fix: refuse to overwrite foreign services

[dervoeti]

Description

TLDR: Write access on Listener allows write access for any Service in the same namespace.

The Listener reconciler writes its output Service using the Listener CR's own name and applies it via server-side apply with force=true (through ClusterResources::add). Combined with the operator's cluster-wide write permissions on Services, this lets any principal who can create a Listener in a namespace cause the operator to overwrite the contents of any pre-existing same-named Service in that namespace, stealing ownership and attaching a controller OwnerReference that links the hijacked object to the Listener CR for cascade delete.

A tenant with create on listeners.listeners.stackable.tech in their namespace can create a Listener named after an existing Service and:

• a) redirect that Service's traffic by overwriting its spec.selector and spec.ports (the selector is derived from the
  attacker-controlled spec.extraPodSelectorLabels), pointing it at attacker pods, and
• b) cascade-delete the victim Service by deleting the Listener.

This is the same class of issue as the TrustStore hijack fixed in stackabletech/secret-operator#707. The reach is bounded to namespaces where the principal can create Listeners (normally their own), since the output Service is always created in the Listener's own namespace.

Fix

Before applying, look up the existing target Service. If the object already exists and is not owned by the current Listener (no
controller OwnerReference matching this Listener's kind, API group and UID), refuse the reconciliation.

Definition of Done Checklist

• Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant
• Please make sure all these things are done and tick the boxes

Author

• Changes are OpenShift compatible
• CRD changes approved
• CRD documentation for all fields, following the style guide.
• Helm chart can be installed and deployed operator works
• Integration tests passed (for non trivial changes)
• Changes need to be "offline" compatible
• Links to generated (nightly) docs added
• Release note snippet added

Reviewer

• Code contains useful comments
• Code contains useful logging statements
• (Integration-)Test cases added
• Documentation added or updated. Follows the style guide.
• Changelog updated
• Cargo.toml only contains references to git tags (not specific commits or branches)

Acceptance

• Feature Tracker has been updated
• Proper release label has been added
• Links to generated (nightly) docs added
• Release note snippet added
• Add type/deprecation label & add to the deprecation schedule
• Add type/experimental label & add to the experimental features tracker