Description
What happened?
After a CRD DELETE, while the CRD finalizer is deleting all custom resource objects of that type and the Terminating=True status condition is set, it should not be possible to create objects of that type. It still is with server-side apply (SSA), because creation prevention is implemented per HTTP method and there is no equivalent check in the PATCH handler.
- CREATE is blocked: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_handler.go#L373
- PATCH is not blocked: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_handler.go#L390
In the Patch Apply handler, the forceAllowCreate flag is set to true: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/patch.go#L646 This allows patching to always create objects.
What did you expect to happen?
When the CRD is terminating, SSA should not be able to create new objects.
How can we reproduce it (as minimally and precisely as possible)?
- apply a CRD
- apply a CR with a manual finalizer to block CRD termination
- delete the CRD
- create a new CR with SSA
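The four reproduction steps above as one runnable script, added here as an example and not part of the original report. It assumes kubectl is pointed at a disposable test cluster; the API group `example.test`, the `Widget` kind and the finalizer name `example.test/hold` are made-up values. The script holds the CRD in Terminating with a manual finalizer, waits for the Terminating=True condition, then tries an SSA create and reports whether the apiserver accepted it (a rejection is the expected, correct behaviour).

```shell
#!/bin/sh
# Added example (not from the issue): reproduce/check the SSA-create-during-CRD-termination gap.
# Assumes kubectl is configured against a throwaway cluster. Group/kind/finalizer names are hypothetical.

GROUP="example.test"   # hypothetical API group
PLURAL="widgets"
KIND="Widget"
NS="default"

# Minimal namespaced CRD with a single served+storage version.
crd_manifest() {
  cat <<EOF
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ${PLURAL}.${GROUP}
spec:
  group: ${GROUP}
  scope: Namespaced
  names:
    plural: ${PLURAL}
    singular: widget
    kind: ${KIND}
  versions:
  - name: v1
    served: true
    storage: true
    schema:
      openAPIV3Schema:
        type: object
        properties:
          spec:
            type: object
            properties:
              size:
                type: integer
EOF
}

# $1 = object name; $2 = "blocking" adds the manual finalizer that keeps the CRD in Terminating.
cr_manifest() {
  cat <<EOF
apiVersion: ${GROUP}/v1
kind: ${KIND}
metadata:
  name: $1
  namespace: ${NS}
EOF
  if [ "$2" = "blocking" ]; then
    printf '  finalizers:\n  - %s/hold\n' "${GROUP}"
  fi
  printf 'spec:\n  size: 1\n'
}

# Prints "True" once the CRD carries the Terminating=True condition.
crd_terminating() {
  kubectl get crd "${PLURAL}.${GROUP}" \
    -o jsonpath='{.status.conditions[?(@.type=="Terminating")].status}' 2>/dev/null
}

# Returns 0 if SSA is correctly rejected, 1 if the cluster is affected, 2 on setup failure.
reproduce() {
  crd_manifest | kubectl apply -f - || return 2
  kubectl wait --for=condition=Established "crd/${PLURAL}.${GROUP}" --timeout=60s || return 2
  cr_manifest blocker blocking | kubectl apply -f - || return 2
  kubectl delete crd "${PLURAL}.${GROUP}" --wait=false || return 2
  i=0
  while [ "$(crd_terminating)" != "True" ]; do
    i=$((i + 1))
    [ "$i" -lt 30 ] || { echo "CRD never reached Terminating=True" >&2; return 2; }
    sleep 1
  done
  # The actual check: an SSA create of a brand-new object while the CRD is Terminating.
  if cr_manifest ssa-created | kubectl apply --server-side --field-manager=repro -f -; then
    echo "AFFECTED: server-side apply created ${KIND}/ssa-created while the CRD was Terminating"
    return 1
  fi
  echo "OK: server-side apply was rejected while the CRD was Terminating"
  return 0
}

# Drop the manual finalizer(s) so the CRD deletion can finish.
cleanup() {
  for n in blocker ssa-created; do
    kubectl patch "${PLURAL}.${GROUP}" "$n" -n "${NS}" --type=merge \
      -p '{"metadata":{"finalizers":[]}}' 2>/dev/null || true
  done
}

# Only touch the cluster when invoked as: sh repro.sh run
if [ "${1:-}" = "run" ]; then
  reproduce; rc=$?
  cleanup
  exit "$rc"
fi
```

Run it with `sh repro.sh run`; the exit code distinguishes an affected cluster (1) from correct behaviour (0). The `cleanup` step matters even on an affected cluster: the SSA-created object has no finalizer, but the `blocker` object does, and the CRD stays in Terminating until it is removed.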
Anything else we need to know?
A separate race condition also allows creation (#99181), but it is otherwise unrelated to this bug, which is not a race condition.
Kubernetes version
$ kubectl version
Client Version: v1.28.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.27.4-gke.900
Cloud provider
ANY
OS version
ANY
Install tools
ANY
Container runtime (CRI) and version (if applicable)
ANY
Related plugins (CNI, CSI, ...) and versions (if applicable)
ANY