Feature Request
Resolution: Done
1. Proposed title of this feature request
Additional authorization to WebSocket stream
2. What is the nature and description of the request?
Per Solution 6989997 (https://access.redhat.com/solutions/6989997), when a user is granted `get pods/exec`, the user can execute commands in the Pod. This is the expected behaviour. However, customers may be confused by this behaviour as they would expect that "create" is necessary to execute commands in a container (see the above Solution for details). However, since WebSockets are established using HTTP GET, this permission is enough to call `pods/exec` (see https://github.com/kubernetes/kubernetes/issues/78741).
This RFE requests that an additional authorization step is added to the Kubernetes API when `pods/exec` or `pods/attach` is called. This additional authorization step on the WebSocket level should then only allow the actions above when "create" permissions are also given to the calling user.
3. Why does the customer need this? (List the business requirements here)
Developer and admin teams may accidentally grant execution permissions via "get pods/*", not realising that this gives a user the permissions to execute commands in a Pod. Implementing this RFE would strengthen the authorization necessary for WebSockets.
4. List any affected packages or components.
Kubernetes API
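
An added example, not part of the original request and not Red Hat or Kubernetes project code: a Python check that scans Role/ClusterRole objects for rules where `get` reaches `pods/exec` or `pods/attach`, the grant this request describes. The sample roles and their names are constructed, and `pods/*` is matched because the request names that pattern.

```python
"""Flag RBAC rules that allow `get` on the exec/attach subresources of pods."""

# Resource patterns to flag. "pods/*" is included because the request above
# names it; the rest are exact or wildcard forms an RBAC rule can list.
RISKY_RESOURCES = {"*", "pods/*", "pods/exec", "pods/attach", "*/exec", "*/attach"}


def _grants(rule, verb):
    verbs = rule.get("verbs", [])
    return verb in verbs or "*" in verbs


def find_exec_via_get(roles):
    """Return one finding per rule that lets `get` reach pods/exec or pods/attach."""
    findings = []
    for role in roles:
        meta = role.get("metadata", {})
        for rule in role.get("rules") or []:
            groups = rule.get("apiGroups", [])
            if "" not in groups and "*" not in groups:
                continue  # pods live in the core ("") API group
            hit = sorted(RISKY_RESOURCES.intersection(rule.get("resources", [])))
            if hit and _grants(rule, "get"):
                findings.append({
                    "kind": role.get("kind"),
                    "namespace": meta.get("namespace"),
                    "name": meta.get("name"),
                    "resources": hit,
                    "create_in_same_rule": _grants(rule, "create"),
                })
    return findings


# Constructed sample objects, shaped like items from a Role/ClusterRole list.
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"name": "pod-viewer", "namespace": "demo"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "pod-debug-readonly", "namespace": "demo"},
     "rules": [{"apiGroups": [""], "resources": ["pods/*"], "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "exec-operator"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["get", "create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "apps-reader"},
     "rules": [{"apiGroups": ["apps"], "resources": ["*"], "verbs": ["get"]}]},
]

if __name__ == "__main__":
    for f in find_exec_via_get(SAMPLE_ROLES):
        print(f)
```

On a live cluster the same function can be fed the `items` array from `kubectl get roles,clusterroles -A -o json`; findings with `create_in_same_rule` set to false are the grants most likely to have been made without intending exec access.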
is incorporated by: OCPSTRAT-435 Update oc/kubectl/kubernetes api to use HTTP/2 instead of SPDY (Backlog)