RBAC rule "get *" or "get pods/exec" allows exec into Pods in the Web Terminal

Solution Verified - Updated

Environment

  • Red Hat OpenShift Container Platform (RHOCP) 4.11

Issue

  • Why is it possible to exec into Pods when the following rule is applied to a Role? The rule only grants the read-only verbs get, list and watch:

    rules:
      - verbs:
          - get
          - list
          - watch
        apiGroups:
          - '*'
        resources:
          - '*'
    
  • Users can open a terminal in a Pod through the Web Console's WebSocket endpoint even without create permission on the pods/exec subresource.

Resolution

Root Cause

  • A wildcard '*' in resources matches every resource and every subresource, so a rule that grants get on '*' also grants get on all Pod subresources, including the ones behind the Web Terminal and port-forwarding. The following Pod subresources are all covered by the wildcard:
    • pods/attach
    • pods/exec
    • pods/portforward
    • pods/proxy
    • pods/log
    • pods/status
  • oc exec and the OpenShift Container Platform Web Console reach the same subresource through different HTTP methods, and RBAC derives the verb from the method. oc exec opens the connection with an HTTP POST, which maps to the create verb, so it requires create on pods/exec. The Web Console opens a WebSocket, and the WebSocket handshake is an HTTP GET, which maps to the get verb, so it only requires get on pods/exec. The same applies to pods/attach and pods/portforward, which the Web Console can also drive over a GET-based WebSocket.
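  • The two points above, as an added example that is not part of the original solution or of OpenShift itself: a small Python model of how RBAC derives the verb from the HTTP method and matches a request against a Role's rules. The matching semantics used here (GET maps to get and POST to create; a bare '*' in resources matches every resource and subresource; the '*/exec' form matches that subresource on any resource) are the documented Kubernetes RBAC rules. The URL parser, the rule dictionaries, the namespace demo and the Pod name web-0 are constructed for the example, and EXPLICIT_READ is one way to grant read-only Pod access without the wildcard, not a remediation the solution itself prescribes.

```python
"""Model of Kubernetes RBAC verb derivation and resource matching.

Added illustration, not Red Hat or Kubernetes code. The semantics follow the
documented RBAC rules; the URL shape handled is deliberately limited to
core-group, namespaced Pod requests such as
/api/v1/namespaces/<ns>/pods/<name>/exec.
"""
from dataclasses import dataclass

# RBAC derives the verb from the HTTP method of the request. A WebSocket
# handshake is always a GET, so the Web Console's terminal needs "get";
# oc exec sends a POST, so it needs "create".
METHOD_TO_VERB = {"GET": "get", "POST": "create", "PUT": "update",
                  "PATCH": "patch", "DELETE": "delete"}


@dataclass(frozen=True)
class Request:
    verb: str          # RBAC verb, e.g. "get"
    api_group: str     # "" for the core API group (pods live there)
    resource: str      # e.g. "pods"
    subresource: str   # e.g. "exec", or "" for the resource itself


def from_http(method: str, path: str) -> Request:
    """Derive the RBAC request from a core-group namespaced Pod URL (example parser)."""
    parts = path.strip("/").split("/")
    # Expected: ['api', 'v1', 'namespaces', <ns>, 'pods', <name>, <subresource>]
    if parts[:3] != ["api", "v1", "namespaces"] or len(parts) < 5:
        raise ValueError(f"unsupported path: {path}")
    resource = parts[4]
    subresource = parts[6] if len(parts) > 6 else ""
    return Request(METHOD_TO_VERB[method.upper()], "", resource, subresource)


def resource_matches(rule_resources, req: Request) -> bool:
    """RBAC resource matching: '*' covers subresources, as does '*/<sub>'."""
    combined = req.resource + ("/" + req.subresource if req.subresource else "")
    for r in rule_resources:
        if r == "*":                      # wildcard matches everything, subresources included
            return True
        if r == combined:                 # exact match, e.g. "pods/exec"
            return True
        if req.subresource and r == "*/" + req.subresource:
            return True                   # "*/exec" matches exec on any resource
    return False


def rule_allows(rule, req: Request) -> bool:
    verbs, groups = rule["verbs"], rule["apiGroups"]
    return (("*" in verbs or req.verb in verbs)
            and ("*" in groups or req.api_group in groups)
            and resource_matches(rule["resources"], req))


def allowed(rules, req: Request) -> bool:
    """A request is allowed if any rule in the Role allows it."""
    return any(rule_allows(r, req) for r in rules)


# The rule from the Issue section: read-only verbs on every resource.
WILDCARD_READ = [{"verbs": ["get", "list", "watch"],
                  "apiGroups": ["*"], "resources": ["*"]}]

# Read-only without the wildcard (constructed alternative): subresources must
# be named explicitly, so exec/attach/portforward/proxy are not granted.
EXPLICIT_READ = [{"verbs": ["get", "list", "watch"],
                  "apiGroups": [""], "resources": ["pods", "pods/log"]}]

# Constructed requests for the same Pod: Web Console (WebSocket GET) vs oc exec (POST).
WS_EXEC = from_http("GET", "/api/v1/namespaces/demo/pods/web-0/exec")
CLI_EXEC = from_http("POST", "/api/v1/namespaces/demo/pods/web-0/exec")


def audit(rules):
    """Which Pod subresources a user could reach over the GET (WebSocket) path."""
    subs = ["exec", "attach", "portforward", "proxy", "log", "status"]
    return {s: allowed(rules, Request("get", "", "pods", s)) for s in subs}


if __name__ == "__main__":
    print("wildcard rule, Web Console exec:", allowed(WILDCARD_READ, WS_EXEC))
    print("wildcard rule, oc exec:", allowed(WILDCARD_READ, CLI_EXEC))
    print("explicit rule, Web Console exec:", allowed(EXPLICIT_READ, WS_EXEC))
    print("wildcard rule audit:", audit(WILDCARD_READ))
    print("explicit rule audit:", audit(EXPLICIT_READ))
```

    Running the block shows the asymmetry from the root cause: under the wildcard rule the WebSocket exec (GET) is allowed while oc exec (POST) is denied, and the audit helper lists exec, attach, portforward and proxy as reachable. Naming resources explicitly keeps pods/log readable and closes the interactive subresources; any real Role should be checked with oc auth can-i rather than with this model.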

Diagnostic Steps

  • Use oc auth can-i to check the effective permissions of the current user (add --as=<user> to check a different user). Note that the get check on the exec subresource succeeds while the create check fails:

    $ oc whoami
    example
    $ oc auth can-i get pods
    yes
    $ oc auth can-i get pods --subresource=exec
    yes
    $ oc auth can-i create pods --subresource=exec
    no
    ## With the above permissions, access to the Terminal via Web Console works
    
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.