fix: block cluster-scoped resources from being wrapped in an envelope

[michaelawyu]

Description of your changes

This PR blocks cluster-scoped resources from being wrapped in an envelope to address a security concern.

I have:

• Run make reviewable to ensure this PR is ready for review.

How has this code been tested

• Unit tests

Special notes for your reviewer

[codecov]

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

ℹ️ You can also turn on project coverage checks and project coverage reporting on Pull Request comment

Thanks for integrating Codecov - We've got you covered ☂️

[Copilot]

Pull Request Overview

This PR prevents cluster‐scoped resources from being wrapped in an envelope to address a security concern and updates related tests and manifests accordingly.

• Removed the webhook configuration block from the test envelope configmap and updated related tests.
• Changed test helper calls and expectations (e.g. using checkEnvelopQuotaPlacement and expecting errors when cluster‐scoped resources are wrapped) to align with the new validation.
• Updated manifests and integration tests to use ResourceQuota instead of the removed webhook configuration.

Reviewed Changes

Copilot reviewed 10 out of 11 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
test/e2e/resources/test-envelop-configmap.yaml	Removed the webhook configuration block from the envelope.
test/e2e/join_and_leave_test.go	Updated CRP status check parameter from false to true and renamed helper calls.
test/e2e/enveloped_object_placement_test.go	Adjusted test expectations and helper function call names.
pkg/controllers/workgenerator/suite_test.go	Removed references to the webhook manifest and added new manifest for resourcequota2.
pkg/controllers/workgenerator/manifests/*	Updated the envelope configmap manifest and added a new ResourceQuota manifest.
pkg/controllers/workgenerator/controller_test.go	Changed test expectation—now expecting failure for an envelope with cluster‐scoped resources.
pkg/controllers/workgenerator/controller_integration_test.go	Updated integration test to use resourcequota2 manifest instead of webhook manifest.
pkg/controllers/workgenerator/controller.go	Added validation to block wrapping cluster‐scoped resources with a clear error message.

Files not reviewed (1)

• pkg/controllers/workgenerator/manifests/test-envelop-configmap.yaml: Language not supported

Comments suppressed due to low confidence (2)

test/e2e/join_and_leave_test.go:102

• The parameter change from 'false' to 'true' in customizedCRPStatusUpdatedActual likely reflects new validation behavior. It may be beneficial to update the inline comment to clarify why the expectation has changed and to ensure the test aligns with the intended security concern.

crpStatusUpdatedActual := customizedCRPStatusUpdatedActual(crpName, wantSelectedResources, allMemberClusterNames, nil, "0", true)

pkg/controllers/workgenerator/controller_test.go:246

• The expected outcome for this test case has been updated to fail when a cluster-scoped resource is wrapped in an envelope. Verify that the test description and expected behavior clearly convey this new policy.

"config map with cluster and namespace scoped data in the correct namespace should fail": {

[Copilot]

The new check preventing wrapping of cluster-scoped resources is correctly implemented with a clear error message. Consider adding a dedicated unit test case to explicitly verify that cluster-scoped objects are blocked.

[ryanzhang-oss]

with the new condition added, this is just

Suggested change

	if len(uManifest.GetNamespace()) != 0 && uManifest.GetNamespace() != configMap.Namespace {
	if uManifest.GetNamespace() != configMap.Namespace {