Strict allow-list validators for user-supplied Volume and VolumeMount
entries on Bind9Instance / Bind9Cluster CRDs.
§Why
Bind9Instance.spec.volumes, Bind9Instance.spec.volumeMounts, and the
same fields on Bind9ClusterCommonSpec are typed as the full
k8s_openapi::api::core::v1::Volume / VolumeMount. Without filtering, a
namespace-tenant who can create a Bind9Instance could mount the host
filesystem (hostPath), an arbitrary Secret in the target namespace
(secret), or other dangerous volume sources into a Pod the operator
stamps with cluster-wide RBAC. This module enforces an allow-list so the
reconciler can refuse the CR with a clear status condition before any
Pod is built.
Closes audit finding F-001.
§Allow-list
- Volume sources:
  - emptyDir
  - configMap (name must start with crate::constants::ALLOWED_USER_CONFIGMAP_PREFIX)
  - secret (name must start with crate::constants::ALLOWED_USER_SECRET_PREFIX)
  - persistentVolumeClaim (name must start with crate::constants::ALLOWED_USER_PVC_PREFIX)
- VolumeMount.mountPath: must begin with one of crate::constants::ALLOWED_USER_MOUNT_PREFIXES.
- VolumeMount.subPath / subPathExpr: must not contain
  ...
Everything else is rejected. This is an allow-list, not a block-list, so future Volume variants added by Kubernetes are rejected by default.
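The allow-list logic described above, as an added example that is not the module's own code: it uses a local Source enum in place of k8s_openapi::api::core::v1::Volume so it compiles with std alone, and the prefix values are constructed placeholders rather than the real crate::constants. The subPath / subPathExpr rule is not modelled because the text above does not state it in full.

```rust
// Added example, not the module's code: std-only model of the allow-list.
// The enum stands in for k8s_openapi's Volume and the prefix values are
// constructed placeholders, not the real crate::constants.
const ALLOWED_USER_CONFIGMAP_PREFIX: &str = "user-";
const ALLOWED_USER_SECRET_PREFIX: &str = "user-";
const ALLOWED_USER_PVC_PREFIX: &str = "user-";
const ALLOWED_USER_MOUNT_PREFIXES: &[&str] = &["/user/", "/data/"];
#[derive(Debug)]
pub enum Source { EmptyDir, ConfigMap(String), Secret(String), Pvc(String), HostPath(String) }
pub struct Volume { pub name: String, pub source: Source }
pub struct VolumeMount { pub name: String, pub mount_path: String }

/// First rejection found; the reconciler surfaces it as a status condition.
#[derive(Debug, PartialEq)]
pub enum Rejection {
    DisallowedSource { volume: String, kind: String },
    DisallowedName { volume: String, required_prefix: &'static str },
    DisallowedMountPath { mount: String, path: String },
}
fn check_prefix(volume: &str, name: &str, prefix: &'static str) -> Result<(), Rejection> {
    if name.starts_with(prefix) { return Ok(()); }
    Err(Rejection::DisallowedName { volume: volume.to_string(), required_prefix: prefix })
}

/// Allow-list over sources: only the four listed variants pass, and each
/// named source must carry the tenant prefix. Everything else is refused.
pub fn validate_user_volumes(volumes: &[Volume]) -> Result<(), Rejection> {
    for v in volumes {
        match &v.source {
            Source::EmptyDir => {}
            Source::ConfigMap(n) => check_prefix(&v.name, n, ALLOWED_USER_CONFIGMAP_PREFIX)?,
            Source::Secret(n) => check_prefix(&v.name, n, ALLOWED_USER_SECRET_PREFIX)?,
            Source::Pvc(n) => check_prefix(&v.name, n, ALLOWED_USER_PVC_PREFIX)?,
            // Catch-all: hostPath today, and any variant Kubernetes adds later.
            other => return Err(Rejection::DisallowedSource { volume: v.name.clone(), kind: format!("{other:?}") }),
        }
    }
    Ok(())
}

/// mountPath must begin with an allowed prefix. The subPath / subPathExpr
/// rule from the module docs is not modelled here.
pub fn validate_user_volume_mounts(mounts: &[VolumeMount]) -> Result<(), Rejection> {
    for m in mounts {
        if !ALLOWED_USER_MOUNT_PREFIXES.iter().any(|p| m.mount_path.starts_with(*p)) {
            return Err(Rejection::DisallowedMountPath { mount: m.name.clone(), path: m.mount_path.clone() });
        }
    }
    Ok(())
}
```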
Enums§
- VolumeRejection: Rejection reasons returned by validate_user_volumes and validate_user_volume_mounts.
Functions§
- validate_optional_user_volume_mounts: Validate the Option<&Vec<VolumeMount>> that the resource builder passes around. Convenience wrapper.
- validate_optional_user_volumes: Validate the Option<&Vec<Volume>> that the resource builder passes around. Convenience wrapper so callers can skip the if let Some dance.
- validate_user_volume_mounts: Validate a slice of user-supplied [VolumeMount] entries against the allow-list. Returns the first rejection encountered.
- validate_user_volumes: Validate a slice of user-supplied [Volume] entries against the allow-list. Returns the first rejection encountered.