API Restrict User Email Updates to Linked Identities

### Problem
Users can currently update their email address to any value. This bypasses the security requirement that a user's email should be verified and backed by an external identity provider (OIDC).

### Requirement
Implement a **Validating Admission Webhook** for the [User](https://github.com/datum-cloud/milo/blob/main/pkg/apis/iam/v1alpha1/user_types.go) resource. 

The webhook must enforce the following logic during an `UPDATE` request:
* **Validate** that the new email address exists within the user's current `UserIdentities`.
* **Reject** the update if the new email does not match any available linked identity.
* **Allow** the update only if a match is found.

### Goals
* Ensure data integrity between `User` records and external identity providers.
* Prevent manual email spoofing or unauthorized changes.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

API Restrict User Email Updates to Linked Identities #476

Problem

Requirement

Goals

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

API Restrict User Email Updates to Linked Identities #476

Description

Problem

Requirement

Goals

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions