Skip to content

updateconfig: Add ACL support for ConfigMap updates #577

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
midnightconman wants to merge 2 commits into
base: main
Choose a base branch
from
Open

updateconfig: Add ACL support for ConfigMap updates #577

midnightconman wants to merge 2 commits into from
+544 −3

Conversation

@midnightconman
Copy link
Contributor

@midnightconman midnightconman commented Dec 17, 2025

This enhancement adds Access Control List (ACL) functionality to the updateconfig plugin, allowing administrators to control which organizations and repositories can trigger ConfigMap updates.

New Features

  • AllowedRepos: A list of org or org/repo entries that are permitted to update a configmap. If specified, only PRs from these sources will trigger updates. When empty, all repos are allowed (unless explicitly denied).

  • DeniedRepos: A list of org or org/repo entries that are blocked from updating a configmap. Deny rules take precedence over allow rules.

Configuration Format

Entries can be specified in two formats:

  • Org-level: "kubernetes" (matches all repos in the kubernetes org)
  • Repo-level: "kubernetes/test-infra" (matches only this specific repo)

Example configuration:

config_updater:
  maps:
    prow/config.yaml:
      name: config
      allowed_repos:
        - kubernetes           # Allow entire org
        - istio/istio          # Allow specific repo
      denied_repos:
        - kubernetes/fork      # Block specific repo within allowed org

ACL Precedence Rules

  1. If repo is in denied list (exact match) → denied
  2. If org is in denied list → denied
  3. If allow lists exist, repo must match an allowed entry
  4. If no allow lists specified → allowed (unless denied above)

Implementation Details

  • Added AllowedRepos and DeniedRepos fields to ConfigMapSpec
  • Added IsAllowed(repo string) bool method to ConfigMapSpec
  • Updated FilterChanges to accept repo parameter and filter updates
  • Updated config-bootstrapper to pass empty repo (bypasses ACL checks)
  • Uses config.SplitRepoName for org/repo parsing

Testing

  • Added TestConfigMapSpecIsAllowed with 14 test cases covering:

    • No ACLs configured
    • Org-level and repo-level allow/deny entries
    • Mixed org and org/repo entries
    • Deny precedence over allow
    • Empty repo handling for config-bootstrapper

  • Added TestFilterChangesWithACLs with 7 test cases covering:

    • End-to-end filtering with various ACL configurations
    • Multiple configmaps with different ACLs

@midnightconman
updateconfig: Add ACL support for ConfigMap updates
1bb6081 
This enhancement adds Access Control List (ACL) functionality to the
updateconfig plugin, allowing administrators to control which organizations
and repositories can trigger ConfigMap updates.

## New Features

- **AllowedRepos**: A list of org or org/repo entries that are permitted to
  update a configmap. If specified, only PRs from these sources will trigger
  updates. When empty, all repos are allowed (unless explicitly denied).

- **DeniedRepos**: A list of org or org/repo entries that are blocked from
  updating a configmap. Deny rules take precedence over allow rules.

## Configuration Format

Entries can be specified in two formats:
- Org-level: "kubernetes" (matches all repos in the kubernetes org)
- Repo-level: "kubernetes/test-infra" (matches only this specific repo)

Example configuration:
```yaml
config_updater:
  maps:
    prow/config.yaml:
      name: config
      allowed_repos:
        - kubernetes           # Allow entire org
        - istio/istio          # Allow specific repo
      denied_repos:
        - kubernetes/fork      # Block specific repo within allowed org
```

## ACL Precedence Rules

1. If repo is in denied list (exact match) → denied
2. If org is in denied list → denied
3. If allow lists exist, repo must match an allowed entry
4. If no allow lists specified → allowed (unless denied above)

## Implementation Details

- Added `AllowedRepos` and `DeniedRepos` fields to `ConfigMapSpec`
- Added `IsAllowed(repo string) bool` method to `ConfigMapSpec`
- Updated `FilterChanges` to accept `repo` parameter and filter updates
- Updated `config-bootstrapper` to pass empty repo (bypasses ACL checks)
- Uses `config.SplitRepoName` for org/repo parsing

## Testing

- Added `TestConfigMapSpecIsAllowed` with 14 test cases covering:
  - No ACLs configured
  - Org-level and repo-level allow/deny entries
  - Mixed org and org/repo entries
  - Deny precedence over allow
  - Empty repo handling for config-bootstrapper

- Added `TestFilterChangesWithACLs` with 7 test cases covering:
  - End-to-end filtering with various ACL configurations
  - Multiple configmaps with different ACLs
@netlify
Copy link

netlify bot commented Dec 17, 2025
edited
Loading

Deploy Preview for k8s-prow ready!

Name Link
🔨 Latest commit 63cbfe6
🔍 Latest deploy log https://app.netlify.com/projects/k8s-prow/deploys/69434b3d7b2bc90008fd734d
😎 Deploy Preview https://deploy-preview-577--k8s-prow.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Dec 17, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Dec 17, 2025

Hi @midnightconman. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the area/plugins Issues or PRs related to prow's plugins for the hook component label Dec 17, 2025
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Dec 17, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Dec 17, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: midnightconman
Once this PR has been reviewed and has the lgtm label, please assign stevekuznetsov for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Dec 17, 2025
@midnightconman midnightconman force-pushed the update-config-acls-20251217 branch from e8fe35d to 63cbfe6 Compare December 18, 2025 00:30
@Prucek
Copy link
Member

Prucek commented Dec 19, 2025

I would like this not to be a breaking change, so I would like to see a passing test, when the config-updater uses the old version of the config, without AllowedRepos and DeniedRepos.

@midnightconman
Copy link
Contributor Author

midnightconman commented Dec 19, 2025

@Prucek Sounds good to me 👍 Can you add /ok-to-test, so we can test that?

@petr-muller
Copy link
Contributor

petr-muller commented Dec 22, 2025

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Dec 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chases2 chases2 Awaiting requested review from chases2

@cjwagner cjwagner Awaiting requested review from cjwagner

@MadhavJivrajani MadhavJivrajani Awaiting requested review from MadhavJivrajani

@Priyankasaggu11929 Priyankasaggu11929 Awaiting requested review from Priyankasaggu11929

Assignees

No one assigned

Labels

area/plugins Issues or PRs related to prow's plugins for the hook component cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@midnightconman @k8s-ci-robot @Prucek @petr-muller