AWS S3 Target Permissions

Permissions required to add S3 as a target to T4K

To add AWS S3 (object storage) as a Target within T4K, users need specific access permissions on the bucket.

  • Implementation Step

    1. Create the following Policy in AWS

      • Note: replace bucketname with the name of your S3 bucket.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:ListBucket",
                      "s3:PutObject",
                      "s3:GetObject",
                      "s3:DeleteObject"
                  ],
                  "Resource": [
                      "arn:aws:s3:::bucketname",
                      "arn:aws:s3:::bucketname/*"
                  ]
              },
              {
                  "Effect": "Deny",
                  "NotAction": "s3:*",
                  "NotResource": [
                      "arn:aws:s3:::bucketname",
                      "arn:aws:s3:::bucketname/*"
                  ]
              }
          ]
      }
    2. Attach the policy to a user and collect the Access key ID and Secret access key, which the user must provide when adding an AWS target.

    3. Optional: if a bucket policy is attached to the bucket, the bucket policy should be as follows:

      • Note: Alice is a user in the root account 111122223333

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": [
                          "arn:aws:iam::111122223333:user/Alice"
                      ]
                  },
                  "Action": [
                      "s3:ListBucket",
                      "s3:PutObject",
                      "s3:GetObject",
                      "s3:DeleteObject"
                  ],
                  "Resource": [
                      "arn:aws:s3:::my_bucket",
                      "arn:aws:s3:::my_bucket/*"
                  ]
              }
          ]
      }
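As an added example (not T4K's or AWS's own code), the following Python check renders the IAM policy from step 1 for a given bucket name and then flags deviations from that least-privilege shape: actions beyond the four T4K needs, resources outside the bucket, or a missing Deny guardrail. The bucket name and function names are hypothetical.

```python
import json

# The four actions step 1 grants; anything beyond them is flagged.
REQUIRED_ACTIONS = {"s3:ListBucket", "s3:PutObject", "s3:GetObject", "s3:DeleteObject"}


def render_target_policy(bucket: str) -> dict:
    """Build the IAM policy shown above with 'bucketname' replaced by `bucket`."""
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS), "Resource": arns},
            # Guardrail: deny every non-S3 action and any S3 access outside this bucket.
            {"Effect": "Deny", "NotAction": "s3:*", "NotResource": arns},
        ],
    }


def _as_list(value):
    # IAM accepts either a string or a list for Action / Resource / NotResource.
    return value if isinstance(value, list) else [value]


def check_target_policy(policy: dict, bucket: str) -> list:
    """Return findings where `policy` deviates from the shape above; [] means it matches."""
    expected = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    allowed, guardrail, findings = set(), False, []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            actions = set(_as_list(stmt.get("Action", [])))
            resources = set(_as_list(stmt.get("Resource", [])))
            if resources - expected:
                findings.append(f"Allow reaches outside the bucket: {sorted(resources - expected)}")
            allowed |= actions
        elif stmt.get("Effect") == "Deny":
            if stmt.get("NotAction") == "s3:*" and set(_as_list(stmt.get("NotResource", []))) == expected:
                guardrail = True
    if missing := REQUIRED_ACTIONS - allowed:
        findings.append(f"missing required actions: {sorted(missing)}")
    if extra := allowed - REQUIRED_ACTIONS:
        findings.append(f"actions beyond what T4K needs: {sorted(extra)}")
    if not guardrail:
        findings.append("no Deny guardrail limiting access to the target bucket")
    return findings


if __name__ == "__main__":
    bucket = "example-t4k-backups"  # hypothetical bucket name
    print(json.dumps(render_target_policy(bucket), indent=4))
    print(check_target_policy(render_target_policy(bucket), bucket))
```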
  • Security Settings:

    Note: T4K's privilege escalation is scoped exclusively to the trilio-systems namespace; elevated privileges are not required in other namespaces, and they are required only for the Data Upload and Metadata Upload states.

    1. To perform target browsing, privileged containers are required for both object storage and NFS storage. Refer to the official documentation: Pod Security Context

    2. If privileged containers are restricted across the backup and/or restore namespaces, the PodSecurityPolicy should be edited to allow them. Create or edit the PodSecurityPolicy with the necessary privileges and save the configuration in a YAML file, for example allow-privileged-psp.yaml:

    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: allow-privileged
    spec:
      privileged: true

    3. Apply or update the PodSecurityPolicy in your cluster:

    kubectl apply -f allow-privileged-psp.yaml

    4. Next, create a ClusterRole that allows use of the PodSecurityPolicy (saved here as cluster-role.yaml):

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: use-allow-privileged-psp
    rules:
    - apiGroups: ['policy']
      resources: ['podsecuritypolicies']
      verbs: ['use']
      resourceNames: ['allow-privileged']  # Use the name of your PSP

    5. Apply the ClusterRole to your cluster:

    kubectl apply -f cluster-role.yaml

    6. Create a ClusterRoleBinding (saved here as cluster-role-binding.yaml) that binds the ClusterRole to the backup-namespace where you want to allow privileged containers:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: bind-allow-privileged-psp
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: use-allow-privileged-psp  # Use the name of your ClusterRole
    subjects:
    - kind: ServiceAccount
      name: default  # Use the appropriate ServiceAccount name or account that you want to apply the PSP to
      namespace: backup-namespace  # Specify the target namespace

    7. Apply the ClusterRoleBinding to your cluster:

    kubectl apply -f cluster-role-binding.yaml

Make sure to adapt the configuration to your specific use case and security requirements. Please consult your system administrator before updating the PodSecurityPolicy.
