# T4K Pod/Job Capabilities
> Note: Privilege escalation for T4K components is limited to the `trilio-system` namespace and is required for the Data Upload and Metadata Upload states.
#### T4K Application :
| Operation | Privileged / AllowPrivilegeEscalation | RunAsUser / RunAsNonRoot | ReadOnlyRootFilesystem | Capabilities | Original Kind |
| ------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------- | ---------------------- | ---------------------------------------- | -------------- |
| Control Plane | false, false | 1001, true | true | KILL, AUDIT\_WRITE | Deployment |
| Webhook-init | false, false | 1001, true | true | KILL, AUDIT\_WRITE | Deployment |
| Exporter | false, false | 1001, true | true | KILL, AUDIT\_WRITE | Deployment |
| Ingress-nginx-controller | false, true | 101, true | false | NET\_BIND\_SERVICE | Deployment |
| Web | false, false | 1001, true | true | KILL, AUDIT\_WRITE | Deployment |
| Web Backend | false, false | 1001, true | true | KILL, AUDIT\_WRITE | Deployment |
| Dex | false, false | 1001, true | true | KILL, AUDIT\_WRITE | Deployment |
| Dex-Init | false, false | 1001, true | true | KILL, AUDIT\_WRITE | Deployment |
| Manager | For NFS target - false, false
For ObjectStore target - true, true
| 0, false | true | KILL, AUDIT\_WRITE | Deployment |
| Syncer | For NFS target - false, false
For ObjectStore target - true, true
| 0, false | true | KILL, AUDIT\_WRITE | Deployment |
| Watcher | For NFS target - false, false
For ObjectStore target - true, true
| For NFS target - 1001, true
For ObjectStore target - 0, false
| false | CHOWN,FOWNER,DAC\_OVERRIDE,SETGID,SETUID | Deployment |
| Continuous Restore Service | For NFS target - false, false
For ObjectStore target - true, true
| For NFS target - 1001, true
For ObjectStore target - 0, false
| false | CHOWN,FOWNER,DAC\_OVERRIDE,SETGID,SETUID | Deployment |
| Continuous Restore Responder | For NFS target - false, false
For ObjectStore target - true, true
| For NFS target - 1001, true
For ObjectStore target - 0, false
| false | CHOWN,FOWNER,DAC\_OVERRIDE,SETGID,SETUID | Deployment |
| Resource Cleaner | false, false | 1001, true | true | KILL, AUDIT\_WRITE | Job |
| Admission-webhook
(NA from 5.0.3)
| ~~false, false~~ | ~~1001, true~~ | ~~true~~ | ~~KILL, AUDIT\_WRITE~~ | ~~Deployment~~ |
| Analyzer
(NA from 5.0.3)
| ~~false, false~~ | ~~1001, true~~ | ~~true~~ | ~~KILL, AUDIT\_WRITE~~ | ~~Deployment~~ |
#### Target :
| Operation | Privileged / AllowPrivilegeEscalation | RunAsUser / RunAsNonRoot | ReadOnlyRootFilesystem | Capabilities | Has data-attacher | Original Kind |
| -------------- | ----------------------------------------------------------------------------------------------------------------- | ------------------------ | ---------------------- | ---------------------------------------- | ----------------- | ------------- |
| Validator | For NFS target - false, false
For ObjectStore target - true, true
| 0, false | true | AUDIT\_WRITE,KILL | true | Job |
| Target Browser | For NFS target - true, true
For ObjectStore target - true, true
| 0, false | true | CHOWN,FOWNER,DAC\_OVERRIDE,SETGID,SETUID | true | Deployment |
#### BackupPlan / ClusterBackupPlan :
| Operation | Privileged / AllowPrivilegeEscalation | RunAsUser / RunAsNonRoot | ReadOnlyRootFilesystem | Capabilities | Has data-attacher | Original Kind |
| -------------------------------- | ------------------------------------- | ------------------------ | ---------------------- | ------------------ | ----------------- | ------------- |
| Backup / ClusterBackup Scheduler | false, false | 1001, true | true | KILL, AUDIT\_WRITE | false | Job |
#### Backup :
| Operation | Privileged / AllowPrivilegeEscalation | RunAsUser / RunAsNonRoot | ReadOnlyRootFilesystem | Capabilities | Has data-attacher | Original Kind |
| --------------- | ----------------------------------------------------------------------------------------------------------------- | ------------------------ | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | ------------- |
| Snapshotting | For NFS target - false, false
For ObjectStore target - true, true
| 0, false | true | CHOWN,FOWNER,DAC\_OVERRIDE,SETGID,SETUID | true | Job |
| Image Backup | For NFS target - false, false
For ObjectStore target - true, true
| 0, false | true | T4K 3.0.3 onwards:
CHOWN, FOWNER, DAC\_OVERRIDE, SETGID, SETUID
T4K < 3.0.3:
For NFS target - CHOWN, FOWNER, DAC\_OVERRIDE, SETGID, SETUID
For ObjectStore target - SYS\_ADMIN
| true | Job |
| Metadata Upload | For NFS target - false, false
For ObjectStore target - true, true
| 0, false | true | CHOWN,FOWNER,DAC\_OVERRIDE,SETUID,SETGID | true | Job |
| Retention | For NFS target - false, false
For ObjectStore target - true, true
| 0, false | true | CHOWN,FOWNER,DAC\_OVERRIDE,SETUID,SETGID | true | Job |
| Data Upload | For NFS target - false, false
For ObjectStore target - true, true
| 0, false | true | T4K 3.0.3 onwards:
CHOWN, FOWNER, DAC\_OVERRIDE, SETGID, SETUID
T4K < 3.0.3:
For NFS target - CHOWN, FOWNER, DAC\_OVERRIDE, SETGID, SETUID
For ObjectStore target - SYS\_ADMIN
| true | Job |
| Quiesce | false, false | 1001, true | true | KILL, AUDIT\_WRITE | false | Job |
| Unquiesce | false, false | 1001, true | true | KILL, AUDIT\_WRITE | false | Job |
| Cleaner | For NFS target - false, false
For ObjectStore target - true, true
| 0, false | true | KILL, AUDIT\_WRITE | true | Job |
#### Restore :
| Operation | Privileged / AllowPrivilegeEscalation | RunAsUser / RunAsNonRoot | ReadOnlyRootFilesystem | Capabilities | Has data-attacher | Original Kind |
| ------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------------------ | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | ------------- |
| Metadata Validation | For NFS target - false, false
For ObjectStore target - true, true
| 0, false | true | CHOWN,FOWNER,DAC\_OVERRIDE,SETUID,SETGID | true | Job |
| Metadata Restore | For NFS target - false, false
For ObjectStore target - true, true
| 0, false | true | CHOWN,FOWNER,DAC\_OVERRIDE,SETUID,SETGID | true | Job |
| Add Protection | For NFS target - false, false
For ObjectStore target - true, true
| 0, false | true | CHOWN, FOWNER, DAC\_OVERRIDE, SETGID, SETUID | true | Job |
| Data Owner Update | false, false | 1001, true | true | CHOWN, FOWNER, DAC\_OVERRIDE, SETGID, SETUID | true | Job |
| Data Restore | For NFS target - false, false
For ObjectStore target - true, true
| 0, false | true | T4K 3.0.3 onwards:
CHOWN, FOWNER, DAC\_OVERRIDE, SETGID, SETUID
T4K < 3.0.3:
For NFS target - CHOWN, FOWNER, DAC\_OVERRIDE, SETGID, SETUID
For ObjectStore target - SYS\_ADMIN
| true | Job |
| Quiesce | false, false | 1001, true | true | KILL, AUDIT\_WRITE | false | Job |
| Cleanup | false, false | 1001, true | true | KILL, AUDIT\_WRITE | false | Job |
#### ClusterRestore :
| Operation | Privileged / AllowPrivilegeEscalation | RunAsUser / RunAsNonRoot | ReadOnlyRootFilesystem | Capabilities | Has data-attacher | Original Kind |
| ------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------- | ---------------------- | ---------------------------------------- | ----------------- | ------------- |
| Pre Cluster Restore | For NFS target - false, false
For ObjectStore target - true, true
| For NFS target - 1001, true
For ObjectStore target - 0, false
| true | CHOWN,FOWNER,DAC\_OVERRIDE,SETUID,SETGID | true | Job |
| Cleanup | false, false | 1001, true | true | KILL, AUDIT\_WRITE | false | Job |
#### ConsistentSet:
| Operation | Privileged / AllowPrivilegeEscalation | RunAsUser / RunAsNonRoot | ReadOnlyRootFilesystem | Capabilities | Has data-attacher | Original Kind |
| ------------------ | ----------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------- | ---------------------- | ---------------------------------------- | ----------------- | ------------- |
| Pre Consistent Set | For NFS target - false, false
For ObjectStore target - true, true
| For NFS target - 1001, true
For ObjectStore target - 0, false
| true | CHOWN,FOWNER,DAC\_OVERRIDE,SETUID,SETGID | true | Job |
| Data Restore | For NFS target - false, false
For ObjectStore target - true, true
| For NFS target - 1001, true
For ObjectStore target - 0, false
| true | CHOWN,FOWNER,DAC\_OVERRIDE,SETUID,SETGID | true | Job |