Why does the velero role require wildcard access to all resources? #558
Comments
I mean velero needs to be capable of reading (backups) and writing (restoring) every resource (-type) in the cluster. So by default it needs wildcard access to everything. Assuming you don't backup and restore everything (for example only PV/PVCs) then of course you can limit the role that velero has to match and improve your security posture.
I have actually restricted the permissions for the velero role with all required permissions, but I'm getting the error below and am not sure where exactly it's going wrong.

time="2024-03-15T09:13:40Z" level=error msg="Error patching backup location's last-synced time" backupLocation=aws controller=backup-sync error="backupstoragelocations.velero.io "aws" is forbidden: User "system:serviceaccount:system:velero-extras-1-server" cannot patch resource "backupstoragelocations/status" in API group "velero.io" in the namespace "system"" error.file="/go/src/github.com/vmware-tanzu/velero/pkg/controller/backup_sync_controller.go:318" error.function="github.com/vmware-tanzu/velero/pkg/controller.(*backupSyncController).run" logSource="pkg/controller/backup_sync_controller.go:318"

apiVersion: rbac.authorization.k8s.io/v1
It sounds like you've restricted Velero permissions to the point that Velero can't modify Velero CRs such as BackupStorageLocations.
@sseago Currently we are running velero on EKS 1.29 and we need to back up resources to S3 buckets. What are the limited permissions that I can give to the cluster-role? We also need to restrict access to the particular resources being used; our security team has raised an issue with the velero cluster-role having excessive permissions as cluster-admin.
@dsai1 I don't think anyone has gone through and found a minimal set of permissions that still works. It's possible that there is a more restricted set that will still allow all velero functions to work properly, but I don't think we have a specific list. Note that velero will still need to create/modify velero CRs, have access to any namespace being backed up for reading/creating/modifying, as well as for cluster-scoped resources as needed.
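The forbidden patch on backupstoragelocations/status in the log above, and the point that Velero must still modify its own CRs, both come down to one RBAC detail: a status subresource is authorized separately from its parent resource. The following is an added example, not the chart's RBAC or anything posted in this issue; it assumes Velero runs in the namespace "system" with the service account "velero-extras-1-server" as the log states, and the resource names are the velero.io CRDs (confirm the list on your cluster with `kubectl api-resources --api-group=velero.io`).

```yaml
# Added example: a namespaced Role for Velero's own CRs, plus the status
# subresources that a rule naming only the parent resources does not cover.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: velero-crs
  namespace: system              # Velero's namespace, from the log line
rules:
  # Parent resources: the controllers create, update, watch and delete these.
  - apiGroups: ["velero.io"]
    resources:
      - backups
      - backupstoragelocations
      - backuprepositories
      - deletebackuprequests
      - downloadrequests
      - podvolumebackups
      - podvolumerestores
      - restores
      - schedules
      - serverstatusrequests
      - volumesnapshotlocations
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Status subresources: "backupstoragelocations" alone does NOT grant
  # "backupstoragelocations/status", which is what backup-sync patches.
  - apiGroups: ["velero.io"]
    resources:
      - backups/status
      - backupstoragelocations/status
      - backuprepositories/status
      - deletebackuprequests/status
      - downloadrequests/status
      - podvolumebackups/status
      - podvolumerestores/status
      - restores/status
      - schedules/status
      - serverstatusrequests/status
      - volumesnapshotlocations/status
    verbs: ["get", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: velero-crs
  namespace: system
subjects:
  - kind: ServiceAccount
    name: velero-extras-1-server   # service account named in the log line
    namespace: system
roleRef:
  kind: Role
  name: velero-crs
  apiGroup: rbac.authorization.k8s.io
```

This covers only Velero's own CRs in its namespace; the per-namespace access for workloads being backed up and any cluster-scoped resources still need their own rules, as noted above.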
What steps did you take and what happened:
Our security team has reported security issues with the existing velero role.
AVD-KSV-0044 - No wildcard verb and resource roles
AVD-KSV-0045 - No wildcard verb and resource roles
What did you expect to happen:
Can't we limit access to the verbs and resources it requires?
The output of the following commands will help us better understand what's going on:
Anything else you would like to add:
Environment:
- helm version: velero-2.29.6
- helm list -n <YOUR NAMESPACE>:
- kubectl version:
- /etc/os-release: