Limit kubectl commands #183

Closed
IngussNeilands opened this issue Sep 25, 2019 · 8 comments · Fixed by #284
Labels
enhancement New feature or request

Comments

@IngussNeilands

I would like to suggest adding an option to limit specific kubectl commands.

For example, I would like to disable the `describe secret` command, because it could reveal some sensitive data.

@IngussNeilands IngussNeilands added the enhancement New feature or request label Sep 25, 2019
@PrasadG193
Collaborator

@IngussNeilands we can restrict BotKube to access only specific resources by adding rules to the ClusterRole which is used by the botkube-sa service account
https://github.com/infracloudio/botkube/blob/develop/helm/botkube/templates/clusterrole.yaml

@PrasadG193
Collaborator

We are also adding support to restrict command execution from a configured channel only #235

@cookandy

cookandy commented Feb 5, 2020

Would it also be possible to restrict who can run kubectl commands by Slack username?

@fliphess

fliphess commented Feb 27, 2020

Using `@botkube get secret <someverysecretsecret> -o yaml` will result in a data leak. I'd love to use `get pods` and `get ns` etc., but prefer to keep my passwords out of Slack :)

@girishg4t girishg4t self-assigned this May 26, 2020
@girishg4t
Contributor

@PrasadG193 I can take a look at this

@PrasadG193
Collaborator

@girishg4t let's finalize the BotKube configuration format before you start

@PrasadG193
Collaborator

The straightforward way would be to add one more section in the settings.kubectl section in the resource configuration. Something like:

```yaml
settings:
  kubectl:
    # Set true to enable kubectl commands execution
    enabled: true
    # List of allowed commands
    commands:
      # Methods which are allowed
      verbs: ["get", "logs"]
      # resource configuration which is allowed
      resources: ["deployments", "pods"]
```
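
An added example, not part of the thread and not BotKube's own code: one way an executor could enforce the allow list proposed above, in Go. The `Policy` type, the `aliases` table and the `Allowed` function are hypothetical names, and the sample commands are constructed. A flag value that precedes the resource is treated as the resource, so such commands fail closed.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy mirrors the proposed settings.kubectl section (hypothetical type).
type Policy struct {
	Enabled          bool
	Verbs, Resources map[string]bool
}

// aliases: constructed, incomplete alias table; unknown names are denied, never guessed.
var aliases = map[string]string{"pod": "pods", "po": "pods",
	"deployment": "deployments", "deploy": "deployments"}

// Allowed reports whether cmd (the text after the bot mention) may run.
func (p Policy) Allowed(cmd string) bool {
	args := strings.Fields(cmd)
	if !p.Enabled || len(args) == 0 || !p.Verbs[args[0]] {
		return false
	}
	if args[0] == "logs" { // logs takes a pod name, so gate it on "pods"
		return p.Resources["pods"]
	}
	for _, a := range args[1:] {
		if strings.HasPrefix(a, "-") {
			continue // skip flags; a flag value seen first is denied below
		}
		// "pods,secrets" and "pod/name": every listed type must be allowed.
		for _, r := range strings.Split(a, ",") {
			r = strings.ToLower(strings.SplitN(r, "/", 2)[0])
			if full, ok := aliases[r]; ok {
				r = full
			}
			if !p.Resources[r] {
				return false
			}
		}
		return true
	}
	return false // verb without a resource argument
}

func main() { // constructed sample commands against the config proposed above
	p := Policy{true, map[string]bool{"get": true, "logs": true},
		map[string]bool{"deployments": true, "pods": true}}
	fmt.Println(p.Allowed("get pods"), p.Allowed("get secret db -o yaml"), p.Allowed("get pods,secrets"))
}
```

An allow list of this kind only filters what the bot accepts from chat; the ClusterRole bound to the bot's service account still decides what the API server will return.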

@PrasadG193
Collaborator

@girishg4t let me know what you think

@mergify mergify bot closed this as completed in #284 Jun 21, 2020
mergify bot pushed a commit that referenced this issue Jun 21, 2020
##### ISSUE TYPE
<!--- Pick one below and delete the rest: -->
 - Feature Pull Request

##### SUMMARY
Added configuration in resource_config.yaml for limiting kubectl commands as per the discussion given in ticket 183

The configuration added is used in slack.go and mattermost.go to pass it to executor.go and used to limit command execution

Fixes #183
5 participants