fix(advance deploy): EE-1141 A standard user can escalate to cluster administrator privileges on Kubernetes (#5325)

* fix(advance deploy): EE-1141 A standard user can escalate to cluster administrator privileges on Kubernetes * fix(advance deploy): EE-1141 reuse existing token cache when do deployment * fix: EE-1141 use user's SA token to exec pod command * fix: EE-1141 stop advanced-deploy or pod-exec if user's SA token is empty * fix: EE-1141 resolve merge conflicts Co-authored-by: Simon Meng <simon.meng@portainer.io>
2025-11-26 14:06:05 +08:00 · 2021-08-04 11:11:24 +12:00
parent 5652bac004
commit 51ef2c2aa9
13 changed files with 155 additions and 43 deletions
--- a/api/http/handler/websocket/handler.go
+++ b/api/http/handler/websocket/handler.go
@@ -5,6 +5,7 @@ import (
 	"github.com/gorilla/websocket"
 	httperror "github.com/portainer/libhttp/error"
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/kubernetes/cli"
 )
@@ -12,20 +13,22 @@ import (
 // Handler is the HTTP handler used to handle websocket operations.
 type Handler struct {
 	*mux.Router
-	DataStore               portainer.DataStore
-	SignatureService        portainer.DigitalSignatureService
-	ReverseTunnelService    portainer.ReverseTunnelService
-	KubernetesClientFactory *cli.ClientFactory
-	requestBouncer          *security.RequestBouncer
-	connectionUpgrader      websocket.Upgrader
+	DataStore                   portainer.DataStore
+	SignatureService            portainer.DigitalSignatureService
+	ReverseTunnelService        portainer.ReverseTunnelService
+	KubernetesClientFactory     *cli.ClientFactory
+	requestBouncer              *security.RequestBouncer
+	connectionUpgrader          websocket.Upgrader
+	kubernetesTokenCacheManager *kubernetes.TokenCacheManager
 }

 // NewHandler creates a handler to manage websocket operations.
-func NewHandler(bouncer *security.RequestBouncer) *Handler {
+func NewHandler(kubernetesTokenCacheManager *kubernetes.TokenCacheManager, bouncer *security.RequestBouncer) *Handler {
 	h := &Handler{
 		Router:             mux.NewRouter(),
 		connectionUpgrader: websocket.Upgrader{},
 		requestBouncer:     bouncer,
+		kubernetesTokenCacheManager: kubernetesTokenCacheManager,
 	}
 	h.PathPrefix("/websocket/exec").Handler(
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.websocketExec)))