NVIDIA-477: Add ownership validation before deleting resources

linoyaslan · tsorya · commit c30411a1aa37 · 2026-03-10T10:16:24.000-04:00
diff --git a/internal/common/ownership.go b/internal/common/ownership.go
@@ -0,0 +1,27 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package common
+
+// IsOwnedByProvisioner checks if a resource's labels indicate ownership by the given DPFHCPProvisioner.
+// Used for cross-namespace resources where OwnerReferences cannot be used.
+func IsOwnedByProvisioner(labels map[string]string, provisionerName, provisionerNamespace string) bool {
+	if len(labels) == 0 {
+		return false
+	}
+	return labels[LabelDPFHCPProvisionerName] == provisionerName &&
+		labels[LabelDPFHCPProvisionerNamespace] == provisionerNamespace
+}
diff --git a/internal/controller/hostedcluster/cleanup_handler.go b/internal/controller/hostedcluster/cleanup_handler.go
@@ -25,6 +25,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -163,7 +164,15 @@ func (h *CleanupHandler) deleteResource(
 		return false, fmt.Errorf("failed to get %s: %w", resourceKind, err)
 	}
 
-	// Resource still exists
+	// Verify ownership before deleting
+	if !metav1.IsControlledBy(obj, cr) {
+		log.Info(fmt.Sprintf("Skipping %s deletion - not owned by this DPFHCPProvisioner", resourceKind),
+			resourceKind, key.Name,
+			"namespace", key.Namespace)
+		return true, nil
+	}
+
+	// Resource still exists and is owned by us
 	deletionTimestamp := obj.GetDeletionTimestamp()
 	if deletionTimestamp == nil {
 		// Resource not yet marked for deletion, delete it now
@@ -205,7 +214,7 @@ func (h *CleanupHandler) deleteSecrets(ctx context.Context, cr *provisioningv1al
 	}
 
 	for _, secretName := range secretNames {
-		if err := h.deleteSecret(ctx, cr.Namespace, secretName); err != nil {
+		if err := h.deleteSecret(ctx, cr, secretName); err != nil {
 			log.Error(err, "Failed to delete secret",
 				"secret", secretName,
 				"namespace", cr.Namespace)
@@ -220,14 +229,14 @@ func (h *CleanupHandler) deleteSecrets(ctx context.Context, cr *provisioningv1al
 	return nil
 }
 
-// deleteSecret deletes a single secret
-func (h *CleanupHandler) deleteSecret(ctx context.Context, namespace, secretName string) error {
+// deleteSecret deletes a single secret after verifying ownership
+func (h *CleanupHandler) deleteSecret(ctx context.Context, cr *provisioningv1alpha1.DPFHCPProvisioner, secretName string) error {
 	log := logf.FromContext(ctx)
 
 	secret := &corev1.Secret{}
 	secretKey := types.NamespacedName{
 		Name:      secretName,
-		Namespace: namespace,
+		Namespace: cr.Namespace,
 	}
 
 	err := h.client.Get(ctx, secretKey, secret)
@@ -236,16 +245,24 @@ func (h *CleanupHandler) deleteSecret(ctx context.Context, namespace, secretName
 			// Secret already deleted
 			log.V(1).Info("Secret already deleted",
 				"secret", secretName,
-				"namespace", namespace)
+				"namespace", cr.Namespace)
 			return nil
 		}
 		return fmt.Errorf("failed to get secret %s: %w", secretName, err)
 	}
 
+	// Verify ownership before deleting
+	if !metav1.IsControlledBy(secret, cr) {
+		log.Info("Skipping secret deletion - not owned by this DPFHCPProvisioner",
+			"secret", secretName,
+			"namespace", cr.Namespace)
+		return nil
+	}
+
 	// Delete secret
 	log.V(1).Info("Deleting secret",
 		"secret", secretName,
-		"namespace", namespace)
+		"namespace", cr.Namespace)
 
 	if err := h.client.Delete(ctx, secret); err != nil {
 		if apierrors.IsNotFound(err) {
@@ -257,7 +274,7 @@ func (h *CleanupHandler) deleteSecret(ctx context.Context, namespace, secretName
 
 	log.Info("Secret deleted successfully",
 		"secret", secretName,
-		"namespace", namespace)
+		"namespace", cr.Namespace)
 
 	return nil
 }
diff --git a/internal/controller/kubeconfiginjection/cleanup_handler.go b/internal/controller/kubeconfiginjection/cleanup_handler.go
@@ -93,7 +93,7 @@ func (h *CleanupHandler) Cleanup(ctx context.Context, cr *provisioningv1alpha1.D
 		return nil
 	}
 
-	// Delete found secrets
+	// Delete found secrets (ownership verified via label selector above)
 	deletedCount := 0
 	for i := range secretList.Items {
 		secret := &secretList.Items[i]
diff --git a/internal/controller/metallb/cleanup_handler.go b/internal/controller/metallb/cleanup_handler.go
@@ -88,23 +88,27 @@ func (h *CleanupHandler) Cleanup(ctx context.Context, cr *provisioningv1alpha1.D
 			return fmt.Errorf("getting IPAddressPool: %w", err)
 		}
 	} else {
-		// Resource still exists, initiate deletion
-		log.Info("Deleting IPAddressPool",
-			"name", pool.Name,
-			"namespace", pool.Namespace)
-
-		if err := h.client.Delete(ctx, pool); err != nil {
-			if !apierrors.IsNotFound(err) {
-				// Deletion failed with non-NotFound error
-				log.Error(err, "Failed to delete IPAddressPool")
-				return fmt.Errorf("deleting IPAddressPool: %w", err)
+		// Verify ownership via labels before deleting
+		if !common.IsOwnedByProvisioner(pool.Labels, cr.Name, cr.Namespace) {
+			log.Info("Skipping IPAddressPool deletion - not owned by this DPFHCPProvisioner",
+				"name", pool.Name,
+				"namespace", pool.Namespace)
+		} else {
+			// Resource still exists and is owned by us, initiate deletion
+			log.Info("Deleting IPAddressPool",
+				"name", pool.Name,
+				"namespace", pool.Namespace)
+
+			if err := h.client.Delete(ctx, pool); err != nil {
+				if !apierrors.IsNotFound(err) {
+					log.Error(err, "Failed to delete IPAddressPool")
+					return fmt.Errorf("deleting IPAddressPool: %w", err)
+				}
 			}
-			// Resource was deleted between GET and DELETE (race condition - this is OK)
-		}
 
-		// Resource deletion initiated, wait for it to complete
-		log.V(1).Info("Waiting for IPAddressPool deletion to complete")
-		return fmt.Errorf("waiting for IPAddressPool deletion")
+			log.V(1).Info("Waiting for IPAddressPool deletion to complete")
+			return fmt.Errorf("waiting for IPAddressPool deletion")
+		}
 	}
 
 	// Step 2: Delete L2Advertisement
@@ -115,32 +119,33 @@ func (h *CleanupHandler) Cleanup(ctx context.Context, cr *provisioningv1alpha1.D
 	}, advert)
 
 	if err != nil {
-		// Check if resource was already deleted (NotFound is success)
 		if apierrors.IsNotFound(err) {
 			log.V(1).Info("L2Advertisement already deleted or never existed")
 		} else {
-			// Unexpected error (permission denied, network issue, etc.)
 			log.Error(err, "Failed to get L2Advertisement")
 			return fmt.Errorf("getting L2Advertisement: %w", err)
 		}
 	} else {
-		// Resource still exists, initiate deletion
-		log.Info("Deleting L2Advertisement",
-			"name", advert.Name,
-			"namespace", advert.Namespace)
-
-		if err := h.client.Delete(ctx, advert); err != nil {
-			if !apierrors.IsNotFound(err) {
-				// Deletion failed with non-NotFound error
-				log.Error(err, "Failed to delete L2Advertisement")
-				return fmt.Errorf("deleting L2Advertisement: %w", err)
+		// Verify ownership via labels before deleting
+		if !common.IsOwnedByProvisioner(advert.Labels, cr.Name, cr.Namespace) {
+			log.Info("Skipping L2Advertisement deletion - not owned by this DPFHCPProvisioner",
+				"name", advert.Name,
+				"namespace", advert.Namespace)
+		} else {
+			log.Info("Deleting L2Advertisement",
+				"name", advert.Name,
+				"namespace", advert.Namespace)
+
+			if err := h.client.Delete(ctx, advert); err != nil {
+				if !apierrors.IsNotFound(err) {
+					log.Error(err, "Failed to delete L2Advertisement")
+					return fmt.Errorf("deleting L2Advertisement: %w", err)
+				}
 			}
-			// Resource was deleted between GET and DELETE (race condition - this is OK)
-		}
 
-		// Resource deletion initiated, wait for it to complete
-		log.V(1).Info("Waiting for L2Advertisement deletion to complete")
-		return fmt.Errorf("waiting for L2Advertisement deletion")
+			log.V(1).Info("Waiting for L2Advertisement deletion to complete")
+			return fmt.Errorf("waiting for L2Advertisement deletion")
+		}
 	}
 
 	// All resources cleaned up successfully
diff --git a/internal/controller/metallb/metallb.go b/internal/controller/metallb/metallb.go
@@ -151,7 +151,7 @@ func (m *MetalLBManager) ensureIPAddressPool(ctx context.Context, provisioner *p
 
 	op, err := controllerutil.CreateOrUpdate(ctx, m.client, pool, func() error {
 		// Verify ownership if resource already exists (ResourceVersion is set by API server on existing resources)
-		if pool.ResourceVersion != "" && !m.isOwnedByProvisioner(pool, provisioner) {
+		if pool.ResourceVersion != "" && !common.IsOwnedByProvisioner(pool.Labels, provisioner.Name, provisioner.Namespace) {
 			return fmt.Errorf("IPAddressPool %s/%s exists but is not owned by DPFHCPProvisioner %s/%s (missing ownership labels)",
 				pool.Namespace, pool.Name, provisioner.Namespace, provisioner.Name)
 		}
@@ -211,7 +211,7 @@ func (m *MetalLBManager) ensureL2Advertisement(ctx context.Context, provisioner
 
 	op, err := controllerutil.CreateOrUpdate(ctx, m.client, advert, func() error {
 		// Verify ownership if resource already exists (ResourceVersion is set by API server on existing resources)
-		if advert.ResourceVersion != "" && !m.isOwnedByProvisioner(advert, provisioner) {
+		if advert.ResourceVersion != "" && !common.IsOwnedByProvisioner(advert.Labels, provisioner.Name, provisioner.Namespace) {
 			return fmt.Errorf("L2Advertisement %s/%s exists but is not owned by DPFHCPProvisioner %s/%s (missing ownership labels)",
 				advert.Namespace, advert.Name, provisioner.Namespace, provisioner.Name)
 		}
@@ -249,19 +249,3 @@ func (m *MetalLBManager) ensureL2Advertisement(ctx context.Context, provisioner
 
 	return nil
 }
-
-// isOwnedByProvisioner checks if a resource has the correct ownership labels for the given DPFHCPProvisioner.
-// This prevents taking ownership of resources created by other operators or users.
-func (m *MetalLBManager) isOwnedByProvisioner(obj client.Object, provisioner *provisioningv1alpha1.DPFHCPProvisioner) bool {
-	labels := obj.GetLabels()
-	if labels == nil {
-		return false
-	}
-
-	provisionerName, hasProvisionerName := labels[common.LabelDPFHCPProvisionerName]
-	provisionerNamespace, hasProvisionerNamespace := labels[common.LabelDPFHCPProvisionerNamespace]
-
-	return hasProvisionerName && hasProvisionerNamespace &&
-		provisionerName == provisioner.Name &&
-		provisionerNamespace == provisioner.Namespace
-}
diff --git a/internal/controller/metallb/metallb_test.go b/internal/controller/metallb/metallb_test.go
@@ -390,6 +390,10 @@ var _ = Describe("MetalLB Manager", func() {
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "test-provisioner",
 						Namespace: common.OpenshiftOperatorsNamespace,
+						Labels: map[string]string{
+							common.LabelDPFHCPProvisionerName:      "test-provisioner",
+							common.LabelDPFHCPProvisionerNamespace: "test-ns",
+						},
 					},
 					Spec: metallbv1beta1.IPAddressPoolSpec{
 						Addresses: []string{"192.168.1.100/32"},
@@ -400,6 +404,10 @@ var _ = Describe("MetalLB Manager", func() {
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "advertise-test-provisioner",
 						Namespace: common.OpenshiftOperatorsNamespace,
+						Labels: map[string]string{
+							common.LabelDPFHCPProvisionerName:      "test-provisioner",
+							common.LabelDPFHCPProvisionerNamespace: "test-ns",
+						},
 					},
 					Spec: metallbv1beta1.L2AdvertisementSpec{
 						IPAddressPools: []string{"test-provisioner"},
@@ -477,6 +485,10 @@ var _ = Describe("MetalLB Manager", func() {
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "test-provisioner",
 						Namespace: common.OpenshiftOperatorsNamespace,
+						Labels: map[string]string{
+							common.LabelDPFHCPProvisionerName:      "test-provisioner",
+							common.LabelDPFHCPProvisionerNamespace: "test-ns",
+						},
 					},
 				}
 
@@ -516,6 +528,10 @@ var _ = Describe("MetalLB Manager", func() {
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "advertise-test-provisioner",
 						Namespace: common.OpenshiftOperatorsNamespace,
+						Labels: map[string]string{
+							common.LabelDPFHCPProvisionerName:      "test-provisioner",
+							common.LabelDPFHCPProvisionerNamespace: "test-ns",
+						},
 					},
 				}
 

Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ func (h CleanupHandler) Cleanup(ctx context.Context, cr provisioningv1alpha1.D`
`93`	`93`	`return nil`
`94`	`94`	`}`
`95`	`95`
`96`		`- // Delete found secrets`
	`96`	`+ // Delete found secrets (ownership verified via label selector above)`
`97`	`97`	`deletedCount := 0`
`98`	`98`	`for i := range secretList.Items {`
`99`	`99`	`secret := &secretList.Items[i]`