T4K Pod/Job Capabilities

This page covers the permissions for Trilio pods and jobs.

T4K Application :

OperationPrivileged / AllowPrivilegeEscalationRunAsUser / RunAsNonRootReadOnlyRootFilesystemCapabilitiesOriginal Kind

Admission-webhook

false, false

1001, true

true

KILL, AUDIT_WRITE

Deployment

Webhook-init

false, false

1001, true

true

KILL, AUDIT_WRITE

Deployment

Control Plane

false, false

1001, true

true

KILL, AUDIT_WRITE

Deployment

Analyzer

false, false

1001, true

true

KILL, AUDIT_WRITE

Deployment

Exporter

false, false

1001, true

true

KILL, AUDIT_WRITE

Deployment

Ingress-nginx-controller

false, true

101, true

false

NET_BIND_SERVICE

Deployment

Web

false, false

1001, true

true

KILL, AUDIT_WRITE

Deployment

Web Backend

false, false

1001, true

true

KILL, AUDIT_WRITE

Deployment

Dex

false, false

1001, true

true

KILL, AUDIT_WRITE

Deployment

Dex-Init

false, false

1001, true

true

KILL, AUDIT_WRITE

Deployment

Manager

For NFS target - false, false For ObjectStore target - true, true

0, false

true

KILL, AUDIT_WRITE

Deployment

Syncer

For NFS target - false, false For ObjectStore target - true, true

0, false

true

KILL, AUDIT_WRITE

Deployment

Watcher

For NFS target - false, false For ObjectStore target - true, true

For NFS target - 1001, true For ObjectStore target - 0, false

false

CHOWN,FOWNER,DAC_OVERRIDE,SETGID,SETUID

Deployment

Continuous Restore Service

For NFS target - false, false For ObjectStore target - true, true

For NFS target - 1001, true For ObjectStore target - 0, false

false

CHOWN,FOWNER,DAC_OVERRIDE,SETGID,SETUID

Deployment

Continuous Restore Responder

For NFS target - false, false For ObjectStore target - true, true

For NFS target - 1001, true For ObjectStore target - 0, false

false

CHOWN,FOWNER,DAC_OVERRIDE,SETGID,SETUID

Deployment

Resource Cleaner

false, false

1001, true

true

KILL, AUDIT_WRITE

Job

Target :

OperationPrivileged / AllowPrivilegeEscalationRunAsUser / RunAsNonRootReadOnlyRootFilesystemCapabilitiesHas data-attacherOriginal Kind

Validator

For NFS target - false, false For ObjectStore target - true, true

0, false

true

AUDIT_WRITE,KILL

true

Job

Target Browser

For NFS target - true, true For ObjectStore target - true, true

0, false

true

CHOWN,FOWNER,DAC_OVERRIDE,SETGID,SETUID

true

Deployment

BackupPlan / ClusterBackupPlan :

OperationPrivileged / AllowPrivilegeEscalationRunAsUser / RunAsNonRootReadOnlyRootFilesystemCapabilitiesHas data-attacherOriginal Kind

Backup / ClusterBackup Scheduler

false, false

1001, true

true

KILL, AUDIT_WRITE

false

Job

Backup :

OperationPrivileged / AllowPrivilegeEscalationRunAsUser / RunAsNonRootReadOnlyRootFilesystemCapabilitiesHas data-attacherOriginal Kind

Snapshotting

For NFS target - false, false For ObjectStore target - true, true

0, false

true

CHOWN,FOWNER,DAC_OVERRIDE,SETGID,SETUID

true

Job

Image Backup

For NFS target - false, false For ObjectStore target - true, true

0, false

true

T4K 3.0.3 onwards:

CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID

T4K < 3.0.3:

For NFS target - CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID For ObjectStore target - SYS_ADMIN

true

Job

Metadata Upload

For NFS target - false, false For ObjectStore target - true, true

0, false

true

CHOWN,FOWNER,DAC_OVERRIDE,SETUID,SETGID

true

Job

Retention

For NFS target - false, false For ObjectStore target - true, true

0, false

true

CHOWN,FOWNER,DAC_OVERRIDE,SETUID,SETGID

true

Job

Data Upload

For NFS target - false, false For ObjectStore target - true, true

0, false

true

T4K 3.0.3 onwards:

CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID

T4K < 3.0.3:

For NFS target - CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID For ObjectStore target - SYS_ADMIN

true

Job

Quiesce

false, false

1001, true

true

KILL, AUDIT_WRITE

false

Job

Unquiesce

false, false

1001, true

true

KILL, AUDIT_WRITE

false

Job

Cleaner

For NFS target - false, false For ObjectStore target - true, true

0, false

true

KILL, AUDIT_WRITE

true

Job

Restore :

OperationPrivileged / AllowPrivilegeEscalationRunAsUser / RunAsNonRootReadOnlyRootFilesystemCapabilitiesHas data-attacherOriginal Kind

Metadata Validation

For NFS target - false, false For ObjectStore target - true, true

0, false

true

CHOWN,FOWNER,DAC_OVERRIDE,SETUID,SETGID

true

Job

Metadata Restore

For NFS target - false, false For ObjectStore target - true, true

0, false

true

CHOWN,FOWNER,DAC_OVERRIDE,SETUID,SETGID

true

Job

Add Protection

For NFS target - false, false For ObjectStore target - true, true

0, false

true

CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID

true

Job

Data Owner Update

false, false

1001, true

true

CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID

true

Job

Data Restore

For NFS target - false, false For ObjectStore target - true, true

0, false

true

T4K 3.0.3 onwards:

CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID

T4K < 3.0.3:

For NFS target - CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID For ObjectStore target - SYS_ADMIN

true

Job

Quiesce

false, false

1001, true

true

KILL, AUDIT_WRITE

false

Job

Cleanup

false, false

1001, true

true

KILL, AUDIT_WRITE

false

Job

ClusterRestore :

OperationPrivileged / AllowPrivilegeEscalationRunAsUser / RunAsNonRootReadOnlyRootFilesystemCapabilitiesHas data-attacherOriginal Kind

Pre Cluster Restore

For NFS target - false, false For ObjectStore target - true, true

For NFS target - 1001, true For ObjectStore target - 0, false

true

CHOWN,FOWNER,DAC_OVERRIDE,SETUID,SETGID

true

Job

Cleanup

false, false

1001, true

true

KILL, AUDIT_WRITE

false

Job

ConsistentSet:

OperationPrivileged / AllowPrivilegeEscalationRunAsUser / RunAsNonRootReadOnlyRootFilesystemCapabilitiesHas data-attacherOriginal Kind

Pre Consistent Set

For NFS target - false, false For ObjectStore target - true, true

For NFS target - 1001, true For ObjectStore target - 0, false

true

CHOWN,FOWNER,DAC_OVERRIDE,SETUID,SETGID

true

Job

Data Restore

For NFS target - false, false For ObjectStore target - true, true

For NFS target - 1001, true For ObjectStore target - 0, false

true

CHOWN,FOWNER,DAC_OVERRIDE,SETUID,SETGID

true

Job

Last updated