Summary
In pkg/virtual/builder/edges_proxy_builder.go:68, holders of a static token skip SubjectAccessReview entirely on the edge proxy path: the authorization callback is never invoked, so neither the target cluster nor the edge name is checked. If kcpConfig == nil, the same total bypass applies to every request, static token or not.
Risk
Any valid static token grants proxy access to any edge in any cluster, with no per-edge or per-cluster RBAC check. A shared or leaked static token therefore gives full edge proxy access, and a deployment with kcpConfig unset exposes the proxy to every caller.
_, isStaticToken := p.staticTokens[token]
if !isStaticToken {
	// Only non-static tokens reach the SubjectAccessReview-backed check.
	if err := p.authorizeFn(...); err != nil {
		http.Error(w, "Forbidden", http.StatusForbidden)
		return
	}
}
// If isStaticToken: falls through with NO authz check on cluster/name
Recommendation
- Remove the unconditional static token bypass from the edges proxy path
- Static tokens should still be validated against an explicit allowlist of edges/clusters; the requested cluster and edge name must be checked against that scope before the request is proxied
- Treat kcpConfig == nil as a misconfiguration and fail closed (deny) rather than skipping authorization
- Keep the static token bypass only for the agent registration/join path, where it is intentionally permissive
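As an added illustration of the recommended fix, the following is example code written for this report, not kcp's own code. It places the reported bypass next to a scoped variant: static tokens keep working but only for the cluster/edge pairs they were issued for, and a missing authorizer (kcpConfig == nil) denies instead of allowing. The names edgeProxy, staticTokenScope, authorizeVulnerable, authorizeHardened, the sample tokens and the edge names are all hypothetical, and the authorize callback is a stand-in for the real SubjectAccessReview check.

```go
package main

import (
	"errors"
	"fmt"
)

// All type and function names below are hypothetical stand-ins for this
// example; they are not kcp's types.

// edgeRef identifies one edge in one logical cluster (workspace).
type edgeRef struct {
	Cluster string
	Name    string
}

// staticTokenScope is the explicit allowlist of edges a static token may
// reach through the proxy. An empty scope grants no proxy access.
type staticTokenScope map[edgeRef]struct{}

// errForbidden is wrapped by every denial so callers can map it to 403.
var errForbidden = errors.New("forbidden")

// authorizeFunc stands in for the SubjectAccessReview-backed check that the
// vulnerable code skips. A nil value models kcpConfig == nil.
type authorizeFunc func(token, cluster, name string) error

type edgeProxy struct {
	staticTokens map[string]staticTokenScope
	authorize    authorizeFunc
}

// authorizeVulnerable mirrors the reported behaviour: a static token, or a
// missing authorizer, passes without any per-cluster/per-edge check.
func (p *edgeProxy) authorizeVulnerable(token, cluster, name string) error {
	if _, isStaticToken := p.staticTokens[token]; isStaticToken {
		return nil // total bypass
	}
	if p.authorize == nil {
		return nil // total bypass when kcpConfig == nil
	}
	return p.authorize(token, cluster, name)
}

// authorizeHardened keeps static tokens but scopes them: the requested
// cluster/edge must be in the token's allowlist. A missing authorizer fails
// closed instead of open. Everything else still goes through the SAR check.
func (p *edgeProxy) authorizeHardened(token, cluster, name string) error {
	if scope, isStaticToken := p.staticTokens[token]; isStaticToken {
		if _, ok := scope[edgeRef{Cluster: cluster, Name: name}]; ok {
			return nil
		}
		return fmt.Errorf("static token not scoped to %s/%s: %w", cluster, name, errForbidden)
	}
	if p.authorize == nil {
		return fmt.Errorf("no authorizer configured, denying %s/%s: %w", cluster, name, errForbidden)
	}
	return p.authorize(token, cluster, name)
}

// newSampleProxy builds a proxy from constructed sample data (fake tokens and
// edge names made up for this example).
func newSampleProxy() *edgeProxy {
	return &edgeProxy{
		staticTokens: map[string]staticTokenScope{
			"static-agent-token": {
				{Cluster: "root:team-a", Name: "edge-1"}: {},
			},
		},
		// Stand-in for SubjectAccessReview: only "alice-token" may reach
		// root:team-a/edge-1; every other request is denied.
		authorize: func(token, cluster, name string) error {
			if token == "alice-token" && cluster == "root:team-a" && name == "edge-1" {
				return nil
			}
			return errForbidden
		},
	}
}

func main() {
	p := newSampleProxy()
	// The static token tries to reach an edge outside its scope.
	fmt.Println("vulnerable:", p.authorizeVulnerable("static-agent-token", "root:team-b", "edge-9"))
	fmt.Println("hardened:  ", p.authorizeHardened("static-agent-token", "root:team-b", "edge-9"))
}
```

In a real handler the returned error is what maps to http.Error(w, "Forbidden", http.StatusForbidden); the point of the hardened variant is that the decision is made on the token's scope and the request's cluster/edge, so a leaked static token is bounded by the edges it was issued for. The scope would come from configuration alongside the token itself rather than being hardcoded as it is in the sample.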