From c5234c7d5a8f3219dcdcd255923a83771b55bece Mon Sep 17 00:00:00 2001
From: emmahardison <106281452+emmahardison@users.noreply.github.com>
Date: Tue, 21 Jan 2025 17:04:53 -0700
Subject: [PATCH] Ensure cross namespace cloning fails without TVR

---
 frontend/csi/controller_helpers/kubernetes/helper.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/frontend/csi/controller_helpers/kubernetes/helper.go b/frontend/csi/controller_helpers/kubernetes/helper.go
index 9f748cd7e..64c4da52d 100644
--- a/frontend/csi/controller_helpers/kubernetes/helper.go
+++ b/frontend/csi/controller_helpers/kubernetes/helper.go
@@ -336,6 +336,11 @@ func (h *helper) getSnapshotCloneSourceInfo(
 		if !h.matchNamespaceToAnnotation(clonePVC.Namespace, sourceCloneToNamespaces) {
 			return "", "", fmt.Errorf("cloning to namespace %s is not allowed, it is not listed in cloneToNamespace annotation", clonePVC.Namespace)
 		}
+		// Get the volume reference CR
+		_, err = h.getCachedVolumeReference(ctx, clonePVC.Namespace, snapSourcePVC.Name, namespace)
+		if err != nil {
+			return "", "", fmt.Errorf("volume reference not found: %v", err)
+		}
 
 	}
 	// If the clone from PVC annotation is also set, ensure it matches the snapshot
@@ -423,6 +428,11 @@ func (h *helper) getCloneSourceInfo(ctx context.Context, clonePVC *v1.Persistent
 		if !h.matchNamespaceToAnnotation(clonePVC.Namespace, sourceCloneToNamespaces) {
 			return "", fmt.Errorf("cloning to namespace %s is not allowed, it is not listed in cloneToNamespace annotation", clonePVC.Namespace)
 		}
+		// Get the volume reference CR
+		_, err := h.getCachedVolumeReference(ctx, clonePVC.Namespace, sourcePVCName, namespace)
+		if err != nil {
+			return "", fmt.Errorf("volume reference not found: %v", err)
+		}
 	}
 
 	// Check that both source and clone PVCs have the same storage class