villebro opened a new pull request, #108: URL: https://github.com/apache/superset-kubernetes-operator/pull/108
## Summary

We did a thorough security review of the operator against the documented threat well-aligned — no gaps or misalignments — but several flagship guarantees were enforced only by code structure or by the slow e2e tier, with no fast test that would fail if a future refactor broke them. This PR adds those regression guards, keeps the threat model and its tests in lockstep going forward, and clarifies the security posture of the experimental websocket component.

No production code changes.

## Details

**Regression-guard tests**

- **ConfigMap no-secret-leak guard** (`internal/controller/security_test.go`) — reconciles a dev-mode CR with sentinel secrets and asserts no sentinel appears in any ConfigMap, that the rendered config references the values via `os.environ[...]` (positive control), and that secrets flow through the pod environment. Locks the "secrets never touch ConfigMaps" guarantee.
- **Operator override protection** (`internal/resolution/override_protection_test.go`) — a user-supplied `podTemplate` cannot override `SUPERSET_OPERATOR__*` env vars or operator-managed labels (`superset.apache.org/parent`).
- **RBAC scope guard** (`security_test.go`) — asserts the generated ClusterRole grants no access to `secrets` and uses no `*` wildcards, catching an accidental `+kubebuilder:rbac` marker that would broaden scope.

**Test-pyramid refactor for inline-secret validation**

- Moved the comprehensive inline-secret rejection matrix (`secretKey`, `metastore.uri`, `metastore.password`, `valkey.password`) to the integration tier (`cel_validation_test.go`), where CEL validation belongs. Added the previously untested `websocketServer.config` dev-only rejection and `config`/`configFrom` mutual-exclusivity rules.
- Trimmed the e2e suite to a single representative smoke case (plus the cross-namespace `SecretKeySelector` check) to confirm the rules ship in the installed CRD without duplicating the full matrix on a Kind cluster.

**Websocket component flagged as experimental / pending hardening**

- Added a caveat to the threat model (`docs/reference/security.md`), strengthened the CRD godoc (propagated to `docs/reference/api-reference.md` via `make codegen`), and aligned the configuration-guide warning. Notes that the dev-mode inline `websocketServer.config` is written to a ConfigMap (the one documented place an inline secret legitimately lands there) and that Staging/Production require `configFrom`.

**Developer guidance**

- Added a "Security and the threat model" subsection to the development guidelines: update security regression tests when the threat model changes, and verify/extend both when adding features.
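
The RBAC scope guard described in the pull request above, sketched as an added example that is not the PR's or the operator's own test code. It assumes the generated ClusterRole is available as JSON; `rule`, `scopeViolations` and `sampleRole` are hypothetical names, and the sample role is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// rule holds the PolicyRule fields that determine scope.
type rule struct {
	APIGroups []string `json:"apiGroups"`
	Resources []string `json:"resources"`
	Verbs     []string `json:"verbs"`
}

// Constructed sample, not the operator's real role: rule 0 is acceptable, rules 1 and 2 are not.
const sampleRole = `{"kind":"ClusterRole","rules":[
 {"apiGroups":["apps"],"resources":["deployments"],"verbs":["get","list","watch"]},
 {"apiGroups":[""],"resources":["configmaps","secrets"],"verbs":["get"]},
 {"apiGroups":["superset.apache.org"],"resources":["supersets/*"],"verbs":["get","*"]}]}`

// scopeViolations returns one message per wildcard or secrets grant found in the role.
func scopeViolations(roleJSON string) ([]string, error) {
	var cr struct{ Rules []rule `json:"rules"` }
	if err := json.Unmarshal([]byte(roleJSON), &cr); err != nil {
		return nil, err
	}
	var out []string
	for i, r := range cr.Rules {
		for _, v := range r.Resources {
			// Subresources count too; every API group is checked to stay conservative.
			if v == "secrets" || strings.HasPrefix(v, "secrets/") {
				out = append(out, fmt.Sprintf("rule %d: grants access to %q", i, v))
			}
		}
		all := append(append(append([]string{}, r.APIGroups...), r.Resources...), r.Verbs...)
		for _, v := range all {
			if strings.Contains(v, "*") {
				out = append(out, fmt.Sprintf("rule %d: wildcard %q", i, v))
			}
		}
	}
	return out, nil
}

func main() {
	fmt.Println(scopeViolations(sampleRole))
}
```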
