
kubectl: check rule in exec command is insecure #1745


Open
hunshcn opened this issue Apr 17, 2025 · 6 comments · May be fixed by kubernetes/kubernetes#131353
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug. sig/cli Categorizes an issue or PR as relevant to SIG CLI. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@hunshcn

hunshcn commented Apr 17, 2025

What happened?

https://github.com/kubernetes/kubernetes/blob/b53b9fb5573323484af9a19cf3f5bfe80760abba/staging/src/k8s.io/kubectl/pkg/cmd/exec/exec.go#L208-L215

`kubectl exec -it resource asd asd asd -- bash` behaves like `kubectl exec -it resource -- bash`, but without any error.

This can lead to unexpected behavior of commands that use `--`.

What did you expect to happen?

Raise the error: `error: exec [POD] [COMMAND] is not supported anymore.`

How can we reproduce it (as minimally and precisely as possible)?

kubectl exec -it resource asd asd asd -- bash

Anything else we need to know?

No response

Kubernetes version

$ kubectl version
v1.32.3

Cloud provider

-


@hunshcn hunshcn added the kind/bug Categorizes issue or PR as related to a bug. label Apr 17, 2025
@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 17, 2025
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@hunshcn
Author

hunshcn commented Apr 17, 2025

/sig cli

@k8s-ci-robot k8s-ci-robot added sig/cli Categorizes an issue or PR as relevant to SIG CLI. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Apr 17, 2025
@github-project-automation github-project-automation bot moved this to Needs Triage in SIG CLI Apr 17, 2025
@hunshcn
Author

hunshcn commented Apr 17, 2025

/assign

mbergo referenced this issue in mbergo/kubernetes Apr 18, 2025
…ource and dash

Fixes #131352

The current implementation doesn't properly check for arguments between the resource name and the dash separator. This can lead to unexpected behavior when using commands like 'kubectl exec -it resource asd asd asd -- bash', which should raise an error but doesn't.

This fix adds a check to ensure that when a dash separator (--) is used, there are no extra arguments between the resource name and the dash. If there are extra arguments, it will raise an error with the message 'exec [POD] [COMMAND] is not supported anymore. Use exec [POD] -- [COMMAND] instead'.

Added a test case to verify the fix.
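To make the reported behaviour concrete, here is an added example that is not code from kubectl or from the referenced commit. It models the argument handling described in the issue body and in the commit message above: `splitAtDash` stands in for cobra removing the literal `--` and reporting its position (the `argsLenAtDash` value kubectl's `Complete()` receives), `parseLenient` reproduces the behaviour the issue reports (positionals between the resource and `--` are silently dropped), and `parseStrict` adds the check the fix describes. The function names, the `ExecSpec` type and the sample argument lists are assumptions for illustration; the `--filename` path of the real command is left out.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ExecSpec is the result of argument parsing: which resource to exec into
// and which command to run there. (Illustrative type, not kubectl's own.)
type ExecSpec struct {
	ResourceName string
	Command      []string
}

// splitAtDash models what cobra does before kubectl's Complete() runs:
// the literal "--" is removed from argv and its index is reported as
// argsLenAtDash (-1 when there is no "--"). Everything after "--" is
// passed through untouched, so "-la" in "exec pod -- ls -la" is not a flag.
func splitAtDash(argv []string) (args []string, argsLenAtDash int) {
	for i, a := range argv {
		if a == "--" {
			args = append(append([]string{}, argv[:i]...), argv[i+1:]...)
			return args, i
		}
	}
	return append([]string{}, argv...), -1
}

var errLegacyForm = errors.New("exec [POD] [COMMAND] is not supported anymore. Use exec [POD] -- [COMMAND] instead")

// parseLenient reproduces the behaviour the issue reports (an assumed model
// of the exec.go logic, not the project's code): the first positional is
// the resource; when "--" is present the command is everything after it,
// and positionals between the resource and "--" are silently dropped.
func parseLenient(args []string, argsLenAtDash int) (ExecSpec, error) {
	var spec ExecSpec
	if len(args) > 0 && argsLenAtDash != 0 {
		spec.ResourceName = args[0]
	}
	switch {
	case argsLenAtDash > -1:
		spec.Command = args[argsLenAtDash:] // args[1:argsLenAtDash] is ignored here
	case len(args) > 1:
		return spec, errLegacyForm // legacy "exec POD COMMAND" without "--"
	}
	if spec.ResourceName == "" {
		return spec, errors.New("pod or type/name must be specified")
	}
	if len(spec.Command) == 0 {
		return spec, errors.New("you must specify at least one command for the container")
	}
	return spec, nil
}

// parseStrict adds the check the fix describes: when "--" is present there
// must be exactly one positional (the resource) in front of it.
func parseStrict(args []string, argsLenAtDash int) (ExecSpec, error) {
	if argsLenAtDash > 1 {
		return ExecSpec{}, errLegacyForm
	}
	return parseLenient(args, argsLenAtDash)
}

// dropped returns the positionals that parseLenient would discard for argv,
// which is what a user would want surfaced instead of silently losing them.
func dropped(argv []string) []string {
	args, n := splitAtDash(argv)
	if n <= 1 {
		return nil
	}
	return args[1:n]
}

func main() {
	// Constructed sample invocations (everything after "kubectl exec").
	cases := [][]string{
		{"mypod", "--", "bash"},
		{"mypod", "asd", "asd", "asd", "--", "bash"},
		{"mypod", "bash"},
	}
	for _, argv := range cases {
		args, n := splitAtDash(argv)
		lenient, lerr := parseLenient(args, n)
		_, serr := parseStrict(args, n)
		fmt.Printf("kubectl exec %s\n  lenient: %+v err=%v dropped=%v\n  strict:  err=%v\n",
			strings.Join(argv, " "), lenient, lerr, dropped(argv), serr)
	}
}
```

The second case is the one from the report: `parseLenient` returns resource `mypod` and command `bash` with no error, while `parseStrict` rejects it with the same message the legacy form already gets. The third case shows that the existing check only fires when `--` is absent, which is why the extra positionals slip through.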
@mbergo

mbergo commented Apr 19, 2025

/assign

@ardaguclu
Member

/translate kubernetes

@mpuckett159
Contributor

/triage accepted

/transfer-issue kubectl

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels May 21, 2025
@k8s-ci-robot k8s-ci-robot transferred this issue from kubernetes/kubernetes May 21, 2025
Projects
Status: Needs Triage
5 participants