Velero default rbac permission
General MR
Summary
This MR implements least-privilege Role permissions for the default RBAC. The modified Role ensures that only the necessary permissions are granted for Velero to perform its backup and restore operations efficiently.
Relevant logs/screenshots
rules:
  - apiGroups: [""]
    resources: ["pods", "persistentvolumeclaims", "namespaces", "secrets", "services"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: ["apps"]
    resources: ["daemonsets", "replicasets", "statefulsets", "deployments", "services"]
    verbs: ["get", "list", "watch", "delete"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["get", "list", "create", "watch", "delete"]
  - apiGroups: ["batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["get", "list", "create", "watch"]
  - apiGroups: ["velero.io"]
    resources: [""]
    verbs: ["create", "get", "list", "update", "patch", "delete", "watch"]
These rules ensure the default Velero has the least permissions needed to deploy Velero and to back up and restore.
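A reviewer-side check for a rule list like the one above, added here as an example and not part of this MR or of Velero: it flags entries that grant nothing (an empty resource name, or a resource listed under an API group it does not belong to), wildcards, and read access to Secrets. `RULES` is transcribed from the rules as shown on this page; the `KNOWN` table and the finding names are assumptions made for the example.

```python
# Added example: lint RBAC rules for entries that grant nothing or expose Secrets.
# RULES is transcribed from the rule list as it appears on this page.
RULES = [
    {"apiGroups": [""], "resources": ["pods", "persistentvolumeclaims", "namespaces", "secrets", "services"],
     "verbs": ["get", "list", "watch", "create", "delete"]},
    {"apiGroups": ["apps"], "resources": ["daemonsets", "replicasets", "statefulsets", "deployments", "services"],
     "verbs": ["get", "list", "watch", "delete"]},
    {"apiGroups": ["autoscaling"], "resources": ["horizontalpodautoscalers"],
     "verbs": ["get", "list", "create", "watch", "delete"]},
    {"apiGroups": ["batch"], "resources": ["cronjobs", "jobs"],
     "verbs": ["get", "list", "create", "watch"]},
    {"apiGroups": ["velero.io"], "resources": [""],
     "verbs": ["create", "get", "list", "update", "patch", "delete", "watch"]},
]

# Built-in resources per API group, limited to the ones these rules name.
# Groups absent from this table (CRD groups such as velero.io) are not group-checked.
KNOWN = {
    "": {"pods", "persistentvolumeclaims", "namespaces", "secrets", "services"},
    "apps": {"daemonsets", "replicasets", "statefulsets", "deployments"},
    "autoscaling": {"horizontalpodautoscalers"},
    "batch": {"cronjobs", "jobs"},
}
READ_VERBS = {"get", "list", "watch", "*"}

def lint(rules):
    """Return (rule_index, finding, detail) tuples for one Role's rules."""
    findings = []
    for i, rule in enumerate(rules):
        verbs = set(rule["verbs"])
        for group in rule["apiGroups"]:
            for res in rule["resources"]:
                base = res.split("/")[0]  # drop any subresource suffix
                if res == "":
                    # An empty resource name matches no resource: the rule grants nothing.
                    findings.append((i, "empty-resource", group))
                elif "*" in (group, res) or "*" in verbs:
                    findings.append((i, "wildcard", f"{group}/{res}"))
                elif group in KNOWN and base not in KNOWN[group]:
                    # Resource is not served by this API group, so this entry never matches.
                    findings.append((i, "wrong-group", f"{group}/{res}"))
                if group == "" and base == "secrets" and verbs & READ_VERBS:
                    # Read verbs on Secrets return their contents.
                    findings.append((i, "secret-read", ",".join(sorted(verbs & READ_VERBS))))
    return findings

if __name__ == "__main__":
    for finding in lint(RULES):
        print(finding)
```
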
Linked Issue
Upgrade Notices
NA
Edited by Chukwuka Akagbusi