Resources and Permissions

This section describes the different resources that TrilioVault for Kubernetes accesses within the Kubernetes cluster.

Job to Pod mapping

The table below maps each TrilioVault for Kubernetes job or function to the container image or Pod that runs it.

Job/Function Name           Images/Pods used
--------------------------  --------------------
ControlPlane                ControlPlane
Webhook                     Webhook
Exporter                    Exporter
Target Browser              Target Browser
Web (UI)                    Web
Backend (UI)                Web-backend
Ingress-controller          Ingress-controller
Target Validation Job       DataAttacher
Snapshot Job                Metamover
DataUpload Job              Datamover
MetaData Upload Job         Metamover
Retention Job               Backup-retention
Backup Cleaner Job          DataAttacher
Cron Job                    BackupScheduler
Metamover Validation Job    Metamover
Data Restore Job            Datamover
Metamover Restore Job       Metamover
Resource Cleaner Job        ResourceCleaner
Conversion Server Job       ConversionController
Hook Executor Job           Hook-Executor

Job Permissions

The following tables list, per component group, the resources and permissions that TrilioVault for Kubernetes components and jobs access.

ControlPlane/Webhook/Exporter/TargetValidation/BackupCleaner/ResourceCleaner Job/Target Browser/Web-Backend/WebUI/Ingress-Controller

API Group                     Resources/ResourceName                        Verbs
----------------------------  --------------------------------------------  ----------------------------------------
triliovault.trilio.io         *                                             *
*                             *                                             get, list, watch
apiextensions.k8s.io          customresourcedefinitions                     get, list, watch, create
core                          serviceaccounts, services,                    *
                              services/finalizers, events, secrets,
                              persistentvolumeclaims
core                          pods, services, services/finalizers,          get, list, watch
                              endpoints, events, configmaps, secrets
core                          namespaces                                    get, list, watch, create, update
core                          persistentvolumes                             get, list, watch, update
admissionregistration.k8s.io  validatingwebhookconfigurations,              *
                              mutatingwebhookconfigurations
batch                         jobs                                          *
apps                          statefulsets, daemonsets, replicasets,        get, list, watch
                              deployments/finalizers
apps                          deployments                                   get, list, watch, create, update, delete
extensions                    cronjobs                                      *
snapshot.storage.k8s.io       *                                             *
rbac.authorization.k8s.io     clusterroles, clusterrolebindings             *
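The following script is an added example, not TrilioVault code. It encodes a representative subset of the ControlPlane/Webhook rules from the table above as PolicyRule records and flags the grants a cluster administrator should review before binding this role: wildcard read across all API groups, read of Secrets, and write access to RBAC and admission-webhook objects, which is equivalent to cluster-wide control. The risk classification and the helper names are the example's own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    api_groups: tuple
    resources: tuple
    verbs: tuple

# Transcribed from the ControlPlane/Webhook/... table above (a representative subset).
# The table writes the core group as "core"; in a manifest it is the empty string "".
CONTROLPLANE_RULES = [
    Rule(("triliovault.trilio.io",), ("*",), ("*",)),
    Rule(("*",), ("*",), ("get", "list", "watch")),
    Rule(("apiextensions.k8s.io",), ("customresourcedefinitions",), ("get", "list", "watch", "create")),
    Rule(("core",), ("serviceaccounts", "services", "events", "secrets", "persistentvolumeclaims"), ("*",)),
    Rule(("admissionregistration.k8s.io",),
         ("validatingwebhookconfigurations", "mutatingwebhookconfigurations"), ("*",)),
    Rule(("rbac.authorization.k8s.io",), ("clusterroles", "clusterrolebindings"), ("*",)),
]

WRITE_VERBS = {"*", "create", "update", "patch", "delete", "deletecollection"}
READ_VERBS = {"*", "get", "list", "watch"}

# Write access to these is equivalent to cluster-admin or to control over admission.
# The reasons are this example's own classification, not a statement from the page.
ESCALATION_WRITE = {
    ("rbac.authorization.k8s.io", "clusterrolebindings"): "can bind any ClusterRole, including cluster-admin",
    ("rbac.authorization.k8s.io", "clusterroles"): "can widen its own ClusterRole",
    ("admissionregistration.k8s.io", "mutatingwebhookconfigurations"): "can rewrite every admitted object",
    ("admissionregistration.k8s.io", "validatingwebhookconfigurations"): "can disable admission policy",
    ("core", "pods/exec"): "command execution inside pods",
}

def risky_grants(rules):
    """Return (api_group, resource, reason) for each grant that warrants review."""
    findings = []
    for rule in rules:
        verbs = set(rule.verbs)
        can_write = bool(verbs & WRITE_VERBS)
        can_read = bool(verbs & READ_VERBS)
        for group in rule.api_groups:
            for res in rule.resources:
                if group == "*" and res == "*":
                    findings.append((group, res, "every resource in every API group"))
                elif (group, res) == ("core", "secrets") and can_read:
                    findings.append((group, res, "reads every Secret in scope"))
                elif (group, res) in ESCALATION_WRITE and can_write:
                    findings.append((group, res, ESCALATION_WRITE[(group, res)]))
    return findings
```

Calling `risky_grants(CONTROLPLANE_RULES)` returns six findings for the subset above; the product-specific `triliovault.trilio.io` wildcard is deliberately not flagged because it is scoped to the operator's own API group.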

Snapshot/MetaData Upload/Data Upload Job/Hook Execution Job/Retention Job

API Group                     Resources/ResourceName                        Verbs
----------------------------  --------------------------------------------  ----------------------------------------
triliovault.trilio.io         *                                             *
*                             *                                             get, list, watch
apiextensions.k8s.io          customresourcedefinitions                     get, list, watch
core                          pods, pods/log, pods/exec, services,          get, list, watch
                              services/finalizers, endpoints, events,
                              configmaps, secrets, persistentvolumeclaims,
                              serviceaccounts
apps                          statefulsets, daemonsets, replicasets,        get, list, watch
                              deployments, deployments/finalizers
security.openshift.io         securitycontextconstraints                    use
                              (resourceName: privileged)

Metamover Validation/Data Restore/Metamover Restore Job/Hook Execution Job

API Group                     Resources/ResourceName                        Verbs
----------------------------  --------------------------------------------  ----------------------------------------
triliovault.trilio.io         *                                             *
*                             *                                             get, list, watch, create, patch
apiextensions.k8s.io          customresourcedefinitions                     get, list, watch, create, patch
core                          pods, pods/log, pods/exec, services,          get, list, watch, create, patch
                              services/finalizers, endpoints, events,
                              configmaps, secrets, persistentvolumeclaims,
                              serviceaccounts
apps                          statefulsets, daemonsets, replicasets,        get, list, watch, create, patch
                              deployments, deployments/finalizers
security.openshift.io         securitycontextconstraints                    use
                              (resourceName: privileged)

Conversion Server

API Group                     Resources/ResourceName                        Verbs
----------------------------  --------------------------------------------  ----------------------------------------
apiextensions.k8s.io          customresourcedefinitions                     get, list, watch, patch, update
core                          secrets                                       get, list, watch, patch, update

Security Context or Security Policy Definitions

Privileged SCC

Name: privileged
Priority: <none>
Access:
  Users:
  Groups:
Settings:
  Allow Privileged: true
  Allow Privilege Escalation: true
  Default Add Capabilities: <none>
  Required Drop Capabilities: <none>
  Allowed Capabilities: *
  Allowed Seccomp Profiles: *
  Allowed Volume Types: *
  Allowed Flexvolumes: <all>
  Allowed Unsafe Sysctls: *
  Forbidden Sysctls: <none>
  Allow Host Network: true
  Allow Host Ports: true
  Allow Host PID: true
  Allow Host IPC: true
  Read Only Root Filesystem: false
  Run As User Strategy: RunAsAny
    UID: <none>
    UID Range Min: <none>
    UID Range Max: <none>
  SELinux Context Strategy: RunAsAny
    User: <none>
    Role: <none>
    Type: <none>
    Level: <none>
  FSGroup Strategy: RunAsAny
    Ranges: <none>
  Supplemental Groups Strategy: RunAsAny
    Ranges: <none>

Restricted SCC

Name: restricted
Priority: <none>
Access:
  Users: <none>
  Groups: system:authenticated
Settings:
  Allow Privileged: false
  Allow Privilege Escalation: true
  Default Add Capabilities: <none>
  Required Drop Capabilities: KILL,MKNOD,SETUID,SETGID
  Allowed Capabilities: <none>
  Allowed Seccomp Profiles: <none>
  Allowed Volume Types: configMap,downwardAPI,emptyDir,persistentVolumeClaim,projected,secret
  Allowed Flexvolumes: <all>
  Allowed Unsafe Sysctls: <none>
  Forbidden Sysctls: <none>
  Allow Host Network: false
  Allow Host Ports: false
  Allow Host PID: false
  Allow Host IPC: false
  Read Only Root Filesystem: false
  Run As User Strategy: MustRunAsRange
    UID: <none>
    UID Range Min: <none>
    UID Range Max: <none>
  SELinux Context Strategy: MustRunAs
    User: <none>
    Role: <none>
    Type: <none>
    Level: <none>
  FSGroup Strategy: MustRunAs
    Ranges: <none>
  Supplemental Groups Strategy: RunAsAny
    Ranges: <none>

Pod                      Type         SCC/PSP      Specific Capability
-----------------------  -----------  -----------  ---------------------------
Control-plane            Deploy time  Restricted   KILL, AUDIT_WRITE
Webhook                  Deploy time  Restricted   KILL, AUDIT_WRITE
Exporter                 Deploy time  Restricted   KILL, AUDIT_WRITE
Metamover                Run-time     Privileged   *
Datamover                Run-time     Privileged   *
DataAttacher             Run-time     Privileged   *
BackupScheduler          Run-time     Restricted   KILL, AUDIT_WRITE
ResourceCleaner          Run-time     Restricted   KILL, AUDIT_WRITE
Conversion Deployment    Run-time     Restricted   KILL, AUDIT_WRITE
Target Browser           Run-time     Privileged   *
WebUI                    Deploy time  Restricted   KILL, AUDIT_WRITE
WebBackend               Deploy time  Restricted   KILL, AUDIT_WRITE
HookExecutor             Run-time     Restricted   KILL, AUDIT_WRITE
IngressController        Deploy time  Privileged   SYS_ADMIN, NET_BIND_SERVICE
Retention                Run-time     Privileged   *