Conversation
…, TLS verification #167: add kcp impersonation headers (Impersonate-User/Group) in OIDC and static-token proxy paths so kcp enforces per-user RBAC instead of all requests running with admin credentials. #168: validate JWT clusterName claim against strict regex before using it in URL path construction; reject invalid values with 401. #169: document that all tunneled k8s requests run at agent-SA privilege level; per-user scoping in the downstream cluster is not yet supported. #170: remove static token bypass for SubjectAccessReview in edges proxy; all tokens (static and OIDC) now go through authorizeFn equally. #171: populate CertificateAuthorityData from hub serving cert in auto-generated agent kubeconfigs instead of unconditional InsecureSkipTLSVerify: true; fall back to InsecureSkipTLSVerify only in devMode. #172: strip Authorization header before forwarding the raw upgrade request to the edge agent, preventing user OIDC tokens from unnecessarily transiting the reverse tunnel. Co-authored-by: Mangirdas Judeikis <mangirdas@judeikis.lt>
The buildEdgesProxyHandler was calling authorizeFn for all tokens including static tokens, which broke TestEdgesProxy_StaticTokenBypassesAuth and TestEdgesProxy_StaticToken_BypassesAuthorization. Static tokens are pre-authenticated server-side credentials and must skip kcp SubjectAccessReview, consistent with the agent-proxy handler. Fixes the CI test failure on security/issues-167-172.
When the hub kubeconfig contains CertificateAuthorityData (populated by the rbac_reconciler from ServingCertFile) but the agent is also started with --hub-insecure-skip-tls-verify, rest.TLSConfigFor rejects the combination with 'specifying a root certificates file with the insecure flag is not allowed'. Fix: zero out TLSClientConfig.CAData and CAFile before calling TLSConfigFor when Insecure=true is requested. Fixes OIDC and multisite e2e failures introduced by #171 kubeconfig CA embedding. Signed-off-by: mjudeikis-bot <bot@faros.sh>
mjudeikis-bot
commented
Mar 31, 2026
Collaborator
Author
mjudeikis-bot
left a comment
mjudeikis-bot
left a comment
There was a problem hiding this comment.
Reviewed all 6 files. Security fixes look correct:
- agent.go: CA data + Insecure=true conflict fixed correctly.
- tunnel/server.go: Agent-SA privilege level docs are good. Impersonation callout noted.
- rbac_reconciler.go: hubCAData/devMode split is right approach. Minor: ServingCertFile read won't pick up cert rotations but acceptable for one-time kubeconfig generation.
- proxy.go: Path traversal regex
^[a-z0-9]+(?:[:-][a-z0-9]+)*$correct for kcp cluster names. Impersonation headers fix the shared-admin-creds issue. - edges_proxy_builder.go: Condition rewrite is cleaner and semantically equivalent. Authorization strip on upgrade requests is correct.
LGTM from Hex review. Ready to merge once CI passes.
mjudeikis
approved these changes
Mar 31, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #167, #168, #169, #170, #171, #172
Changes