From cb8fadb8bc87e35ba31f3e02a2501bf38bb67daf Mon Sep 17 00:00:00 2001
From: Dimitri Koshkin
Date: Tue, 9 Apr 2024 08:29:58 -0700
Subject: [PATCH] fix: use a LocalObjectReference for credentials Secret (#37)

Using a cross-namespace objectRef in the cluster API can lead to privilege escalation. A user with RBAC to read Secrets in one namespace can create a cluster, and copy any Secret from any other namespace to their workload cluster.
---
 api/v1alpha1/addon_types.go | 5 +----
 api/v1alpha1/zz_generated.deepcopy.go | 2 +-
 pkg/handlers/generic/lifecycle/csi/nutanix-csi/handler.go | 4 ++--
 3 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/api/v1alpha1/addon_types.go b/api/v1alpha1/addon_types.go
index 6f524159d..05c0d9145 100644
--- a/api/v1alpha1/addon_types.go
+++ b/api/v1alpha1/addon_types.go
@@ -164,7 +164,7 @@ type CSIProvider struct {
 	Strategy AddonStrategy `json:"strategy"`
 
 	// +optional
-	Credentials *corev1.SecretReference `json:"credentials,omitempty"`
+	Credentials *corev1.LocalObjectReference `json:"credentials,omitempty"`
 }
 
 type StorageClassConfig struct {
@@ -257,9 +257,6 @@ func (CSIProvider) VariableSchema() clusterv1.VariableSchema {
					"name": {
						Type: "string",
					},
-					"namespace": {
-						Type: "string",
-					},
				},
			},
			"storageClassConfig": {
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index a98f87d08..fe954a016 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -290,7 +290,7 @@ func (in *CSIProvider) DeepCopyInto(out *CSIProvider) {
 	}
 	if in.Credentials != nil {
 		in, out := &in.Credentials, &out.Credentials
-		*out = new(v1.SecretReference)
+		*out = new(v1.LocalObjectReference)
 		**out = **in
 	}
 }
diff --git a/pkg/handlers/generic/lifecycle/csi/nutanix-csi/handler.go b/pkg/handlers/generic/lifecycle/csi/nutanix-csi/handler.go
index 142189b47..5682f1a6d 100644
--- a/pkg/handlers/generic/lifecycle/csi/nutanix-csi/handler.go
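Review bot: The new `Credentials` field carries no doc comment, so the reason the reference is deliberately namespace-local (the privilege-escalation case the commit message describes) is invisible at the point where someone would next be tempted to add a `namespace` key back. Suggest adding, above the `// +optional` marker, `// Credentials references a Secret in the same namespace as the Cluster; it is copied to the workload cluster. A cross-namespace reference is intentionally unsupported: it would let anyone able to create a Cluster copy Secrets out of other namespaces.` The generated CRD and API docs would then carry the constraint as well. The `CSIProvider` struct starts outside this hunk.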
+++ b/pkg/handlers/generic/lifecycle/csi/nutanix-csi/handler.go
@@ -87,8 +87,8 @@ func (n *NutanixCSI) Apply(
 			Kind: "Secret",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Namespace: provider.Credentials.Name,
-			Name:      provider.Credentials.Namespace,
+			Name:      provider.Credentials.Name,
+			Namespace: req.Cluster.Namespace,
 		},
 	}
 	err := n.client.Get(
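Review bot: `provider.Credentials.Name` is dereferenced on the new side with no nil check visible in the hunk, and `Credentials` is declared as an `+optional` pointer in `CSIProvider`, so a cluster variable that omits `credentials` would panic here unless `Apply` guards it earlier; `Apply`'s body begins before the hunk, so I cannot confirm that from what is shown. An empty `Name` should also be rejected before the lookup rather than becoming a `Get` of a Secret named `""`, e.g. a guard of the form `if provider.Credentials == nil || provider.Credentials.Name == "" { return /* error: credentials secret name is required */ }` placed before the Secret object is built. Scoping the read to `req.Cluster.Namespace` is the right fix, since the handler's client presumably reads Secrets across namespaces and the only RBAC actually enforced is on who may create the Cluster in that namespace; a comment on the `Namespace:` line, `// must be the Cluster's namespace: a caller-chosen namespace would let a Cluster author copy arbitrary Secrets into the workload cluster`, would stop a later refactor from reintroducing the cross-namespace read.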