn.azure.com_podnetworkinstances.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/crd/multitenancy/manifests/multitenancy.acn.azure.com_podnetworkinstances.yaml b/crd/multitenancy/manifests/multitenancy.acn.azure.com_podnetworkinstances.yaml
index 6985254260..9f378efcdf 100644
--- a/crd/multitenancy/manifests/multitenancy.acn.azure.com_podnetworkinstances.yaml
+++ b/crd/multitenancy/manifests/multitenancy.acn.azure.com_podnetworkinstances.yaml
@@ -29,9 +29,8 @@ spec:
 description: |-
 PodNetworkInstance is the Schema for the PodNetworkInstances API
- Enforce immutability of .spec once reconcile is complete (status becomes Ready).
+ Enforce immutability of .spec.
 Rule semantics:
- - Allow CREATE.
 - Do not allow UPDATE require self.spec == oldSelf.spec (no spec changes).
 This compiles to a CRD-level x-kubernetes-validations transition rule using oldSelf.