fix(security): harden backup and restore helper inputs (#474)

Author: dc-tec

charts/openbao-operator/templates/admission/validate-openbaocluster.yaml

@@ -347,12 +347,32 @@ spec:
         object.spec.profile != "Hardened" ||
         object.spec.replicas >= 3
       message: "Hardened profile requires at least 3 replicas for Raft quorum HA. Use Profile=Development for non-HA deployments."
+    # Confused-deputy protection: custom backup helper images run with backup credentials.
+    - expression: >-
+        !has(object.spec.backup) ||
+        !has(object.spec.backup.image) ||
+        object.spec.backup.image == "" ||
+        (request.operation == "UPDATE" &&
+          oldObject != null &&
+          has(oldObject.spec.backup) &&
+          has(oldObject.spec.backup.image) &&
+          oldObject.spec.backup.image == object.spec.backup.image) ||
+        authorizer.group("openbao.org").resource("openbaoclusters").namespace(request.namespace).name(object.metadata.name).check("usehelperimages").allowed()
+      message: "Users configuring custom backup helper images must be authorized to use helper image overrides on this OpenBaoCluster."
     # Confused-deputy protection: users configuring unseal Secret credentials must be able to read that Secret.
     - expression: >-
         !has(object.spec.unseal) ||
         !has(object.spec.unseal.credentialsSecretRef) ||
         authorizer.group("").resource("secrets").namespace(request.namespace).name(object.spec.unseal.credentialsSecretRef.name).check("get").allowed()
       message: "Users configuring unseal credentials must be authorized to get spec.unseal.credentialsSecretRef."
+    # Confused-deputy protection: users configuring backup Secret credentials must be able to read those Secrets.
+    - expression: >-
+        !has(object.spec.backup) ||
+        ((!has(object.spec.backup.target.credentialsSecretRef) ||
+          authorizer.group("").resource("secrets").namespace(request.namespace).name(object.spec.backup.target.credentialsSecretRef.name).check("get").allowed()) &&
+        (!has(object.spec.backup.tokenSecretRef) ||
+          authorizer.group("").resource("secrets").namespace(request.namespace).name(object.spec.backup.tokenSecretRef.name).check("get").allowed()))
+      message: "Users configuring backup credentials must be authorized to get referenced backup Secrets."
     # Block references to system secrets in unseal/backup/upgrade
     - expression: >-
         (!has(object.spec.unseal) || !has(object.spec.unseal.credentialsSecretRef) ||

charts/openbao-operator/templates/admission/validate-openbaorestore.yaml

@@ -50,6 +50,23 @@ spec:
         object.spec.source.target.endpoint.startsWith("s3://") ||
         object.spec.source.target.endpoint.matches("^http://[^/]+\\.svc(\\.|:|/|$).*")
       message: "Restore endpoint must use HTTPS or S3 scheme, unless it targets an in-cluster Service (*.svc)."
+    # Confused-deputy protection: custom restore helper images run with restore credentials.
+    - expression: >-
+        !has(object.spec.image) ||
+        object.spec.image == "" ||
+        (request.operation == "UPDATE" &&
+          oldObject != null &&
+          has(oldObject.spec.image) &&
+          oldObject.spec.image == object.spec.image) ||
+        authorizer.group("openbao.org").resource("openbaoclusters").namespace(request.namespace).name(object.spec.cluster).check("usehelperimages").allowed()
+      message: "Users configuring custom restore helper images must be authorized to use helper image overrides on the target OpenBaoCluster."
+    # Confused-deputy protection: users configuring restore Secret credentials must be able to read those Secrets.
+    - expression: >-
+        (!has(object.spec.source.target.credentialsSecretRef) ||
+          authorizer.group("").resource("secrets").namespace(request.namespace).name(object.spec.source.target.credentialsSecretRef.name).check("get").allowed()) &&
+        (!has(object.spec.tokenSecretRef) ||
+          authorizer.group("").resource("secrets").namespace(request.namespace).name(object.spec.tokenSecretRef.name).check("get").allowed())
+      message: "Users configuring restore credentials must be authorized to get referenced restore Secrets."
     # Confused-deputy protection: Block references to system secrets (restore auth + object store credentials)
     - expression: >-
         (!has(object.spec.source.target.credentialsSecretRef) ||

charts/openbao-operator/templates/rbac/aggregated-clusterroles.yaml

@@ -47,6 +47,22 @@ rules:
       - get
 ---
 
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    {{- include "openbao-operator.labels" . | nindent 4 }}
+  name: {{ include "openbao-operator.fullname" . }}-openbaocluster-helper-image
+rules:
+  - apiGroups:
+      - openbao.org
+    resources:
+      - openbaoclusters
+    verbs:
+      - get
+      - usehelperimages
+---
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

config/policy/openbao-validate-openbaocluster.yaml

@@ -344,12 +344,32 @@ spec:
         object.spec.profile != "Hardened" ||
         object.spec.replicas >= 3
       message: "Hardened profile requires at least 3 replicas for Raft quorum HA. Use Profile=Development for non-HA deployments."
+    # Confused-deputy protection: custom backup helper images run with backup credentials.
+    - expression: >-
+        !has(object.spec.backup) ||
+        !has(object.spec.backup.image) ||
+        object.spec.backup.image == "" ||
+        (request.operation == "UPDATE" &&
+          oldObject != null &&
+          has(oldObject.spec.backup) &&
+          has(oldObject.spec.backup.image) &&
+          oldObject.spec.backup.image == object.spec.backup.image) ||
+        authorizer.group("openbao.org").resource("openbaoclusters").namespace(request.namespace).name(object.metadata.name).check("usehelperimages").allowed()
+      message: "Users configuring custom backup helper images must be authorized to use helper image overrides on this OpenBaoCluster."
     # Confused-deputy protection: users configuring unseal Secret credentials must be able to read that Secret.
     - expression: >-
         !has(object.spec.unseal) ||
         !has(object.spec.unseal.credentialsSecretRef) ||
         authorizer.group("").resource("secrets").namespace(request.namespace).name(object.spec.unseal.credentialsSecretRef.name).check("get").allowed()
       message: "Users configuring unseal credentials must be authorized to get spec.unseal.credentialsSecretRef."
+    # Confused-deputy protection: users configuring backup Secret credentials must be able to read those Secrets.
+    - expression: >-
+        !has(object.spec.backup) ||
+        ((!has(object.spec.backup.target.credentialsSecretRef) ||
+          authorizer.group("").resource("secrets").namespace(request.namespace).name(object.spec.backup.target.credentialsSecretRef.name).check("get").allowed()) &&
+        (!has(object.spec.backup.tokenSecretRef) ||
+          authorizer.group("").resource("secrets").namespace(request.namespace).name(object.spec.backup.tokenSecretRef.name).check("get").allowed()))
+      message: "Users configuring backup credentials must be authorized to get referenced backup Secrets."
     # Block references to system secrets in unseal/backup/upgrade
     - expression: >-
         (!has(object.spec.unseal) || !has(object.spec.unseal.credentialsSecretRef) ||

config/policy/openbao-validate-openbaorestore.yaml

@@ -47,6 +47,23 @@ spec:
         object.spec.source.target.endpoint.startsWith("s3://") ||
         object.spec.source.target.endpoint.matches("^http://[^/]+\\.svc(\\.|:|/|$).*")
       message: "Restore endpoint must use HTTPS or S3 scheme, unless it targets an in-cluster Service (*.svc)."
+    # Confused-deputy protection: custom restore helper images run with restore credentials.
+    - expression: >-
+        !has(object.spec.image) ||
+        object.spec.image == "" ||
+        (request.operation == "UPDATE" &&
+          oldObject != null &&
+          has(oldObject.spec.image) &&
+          oldObject.spec.image == object.spec.image) ||
+        authorizer.group("openbao.org").resource("openbaoclusters").namespace(request.namespace).name(object.spec.cluster).check("usehelperimages").allowed()
+      message: "Users configuring custom restore helper images must be authorized to use helper image overrides on the target OpenBaoCluster."
+    # Confused-deputy protection: users configuring restore Secret credentials must be able to read those Secrets.
+    - expression: >-
+        (!has(object.spec.source.target.credentialsSecretRef) ||
+          authorizer.group("").resource("secrets").namespace(request.namespace).name(object.spec.source.target.credentialsSecretRef.name).check("get").allowed()) &&
+        (!has(object.spec.tokenSecretRef) ||
+          authorizer.group("").resource("secrets").namespace(request.namespace).name(object.spec.tokenSecretRef.name).check("get").allowed())
+      message: "Users configuring restore credentials must be authorized to get referenced restore Secrets."
     # Confused-deputy protection: Block references to system secrets (restore auth + object store credentials)
     - expression: >-
         (!has(object.spec.source.target.credentialsSecretRef) ||

config/rbac/kustomization.yaml

@@ -35,5 +35,6 @@ resources:
   # if you do not want those helpers be installed with your Project.
   - openbaocluster_admin_role.yaml
   - openbaocluster_editor_role.yaml
+  - openbaocluster_helper_image_role.yaml
   - openbaocluster_maintenance_role.yaml
   - openbaocluster_viewer_role.yaml

config/rbac/namespace_scoped_example.yaml

@@ -110,6 +110,47 @@ subjects:
     name: team-a-break-glass # Change to actual group name
     apiGroup: rbac.authorization.k8s.io
 ---
+# Example: Grant custom backup/restore helper image selection on one cluster
+#
+# This namespaced Role grants the custom `usehelperimages` verb only for a
+# single OpenBaoCluster object. Grant it only to operators trusted to choose
+# executor images, because those images run with backup/restore credentials.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: openbaocluster-helper-image-team-a-example
+  namespace: team-a-prod # Change to target namespace
+  labels:
+    app.kubernetes.io/name: openbao-operator
+    app.kubernetes.io/managed-by: kustomize
+rules:
+  - apiGroups:
+      - openbao.org
+    resources:
+      - openbaoclusters
+    resourceNames:
+      - example-cluster # Change to target OpenBaoCluster name
+    verbs:
+      - get
+      - usehelperimages
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: openbaocluster-helper-image-team-a-example
+  namespace: team-a-prod # Change to target namespace
+  labels:
+    app.kubernetes.io/name: openbao-operator
+    app.kubernetes.io/managed-by: kustomize
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: openbaocluster-helper-image-team-a-example
+subjects:
+  - kind: Group
+    name: team-a-platform-operators # Change to actual group name
+    apiGroup: rbac.authorization.k8s.io
+---
 # Example: Grant admin permissions to platform team (cluster-wide)
 #
 # This ClusterRoleBinding grants platform administrators full access

config/rbac/openbaocluster_helper_image_role.yaml

@@ -0,0 +1,24 @@
+# This rule is not used by the project openbao-operator itself.
+# It is provided to allow cluster administrators to delegate custom
+# backup/restore helper image selection without granting full
+# OpenBaoCluster admin permissions.
+#
+# Multi-tenancy: This ClusterRole can be bound via RoleBinding for
+# namespace-scoped helper image permissions, or copied into a namespaced
+# Role with resourceNames for one explicitly trusted OpenBaoCluster.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: openbao-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: openbaocluster-helper-image-role
+rules:
+  - apiGroups:
+      - openbao.org
+    resources:
+      - openbaoclusters
+    verbs:
+      - get
+      - usehelperimages

hack/helmchart/main.go

@@ -664,16 +664,24 @@ subjects:
 
 // syncAggregatedRBAC syncs aggregated ClusterRoles.
 func syncAggregatedRBAC(opts options) error {
-	parts := make([]string, 0, 4) // 3 cluster roles + 1 tenant role
-
-	// OpenBaoCluster admin/editor/viewer roles
-	for _, suffix := range []string{"admin", "editor", "viewer"} {
-		filename := fmt.Sprintf("openbaocluster_%s_role.yaml", suffix)
+	parts := make([]string, 0, 5) // 4 cluster roles + 1 tenant role
+
+	// OpenBaoCluster admin/editor/viewer and helper-image delegation roles.
+	for _, role := range []struct {
+		filename   string
+		nameSuffix string
+	}{
+		{filename: "openbaocluster_admin_role.yaml", nameSuffix: "openbaocluster-admin"},
+		{filename: "openbaocluster_editor_role.yaml", nameSuffix: "openbaocluster-editor"},
+		{filename: "openbaocluster_helper_image_role.yaml", nameSuffix: "openbaocluster-helper-image"},
+		{filename: "openbaocluster_viewer_role.yaml", nameSuffix: "openbaocluster-viewer"},
+	} {
+		filename := role.filename
 		content, err := readFile(filepath.Join(opts.rbacInputDir, filename))
 		if err != nil {
 			return fmt.Errorf("read %s: %w", filename, err)
 		}
-		content = transformRBACToHelm(content, fmt.Sprintf("openbaocluster-%s", suffix), false)
+		content = transformRBACToHelm(content, role.nameSuffix, false)
 		parts = append(parts, content)
 	}
 

hack/helmchart/main_test.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"bytes"
+	"os"
 	"os/exec"
 	"path/filepath"
 	"runtime"
@@ -66,6 +67,58 @@ rules:
 	}
 }
 
+func TestSyncAggregatedRBAC_IncludesHelperImageDelegationRole(t *testing.T) {
+	inputDir := t.TempDir()
+	outputDir := t.TempDir()
+
+	writeRole := func(filename, name string, verbs ...string) {
+		t.Helper()
+
+		var builder strings.Builder
+		builder.WriteString("apiVersion: rbac.authorization.k8s.io/v1\n")
+		builder.WriteString("kind: ClusterRole\n")
+		builder.WriteString("metadata:\n")
+		builder.WriteString("  name: " + name + "\n")
+		builder.WriteString("rules:\n")
+		builder.WriteString("  - apiGroups:\n")
+		builder.WriteString("      - openbao.org\n")
+		builder.WriteString("    resources:\n")
+		builder.WriteString("      - openbaoclusters\n")
+		builder.WriteString("    verbs:\n")
+		for _, verb := range verbs {
+			builder.WriteString("      - " + verb + "\n")
+		}
+
+		if err := os.WriteFile(filepath.Join(inputDir, filename), []byte(builder.String()), 0o600); err != nil {
+			t.Fatalf("write %s: %v", filename, err)
+		}
+	}
+
+	writeRole("openbaocluster_admin_role.yaml", "openbaocluster-admin-role", "*")
+	writeRole("openbaocluster_editor_role.yaml", "openbaocluster-editor-role", "create", "update")
+	writeRole("openbaocluster_helper_image_role.yaml", "openbaocluster-helper-image-role", "get", "usehelperimages")
+	writeRole("openbaocluster_viewer_role.yaml", "openbaocluster-viewer-role", "get", "list")
+	writeRole("openbaotenant_editor_role.yaml", "openbaotenant-editor-role", "create", "update")
+
+	if err := syncAggregatedRBAC(options{rbacInputDir: inputDir, rbacOutputDir: outputDir}); err != nil {
+		t.Fatalf("syncAggregatedRBAC() failed: %v", err)
+	}
+
+	got, err := os.ReadFile(filepath.Join(outputDir, "aggregated-clusterroles.yaml"))
+	if err != nil {
+		t.Fatalf("read generated aggregated roles: %v", err)
+	}
+	output := string(got)
+	for _, want := range []string{
+		`{{ include "openbao-operator.fullname" . }}-openbaocluster-helper-image`,
+		"usehelperimages",
+	} {
+		if !strings.Contains(output, want) {
+			t.Fatalf("generated aggregated RBAC missing %q:\n%s", want, output)
+		}
+	}
+}
+
 func TestAddNamespacePodSecurityLabelRBACMode_ConditionsNamespaceMutationVerbs(t *testing.T) {
 	input := `apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole