This message was deleted.

report here: https://github.com/rancher/rancher/security/advisories/GHSA-5m9j-x6v6-v2c3

Hey Winton, Adding here the key points we discussed via the vulnerability disclosure channel: The Rancher Manager Shell is a convenience feature, which enables users to access and manage their clusters from within the Rancher UI. And as any other Kubernetes native application, it abides by the same security primitives, so for example RBAC and

NetworkPolicy

. By default, all

kubectl

operations in the shell impersonate the user's permissions from a control plane perspective. Also, there are no

NetworkPolicy

blocking egress network traffic for the Shell pods. The option to completely disable this feature is already being tracked publicly, so I would recommend you add a comment that this feature is also important to you on that issue, so that the Product team can more effectively prioritise it. However, things you could do in the mean time: • Block egress from Shell pods by using a NetworkPolicy in your local cluster. • Block the scheduling of Shell pods at Admission point. This could be done via ValidatingAdmissionPolicy for example.