Describe the bug
There are two interconnected issues with the "Debug Node" (Node Shell) feature:
Pod Accumulation / Leakage: Every time a user clicks the "Debug" button on a node, Headlamp spawns a new ephemeral pod (e.g., node-debugger-xxx), even if a debug pod for that node already exists. Crucially, when the terminal dialog/session is closed, the corresponding pod is not deleted and remains in the cluster. Over time, this leads to a massive accumulation of dangling debug pods.
Security Risk with Default Namespace: The DEFAULT_NODE_SHELL_NAMESPACE is currently hardcoded to default. The spawned debug pod requires extreme privileges (hostPID: true, hostNetwork: true, hostIPC: true, and a hostPath volume mounting /). Defaulting to the default namespace forces administrators to label the entire default namespace as privileged under Pod Security Standards (PSS), which is a significant security anti-pattern.
Expected outcome:
Headlamp should either reuse an existing active debug pod for the node or reliably delete/clean up the pod when the terminal connection/dialog is closed.
The default namespace for the node shell should be changed to a dedicated, isolated namespace (e.g., headlamp-debug) rather than abusing default.
To Reproduce
Steps to reproduce the bug:
- Go to the Nodes list view and select a node.
- Click on the Debug button to open the Node Shell terminal.
- Close the terminal dialog.
- Run kubectl get pods -n default (or view via UI); the node-debugger-xxx pod is still there in Running or Completed state.
- Click Debug on the same node again, and observe that another new pod is created, compounding the leakage.
Environment (please provide info about your environment):
Installation type: In-Cluster
Headlamp Version: 0.42.0
Other: Kubernetes cluster with Pod Security Admission (PSA) enabled.
Additional Context
The hardcoded values can be traced back to the frontend helpers:
```TypeScript
export const DEFAULT_NODE_SHELL_LINUX_IMAGE = 'docker.io/library/busybox:latest';
export const DEFAULT_NODE_SHELL_NAMESPACE = 'default';
```
Since the pod spec explicitly breaks the baseline and restricted PSS profiles via hostPID/hostNetwork/hostIPC and a root hostPath mount, isolating this feature into a dedicated namespace by default (instead of default) would vastly improve Headlamp's out-of-the-box security posture.
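The following is an added example, not Headlamp's code, sketching the behaviour the "Expected outcome" section asks for: one debug pod per node (reused while it is still active), deletion of the pod when the terminal dialog closes, a dedicated namespace instead of default, and a check that explains why that namespace has to carry the privileged PSS label. The pod API is an in-memory stand-in constructed for the example; the namespace name, the label key and all function names are assumptions, not Headlamp identifiers.

```typescript
type PodPhase = 'Pending' | 'Running' | 'Succeeded' | 'Failed';

export interface DebugPod {
  name: string;
  namespace: string;
  nodeName: string;
  phase: PodPhase;
  labels: Record<string, string>;
}

// Assumed values: a dedicated namespace, as the issue suggests, and a label that
// identifies node-shell pods without relying on the generated name prefix.
export const NODE_SHELL_NAMESPACE = 'headlamp-debug';
export const NODE_SHELL_LABEL = 'headlamp.dev/node-shell';

// In-memory stand-in for the Kubernetes pod API (constructed for this example).
export class FakePodApi {
  private pods = new Map<string, DebugPod>();
  private seq = 0;

  list(namespace: string): DebugPod[] {
    return Array.from(this.pods.values()).filter(p => p.namespace === namespace);
  }

  create(namespace: string, nodeName: string): DebugPod {
    const pod: DebugPod = {
      name: `node-debugger-${++this.seq}`,
      namespace,
      nodeName,
      phase: 'Running',
      labels: { [NODE_SHELL_LABEL]: 'true' },
    };
    this.pods.set(`${namespace}/${pod.name}`, pod);
    return pod;
  }

  delete(namespace: string, name: string): boolean {
    return this.pods.delete(`${namespace}/${name}`);
  }
}

// Tracks which debug pods currently have an open terminal dialog.
export class NodeShellSessions {
  private open = new Set<string>();

  constructor(private api: FakePodApi) {}

  // An active (Pending/Running) node-shell pod already scheduled on this node.
  private findActive(nodeName: string): DebugPod | undefined {
    return this.api.list(NODE_SHELL_NAMESPACE).find(
      p => p.labels[NODE_SHELL_LABEL] === 'true' && p.nodeName === nodeName &&
        (p.phase === 'Running' || p.phase === 'Pending'),
    );
  }

  // Debug button clicked: reuse the existing pod instead of spawning another.
  openTerminal(nodeName: string): { pod: DebugPod; reused: boolean } {
    const existing = this.findActive(nodeName);
    const pod = existing ?? this.api.create(NODE_SHELL_NAMESPACE, nodeName);
    this.open.add(pod.name);
    return { pod, reused: existing !== undefined };
  }

  // Terminal dialog closed: delete the pod so nothing lingers in the cluster.
  closeTerminal(pod: DebugPod): boolean {
    this.open.delete(pod.name);
    return this.api.delete(pod.namespace, pod.name);
  }

  // Node-shell pods with no open terminal: the leak the issue describes.
  dangling(): DebugPod[] {
    return this.api.list(NODE_SHELL_NAMESPACE).filter(
      p => p.labels[NODE_SHELL_LABEL] === 'true' && !this.open.has(p.name),
    );
  }
}

// Subset of a pod spec covering the fields the issue cites.
export interface PodSpecSubset {
  hostPID?: boolean;
  hostNetwork?: boolean;
  hostIPC?: boolean;
  volumes?: { hostPath?: { path: string } }[];
}

// The node-shell spec as described in the issue (image and command omitted).
export const NODE_SHELL_SPEC: PodSpecSubset = {
  hostPID: true, hostNetwork: true, hostIPC: true,
  volumes: [{ hostPath: { path: '/' } }],
};

// Host namespaces and hostPath volumes are forbidden by the baseline PSS
// profile, so any namespace running this spec must be labelled privileged.
export function needsPrivilegedNamespace(spec: PodSpecSubset): boolean {
  return Boolean(spec.hostPID || spec.hostNetwork || spec.hostIPC ||
    spec.volumes?.some(v => v.hostPath !== undefined));
}
```

In a real implementation the node lookup would use a field selector on spec.nodeName plus the label selector rather than listing the whole namespace, and deletion on close should also be triggered from a disconnect/unload handler so a closed browser tab does not leave the pod behind.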