Replicated Secrets can pick up secrets from outside of their own namespace

[Miles-Garnsey]

What happened?

ReplicatedSecrets currently pick up secrets from outside their own namespace. For example, a ReplicatedSecret like this:

repSecret := api.ReplicatedSecret{
		ObjectMeta: metav1.ObjectMeta{
			Namespace: localNamespaceLocalCluster,
			Name:      "replicated-secret",
		},
		Spec: api.ReplicatedSecretSpec{
			Selector: &metav1.LabelSelector{
				MatchLabels: map[string]string{
					"pickme": "true",
				},
			},
			ReplicationTargets: []api.ReplicationTarget{
				{
					//Local cluster local namespace
					TargetPrefix: "targetprefix-",
					Namespace:    localNamespaceLocalCluster,
					DropLabels:   []string{"dropme", "pickme"},
					AddLabels: map[string]string{
						"addMe": "true",
					},
				},
			},
		},
	}

Would feasibly pick up secrets from both the namespace localNamespaceLocalCluster but also from all other namespaces within the control plane cluster.

Did you expect to see something different?

Yes. ReplicatedSecrets are not supposed to replicate secrets from outside their own namespace. This is a unexpected behaviour from a security perspective, since it means that a user permissioned to create a ReplicatedSecret in any namespace gets access to all secrets throughout the cluster (because they can replicate them to any namespace that they are permissioned for.)

How to reproduce it (as minimally and precisely as possible):

Environment

• K8ssandra Operator version:

  Insert image tag or Git SHA here

• Kubernetes version information:

  kubectl version

• Kubernetes cluster kind:

  insert how you created your cluster: kops, bootkube, etc.

• Manifests:

insert manifests relevant to the issue

• K8ssandra Operator Logs:

insert K8ssandra Operator logs relevant to the issue here

Anything else we need to know?: