Velero: Consider broadening ark service account permissions to cluster admin

Created on 7 Sep 2017  路  3Comments  路  Source: vmware-tanzu/velero

The service account we use is currently allowed to list/watch/create all resources in all namespaces. While this is sufficient for all backup operations, it is only partially so for restore operations.

While most restore operations will succeed, attempting to restore roles and/or clusterroles that have greater privileges than the ark service account fail.

We might want to broaden the privileges to cluster-admin. WDYT @mattmoyer @jbeda @skriss?

Help wanted P1 - Important
Source
picture ncdc

Most helpful comment

I think as part of #18 we will need to revisit this, but for now, it's a short-term win.

picture ncdc on 11 Sep 2017
👍2

All 3 comments

xref #23

ncdc picture ncdc on 7 Sep 2017

Would this be necessary if #18 were addressed? As I understood that, the goal was to have Ark simply impersonate the credentials of the given user.

In the short term I do think that it would be more straightforward to increase the scope of to ClusterAdmin so that the tool works as the user would expect. One of the unfortunate things about the current model would be that an operator would not know it wasn't working properly until they were trying to test the restore process itself and a few of theses services may not be immediately apparent that they were not restored properly.

jrnt30 picture jrnt30 on 11 Sep 2017

I think as part of #18 we will need to revisit this, but for now, it's a short-term win.

ncdc picture ncdc on 11 Sep 2017
👍2
Was this page helpful?
0 / 5 - 0 ratings

Related issues

iblackman picture iblackman  路  4Comments
concaf picture concaf  路  3Comments
Yggdrasil picture Yggdrasil  路  3Comments
Berndinox picture Berndinox  路  3Comments
totemcaf picture totemcaf  路  4Comments