ssa: Detect immutable errors from CEL and custom webhooks

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

ssa/utils.go

@@ -21,6 +21,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"regexp"
 	"strings"
 
 	"github.com/google/go-cmp/cmp"
@@ -291,6 +292,13 @@ func IsImmutableError(err error) bool {
 	if errors.IsConflict(err) || errors.IsInvalid(err) {
 		return true
 	}
+
+	// Detect immutable errors returned by custom admission webhooks and Kubernetes CEL
+	// https://kubernetes.io/blog/2022/09/29/enforce-immutability-using-cel/#immutablility-after-first-modification
+	if match, _ := regexp.MatchString(`.*is\simmutable.*`, err.Error()); match {
+		return true
+	}
+
 	return false
 }
 

ssa/utils_test.go

@@ -239,3 +239,35 @@ stringData:
 		})
 	}
 }
+
+func TestIsImmutableError(t *testing.T) {
+	testCases := []struct {
+		name  string
+		err   error
+		match bool
+	}{
+		{
+			name:  "CEL immutable error",
+			err:   fmt.Errorf(`the ImmutableSinceFirstWrite "test1" is invalid: value: Invalid value: "string": Value is immutable`),
+			match: true,
+		},
+		{
+			name:  "Custom admission immutable error",
+			err:   fmt.Errorf(`the IAMPolicyMember's spec is immutable: admission webhook "deny-immutable-field-updates.cnrm.cloud.google.com" denied the request: the IAMPolicyMember's spec is immutable`),
+			match: true,
+		},
+		{
+			name:  "Not immutable error",
+			err:   fmt.Errorf(`is not immutable`),
+			match: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			g.Expect(IsImmutableError(tc.err)).To(BeIdenticalTo(tc.match))
+		})
+	}
+}