
Add VAP to reject duplicate MCPServerRegistration targetRef #717

@maleck13


Summary

Add a ValidatingAdmissionPolicy (VAP) to give users early feedback when multiple MCPServerRegistrations in the same namespace target the same HTTPRoute.

The controller already detects this conflict (oldest wins, newest marked conflicted), but users only see this after reconciliation. A VAP shifts feedback to admission time.

Approach

Use VAP paramKind referencing a controller-managed ConfigMap that tracks claimed targetRefs per namespace.

  • Static: cluster-scoped ValidatingAdmissionPolicy with CEL expression checking object.spec.targetRef.name against params.data
  • Dynamic: controller creates per-namespace ValidatingAdmissionPolicyBinding + ConfigMap during MCPServerRegistration reconciliation, cleans up when namespace has no registrations

This is best-effort — there's a race window between admission and the controller updating the ConfigMap. The controller's conflict detection remains authoritative. failurePolicy: Ignore and parameterNotFoundAction: Allow ensure the VAP never blocks when state is unavailable.

References

Acceptance Criteria

  • Static ValidatingAdmissionPolicy in config/
  • Controller manages per-namespace binding and ConfigMap
  • Clear admission-time error message on duplicate targetRef
  • Best-effort limitation documented
  • E2E test for rejection scenario
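
A sketch of the three objects the approach describes, added here as an illustration; it is not taken from the issue or the project. The API group `mcp.example.com`, the resource plural, all object names, the namespace `team-a`, and the ConfigMap layout (HTTPRoute name as key, owning registration name as value) are assumptions. Comparing the stored owner with `object.metadata.name` keeps updates to the registration that already holds the claim from being rejected.

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy              # static, cluster-scoped
metadata:
  name: mcpsr-unique-targetref               # hypothetical name
spec:
  failurePolicy: Ignore                      # never block when evaluation fails
  paramKind:
    apiVersion: v1
    kind: ConfigMap
  matchConstraints:
    resourceRules:
      - apiGroups: ["mcp.example.com"]       # placeholder API group
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources: ["mcpserverregistrations"]  # assumed plural
  validations:
    - expression: >-
        !has(params.data) ||
        !(object.spec.targetRef.name in params.data) ||
        params.data[object.spec.targetRef.name] == object.metadata.name
      messageExpression: >-
        "HTTPRoute '" + object.spec.targetRef.name +
        "' is already targeted by MCPServerRegistration '" +
        params.data[object.spec.targetRef.name] + "'"
      reason: Invalid
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding       # created per namespace by the controller
metadata:
  name: mcpsr-unique-targetref-team-a
spec:
  policyName: mcpsr-unique-targetref
  validationActions: ["Deny"]
  paramRef:
    name: mcp-claimed-targetrefs
    namespace: team-a
    parameterNotFoundAction: Allow           # missing ConfigMap must not block
  matchResources:
    namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: team-a
---
apiVersion: v1
kind: ConfigMap                              # controller-managed claims (constructed sample)
metadata:
  name: mcp-claimed-targetrefs
  namespace: team-a
data:
  weather-route: weather-registration        # HTTPRoute name -> owning registration
```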
