prometheus-engine

Block users from modifying system resources

Open TheSpiritXIII opened this issue 3 years ago • 0 comments

This ensures the gmp-system resources remain consistent across all resources.

The alternative we took before (for very few of the gmp-system resources) was to just re-create the file during reconciliation. This was tricky because we normally only use the controllers to watch for object changes, not deletes. To do this correctly across all resources means the controllers need logic to detect what type of event it was, for each resource. It's also something that may be tricky going forward because today most of our objects are simple clones of gmp-public resources but in the future, they may be built from a variety of objects (e.g. aggregations).

Another alternative would be combining finalizers with the above approach, but this felt hacky (and users could easily get around it by deleting the finalizer).

Blocking users from touching the resources at all is something that's done auto-magically in GKE Autopilot. As such, this change brings that behavior to GKE Standard via our own binary, with a flag so we can disable it in GKE Autopilot since it's already done outside of our control.

TheSpiritXIII, Oct 25 '22 17:10
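One way the block described in this issue could be expressed, as an added example that is not prometheus-engine's own code: a decision function over the request fields of a Kubernetes `admission.k8s.io/v1` AdmissionReview, failing closed on unparsable input. It assumes the check runs as a validating admission step; `Guard`, `Decide`, the `Enabled` field (standing in for the disable flag) and the allowed service-account name are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the admission.k8s.io/v1 AdmissionReview request fields used here.
type review struct {
	Request struct {
		Operation string `json:"operation"`
		Namespace string `json:"namespace"`
		UserInfo  struct {
			Username string `json:"username"`
		} `json:"userInfo"`
	} `json:"request"`
}

// Guard is a hypothetical policy object; Enabled models the disable flag.
type Guard struct {
	Enabled   bool
	Namespace string          // protected namespace
	Allowed   map[string]bool // identities that may still write (assumed)
}

// Decide reports whether the request is admitted, plus a reason for the audit log.
func (g Guard) Decide(raw []byte) (bool, string) {
	if !g.Enabled {
		return true, "guard disabled"
	}
	var r review
	if err := json.Unmarshal(raw, &r); err != nil {
		return false, "malformed AdmissionReview" // fail closed
	}
	req := r.Request
	if req.Namespace != g.Namespace || g.Allowed[req.UserInfo.Username] {
		return true, "not restricted"
	}
	return false, fmt.Sprintf("%s by %q in %s is blocked", req.Operation, req.UserInfo.Username, g.Namespace)
}

// Constructed sample request: a user deleting an object in gmp-system.
const sample = `{"request":{"operation":"DELETE","namespace":"gmp-system","userInfo":{"username":"alice@example.com"}}}`

func main() {
	g := Guard{Enabled: true, Namespace: "gmp-system",
		Allowed: map[string]bool{"system:serviceaccount:gmp-system:operator": true}}
	fmt.Println(g.Decide([]byte(sample)))
}
```

Unlike the finalizer approach mentioned above, this decision is made before the write is persisted, so a user cannot undo it by editing the object itself.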