📖 Add KubeStellar Console security self-assessment #2106
clubanderson wants to merge 2 commits into cncf:main from
JustinCappos left a comment
I have a few minor clarifications I requested. Nothing super major, but they likely should be fixed before merge.
|
|
||
| ### Goals | ||
|
|
||
| - Provide secure, authenticated access to Kubernetes cluster information |
What does secure mean here? Is private access important? Are you using HTTPS, etc.?
Thanks — this bullet has been expanded to specify HTTPS (TLS 1.2+ enforced by Netlify for hosted; user-configured for self-hosted) plus JWT session tokens required on all API endpoints except /health and demo routes. The vague 'secure' has been replaced with concrete mechanisms.
| ### Goals | ||
|
|
||
| - Provide secure, authenticated access to Kubernetes cluster information | ||
| - Never store or transmit Kubernetes credentials beyond the user's local machine |
Why might we think this would happen? How do you communicate out? Does this change based upon the deployment?
Expanded in the Goals section with deployment-specific detail: in hosted mode, kc-agent runs locally and sends only JSON-serialized resource data over the WebSocket tunnel — kubeconfig contents (certs, tokens, private keys) never leave the machine. In self-hosted mode, both backend and kc-agent co-locate on the same host. The Deployment Architecture appendix diagrams both flows.
|
|
||
| - Provide secure, authenticated access to Kubernetes cluster information | ||
| - Never store or transmit Kubernetes credentials beyond the user's local machine | ||
| - Enforce principle of least privilege — Console inherits the user's existing kubeconfig RBAC |
This may be naive, but I would like to hear more about this. What do you mean by inheriting RBAC? Does this mean the service's ability to perform actions only matches the RBAC rules + your view is constrained to this? Is your server more privileged but provides this functionality?
Great question — Console does not create any ServiceAccount, ClusterRole, or RBAC objects. The kc-agent executes kubectl using the user's own kubeconfig. If a user's kubeconfig only permits get on pods in namespace default, that is the ceiling — there is no privileged server-side component with broader access. The expanded text makes this explicit.
| | Component | Description | | ||
| |-----------|-------------| | ||
| | **GitHub OAuth 2.0** | Primary authentication mechanism; no passwords stored | | ||
| | **JWT Session Tokens** | Short-lived tokens for session management; validated on every API request | |
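Review bot: "Short-lived" in the JWT Session Tokens row is not quantified, so a reader cannot judge how long a stolen token stays usable; state the token lifetime and the refresh rule in the row itself. The same row says tokens are "validated on every API request" without naming the signing algorithm or where the token is stored client-side, which are the details needed to assess that claim.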
JWT has a long and complicated history of security concerns. Can you talk more about how you avoid the common issues?
Addressed comprehensively in the JWT row of the Critical table: algorithm confusion prevented via jwt.WithValidMethods(["HS256"]) with defense-in-depth keyfunc; production requires JWT_SECRET env var (server refuses to start without it); HttpOnly cookie storage (not localStorage); SameSite=Lax for CSRF; JTI-based two-tier revocation (memory + SQLite) surviving restarts. Code references included for each claim.
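The order of checks described in the reply above (pin the algorithm to HS256 so `none` and other algorithms are refused, verify the MAC, then check expiry and a JTI deny-list), as an added standard-library sketch. It is not KubeStellar Console code and does not use the JWT library behind the `jwt.WithValidMethods` call the reply mentions; `seal`, `Verify`, the in-memory `revoked` map (standing in for the memory + SQLite tiers) and the sample secret and claims are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// seal appends the base64url HMAC-SHA256 signature segment to a signing input ("header.payload").
func seal(secret []byte, in string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(in))
	return in + "." + b64.EncodeToString(m.Sum(nil))
}

// Verify pins alg to HS256, checks the MAC, then exp and the JTI deny-list (hypothetical map).
func Verify(tok string, secret []byte, revoked map[string]bool, now int64) error {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return fmt.Errorf("malformed token")
	}
	var h struct{ Alg string }
	var c struct{ Jti string; Exp int64 }
	hdr, herr := b64.DecodeString(p[0])
	body, berr := b64.DecodeString(p[1])
	switch { // cases are evaluated top to bottom; the first failing check wins
	case herr != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "HS256":
		return fmt.Errorf("unexpected alg") // "none", RS256, ... are refused before the key is used
	case !hmac.Equal([]byte(tok), []byte(seal(secret, p[0]+"."+p[1]))):
		return fmt.Errorf("bad signature") // constant-time compare against the recomputed token
	case berr != nil || json.Unmarshal(body, &c) != nil:
		return fmt.Errorf("bad claims") // claims are parsed only after the MAC is valid
	case now >= c.Exp:
		return fmt.Errorf("expired")
	case c.Jti == "" || revoked[c.Jti]:
		return fmt.Errorf("revoked")
	}
	return nil
}

func main() {
	hdr := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	tok := seal([]byte("constructed-secret"), hdr+"."+b64.EncodeToString([]byte(`{"jti":"j1","exp":200}`)))
	fmt.Println(Verify(tok, []byte("constructed-secret"), map[string]bool{"j1": true}, 100)) // revoked
}
```

A token whose header was re-sealed with `"alg":"none"` under the correct secret is still refused, because the algorithm is checked against the allow-list rather than trusted from the header.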
|
|
||
| ### Responsible Disclosure Process | ||
|
|
||
| Vulnerability reports should be sent to [kubestellar-security-announce@googlegroups.com](mailto:kubestellar-security-announce@googlegroups.com). See [SECURITY.md](https://github.com/kubestellar/console/blob/main/SECURITY.md) for full details. |
Maybe use github security advisories or other reporting?
Agreed and updated — GitHub Security Advisories is now listed as the preferred channel, with the mailing list as fallback. This matches the CNCF-recommended approach for GitHub-hosted projects.
Add TAG-Security self-assessment for the KubeStellar Console project following the CNCF template. Includes actors, actions, security functions, secure development practices, and a Data Storage Summary documenting all persistence layers (backend SQLite, metrics history, browser caches, in-memory SSE cache).
Signed-off-by: Andrew Anderson <andy@clubanderson.com>
2cc2d6b to efa433f
Do/should we delineate this
Addresses review comments from @JustinCappos and @brandtkeller:
- Add scope statement: this covers kubestellar/console only, not KubeStellar Core
- Replace vague "secure" with specific mechanisms (HTTPS, OAuth, JWT validation)
- Add deployment architecture diagram showing data flow in both modes
- Detail kubeconfig isolation: kc-agent binds 127.0.0.1, only JSON crosses network
- Explain RBAC inheritance: no ServiceAccount/ClusterRole created, kubectl uses user's kubeconfig as-is, no privilege escalation possible
- Expand JWT section: HS256-only via WithValidMethods, none alg rejected, secret management (crypto/rand dev, required env prod), HttpOnly+Secure+SameSite cookies, two-tier JTI revocation, 7-day lifetime with 50% refresh
- Add GitHub Security Advisories as primary disclosure channel
- Add post-build safety checks and post-merge Playwright verification to practices
- Document kc-agent localhost-only kubeconfig import endpoints
Signed-off-by: Andrew Anderson <andy@clubanderson.com>
Workflow fixes (addresses Copilot review on #4351):
- Fix null PR number: use `// empty` jq fallback, guard against "null" string
- Fix whitespace in spec dedup: use printf instead of indented heredoc append
- Fix exit code masking: capture Playwright exit code, propagate to job status
- Fix result propagation: add job-level outputs mapping
- Fix PCRE regex: use -oE (ERE) instead of -oP (PCRE, not available on all CI)
- Fix report logic: require both output=passed AND job=success
Security self-assessment sync (addresses TAG-Security review on cncf/toc#2106):
- Add scope statement: kubestellar/console only, not KubeStellar Core
- Add deployment architecture diagram with security boundaries
- Expand JWT details: HS256-only, WithValidMethods, revocation, cookie attrs
- Explain RBAC inheritance: no privilege escalation, kubeconfig as-is
- Add GitHub Security Advisories as primary disclosure channel
Signed-off-by: Andrew Anderson <andy@clubanderson.com>
* ✨ Add post-merge Playwright verification against production
Runs targeted Playwright E2E tests against console.kubestellar.io after each merge to main. Tests are selected from a JSON mapping based on issue labels and changed file paths — no AI test generation needed.
Workflow:
1. Waits for Netlify to deploy (polls app-build-id meta tag)
2. Extracts PR context: linked issue, labels, changed files
3. Maps to spec files via web/e2e/spec-map.json (smoke.spec.ts always runs)
4. Runs Chromium-only Playwright against production URL
5. Reports pass/fail on the merged PR
On failure:
- Reopens the original issue (if linked via Fixes #NNN)
- Creates a regression issue with priority/critical
- Assigns Copilot to auto-fix via existing agentic workflow
Signed-off-by: Andrew Anderson <andy@clubanderson.com>
* 🐛 Fix post-merge workflow bugs + sync security self-assessment
Workflow fixes (addresses Copilot review on #4351):
- Fix null PR number: use `// empty` jq fallback, guard against "null" string
- Fix whitespace in spec dedup: use printf instead of indented heredoc append
- Fix exit code masking: capture Playwright exit code, propagate to job status
- Fix result propagation: add job-level outputs mapping
- Fix PCRE regex: use -oE (ERE) instead of -oP (PCRE, not available on all CI)
- Fix report logic: require both output=passed AND job=success
Security self-assessment sync (addresses TAG-Security review on cncf/toc#2106):
- Add scope statement: kubestellar/console only, not KubeStellar Core
- Add deployment architecture diagram with security boundaries
- Expand JWT details: HS256-only, WithValidMethods, revocation, cookie attrs
- Explain RBAC inheritance: no privilege escalation, kubeconfig as-is
- Add GitHub Security Advisories as primary disclosure channel
Signed-off-by: Andrew Anderson <andy@clubanderson.com>
---------
Signed-off-by: Andrew Anderson <andy@clubanderson.com>
Good question @brandtkeller — the scope callout at the top of the document makes this explicit: this assessment covers only
JustinCappos left a comment
Thanks for the fixes. The comments I raised were addressed. Doing a joint assessment would be a fair amount of work, but the team is quite responsive and gave very detailed answers.
Summary
projects/kubestellar/security-assessment/
cc @JustinCappos for review
References