CVE-2026-55225: Strimzi: Cross-namespace privilege escalation via `Kafka.spec.entityOperator`
Having the Topic and User Operators watch namespaces other than the one where the Kafka cluster is deployed is a fully documented feature.
When the watchedNamespace field is set on the Topic or User Operator (under the Kafka.spec.entityOperator field), the Cluster Operator creates a Role in the specified namespace granting full CRUD on Secrets. It also creates a RoleBinding that binds this Role to the Entity Operator's ServiceAccount, which lives in the namespace where the Kafka cluster runs.
An attacker can craft a Kafka custom resource (in the attacker's namespace) with the watchedNamespace field set to a target namespace, then mint a token for the Entity Operator ServiceAccount (in the attacker's namespace) and use it to read and write Secrets in that target. This works for any target namespace in which the Cluster Operator has the necessary rights, regardless of the value of the STRIMZI_NAMESPACE environment variable. The at-risk target namespaces are therefore the namespaces for which the user has granted permissions to the Cluster Operator by creating the related RoleBinding(s).
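As an added defensive example (not part of the advisory and not Strimzi's own code), the following audit script finds Kafka resources whose Topic or User Operator watches a namespace other than the cluster's own, and narrows those findings to targets where the Cluster Operator actually holds a RoleBinding, since those are the namespaces the advisory identifies as at risk. The Kafka resources and the set of bound namespaces are constructed sample data standing in for `kubectl get kafka -A -o json` output and a RoleBinding inventory; the field paths `spec.entityOperator.topicOperator.watchedNamespace` and `spec.entityOperator.userOperator.watchedNamespace` are the Strimzi schema locations of the field the advisory describes.

```python
"""Audit Kafka custom resources for cross-namespace Entity Operator watches.

A Kafka resource in namespace A whose Topic or User Operator has
watchedNamespace set to namespace B causes the Cluster Operator to grant the
Entity Operator ServiceAccount in A full access to Secrets in B. This script
lists such configurations so an administrator can review them.
"""
from typing import Dict, List, Set

# Constructed sample data: the shape of `kubectl get kafka -A -o json`.
# Cluster and namespace names are hypothetical.
KAFKA_RESOURCES: Dict = {
    "items": [
        {   # Entity Operator present, no watchedNamespace: watches its own namespace
            "metadata": {"name": "my-cluster", "namespace": "kafka"},
            "spec": {"entityOperator": {"topicOperator": {}, "userOperator": {}}},
        },
        {   # Topic Operator watches a foreign namespace; User Operator stays local
            "metadata": {"name": "tenant-cluster", "namespace": "tenant-a"},
            "spec": {
                "entityOperator": {
                    "topicOperator": {"watchedNamespace": "payments"},
                    "userOperator": {"watchedNamespace": "tenant-a"},
                }
            },
        },
        {   # No Entity Operator at all: nothing to flag
            "metadata": {"name": "no-eo", "namespace": "tenant-b"},
            "spec": {},
        },
    ]
}

# Constructed sample: namespaces in which a RoleBinding grants the Cluster
# Operator its permissions (the namespaces the advisory calls at risk).
CLUSTER_OPERATOR_BOUND_NAMESPACES: Set[str] = {"kafka", "tenant-a", "payments"}


def cross_namespace_watches(kafka_list: Dict) -> List[Dict[str, str]]:
    """Return one finding per operator whose watchedNamespace differs from the
    namespace the Kafka resource itself lives in."""
    findings: List[Dict[str, str]] = []
    for item in kafka_list.get("items", []):
        meta = item.get("metadata", {})
        home_ns = meta.get("namespace")
        entity_operator = item.get("spec", {}).get("entityOperator") or {}
        for operator in ("topicOperator", "userOperator"):
            config = entity_operator.get(operator)
            if config is None:
                continue  # this operator is not deployed for this cluster
            # An absent watchedNamespace means "watch the cluster's own namespace".
            watched = config.get("watchedNamespace", home_ns)
            if watched != home_ns:
                findings.append({
                    "kafka": f"{home_ns}/{meta.get('name')}",
                    "operator": operator,
                    "target": watched,
                })
    return findings


def effective_findings(findings: List[Dict[str, str]],
                       bound_namespaces: Set[str]) -> List[Dict[str, str]]:
    """Keep only findings whose target namespace the Cluster Operator can act
    in; a watch on a namespace it has no RoleBinding for produces no grant."""
    return [f for f in findings if f["target"] in bound_namespaces]


if __name__ == "__main__":
    all_findings = cross_namespace_watches(KAFKA_RESOURCES)
    for finding in effective_findings(all_findings, CLUSTER_OPERATOR_BOUND_NAMESPACES):
        print(f"{finding['kafka']}: {finding['operator']} watches "
              f"{finding['target']} (Cluster Operator is bound there)")
```

Run against real cluster output by loading the JSON into `KAFKA_RESOURCES` and filling `CLUSTER_OPERATOR_BOUND_NAMESPACES` from the RoleBindings whose subject is the Cluster Operator ServiceAccount; every effective finding is a Secrets grant into another namespace that should be intentional and owned by someone who is allowed to read those Secrets.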