Fix error handling in admission controller validation.

anuj087 · anuj087 · commit e12cbba7a33c · 2026-05-27T10:05:26.000+05:30
Remove inappropriate fallback logic that silently downgraded to weaker
validation when Kubernetes API calls failed. Now properly returns errors
when client creation or cluster listing fails, ensuring fail-secure behavior.

Also removed unused validateBasicProviderServiceAccountPattern function
to keep code clean.
diff --git a/pkg/syncer/admissionhandler/validate_cnsfileaccessconfig.go b/pkg/syncer/admissionhandler/validate_cnsfileaccessconfig.go
@@ -360,15 +360,13 @@ func getExpectedProviderServiceAccountName(ctx context.Context) (string, error)
 func validateAgainstAllClusters(ctx context.Context, serviceAccountName string) (bool, error) {
 	k8sClient, err := getClusterAPIClient(ctx)
 	if err != nil {
-		// Fall back to basic validation if we can't get client
-		return validateBasicProviderServiceAccountPattern(serviceAccountName), nil
+		return false, fmt.Errorf("failed to create cluster API client: %w", err)
 	}
 	
 	// Get all CAPI clusters
 	clusterList := &ccV1beta2.ClusterList{}
 	if err := k8sClient.List(ctx, clusterList); err != nil {
-		// Fall back to basic validation if we can't list clusters
-		return validateBasicProviderServiceAccountPattern(serviceAccountName), nil
+		return false, fmt.Errorf("failed to list clusters: %w", err)
 	}
 	
 	// Check if the service account name matches any cluster's expected ProviderServiceAccount name
@@ -383,15 +381,3 @@ func validateAgainstAllClusters(ctx context.Context, serviceAccountName string)
 	// Service account name doesn't match any existing cluster
 	return false, nil
 }
-
-// validateBasicProviderServiceAccountPattern provides fallback validation when cluster API is not available
-func validateBasicProviderServiceAccountPattern(serviceAccountName string) bool {
-	// Basic validation: must end with -pvcsi, not be empty, and not contain colons (format confusion attack prevention)
-	if !strings.HasSuffix(serviceAccountName, "-pvcsi") {
-		return false
-	}
-	
-	clusterName := strings.TrimSuffix(serviceAccountName, "-pvcsi")
-	// Cluster name should not be empty and not contain colons
-	return len(clusterName) > 0 && !strings.Contains(clusterName, ":")
-}
