Kubeconfigs with context names that include special characters break Busola #3409

Closed
barchw opened this issue Oct 15, 2024 · 1 comment · Fixed by #3437
Labels
kind/bug Categorizes issue or PR as related to a bug.

barchw commented Oct 15, 2024

Description
When connecting to a cluster with a Kubeconfig whose context name includes special characters like `@` or a singular `-`, the Busola UI breaks, since the context name is used in the URL. The context name can even include path traversal related sequences like `..`

e.g. `bc-test-context/../../..` works as a context name

Expected result
Busola should sanitise the context path

Actual result
UI breaks

Steps to reproduce
You can use this script for Gardener:

```bash
#!/usr/bin/env bash
# The script returns a kubeconfig for the given ServiceAccount.
# You need kubectl on PATH with the context set to the cluster you want to create the config for.

######################
# Example: ./token.sh kyma-system istio-controller-manager cluster-admin
######################

set -euo pipefail

# Your server address goes here; get it via `kubectl cluster-info`
server_http=$(kubectl get cm -n kube-system shoot-info -o "jsonpath={.data['domain']}")
server="https://api.$server_http"
# Cosmetics for the created config
clustername=${server_http%%.*}
# The Namespace and ServiceAccount name that are used for the config
namespace=$1
sa_name=$2
crb_name=$3 # ClusterRoleBinding name

######################
#
# Check for an existing ServiceAccount first.
# `|| true` keeps `set -e` from aborting the script when the object does not exist yet.
sa_precheck=$(kubectl get sa "$sa_name" -o jsonpath='{.metadata.name}' -n "$namespace" 2>/dev/null || true)

if [ -z "$sa_precheck" ]
then
    kubectl create serviceaccount "$sa_name" -n "$namespace"
else
    echo "serviceaccount/$sa_precheck already exists"
fi

sa_name=$(kubectl get sa "$sa_name" -o jsonpath='{.metadata.name}' -n "$namespace")
sa_uid=$(kubectl get sa "$sa_name" -o jsonpath='{.metadata.uid}' -n "$namespace")

# Check for an existing secret/service-account-token; if one does not exist, create one but do not output to an external file
secret_precheck=$(kubectl get secret "${sa_name}-token-${sa_uid}" -o jsonpath='{.metadata.name}' -n "$namespace" 2>/dev/null || true)

if [ -z "$secret_precheck" ]
then
    kubectl apply -f - <<EOF
    apiVersion: v1
    kind: Secret
    type: kubernetes.io/service-account-token
    metadata:
      name: $sa_name-token-$sa_uid
      namespace: $namespace
      annotations:
        kubernetes.io/service-account.name: $sa_name
EOF
else
    echo "secret/$secret_precheck already exists"
fi

# Add the ServiceAccount as a subject of the existing ClusterRoleBinding
crb_test=$(kubectl get clusterrolebinding "$crb_name" -o jsonpath='{.metadata.name}' 2>/dev/null || true)
if [ "$crb_name" = "$crb_test" ]
then
    # The name and namespace must be quoted JSON strings inside the patch
    kubectl patch clusterrolebinding "$crb_name" --type='json' -p='[{"op": "add", "path": "/subjects/-", "value": {"kind": "ServiceAccount", "name": "'"$sa_name"'", "namespace": "'"$namespace"'" } }]'
else
    echo "clusterrolebinding/$crb_name does not exist, please fix"
    exit 1
fi

# Create Kube Config and output to config file
ca=$(kubectl get secret "${sa_name}-token-${sa_uid}" -o jsonpath='{.data.ca\.crt}' -n "$namespace")
token=$(kubectl get secret "${sa_name}-token-${sa_uid}" -o jsonpath='{.data.token}' -n "$namespace" | base64 --decode)

# The context name below contains `@`, which is what triggers the issue
echo "
apiVersion: v1
kind: Config
clusters:
  - name: ${clustername}
    cluster:
      certificate-authority-data: ${ca}
      server: ${server}
contexts:
  - name: ${sa_name}@${clustername}
    context:
      cluster: ${clustername}
      namespace: ${namespace}
      user: ${sa_name}
users:
  - name: ${sa_name}
    user:
      token: ${token}
current-context: ${sa_name}@${clustername}
" | tee "${sa_name}@${clustername}.yaml"
```

barchw commented Oct 15, 2024

/kind bug
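
One way to keep a context name confined to a single URL path segment, as the expected result above asks for. This is an added example, not part of the original issue and not Busola's code or the fix in #3437; the origin, the `/cluster/` route prefix and all function names are assumptions.

```javascript
// Added example, not Busola's code. ORIGIN and ROUTE_PREFIX are constructed.
const ORIGIN = 'https://busola.example';
const ROUTE_PREFIX = '/cluster/';

// Before: the raw context name is concatenated into the path, so the URL
// parser treats '/' as a separator and collapses '..' segments.
function naivePath(contextName) {
  return new URL(ROUTE_PREFIX + contextName + '/overview', ORIGIN).pathname;
}

// After: base64url of the UTF-8 bytes. The output alphabet is [A-Za-z0-9_-],
// so a segment can never be '.' or '..' or contain '/', '@', '%', '?' or '#'.
// Percent-encoding is not enough for the name '..': URL parsers also
// collapse '%2E%2E' as a dot segment.
function contextToSegment(contextName) {
  if (typeof contextName !== 'string' || contextName === '') {
    throw new TypeError('context name must be a non-empty string');
  }
  const bytes = new TextEncoder().encode(contextName);
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Inverse of contextToSegment; rejects anything outside the alphabet.
function segmentToContext(segment) {
  if (typeof segment !== 'string' || !/^[A-Za-z0-9_-]+$/.test(segment)) {
    throw new Error('invalid context segment');
  }
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64.padEnd(Math.ceil(b64.length / 4) * 4, '=');
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

function safePath(contextName) {
  const segment = contextToSegment(contextName);
  return new URL(ROUTE_PREFIX + segment + '/overview', ORIGIN).pathname;
}

// Constructed inputs: the name from the issue plus '..' and an '@' name.
for (const name of ['bc-test-context/../../..', '..', 'sa@shoot']) {
  console.log(JSON.stringify(name), naivePath(name), safePath(name));
}
```

The trade-off is that the segment is no longer human-readable; the decoded name should still be looked up against the contexts actually present in the loaded kubeconfig before it is used.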

@kyma-bot kyma-bot added the kind/bug Categorizes issue or PR as related to a bug. label Oct 15, 2024
@chriskari chriskari linked a pull request Oct 28, 2024 that will close this issue
@chriskari chriskari removed a link to a pull request Oct 28, 2024
@chriskari chriskari self-assigned this Oct 29, 2024
@chriskari chriskari linked a pull request Oct 30, 2024 that will close this issue