Fix kubectl builder perms checker #1380

Merged 2 commits on Feb 13, 2024

@mszostok mszostok commented Feb 12, 2024

Description

Changes proposed in this pull request:

  • Fix kubectl builder perms checker

Testing

Demo recording uploaded to Slack as it doesn't fit GitHub limits: https://kubeshop.slack.com/archives/C03MRCX7UE9/p1707757327981479?thread_ts=1707493295.011349&cid=C03MRCX7UE9

Here is the config that I used for testing:

YAML Config

communications:
  default-group:
    socketSlack:
      enabled: true
      channels:
        default:
          name: no-rbac
          bindings:
            sources: []
            executors: 
              - kc-missing-rbac
        reader:
          name: reader
          bindings:
            executors:
              - kc-reader
        deleter:
          name: deleter
          bindings:
            executors:
              - kc-deleter
      appToken: "xapp-1-"
      botToken: "xoxb-"

executors:
  kc-missing-rbac:
    botkube/kubectl:
      enabled: true
      context:
        rbac:
          group:
            type: Static
            static:
              values: [ "not-found" ]
      config:
        defaultNamespace: "default"
        interactiveBuilder:
          allowed:
            verbs: [ "api-resources", "api-versions", "cluster-info", "describe", "explain", "get", "logs", "top", "delete" ]
            resources: [ "deployments", "pods", "namespaces", "daemonsets", "statefulsets", "storageclasses", "nodes", "configmaps", "services", "ingresses", "replicasets", "secrets", "cronjobs", "jobs" ]

  kc-reader:
    botkube/kubectl:
      enabled: true
      context:
        rbac:
          group:
            type: Static
            static:
              values: [ "botkube-plugins-default" ]
      config:
        defaultNamespace: "default"
        interactiveBuilder:
          allowed:
            verbs: [ "api-resources", "api-versions", "cluster-info", "describe", "explain", "get", "logs", "top", "delete" ]
            resources: [ "deployments", "pods", "namespaces", "daemonsets", "statefulsets", "storageclasses", "nodes", "configmaps", "services", "ingresses", "replicasets", "secrets", "cronjobs", "jobs" ]

  kc-deleter:
    botkube/kubectl:
      enabled: true
      context:
        rbac:
          group:
            type: Static
            static:
              values: [ "flux-write" ]
      config:
        defaultNamespace: "default"
        interactiveBuilder:
          allowed:
            verbs: [ "api-resources", "api-versions", "cluster-info", "describe", "explain", "get", "logs", "top", "delete" ]
            resources: [ "deployments", "pods", "namespaces", "daemonsets", "statefulsets", "storageclasses", "nodes", "configmaps", "services", "ingresses", "replicasets", "secrets", "cronjobs", "jobs" ]

plugins:
  cacheDir: "/tmp/plugins"
  repositories:
    botkube:
      url: http://host.k3d.internal:3010/botkube.yaml

settings:
  log:
    level: "debug"
    formatter: text
  kubeconfig: "/Users/mszostok/.kube/config"
  clusterName: "labs"
  upgradeNotifier: false

analytics:
  disable: true

Related issue(s)

Fix #1379

@mszostok mszostok added the bug Something isn't working label Feb 12, 2024
@mszostok mszostok marked this pull request as ready for review February 12, 2024 22:01
@mszostok mszostok requested review from PrasadG193 and a team as code owners February 12, 2024 22:01
@mszostok (Contributor, Author) commented

CI tests are failing in the same way on main so it's not related to the PR itself: https://github.com/kubeshop/botkube/actions/runs/7870841341/job/21473234766

We need to investigate that.

@pkosiec pkosiec (Member) left a comment

Code and demo LGTM 🚀 didn't test it personally, but I'll try it out after releasing the latest main plugins 👍

@@ -26,7 +26,7 @@ func main() {
portInt, err := strconv.Atoi(port)
loggerx.ExitOnError(err, "while starting server")

binDir := filepath.Join(dir, "plugin-dist")
binDir := filepath.Join(dir, "../plugin-dist")
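
Review bot: the `..` in `binDir := filepath.Join(dir, "../plugin-dist")` is undocumented, so nothing on this line says which directory the server is now expected to be started from. Because `dir` is joined with a relative parent path, starting the server from a different location would silently point `binDir` at another directory; add a short comment stating the expected start directory, or make the path overridable and exit with an error when `binDir` does not exist.
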
Member:

What is the reason of this change?

Contributor Author:

Tests now have their own go.mod, so you need to run the server from the tests folder, and it breaks the flow as the dir is taken from the current path 🙂

@mszostok mszostok merged commit 3535efc into kubeshop:main Feb 13, 2024
16 checks passed
@mszostok mszostok deleted the fix-kc-auth branch February 13, 2024 10:26
Linked issue: Handle non-native k8s verbs in kubectl auth service