Installing botkube with restricted cluster #977

gauravwadghule · 2023-02-10T10:55:42Z

Description

We are trying to install botkube in the restricted cluster where we are having only access to a single namespace even we dont have access to get namespaces.

Getting below error in botkube pod.

cannot get resource "namespaces" in API group "" in the namespace "kube-system"

Steps to reproduce

values.yaml

`# Formatting rules:
#
# | Sign | Description |
# |------|--------------------------------------------------------------------------|
# | # -- | Comment is rendered into README.md. |
# | # | Only if defined after '# --' signifies the continuation of the sentence. |
# | ## | Comment is ignored during README.md rendering. |
#
# Read more at https://github.com/norwoodj/helm-docs

## Botkube image configuration.
image:
  # -- Botkube container image registry.
  registry: ghcr.io
  # -- Botkube container image repository.
  repository: kubeshop/botkube
  # -- Botkube container image pull policy.
  pullPolicy: IfNotPresent
  # -- Botkube container image tag. Default tag is `appVersion` from Chart.yaml.
  tag: v9.99.9-dev

# -- Configures Pod Security Policy to allow Botkube to run in restricted clusters.
# [Ref doc](https://kubernetes.io/docs/concepts/policy/pod-security-policy/).
podSecurityPolicy:
  enabled: false

# -- Configures security context to manage user Privileges in Pod.
# [Ref doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod).
# @default -- Runs as a Non-Privileged user.
securityContext:
  runAsUser: 101
  runAsGroup: 101

# -- Configures container security context.
# [Ref doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container).
containerSecurityContext:
  privileged: false
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true

## Kubeconfig settings used by Botkube.
kubeconfig:
  # -- If true, enables overriding the Kubernetes auth.
  enabled: false
  # -- A base64 encoded kubeconfig that will be stored in a Secret, mounted to the Pod, and specified in the KUBECONFIG environment variable.
  base64Config: ""
  # -- A Secret containing a kubeconfig to use.
  ## Secret format:
  ##  data:
  ##    config: {base64_encoded_kubeconfig}
  existingSecret: ""

# -- Map of actions. Action contains configuration for automation based on observed events.
# The property name under `actions` object is an alias for a given configuration. You can define multiple actions configuration with different names.
# @default -- See the `values.yaml` file for full object.
#
## Format: actions.{alias}
actions:
  'describe-created-resource':
    # -- If true, enables the action.
    enabled: false
    # -- Action display name posted in the channels bound to the same source bindings.
    displayName: "Describe created resource"
    # -- Command to execute when the action is triggered. You can use Go template (https://pkg.go.dev/text/template) together with all helper functions defined by Slim-Sprig library (https://go-task.github.io/slim-sprig).
    # You can use the `{{ .Event }}` variable, which contains the event object that triggered the action. See all available event properties on https://github.com/kubeshop/botkube/blob/main/pkg/event/event.go.
    # @default -- See the `values.yaml` file for the command in the Go template form.
    command: "kubectl describe {{ .Event.TypeMeta.Kind | lower }}{{ if .Event.Namespace }} -n {{ .Event.Namespace }}{{ end }} {{ .Event.Name }}"

    # -- Bindings for a given action.
    bindings:
      # -- Event sources that trigger a given action.
      sources:
        - k8s-create-events
      # -- Executors configuration used to execute a configured command.
      executors:
        - kubectl-read-only
  'show-logs-on-error':
    # -- If true, enables the action.
    enabled: false

    # -- Action display name posted in the channels bound to the same source bindings.
    displayName: "Show logs on error"
    # -- Command to execute when the action is triggered. You can use Go template (https://pkg.go.dev/text/template) together with all helper functions defined by Slim-Sprig library (https://go-task.github.io/slim-sprig).
    # You can use the `{{ .Event }}` variable, which contains the event object that triggered the action. See all available event properties on https://github.com/kubeshop/botkube/blob/main/pkg/event/event.go.
    # @default -- See the `values.yaml` file for the command in the Go template form.
    command: "kubectl logs {{ .Event.TypeMeta.Kind | lower }}/{{ .Event.Name }} -n {{ .Event.Namespace }}"

    # -- Bindings for a given action.
    bindings:
      # -- Event sources that trigger a given action.
      sources:
        - k8s-err-with-logs-events
      # -- Executors configuration used to execute a configured command.
      executors:
        - kubectl-read-only

# -- Map of sources. Source contains configuration for Kubernetes events and sending recommendations.
# The property name under `sources` object is an alias for a given configuration. You can define multiple sources configuration with different names.
# Key name is used as a binding reference.
# @default -- See the `values.yaml` file for full object.
#
## Format: sources.{alias}
sources:
  'k8s-recommendation-events':
    displayName: "Kubernetes Recommendations"
    # -- Describes Kubernetes source configuration.
    # @default -- See the `values.yaml` file for full object.
    kubernetes:
      # -- Describes configuration for various recommendation insights.
      recommendations:
        # -- Recommendations for Pod Kubernetes resource.
        pod:
          # -- If true, notifies about Pod containers that use `latest` tag for images.
          noLatestImageTag: true
          # -- If true, notifies about Pod resources created without labels.
          labelsSet: true
        # -- Recommendations for Ingress Kubernetes resource.
        ingress:
          # -- If true, notifies about Ingress resources with invalid backend service reference.
          backendServiceValid: true
          # -- If true, notifies about Ingress resources with invalid TLS secret reference.
          tlsSecretValid: true

  'k8s-all-events':
    displayName: "Kubernetes Info"
    # -- Describes Kubernetes source configuration.
    # @default -- See the `values.yaml` file for full object.
    kubernetes:
      # -- Describes namespaces for every Kubernetes resources you want to watch or exclude.
      # These namespaces are applied to every resource specified in the resources list.
      # However, every specified resource can override this by using its own namespaces object.
      namespaces: &k8s-events-namespaces
        # -- Include contains a list of allowed Namespaces.
        # It can also contain regex expressions:
        #  `- ".*"` - to specify all Namespaces.
        include:
          - "my-namespace"
        # -- Exclude contains a list of Namespaces to be ignored even if allowed by Include.
        # It can also contain regex expressions:
        #  `- "test-.*"` - to specif all Namespaces with `test-` prefix.
        # Exclude list is checked before the Include list.
        exclude: 
          - ".*"

      # -- Describes event constraints for Kubernetes resources.
      # These constraints are applied for every resource specified in the `resources` list, unless they are overridden by the resource's own `events` object.
      event:
        # -- Lists all event types to be watched.
        types:
          - create
          - delete
          - error
        # -- Optional list of exact values or regex patterns to filter events by event reason.
        # Skipped, if both include/exclude lists are empty.
        reason:
          # -- Include contains a list of allowed values. It can also contain regex expressions.
          include: []
          # -- Exclude contains a list of values to be ignored even if allowed by Include. It can also contain regex expressions.
          # Exclude list is checked before the Include list.
          exclude: []
        # -- Optional list of exact values or regex patterns to filter event by event message. Skipped, if both include/exclude lists are empty.
        # If a given event has multiple messages, it is considered a match if any of the messages match the constraints.
        message:
          # -- Include contains a list of allowed values. It can also contain regex expressions.
          include: []
          # -- Exclude contains a list of values to be ignored even if allowed by Include. It can also contain regex expressions.
          # Exclude list is checked before the Include list.
          exclude: []

      # -- Filters Kubernetes resources to watch by annotations. Each resource needs to have all the specified annotations.
      # Regex expressions are not supported.
      annotations: {}
      # -- Filters Kubernetes resources to watch by labels. Each resource needs to have all the specified labels.
      # Regex expressions are not supported.
      labels: {}

      # -- Describes the Kubernetes resources to watch.
      # Resources are identified by its type in `{group}/{version}/{kind (plural)}` format. Examples: `apps/v1/deployments`, `v1/pods`.
      # Each resource can override the namespaces and event configuration by using dedicated `event` and `namespaces` field.
      # Also, each resource can specify its own `annotations`, `labels` and `name` regex.
      # @default -- See the `values.yaml` file for full object.
      resources:
        - type: v1/pods
#          namespaces:             # Overrides 'source'.kubernetes.namespaces
#            include:
#              - ".*"
#            exclude: []
#          annotations: {}         # Overrides 'source'.kubernetes.annotations
#          labels: {}              # Overrides 'source'.kubernetes.labels
#          # Optional resource name constraints.
#          name:
#            # Include contains a list of allowed values. It can also contain regex expressions.
#            include: []
#            # Exclude contains a list of values to be ignored even if allowed by Include. It can also contain regex expressions.
#            # Exclude list is checked before the Include list.
#            exclude: []
#          event:
#            # Overrides 'source'.kubernetes.event.reason
#            reason:
#              include: []
#              exclude: []
#            # Overrides 'source'.kubernetes.event.message
#            message:
#              include: []
#              exclude: []
#            # Overrides 'source'.kubernetes.event.types
#            types:
#              - create

        - type: v1/services
        # - type: networking.k8s.io/v1/ingresses
        # - type: v1/nodes
        # - type: v1/namespaces
        - type: v1/persistentvolumes
        - type: v1/persistentvolumeclaims
        - type: v1/configmaps
        - type: rbac.authorization.k8s.io/v1/roles
        - type: rbac.authorization.k8s.io/v1/rolebindings
        - type: rbac.authorization.k8s.io/v1/clusterrolebindings
        - type: rbac.authorization.k8s.io/v1/clusterroles
        - type: apps/v1/daemonsets
          event: # Overrides 'source'.kubernetes.event
            types:
              - create
              - update
              - delete
              - error
          updateSetting:
            includeDiff: true
            fields:
              - spec.template.spec.containers[*].image
              - status.numberReady
        - type: batch/v1/jobs
          event: # Overrides 'source'.kubernetes.event
            types:
              - create
              - update
              - delete
              - error
          updateSetting:
            includeDiff: true
            fields:
              - spec.template.spec.containers[*].image
              - status.conditions[*].type
        - type: apps/v1/deployments
          event: # Overrides 'source'.kubernetes.event
            types:
              - create
              - update
              - delete
              - error
          updateSetting:
            includeDiff: true
            fields:
              - spec.template.spec.containers[*].image
              - status.availableReplicas
        - type: apps/v1/statefulsets
          event: # Overrides 'source'.kubernetes.event
            types:
              - create
              - update
              - delete
              - error
          updateSetting:
            includeDiff: true
            fields:
              - spec.template.spec.containers[*].image
              - status.readyReplicas
       ## Custom resource example
       # - type: velero.io/v1/backups
       #   namespaces:
       #     include:
       #       - ".*"
       #     exclude:
       #       -
       #   event:
       #     types:
       #       - create
       #       - update
       #       - delete
       #       - error
       #   updateSetting:
       #     includeDiff: true
       #     fields:
       #       - status.phase

  'k8s-err-events':
    displayName: "Kubernetes Errors"

    # -- Describes Kubernetes source configuration.
    # @default -- See the `values.yaml` file for full object.
    kubernetes:
      # -- Describes namespaces for every Kubernetes resources you want to watch or exclude.
      # These namespaces are applied to every resource specified in the resources list.
      # However, every specified resource can override this by using its own namespaces object.
      namespaces: *k8s-events-namespaces

      # -- Describes event constraints for Kubernetes resources.
      # These constraints are applied for every resource specified in the `resources` list, unless they are overridden by the resource's own `events` object.
      event:
        # -- Lists all event types to be watched.
        types:
          - error

      # -- Describes the Kubernetes resources you want to watch.
      # @default -- See the `values.yaml` file for full object.
      resources:
        - type: v1/pods
        - type: v1/services
        # - type: networking.k8s.io/v1/ingresses
        # - type: v1/nodes
        # - type: v1/namespaces
        - type: v1/persistentvolumes
        - type: v1/persistentvolumeclaims
        - type: v1/configmaps
        - type: rbac.authorization.k8s.io/v1/roles
        - type: rbac.authorization.k8s.io/v1/rolebindings
        - type: rbac.authorization.k8s.io/v1/clusterrolebindings
        - type: rbac.authorization.k8s.io/v1/clusterroles
        - type: apps/v1/deployments
        - type: apps/v1/statefulsets
        - type: apps/v1/daemonsets
        - type: batch/v1/jobs
  'k8s-err-with-logs-events':
    displayName: "Kubernetes Errors for resources with logs"

    # -- Describes Kubernetes source configuration.
    # @default -- See the `values.yaml` file for full object.
    kubernetes:
      # -- Describes namespaces for every Kubernetes resources you want to watch or exclude.
      # These namespaces are applied to every resource specified in the resources list.
      # However, every specified resource can override this by using its own namespaces object.
      namespaces: *k8s-events-namespaces

      # -- Describes event constraints for Kubernetes resources.
      # These constraints are applied for every resource specified in the `resources` list, unless they are overridden by the resource's own `events` object.
      event:
        # -- Lists all event types to be watched.
        types:
          - error

      # -- Describes the Kubernetes resources you want to watch.
      # @default -- See the `values.yaml` file for full object.
      resources:
        - type: v1/pods
        - type: apps/v1/deployments
        - type: apps/v1/statefulsets
        - type: apps/v1/daemonsets
        - type: batch/v1/jobs
        # `apps/v1/replicasets` excluded on purpose - to not show logs twice for a given higher-level resource (e.g. Deployment)

  'k8s-create-events':
    displayName: "Kubernetes Resource Created Events"

    # -- Describes Kubernetes source configuration.
    # @default -- See the `values.yaml` file for full object.
    kubernetes:
      # -- Describes namespaces for every Kubernetes resources you want to watch or exclude.
      # These namespaces are applied to every resource specified in the resources list.
      # However, every specified resource can override this by using its own namespaces object.
      namespaces: *k8s-events-namespaces

      # -- Describes event constraints for Kubernetes resources.
      # These constraints are applied for every resource specified in the `resources` list, unless they are overridden by the resource's own `events` object.
      event:
        # -- Lists all event types to be watched.
        types:
          - create

      # -- Describes the Kubernetes resources you want to watch.
      # @default -- See the `values.yaml` file for full object.
      resources:
        - type: v1/pods
        - type: v1/services
        # - type: networking.k8s.io/v1/ingresses
        # - type: v1/nodes
        # - type: v1/namespaces
        - type: v1/configmaps
        - type: apps/v1/deployments
        - type: apps/v1/statefulsets
        - type: apps/v1/daemonsets
        - type: batch/v1/jobs

  'prometheus':
    ## Prometheus source configuration
    ## Plugin name syntax: <repo>/<plugin>[@<version>]. If version is not provided, the latest version from repository is used.
    botkube/prometheus:
      # -- If true, enables `prometheus` source.
      enabled: false
      config:
        # -- Prometheus endpoint without api version and resource.
        url: "http://localhost:9090"
        # -- If set as true, Prometheus source plugin will not send alerts that is created before plugin start time.
        ignoreOldAlerts: true
        # -- Only the alerts that have state provided in this config will be sent as notification. https://pkg.go.dev/github.com/prometheus/prometheus/rules#AlertState
        alertStates: ["firing", "pending", "inactive"]
        # -- Logging configuration
        log:
          # -- Log level
          level: info

# -- Filter settings for various sources.
# Currently, all filters are globally enabled or disabled.
# You can enable or disable filters with `@Botkube enable/disable filters` commands.
# @default -- See the `values.yaml` file for full object.
filters:
  kubernetes:
    # -- If true, enables support for `botkube.io/disable` and `botkube.io/channel` resource annotations.
    objectAnnotationChecker: true
    # -- If true, filters out Node-related events that are not important.
    nodeEventsChecker: true

# -- Map of executors. Executor contains configuration for running `kubectl` commands.
# The property name under `executors` is an alias for a given configuration. You can define multiple executor configurations with different names.
# Key name is used as a binding reference.
# @default -- See the `values.yaml` file for full object.
#
## Format: executors.{alias}
executors:
  'kubectl-read-only':
    ## Kubectl executor configuration.
    kubectl:
      namespaces:
        # -- List of allowed Kubernetes Namespaces for command execution.
        # It can also contain a regex expressions:
        #  `- ".*"` - to specify all Namespaces.
        include:
          - ".*"
        # -- List of ignored Kubernetes Namespace.
        # It can also contain a regex expressions:
        #  `- "test-.*"` - to specify all Namespaces.
        exclude: []
      # -- If true, enables `kubectl` commands execution.
      enabled: false
      ## List of allowed `kubectl` commands.
      commands:
        # -- Configures which `kubectl` methods are allowed.
        verbs: ["api-resources", "api-versions", "cluster-info", "describe", "explain", "get", "logs", "top"]
        # -- Configures which K8s resource are allowed.
        resources: ["deployments", "pods", "namespaces", "daemonsets", "statefulsets", "storageclasses", "nodes", "configmaps", "services", "ingresses"]
      # -- Configures the default Namespace for executing Botkube `kubectl` commands. If not set, uses the 'default'.
      defaultNamespace: my-namespace
      # -- If true, enables commands execution from configured channel only.
      restrictAccess: false

  'helm':
    ## Helm executor configuration
    ## Plugin name syntax: <repo>/<plugin>[@<version>]. If version is not provided, the latest version from repository is used.
    botkube/helm:
      # -- If true, enables `helm` commands execution.
      enabled: false
      config:
        # -- Allowed values are configmap, secret, memory.
        helmDriver: "secret"
        # -- Location for storing Helm configuration.
        helmConfigDir: "/tmp/helm/"
        # -- Location for storing cached files. Must be under the Helm config directory.
        helmCacheDir: "/tmp/helm/.cache"

# -- Custom aliases for given commands.
# The aliases are replaced with the underlying command before executing it.
# Aliases can replace a single word or multiple ones. For example, you can define a `k` alias for `kubectl`, or `kgp` for `kubectl get pods`.
# @default -- See the `values.yaml` file for full object.
#
## Format: aliases.{alias}
aliases:
  kc:
    command: kubectl
    displayName: "Kubectl alias"
  k:
    command: kubectl
    displayName: "Kubectl alias"
## Multi-word alias example:
#  kgp:
#    command: kubectl get pods
#    displayName: "Get pods"

# -- Configures existing Secret with communication settings. It MUST be in the `botkube` Namespace.
# To reload Botkube once it changes, add label `botkube.io/config-watch: "true"`.
## Secret format:
##  stringData:
##    comm_config.yaml: |
##      communications:
##        # Here specify settings for each app, like Slack, Mattermost etc.
##        # NOTE: Use setting format visible below.
existingCommunicationsSecretName: ""

# -- Map of communication groups. Communication group contains settings for multiple communication platforms.
# The property name under `communications` object is an alias for a given configuration group. You can define multiple communication groups with different names.
# @default -- See the `values.yaml` file for full object.
#
## Format: communications.{alias}
communications:
  'default-group':
    ## Settings for Slack with Socket Mode.
    socketSlack:
      # -- If true, enables Slack bot.
      enabled: true
      # -- Map of configured channels. The property name under `channels` object is an alias for a given configuration.
      #
      ## Format: channels.{alias}
      channels:
        'default':
          # -- Slack channel name without '#' prefix where you have added Botkube and want to receive notifications in.
          name: 'test-platform-alerts'
          bindings:
            # -- Executors configuration for a given channel.
            executors:
              - kubectl-read-only
              - helm
            # -- Notification sources configuration for a given channel.
            sources:
              - k8s-err-events
              - k8s-recommendation-events
      # -- Slack bot token for your own Slack app.
      # [Ref doc](https://api.slack.com/authentication/token-types).
      botToken: 'token'
      # -- Slack app-level token for your own Slack app.
      # [Ref doc](https://api.slack.com/authentication/token-types).
      appToken: 'token'
      notification:
        # -- Configures notification type that are sent. Possible values: `short`, `long`.
        type: short
    ## Settings for Mattermost.
    mattermost:
      # -- If true, enables Mattermost bot.
      enabled: false
      # -- User in Mattermost which belongs the specified Personal Access token.
      botName: 'Botkube'
      # -- The URL (including http/https schema) where Mattermost is running. e.g https://example.com:9243
      url: 'MATTERMOST_SERVER_URL'
      # -- Personal Access token generated by Botkube user.
      token: 'MATTERMOST_TOKEN'
      # -- The Mattermost Team name where Botkube is added.
      team: 'MATTERMOST_TEAM'
      # -- Map of configured channels. The property name under `channels` object is an alias for a given configuration.
      #
      ## Format: channels.{alias}
      channels:
        'default':
          # -- The Mattermost channel name for receiving Botkube alerts.
          # The Botkube user needs to be added to it.
          name: 'MATTERMOST_CHANNEL'
          notification:
            # -- If true, the notifications are not sent to the channel. They can be enabled with `@Botkube` command anytime.
            disabled: false
          bindings:
            # -- Executors configuration for a given channel.
            executors:
              - kubectl-read-only
              - helm
            # -- Notification sources configuration for a given channel.
            sources:
              - k8s-err-events
              - k8s-recommendation-events
      notification:
        # -- Configures notification type that are sent. Possible values: `short`, `long`.
        type: short

    ## Settings for MS Teams.
    teams:
      # -- If true, enables MS Teams bot.
      enabled: false
      # -- The Bot name set while registering Bot to MS Teams.
      botName: 'Botkube'
      # -- The Botkube application ID generated while registering Bot to MS Teams.
      appID: 'APPLICATION_ID'
      # -- The Botkube application password generated while registering Bot to MS Teams.
      appPassword: 'APPLICATION_PASSWORD'
      bindings:
        # -- Executor bindings apply to all MS Teams channels where Botkube has access to.
        executors:
          - kubectl-read-only
          - helm
        # -- Source bindings apply to all channels which have notification turned on with `@Botkube enable notifications` command.
        sources:
          - k8s-err-events
          - k8s-recommendation-events
      # -- The path in endpoint URL provided while registering Botkube to MS Teams.
      messagePath: "/bots/teams"
      # -- The Service port for bot endpoint on Botkube container.
      port: 3978

    ## Settings for Discord.
    discord:
      # -- If true, enables Discord bot.
      enabled: false
      # -- Botkube Bot Token.
      token: 'DISCORD_TOKEN'
      # -- Botkube Application Client ID.
      botID: 'DISCORD_BOT_ID'
      # -- Map of configured channels. The property name under `channels` object is an alias for a given configuration.
      #
      ## Format: channels.{alias}
      channels:
        'default':
          # -- Discord channel ID for receiving Botkube alerts.
          # The Botkube user needs to be added to it.
          id: 'DISCORD_CHANNEL_ID'
          notification:
            # -- If true, the notifications are not sent to the channel. They can be enabled with `@Botkube` command anytime.
            disabled: false
          bindings:
            # -- Executors configuration for a given channel.
            executors:
              - kubectl-read-only
              - helm
            # -- Notification sources configuration for a given channel.
            sources:
              - k8s-err-events
              - k8s-recommendation-events
      notification:
        # -- Configures notification type that are sent. Possible values: `short`, `long`.
        type: short

    ## Settings for Elasticsearch.
    elasticsearch:
      # -- If true, enables Elasticsearch.
      enabled: false
      awsSigning:
        # -- If true, enables awsSigning using IAM for Elasticsearch hosted on AWS. Make sure AWS environment variables are set.
        # [Ref doc](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html).
        enabled: false
        # -- AWS region where Elasticsearch is deployed.
        awsRegion: "us-east-1"
        # -- AWS IAM Role arn to assume for credentials, use this only if you don't want to use the EC2 instance role or not running on AWS instance.
        roleArn: ""
      # -- The server URL, e.g https://example.com:9243
      server: 'ELASTICSEARCH_ADDRESS'
      # -- Basic Auth username.
      username: 'ELASTICSEARCH_USERNAME'
      # -- Basic Auth password.
      password: 'ELASTICSEARCH_PASSWORD'
      # -- If true, skips the verification of TLS certificate of the Elastic nodes.
      # It's useful for clusters with self-signed certificates.
      skipTLSVerify: false
      # -- Map of configured indices. The `indices` property name is an alias for a given configuration.
      #
      ## Format: indices.{alias}
      indices:
        'default':
          # -- Configures Elasticsearch index settings.
          name: botkube
          type: botkube-event
          shards: 1
          replicas: 0
          bindings:
            # -- Notification sources configuration for a given index.
            sources:
              - k8s-err-events
              - k8s-recommendation-events

    ## Settings for Webhook.
    webhook:
      # -- If true, enables Webhook.
      enabled: false
      # -- The Webhook URL, e.g.: https://example.com:80
      url: 'WEBHOOK_URL'
      bindings:
        # -- Notification sources configuration for the webhook.
        sources:
          - k8s-err-events
          - k8s-recommendation-events

    # -- Settings for deprecated Slack integration.
    # **DEPRECATED:** Legacy Slack integration has been deprecated and removed from the Slack App Directory.
    # Use `socketSlack` instead. Read more here: https://docs.botkube.io/installation/slack/
    #
    # @default -- See the `values.yaml` file for full object.
    ## This object will be removed as a part of https://github.com/kubeshop/botkube/issues/865.
    slack:
      enabled: false
      channels:
        'default':
          name: 'SLACK_CHANNEL'
          notification:
            disabled: false
          bindings:
            executors:
              - kubectl-read-only
              - helm
            sources:
              - k8s-err-events
              - k8s-recommendation-events
      token: ''
      notification:
        type: short

## Global Botkube configuration.
settings:
  # -- Cluster name to differentiate incoming messages.
  clusterName: my-restricted-cluster

  # -- Server configuration which exposes functionality related to the app lifecycle.
  lifecycleServer:
    enabled: true
    port: 2113
  healthPort: 2114
  # -- If true, notifies about new Botkube releases.
  upgradeNotifier: true
  ## Botkube logging settings.
  log:
    # -- Sets one of the log levels. Allowed values: `info`, `warn`, `debug`, `error`, `fatal`, `panic`.
    level: info
    # -- If true, disable ANSI colors in logging.
    disableColors: false

  # -- Botkube's system ConfigMap where internal data is stored.
  systemConfigMap:
    name: botkube-system

  # -- Persistent config contains ConfigMap where persisted configuration is stored.
  # The persistent configuration is evaluated from both chart upgrade and Botkube commands used in runtime.
  persistentConfig:
    startup:
      configMap:
        name: botkube-startup-config
        annotations: {}
      fileName: "_startup_state.yaml"
    runtime:
      configMap:
        name: botkube-runtime-config
        annotations: {}
      fileName: "_runtime_state.yaml"

## For using custom SSL certificates.
ssl:
  # -- If true, specify cert path in `config.ssl.cert` property or K8s Secret in `config.ssl.existingSecretName`.
  enabled: false

  # -- Using existing SSL Secret. It MUST be in `botkube` Namespace.
  ## Secret format:
  ##  data:
  ##    config: {base64_encoded_kubeconfig}
  existingSecretName: ""

  # -- SSL Certificate file e.g certs/my-cert.crt.
  cert: ""

# -- Configures Service settings for ServiceMonitor CR.
service:
  name: metrics
  port: 2112
  targetPort: 2112

# -- Configures Ingress settings that exposes MS Teams endpoint.
# [Ref doc](https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource).
ingress:
  create: false
  annotations:
    kubernetes.io/ingress.class: nginx
  host: 'HOST'
  tls:
    enabled: false
    secretName: ''

# -- Configures ServiceMonitor settings.
# [Ref doc](https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#servicemonitor).
serviceMonitor:
  enabled: false
  interval: 10s
  path: /metrics
  port: metrics
  labels: {}

## Botkube Deployment.
deployment:
  # -- Extra annotations to pass to the Botkube Deployment.
  annotations: {}

# -- Number of Botkube pods to load balance between.
# Currently, Botkube doesn't support HA.
# @ignore
replicaCount: 1
# -- Extra annotations to pass to the Botkube Pod.
extraAnnotations: {}
# -- Extra labels to pass to the Botkube Pod.
extraLabels: {}
# -- Priority class name for the Botkube Pod.
priorityClassName: ""

# -- Fully override "botkube.name" template.
nameOverride: ""
# -- Fully override "botkube.fullname" template.
fullnameOverride: ""

# -- The Botkube Pod resource request and limits. We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube.
# [Ref docs](https://kubernetes.io/docs/user-guide/compute-resources/)
resources: {}
  ## If you do want to specify resources, uncomment the following lines,
  ## adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #  cpu: 100m
  #  memory: 128Mi
  # requests:
  #  cpu: 100m
  #  memory: 128Mi

# -- Extra environment variables to pass to the Botkube container.
# [Ref docs](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables).
extraEnv: []
#  - name: {key}
#    valueFrom:
#      configMapKeyRef:
#        name: configmap-name
#        key: value_key
#  - name: {key}
#    value: value


# -- Extra volumes to pass to the Botkube container. Mount it later with extraVolumeMounts.
# [Ref docs](https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/volume/#Volume).
extraVolumes: []
# - name: extra-volume-0
#   secret:
#     secretName: {secret-name}
#
## For CSI e.g. Vault:
# - name: secrets-store-inline
#   csi:
#     driver: secrets-store.csi.k8s.io
#     readOnly: true
#     volumeAttributes:
#       secretProviderClass: "vault-database"

# -- Extra volume mounts to pass to the Botkube container.
# [Ref docs](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1).
extraVolumeMounts: []
# - name: extra-volume-0
#   mountPath: /mnt/volume0
#   readOnly: true
# - name: extra-volume-1
#   mountPath: /mnt/volume1
#   readOnly: true
# - name: secret-files
#   mountPath: /etc/secrets
#   subPath: ""
#
## For CSI e.g. Vault:
# - name: secrets-store-inline
#   mountPath: "/mnt/secrets-store"
#   readOnly: true

# -- Node labels for Botkube Pod assignment.
# [Ref doc](https://kubernetes.io/docs/user-guide/node-selection/).
nodeSelector: {}

# -- Tolerations for Botkube Pod assignment.
# [Ref doc](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/).
tolerations: []

# -- Affinity for Botkube Pod assignment.
# [Ref doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity).
affinity: {}

# -- Role Based Access for Botkube Pod.
# [Ref doc](https://kubernetes.io/docs/admin/authorization/rbac/).
rbac:
  create: false
  rules:
    - apiGroups: ["*"]
      resources: ["*"]
      verbs: ["get", "watch", "list"]

serviceAccount:
  # -- If true, a ServiceAccount is automatically created.
  create: false
  # -- The name of the service account to use.
  # If not set, a name is generated using the fullname template.
  name: "my-namespace"
  # -- Extra annotations for the ServiceAccount.
  annotations: {}

# -- Extra Kubernetes resources to create. Helm templating is allowed as it is evaluated before creating the resources.
extraObjects: []
## For example, to create a ClusterRoleBinding resource without creating a dedicated ClusterRole, uncomment the following snippet.
## NOTE: While running Helm install/upgrade with this sample snippet uncommented, make sure to set the following values:
##    1. `rbac.create: false`
##    2.`extraClusterRoleName: {clusterRole}`, where {clusterRole} is a given ClusterRole name (e.g. `cluster-admin`).
#
#    - apiVersion: rbac.authorization.k8s.io/v1
#      kind: ClusterRoleBinding
#      metadata:
#        name: "{{ include \"botkube.fullname\" . }}-clusterrolebinding"
#        labels:
#          app.kubernetes.io/name: "{{ include \"botkube.name\" . }}"
#          helm.sh/chart: "{{ include \"botkube.chart\" . }}"
#          app.kubernetes.io/instance: "{{ .Release.Name }}"
#          app.kubernetes.io/managed-by: "{{ .Release.Service }}"
#      roleRef:
#        apiGroup: rbac.authorization.k8s.io
#        kind: ClusterRole
#        name: "{{ .Values.extraClusterRoleName }}"
#      subjects:
#      - kind: ServiceAccount
#        name: "{{ include \"botkube.serviceAccountName\" . }}"
#        namespace: "{{ .Release.Namespace }}"

## Parameters for anonymous analytics collection.
analytics:
  # -- If true, sending anonymous analytics is disabled. To learn what date we collect,
  # see [Privacy Policy](https://docs.botkube.io/privacy#privacy-policy).
  disable: false

## Parameters for the config watcher container.
configWatcher:
  # -- If true, restarts the Botkube Pod on config changes.
  enabled: true
  # -- Directory, where watched configuration resources are stored.
  tmpDir: "/tmp/watched-cfg/"
  # -- Timeout for the initial Config Watcher sync.
  # If set to 0, waiting for Config Watcher sync will be skipped. In a result, configuration changes may not reload Botkube app during the first few seconds after Botkube startup.
  initialSyncTimeout: 0
  image:
    # -- Config watcher image registry.
    registry: ghcr.io
    # -- Config watcher image repository.
    repository: kubeshop/k8s-sidecar # kiwigrid/k8s-sidecar:1.19.5 - see https://github.com/kubeshop/k8s-sidecar/pull/1
    # -- Config watcher image tag.
    tag: ignore-initial-events
    # -- Config watcher image pull policy.
    pullPolicy: IfNotPresent

# -- Configuration for Botkube executors and sources plugins.
plugins:
  # -- Directory, where downloaded plugins are cached.
  cacheDir: "/tmp"
  # -- List of plugins repositories.
  repositories:
    # -- This repository serves officially supported Botkube plugins.
    botkube:
      url: https://github.com/kubeshop/botkube/releases/download/v9.99.9-dev/plugins-index.yaml

# -- Configuration for remote Botkube settings
config:
  # -- Base provider definition
  provider:
    # -- Unique identifier for remote Botkube settings
    identifier: ""
    # -- Endpoint to fetch Botkube settings from
    endpoint: ""`

The text was updated successfully, but these errors were encountered:

mo-silent · 2023-05-30T03:12:39Z

Hi @gauravwadghule，
I have encountered the same error message ("User 'botkube-internal-static-user' cannot list resource 'pods' in API group '' at the cluster scope logger=stderr plugin=botkube/kubernetes") while using BotKube version 1.0.1. By default, if RBAC users are not configured but RBAC groups are, BotKube 1.0.1 will use the "botkube-internal-static-user" to identify cluster permissions. However, this error should not affect the custom configuration in the local_config.yaml file.

The code for the "generateUserSubject" method can be found in the "kubeconfig.go" file within the "internal/plugin" directory.

func generateUserSubject(rbac config.UserPolicySubject, group config.GroupPolicySubject, input KubeConfigInput) (user string) {
	switch rbac.Type {
	case config.StaticPolicySubjectType:
		user = rbac.Prefix + rbac.Static.Value
	case config.ChannelNamePolicySubjectType:
		user = rbac.Prefix + input.Channel
	default:
		if group.Type != config.EmptyPolicySubjectType {
			user = "botkube-internal-static-user"
		}
	}
	return
}

After examining the value.yaml file that you provided, I noticed that both the "kubectl-read-only" and "helm" executors were not enabled by default. Therefore, it is likely that this error is a runtime error. To address this issue, you may refer to the documentation at https://docs.botkube.io/configuration/rbac/ for guidance on configuring RBAC.

Below is my local_config.yaml and RBAC YAML:

local_config.yaml

executors:
  "kubectl-write":
    botkube/kubectl@v1:
      enabled: true
      context:
        rbac:
          user:
            type: Static
            static:
              value: kubectl-read-only
communications:
  default-group:
    socketSlack:
      enabled: true
      channels:
        default:
          name: kubectl-read-only
          bindings:
            executors:
              - kubectl-write
      appToken: "xapp-1-A326"
      botToken: "xoxb-1FB"
configWatcher:
  enabled: false
settings:
  clusterName: "labs"
analytics:
  # -- If true, sending anonymous analytics is disabled. To learn what date we collect,
  # see [Privacy Policy](https://botkube.io/privacy#privacy-policy).
  disable: true

rbac.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubectl-read-only
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubectl-read-only
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubectl-read-only
subjects:
  - kind: User
    name: kubectl-read-only
    apiGroup: rbac.authorization.k8s.io

I hope this helps resolve your issue.

gauravwadghule added the bug Something isn't working label Feb 10, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Installing botkube with restricted cluster #977

Installing botkube with restricted cluster #977

gauravwadghule commented Feb 10, 2023 •

edited

mo-silent commented May 30, 2023

Installing botkube with restricted cluster #977

Installing botkube with restricted cluster #977

Comments

gauravwadghule commented Feb 10, 2023 • edited

Description

Steps to reproduce

mo-silent commented May 30, 2023

local_config.yaml

rbac.yaml

gauravwadghule commented Feb 10, 2023 •

edited