HNC: Prevent updating annotations on propagated objects

[yiqigao217]

The webhook does prevent editing the propagated object itself or labels but doesn't prevent updating annotations:

# I'm annotating a propagated object:

$ kubectl annotate role -n b rl propagate.hnc.x-k8s.io/select=abc
role.rbac.authorization.k8s.io/rl annotated

$ kubectl get role -n b -oyaml
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    annotations:
      propagate.hnc.x-k8s.io/select: abc
    creationTimestamp: "2021-04-29T21:02:29Z"
    labels:
      app.kubernetes.io/managed-by: hnc.x-k8s.io
      hnc.x-k8s.io/inherited-from: a
    name: rl
    namespace: b
    resourceVersion: "5297867"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/b/roles/rl
    uid: 2fc22fd7-7a34-492c-b823-79dd9383b2f8
  rules:
  - apiGroups:
    - apps
    resources:
    - deployments
    verbs:
    - update
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

[adrianludwin]

Replaced by kubernetes-sigs/hierarchical-namespaces#10
/close

[k8s-ci-robot]

@adrianludwin: Closing this issue.

In response to this:

Replaced by kubernetes-sigs/hierarchical-namespaces#10
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.