Remove namespace field from secrets used by BMH API
Opened this issue · 2 comments
What steps did you take and what happened:
The BareMetalHost CRD allows the userData, metaData, and networkData for
the provisioned host to be specified as links to k8s Secrets. There are
fields for both the Name and Namespace of the Secret, meaning that the
baremetal-operator will read a Secret from any namespace. A user with
access to create or edit a BareMetalHost can thus exfiltrate a Secret
from another namespace by using it as e.g. the userData for provisioning
some host (note that this need not be a real host, it could be a VM
somewhere).
What did you expect to happen:
We should fail with an error when a namespace is specified in the Secret
reference and it does not match the namespace of the BMH itself. We
should reject attempts to set such a configuration in the validating
webhook. And we should remove the namespace field in the next revision
of the API.
Anything else you would like to add:
GHSA-pqfh-xh7w-7h3p is limiting the secrets to the same namespace now, so the API cleanup and validating webhook are just improvements/cleanup to the issue.
Environment:
- Baremetal Operator version: 0.8.0
- Environment (metal3-dev-env or other): any
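As an added example (not the baremetal-operator's own code), here is the kind of same-namespace check the validating webhook is expected to perform on the userData, metaData and networkData references. The `BareMetalHost` and `SecretReference` structs are minimal stand-ins for the real CRD types, with only the fields the check needs.

```go
package main

import "fmt"

// SecretReference mirrors the Name/Namespace pair of the BMH API's secret
// references (stand-in type; the real object uses corev1.SecretReference).
type SecretReference struct {
	Name      string
	Namespace string
}

// BareMetalHost is a minimal stand-in for the CRD object, keeping only the
// fields the namespace check reads.
type BareMetalHost struct {
	Name        string
	Namespace   string
	UserData    *SecretReference
	MetaData    *SecretReference
	NetworkData *SecretReference
}

// ValidateSecretNamespaces returns one error per secret reference that points
// outside the host's own namespace. An empty Namespace is treated as "same
// namespace as the host", which is the behaviour left once the field is gone.
func ValidateSecretNamespaces(bmh *BareMetalHost) []error {
	var errs []error
	refs := []struct {
		field string
		ref   *SecretReference
	}{{"userData", bmh.UserData}, {"metaData", bmh.MetaData}, {"networkData", bmh.NetworkData}}
	for _, r := range refs {
		if r.ref == nil || r.ref.Namespace == "" || r.ref.Namespace == bmh.Namespace {
			continue
		}
		errs = append(errs, fmt.Errorf("spec.%s: secret %q is in namespace %q but BareMetalHost %q is in namespace %q; cross-namespace secret references are not allowed",
			r.field, r.ref.Name, r.ref.Namespace, bmh.Name, bmh.Namespace))
	}
	return errs
}

func main() {
	// Constructed sample: a host in "metal3" whose userData points at a secret in another namespace.
	host := &BareMetalHost{Name: "node-0", Namespace: "metal3",
		UserData: &SecretReference{Name: "admin-token", Namespace: "kube-system"},
		MetaData: &SecretReference{Name: "node-0-metadata"}}
	for _, err := range ValidateSecretNamespaces(host) {
		fmt.Println("rejected:", err)
	}
}
```

A webhook would deny the admission request when the returned slice is non-empty, and the reconciler can run the same check before fetching any secret so that a host created before the webhook existed fails with an error instead of reading across namespaces.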
/triage accepted
/kind bug
/assign