Skip to content

Validate GitRepo defaults from GitRepoRestriction and Policy against allow-lists#5285

Open
p-se wants to merge 2 commits into
rancher:mainfrom
p-se:policy-inconsistency
Open

Validate GitRepo defaults from GitRepoRestriction and Policy against allow-lists#5285
p-se wants to merge 2 commits into
rancher:mainfrom
p-se:policy-inconsistency

Conversation

@p-se

@p-se p-se commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

The current implementation of GitRepoRestriction (and therefore also for Policy, they share the code path) is that a defaultServiceAccount can be used that is not in allowedServiceAccounts (if allowedServiceAccounts is not empty). This is different from how Policy behaves for HelmOp and Bundle. This PR addresses this inconsistency. It breaks the following setup:

kind: GitRepoRestriction
apiVersion: fleet.cattle.io/v1alpha1
metadata:
  name: default
  namespace: fleet-default
defaultServiceAccount: "foo"
allowedServiceAccounts:
  - bar

Release Notes

defaultServiceAccount is no longer implicitly allowed but needs to be explicitly mentioned in allowedServiceAccounts. Make sure the defaultSerivceAccount is included in allowedServiceAccounts.

Additional Information

Checklist

  • I have updated the documentation via a pull request in the fleet-product-docs repository.

p-se added 2 commits June 15, 2026 08:49
Defaults like defaultServiceAccount and defaultClientSecretName were
applied via isAllowed's fallback before being checked against the
allow-list, silently accepting disallowed values. Resolve defaults
first, then validate — consistent with HelmOp and Bundle paths.
Defaults are now resolved by the caller before validation, so the
defaultValue parameter and string return are dead code.
Copilot AI review requested due to automatic review settings June 15, 2026 13:52
@p-se p-se requested a review from a team as a code owner June 15, 2026 13:52

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens restriction enforcement for GitRepo by ensuring defaults coming from GitRepoRestriction and Policy are validated against allow-lists (matching existing HelmOp/Bundle behavior), instead of being silently accepted.

Changes:

  • Resolve serviceAccount / clientSecretName defaults before allow-list validation so disallowed defaults are rejected.
  • Simplify isAllowed to a validation-only helper (no defaulting), and adjust call sites accordingly.
  • Update/add unit tests to cover the “default not in allow-list is denied” behavior for GitRepoRestriction.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
internal/cmd/controller/gitops/reconciler/restrictions.go Apply defaults before allow-list checks; refactor allow-list helper to validate-only.
internal/cmd/controller/gitops/reconciler/restrictions_test.go Update defaulting test data and add coverage for rejecting disallowed defaults (GitRepoRestriction path).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

},
expectedErr: "disallowed clientSecretName.*",
},
{
p-se added a commit to p-se/fleet-product-docs that referenced this pull request Jun 15, 2026
p-se added a commit to p-se/fleet-product-docs that referenced this pull request Jun 15, 2026
p-se added a commit to p-se/fleet-product-docs that referenced this pull request Jun 15, 2026

repo, err := isAllowedByRepo(gitrepo.Spec.Repo, grr.AllowedRepoPatterns, pol.GitAllowedRepoPatterns)
if err != nil {
if _, err := isAllowedByRepo(gitrepo.Spec.Repo, grr.AllowedRepoPatterns, pol.GitAllowedRepoPatterns); err != nil {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: isAllowedByRepo seems to only be used here, so we could refactor it to return a single value.

// Apply defaults before validation, so a default that is not in the allow-list
// is rejected rather than silently accepted. This keeps the GitRepo path
// consistent with the HelmOp and Bundle paths.
serviceAccount := firstNonEmpty(gitrepo.Spec.ServiceAccount, defaultSA)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: if the target namespace validation fails, we don't even need to compute these.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants