Block actions with ChannelName executors #1065

Merged: 3 commits merged on May 16, 2023

@josefkarasek josefkarasek commented May 15, 2023

Description

Changes proposed in this pull request:

  • Block actions with ChannelName executors

Testing

Define an executor with ChannelName RBAC policy:

executors:
  k8s-default-tools:
    botkube/helm:
      enabled: true
      config:
        defaultNamespace: "default"
        helmDriver: "secret"
        helmConfigDir: "/tmp/helm/"
        helmCacheDir: "/tmp/helm/.cache"
      context: &default-plugin-context
        defaultNamespace: "default"
        rbac:
          group:
            type: ChannelName

actions:
  'describe-created-resource':
    enabled: true
    displayName: "Describe created resource"
    command: "kubectl describe {{ .Event.Kind | lower }}{{ if .Event.Namespace }} -n {{ .Event.Namespace }}{{ end }} {{ .Event.Name }}"
    bindings:
      sources:
        - k8s-create-events
      executors:
        - k8s-default-tools

Such an action config should be blocked by the config validator.

Related issue(s)

#1045

@josefkarasek josefkarasek requested a review from a team May 15, 2023 12:59
@josefkarasek josefkarasek requested a review from PrasadG193 as a code owner May 15, 2023 12:59
@josefkarasek josefkarasek requested a review from huseyinbabal May 15, 2023 12:59
@mszostok mszostok (Collaborator) left a comment

Overall LGTM but I will leave final testing and approving for selected reviewer 👍

pkg/config/validator.go (outdated, resolved)
Co-authored-by: Mateusz Szostok <[email protected]>
@josefkarasek (Author)

Example faulty actions:

2023/05/15 14:53:51 while merging app configuration: found critical validation errors: 4 errors occurred:
	* Key: 'Config.Actions[describe-created-resource].Bindings.k8s-default-tools' Plugin botkube/kubectl has 'ChannelName' RBAC policy. This is not supported for actions.
	* Key: 'Config.Actions[describe-created-resource].Bindings.k8s-default-tools' Plugin botkube/helm has 'ChannelName' RBAC policy. This is not supported for actions.
	* Key: 'Config.Actions[show-logs-on-error].Bindings.k8s-default-tools' Plugin botkube/kubectl has 'ChannelName' RBAC policy. This is not supported for actions.
	* Key: 'Config.Actions[show-logs-on-error].Bindings.k8s-default-tools' Plugin botkube/helm has 'ChannelName' RBAC policy. This is not supported for actions.
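
The check this PR describes, sketched as an added Go example (not the project's code in pkg/config/validator.go): every plugin in an executor bound to an action is inspected, and a ChannelName group mapping is reported in the message format shown in the log above. The Plugin and Config types, SampleConfig, the static-tools binding, and the choice to skip disabled plugins are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Hypothetical, simplified config model; Botkube's real structs differ.
type Plugin struct {
	Enabled   bool
	GroupType string // value of context.rbac.group.type
}
type Config struct {
	Executors map[string]map[string]Plugin // executor binding -> plugin name -> plugin
	Actions   map[string][]string          // action name -> bindings.executors
}

// ValidateActionRBAC reports every action bound to an enabled plugin whose RBAC
// group mapping is ChannelName. Skipping disabled plugins is an assumption.
func ValidateActionRBAC(cfg Config) []string {
	var errs []string
	for name, bindings := range cfg.Actions {
		for _, binding := range bindings {
			for pluginName, p := range cfg.Executors[binding] {
				if p.Enabled && p.GroupType == "ChannelName" {
					errs = append(errs, fmt.Sprintf("Key: 'Config.Actions[%s].Bindings.%s' Plugin %s has 'ChannelName' RBAC policy. This is not supported for actions.", name, binding, pluginName))
				}
			}
		}
	}
	sort.Strings(errs) // map iteration order is random; sort for stable output
	return errs
}

// SampleConfig is constructed input modelled on the config in the PR description.
func SampleConfig() Config {
	return Config{
		Executors: map[string]map[string]Plugin{
			"k8s-default-tools": {"botkube/helm": {true, "ChannelName"}, "botkube/kubectl": {true, "Static"}},
			"static-tools":      {"botkube/kubectl": {true, "Static"}},
		},
		Actions: map[string][]string{"describe-created-resource": {"k8s-default-tools"}, "show-logs-on-error": {"static-tools"}},
	}
}

func main() {
	for _, e := range ValidateActionRBAC(SampleConfig()) {
		fmt.Println(e)
	}
}
```

With the constructed sample, only the botkube/helm plugin under k8s-default-tools is reported; the action bound to static-tools passes.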

@huseyinbabal (Contributor)

As a general comment: so the user just saw that message after they used actions with executors with channel RBAC, then what do they do next? If they duplicate that without channel RBAC to use with actions, it will be a security concern for them. If we are going to introduce support for actions, then maybe it's better to state that? Any link to our existing actions page would be valuable; of course, we need to have a scenario for this.

@josefkarasek josefkarasek merged commit 17bb734 into kubeshop:main May 16, 2023
@josefkarasek josefkarasek added the bug Something isn't working label Jun 15, 2023