GHSA-398h-7f66-3h4p
open-feature-operator: Cross-namespace FeatureFlagSource and InProcessConfiguration resolution exposes spec contents on multi-tenant clusters
Details
## Summary
A namespaced `FeatureFlagSource` or `InProcessConfiguration` resource can be referenced cross-namespace via the `openfeature.dev/featureflagsource` annotation using the documented `{NAMESPACE}/{NAME}` syntax. The operator resolves the referenced resource cluster-wide and materializes its contents (env vars, flagd sidecar arguments including `httpSyncBearerToken`, sync URIs, supporting ConfigMaps) into the referencing workload.
On multi-tenant clusters that treat namespaces as trust boundaries, a tenant who can deploy a controller-owned workload in their own namespace can cause the operator to read another tenant's `FeatureFlagSource` / `InProcessConfiguration` spec contents.
## Impact
- **Single-tenant clusters**: not impacted. - **Multi-tenant clusters using namespaces as trust boundaries**: tenant-to-tenant disclosure of any data placed inline in `FeatureFlagSource` / `InProcessConfiguration` spec, including `spec.envVars` literal values, `spec.httpSyncBearerToken`, and sync URIs.
## Behavior is documented
The cross-namespace `{NAMESPACE}/{NAME}` annotation syntax is intentional and documented in [`docs/annotations.md`](https://github.com/open-feature/open-feature-operator/blob/main/docs/annotations.md) and [`docs/feature_flag_source.md`](https://github.com/open-feature/open-feature-operator/blob/main/docs/feature_flag_source.md). The operator's cluster-wide RBAC scope is intentional. Namespace-as-trust-boundary is not part of the operator's current stated security model.
This advisory makes the tenancy assumption explicit and tracks the architectural change that will eliminate the implicit cross-namespace pattern.
## Corrections to the original report
Two technical points in the original report require correction:
1. **`secretKeyRef` / `configMapKeyRef` cross-namespace disclosure is not possible via this path.** Kubelet resolves these as `LocalObjectReference` against the pod's own namespace; the operator does not bypass that. The actual disclosure surface is `FeatureFlagSource` / `InProcessConfiguration` spec contents the operator itself materializes (inline `envVars` values, `httpSyncBearerToken`, sync URIs). 2. **`create featureflagsources` is not a prerequisite.** The webhook rejects pods without OwnerReferences ([`pod_webhook.go:75-77`](https://github.com/open-feature/open-feature-operator/blob/main/internal/webhook/pod_webhook.go#L75)), so the prerequisite is `create` on a workload controller (`deployments`, `statefulsets`, `daemonsets`, `jobs`, `cronjobs`, `replicasets`) in a namespace the attacker controls. `FeatureFlagSource` create in any namespace is not required.
## Mitigations
As with any Kubernetes CRD, treat the spec content of `FeatureFlagSource` and `InProcessConfiguration` as readable by anyone with read access to the resource, and don't place plaintext secrets in CR spec fields. Fields most likely to bite users:
- `spec.sources[].source`, when the URI embeds credentials (e.g. `https://user:pass@host/repo`) - `spec.sources[].certPath`, if the path itself is sensitive - inline `spec.envVars[].value` (use `valueFrom.secretKeyRef` instead; kubelet enforces same-namespace resolution and the secret value is not stored in the CR)
If developers treat namespaces as trust boundaries:
- restrict `create` on `featureflagsources` / `inprocessconfigurations` via RBAC where feasible,
## Roadmap
A future release will introduce explicit cluster-scoped CRDs (`ClusterFeatureFlagSource`, `ClusterInProcessConfiguration`) and remove implicit cross-namespace resolution. This is a breaking change tracked in [#847](https://github.com/open-feature/open-feature-operator/issues/847).
## Precedent
This class of issue (authenticated namespace tenant abuses an unenforced cluster-wide surface that crosses an assumed namespace boundary) has Kubernetes precedent: CVE-2020-8554 (External IPs) was accepted as documented posture and mitigated via an opt-in admission plugin.
## Credit
Reported by @0xVijay. Thanks for the disclosure. This appears to be an example of https://cwe.mitre.org/data/definitions/668.html. In terms of how it ended up here, it's more of an unimplemented security feature than an "bug". It seems to deviate from reasonable expectations and conventions in the K8s ecosystem. See https://nvd.nist.gov/vuln/detail/cve-2020-8554 as an example of a comparable vulnerability.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 No fixed version published yet for github.com/open-feature/open-feature-operator (go modules). Pin to a known-safe version or switch to an alternative.