Posts

Showing posts from 2026

Understanding the Kubernetes nodes/proxy GET RCE “Vulnerability” (And Why It’s Working as Intended)

When you think of a "security bug," you usually imagine something getting fixed — patches, CVEs, frantic updates… But what if the behavior you're calling a bug is actually working exactly the way the project maintainers intended?

That's the situation with an interesting Kubernetes authorization behavior involving the nodes/proxy GET permission. What looks like a Remote Code Execution (RCE) vector is actually a side-effect of how Kubernetes implements authorization for certain API paths — particularly the Kubelet's exec interfaces over WebSockets.

Let's unpack what's happening, why it matters, and most importantly: how it works.

What Does nodes/proxy GET Actually Allow?

Kubernetes Role-Based Access Control (RBAC) permissions are defined with resources and verbs. For example:

pods/exec CREATE - permits creating an exec session in a pod
pods/log GET - permits reading logs

But the nodes/proxy resource is a bit different: it's used t...