Support ChannelName RBAC mapping for executors #1023
Conversation
|
You have successfully added a new Trivy configuration |
helm/botkube/values.yaml
Outdated
| defaultNamespace: "default" | ||
| # -- RBAC configuration for this plugin. | ||
| rbac: | ||
| # -- Static impersonation for a given username and groups. | ||
| group: | ||
| user: |
There was a problem hiding this comment.
Moved user before group. I find it more readable this way.
There was a problem hiding this comment.
Let's comment out the user mapping completely from the default configuration.
So the default configuration will be only group mapping (botkube-plugins-read-only) and that's it. And we'll use the "internal" user for impersonation.
josefkarasek
force-pushed
the
generate-kubeconfig
branch
from
27f4004 to
8a63cba
Compare
There was a problem hiding this comment.
Code looks good, just minor comments. Please clean up the Helm chart according to the comments.
Also, can you provide an instruction in this PR how to test it with multiple channels? So that means just a very quick instruction what (Cluster)Role+(Cluster)RoleBinding resources create for two channels, and see that one command is possible on one, and a different one on the other one.
This will be a good basegroud for working on the RBAC doc. Thanks a lot!
helm/botkube/values.yaml
Outdated
| # default channel in slack & discord is called "general" | ||
| channelGroupName: &channel-group-name "general" |
There was a problem hiding this comment.
This is just for testing purposes, right? We shouldn't expose such option as it is up to the user to create proper resources. Of course we should document how to create (Cluster)Role + (Cluster)RoleBinding manually as a part of docs.
| # --- | ||
| # apiVersion: rbac.authorization.k8s.io/v1 | ||
| # kind: ClusterRole | ||
| # metadata: | ||
| # name: {{ .Values.rbac.channelGroupName }} | ||
| # labels: | ||
| # app.kubernetes.io/name: {{ include "botkube.name" . }} | ||
| # helm.sh/chart: {{ include "botkube.chart" . }} | ||
| # app.kubernetes.io/instance: {{ .Release.Name }} | ||
| # app.kubernetes.io/managed-by: {{ .Release.Service }} | ||
| # rules: | ||
| # {{- with .Values.rbac.rules }} | ||
| # {{- toYaml . | nindent 2 }} | ||
| # {{- end }} |
There was a problem hiding this comment.
As I wrote before, please remove it.
| # --- | ||
| # apiVersion: rbac.authorization.k8s.io/v1 | ||
| # kind: ClusterRoleBinding | ||
| # metadata: | ||
| # name: {{ .Values.rbac.channelGroupName }} | ||
| # labels: | ||
| # app.kubernetes.io/name: {{ include "botkube.name" . }} | ||
| # helm.sh/chart: {{ include "botkube.chart" . }} | ||
| # app.kubernetes.io/instance: {{ .Release.Name }} | ||
| # app.kubernetes.io/managed-by: {{ .Release.Service }} | ||
| # roleRef: | ||
| # apiGroup: rbac.authorization.k8s.io | ||
| # kind: ClusterRole | ||
| # name: {{ .Values.rbac.channelGroupName }} | ||
| # subjects: | ||
| # - kind: Group | ||
| # name: {{ .Values.rbac.channelGroupName }} | ||
| # apiGroup: rbac.authorization.k8s.io |
There was a problem hiding this comment.
As I wrote before, please remove it.
helm/botkube/values.yaml
Outdated
| defaultNamespace: "default" | ||
| # -- RBAC configuration for this plugin. | ||
| rbac: | ||
| # -- Static impersonation for a given username and groups. | ||
| group: | ||
| user: |
There was a problem hiding this comment.
Let's comment out the user mapping completely from the default configuration.
So the default configuration will be only group mapping (botkube-plugins-read-only) and that's it. And we'll use the "internal" user for impersonation.
helm/botkube/values.yaml
Outdated
| # -- Name of user.rbac.authorization.k8s.io the plugin will be bound to. | ||
| value: *static-group-name | ||
| # -- Name of group.rbac.authorization.k8s.io the plugin will be bound to. | ||
| values: [*static-group-name] # "botkube-plugins-read-only" is the default |
There was a problem hiding this comment.
Please remove the comment:
| values: [*static-group-name] # "botkube-plugins-read-only" is the default | |
| values: [*static-group-name] |
Apply it everywhere 👍
| @@ -116,25 +116,25 @@ sources: | |||
| # -- Describes Kubernetes source configuration. | |||
| # @default -- See the `values.yaml` file for full object. | |||
| botkube/kubernetes: | |||
| context: &defaultPluginContext | |||
| context: &default-plugin-context | |||
| defaultNamespace: "default" | |||
There was a problem hiding this comment.
Just FYI, @mszostok will be removing that as this is a part of Helm + Kubectl plugin config, which is already handled. So this field is redundant. You don't need to do anything, but just FYI 🙂
Co-authored-by: Pawel Kosiec <[email protected]>
|
FYI I used the following config for channel-name based mapping: communications:
"default-group":
socketSlack:
enabled: true
appToken: "xapp-"
botToken: "xoxb-"
notification:
type: "short"
channels:
"default":
name: botkube-demo
bindings:
executors:
- helm-3
sources:
- k8s-all-events
- k8s-recommendation-events
"secondary":
name: priv-channel
bindings:
executors:
- helm-3
sources:
- k8s-recommendation-events
- k8s-err-events
executors:
'helm-3':
botkube/helm@v1:
enabled: true
context:
defaultNamespace: "default"
rbac:
group:
type: ChannelName
botkube/kubectl:
enabled: true
# -- Custom kubectl configuration.
# @default -- See the `values.yaml` file for full object including optional properties related to interactive builder.
context:
defaultNamespace: "default"
rbac:
group:
type: ChannelName
plugins:
repositories:
botkube:
url: https://storage.googleapis.com/botkube-plugins-latest/plugins-index.yamlhelm install botkube -n botkube --create-namespace \
--set image.repository=kubeshop/pr/botkube \
--set image.tag=1023-PR \
-f ~/rbac-testing.values.yaml ./helm/botkubeResources: |
pkosiec
changed the title
Description
Changes proposed in this pull request:
Testing
Use executors:
Sources:
Self-host plugins
Install botkube:
channelNameRBAC config to your plugins.Values.rbac.channelGroupNameis your slack channel name, in which you intend to test this PR.During testing add create/update/delete verbs to ClusterRole
{{ .Values.rbac.channelGroupName }}.Check that you don't have permissions when running botkube in a different channel.
Scenario: 2 channels with different RBAC
Create two socketSlack channels and invite Botkube
Define helm executors
helm-1uses default read only configuration.helm-2uses a custom rbac definitionhelm-editor:In channel
ch-1list helm targets@Botkube helm list- this should work, ashelm-1has read scope.Try to apply a target
@Botkube helm install --repo https://charts.bitnami.com/bitnami psql postgresql- this should not work.Try the same in
ch-2- it should work, becausehelm2has create scope.With
@Botkube helm listinch-1you should see the postgresql target.Related issue(s)
#934