Skip to content

fix(k8s): block kubectl auth reconcile in readonly mode#377

Merged
feiskyer merged 1 commit into
mainfrom
guwe/block-kubectl-auth-reconcile-readonly
Jun 17, 2026
Merged

fix(k8s): block kubectl auth reconcile in readonly mode#377
feiskyer merged 1 commit into
mainfrom
guwe/block-kubectl-auth-reconcile-readonly

Conversation

@gossion

@gossion gossion commented Jun 11, 2026

Copy link
Copy Markdown
Member

Summary

The mcp-kubernetes validator classifies the entire auth verb as a read-only kubectl operation because the common subcommands (auth can-i, auth whoami) are queries. However, kubectl auth reconcile creates or updates RBAC Role / RoleBinding / ClusterRole / ClusterRoleBinding objects from a manifest, so the broad auth classification leaks a write capability into readonly access level.

This adds a defense-in-depth guard in the executor adapter that runs before delegation, so it covers both the default mcp-kubernetes path and the token-auth-only RunCommand path. It fails closed even if the dependency is downgraded or its classification regresses. The matching upstream fix is in Azure/mcp-kubernetes#146.

The guard tokenizes via shlex (matching the executor) and walks positional tokens past flags, so quoting and tab-separated forms cannot bypass a literal substring scan, and content after a free-standing -- (subprocess args of kubectl exec ... --) is correctly ignored.

Test plan

  • make vet — clean
  • make lint — 0 issues
  • go test ./internal/k8s/... — all green
  • New tests cover:
    • readonly blocks kubectl auth reconcile (plain, no kubectl prefix, with leading global flag -v=2, tab-separated whitespace)
    • readonly allows auth can-i / auth whoami
    • readwrite/admin allow auth reconcile
    • tokenizer edge cases for isKubectlAuthReconcile (empty input, bare kubectl, kubectl exec ... -- auth reconcile correctly NOT matched)

The mcp-kubernetes validator classifies the entire "auth" verb as a
read-only operation because the common subcommands ("auth can-i",
"auth whoami") are queries. However, "kubectl auth reconcile" creates
or updates RBAC Role / RoleBinding / ClusterRole / ClusterRoleBinding
objects from a manifest, so the broad "auth" classification leaks a
write capability into readonly access level.

Add a defense-in-depth guard in the executor adapter that runs before
delegation, so it covers both the default mcp-kubernetes path and the
token-auth-only RunCommand path. The guard tokenizes via shlex (matching
the executor) and walks positional tokens past flags, so quoting and
tab-separated forms cannot bypass a literal substring scan, and content
after a free-standing "--" (subprocess args of `kubectl exec ... --`)
is correctly ignored.

Tests cover the readonly block (plain, no-prefix, with leading flag,
tab-separated), readonly allow for can-i/whoami, readwrite/admin allow
for reconcile, and the tokenizer edge cases directly.

@feiskyer feiskyer left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@feiskyer feiskyer added this pull request to the merge queue Jun 17, 2026
Merged via the queue into main with commit b95315a Jun 17, 2026
9 checks passed
@feiskyer feiskyer deleted the guwe/block-kubectl-auth-reconcile-readonly branch June 17, 2026 02:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants