Adjust kubectl docs

docs/configuration/executor/helm.md

@@ -12,7 +12,7 @@ The Helm plugin is hosted by the official Botkube plugin repository. To enable t
 plugins:
   repositories:
     botkube:
-      url: https://github.com/kubeshop/botkube/releases/download/v0.17.0/plugins-index.yaml
+      url: https://github.com/kubeshop/botkube/releases/download/v0.18.0/plugins-index.yaml
 ```
 
 ## Enabling plugin

docs/configuration/executor/index.md

@@ -85,7 +85,7 @@ plugins:
   repositories:
     # This repository serves officially supported Botkube plugins.
     botkube:
-      url: https://github.com/kubeshop/botkube/releases/download/v9.99.9-dev/plugins-index.yaml
+      url: https://github.com/kubeshop/botkube/releases/download/v0.18.0/plugins-index.yaml
     # Other 3rd party repositories.
     repo-name:
       url: https://example.com/plugins-index.yaml

docs/configuration/executor/kubectl.md

@@ -4,20 +4,27 @@ title: Kubectl
 sidebar_position: 2
 ---
 
-The `kubectl` executor allows you to run the `kubectl` command directly in the chat window of each communication platform.
+The Botkube Kubectl executor plugin allows you to run the `kubectl` command directly in the chat window of each communication platform.
+
+The Kubectl plugin is hosted by the official Botkube plugin repository. To enable the Helm plugin, make sure that the `botkube` repository is defined under `plugins` in the [values.yaml](https://github.com/kubeshop/botkube/blob/main/helm/botkube/values.yaml) file.
+
+```yaml
+plugins:
+  repositories:
+    botkube:
+      url: https://github.com/kubeshop/botkube/releases/download/v0.19.0/plugins-index.yaml
+```
 
 ## Enabling plugin
 
-To enable `kubectl` executor, add `--set executors.{configuration-name}.kubectl.enabled: true` to a given Helm install command. By default, just the read-only `kubectl` commands are supported.
+To enable `kubectl` executor, add `--set 'executors.{configuration-name}.botkube/kubectl.enabled=true'` to a given Helm install command. By default, just the read-only `kubectl` commands are supported.
 
 You can change that by adjusting the `rbac` property in the [values.yaml](https://github.com/kubeshop/botkube/blob/main/helm/botkube/values.yaml) file or by using the `--set-json` flag, e.g.:
 
 ```bash
 --set-json 'rbac.rules=[{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get","watch","list","create","delete","update","patch"]}]'
 ```
 
-Additionally, you need to make sure that a given `verbs` and `resources` are allowed by a specific `kubectl` executor configuration.
-
 ## Syntax
 
 ```yaml
@@ -26,53 +33,42 @@ Additionally, you need to make sure that a given `verbs` and `resources` are all
 #
 # Format: executors.{alias}
 executors:
-  "kubectl-read-only":
+  "plugin-based":
     # Kubectl executor configuration.
     kubectl:
-      namespaces:
-        # Include contains a list of allowed Namespaces.
-        # It can also contain a regex expressions:
-        #  - ".*" - to specify all Namespaces.
-        include:
-          - ".*"
-        # Exclude contains a list of Namespaces to be ignored even if allowed by Include.
-        # It can also contain a regex expressions:
-        #  - "test-.*" - to specify all Namespaces with `test-` prefix.
-        #exclude: []
-      # If true, enables `kubectl` commands execution.
       enabled: false
-      # List of allowed `kubectl` commands.
-      commands:
-        # Configures which `kubectl` methods are allowed.
-        verbs:
-          ["api-resources", "api-versions", "cluster-info", "describe", "diff", "explain", "get", "logs", "top", "auth"]
-        # Configures which K8s resource are allowed.
-        resources:
-          ["deployments", "pods", "namespaces", "daemonsets", "statefulsets", "storageclasses", "nodes", "configmaps"]
-      # Configures the default Namespace for executing Botkube `kubectl` commands. If not set, uses 'default'.
-      defaultNamespace: default
-      # If true, enables commands execution from configured channel only.
-      restrictAccess: false
+      config:
+        # Configures the default Namespace for executing Botkube `kubectl` commands. If not set, uses the 'default'.
+        defaultNamespace: "default"
+        # Configures the interactive kubectl command builder.
+        interactiveBuilder:
+          allowed:
+            # Configures which K8s namespace are displayed in namespace dropdown.
+            # If not specified, plugin needs to have access to fetch all Namespaces, otherwise Namespace dropdown won't be visible at all.
+            namespaces: ["default"]
+            # Configures which `kubectl` methods are displayed in commands dropdown.
+            verbs: ["api-resources", "api-versions", "cluster-info", "describe", "explain", "get", "logs", "top"]
+            # Configures which K8s resource are displayed in resources dropdown.
+            resources:
+              [
+                "deployments",
+                "pods",
+                "namespaces",
+                "daemonsets",
+                "statefulsets",
+                "storageclasses",
+                "nodes",
+                "configmaps",
+                "services",
+                "ingresses",
+              ]
 ```
 
 The default configuration for Helm chart can be found in the [values.yaml](https://github.com/kubeshop/botkube/blob/main/helm/botkube/values.yaml) file.
 
 ## Merging strategy
 
-When executing a `kubectl` command, Botkube takes into account only bindings for a given execution Namespace. For example:
-
-- `@Botkube kubectl get po/botkube -n botkube` - collect `kubectl` executor bindings that include `botkube` or `*.` (all) Namespaces.
-- `@Botkube kubectl get po -A` - collect all `kubectl` executor bindings that include `*.` (all) Namespaces.
-- `@Botkube kubectl get po` - first, we resolve the execution Namespace. For that, we collect all enabled `kubectl` executor bindings and check the `defaultNamespace` property. If property is not define, we use the `default` Namespace. With resolved execution Namespace, we run the logic define in the first step.
-
-For all collected `kubectl` executors, we merge properties with the following strategy:
-
-- `commands.verbs` - append
-- `commands.resources` - append
-- `commands.defaultNamespace` - override
-- `commands.restrictAccess` - override
-
-The order of the binding list is important as it impacts properties that are overridden. The priority is given to the last binding specified on the list.
+For all collected `kubectl` executors bindings, configuration properties are overridden based on the order of the binding list. The priority is given to the last binding specified on the list. Empty properties are omitted.
 
 ### Example
 
@@ -87,51 +83,51 @@ communications:
           name: "random"
           bindings:
             executors:
-              - kubectl-pod
-              - kubectl-wait
-              - kubectl-all-ns
-              - kubectl-exec
+              - kubectl-one
+              - kubectl-two
+              - kubectl-three
 
 executors:
-  "kubectl-pod":
-    kubectl:
-      enabled: true
-      namespaces:
-        include: ["botkube", "default"]
-      commands:
-        verbs: ["get"]
-        resources: ["pods"]
-      restrictAccess: false
-  "kubectl-wait":
+  "kubectl-one":
     kubectl:
       enabled: true
-      namespaces:
-        include: ["botkube", "default"]
-      commands:
-        verbs: ["wait"]
-      restrictAccess: true
-  "kubectl-all-ns":
+      config:
+        defaultNamespace: "default"
+        interactiveBuilder:
+          allowed:
+            verbs: ["api-resources", "api-versions", "cluster-info", "describe", "explain", "get", "logs", "top"]
+            resources:
+              [
+                "deployments",
+                "pods",
+                "namespaces",
+                "daemonsets",
+                "statefulsets",
+                "storageclasses",
+                "nodes",
+                "configmaps",
+                "services",
+                "ingresses",
+              ]
+  "kubectl-two":
     kubectl:
       enabled: true
-      namespaces:
-        include:
-          - ".*"
-      commands:
-        verbs: ["get"]
-        resources: ["deployments"]
-  "kubectl-exec":
+      config:
+        interactiveBuilder:
+          allowed:
+            namespaces: ["default"]
+            verbs: ["api-resources", "top"]
+  "kubectl-three":
     kubectl:
       enabled: false
-      namespaces:
-        include: ["botkube", "default"]
-      commands:
-        verbs: ["exec"]
-      restrictAccess: false
+      config:
+        interactiveBuilder:
+          allowed:
+            namespaces: ["kube-system"]
 ```
 
 We can see that:
 
-- For `botkube` and `default` Namespaces, we can execute `get` and `wait` commands for Pods. This is the result of merging `kubectl-pod` and `kubectl-wait`.
-- For all Namespaces we can execute `get` for Deployments, as specified by `kubectl-all-ns`.
-- The `exec` command is not allowed as the `kubectl-exec` binding is disabled (`kubectl.enabled` is set to `false`).
-- The `kubectl` works in a restricted access because the `kubectl-wait` binding is the **last one** which is both enabled and sets the `restrictAccess` property to `true`.
+- Only the `default` namespace is displayed in the interactive command builder. This is a result of merging `kubectl-one` and `kubectl-two`. The `kubectl-three` binding is not take into account as it's disabled.
+- Only the `api-resources` and `top` verbs are displayed in the interactive command builder as they are overridden by the `kubectl-two`.
+- All resources defined in `kubectl-one` are displayed in the interactive command builder as other enabled bindings don't override this property.

docs/usage/executor/kubectl.md

@@ -27,12 +27,24 @@ You can also use any of the [configured aliases](../../configuration/alias.md) -
 
 ![kubectl command builder](./assets/kc-cmd-builder.gif)
 
-The following policies are applied:
+### Limitations
 
-- Verbs, resource types and namespace dropdowns are narrowed down to the `kubectl` permissions in a given channel,
-- The `kubectl` command preview is displayed only if the command that you built is valid,
-- For resources that are namespace-scoped, the Namespace defined in `executors.{alias}.kubectl.defaultNamespace` is used. If not set, the `default` Namespace is selected.
+Keep in mind that the interactive command builder may not support all the commands that you can run just by typing them directly in a chat window. The following policies are applied:
 
-:::info
-Actionable notifications are only available for the [Slack integration](docs/installation/slack/index.md) that supports interactive messages.
-:::
+- Under verbs' dropdown, we display verbs that are defined under the `interactiveBuilder.allowed.verbs` configuration.
+  :::tip
+  By default, the following verbs are allowed: `api-resources`, `api-versions`, `cluster-info`, `describe`, `explain`, `get`, `logs`, `top`.
+
+  If you ServiceAccount allow running other actions such as `delete`, you can add them directly under [`interactiveBuilder.allowed.verbs`](../../configuration/executor/kubectl.md#syntax).
+  :::
+
+- Under resources' dropdown, we display resources that are defined under the `interactiveBuilder.allowed.resources` configuration and are allowed for already selected verb. For example, for the `logs` verb we display only `pods`, `statefulsets`, `deployments`, and `daemonsets`.
+  :::tip
+  By default, the following resources are allowed: `deployments`, `pods`, `namespaces`, `daemonsets`, `statefulsets`, `storageclasses`, `nodes`, `configmaps`, `services`, `ingresses`.
+
+  If you ServiceAccount allow access to more resources, you can add them directly under [`interactiveBuilder.allowed.resources`](../../configuration/executor/kubectl.md#syntax).
+  :::
+
+- For resources that are namespace-scoped, under namespaces' dropdown, we display `interactiveBuilder.allowed.namespaces` if defined. If static namespaces are not specified, plugin needs to have access to fetch all Namespaces, otherwise Namespace dropdown won't be visible at all.
+
+- The `kubectl` command preview is displayed only if the command that you built is valid, and you have permission to run it.