Make allowed kubectl commands configurable #284

Merged
merged 7 commits into from
Jun 21, 2020

girishg4t
Contributor

ISSUE TYPE
  • Feature Pull Request
SUMMARY

Added configuration in resource_config.yaml for limiting kubectl commands as per the discussion given in ticket 183

The configuration added is used in slack.go and mattermost.go to pass it to executor.go and used to limit the commands execution

Fixes #183

@girishg4t girishg4t requested a review from PrasadG193 May 30, 2020 11:21
@PrasadG193
Collaborator

@girishg4t could you please resolve the errors in CI build?

@girishg4t
Contributor Author

@PrasadG193 fixed the issue in test case

@@ -207,6 +207,13 @@ settings:
kubectl:
# Set true to enable kubectl commands execution
enabled: true
# List of allowed commands
Collaborator

extra leading space?

Suggested change
# List of allowed commands
# List of allowed commands

# List of allowed commands
commands:
# method which are allowed
verbs: ["api-resources","api-versions","cluster-info","describe","diff","explain","get","logs","top","auth"]
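
Review bot: the default `verbs` list on the last line of this hunk includes "auth", which is not purely read-only: `kubectl auth reconcile` creates and updates RBAC objects, so under the default config anyone who can message the bot can reach it, limited only by the bot's service-account permissions. Suggest dropping "auth" from the default list and letting operators opt in. The comment "# method which are allowed" would also read better as "# verbs which are allowed", matching the key it documents.
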
Collaborator

Suggested change
verbs: ["api-resources","api-versions","cluster-info","describe","diff","explain","get","logs","top","auth"]
verbs: ["api-resources", "api-versions", "cluster-info", "describe", "diff", "explain", "get", "logs", "top", "auth"]

@PrasadG193
Collaborator

@girishg4t We should also allow if someone uses singular resource name - like @BotKube get pod

@girishg4t
Contributor Author

@PrasadG193 I have made the changes as per review comments, please check

@girishg4t girishg4t requested a review from PrasadG193 June 3, 2020 09:21
@PrasadG193
Collaborator

@girishg4t This is yet to be resolved #284 (comment)

@girishg4t
Contributor Author

> @girishg4t This is yet to be resolved #284 (comment)

@PrasadG193 is this not the one?
af7dd4e

@PrasadG193
Collaborator

If user configured access with -

    commands:
      # method which are allowed
      verbs: ["get"]
      # resource configuration which is allowed
      resources: ["deployments"]

Will they be able to execute `@BotKube get deploy` or `@BotKube get deployment`? I don't think so.
I think what we should do is, we should execute `kubectl api-resources` (which includes the singular name as well as the short names for the resources, https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#APIResource) during init() and store the response. Then for every user's command, get the resource name from the short name, if passed, from that list. We can use Discovery APIs to get the resource list - https://godoc.org/k8s.io/client-go/discovery#ServerGroupsAndResources
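
The alias resolution proposed in the comment above, sketched as an added example (not code from this PR or from BotKube): every plural, singular and short name from discovery is indexed to its plural name, and a command passes only if its verb and the resolved resource are both on the allowlist. The `apiResource` type, the function names and the sample data are assumptions made for the example; `apiResource` stands in for the `Name`, `SingularName` and `ShortNames` fields of `metav1.APIResource`.

```go
package main

import (
	"fmt"
	"strings"
)

// apiResource: stand-in for the metav1.APIResource fields used (assumption: stdlib-only build).
type apiResource struct {
	Name, SingularName string
	ShortNames         []string
}

// buildAliasIndex maps each plural, singular and short name to the plural name.
func buildAliasIndex(list []apiResource) map[string]string {
	idx := map[string]string{}
	for _, r := range list {
		for _, alias := range append([]string{r.Name, r.SingularName}, r.ShortNames...) {
			// skip empty singular names and subresources such as "pods/log"
			if alias != "" && !strings.Contains(alias, "/") {
				idx[alias] = r.Name
			}
		}
	}
	return idx
}

// isAllowed assumes args[0] is the verb and args[1] the resource type, written as
// "deploy", "deploy/web" or "deploy,svc". Anything it cannot resolve is denied.
func isAllowed(args []string, verbs, resources map[string]bool, idx map[string]string) bool {
	if len(args) < 2 || !verbs[args[0]] {
		return false
	}
	for _, part := range strings.Split(args[1], ",") {
		kind := strings.SplitN(part, "/", 2)[0]
		if plural, ok := idx[kind]; !ok || !resources[plural] {
			return false
		}
	}
	return true
}

func main() {
	idx := buildAliasIndex([]apiResource{{"deployments", "deployment", []string{"deploy"}}, {"secrets", "secret", nil}}) // constructed sample
	verbs, res := map[string]bool{"get": true}, map[string]bool{"deployments": true}
	for _, c := range []string{"get deploy", "get deployment/web", "get deploy,secrets"} {
		fmt.Println(c, "->", isAllowed(strings.Fields(c), verbs, res, idx))
	}
}
```

Resolving to the plural name before the allowlist check keeps the comparison fail-closed: a token that discovery does not know, including a flag in the resource position, is rejected instead of being passed through to kubectl.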

@PrasadG193 PrasadG193 force-pushed the enhancement/limitKubectl branch from af7dd4e to f9ac20c Compare June 21, 2020 10:12
@PrasadG193
Collaborator

@girishg4t [minor] ideally the PR heading should be a one-liner summary of what you have done. It should inform the reader what the PR is about. Please follow this while creating a PR next time 🙂

@PrasadG193
Collaborator

@girishg4t I've done a few changes as per the discussion. Going to merge once CI passes. PTAL

@PrasadG193 PrasadG193 changed the title done enhancement of git issue 183 Make allowed kubectl commands configurable Jun 21, 2020
Signed-off-by: Prasad Ghangal <prasad.ghangal@gmail.com>
@PrasadG193 PrasadG193 force-pushed the enhancement/limitKubectl branch from 1e858a2 to 8ef642d Compare June 21, 2020 10:36
@mergify mergify bot merged commit 51f0f3d into develop Jun 21, 2020
@PrasadG193 PrasadG193 deleted the enhancement/limitKubectl branch June 21, 2020 16:03