get_instances_from_zone

Function get_instances_from_zone 

pub fn get_instances_from_zone(
    dnszone: &DNSZone,
    bind9_instances_store: &Store<Bind9Instance>,
) -> Result<Vec<InstanceReference>>

Get instances from a DNSZone based on bind9_instances_from selectors.

This function:

  • Uses the reflector store for O(1) lookups without API calls
  • Treats the DNSZone as the single source of truth for the zone-instance relationship

§F-003 mitigation: cross-namespace targeting requires platform-admin opt-in

A label selector match is not sufficient to enrol a Bind9Instance in the zone. The instance is included only when either:

  1. The instance lives in the same namespace as the DNSZone, or
  2. The instance carries the crate::constants::ANNOTATION_ALLOW_ZONE_NAMESPACES annotation whose value contains the zone’s namespace (or the wildcard crate::constants::ALLOW_ZONE_NAMESPACES_WILDCARD).

The annotation is metadata on the Bind9Instance, which is owned by the platform admin: only they have RBAC on the namespace where the instance lives. This preserves the cluster-wide-operator contract. The platform admin keeps full control over who can claim their instances, expressed through an annotation only they can set, and the F-003 hijack is still prevented. Labels on the instance side are not a security boundary (they are discoverable via list/watch, and any tenant can write any matchLabels they want), but annotations on the platform-owned instance are.
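
The gate described above, sketched as an added example (not the crate's own code). The annotation key, the `*` wildcard value, the comma-separated allow-list format, the `role` label and the simplified `Instance` type are assumptions; the page names the constants but does not show their values.

```rust
use std::collections::BTreeMap;
// Assumed values: the page names these constants but does not show their contents.
const ANNOTATION_ALLOW_ZONE_NAMESPACES: &str = "example.invalid/allow-zone-namespaces";
const ALLOW_ZONE_NAMESPACES_WILDCARD: &str = "*";
type Map = BTreeMap<String, String>;

/// Hypothetical, simplified stand-in for Bind9Instance metadata.
struct Instance { name: String, namespace: String, labels: Map, annotations: Map }

fn kv(pairs: &[(&str, &str)]) -> Map {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

/// Namespace gate: same namespace, or an exact entry in the assumed comma-separated allow-list.
fn namespace_allowed(zone_ns: &str, inst: &Instance) -> bool {
    inst.namespace == zone_ns
        || inst.annotations.get(ANNOTATION_ALLOW_ZONE_NAMESPACES).map_or(false, |v| {
            v.split(',').map(str::trim).any(|ns| ns == zone_ns || ns == ALLOW_ZONE_NAMESPACES_WILDCARD)
        })
}

/// Selector match AND namespace gate; an empty selector or an empty result is an error.
fn select(zone_ns: &str, match_labels: &Map, store: &[Instance]) -> Result<Vec<String>, String> {
    if match_labels.is_empty() { return Err("selector is missing or empty".into()); }
    let picked: Vec<String> = store.iter()
        .filter(|i| match_labels.iter().all(|(k, v)| i.labels.get(k) == Some(v)))
        .filter(|i| namespace_allowed(zone_ns, i))
        .map(|i| format!("{}/{}", i.namespace, i.name))
        .collect();
    if picked.is_empty() { Err(format!("no instance passes the gate for {zone_ns}")) } else { Ok(picked) }
}

/// Constructed sample data: every instance carries the same labels, so only the gate differs.
fn sample_store() -> Vec<Instance> {
    fn inst(name: &str, ns: &str, ann: &[(&str, &str)]) -> Instance {
        Instance { name: name.into(), namespace: ns.into(), labels: kv(&[("role", "primary")]), annotations: kv(ann) }
    }
    vec![
        inst("local", "team-a", &[]),
        inst("shared", "platform", &[(ANNOTATION_ALLOW_ZONE_NAMESPACES, "team-a, team-b")]),
        inst("open", "platform", &[(ANNOTATION_ALLOW_ZONE_NAMESPACES, "*")]),
        inst("private", "platform", &[]), // labels match, but no opt-in
        inst("near-miss", "platform", &[(ANNOTATION_ALLOW_ZONE_NAMESPACES, "team-ab")]),
    ]
}

fn main() {
    let sel = kv(&[("role", "primary")]);
    for ns in ["team-a", "team-c", "team-ab"] { println!("{ns}: {:?}", select(ns, &sel, &sample_store())); }
}
```

Comparing whole allow-list entries rather than substrings keeps a zone in `team-a` from being admitted by an annotation that lists only `team-ab`.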

§Arguments

  • dnszone - The DNSZone resource to get instances for
  • bind9_instances_store - Reflector store of Bind9Instance

§Returns

  • Ok(Vec<InstanceReference>) - List of instances serving this zone
  • Err(_) - If no instances pass both the selector match and the namespace gate

§Errors

Returns an error if no instances pass the selector + namespace gate, or if spec.bind9_instances_from is missing or empty.