Define Cluster Role and Role permissions


Users without the Kubernetes administrator permissions need to define a Cluster Role (cluster-level) and a Role (namespace specific) to allow PX-Backup to backup and restore the namespace resources.

Users need the following minimum permissions:

Cluster Role

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: user1-cr
rules:
- apiGroups: ["*"]
  resources: ["namespaces", "clusterrolebindings", "persistentvolumes", "clusterroles", "nodes"]
  verbs: ["get", "list", "watch", "create"]
- apiGroups: ["stork.libopenstorage.org"]
  resources: ["schedulepolicies"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["stork.libopenstorage.org"] # for controller support
  resources: ["*"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
  resources: ["volumesnapshotclasses"]
  verbs: ["get", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: user1-clusterrolebinding
subjects:
- kind: ServiceAccount
  name: mynamespace-user
  namespace: mynamespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: user1-cr
---

Role

apiVersion: v1
kind: ServiceAccount
metadata:
  name: mynamespace-user
  namespace: mynamespace

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: mynamespace-user-full-access
  namespace: mynamespace
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]
- apiGroups:
  - stork.libopenstorage.org
  resources: ["*"]
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch

---

Last edited: Friday, Aug 20, 2021