Problem
Surfaced by security cross-review on #258 (round 3). `validateTLSSecret` reads the operator-supplied Secret and runs `pem.Decode` + `x509.ParseCertificate` on `tls.crt` bytes with no size or depth bound. kube-apiserver caps Secrets at ~1 MiB, but an actor with Secret-write RBAC in the SeiNode's namespace could craft pathological ASN.1 to consume controller CPU during parse.
Blast radius is limited by Secret-write RBAC (operator-equivalent — same trust level that provisions the cert). Not exploitable from outside the trust boundary. Marked non-blocker by security review; tracked for future hardening.
Proposed scope
- Add a sanity size check on `crtPEM` (e.g., >64 KiB → `ReasonTLSSecretMalformed`) before `pem.Decode`.
- Optionally bound parse time via `context.WithTimeout` around `x509.ParseCertificate`, or run parse in a goroutine with a deadline.
Why deferred from #258
Not exploitable from outside operator trust. Hardening is defense-in-depth, not correctness.
References