fix: use a LocalObjectReference for credentials Secret (#37)

dkoshkin · jimmidyson · commit 5dbf4607491b · 2024-04-11T09:09:46.000+01:00
Using a cross-namespace objectRef in the cluster API
can lead to privilege escalation.
A user with RBAC to read Secrets in one namespace can create a cluster,
and copy any Secret from any other namespace to their workload cluster.
diff --git a/api/v1alpha1/addon_types.go b/api/v1alpha1/addon_types.go
@@ -164,7 +164,7 @@ type CSIProvider struct {
 	Strategy AddonStrategy `json:"strategy"`
 
 	// +optional
-	Credentials *corev1.SecretReference `json:"credentials,omitempty"`
+	Credentials *corev1.LocalObjectReference `json:"credentials,omitempty"`
 }
 
 type StorageClassConfig struct {
@@ -257,9 +257,6 @@ func (CSIProvider) VariableSchema() clusterv1.VariableSchema {
 						"name": {
 							Type: "string",
 						},
-						"namespace": {
-							Type: "string",
-						},
 					},
 				},
 				"storageClassConfig": {
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/handlers/generic/lifecycle/csi/nutanix-csi/handler.go b/pkg/handlers/generic/lifecycle/csi/nutanix-csi/handler.go
@@ -87,8 +87,8 @@ func (n *NutanixCSI) Apply(
 				Kind:       "Secret",
 			},
 			ObjectMeta: metav1.ObjectMeta{
-				Namespace: provider.Credentials.Name,
-				Name:      provider.Credentials.Namespace,
+				Name:      provider.Credentials.Name,
+				Namespace: req.Cluster.Namespace,
 			},
 		}
 		err := n.client.Get(
