fix(k8s): block kubectl auth reconcile in readonly mode#377
Merged
Conversation
The mcp-kubernetes validator classifies the entire "auth" verb as a
read-only operation because the common subcommands ("auth can-i",
"auth whoami") are queries. However, "kubectl auth reconcile" creates
or updates RBAC Role / RoleBinding / ClusterRole / ClusterRoleBinding
objects from a manifest, so the broad "auth" classification leaks a
write capability into readonly access level.
Add a defense-in-depth guard in the executor adapter that runs before
delegation, so it covers both the default mcp-kubernetes path and the
token-auth-only RunCommand path. The guard tokenizes via shlex (matching
the executor) and walks positional tokens past flags, so quoting and
tab-separated forms cannot bypass a literal substring scan, and content
after a free-standing "--" (subprocess args of `kubectl exec ... --`)
is correctly ignored.
Tests cover the readonly block (plain, no-prefix, with leading flag,
tab-separated), readonly allow for can-i/whoami, readwrite/admin allow
for reconcile, and the tokenizer edge cases directly.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The mcp-kubernetes validator classifies the entire
authverb as a read-only kubectl operation because the common subcommands (auth can-i,auth whoami) are queries. However,kubectl auth reconcilecreates or updates RBACRole/RoleBinding/ClusterRole/ClusterRoleBindingobjects from a manifest, so the broadauthclassification leaks a write capability into readonly access level.This adds a defense-in-depth guard in the executor adapter that runs before delegation, so it covers both the default mcp-kubernetes path and the token-auth-only RunCommand path. It fails closed even if the dependency is downgraded or its classification regresses. The matching upstream fix is in Azure/mcp-kubernetes#146.
The guard tokenizes via shlex (matching the executor) and walks positional tokens past flags, so quoting and tab-separated forms cannot bypass a literal substring scan, and content after a free-standing
--(subprocess args ofkubectl exec ... --) is correctly ignored.Test plan
make vet— cleanmake lint— 0 issuesgo test ./internal/k8s/...— all greenkubectl auth reconcile(plain, nokubectlprefix, with leading global flag-v=2, tab-separated whitespace)auth can-i/auth whoamiauth reconcileisKubectlAuthReconcile(empty input, barekubectl,kubectl exec ... -- auth reconcilecorrectly NOT matched)