Copilot Review Comments
PR #8134 (🔐 fix: enforce pods/exec RBAC check before opening exec stream (#8120)) was merged with 3 Copilot review comment(s) that should be addressed in a follow-up:
- pkg/api/handlers/exec_test.go:125: The comment in this test claims a typed-nil interface is distinguishable from an untyped nil by `h.authorizer == nil`, but in Go an interface holding a typed-nil pointer is non-nil. This is misleading...
- pkg/api/handlers/exec.go:187: `NewExecHandlers` assigns `authorizer: k8sClient`. If `k8sClient` is nil, this produces a non-nil interface holding a typed-nil `*k8s.MultiClusterClient`, so `if h.authorizer == nil` in `HandleExec` w...
- pkg/api/handlers/exec.go:452: The new pods/exec RBAC enforcement is security-critical, but there’s no unit test that drives `HandleExec` through the new allow/deny/error branches (e.g., asserting a deny/error returns before buildi...
PR: #8134
Auto-generated by copilot-comment-followup workflow
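
The typed-nil pitfall and the allow/deny/error branches named in the review comments, shown as an added Go example that is not code from PR #8134 or the project. `Authorizer`, `client`, `handlers`, `missing`, `checkExec` and the status codes are hypothetical stand-ins chosen for illustration.

```go
package main

import (
	"fmt"
	"reflect"
)

// Authorizer is a hypothetical stand-in for the interface the exec handler consults.
type Authorizer interface {
	CanExec(user, namespace string) (bool, error)
}

// client is a constructed fake: it returns whatever decision and error it was given.
type client struct {
	allow bool
	err   error
}

func (c *client) CanExec(user, namespace string) (bool, error) { return c.allow, c.err }

type handlers struct{ authorizer Authorizer }

// newHandlers stores c as-is, so a nil *client becomes a non-nil interface value.
func newHandlers(c *client) *handlers { return &handlers{authorizer: c} }

// missing reports an absent authorizer, including an interface wrapping a nil pointer.
func missing(a Authorizer) bool {
	v := reflect.ValueOf(a)
	return a == nil || (v.Kind() == reflect.Ptr && v.IsNil())
}

// checkExec returns an HTTP-style status (assumed values) and fails closed:
// a caller would open the exec stream only on 200.
func checkExec(h *handlers, user, namespace string) int {
	if missing(h.authorizer) {
		return 503 // no authorizer configured: refuse instead of skipping the check
	}
	allowed, err := h.authorizer.CanExec(user, namespace)
	if err != nil {
		return 500 // an error never falls through to allow
	}
	if !allowed {
		return 403
	}
	return 200
}

func main() {
	h := newHandlers(nil) // typed-nil *client inside the interface
	fmt.Println(h.authorizer == nil, missing(h.authorizer), checkExec(h, "dev", "prod"))
}
```

A plain `h.authorizer == nil` guard is false for the handler built from a nil pointer, which is why the check uses `missing` before calling the authorizer.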