OCPBUGS-84046: Add restrictions to NIDs git repositories for adding the /verified label

[rhamini3]

This PR adds a restriction to the repositories owned by NI&D team. it blocks people that are not apart of our team to provide the /verified label to get a PR to merge into one of the repositories

Summary by CodeRabbit

This PR adds label restrictions to seven OpenShift network infrastructure repositories owned by the Network Infrastructure & Deployment (NI&D) team. The changes enforce tighter access control over the /verified label, which is used to approve and merge pull requests.

Affected Repositories:

• openshift/aws-load-balancer-operator
• openshift/cluster-dns-operator
• openshift/cluster-ingress-operator
• openshift/coredns
• openshift/external-dns-operator
• openshift/route-controller-manager
• openshift/router

What Changed:
Each repository's Prow plugin configuration file (_pluginconfig.yaml) was updated to add a restricted_labels entry that limits who can apply the verified label. The restriction defines an allowlist of 18 NI&D team members (rhamini3, melvinjoseph86, knobunc, Miciah, frobware, candita, rfredette, alebedev87, miheer, gcs278, Thealisyed, grzpiotrowski, rikatz, davidesalerno, bentito, jcmoraisjr, and aswinsuryan) who are authorized to use the label.

Impact:
This prevents non-NI&D team members from applying the /verified label to bypass the approval process in these repositories, strengthening the team's control over PR merging while still allowing the defined team members to perform their normal workflow.

[openshift-ci-robot]

@rhamini3: This pull request references Jira Issue OCPBUGS-84046, which is invalid:

• expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This PR adds a restriction to the repositories owned by NI&D team. it blocks people that are not apart of our team to provide the /verified label to get a PR to merge into one of the repositories

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ab653972-8004-444d-a84a-6eef70f4382f

📥 Commits

Reviewing files that changed from the base of the PR and between d6dc7a7 and 8ba1556.

📒 Files selected for processing (7)

• core-services/prow/02_config/openshift/aws-load-balancer-operator/_pluginconfig.yaml
• core-services/prow/02_config/openshift/cluster-dns-operator/_pluginconfig.yaml
• core-services/prow/02_config/openshift/cluster-ingress-operator/_pluginconfig.yaml
• core-services/prow/02_config/openshift/coredns/_pluginconfig.yaml
• core-services/prow/02_config/openshift/external-dns-operator/_pluginconfig.yaml
• core-services/prow/02_config/openshift/route-controller-manager/_pluginconfig.yaml
• core-services/prow/02_config/openshift/router/_pluginconfig.yaml

---

Walkthrough

This PR extends Prow plugin configurations across seven OpenShift repositories to manage restricted label permissions. It introduces a new approve configuration for aws-load-balancer-operator and expands user allowlists for restricted labels (verified and backport-risk-assessed) across six additional repositories.

Changes

Prow Configuration Updates

Layer / File(s)	Summary
New approve configuration for aws-load-balancer-operator core-services/prow/02_config/openshift/aws-load-balancer-operator/_pluginconfig.yaml	Adds a new approve block with require_self_approval: true and defines restricted labels policy allowing specific users to apply the verified label.
Restricted label allowlist expansion core-services/prow/02_config/openshift/cluster-dns-operator/_pluginconfig.yaml, cluster-ingress-operator/_pluginconfig.yaml, coredns/_pluginconfig.yaml, external-dns-operator/_pluginconfig.yaml, route-controller-manager/_pluginconfig.yaml, router/_pluginconfig.yaml	Expands restricted_labels allowed_users lists for verified and backport-risk-assessed labels across six repositories, adding multiple additional GitHub usernames to control who may apply these restricted labels.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested labels

lgtm, approved

Suggested reviewers

• smg247
• droslean

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly references OCPBUGS-84046 and accurately describes the main change: adding restrictions to NI&D team repositories for the /verified label, which aligns with all modified plugin configuration files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Scanned the PR’s listed _pluginconfig.yaml files for Ginkgo title patterns (It/Describe/Context/When) and found none; no dynamic test titles were introduced.
Test Structure And Quality	✅ Passed	Scan of *_test.go and Go sources found 0 occurrences of ons i ginkgo/Describe/It; PR changes only Prow _pluginconfig.yaml label rules, so Ginkgo test-structure checks are not applicable.
Microshift Test Compatibility	✅ Passed	PR #80450 changes only 7 *_pluginconfig.yaml files (Prow label restrictions) and contains no new Go/Ginkgo e2e tests to evaluate for MicroShift compatibility.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR #80450 only modifies seven _pluginconfig.yaml files (Prow label restrictions) and contains no added/changed Ginkgo e2e test files, so SNO compatibility is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR #80450 changes only Prow _pluginconfig.yaml restricted_labels allowlists for /verified; the files diff contains none of affinity/topologySpread/maxUnavailable/nodeSelector/tolerations keys.
Ote Binary Stdout Contract	✅ Passed	PR #80450 only updates seven Prow _pluginconfig.yaml files for /verified label restrictions; no OTE/openshift-tests binary or main/suite code changes, so stdout contract is unaffected.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR #80450 only updates Prow _pluginconfig.yaml restricted_labels for /verified across 7 repos; no new Ginkgo e2e tests or IPv4/external connectivity assumptions added.
No-Weak-Crypto	✅ Passed	Searched the PR-mentioned _pluginconfig.yaml files and core-services/prow/02_config for MD5/SHA1/DES/RC4/3DES/Blowfish/ECB and constant-/non-constant-time patterns; no matches.
Container-Privileges	✅ Passed	PR changes are Prow _pluginconfig.yaml; scanned those and core-services/prow/02_config/openshift for hostPID/hostNetwork/hostIPC/SYS_ADMIN/allowPrivilegeEscalation/privileged—none found.
No-Sensitive-Data-In-Logs	✅ Passed	Inspected the updated *_pluginconfig.yaml files; they only add approve/restricted_labels with GitHub usernames and label names—no tokens/passwords/PII/secrets present.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rhamini3
Once this PR has been reviewed and has the lgtm label, please assign grzpiotrowski for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• core-services/prow/02_config/openshift/aws-load-balancer-operator/OWNERS
• core-services/prow/02_config/openshift/cluster-dns-operator/OWNERS
• core-services/prow/02_config/openshift/cluster-ingress-operator/OWNERS
• core-services/prow/02_config/openshift/coredns/OWNERS
• core-services/prow/02_config/openshift/external-dns-operator/OWNERS
• core-services/prow/02_config/openshift/route-controller-manager/OWNERS
• core-services/prow/02_config/openshift/router/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rhamini3]

/jira refresh

[openshift-ci-robot]

@rhamini3: This pull request references Jira Issue OCPBUGS-84046, which is invalid:

• expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@rhamini3: This pull request references Jira Issue OCPBUGS-84046, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @melvinjoseph86

Details

In response to this:

This PR adds a restriction to the repositories owned by NI&D team. it blocks people that are not apart of our team to provide the /verified label to get a PR to merge into one of the repositories

Summary by CodeRabbit

This PR adds label restrictions to seven OpenShift network infrastructure repositories owned by the Network Infrastructure & Deployment (NI&D) team. The changes enforce tighter access control over the /verified label, which is used to approve and merge pull requests.

Affected Repositories:

• openshift/aws-load-balancer-operator
• openshift/cluster-dns-operator
• openshift/cluster-ingress-operator
• openshift/coredns
• openshift/external-dns-operator
• openshift/route-controller-manager
• openshift/router

What Changed:
Each repository's Prow plugin configuration file (_pluginconfig.yaml) was updated to add a restricted_labels entry that limits who can apply the verified label. The restriction defines an allowlist of 18 NI&D team members (rhamini3, melvinjoseph86, knobunc, Miciah, frobware, candita, rfredette, alebedev87, miheer, gcs278, Thealisyed, grzpiotrowski, rikatz, davidesalerno, bentito, jcmoraisjr, and aswinsuryan) who are authorized to use the label.

Impact:
This prevents non-NI&D team members from applying the /verified label to bypass the approval process in these repositories, strengthening the team's control over PR merging while still allowing the defined team members to perform their normal workflow.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[rhamini3]

/jira refresh

[openshift-ci-robot]

@rhamini3: This pull request references Jira Issue OCPBUGS-84046, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @melvinjoseph86

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@rhamini3: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

[openshift-ci]

@rhamini3: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/config	8ba1556	link	true	/test config

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[melvinjoseph86]

@rhamini3 what about https://github.com/openshift/coredns-ocp-dnsnameresolver repo?
Also are we intended to add frobware and miheer also, who are now not with our team?