User Request
Type: bug
Target: Console Application
Submitted by: @aaradhychinche-alt
Console Request ID: 6a3ed2da-b36c-4683-85f8-8901071ee344
Description
What happened:
Several GitOps endpoints (sync, helm upgrade, uninstall, rollback, drift detection, ArgoCD sync) only check authentication but do not enforce role-based authorization. As a result, any authenticated user can trigger cluster-level operations.
What I expected:
Cluster mutation operations should be restricted to admin users or users with appropriate permissions.
Steps to reproduce:
- Login as a non-admin (viewer/editor) user.
- Send a POST request to any of the following endpoints:
- /api/gitops/sync
- /api/gitops/helm-upgrade
- /api/gitops/helm-uninstall
- /api/gitops/helm-rollback
- /api/gitops/detect-drift
- /api/gitops/argocd/sync
- Observe that the request is processed instead of returning 403 Forbidden.
Relevant area:
GitOps handlers (pkg/api/handlers/gitops.go)
Suggested improvement:
Add explicit RBAC checks in all mutation endpoints to ensure only authorized users can perform these operations.
Impact:
Critical. Allows unauthorized users to modify or disrupt cluster state, leading to potential production incidents.
This issue was automatically created from the KubeStellar Console.
User Request
Type: bug
Target: Console Application
Submitted by: @aaradhychinche-alt
Console Request ID: 6a3ed2da-b36c-4683-85f8-8901071ee344
Description
What happened:
Several GitOps endpoints (sync, helm upgrade, uninstall, rollback, drift detection, ArgoCD sync) only check authentication but do not enforce role-based authorization. As a result, any authenticated user can trigger cluster-level operations.
What I expected:
Cluster mutation operations should be restricted to admin users or users with appropriate permissions.
Steps to reproduce:
Relevant area:
GitOps handlers (pkg/api/handlers/gitops.go)
Suggested improvement:
Add explicit RBAC checks in all mutation endpoints to ensure only authorized users can perform these operations.
Impact:
Critical. Allows unauthorized users to modify or disrupt cluster state, leading to potential production incidents.
This issue was automatically created from the KubeStellar Console.