How can I create botkube without giving "clusterrole" #227
Comments
@daegeun-ha if we use clusterrole, then BotKube won't be able to monitor cluster-scoped resources like PV, Namespace, Node, etc. We should have a field in BotKube config (something like
We also know about that problem (won't be able to monitor cluster-scoped resources). Can I resolve this problem?

    E1216 01:55:23.030699 1 reflector.go:123] pkg/mod/k8s.io/client-go@v0.0.0-20190918160344-1fbdaa4c8d90/tools/cache/reflector.go:96: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:monitoring:botkube-sa" cannot list resource "statefulsets" in API group "apps" at the cluster scope
I hope this problem is solved. If the problem is solved, our team can use botkube to improve work efficiency.
Hey @daegeun-ha,
@PrasadG193 Thanks for the reply!
[role]
[serviceAccount]
[roleBinding]
Also, can you send the BotKube resource configuration?
And... I think it's a problem of getting k8s events from the API server without a clusterrole. Could a dynamic informer solve this problem?
Below is the botkube resource configuration! (Currently, for the experiment, I removed the other resources from the configuration.) config:
If you set the “default” service account in the deployment, you don’t need to create the RBAC resources (clusterrole, clusterrolebinding and serviceaccount). We should support changing the service account through the helm chart.
If you use role and rolebindings or the “default” namespace, setting “all” namespaces in the resource config won’t work. You will be able to watch only the namespace in which BotKube is deployed. Can you try replacing “all” namespaces with the appropriate namespace?
@PrasadG193 OK, I'll try it the day after tomorrow. Happy new year! :>
I have set include namespaces to one particular namespace and am using the default service account, and am only watching namespace-relevant elements, but I still get the message that the account doesn't have cluster scope.

    E0213 04:22:50.567085 1 reflector.go:123] pkg/mod/k8s.io/client-go@v0.0.0-20190918160344-1fbdaa4c8d90/tools/cache/reflector.go:96: Failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:namespace:default" cannot list nodes at the cluster scope: no RBAC policy matched

I presume the issue lies in these two being initialized:
Although I don't understand this line:
@nadilas How are you deploying BotKube? I am assuming you are using deploy-all-in-one.yaml. If you are deploying BotKube in a namespace other than
@PrasadG193 hi, I’m deploying namespace in a dedicated xy namespace, which I want to monitor. It should be namespaced and only look at resources within that namespace. I do not have cluster-level access, hence I cannot create a ClusterRoleBinding. I want to restrict it to just the one.
Understood. By default BotKube registers informers for all the resources. There should be a check to skip cluster-level resources, as proposed in this issue.
@PrasadG193 Should be no issue, although I think I had that initially.. let me try it first thing on Monday.
Now it is possible to change the default RBAC rules while installing BotKube via helm. Please have a look at the default values: https://github.com/infracloudio/botkube/blob/develop/helm/botkube/values.yaml#L311
Sorry @PrasadG193 ... I eventually got around to testing this... it doesn't seem to work at all. I have set the included namespace for every single resource, like:

    - name: pod
      namespaces:
        include:
          - namespace
      events:
        - all

But on startup it still runs into the same issue:

    E0524 11:01:29.849217 1 reflector.go:156] pkg/mod/k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108: Failed to list *v1.Service: services is forbidden: User "system:serviceaccount:namespace:default" cannot list services at the cluster scope: no RBAC policy matched
    E0524 11:01:30.049081 1 reflector.go:156] pkg/mod/k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108: Failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:namespace:default" cannot list nodes at the cluster scope: no RBAC policy matched
    E0524 11:01:30.249372 1 reflector.go:156] pkg/mod/k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108: Failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:namespace:default" cannot list pods at the cluster scope: no RBAC policy matched
Fixed with #253 |
Hi @PrasadG193, I did a test and it seems the clusterrole is still needed. I have been using the latest image with tag v0.11.0, as per your merged fix #253, but no luck.
I have followed the same instructions above as well, listing all the resources with the include namespace.
Thanks @kelvinwijaya for reporting. I will take a look |
hey @kelvinwijaya Can you please share the role, rolebinding and serviceaccount you used to test?
@PrasadG193 we are using DynamicInformer, which by default takes all namespaces: https://github.com/infracloudio/botkube/blob/develop/pkg/utils/utils.go#L141 Also, we have the ResourceInformer map https://github.com/infracloudio/botkube/blob/develop/pkg/utils/utils.go#L144 which stores an Informer per resource for all namespaces by default. I think we can modify the map and store the informer for a particular namespace for that resource. Let me know your take on it.
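The scoping check discussed in the two comments above (a namespaced Role cannot satisfy a watch on “all” namespaces, and cluster-scoped kinds such as Node have no namespaced form at all) can be made concrete with the following added Go example. It is not BotKube's code and not the fix from #253: the ResourceConfig fields, the clusterScoped table and PlanInformers are assumptions chosen to resemble the config posted in this thread. What it shows is why the reflector errors say "at the cluster scope": client-go's metav1.NamespaceAll is the empty string, and an informer factory created with it lists cluster-wide, which a Role bound in one namespace cannot authorise. The plan it produces is what one would feed, per namespace, into dynamicinformer.NewFilteredDynamicSharedInformerFactory.

```go
package main

import (
	"fmt"
	"sort"
)

// NamespaceAll mirrors metav1.NamespaceAll from client-go: the empty string,
// which makes an informer list and watch at the cluster scope.
const NamespaceAll = ""

// ResourceConfig is an assumed, simplified shape of one entry of BotKube's
// resources config (name, namespaces.include, events). "all" in Include is
// the thread's way of asking for every namespace.
type ResourceConfig struct {
	Name    string
	Include []string
	Events  []string
}

// clusterScoped lists kinds that have no namespace; any informer for them is
// necessarily a cluster-scoped list/watch. The table is an assumption for the
// example, not BotKube's.
var clusterScoped = map[string]bool{
	"node": true, "namespace": true, "persistentvolume": true,
	"clusterrole": true, "clusterrolebinding": true, "storageclass": true,
}

// InformerPlan maps a resource name to the namespaces an informer factory
// must be started in. A single NamespaceAll entry means one cluster-wide watch.
type InformerPlan map[string][]string

// PlanInformers decides the scope of every informer before any API call is
// made. hasClusterRole reports whether the service account is bound through a
// ClusterRoleBinding; without it, "all" is a hard configuration error (the
// API server would return 403 at the cluster scope) and cluster-scoped kinds
// are skipped rather than registered.
func PlanInformers(cfg []ResourceConfig, hasClusterRole bool) (InformerPlan, []string, error) {
	plan := InformerPlan{}
	var skipped []string
	for _, r := range cfg {
		if clusterScoped[r.Name] {
			if !hasClusterRole {
				skipped = append(skipped, r.Name)
				continue
			}
			plan[r.Name] = []string{NamespaceAll}
			continue
		}
		wantAll := false
		nsSet := map[string]bool{}
		for _, ns := range r.Include {
			if ns == "all" || ns == NamespaceAll {
				wantAll = true
				continue
			}
			nsSet[ns] = true
		}
		switch {
		case wantAll && hasClusterRole:
			plan[r.Name] = []string{NamespaceAll}
		case wantAll:
			return nil, nil, fmt.Errorf("resource %q: namespaces.include contains \"all\" but the service account has no ClusterRole", r.Name)
		case len(nsSet) == 0:
			return nil, nil, fmt.Errorf("resource %q: no namespace configured", r.Name)
		default:
			// One factory per distinct namespace; sorted for deterministic output.
			nss := make([]string, 0, len(nsSet))
			for ns := range nsSet {
				nss = append(nss, ns)
			}
			sort.Strings(nss)
			plan[r.Name] = nss
		}
	}
	return plan, skipped, nil
}

func main() {
	// Constructed config resembling the one posted in the thread; "xy" stands
	// in for the tenant namespace BotKube is deployed to.
	cfg := []ResourceConfig{
		{Name: "pod", Include: []string{"xy"}, Events: []string{"all"}},
		{Name: "service", Include: []string{"xy"}, Events: []string{"all"}},
		{Name: "node", Include: []string{"all"}, Events: []string{"all"}},
	}
	plan, skipped, err := PlanInformers(cfg, false) // namespaced Role only
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	for name, nss := range plan {
		fmt.Printf("%s: start a factory in %q\n", name, nss)
	}
	fmt.Println("skipped cluster-scoped kinds:", skipped)
}
```

Each namespace in the plan would become its own dynamicinformer.NewFilteredDynamicSharedInformerFactory(client, resync, ns, nil) call, keyed in the per-resource informer map by (resource, namespace) rather than by resource alone; with only a Role in "xy", the service account then never issues a cluster-scoped LIST and the forbidden errors quoted above do not occur.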
Is this still current? I am trying to deploy botkube in a cluster where we cannot leverage the ClusterRole as low-privileged tenants. I am able to list resources within my own namespace and have scoped the config to do just that. But I still see botkube trying to list resources in that namespace at the cluster scope.
Our service-account manifest
As an example, kubewatch is able to restrict itself to a namespace without requiring cluster-wide permissions.
Hi,
Is your feature request related to a problem? Please describe.
In our company, the kubernetes cluster is big, so not every developer has authorization to create a 'clusterrole' resource. And if I use just a 'role' rather than a 'clusterrole', lots of error messages appear, like below.

    pkg/mod/k8s.io/client-go@v0.0.0-20190918160344-1fbdaa4c8d90/tools/cache/reflector.go:96: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:test-rbac:botkube-sa" cannot list resource "statefulsets" in API group "apps" at the cluster scope
Describe the solution you'd like
Can I use different k8s library for getting events from k8s api server?
Describe alternatives you've considered
Can I use a different k8s library for getting events from the k8s api server? (I don't have an exact solution...)
Additional context