✨ clean up leftover override secrets when spaceId is removed and add warning for space-scoped service accounts

Author: slntopp

pkg/utils/k8s/space_config.go

@@ -44,6 +44,12 @@ func SyncConfigOverrideSecret(
 	m *v1alpha2.MondooAuditConfig,
 ) error {
 	if m.Spec.SpaceID == "" {
+		// Clean up any leftover override secret from when spaceId was previously set
+		derivedSecret := &corev1.Secret{}
+		key := client.ObjectKey{Name: m.Name + ConfigOverrideSecretSuffix, Namespace: m.Namespace}
+		if err := kubeClient.Get(ctx, key, derivedSecret); err == nil {
+			_ = kubeClient.Delete(ctx, derivedSecret)
+		}
 		return nil
 	}
 

pkg/utils/k8s/space_config_test.go

@@ -79,6 +79,35 @@ func TestSyncConfigOverrideSecret(t *testing.T) {
 		assert.NoError(t, err)
 	})
 
+	t.Run("cleans up override secret when spaceId is removed", func(t *testing.T) {
+		leftoverSecret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test" + ConfigOverrideSecretSuffix,
+				Namespace: "default",
+			},
+			Data: map[string][]byte{
+				constants.MondooCredsSecretServiceAccountKey: []byte(`{"scope_mrn":"old"}`),
+			},
+		}
+
+		m := &v1alpha2.MondooAuditConfig{
+			ObjectMeta: metav1.ObjectMeta{Name: "test", Namespace: "default"},
+			Spec:       v1alpha2.MondooAuditConfigSpec{},
+		}
+
+		kubeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(leftoverSecret).Build()
+		err := SyncConfigOverrideSecret(context.Background(), kubeClient, m)
+		require.NoError(t, err)
+
+		// Verify the override secret was deleted
+		deletedSecret := &corev1.Secret{}
+		err = kubeClient.Get(context.Background(), client.ObjectKey{
+			Name:      "test" + ConfigOverrideSecretSuffix,
+			Namespace: "default",
+		}, deletedSecret)
+		assert.Error(t, err, "override secret should have been deleted")
+	})
+
 	t.Run("creates derived secret with scope_mrn", func(t *testing.T) {
 		origSecret := &corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{Name: "org-creds", Namespace: "default"},

pkg/utils/mondoo/gc.go

@@ -118,6 +118,11 @@ func DeleteStaleAssets(
 	// SA MRN format: //agents.api.mondoo.app/spaces/<id>/serviceaccounts/<id>
 	if spaceMrn := k8s.SpaceMrnForAuditConfig(*mondoo); spaceMrn != "" {
 		req.SpaceMrn = spaceMrn
+		// Warn if SA appears to be space-scoped (not org-level) and targets a different space
+		if saSpaceMrn := sa.SpaceMrn; saSpaceMrn != "" && saSpaceMrn != spaceMrn {
+			logger.Info("WARNING: spaceId targets a different space than the service account; ensure the SA has org-level access",
+				"saSpaceMrn", saSpaceMrn, "targetSpaceMrn", spaceMrn)
+		}
 	} else {
 		req.SpaceMrn = sa.SpaceMrn
 		if req.SpaceMrn == "" {

tests/e2e/scripts/apply-mondoo-config-space-splitting.sh

@@ -30,6 +30,7 @@ if [[ -n "${MONDOO_CONFIG_PATH:-}" ]]; then
     --dry-run=client -o yaml | kubectl apply -f -
 elif [[ -n "${ORG_CREDS_B64:-}" ]]; then
   info "Using credentials from ORG_CREDS_B64"
+  trap 'rm -f /tmp/mondoo-creds.json' EXIT
   echo "${ORG_CREDS_B64}" | base64 -d > /tmp/mondoo-creds.json
   kubectl create secret generic mondoo-client \
     --from-file=config=/tmp/mondoo-creds.json \