Botkube
This page details the deployment of Botkube in HMCTS, where it comes from, how it's used and its integration with Slack.
Deployment
Botkube is deployed via Flux using the upstream Helm Chart from Botkube.
The Flux configuration covers all environments that we deploy Botkube to:
- CFT Sandbox
- CFT AAT
- CFT Production
Values
We have override values in Flux that customise the default deployment of Botkube to our own use case, including command aliases, RBAC, Slack channel setup and tokens (encrypted via SOPS).
Note: We do not pin the version of the Botkube Helm chart, so it's possible for changes upstream to be automatically added to our deployment. This can cause unexpected changes to values, templates and/or dependencies.
RBAC
The values we have are overrides for the upstream Helm Chart and include RBAC to control what users can do from Slack.
The RBAC configuration is designed as a specific allow rule because Kubernetes RBAC is additive, so we start with no permissions and then allow what we want.
rbac:
  groups:
    botkube-plugins-default:
      create: true
      rules:
        - apiGroups: ["*"]
          resources: ["namespaces", "pods", "services", "daemonsets", "deployments", "ingresses", "replicasets", "jobs", "configmaps", "helmreleases"]
          verbs: ["get", "watch", "list"]
In our case we allow the shown resources and commands, and only those, i.e. users cannot access pod logs, secrets or any other resource types not listed above.
Without this configuration the Botkube Helm Chart provides completely open access to all resources in the cluster.
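The Python sketch below is an added example, not HMCTS or Botkube code. It models how Kubernetes RBAC evaluates the rule above, showing why listing `pods` does not grant `pods/log` and why unlisted resources and verbs are denied. `RULES` is transcribed from the values on this page; `OPEN_RULES` is a wildcard rule constructed here to stand in for the "completely open access" case and is not copied from the chart, and the sample requests are also constructed.

```python
# Added example: a minimal model of Kubernetes RBAC rule matching.
# RULES is transcribed from the rbac values shown on this page.
RULES = [{
    "apiGroups": ["*"],
    "resources": ["namespaces", "pods", "services", "daemonsets", "deployments",
                  "ingresses", "replicasets", "jobs", "configmaps", "helmreleases"],
    "verbs": ["get", "watch", "list"],
}]

# Assumption: a wildcard rule constructed for contrast (not taken from the chart).
OPEN_RULES = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]


def resource_matches(rule_resource, resource, subresource=""):
    """A subresource such as pods/log is a distinct name and is NOT
    covered by a rule that lists only "pods"."""
    requested = f"{resource}/{subresource}" if subresource else resource
    if rule_resource in ("*", requested):
        return True
    # A "*/log" style rule matches that subresource on any resource.
    return bool(subresource) and rule_resource == f"*/{subresource}"


def allowed(rules, verb, group, resource, subresource=""):
    """RBAC is additive: a request is allowed if any single rule matches
    and denied when none does. There are no deny rules."""
    for rule in rules:
        if (any(v in ("*", verb) for v in rule["verbs"])
                and any(g in ("*", group) for g in rule["apiGroups"])
                and any(resource_matches(r, resource, subresource)
                        for r in rule["resources"])):
            return True
    return False


# Constructed requests: (verb, apiGroup, resource, subresource).
CHECKS = [
    ("list", "", "pods", ""),
    ("get", "", "pods", "log"),
    ("get", "", "secrets", ""),
    ("delete", "apps", "deployments", ""),
    ("get", "helm.toolkit.fluxcd.io", "helmreleases", ""),
]

if __name__ == "__main__":
    for verb, group, resource, sub in CHECKS:
        name = f"{resource}/{sub}" if sub else resource
        print(f"{verb:7} {name:15} "
              f"restricted={allowed(RULES, verb, group, resource, sub)!s:5} "
              f"open={allowed(OPEN_RULES, verb, group, resource, sub)}")
```

On a live cluster, `kubectl auth can-i` run against the identity Botkube uses gives the authoritative answer for the same questions.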
Slack integration
Deployment via Flux includes multiple encrypted secrets that contain Slack tokens for OAuth and App integration. The creation of the Slack Apps was carried out manually and followed the official guidance from Botkube.
When integrated with Slack the App can be added to channels (namely the aks-monitoring-x channels) and called to send commands to Botkube which are then run against the cluster that it is installed in:
In this screenshot you can see the use of Botkube to send commands to the Sbox-00 cluster and also the use of the alias kgp, which translates to kubectl get pods via the Botkube configuration.
You can find all Botkube Slack apps by searching the currently installed apps in the HMCTS Reform Slack workspace management section.