Define Cluster Role and Role permissions
Users without Kubernetes administrator permissions need to define a ClusterRole (cluster-wide) and a Role (namespace-scoped) so that PX-Backup can back up and restore the namespace's resources. A Role grants nothing on its own: it takes effect only once a RoleBinding in the same namespace binds it to the service account.
Users need the following minimum permissions:
Cluster Role
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: user1-cr
rules:
- apiGroups: ["*"]
  resources: ["namespaces", "clusterrolebindings", "persistentvolumes", "clusterroles", "nodes"]
  verbs: ["get", "list", "watch", "create"]
- apiGroups: ["stork.libopenstorage.org"]
  resources: ["schedulepolicies"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["stork.libopenstorage.org"] # for controller support
  resources: ["*"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
  resources: ["volumesnapshotclasses"]
  verbs: ["get", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 was removed in Kubernetes 1.22; v1 uses the same schema
metadata:
  name: user1-clusterrolebinding
subjects:
- kind: ServiceAccount
  name: mynamespace-user
  namespace: mynamespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: user1-cr
---
Role
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mynamespace-user
  namespace: mynamespace
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 was removed in Kubernetes 1.22; v1 uses the same schema
metadata:
  name: mynamespace-user-full-access
  namespace: mynamespace
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]
- apiGroups:
  - stork.libopenstorage.org
  resources: ["*"]
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
---
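To review what these two rule sets actually grant before applying them, the following added example (not Portworx's code) transcribes the page's rules into Python and evaluates requests with Kubernetes RBAC matching semantics; it ignores resourceNames, subresources and nonResourceURLs, which the page's rules do not use.

```python
"""Offline evaluator for the RBAC rules on this page (added example, not
Portworx's code). Applies Kubernetes RBAC matching: "*" in apiGroups,
resources or verbs matches anything, and the core API group is ""."""

CLUSTER_ROLE_RULES = [  # transcribed from the user1-cr ClusterRole
    {"apiGroups": ["*"],
     "resources": ["namespaces", "clusterrolebindings", "persistentvolumes",
                   "clusterroles", "nodes"],
     "verbs": ["get", "list", "watch", "create"]},
    {"apiGroups": ["stork.libopenstorage.org"],
     "resources": ["schedulepolicies"],
     "verbs": ["create", "delete", "deletecollection", "get", "list",
               "patch", "update", "watch"]},
    {"apiGroups": ["stork.libopenstorage.org"], "resources": ["*"],
     "verbs": ["list", "get", "watch"]},
    {"apiGroups": ["snapshot.storage.k8s.io"],
     "resources": ["volumesnapshotclasses"], "verbs": ["get", "list"]},
]

NAMESPACE_ROLE_RULES = [  # transcribed from mynamespace-user-full-access
    {"apiGroups": ["", "extensions", "apps"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": ["*"]},
    {"apiGroups": ["stork.libopenstorage.org"], "resources": ["*"],
     "verbs": ["create", "delete", "deletecollection", "get", "list",
               "patch", "update", "watch"]},
]


def _matches(allowed, value):
    return "*" in allowed or value in allowed


def can_i(rules, verb, resource, api_group=""):
    """True if any rule grants VERB on RESOURCE in API_GROUP ("" = core).
    Ignores resourceNames, subresources and nonResourceURLs (unused here)."""
    return any(_matches(r["apiGroups"], api_group)
               and _matches(r["resources"], resource)
               and _matches(r["verbs"], verb) for r in rules)


def wildcard_grants(rules):
    """apiGroups of rules granting every verb on every resource: the first
    place to look when a grant is supposed to be a minimum."""
    return [r["apiGroups"] for r in rules
            if "*" in r["resources"] and "*" in r["verbs"]]
```

The same questions can be put to a live cluster with `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:mynamespace:mynamespace-user`, which also accounts for bindings this page does not show.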
Last edited: Friday, Aug 20, 2021