Add Cluster Type Detection to Prevent Dev Mode on Non-Minikube Clusters #323
Description
Overview
Priority: 🟡 MAJOR
Effort: 30 minutes
Related PR: #246
Related Issue: #322
Mentioned in: 4/6 code reviews
Add detection to verify dev mode only activates on actual Minikube clusters.
Problem
Dev mode can currently activate on ANY Kubernetes cluster if:
- DISABLE_AUTH=true
- ENVIRONMENT=local
- Namespace in allow-list
Risk Scenario:
Someone accidentally deploys minikube manifests to a real cluster and dev mode activates.
Solution
Add cluster type detection by checking for Minikube-specific nodes:
func isMinikubeCluster() bool {
// Check for minikube node by name
node, err := server.K8sClient.CoreV1().Nodes().Get(
context.Background(),
"minikube",
v1.GetOptions{},
)
if err == nil && node != nil {
return true
}
// Check for minikube node labels
nodes, err := server.K8sClient.CoreV1().Nodes().List(
context.Background(),
v1.ListOptions{
LabelSelector: "minikube.k8s.io/name=minikube",
},
)
return err == nil && len(nodes.Items) > 0
}
func isLocalDevEnvironment() bool {
// ... existing checks ...
// NEW: Require actual minikube cluster
if !isMinikubeCluster() {
log.Printf("Refusing dev mode: not running in minikube cluster")
return false
}
return true
}Acceptance Criteria
-
isMinikubeCluster()function implemented - Integrated into
isLocalDevEnvironment()check - Dev mode only activates on actual Minikube
- Error logging explains why dev mode refused
- Unit tests for cluster detection logic
- Integration test verifies rejection on non-Minikube
Testing
# Positive test (on minikube)
make local-up
# Should work
# Negative test (simulate non-minikube)
# Mock K8s cluster without minikube labels
# Should refuse dev modeReferences
docs/SECURITY_DEV_MODE.md:135-174components/backend/handlers/middleware.go:295-321- PR feat: Local Dev with MiniKube #246 reviews (4/6 mentioned this)
Timeline: Can be completed in follow-up PR (defense-in-depth layer)