vmware-tanzu
/
velero
mirror of https://github.com/vmware-tanzu/velero.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #6927 from blackpiglet/restricted_rbac 

Add an working example for rbac.md.
pull/6939/head
lyndon 2023-10-10 16:52:30 +08:00 committed by GitHub
parent 5f71a662a4 98a383d94a
commit b31610157d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 50 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
site/content/docs/main/rbac.md
View File

@ -9,9 +9,9 @@ By default Velero runs with an RBAC policy of ClusterRole `cluster-admin`. This
For more information about RBAC and access control generally in Kubernetes, see the Kubernetes documentation about [access control][1], [managing service accounts][2], and [RBAC authorization][3].
## Set up Roles and RoleBindings
## Set up with restricted RBAC permissions
Here's a sample Role and RoleBinding pair.
Here's a sample of restricted permission setting.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
@ -28,13 +28,12 @@ rules:
- "*"
resources:
- "*"
```
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: ROLEBINDING_NAME_HERE
namespace: YOUR_NAMESPACE_HERE
subjects:
- kind: ServiceAccount
name: YOUR_SERVICEACCOUNT_HERE
@ -42,9 +41,55 @@ roleRef:
kind: Role
name: ROLE_NAME_HERE
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: velero-clusterrole
rules:
- apiGroups:
- ""
resources:
- persistentvolumes
- namespaces
verbs:
- '*'
- apiGroups:
- '*'
resources:
- '*'
verbs:
- list
- apiGroups:
- 'apiextensions.k8s.io'
resources:
- 'customresourcedefinitions'
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: velero-clusterrolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: velero-clusterrole
subjects:
- kind: ServiceAccount
name: YOUR_SERVICEACCOUNT_HERE
namespace: YOUR_NAMESPACE_HERE
```
You can add more permissions into the `Role` setting according to the need.
`velero-clusterrole` ClusterRole is verified to work in most cases.
`Namespaces` resource permission is needed to create namespace during restore. If you don't need that, the `create` permission can be removed, but `list` and `get` permissions of `Namespaces` resource is still needed, because Velero needs to know whether the namespace it's assigned exists in the cluster.
`PersistentVolumes` resource permission is needed for back up and restore volumes. If that is not needed, it can be removed too.
`CustomResourceDefinitions` resource permission is needed to backup CR instances' CRD. It's better to keep them.
It's better to have the `list` permission for all resources, because Velero needs to read some resources during backup, for example, `ClusterRoles` is listed for backing `ServiceAccount` up, and `VolumeSnapshotContent` for CSI `PersistentVolumeClaim`. If you just enable `list` permissions for the resources you want to back up and restore, it's possible that backup or restore end with failure.
[1]: https://kubernetes.io/docs/reference/access-authn-authz/controlling-access/
[2]: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
[3]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
[4]: namespace.md