Fix PvCSI service account regex security vulnerability (SUP-VULN-0009) by anuj087 · Pull Request #4024 · kubernetes-sigs/vsphere-csi-driver

anuj087 · 2026-05-07T06:49:06Z

The original regex ^system:serviceaccount.*-pvcsi$ was vulnerable to colon injection attacks. A malicious user could create a service account named 'evil-pvcsi' in their namespace and bypass webhook security checks by having their username appear as:
system:serviceaccount:malicious-namespace:evil-pvcsi

This would match the regex and be treated as a trusted PvCSI service account.

Fixed by replacing the overly broad .* pattern with matching the username with the service account name which is "vsphereClusterName"-pvcsi

This prevents colon injection while maintaining compatibility with legitimate PvCSI service accounts.

Added comprehensive test coverage to prevent regression.

Security Impact: MEDIUM - Prevents authentication bypass for CnsFileAccessConfig operations.

Testing done: Both VKS and WCP precheckins are passed
https://jenkins-vcf-csifvt.devops.broadcom.net/view/instapp/job/vks-instapp-e2e-pre-checkin/1207/
https://jenkins-vcf-csifvt.devops.broadcom.net/job/wcp-instapp-e2e-pre-checkin/1621/

linux-foundation-easycla · 2026-05-07T06:49:16Z

The committers listed above are authorized under a signed CLA.

✅ login: anuj087 / name: ab002488 (11ceb64, 1ec70a9, 208a4c3, 427897e, 9276e71, 998c1b6, 9d9dc5b, c5ce575, e12cbba)

k8s-ci-robot · 2026-05-07T06:49:18Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: anuj087
Once this PR has been reviewed and has the lgtm label, please assign deepakkinni for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot · 2026-05-07T06:49:18Z

Hi @anuj087. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

skogta · 2026-05-07T07:24:20Z

/ok-to-test

deepakkinni · 2026-05-08T11:30:17Z

Triggering CSI-WCP Pre-checkin Pipeline for this PR... Job takes approximately an hour to complete
Jenkins Build #1471

deepakkinni · 2026-05-08T13:00:54Z

FAILED --- Jenkins Build #1471

deepakkinni · 2026-05-14T17:45:50Z

Triggering CSI-WCP Pre-checkin Pipeline for this PR... Job takes approximately an hour to complete
Jenkins Build #1517

deepakkinni · 2026-05-14T18:29:36Z

SUCCESS --- Jenkins Build #1517

deepakkinni · 2026-06-03T07:02:27Z

Triggering CSI-TKG Pre-checkin Pipeline for this PR... Job takes approximately an hour to complete
Jenkins Build #1226

deepakkinni · 2026-06-03T07:39:27Z

SUCCESS --- Jenkins Build #1226

deepakkinni · 2026-06-03T10:24:28Z

Triggering CSI-TKG Pre-checkin Pipeline for this PR... Job takes approximately an hour to complete
Jenkins Build #1229

deepakkinni · 2026-06-03T10:45:09Z

FAILED --- Jenkins Build #1229

deepakkinni · 2026-06-03T11:00:19Z

Triggering CSI-TKG Pre-checkin Pipeline for this PR... Job takes approximately an hour to complete
Jenkins Build #1225

deepakkinni · 2026-06-03T11:10:39Z

Triggering CSI-TKG Pre-checkin Pipeline for this PR... Job takes approximately an hour to complete
Jenkins Build #1231

deepakkinni · 2026-06-03T11:28:00Z

FAILED --- Jenkins Build #1225

deepakkinni · 2026-06-03T11:32:29Z

FAILED --- Jenkins Build #1231

deepakkinni · 2026-06-03T16:44:27Z

Triggering CSI-TKG Pre-checkin Pipeline for this PR... Job takes approximately an hour to complete
Jenkins Build #1233

deepakkinni · 2026-06-03T16:55:19Z

FAILED --- Jenkins Build #1233

deepakkinni · 2026-06-03T17:09:19Z

Triggering CSI-WCP Pre-checkin Pipeline for this PR... Job takes approximately an hour to complete
Jenkins Build #1619

deepakkinni · 2026-06-03T17:16:57Z

FAILED --- Jenkins Build #1619

deepakkinni · 2026-06-03T17:18:14Z

Triggering CSI-TKG Pre-checkin Pipeline for this PR... Job takes approximately an hour to complete
Jenkins Build #1234

deepakkinni · 2026-06-03T17:34:43Z

FAILED --- Jenkins Build #1234

deepakkinni · 2026-06-03T17:43:40Z

Triggering CSI-WCP Pre-checkin Pipeline for this PR... Job takes approximately an hour to complete
Jenkins Build #1621

deepakkinni · 2026-06-03T17:51:30Z

Triggering CSI-TKG Pre-checkin Pipeline for this PR... Job takes approximately an hour to complete
Jenkins Build #1235

k8s-ci-robot · 2026-06-03T18:06:37Z

@anuj087: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-vsphere-csi-driver-verify-markdown	`04e70d3`	link	true	`/test pull-vsphere-csi-driver-verify-markdown`
pull-vsphere-csi-driver-verify-shell	`04e70d3`	link	true	`/test pull-vsphere-csi-driver-verify-shell`

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

deepakkinni · 2026-06-03T18:08:00Z

FAILED --- Jenkins Build #1235

deepakkinni · 2026-06-03T19:03:28Z

SUCCESS --- Jenkins Build #1621

The original regex ^system:serviceaccount.*-pvcsi$ was vulnerable to colon injection attacks. A malicious user could create a service account named 'evil-pvcsi' in their namespace and bypass webhook security checks by having their username appear as: system:serviceaccount:malicious-namespace:evil-pvcsi This would match the regex and be treated as a trusted PvCSI service account. Fixed by replacing the overly broad .* pattern with a more restrictive regex that: 1. Uses [^:]+ for namespace (no colons allowed) 2. Explicitly allows legitimate service accounts: - vsphere-csi-controller - vsphere-csi-node - pvcsi - Any service account ending with -pvcsi (but no colons in name) New regex: ^system:serviceaccount:[^:]+:(vsphere-csi-controller|vsphere-csi-node|pvcsi|[^:]*-pvcsi)$ This prevents colon injection while maintaining compatibility with legitimate PvCSI service accounts. Added comprehensive test coverage to prevent regression. Security Impact: MEDIUM - Prevents authentication bypass for CnsFileAccessConfig operations. Signed-off-by: ab002488

deepakkinni · 2026-06-04T13:36:42Z

Triggering CSI-TKG Pre-checkin Pipeline for this PR... Job takes approximately an hour to complete
Jenkins Build #1244

deepakkinni · 2026-06-04T13:55:48Z

FAILED --- Jenkins Build #1244

skogta · 2026-06-05T10:18:43Z

+	// Extract expected vsphere cluster name from service account name
+	// serviceAccountName format: "{vsphere-cluster-name}-pvcsi"
+	if !strings.HasSuffix(serviceAccountName, "-pvcsi") {
+		log.Infof("Service account '%s' does not follow cluster pattern (missing -pvcsi suffix)", serviceAccountName)


Why do we have this validation twice?

skogta · 2026-06-05T10:19:41Z

+			return false, nil
+		}
+
+		if errors.IsForbidden(err) {


Why is this check required? Why can't we club it with the rest of the other errors?

skogta · 2026-06-05T10:22:11Z

+	log.Infof("Parsed service account parts: %v (count: %d)", parts, len(parts))
+
+	if len(parts) != 2 {
+		log.Infof("Invalid service account format - expected 2 parts, got %d, returning false", len(parts))


skogta · 2026-06-05T10:22:27Z

+	// For any namespace, check if service account follows guest cluster PvCSI pattern
+	// Guest cluster PvCSI service accounts follow the pattern: {cluster-name}-pvcsi
+	if strings.HasSuffix(serviceAccountName, "-pvcsi") {
+		log.Infof("Service account ends with -pvcsi, validating as guest cluster PvCSI account")


skogta · 2026-06-05T10:23:14Z


 func validatePvCSIServiceAccount(username string) (bool, error) {
-	pvcCsiServiceAccountRegex, err := regexp.Compile(PvCsiServiceAccountregex)
+	ctx := context.TODO()


Use the existing ctx

skogta · 2026-06-05T10:24:08Z

+	vsphereCluster := &unstructured.Unstructured{}
+	vsphereCluster.SetGroupVersionKind(schema.GroupVersionKind{
+		Group:   "vmware.infrastructure.cluster.x-k8s.io",
+		Version: "v1beta2", // Use the version we saw in kubectl api-resources


@nikhilbarge is this the correct version to use?

skogta · 2026-06-05T10:24:47Z


 	// Allowed users are :
-	// 1. PVCSI service account
+	// 1. PVCSI service account (checked above using new validation logic)


This check no longer validates if it is a PVCSI service account. We already return at line 242. So this comment is outdated.

k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label May 7, 2026

k8s-ci-robot requested review from akankshapanse and deepakkinni May 7, 2026 06:49

k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels May 7, 2026

anuj087 force-pushed the fix_pvcsi_service_account_regex_vulnerability branch from 909d1c8 to c111ba8 Compare May 7, 2026 06:54

k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 7, 2026

anuj087 force-pushed the fix_pvcsi_service_account_regex_vulnerability branch from c111ba8 to 4321bd1 Compare May 7, 2026 07:28

k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels May 7, 2026

anuj087 force-pushed the fix_pvcsi_service_account_regex_vulnerability branch from 4321bd1 to 04e70d3 Compare May 8, 2026 11:27

anuj087 force-pushed the fix_pvcsi_service_account_regex_vulnerability branch from 04e70d3 to 016ae28 Compare May 8, 2026 11:28

k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels May 8, 2026

anuj087 force-pushed the fix_pvcsi_service_account_regex_vulnerability branch 2 times, most recently from 88dd9e5 to 2a77623 Compare May 14, 2026 06:52

anuj087 force-pushed the fix_pvcsi_service_account_regex_vulnerability branch from 7516465 to f65d7b4 Compare May 18, 2026 07:06

k8s-ci-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jun 3, 2026

k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 3, 2026

k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Jun 3, 2026

anuj087 force-pushed the fix_pvcsi_service_account_regex_vulnerability branch from c9108d6 to f104084 Compare June 4, 2026 09:50

skogta reviewed Jun 5, 2026

View reviewed changes

Conversation

anuj087 commented May 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

linux-foundation-easycla Bot commented May 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

k8s-ci-robot commented May 7, 2026

Uh oh!

k8s-ci-robot commented May 7, 2026

Uh oh!

skogta commented May 7, 2026

Uh oh!

deepakkinni commented May 8, 2026

Uh oh!

deepakkinni commented May 8, 2026

Uh oh!

deepakkinni commented May 14, 2026

Uh oh!

deepakkinni commented May 14, 2026

Uh oh!

deepakkinni commented Jun 3, 2026

Uh oh!

deepakkinni commented Jun 3, 2026

Uh oh!

deepakkinni commented Jun 3, 2026

Uh oh!

deepakkinni commented Jun 3, 2026

Uh oh!

deepakkinni commented Jun 3, 2026

Uh oh!

deepakkinni commented Jun 3, 2026

Uh oh!

deepakkinni commented Jun 3, 2026

Uh oh!

deepakkinni commented Jun 3, 2026

Uh oh!

deepakkinni commented Jun 3, 2026

Uh oh!

deepakkinni commented Jun 3, 2026

Uh oh!

deepakkinni commented Jun 3, 2026

Uh oh!

deepakkinni commented Jun 3, 2026

Uh oh!

deepakkinni commented Jun 3, 2026

Uh oh!

deepakkinni commented Jun 3, 2026

Uh oh!

deepakkinni commented Jun 3, 2026

Uh oh!

deepakkinni commented Jun 3, 2026

Uh oh!

k8s-ci-robot commented Jun 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

deepakkinni commented Jun 3, 2026

Uh oh!

deepakkinni commented Jun 3, 2026

Uh oh!

deepakkinni commented Jun 4, 2026

Uh oh!

deepakkinni commented Jun 4, 2026

Uh oh!

skogta Jun 5, 2026

Choose a reason for hiding this comment

Uh oh!

skogta Jun 5, 2026

Choose a reason for hiding this comment

Uh oh!

skogta Jun 5, 2026

Choose a reason for hiding this comment

Uh oh!

skogta Jun 5, 2026

Choose a reason for hiding this comment

Uh oh!

skogta Jun 5, 2026

Choose a reason for hiding this comment

Uh oh!

skogta Jun 5, 2026

anuj087 commented May 7, 2026 •

edited

Loading

linux-foundation-easycla Bot commented May 7, 2026 •

edited

Loading

k8s-ci-robot commented Jun 3, 2026 •

edited

Loading