User Request
Type: bug
Target: Console Application
Submitted by: @mrhapile
Console Request ID: 83b66963-72ae-4fe5-b3d8-169e6ba6acd9
Description
Category: Security/Authz. Severity: Critical.
Location: pkg/api/handlers/exec.go#L134.
Description: The exec WebSocket validates JWTs but performs no role, namespace, or Kubernetes permission check before opening PodExecOptions.
Steps: Authenticate as a low-privilege console user and connect to /ws/exec with a valid pod/namespace/cluster.
Expected: Exec should require explicit RBAC/console authorization.
Actual: Any authenticated user can attempt pod shell access.
Root Cause: Authentication is implemented, authorization is not.
Suggested Fix: Check console role and Kubernetes can-i permissions before creating the exec session.
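One shape the suggested fix could take, as an added illustration rather than code from the KubeStellar Console: an authorization gate the exec handler runs after JWT validation and before building PodExecOptions, which checks the console role first and then asks the target cluster, via a SubjectAccessReview for create on pods/exec in the requested namespace, whether the console user may exec, denying whenever the review itself fails. The AccessReviewer interface, the role names and the in-memory reviewers are assumptions made for the example; in production the interface would wrap client-go's AuthorizationV1().SubjectAccessReviews().Create for the user's identity.

```go
package main

import "context"
import "fmt"

// ResourceAttributes mirrors the authorization.k8s.io/v1 SubjectAccessReview fields used here.
type ResourceAttributes struct{ Namespace, Verb, Resource, Subresource, Name string }
// AccessReviewer abstracts the cluster-side check (an assumption); in production it wraps
// client-go's AuthorizationV1().SubjectAccessReviews().Create on the target cluster for the user.
type AccessReviewer interface {
	Review(ctx context.Context, user string, a ResourceAttributes) (allowed bool, reason string, err error)
}
// ExecRequest is what /ws/exec holds after JWT validation: identity plus target.
type ExecRequest struct{ User, Role, Namespace, Pod string }
// Console-side policy layer; the role names are hypothetical.
var rolesAllowedToExec = map[string]bool{"admin": true, "operator": true}

// AuthorizeExec must succeed before PodExecOptions is built. It fails closed:
// a reviewer error is a denial, and the console role is checked before the cluster is asked.
func AuthorizeExec(ctx context.Context, r AccessReviewer, req ExecRequest) error {
	if !rolesAllowedToExec[req.Role] {
		return fmt.Errorf("console role %q may not open exec sessions", req.Role)
	}
	attrs := ResourceAttributes{Namespace: req.Namespace, Verb: "create",
		Resource: "pods", Subresource: "exec", Name: req.Pod}
	allowed, reason, err := r.Review(ctx, req.User, attrs)
	if err != nil {
		return fmt.Errorf("access review failed, denying exec: %w", err)
	}
	if !allowed {
		return fmt.Errorf("%q may not exec into %s/%s: %s", req.User, req.Namespace, req.Pod, reason)
	}
	return nil
}

// fakeReviewer is a constructed stand-in for a cluster: fakeReviewer[user][namespace] records
// that the user holds an RBAC binding for create on pods/exec in that namespace.
type fakeReviewer map[string]map[string]bool

func (f fakeReviewer) Review(_ context.Context, user string, a ResourceAttributes) (bool, string, error) {
	if f[user][a.Namespace] && a.Verb == "create" && a.Resource == "pods" && a.Subresource == "exec" {
		return true, "", nil
	}
	return false, "no RBAC binding for pods/exec in " + a.Namespace, nil
}

// downReviewer simulates an unreachable API server so the fail-closed path can be exercised.
type downReviewer struct{ err error }

func (d downReviewer) Review(context.Context, string, ResourceAttributes) (bool, string, error) { return false, "", d.err }
```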
This issue was automatically created from the KubeStellar Console.