UNCLASSIFIED - NO CUI

Velero default rbac permission

Chukwuka Akagbusi requested to merge velero-default-rbac-permission into main

General MR

Summary

This MR implemented the least-privilege Role permission for default RBAC. The modified Role ensures that only the necessary permissions are granted for Velero to perform its backup and restore operations efficiently.

Relevant logs/screenshots

rules:
  - apiGroups: [""]
    resources: ["pods", "persistentvolumeclaims", "namespaces", "secrets", "services"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: ["apps"]
    resources: ["daemonsets", "replicasets", "statefulsets", "deployments", "services"]
    verbs: ["get", "list", "watch", "delete"] 
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["get", "list", "create", "watch", "delete"]
  - apiGroups: ["batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["get", "list", "create", "watch"]
  - apiGroups: ["velero.io"]
    resources: [""]
    verbs: ["create", "get", "list", "update", "patch", "delete", "watch"]

These rules ensure default Velero has the least permission to deploy Velero and be able to back up and restore.

Linked Issue

issue

Upgrade Notices

NA

Edited by Chukwuka Akagbusi
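
A static review pass over the rules quoted in the description above, as an added example that is not part of the merge request or the project's code. It flags entries a reviewer would question before accepting a Role as least-privilege: empty resource names, a resource listed under an API group that does not serve it, wildcards, and read access to Secrets. `GROUP_OF`, `READ_VERBS`, `RULES` and `audit` are names introduced here, and `GROUP_OF` is an assumed lookup covering only the resource types named on this page.

```python
# Added example (not from the merge request): static review of Role rules.
# GROUP_OF is an assumed lookup covering only resource types named on this page.
GROUP_OF = {
    "pods": "", "persistentvolumeclaims": "", "namespaces": "",
    "secrets": "", "services": "",
    "daemonsets": "apps", "replicasets": "apps",
    "statefulsets": "apps", "deployments": "apps",
    "horizontalpodautoscalers": "autoscaling", "cronjobs": "batch", "jobs": "batch",
}
READ_VERBS = {"get", "list", "watch", "*"}
# The rules from the description, transcribed as Python data.
RULES = [
    {"apiGroups": [""],
     "resources": ["pods", "persistentvolumeclaims", "namespaces", "secrets", "services"],
     "verbs": ["get", "list", "watch", "create", "delete"]},
    {"apiGroups": ["apps"],
     "resources": ["daemonsets", "replicasets", "statefulsets", "deployments", "services"],
     "verbs": ["get", "list", "watch", "delete"]},
    {"apiGroups": ["autoscaling"], "resources": ["horizontalpodautoscalers"],
     "verbs": ["get", "list", "create", "watch", "delete"]},
    {"apiGroups": ["batch"], "resources": ["cronjobs", "jobs"],
     "verbs": ["get", "list", "create", "watch"]},
    {"apiGroups": ["velero.io"], "resources": [""],
     "verbs": ["create", "get", "list", "update", "patch", "delete", "watch"]},
]

def audit(rules):
    """Return (rule_index, finding) tuples for entries a reviewer should question."""
    findings = []
    for i, rule in enumerate(rules):
        groups = set(rule.get("apiGroups", []))
        verbs = set(rule.get("verbs", []))
        for res in rule.get("resources", []):
            base = res.split("/")[0]  # drop a subresource suffix such as pods/log
            if base == "":
                findings.append((i, "empty resource name"))
            elif base == "*":
                findings.append((i, "wildcard resource"))
            elif base in GROUP_OF and not groups & {GROUP_OF[base], "*"}:
                findings.append((i, f"{base} is not served by {sorted(groups)}"))
            if base == "secrets" and verbs & READ_VERBS:
                findings.append((i, "read access to secrets"))
        if "*" in verbs:
            findings.append((i, "wildcard verb"))
    return findings

if __name__ == "__main__":
    for idx, msg in audit(RULES):
        print(f"rule {idx}: {msg}")
```

Rule indices are zero-based and follow the order of the rules in the description.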
