From 8b6f39b09bf2faff58febcf1244f2d337b691f27 Mon Sep 17 00:00:00 2001
From: Stefan Prodan
Date: Fri, 6 Oct 2023 12:41:11 +0300
Subject: [PATCH] Extend CEL immutable error detection

Add match variant to capture GCP immutable field behaviour.

Signed-off-by: Stefan Prodan
---
 ssa/utils.go | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/ssa/utils.go b/ssa/utils.go
index 57f257f8..58969830 100644
--- a/ssa/utils.go
+++ b/ssa/utils.go
@@ -285,7 +285,11 @@ func IsKustomization(object *unstructured.Unstructured) bool {
 return false
 }

-var matchImmutableFieldErr = regexp.MustCompile(`.*is\simmutable.*`)
+// Match CEL immutable error variants.
+var matchImmutableFieldErrors = []*regexp.Regexp{
+ regexp.MustCompile(`.*is\simmutable.*`),
+ regexp.MustCompile(`.*immutable\sfield.*`),
+}

 // IsImmutableError checks if the given error is an immutable error.
 func IsImmutableError(err error) bool {
@@ -297,8 +301,10 @@ func IsImmutableError(err error) bool {

 // Detect immutable errors returned by custom admission webhooks and Kubernetes CEL
 // https://kubernetes.io/blog/2022/09/29/enforce-immutability-using-cel/#immutablility-after-first-modification
- if matchImmutableFieldErr.MatchString(err.Error()) {
- return true
+ for _, fieldError := range matchImmutableFieldErrors {
+ if fieldError.MatchString(err.Error()) {
+ return true
+ }
 }

 return false
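Review bot: The second entry added to `matchImmutableFieldErrors` is unanchored, so any error text containing the words "immutable field" is now classified as an immutable error, including a message in which an admission webhook echoes a resource name or a field value. What callers do when IsImmutableError returns true is not visible in this hunk; if the result gates anything stronger than a retry, the pattern should be narrowed to the exact wording it is meant to catch. The leading and trailing `.*` in both entries add nothing under MatchString and can be dropped. I would also replace the comment with `// matchImmutableFieldErrors holds message patterns for immutable-field rejections from CEL rules and admission webhooks; the second entry covers the GCP wording.` so it starts with the identifier and records why the variant exists.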
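Review bot: The loop added to IsImmutableError calls `err.Error()` once per pattern and names the loop variable `fieldError` although it holds a compiled pattern, not an error. Hoisting `msg := err.Error()` above the loop and writing `for _, re := range matchImmutableFieldErrors {` with `if re.MatchString(msg) {` reads more clearly and builds the message once. The diffstat lists only ssa/utils.go, so nothing pins the new variant; a table test with one sample message per pattern plus one unrelated rejection message would guard against both regressions and over-matching. The function starts before this hunk and ends after it.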