[apiserver] reject status.type tampering via ValidateUpdate

dilyevsky · claude · dilyevsky · commit 0697ab32f153 · 2026-02-26T00:05:47.000-08:00
The statusSubResourceStrategy does not call PrepareForUpdate, so
controllers updating the /status subresource could overwrite
status.type with arbitrary values. Add a ValidateUpdate check that
rejects any update where status.type doesn't match deriveRecordType().

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/api/core/v1alpha3/domainrecord_validate.go b/api/core/v1alpha3/domainrecord_validate.go
@@ -77,6 +77,15 @@ func (r *DomainRecord) ValidateUpdate(ctx context.Context, obj runtime.Object) f
 		))
 	}
 
+	// status.type is server-authoritative; reject updates that tamper with it.
+	if expected := deriveRecordType(r); r.Status.Type != expected {
+		errs = append(errs, field.Invalid(
+			field.NewPath("status", "type"),
+			r.Status.Type,
+			fmt.Sprintf("must be %q (derived from spec)", expected),
+		))
+	}
+
 	return errs
 }
 
diff --git a/api/core/v1alpha3/domainrecord_validate_test.go b/api/core/v1alpha3/domainrecord_validate_test.go
@@ -0,0 +1,206 @@
+package v1alpha3
+
+import (
+	"context"
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func int32Ptr(v int32) *int32 { return &v }
+
+func TestValidateUpdate_StatusTypeServerAuthoritative(t *testing.T) {
+	tests := []struct {
+		name       string
+		old        *DomainRecord
+		updated    *DomainRecord
+		wantErr    bool
+		errField   string
+		errMessage string
+	}{
+		{
+			name: "correct status.type on A record passes",
+			old: &DomainRecord{
+				ObjectMeta: metav1.ObjectMeta{Name: "example--a"},
+				Spec: DomainRecordSpec{
+					Name: "example",
+					TTL:  int32Ptr(60),
+					Target: DomainRecordTarget{
+						DNS: &DomainRecordTargetDNS{
+							A: []string{"1.2.3.4"},
+						},
+					},
+				},
+				Status: DomainRecordStatus{Type: "A"},
+			},
+			updated: &DomainRecord{
+				ObjectMeta: metav1.ObjectMeta{Name: "example--a"},
+				Spec: DomainRecordSpec{
+					Name: "example",
+					TTL:  int32Ptr(60),
+					Target: DomainRecordTarget{
+						DNS: &DomainRecordTargetDNS{
+							A: []string{"5.6.7.8"},
+						},
+					},
+				},
+				Status: DomainRecordStatus{Type: "A"},
+			},
+			wantErr: false,
+		},
+		{
+			name: "correct status.type on Ref record passes",
+			old: &DomainRecord{
+				ObjectMeta: metav1.ObjectMeta{Name: "example--ref"},
+				Spec: DomainRecordSpec{
+					Name: "example",
+					TTL:  int32Ptr(60),
+					Target: DomainRecordTarget{
+						Ref: &LocalObjectReference{
+							Group: "core.apoxy.dev",
+							Kind:  "Proxy",
+							Name:  "my-proxy",
+						},
+					},
+				},
+				Status: DomainRecordStatus{Type: "Ref"},
+			},
+			updated: &DomainRecord{
+				ObjectMeta: metav1.ObjectMeta{Name: "example--ref"},
+				Spec: DomainRecordSpec{
+					Name: "example",
+					TTL:  int32Ptr(60),
+					Target: DomainRecordTarget{
+						Ref: &LocalObjectReference{
+							Group: "core.apoxy.dev",
+							Kind:  "Proxy",
+							Name:  "other-proxy",
+						},
+					},
+				},
+				Status: DomainRecordStatus{Type: "Ref"},
+			},
+			wantErr: false,
+		},
+		{
+			name: "tampered status.type on A record is rejected",
+			old: &DomainRecord{
+				ObjectMeta: metav1.ObjectMeta{Name: "example--a"},
+				Spec: DomainRecordSpec{
+					Name: "example",
+					TTL:  int32Ptr(60),
+					Target: DomainRecordTarget{
+						DNS: &DomainRecordTargetDNS{
+							A: []string{"1.2.3.4"},
+						},
+					},
+				},
+				Status: DomainRecordStatus{Type: "A"},
+			},
+			updated: &DomainRecord{
+				ObjectMeta: metav1.ObjectMeta{Name: "example--a"},
+				Spec: DomainRecordSpec{
+					Name: "example",
+					TTL:  int32Ptr(60),
+					Target: DomainRecordTarget{
+						DNS: &DomainRecordTargetDNS{
+							A: []string{"1.2.3.4"},
+						},
+					},
+				},
+				Status: DomainRecordStatus{Type: "A/AAAA"},
+			},
+			wantErr:    true,
+			errField:   "status.type",
+			errMessage: `must be "A" (derived from spec)`,
+		},
+		{
+			name: "empty status.type on AAAA record is rejected",
+			old: &DomainRecord{
+				ObjectMeta: metav1.ObjectMeta{Name: "example--aaaa"},
+				Spec: DomainRecordSpec{
+					Name: "example",
+					TTL:  int32Ptr(60),
+					Target: DomainRecordTarget{
+						DNS: &DomainRecordTargetDNS{
+							AAAA: []string{"2001:db8::1"},
+						},
+					},
+				},
+				Status: DomainRecordStatus{Type: "AAAA"},
+			},
+			updated: &DomainRecord{
+				ObjectMeta: metav1.ObjectMeta{Name: "example--aaaa"},
+				Spec: DomainRecordSpec{
+					Name: "example",
+					TTL:  int32Ptr(60),
+					Target: DomainRecordTarget{
+						DNS: &DomainRecordTargetDNS{
+							AAAA: []string{"2001:db8::1"},
+						},
+					},
+				},
+				Status: DomainRecordStatus{Type: ""},
+			},
+			wantErr:    true,
+			errField:   "status.type",
+			errMessage: `must be "AAAA" (derived from spec)`,
+		},
+		{
+			name: "tampered status.type on CNAME record is rejected",
+			old: &DomainRecord{
+				ObjectMeta: metav1.ObjectMeta{Name: "example--fqdn"},
+				Spec: DomainRecordSpec{
+					Name: "example",
+					TTL:  int32Ptr(60),
+					Target: DomainRecordTarget{
+						DNS: &DomainRecordTargetDNS{
+							FQDN: strPtr("other.example.com"),
+						},
+					},
+				},
+				Status: DomainRecordStatus{Type: "CNAME"},
+			},
+			updated: &DomainRecord{
+				ObjectMeta: metav1.ObjectMeta{Name: "example--fqdn"},
+				Spec: DomainRecordSpec{
+					Name: "example",
+					TTL:  int32Ptr(60),
+					Target: DomainRecordTarget{
+						DNS: &DomainRecordTargetDNS{
+							FQDN: strPtr("other.example.com"),
+						},
+					},
+				},
+				Status: DomainRecordStatus{Type: "A"},
+			},
+			wantErr:    true,
+			errField:   "status.type",
+			errMessage: `must be "CNAME" (derived from spec)`,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			errs := tt.updated.ValidateUpdate(context.Background(), tt.old)
+			if !tt.wantErr {
+				assert.Empty(t, errs, "expected no validation errors")
+				return
+			}
+			require.NotEmpty(t, errs, "expected validation errors")
+			var found bool
+			for _, e := range errs {
+				if e.Field == tt.errField {
+					found = true
+					assert.Contains(t, e.Detail, tt.errMessage)
+				}
+			}
+			assert.True(t, found, "expected error on field %q, got: %v", tt.errField, errs)
+		})
+	}
+}
+
+func strPtr(s string) *string { return &s }

Original file line number	Diff line number	Diff line change
`@@ -77,6 +77,15 @@ func (r *DomainRecord) ValidateUpdate(ctx context.Context, obj runtime.Object) f`
`77`	`77`	`))`
`78`	`78`	`}`
`79`	`79`
	`80`	`+ // status.type is server-authoritative; reject updates that tamper with it.`
	`81`	`+ if expected := deriveRecordType(r); r.Status.Type != expected {`
	`82`	`+ errs = append(errs, field.Invalid(`
	`83`	`+ field.NewPath("status", "type"),`
	`84`	`+ r.Status.Type,`
	`85`	`+ fmt.Sprintf("must be %q (derived from spec)", expected),`
	`86`	`+ ))`
	`87`	`+ }`
	`88`	`+`
`80`	`89`	`return errs`
`81`	`90`	`}`
`82`	`91`