Validate ServerRef via Admission Webhook

[debuggerchen]

It seems that the S3Buckets/User/Policy can reference S3Server in any namespaces, which probably enables namespace-scoped users to use S3 storage outside their authorized namespaces. Perhaps an admission webhook would help check whether the user has permission of the referenced S3 server.

[nicolaiort]

Thank you for the suggestion, sounds like a good idea.
If you want to/are able to implement this i'd be happy to accept a PR - otherwise I'll add it to the "TODO" list and implement it whenever I have time.

A small addition: It should be implemented in a way that makes the "allow cross namespace" toggleable via a flag or env. In some of the clusters I deployed this to, the cross namespace reference is a feature by design to allow shared access to shared S3 servers.

[nicolaiort]

So.... it's been a while (and that's an understatement).

Long story short: I ran into a similar requirement in another controller, implemented it and then remembered this issue still exists.
I guess better late then never, therefor the next release will include toggleable hooks for cross-namespace verification.