Description
URL
https://docs.crossplane.io/v1.16/concepts/claims/#claiming-existing-composite-resources
What's Wrong?
The existing wording in the documentation implicitly suggests that an existing composite resource can be claimed from any namespace just by referencing its name. This would be an important threat scenario to add to https://github.com/crossplane/crossplane/blob/master/security/ADA-security-audit-23.pdf, section "Crossplane Claims", page 10.
The doc should detail that there is a protection mechanism in place to maintain multi-tenancy:
- https://github.com/phisco/crossplane/blob/ec5a09fe5a518a431446578375f1853b93c66949/internal/controller/apiextensions/claim/reconciler.go#L370-L386 (reconciler): "Return early if the claim references an XR that doesn't reference it."
- https://github.com/phisco/crossplane/blob/ec5a09fe5a518a431446578375f1853b93c66949/internal/controller/apiextensions/claim/reconciler_test.go#L177-L204 (reconciler test): the reconcile should fail if the referenced XR is bound to another claim.
crossplane/crossplane#5423 Multiple claims on a single composite resource
I'm unable to make multiple claims on the same CompositeResource object, whichever Claim object grabs it first wins.
Also, the doc should detail whether a claim is vulnerable to race condition attacks:
- an attacker tries to take over an existing composite while its claim is being deleted
- an attacker tries to take over a composite that is being created
Threat scenario if doc is correct
Given a platform consumer using namespaces to distinguish different roles (e.g. prod vs non-prod).
Given actor-1 in namespace-prod provisions the "prod-confidential-db" claim and writes confidential data to it. Let's call prod-composite-1 the name of the associated composite object.
Given actor-2 learns or guesses the name of the prod-composite-1 resource, and creates a claim using resourceRef in namespace non-prod:
```yaml
apiVersion: example.org/v1alpha1
kind: database
metadata:
  name: claiming-another-team-database
spec:
  resourceRef:
    apiVersion: example.org/v1alpha1
    kind: XMyDatabase
    name: prod-composite-1
```
Then, a connection secret in the non-prod namespace would provide access to the production database from the non-prod namespace.
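To make the guard concrete for both the protection mechanism above and this scenario, here is an added Go model of the check. It is illustrative code written for this issue, not Crossplane's reconciler; the struct, field and error names (ObjectRef, Claim, Composite, CanBind, Bind, ErrBoundToOtherClaim) and the constructed claim/composite values are assumptions, and it only models the claimRef/resourceRef comparison, not the deletion or creation race windows asked about above.

```go
package main

import (
	"errors"
	"fmt"
)

// ObjectRef models the reference fields shared by a claim's spec.resourceRef
// and a composite's spec.claimRef (field names are assumptions for this model).
type ObjectRef struct {
	APIVersion string
	Kind       string
	Namespace  string // only meaningful on the namespaced claim side
	Name       string
}

// Claim is a namespaced claim (e.g. kind: database) that may point at an
// existing composite through ResourceRef.
type Claim struct {
	Namespace   string
	Name        string
	ResourceRef *ObjectRef
}

// Composite is a cluster-scoped composite resource (e.g. kind: XMyDatabase)
// that records the claim it belongs to in ClaimRef.
type Composite struct {
	APIVersion string
	Kind       string
	Name       string
	ClaimRef   *ObjectRef
}

// ErrBoundToOtherClaim is returned when the composite already belongs to a
// different claim. The guard returns early instead of rebinding, so no
// connection secret is produced for the second namespace.
var ErrBoundToOtherClaim = errors.New("composite is already bound to another claim")

// CanBind is the guard: binding is allowed only when the claim references the
// composite AND the composite either has no claimRef yet (first claim wins) or
// its claimRef already points back at this exact namespace/name.
func CanBind(cm Claim, xr Composite) error {
	if cm.ResourceRef == nil ||
		cm.ResourceRef.APIVersion != xr.APIVersion ||
		cm.ResourceRef.Kind != xr.Kind ||
		cm.ResourceRef.Name != xr.Name {
		return fmt.Errorf("claim %s/%s does not reference composite %s", cm.Namespace, cm.Name, xr.Name)
	}
	if xr.ClaimRef == nil {
		return nil // unbound composite: this claim takes it
	}
	if xr.ClaimRef.Namespace != cm.Namespace || xr.ClaimRef.Name != cm.Name {
		return ErrBoundToOtherClaim
	}
	return nil // already bound to this very claim (idempotent reconcile)
}

// Bind runs the guard and, on success, stamps the claim onto the composite.
// Only namespace/name are recorded because that is all the guard compares.
func Bind(cm Claim, xr *Composite) error {
	if err := CanBind(cm, *xr); err != nil {
		return err
	}
	xr.ClaimRef = &ObjectRef{Namespace: cm.Namespace, Name: cm.Name}
	return nil
}

func main() {
	// Constructed sample matching the scenario in the issue.
	xr := Composite{APIVersion: "example.org/v1alpha1", Kind: "XMyDatabase", Name: "prod-composite-1"}
	ref := &ObjectRef{APIVersion: "example.org/v1alpha1", Kind: "XMyDatabase", Name: "prod-composite-1"}

	owner := Claim{Namespace: "namespace-prod", Name: "prod-confidential-db", ResourceRef: ref}
	attacker := Claim{Namespace: "non-prod", Name: "claiming-another-team-database", ResourceRef: ref}

	fmt.Println("owner binds:", Bind(owner, &xr))         // <nil>
	fmt.Println("attacker binds:", Bind(attacker, &xr))   // composite is already bound to another claim
	fmt.Println("owner re-reconciles:", Bind(owner, &xr)) // <nil>
}
```

Run with `go run`: the owner's claim binds the unbound composite, the cross-namespace claim with the same resourceRef is rejected because claimRef already points at namespace-prod/prod-confidential-db, and the owner's next reconcile is accepted unchanged. The model also shows the "first claim wins" behaviour from crossplane/crossplane#5423: if the attacker's claim reaches a still-unbound composite first, the legitimate claim is the one rejected, which is why the creation-time race deserves a documented answer.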