Why do velero role require wildcard access to all resources. #558

dsai1 opened this issue Mar 14, 2024 · 5 comments
Labels
question Further information is requested velero

Comments

@dsai1

dsai1 commented Mar 14, 2024

What steps did you take and what happened:
[A clear and concise description of what the bug is, and what commands you ran.]
Our security team have reported security issues with existing velero role.
AVD-KSV-0044 - No wildcard verb and resource roles
AVD-KSV-0045 - No wildcard verb and resource roles

What did you expect to happen:
Can't we limit access to the verbs and resources it requires?

The output of the following commands will help us better understand what's going on:
(Pasting long output into a GitHub gist or other pastebin is fine.)

Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]

Environment:

  • helm version (use helm version): velero-2.29.6
  • helm chart version and app version (use helm list -n <YOUR NAMESPACE>):
  • Kubernetes version (use kubectl version):
  • Kubernetes installer & version:
  • Cloud provider or hardware configuration:
  • OS (e.g. from /etc/os-release):
@siegenthalerroger

I mean velero needs to be capable of reading (backups) and writing (restoring) every resource (-type) in the cluster. So by default it needs wildcard access to everything. Assuming you don't backup and restore everything (for example only PV/PVCs) then of course you can limit the role that velero has to match and improve your security posture.

@dsai1
Author

dsai1 commented Mar 15, 2024

I have actually restricted the permissions for the velero role to all the required permissions, but I'm getting the error below; not sure where exactly it's going wrong.

time="2024-03-15T09:13:40Z" level=error msg="Error patching backup location's last-synced time" backupLocation=aws controller=backup-sync error="backupstoragelocations.velero.io "aws" is forbidden: User "system:serviceaccount:system:velero-extras-1-server" cannot patch resource "backupstoragelocations/status" in API group "velero.io" in the namespace "system"" error.file="/go/src/github.com/vmware-tanzu/velero/pkg/controller/backup_sync_controller.go:318" error.function="github.com/vmware-tanzu/velero/pkg/controller.(*backupSyncController).run" logSource="pkg/controller/backup_sync_controller.go:318"

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: velero-extras-1-server
  namespace: system
rules:
  - apiGroups:
      - "*"
    resources:
      - persistentvolumes
      - volumeattachments
      - persistentvolumeclaims
      - persistentvolumeclaims/status
      - storageclasses
      - namespaces
      - nodes
      - pods
      - daemonsets
      - customresourcedefinitions
      - backups
      - schedules
      - volumesnapshotlocations
      - resticrepositories
      - deletebackuprequests
      - podvolumebackups
      - restores
      - serverstatusrequests
      - backupstoragelocations
      - downloadrequests
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - patch
      - watch
```

@sseago
Contributor

sseago commented Mar 19, 2024

It sounds like you've restricted Velero permissions to the point that Velero can't modify Velero CRs such as BackupStorageLocations.

@dsai1
Author

dsai1 commented May 2, 2024

@sseago currently we are running velero on EKS 1.29 and we need to back up resources to S3 buckets. What are the limited permissions that I can give to the cluster-role? We also need to restrict access to the particular resources being used; our security team has raised an issue with the velero cluster-role having excessive permissions, like cluster-admin.

@sseago
Contributor

sseago commented May 6, 2024

@dsai1 I don't think anyone has gone through and found a minimal set of permissions that still works. It's possible that there is a more restricted set that will still allow all velero functions to work properly, but I don't think we have a specific list. Note that velero will still need to create/modify velero CRs, have access to any namespace being backed up for reading/creating/modifying, as well as for cluster-scoped resources as needed.

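The failing request in the log above (patch `backupstoragelocations/status` in group `velero.io`) is denied because RBAC never treats a bare resource name as covering its subresources. The following is an added example, not code from the issue or from the Velero project: a small model of Kubernetes PolicyRule matching, run against rules constructed to mirror the posted Role, plus the wildcard check behind the AVD-KSV-0044/0045 findings. `STATUS_PATCH_RULE` is an assumed illustration of a rule that grants only the denied request, not a recommended minimal Velero policy.

```python
# Added example (not from the issue or Velero): model how a Kubernetes PolicyRule
# matches a request, to show why the posted Role denies the logged request.

# Constructed to mirror the posted Role: apiGroups "*" is a wildcard, and the
# subresource backupstoragelocations/status is NOT listed (only the parent is).
POSTED_ROLE_RULES = [{
    "apiGroups": ["*"],
    "resources": ["persistentvolumes", "persistentvolumeclaims",
                  "persistentvolumeclaims/status", "backups", "restores",
                  "backupstoragelocations", "downloadrequests"],
    "verbs": ["get", "list", "create", "update", "delete", "patch", "watch"],
}]

# Assumed illustration: a narrow rule covering just the request from the log.
STATUS_PATCH_RULE = [{
    "apiGroups": ["velero.io"],
    "resources": ["backupstoragelocations/status"],
    "verbs": ["patch"],
}]


def rule_matches(rule, group, resource, verb):
    """A rule grants a request only if apiGroup, resource and verb all match.
    '*' matches anything; '*/sub' matches any resource's 'sub' subresource;
    a bare resource name (e.g. 'backups') never covers 'backups/status'."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    group_ok = "*" in groups or group in groups
    res_ok = "*" in resources or resource in resources
    if not res_ok and "/" in resource:
        res_ok = "*/" + resource.split("/", 1)[1] in resources
    verb_ok = "*" in verbs or verb in verbs
    return group_ok and res_ok and verb_ok


def allowed(rules, group, resource, verb):
    """Authorizer semantics: any single matching rule grants the request."""
    return any(rule_matches(r, group, resource, verb) for r in rules)


def wildcard_findings(rules):
    """What a policy scanner reports: '*' in apiGroups, resources or verbs."""
    return [f"rule[{i}]: wildcard in {field}"
            for i, r in enumerate(rules)
            for field in ("apiGroups", "resources", "verbs")
            if "*" in r.get(field, [])]


if __name__ == "__main__":
    print(allowed(POSTED_ROLE_RULES, "velero.io", "backupstoragelocations/status", "patch"))  # False
    print(allowed(POSTED_ROLE_RULES, "velero.io", "backupstoragelocations", "patch"))  # True
    print(wildcard_findings(POSTED_ROLE_RULES))  # ['rule[0]: wildcard in apiGroups']
```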
@jenting jenting added question Further information is requested velero labels May 13, 2024