RBAC
Botkube allows users to restrict plugins by defining RBAC rules as part of plugin configuration.
Based on this configuration Botkube generates a temporary kubeconfig file with user/group impersonation.
This kubeconfig is available to plugins in the Execute and Stream contexts. If you're a plugin developer and want to learn more, refer to Plugin Development docs.
kubeconfig files are generated on-demand. Plugins have to define an rbac section in the configuration to enable
kubeconfig generation.
Architecture
Botkube uses its own cluster credentials to generate a temporary kubeconfig, and the temporary kubeconfig only impersonates the requested user/group.
For source plugins, the kubeconfig is generated once - during plugin startup. For executor plugins, the kubeconfig is generated every time a command is sent to the plugin, which allows for greater flexibility, such as including the name of the channel the command was sent from in the kubeconfig generation.
Configuration
Each executor and source plugin can provide a context section with rbac config.
This config is used to generate a dedicated kube config.
Supported mapping:
- Static mapping - user or group impersonation, always the same subject for given plugin
- Channel mapping - name of the channel is used as subject for group impersonation, only available for executor plugins
Automated actions only support Static mapping.
Example - kubectl executor with read-only RBAC
In this example a single executor plugin is defined with static RBAC that maps to user kubectl-read-only.
- ClusterRole and ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubectl-read-only
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubectl-read-only
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubectl-read-only
subjects:
- kind: User
name: kubectl-read-only
apiGroup: rbac.authorization.k8s.io
Here we define a plugin with Static mapping to User.rbac.authorization.k8s.io kubectl-read-only.
- Executor definition with RBAC
executors:
"kubectl-read-only":
botkube/kubectl@v1:
enabled: true
context:
rbac:
user:
type: Static
static:
value: kubectl-read-only
When this executor plugin is invoked, a kubeconfig impersonating user kubectl-read-only is generated by Botkube
and passed to the plugin. The plugin then can authenticate with the API server with identity of user kubectl-read-only.
Example: Kubernetes source plugin with static mapping
In this example a single source plugin is defined with static RBAC that maps to user kubernetes-read-only.
- Botkube config:
sources:
"kubernetes":
botkube/kubernetes@v1:
context:
rbac:
user:
type: Static
static:
value: kubernetes-read-only
- Kubernetes RBAC
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: reader
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: reader
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: reader
subjects:
- kind: User
name: kubernetes-read-only
apiGroup: rbac.authorization.k8s.io
Example: kubectl executor plugin with channel name mapping
In this example kubectl executor plugin is configured with channel name mapping and bound to two channels,
ch-1 and ch-2.
In Kubernetes RBAC Group ch-1 is given write access, while Group ch-2 is given only read access.
Therefore users in channel ch-2 cannot create/update/delete resources, while users in ch-1 can.
- Botkube config:
executors:
"kubectl":
botkube/kubectl@v1:
context:
rbac:
group:
type: ChannelName
communications:
"default-group":
socketSlack:
channels:
"ch-1":
name: ch-1
bindings:
executors:
- kubectl
"ch-2":
name: ch-2
bindings:
executors:
- kubectl
- Kubernetes RBAC
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: editor
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: editor
subjects:
- kind: Group
name: ch-1
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: editor
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["get", "watch", "list", "update", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: read-only
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: read-only
subjects:
- kind: Group
name: ch-2
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: read-only
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["get", "watch", "list"]
You can use extraObjects section in helm values.yaml for the ClusterRoles and ClusterRoleBindings.
Limitations
Shared file system
Botkube executes plugin in the same pod and container - plugins share resources. If you're a plugin developer and decide to write kubeconfig to the file system, be aware that it will be accessible by all plugins in the container.
Merging of RBAC config
Plugins of the same type but with unique RBAC config cannot be bound to the same channel.
Troubleshooting
In most cases troubleshooting Botkube RBAC issues means troubleshooting Kubernetes RBAC - kubectl auth can help.
- Forbidden
Error: create: failed to create: secrets is forbidden: User "botkube-internal-static-user" cannot create resource "secrets" in API group "" in the namespace "default"
To see what the a user/group can do, use:
$ kubectl auth can-i --list
To see if user/group can do:
$ kubectl auth can-i get pod -n botkube --as user-1 --as-group group-1