Installing botkube with restricted cluster #977
Comments
Hi @gauravwadghule, the code for the "generateUserSubject" method can be found in the "kubeconfig.go" file within the "internal/plugin" directory.

```go
func generateUserSubject(rbac config.UserPolicySubject, group config.GroupPolicySubject, input KubeConfigInput) (user string) {
	switch rbac.Type {
	case config.StaticPolicySubjectType:
		user = rbac.Prefix + rbac.Static.Value
	case config.ChannelNamePolicySubjectType:
		user = rbac.Prefix + input.Channel
	default:
		if group.Type != config.EmptyPolicySubjectType {
			user = "botkube-internal-static-user"
		}
	}
	return
}
```

After examining the value.yaml file that you provided, I noticed that both the "kubectl-read-only" and "helm" executors were not enabled by default. Therefore, it is likely that this error is a runtime error. To address this issue, you may refer to the documentation at https://docs.botkube.io/configuration/rbac/ for guidance on configuring RBAC. Below is my local_config.yaml and RBAC YAML:

local_config.yaml

```yaml
executors:
  "kubectl-write":
    botkube/kubectl@v1:
      enabled: true
      context:
        rbac:
          user:
            type: Static
            static:
              value: kubectl-read-only
communications:
  default-group:
    socketSlack:
      enabled: true
      channels:
        default:
          name: kubectl-read-only
          bindings:
            executors:
              - kubectl-write
      appToken: "xapp-1-A326"
      botToken: "xoxb-1FB"
configWatcher:
  enabled: false
settings:
  clusterName: "labs"
analytics:
  # -- If true, sending anonymous analytics is disabled. To learn what data we collect,
  # see [Privacy Policy](https://botkube.io/privacy#privacy-policy).
  disable: true
```

rbac.yaml

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubectl-read-only
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubectl-read-only
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubectl-read-only
subjects:
  - kind: User
    name: kubectl-read-only
    apiGroup: rbac.authorization.k8s.io
```

I hope this helps resolve your issue.
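An added example, not part of the comment above and not Botkube's or Kubernetes' own code: a simplified Go model of how RBAC evaluation treats the ClusterRole and ClusterRoleBinding posted above for the Static subject `kubectl-read-only`. The names `Rule`, `Binding`, `Allowed` and `PageBindings` are hypothetical; `resourceNames`, non-resource URLs and namespaced bindings are not modelled.

```go
package main

import "fmt"

// Rule mirrors the apiGroups/resources/verbs fields of an RBAC policy rule.
type Rule struct{ Groups, Resources, Verbs []string }

// Binding pairs a subject of kind User with the rules of the role it is bound to.
type Binding struct {
	User  string
	Rules []Rule
}

// has reports whether list contains want or the "*" wildcard.
func has(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// Allowed models RBAC as purely additive: a request passes if any rule bound
// to the exact user name matches its group, resource and verb.
func Allowed(bs []Binding, user, verb, group, resource string) bool {
	for _, b := range bs {
		for _, r := range b.Rules {
			if b.User == user && has(r.Groups, group) && has(r.Resources, resource) && has(r.Verbs, verb) {
				return true
			}
		}
	}
	return false
}

// PageBindings reproduces the ClusterRole and ClusterRoleBinding from the comment above.
func PageBindings() []Binding {
	return []Binding{{User: "kubectl-read-only", Rules: []Rule{
		{Groups: []string{"*"}, Resources: []string{"*"}, Verbs: []string{"get", "watch", "list"}},
	}}}
}

func main() {
	prefix, value := "", "kubectl-read-only" // Static subject: rbac.Prefix + rbac.Static.Value
	for _, q := range [][2]string{{"list", "namespaces"}, {"get", "secrets"}, {"delete", "pods"}} {
		fmt.Println(q[0], q[1], Allowed(PageBindings(), prefix+value, q[0], "", q[1]))
	}
}
```

Because the rule uses wildcards and is bound cluster-wide, `get` on `secrets` passes as well, so this read-only user can read Secrets in every namespace. A subject name that differs from the binding (for example through a non-empty prefix) matches nothing.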
Description
We are trying to install botkube in a restricted cluster where we only have access to a single namespace; we don't even have access to get namespaces.
We are getting the error below in the botkube pod:

```
cannot get resource "namespaces" in API group "" in the namespace "kube-system"
```
Steps to reproduce
values.yaml
```yaml
# Formatting rules:
#
# | Sign | Description |
# |------|--------------------------------------------------------------------------|
# | # -- | Comment is rendered into README.md. |
# | # | Only if defined after '# --' signifies the continuation of the sentence. |
# | ## | Comment is ignored during README.md rendering. |
#
# Read more at https://github.com/norwoodj/helm-docs
```