Resources and Permissions

This section describes the different resources that Trilio for Kubernetes accesses within the Kubernetes cluster.

Deprecated Documentation

This document is deprecated and no longer supported. For accurate, up-to-date information, please refer to the documentation for the latest version of Trilio.

Job to Pod mapping

The table below maps each Trilio for Kubernetes job to the container image or Pod that runs it.

| Job/Function Name | Images/Pods used |
| --- | --- |
| ControlPlane | ControlPlane |
| Webhook | Webhook |
| Exporter | Exporter |
| Target Validation Job | DataAttacher |
| Snapshot Job | Metamover |
| DataUpload Job | Datamover |
| MetaData Upload Job | Metamover |
| Retention Job | TBD (using alpine image currently) |
| Backup Cleaner Job | DataAttacher |
| Cron Job | BackupScheduler |
| Metamover Validation Job | Metamover |
| Data Restore Job | Datamover |
| Metamover Restore Job | Metamover |
| Resource Cleaner Job | ResourceCleaner |
| Conversion Server Job | ConversionController |

Job Permissions

The following table lists the resources and permissions that Trilio for Kubernetes components and jobs access.

| API Group | Resources/ResourceName | Verbs |
| --- | --- | --- |
| triliovault.trilio.io | * | * |
| * | * | get, list, watch |
| apiextensions.k8s.io | customresourcedefinitions | get, list, watch, create |
| core | serviceaccounts, services, services/finalizers, events, Secrets, persistentvolumeclaims | * |
| core | pods, services, services/finalizers, endpoints, events, configmaps, secrets | get, list, watch |
| core | namespaces | get, list, watch, create, update |
| core | persistentvolumes | get, list, watch, update |
| admissionregistration.k8s.io | Validatingwebhookconfigurations, mutatingwebhookconfigurations | * |
| batch | job | * |
| apps | statefulsets, daemonsets, replicasets, deployments/finalizers | get, list, watch |
| apps | deployments | get, list, watch, create, update, delete |
| extensions | cronjobs | * |
| snapshot.storage.k8s.io | * | * |
| rbac.authorization.k8s.io | clusterrole, clusterrolebindings | * |
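
A reviewer's pass over the Job Permissions table, as an added example that is not Trilio's own code: it transcribes the rows above and flags the grants that touch Secrets, RBAC objects or admission webhook configuration. The `SENSITIVE` prefixes, the `WRITE` verb set and the `review` function are assumptions chosen for this illustration.

```python
R = ["get", "list", "watch"]  # read-only verb set shared by several rows
# (apiGroup, resources, verbs), transcribed from the table on this page.
RULES = [
    ("triliovault.trilio.io", ["*"], ["*"]),
    ("*", ["*"], R),
    ("apiextensions.k8s.io", ["customresourcedefinitions"], R + ["create"]),
    ("core", ["serviceaccounts", "services", "services/finalizers", "events",
              "Secrets", "persistentvolumeclaims"], ["*"]),
    ("core", ["pods", "services", "services/finalizers", "endpoints", "events",
              "configmaps", "secrets"], R),
    ("core", ["namespaces"], R + ["create", "update"]),
    ("core", ["persistentvolumes"], R + ["update"]),
    ("admissionregistration.k8s.io", ["Validatingwebhookconfigurations",
                                      "mutatingwebhookconfigurations"], ["*"]),
    ("batch", ["job"], ["*"]),
    ("apps", ["statefulsets", "daemonsets", "replicasets",
              "deployments/finalizers"], R),
    ("apps", ["deployments"], R + ["create", "update", "delete"]),
    ("extensions", ["cronjobs"], ["*"]),
    ("snapshot.storage.k8s.io", ["*"], ["*"]),
    ("rbac.authorization.k8s.io", ["clusterrole", "clusterrolebindings"], ["*"]),
]

# Assumption (reviewer's choice, not from the page): resource-name prefixes
# to flag, and whether read access alone is already a concern.
SENSITIVE = {
    "secrets": ("credential exposure", True),
    "clusterrole": ("RBAC changes", False),
    "validatingwebhook": ("admission control changes", False),
    "mutatingwebhook": ("admission control changes", False),
}
WRITE = {"*", "create", "update", "patch", "delete", "deletecollection"}

def review(rules):
    """Return sorted (apiGroup, resource, concern) tuples worth a reviewer's look."""
    out = set()
    for group, resources, verbs in rules:
        writes = bool(WRITE & set(verbs))
        for res in (r.lower() for r in resources):
            if res == "*" and group == "*":
                out.add((group, res, "every resource in every API group, Secrets included"))
            for prefix, (concern, on_read) in SENSITIVE.items():
                if res.startswith(prefix) and (writes or on_read):
                    out.add((group, res, concern))
    return sorted(out)

if __name__ == "__main__":
    print(*review(RULES), sep="\n")
```

Run against the table as transcribed, it reports six grants; the same function can be pointed at rules exported from a live ClusterRole to compare what is deployed with what this page documents.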

Security Context or Security Policy Definitions

```
Name:                             privileged
Priority:                         <none>
Access:
  Users:
  Groups:
Settings:
  Allow Privileged:               true
  Allow Privilege Escalation:     true
  Default Add Capabilities:       <none>
  Required Drop Capabilities:     <none>
  Allowed Capabilities:           *
  Allowed Seccomp Profiles:       *
  Allowed Volume Types:           *
  Allowed Flexvolumes:            <all>
  Allowed Unsafe Sysctls:         *
  Forbidden Sysctls:              <none>
  Allow Host Network:             true
  Allow Host Ports:               true
  Allow Host PID:                 true
  Allow Host IPC:                 true
  Read Only Root Filesystem:      false
  Run As User Strategy:           RunAsAny
    UID:                          <none>
    UID Range Min:                <none>
    UID Range Max:                <none>
  SELinux Context Strategy:       RunAsAny
    User:                         <none>
    Role:                         <none>
    Type:                         <none>
    Level:                        <none>
  FSGroup Strategy:               RunAsAny
    Ranges:                       <none>
  Supplemental Groups Strategy:   RunAsAny
    Ranges:                       <none>
```

| Pod | Type | SCC/PSP | Specific Capability |
| --- | --- | --- | --- |
| Control-plane | Deploy time | Restricted | KILL, AUDIT_WRITE |
| Webhook | Deploy time | Restricted | KILL, AUDIT_WRITE |
| Exporter | Deploy time | Restricted | KILL, AUDIT_WRITE |
| Metamover | Run-time | Privileged | * |
| Datamover | Run-time | Privileged | * |
| DataAttacher | Run-time | Privileged | * |
| BackupScheduler | Run-time | Restricted | KILL, AUDIT_WRITE |
| ResourceCleaner | Run-time | Restricted | KILL, AUDIT_WRITE |
| Conversion Deployment | Run-time | Restricted | KILL, AUDIT_WRITE |
