Commit b316101

Merge pull request #6927 from blackpiglet/restricted_rbac
Add a working example for rbac.md.
2 parents 5f71a66 + 98a383d commit b316101

1 file changed

+50
-5
lines changed

site/content/docs/main/rbac.md

Lines changed: 50 additions & 5 deletions
@@ -9,9 +9,9 @@ By default Velero runs with an RBAC policy of ClusterRole `cluster-admin`. This
99

1010
For more information about RBAC and access control generally in Kubernetes, see the Kubernetes documentation about [access control][1], [managing service accounts][2], and [RBAC authorization][3].
1111

12-
## Set up Roles and RoleBindings
12+
## Set up with restricted RBAC permissions
1313

14-
Here's a sample Role and RoleBinding pair.
14+
Here's a sample of restricted permission setting.
1515

1616
```yaml
1717
apiVersion: rbac.authorization.k8s.io/v1
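Review bot: the replacement intro sentence at line 14 is ungrammatical ("Here's a sample of restricted permission setting."); suggest "Here's a sample of a restricted permission setup." Since the heading now promises restricted permissions, the intro should also say in one sentence what is being restricted relative to the `cluster-admin` default mentioned at the top of the file, i.e. that the `Role` stays namespace-scoped and the cluster-wide grants are limited to what Velero needs, so readers know what the example is meant to demonstrate before they reach the YAML.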
@@ -28,23 +28,68 @@ rules:
2828
- "*"
2929
resources:
3030
- "*"
31-
```
32-
33-
```yaml
31+
---
3432
apiVersion: rbac.authorization.k8s.io/v1
3533
kind: RoleBinding
3634
metadata:
3735
name: ROLEBINDING_NAME_HERE
36+
namespace: YOUR_NAMESPACE_HERE
3837
subjects:
3938
- kind: ServiceAccount
4039
name: YOUR_SERVICEACCOUNT_HERE
4140
roleRef:
4241
kind: Role
4342
name: ROLE_NAME_HERE
4443
apiGroup: rbac.authorization.k8s.io
44+
---
45+
apiVersion: rbac.authorization.k8s.io/v1
46+
kind: ClusterRole
47+
metadata:
48+
name: velero-clusterrole
49+
rules:
50+
- apiGroups:
51+
- ""
52+
resources:
53+
- persistentvolumes
54+
- namespaces
55+
verbs:
56+
- '*'
57+
- apiGroups:
58+
- '*'
59+
resources:
60+
- '*'
61+
verbs:
62+
- list
63+
- apiGroups:
64+
- 'apiextensions.k8s.io'
65+
resources:
66+
- 'customresourcedefinitions'
67+
verbs:
68+
- get
69+
---
70+
apiVersion: rbac.authorization.k8s.io/v1
71+
kind: ClusterRoleBinding
72+
metadata:
73+
name: velero-clusterrolebinding
74+
roleRef:
75+
apiGroup: rbac.authorization.k8s.io
76+
kind: ClusterRole
77+
name: velero-clusterrole
78+
subjects:
79+
- kind: ServiceAccount
80+
name: YOUR_SERVICEACCOUNT_HERE
81+
namespace: YOUR_NAMESPACE_HERE
4582
```
4683
84+
You can add more permissions into the `Role` setting according to the need.
85+
`velero-clusterrole` ClusterRole is verified to work in most cases.
86+
`Namespaces` resource permission is needed to create namespace during restore. If you don't need that, the `create` permission can be removed, but `list` and `get` permissions of `Namespaces` resource is still needed, because Velero needs to know whether the namespace it's assigned exists in the cluster.
87+
`PersistentVolumes` resource permission is needed for back up and restore volumes. If that is not needed, it can be removed too.
88+
`CustomResourceDefinitions` resource permission is needed to backup CR instances' CRD. It's better to keep them.
89+
It's better to have the `list` permission for all resources, because Velero needs to read some resources during backup, for example, `ClusterRoles` is listed for backing `ServiceAccount` up, and `VolumeSnapshotContent` for CSI `PersistentVolumeClaim`. If you just enable `list` permissions for the resources you want to back up and restore, it's possible that backup or restore end with failure.
90+
4791
[1]: https://kubernetes.io/docs/reference/access-authn-authz/controlling-access/
4892
[2]: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
4993
[3]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
5094
[4]: namespace.md
95+
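Review bot: the `velero-clusterrole` rules grant `verbs: ['*']` on `namespaces` and `persistentvolumes` and `list` on every resource in every API group, which contradicts the prose below stating that the `create` permission "can be removed" and leaves the "restricted" example with cluster-wide read of every object, Secrets included, since a `list` response carries full object bodies. Suggest enumerating the verbs explicitly (for example `get`, `list`, `create` for `namespaces`) so readers can see exactly which one to drop, and adding one sentence under the YAML noting that `list` on `'*'` returns object contents and that operators who need tighter scoping should enumerate the resource kinds Velero reads (the text already names `ClusterRoles` and `VolumeSnapshotContent`) instead of using the wildcard. Smaller wording fixes in the same lines: "permissions of `Namespaces` resource is still needed" should be "are still needed", "needed for back up and restore volumes" should be "needed to back up and restore volumes", and "it's possible that backup or restore end with failure" reads better as "backup or restore may fail". Line 95 also adds a trailing empty line at end of file that should be dropped.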
