The kubesphere 3.0 terminal does no authorization check: anyone who has login access can construct the URL and get into the terminal.

Using this URL-construction approach, I was able to get into https://demo.kubesphere.io/

Once you have kubectl privileges, there is a way to obtain host privileges.

Thanks for the report. A fix has already been submitted on Github, and the demo environment has been patched as well: when connecting through the terminal, it now checks whether the user actually has control of the container.

    5 months later

    aimuz 3.1 has fixed this (kubesphere/kubesphere#3042). demo.kubesphere.io had been fixed earlier, but the image was accidentally rolled back to 3.0. In a 3.0 environment you can define a custom role like this:

    apiVersion: iam.kubesphere.io/v1alpha2
    kind: GlobalRole
    metadata:
      annotations:
        iam.kubesphere.io/aggregation-roles: '["role-template-view-clusters","role-template-view-roles","role-template-view-users","role-template-view-workspaces","role-template-manage-platform-settings","role-template-view-basic","role-template-view-app-templates"]'
        iam.kubesphere.io/rego-override: |-
          package authz
          default allow = false
          allow = true {
            input.APIGroup != "terminal.kubesphere.io"
            allowedVerbs := ["get","list","watch"]
            allowedVerbs[_] == input.Verb
          }
        kubesphere.io/creator: admin
      labels:
        kubefed.io/managed: "false"
      name: viewer
    rules: []
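To see what the `rego-override` in the GlobalRole above actually admits before applying it, here is an added example that emulates the rule's decision logic in plain Python over a constructed set of requests. It is not code from the thread or from KubeSphere, and it does not invoke OPA; it assumes, as the posted policy does, that the authorizer supplies `input.APIGroup` and `input.Verb`, and the request list is made up for illustration.

```python
# Added example (not from the thread or KubeSphere): a plain-Python emulation of
# the rego-override in the custom "viewer" GlobalRole, used as a pre-deployment
# sanity check of which requests it admits. OPA itself is not invoked here.

BLOCKED_API_GROUP = "terminal.kubesphere.io"  # the group the override refuses
ALLOWED_VERBS = ("get", "list", "watch")       # read-only verbs it permits


def policy_allows(api_group: str, verb: str) -> bool:
    """Mirror of the rego rule:

        default allow = false
        allow = true {
          input.APIGroup != "terminal.kubesphere.io"
          allowedVerbs := ["get","list","watch"]
          allowedVerbs[_] == input.Verb
        }

    Every line of a rego rule body is a conjunct, so the APIGroup test gates
    the rule before the verb is considered, and `allowedVerbs[_] == input.Verb`
    is an existential test (some element equals the verb). Anything not
    matched by the rule falls through to the default, which is deny.
    """
    return api_group != BLOCKED_API_GROUP and verb in ALLOWED_VERBS


def decision_table(requests):
    """Evaluate (api_group, verb) pairs; return {(group, verb): allowed}."""
    return {(group, verb): policy_allows(group, verb) for group, verb in requests}


def denied_terminal_requests(requests):
    """Terminal-group requests that the override denies (should be all of them)."""
    return [(g, v) for g, v in requests
            if g == BLOCKED_API_GROUP and not policy_allows(g, v)]


# Constructed sample requests, including the terminal group the fix targets.
SAMPLE_REQUESTS = [
    ("", "get"),                           # core group, read
    ("apps", "list"),                      # apps group, read
    ("apps", "create"),                    # apps group, write
    ("terminal.kubesphere.io", "get"),     # terminal, read -> still denied
    ("terminal.kubesphere.io", "create"),  # terminal, write -> denied
    ("iam.kubesphere.io", "watch"),        # read
    ("iam.kubesphere.io", "delete"),       # write
]


if __name__ == "__main__":
    for (group, verb), allowed in decision_table(SAMPLE_REQUESTS).items():
        label = group or "core"
        print(f"{label:26s} {verb:7s} -> {'allow' if allowed else 'deny'}")
```

The point the table makes is that the override never reaches the verb check for `terminal.kubesphere.io`, so even `get` on that group is denied, while every other group is reduced to read-only verbs. For the real manifest, the same inputs can be fed to the rego directly with `opa eval` once the policy text is extracted from the annotation.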