forbidden message may include RBAC information #124406
Comments
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/sig-auth
/sig auth
As a mitigation: don't misconfigure your Kubernetes cluster; specifically, don't bind unauthenticated users to a missing ClusterRole.
From the slack thread:
I will leave this open for a while to get more community feedback, but I don't see us making any changes to address this.
My general concern is that there may be additional error messages leaked that may be of more value. I agree that this specific example is not very impactful.
Any error comes from kubernetes/pkg/registry/rbac/validation/rule.go (lines 179 to 237 in f3a7aa7).
They all boil down to "failed to get/list one of the 4 RBAC resources."
What happened?
Kubernetes API server may include extra RBAC information on forbidden error messages. An authenticated user could gain unexpected knowledge of possible Kubernetes RBAC configuration problems.
What did you expect to happen?
Error message does not include RBAC information.
How can we reproduce it (as minimally and precisely as possible)?
Test 1
Example Results for Test 1:
Test 2 with Results: Kubernetes API server updated with --anonymous-auth=false
Anything else we need to know?
This issue was originally filed at https://hackerone.com but was closed. I was told to open an issue here.
Kubernetes version
Cloud provider
OS version
Install tools
Container runtime (CRI) and version (if applicable)
Related plugins (CNI, CSI, ...) and versions (if applicable)
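The mitigation suggested in the thread is to avoid bindings that reference a ClusterRole which does not exist, above all when the binding grants that role to unauthenticated subjects. The audit check below is an added example, not code from the Kubernetes project or the issue author; it assumes the JSON shape returned by `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` (the same `roleRef` shape also applies to RoleBindings that point at a ClusterRole) and runs on a constructed sample embedded inline.

```python
import json

# Constructed sample: a minimal slice of `kubectl get clusterroles -o json` and
# `kubectl get clusterrolebindings -o json`, with one binding whose ClusterRole is missing.
SAMPLE_CLUSTERROLES = json.dumps({"items": [
    {"kind": "ClusterRole", "metadata": {"name": "view"}},
]})
SAMPLE_BINDINGS = json.dumps({"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "good"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "dangling-anon"},
     "roleRef": {"kind": "ClusterRole", "name": "does-not-exist"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
]})

# Subjects that represent requests carrying no credentials; these are the standard
# Kubernetes identities for anonymous requests (the set itself is this script's choice).
UNAUTHENTICATED_SUBJECTS = {"system:unauthenticated", "system:anonymous"}


def find_dangling_bindings(clusterroles_json, bindings_json):
    """Return [(binding_name, missing_role, binds_unauthenticated)] for every binding
    whose roleRef points at a ClusterRole that does not exist in the cluster."""
    existing = {r["metadata"]["name"] for r in json.loads(clusterroles_json)["items"]}
    findings = []
    for binding in json.loads(bindings_json)["items"]:
        ref = binding["roleRef"]
        # Only ClusterRole references are checked here; namespaced Role refs are skipped.
        if ref["kind"] != "ClusterRole" or ref["name"] in existing:
            continue
        subjects = {s["name"] for s in binding.get("subjects", [])}
        anon = bool(subjects & UNAUTHENTICATED_SUBJECTS)
        findings.append((binding["metadata"]["name"], ref["name"], anon))
    return findings


if __name__ == "__main__":
    for name, role, anon in find_dangling_bindings(SAMPLE_CLUSTERROLES, SAMPLE_BINDINGS):
        note = " (granted to unauthenticated subjects: fix first)" if anon else ""
        print(f"{name}: references missing ClusterRole {role!r}{note}")
```

On a live cluster, feed the two `kubectl ... -o json` outputs into `find_dangling_bindings` and remove or repoint any binding it reports.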