Kubernetes provider validation fails on AWS EKS due to SelfSubjectRulesReview API limitations #5009

@xawei

Description

Describe the bug
The Kubernetes provider validation currently uses SelfSubjectRulesReview to check user permissions for secret access (implemented here). However, according to the official Kubernetes documentation, this API:

"may return incomplete results depending on the server's authorization mode" and "should NOT be used by external systems to drive authorization decisions."

This can cause validation failures for valid credentials, particularly on managed Kubernetes services like AWS EKS, even when users have appropriate permissions.

To Reproduce

  1. Create Environment:

    • ESO version: 0.18.2
    • Kubernetes version: 1.33 (AWS EKS)
    • User credentials: cluster-admin role via AWS IAM
  2. Apply Manifest:

    • ClusterSecretStore

      apiVersion: external-secrets.io/v1
      kind: ClusterSecretStore
      metadata:
        name: managed-k8s-cluster-store
      spec:
        provider:
          kubernetes:
            remoteNamespace: argocd
            authRef:
              key: kubeconfig
              name: cluster-admin-auth  # kubeconfig with sufficient permission
              namespace: default
      
    • After applying this ClusterSecretStore, it will be stuck in ValidationFailed

Expected behavior
SecretStore/ClusterSecretStore validation should succeed when the kubeconfig has valid permissions to access secrets in the target namespace.

Observed behavior

  • SecretStore/ClusterSecretStore validation fails with error: "client is not allowed to get secrets"

  • This occurs despite the kubeconfig having valid permissions

Additional context

  • This issue particularly affects managed Kubernetes services like AWS EKS that may use authorization modes causing SelfSubjectRulesReview to return incomplete results

  • The Kubernetes documentation recommends SelfSubjectAccessReview for authorization decisions

  • I noticed that ESO used SelfSubjectAccessReview for validation in v0.5.6 but at some point switched to SelfSubjectRulesReview, which is not accurate.

Suggested Enhancement
Consider replacing SelfSubjectRulesReview with SelfSubjectAccessReview in pkg/provider/kubernetes/validate.go for more reliable permission checking:

```go
// Ask the API server whether the store's credentials may get secrets in the
// remote namespace (authv1 = k8s.io/api/authorization/v1,
// metav1 = k8s.io/apimachinery/pkg/apis/meta/v1, as used in the provider package).
t := authv1.SelfSubjectAccessReview{
    Spec: authv1.SelfSubjectAccessReviewSpec{
        ResourceAttributes: &authv1.ResourceAttributes{
            Namespace: c.store.RemoteNamespace,
            Verb:      "get",
            Group:     "",
            Resource:  "secrets",
        },
    },
}
accessReview, err := c.userReviewClient.Create(ctx, &t, metav1.CreateOptions{})
if err != nil {
    // The review itself could not be performed: report Unknown, not a denial.
    return esv1.ValidationResultUnknown, fmt.Errorf("could not verify if client is valid: %w", err)
}
if accessReview.Status.Allowed {
    return esv1.ValidationResultReady, nil
}
return esv1.ValidationResultError, errors.New("client is not allowed to get secrets")
```

The SelfSubjectAccessReview API documentation indicates this is the recommended approach for checking specific permissions.
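As an added illustration, not part of this issue or the ESO code base, the following Python sketch runs the two checks over constructed dicts shaped like the `status` sections of SelfSubjectRulesReview and SelfSubjectAccessReview responses; no cluster is contacted, and the EKS-style payload assumes the incomplete, empty rules list the issue describes.

```python
"""Constructed example (not ESO code): the two checks run over dicts shaped like the
`status` of SelfSubjectRulesReview and SelfSubjectAccessReview responses."""

READY, ERROR, UNKNOWN = "Ready", "Error", "Unknown"


def _has(values, wanted):
    # RBAC rule fields list either the exact value or the "*" wildcard.
    return wanted in values or "*" in values


def validate_via_rules(rules_status):
    """Current approach as the issue describes it: enumerate the caller's rules and
    search for one granting get on secrets in the core API group."""
    if rules_status.get("evaluationError"):
        return UNKNOWN, "could not verify if client is valid: " + rules_status["evaluationError"]
    for rule in rules_status.get("resourceRules", []):
        if (_has(rule.get("verbs", []), "get")
                and _has(rule.get("apiGroups", []), "")
                and _has(rule.get("resources", []), "secrets")):
            return READY, None
    # status.incomplete is ignored here, so an authorizer that cannot enumerate its
    # rules (the issue's EKS case) makes a valid credential look denied.
    return ERROR, "client is not allowed to get secrets"


def validate_via_access(access_status):
    """Proposed approach: SelfSubjectAccessReview answers the one concrete question."""
    if access_status.get("evaluationError"):
        return UNKNOWN, "could not verify if client is valid: " + access_status["evaluationError"]
    if access_status.get("allowed"):
        return READY, None
    return ERROR, "client is not allowed to get secrets"


# Constructed responses for a cluster-admin identity on an EKS-style cluster, assuming the
# incomplete, empty rules list the issue describes; the direct question is still answered.
EKS_RULES_STATUS = {"resourceRules": [], "nonResourceRules": [], "incomplete": True}
EKS_ACCESS_STATUS = {"allowed": True, "denied": False}

# Constructed responses for the same identity on a plain RBAC cluster, where both checks agree.
RBAC_RULES_STATUS = {"resourceRules": [{"verbs": ["*"], "apiGroups": ["*"], "resources": ["*"]}],
                     "incomplete": False}
RBAC_ACCESS_STATUS = {"allowed": True}

if __name__ == "__main__":
    print("EKS  via rules :", validate_via_rules(EKS_RULES_STATUS))
    print("EKS  via access:", validate_via_access(EKS_ACCESS_STATUS))
    print("RBAC via rules :", validate_via_rules(RBAC_RULES_STATUS))
```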

Labels: good first issue (Good for newcomers), kind/bug (Categorizes issue or PR as related to a bug)