Ensure cross namespace cloning fails without TVR

NetApp · Jan 22, 2025 · c5234c7 · c5234c7
1 parent ecb15b2
commit c5234c7
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/frontend/csi/controller_helpers/kubernetes/helper.go b/frontend/csi/controller_helpers/kubernetes/helper.go
@@ -336,6 +336,11 @@ func (h *helper) getSnapshotCloneSourceInfo(
 		if !h.matchNamespaceToAnnotation(clonePVC.Namespace, sourceCloneToNamespaces) {
 			return "", "", fmt.Errorf("cloning to namespace %s is not allowed, it is not listed in cloneToNamespace annotation", clonePVC.Namespace)
 		}
+		// Get the volume reference CR
+		_, err = h.getCachedVolumeReference(ctx, clonePVC.Namespace, snapSourcePVC.Name, namespace)
+		if err != nil {
+			return "", "", fmt.Errorf("volume reference not found: %v", err)
+		}
 
 	}
 	// If the clone from PVC annotation is also set, ensure it matches the snapshot
@@ -423,6 +428,11 @@ func (h *helper) getCloneSourceInfo(ctx context.Context, clonePVC *v1.Persistent
 		if !h.matchNamespaceToAnnotation(clonePVC.Namespace, sourceCloneToNamespaces) {
 			return "", fmt.Errorf("cloning to namespace %s is not allowed, it is not listed in cloneToNamespace annotation", clonePVC.Namespace)
 		}
+		// Get the volume reference CR
+		_, err := h.getCachedVolumeReference(ctx, clonePVC.Namespace, sourcePVCName, namespace)
+		if err != nil {
+			return "", fmt.Errorf("volume reference not found: %v", err)
+		}
 	}
 
 	// Check that both source and clone PVCs have the same storage class