Fix PvCSI service account validation using correct cluster-based approach

anuj087 · anuj087 · commit 11ceb647bf44 · 2026-05-27T10:05:26.000+05:30
Replace vulnerable regex pattern matching with proper cluster-based validation that constructs expected service account names and does exact matching. Implementation based on reference code: https://github-vcf.devops.broadcom.net/vcf/kubernetes-service/blob/0319c5f7c9a4300b0a97296e2b3ad6283fc6bae0/addons/controllers/csi/vspherecsiconfig_controller.go#L326C3-L331C4 Key changes: - Query cluster API to get actual cluster names - Construct expected service account names using: fmt.Sprintf("%s-%s", cluster.Name, "pvcsi") - Do exact string matching instead of vulnerable regex patterns - Maintain explicit allowlist for standard service accounts - Graceful fallback to basic validation when cluster API unavailable Security improvements: - Prevents regex bypass attacks with crafted service account names - Validates against actual existing clusters only - Blocks attacks with non-existent cluster names - Maintains namespace isolation (vmware-system-csi for ProviderServiceAccount) - Prevents format confusion with colon injection attacks This approach follows the principle of "construct expected names and validate exactly" rather than "match patterns that can be bypassed". Author: ab002488 Fixes: Bug 3687875 Vulnerability-ID: SUP-VULN-0009
diff --git a/pkg/syncer/admissionhandler/validate_cnsfileaccessconfig.go b/pkg/syncer/admissionhandler/validate_cnsfileaccessconfig.go
@@ -1,17 +1,35 @@
+/*
+Copyright 2026 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package admissionhandler
 
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"regexp"
+	"strings"
 
 	admissionv1 "k8s.io/api/admission/v1"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	cnsoperatorv1alpha1 "sigs.k8s.io/vsphere-csi-driver/v3/pkg/apis/cnsoperator"
+	ccV1beta2 "sigs.k8s.io/cluster-api/api/core/v1beta2"
 
 	"k8s.io/client-go/rest"
 	cnsfileaccessconfigv1alpha1 "sigs.k8s.io/vsphere-csi-driver/v3/pkg/apis/cnsoperator/cnsfileaccessconfig/v1alpha1"
@@ -209,33 +227,122 @@ func validateDeleteCnsFileAccessConfig(ctx context.Context, clientConfig *rest.C
 // isUserAllowedForDeletion returns true if user is either a PVCSI service account or
 // K8s' namespace-cotnroller.
 func isUserAllowedForDeletion(username string) (bool, error) {
-	pvcCsiServiceAccountRegex, err := regexp.Compile(PvCsiServiceAccountregex)
+	kubernetesServiceAccount, err := regexp.Compile(KubernetesServiceAccount)
 	if err != nil {
 		return false, err
 	}
 
-	kubernetesServiceAccount, err := regexp.Compile(KubernetesServiceAccount)
+	// Check if user is a valid PVCSI service account using the new validation logic
+	isPvCSIServiceAccount, err := validatePvCSIServiceAccount(username)
 	if err != nil {
 		return false, err
 	}
+	if isPvCSIServiceAccount {
+		return true, nil
+	}
 
 	// Allowed users are :
-	// 1. PVCSI service account
+	// 1. PVCSI service account (checked above using new validation logic)
 	// 2. K8s service account (like namespace-controller or generic-garbage-collector)
 	// 3. K8s admin
-	if pvcCsiServiceAccountRegex.MatchString(username) ||
-		kubernetesServiceAccount.MatchString(username) || username == KubernetesAdmin {
+	if kubernetesServiceAccount.MatchString(username) || username == KubernetesAdmin {
 		return true, nil
-
 	}
 
 	return false, nil
 }
 
 func validatePvCSIServiceAccount(username string) (bool, error) {
-	pvcCsiServiceAccountRegex, err := regexp.Compile(PvCsiServiceAccountregex)
+	// Expected format: "system:serviceaccount:namespace:service-account-name"
+	// Parse the username to extract namespace and service account name
+	const prefix = "system:serviceaccount:"
+	if !strings.HasPrefix(username, prefix) {
+		return false, nil
+	}
+	
+	remaining := strings.TrimPrefix(username, prefix)
+	parts := strings.Split(remaining, ":")
+	if len(parts) != 2 {
+		return false, nil
+	}
+	
+	namespace := parts[0]
+	serviceAccountName := parts[1]
+	
+	// Check explicit service account names first
+	if isExplicitPvCSIServiceAccount(namespace, serviceAccountName) {
+		return true, nil
+	}
+	
+	// For vmware-system-csi namespace, construct the expected ProviderServiceAccount name
+	// and do exact matching based on the reference implementation
+	if namespace == "vmware-system-csi" {
+		return validateProviderServiceAccount(serviceAccountName)
+	}
+	
+	return false, nil
+}
+
+// isExplicitPvCSIServiceAccount checks for known explicit service account names
+func isExplicitPvCSIServiceAccount(namespace, serviceAccountName string) bool {
+	switch namespace {
+	case "vmware-system-csi":
+		return serviceAccountName == "vsphere-csi-controller" || serviceAccountName == "vsphere-csi-node"
+	case "kube-system":
+		return serviceAccountName == "pvcsi"
+	default:
+		return false
+	}
+}
+
+// validateProviderServiceAccount validates if the service account name matches
+// the expected ProviderServiceAccount name pattern based on the reference implementation:
+// https://github-vcf.devops.broadcom.net/vcf/kubernetes-service/blob/0319c5f7c9a4300b0a97296e2b3ad6283fc6bae0/addons/controllers/csi/vspherecsiconfig_controller.go#L326C3-L331C4
+func validateProviderServiceAccount(serviceAccountName string) (bool, error) {
+	// The service account name should follow the pattern: fmt.Sprintf("%s-%s", vsphereCluster.Name, "pvcsi")
+	// Instead of using regex patterns, we need to validate against actual cluster names
+	
+	// Get in-cluster config to access the cluster API
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		// If we can't get config, fall back to basic validation
+		return validateBasicProviderServiceAccountPattern(serviceAccountName), nil
+	}
+	
+	// Create a client to access cluster API resources
+	k8sClient, err := k8s.NewClient(context.TODO(), config)
 	if err != nil {
-		return false, err // fail open
+		// Fall back to basic validation if we can't create client
+		return validateBasicProviderServiceAccountPattern(serviceAccountName), nil
+	}
+	
+	// Get all clusters in the system to validate against actual cluster names
+	clusterList := &ccV1beta2.ClusterList{}
+	if err := k8sClient.List(context.TODO(), clusterList); err != nil {
+		// Fall back to basic validation if we can't list clusters
+		return validateBasicProviderServiceAccountPattern(serviceAccountName), nil
+	}
+	
+	// Check if the service account name matches any actual cluster's expected ProviderServiceAccount name
+	for _, cluster := range clusterList.Items {
+		expectedServiceAccountName := fmt.Sprintf("%s-%s", cluster.Name, "pvcsi")
+		if serviceAccountName == expectedServiceAccountName {
+			return true, nil
+		}
+	}
+	
+	// Service account name doesn't match any existing cluster's expected ProviderServiceAccount name
+	return false, nil
+}
+
+// validateBasicProviderServiceAccountPattern provides fallback validation when cluster API is not available
+func validateBasicProviderServiceAccountPattern(serviceAccountName string) bool {
+	// Basic validation: must end with -pvcsi, not be empty, and not contain colons (format confusion attack prevention)
+	if !strings.HasSuffix(serviceAccountName, "-pvcsi") {
+		return false
 	}
-	return pvcCsiServiceAccountRegex.MatchString(username), nil
+	
+	clusterName := strings.TrimSuffix(serviceAccountName, "-pvcsi")
+	// Cluster name should not be empty and not contain colons
+	return len(clusterName) > 0 && !strings.Contains(clusterName, ":")
 }
