4.0.X
AWS S3 Target Permissions

Permissions required to add S3 as a target to T4K
To add AWS S3 (object storage) as a Target within T4K, the IAM user whose credentials are supplied to T4K needs the following access permissions on the bucket.
  • Implementation Steps
    1. Create the following policy in AWS.
       Note: replace bucketname with the name of the S3 bucket.
       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Effect": "Allow",
             "Action": [
               "s3:ListBucket",
               "s3:PutObject",
               "s3:GetObject",
               "s3:DeleteObject"
             ],
             "Resource": [
               "arn:aws:s3:::bucketname",
               "arn:aws:s3:::bucketname/*"
             ]
           },
           {
             "Effect": "Deny",
             "NotAction": "s3:*",
             "NotResource": [
               "arn:aws:s3:::bucketname",
               "arn:aws:s3:::bucketname/*"
             ]
           }
         ]
       }
    2. Attach the policy to an IAM user and collect that user's Access key ID and Secret access key; these must be entered when adding the AWS target.
    3. Optional: if a bucket policy is attached to the bucket, the bucket policy should grant the same user the following:
       Note: Alice is a user in the root account 111122223333.
       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Effect": "Allow",
             "Principal": {
               "AWS": [
                 "arn:aws:iam::111122223333:user/Alice"
               ]
             },
             "Action": [
               "s3:ListBucket",
               "s3:PutObject",
               "s3:GetObject",
               "s3:DeleteObject"
             ],
             "Resource": [
               "arn:aws:s3:::my_bucket",
               "arn:aws:s3:::my_bucket/*"
             ]
           }
         ]
       }
  • Security Settings:
    1. To perform target browsing, privileged containers are required for both object storage and NFS storage targets. Refer to the official documentation: Pod Security Context
    2. If privileged containers have been restricted in the backup and/or restore namespaces, the PodSecurityPolicy must be edited to allow them. Create or edit the PodSecurityPolicy with the necessary privileges and save it in a YAML file, for example allow-privileged-psp.yaml:
       apiVersion: policy/v1beta1
       kind: PodSecurityPolicy
       metadata:
         name: allow-privileged
       spec:
         privileged: true
         # The following four fields are required by the PodSecurityPolicy API;
         # RunAsAny imposes no additional restriction.
         seLinux:
           rule: RunAsAny
         runAsUser:
           rule: RunAsAny
         supplementalGroups:
           rule: RunAsAny
         fsGroup:
           rule: RunAsAny
    3. Apply or update the PodSecurityPolicy in your cluster:
       kubectl apply -f allow-privileged-psp.yaml
    4. Next, create a ClusterRole that allows use of the PodSecurityPolicy and save it as cluster-role.yaml:
       apiVersion: rbac.authorization.k8s.io/v1
       kind: ClusterRole
       metadata:
         name: use-allow-privileged-psp
       rules:
       - apiGroups: ['policy']
         resources: ['podsecuritypolicies']
         verbs: ['use']
         resourceNames: ['allow-privileged'] # Use the name of your PSP
    5. Apply the ClusterRole to your cluster:
       kubectl apply -f cluster-role.yaml
    6. Create a ClusterRoleBinding that binds the ClusterRole to the ServiceAccount in the backup namespace where privileged containers should be allowed, and save it as cluster-role-binding.yaml:
       apiVersion: rbac.authorization.k8s.io/v1
       kind: ClusterRoleBinding
       metadata:
         name: bind-allow-privileged-psp
       roleRef:
         apiGroup: rbac.authorization.k8s.io
         kind: ClusterRole
         name: use-allow-privileged-psp # Use the name of your ClusterRole
       subjects:
       - kind: ServiceAccount
         name: default # Use the appropriate ServiceAccount name or account that you want to apply the PSP to
         namespace: backup-namespace # Specify the target namespace
    7. Apply the ClusterRoleBinding to your cluster:
       kubectl apply -f cluster-role-binding.yaml
Make sure to adapt the configuration to your specific use case and security requirements. Please consult your system administrator before updating the PodSecurityPolicy.