Describe the bug

pkg/api/handlers/exec.go checks that the user has a valid JWT, but it does not check if the user is actually allowed to exec into the pod. After the token is accepted, the code opens the exec session without asking Kubernetes RBAC if the user has permission to create pods/exec for that pod, namespace, or cluster.

This is a security problem because kubectl exec gives shell access inside a running workload. So, any logged-in user who can reach this handler may be able to enter pods they should not access. That can expose secrets, environment variables, mounted credentials, and app internals.

Environment

• Browser: N/A (backend issue)
• OS: Linux

Steps To Reproduce

1. Log in to the console with a valid JWT.
2. Try to open exec for a pod you should not be allowed to access.
3. Send the auth message that HandleExec expects.
4. Notice that the token is accepted, but no RBAC check is made.
5. The exec session still opens, even without pods/exec permission.

Expected Behavior

Before starting an exec session, the backend should check Kubernetes RBAC rules for the target pod. For example, it should verify that the user can create pods/exec in the right namespace and cluster. If not, the request should be denied.

Browser Console / Backend Logs

Want to contribute?

• I would like to work on this issue.

Additional Context

This is a privilege-escalation bug. Just checking the login token is not enough for pod exec; Kubernetes authorization must also be checked. The comment in HandleExec already says authorization is missing, so the gap is known and should be fixed.