Summary
In pkg/hub/controllers/edge/rbac_reconciler.go:347, every auto-generated agent kubeconfig has InsecureSkipTLSVerify: true hardcoded unconditionally — not gated on dev mode.
Risk
Every production edge agent skips hub certificate verification. Agents are vulnerable to MitM attacks — an attacker on the network path can impersonate the hub, intercept the agent bootstrap token, and gain access to the downstream cluster.
    kubeconfig := clientcmdapi.Config{
        Clusters: map[string]*clientcmdapi.Cluster{
            "kedge": {
                Server:                r.hubExternalURL,
                InsecureSkipTLSVerify: true, // ALWAYS true, unconditional
            },
        },
        // remaining fields not shown in this excerpt
    }
Recommendation
- Pass the hub's CA cert to ensureKubeconfigSecret and populate CertificateAuthorityData
- Or make this conditional on a devMode flag, matching the pattern used elsewhere in the codebase
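Both recommendations combined, as an added example that is not the project's code: the cluster struct stands in for the clientcmdapi.Cluster fields shown above, and hubCluster, constructedCA and the hub URL are hypothetical names. Verification is skipped only when dev mode is set and no CA was supplied; a missing or unparsable CA otherwise fails closed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// cluster is a stand-in for the three clientcmdapi.Cluster fields involved.
type cluster struct {
	Server                   string
	InsecureSkipTLSVerify    bool
	CertificateAuthorityData []byte
}

// hubCluster pins the hub CA; only devMode with no CA at all skips verification.
func hubCluster(server string, caPEM []byte, devMode bool) (cluster, error) {
	if len(caPEM) == 0 && devMode {
		return cluster{Server: server, InsecureSkipTLSVerify: true}, nil
	}
	// Covers both a missing bundle and one that does not parse.
	if !x509.NewCertPool().AppendCertsFromPEM(caPEM) {
		return cluster{}, fmt.Errorf("no parsable hub CA certificate supplied")
	}
	return cluster{Server: server, CertificateAuthorityData: caPEM}, nil
}

// constructedCA returns a throwaway self-signed CA (constructed sample input).
func constructedCA() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-hub-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	c, err := hubCluster("https://hub.example.test", constructedCA(), false)
	fmt.Println(c.InsecureSkipTLSVerify, len(c.CertificateAuthorityData) > 0, err)
}
```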