T4K Pod/Job Capabilities

This page covers the permissions for Trilio pods and jobs.

T4K Application :

Operation	Privileged / AllowPrivilegeEscalation	RunAsUser / RunAsNonRoot	ReadOnlyRootFilesystem	Capabilities	Original Kind
Admission-webhook	false, false	1001, true	true	KILL, AUDIT_WRITE	Deployment
Webhook-init	false, false	1001, true	true	KILL, AUDIT_WRITE	Deployment
Control Plane	false, false	1001, true	true	KILL, AUDIT_WRITE	Deployment
Analyzer	false, false	1001, true	true	KILL, AUDIT_WRITE	Deployment
Exporter	false, false	1001, true	true	KILL, AUDIT_WRITE	Deployment
Ingress-nginx-controller	false, true	101, true	false	NET_BIND_SERVICE	Deployment
Web	false, false	1001, true	true	KILL, AUDIT_WRITE	Deployment
Web Backend	false, false	1001, true	true	KILL, AUDIT_WRITE	Deployment
Dex	false, false	1001, true	true	KILL, AUDIT_WRITE	Deployment
Dex-Init	false, false	1001, true	true	KILL, AUDIT_WRITE	Deployment
Manager	For NFS target - false, false For ObjectStore target - true, true	0, false	true	KILL, AUDIT_WRITE	Deployment
Syncer	For NFS target - false, false For ObjectStore target - true, true	0, false	true	KILL, AUDIT_WRITE	Deployment
Watcher	For NFS target - false, false For ObjectStore target - true, true	For NFS target - 1001, true For ObjectStore target - 0, false	false	CHOWN,FOWNER,DAC_OVERRIDE,SETGID,SETUID	Deployment
Continuous Restore Service	For NFS target - false, false For ObjectStore target - true, true	For NFS target - 1001, true For ObjectStore target - 0, false	false	CHOWN,FOWNER,DAC_OVERRIDE,SETGID,SETUID	Deployment
Continuous Restore Responder	For NFS target - false, false For ObjectStore target - true, true	For NFS target - 1001, true For ObjectStore target - 0, false	false	CHOWN,FOWNER,DAC_OVERRIDE,SETGID,SETUID	Deployment
Resource Cleaner	false, false	1001, true	true	KILL, AUDIT_WRITE	Job

Operation

Privileged / AllowPrivilegeEscalation

RunAsUser / RunAsNonRoot

ReadOnlyRootFilesystem

Capabilities

Original Kind

Admission-webhook

false, false

1001, true

true

KILL, AUDIT_WRITE

Deployment

Webhook-init

false, false

1001, true

true

KILL, AUDIT_WRITE

Deployment

Control Plane

false, false

1001, true

true

KILL, AUDIT_WRITE

Deployment

Analyzer

false, false

1001, true

true

KILL, AUDIT_WRITE

Deployment

Exporter

false, false

1001, true

true

KILL, AUDIT_WRITE

Deployment

Ingress-nginx-controller

false, true

101, true

false

NET_BIND_SERVICE

Deployment

Web

false, false

1001, true

true

KILL, AUDIT_WRITE

Deployment

Web Backend

false, false

1001, true

true

KILL, AUDIT_WRITE

Deployment

Dex

false, false

1001, true

true

KILL, AUDIT_WRITE

Deployment

Dex-Init

false, false

1001, true

true

KILL, AUDIT_WRITE

Deployment

Manager

For NFS target - false, false For ObjectStore target - true, true

0, false

true

KILL, AUDIT_WRITE

Deployment

Syncer

For NFS target - false, false For ObjectStore target - true, true

0, false

true

KILL, AUDIT_WRITE

Deployment

Watcher

For NFS target - false, false For ObjectStore target - true, true

For NFS target - 1001, true For ObjectStore target - 0, false

false

CHOWN,FOWNER,DAC_OVERRIDE,SETGID,SETUID

Deployment

Continuous Restore Service

For NFS target - false, false For ObjectStore target - true, true

For NFS target - 1001, true For ObjectStore target - 0, false

false

CHOWN,FOWNER,DAC_OVERRIDE,SETGID,SETUID

Deployment

Continuous Restore Responder

For NFS target - false, false For ObjectStore target - true, true

For NFS target - 1001, true For ObjectStore target - 0, false

false

CHOWN,FOWNER,DAC_OVERRIDE,SETGID,SETUID

Deployment

Resource Cleaner

false, false

1001, true

true

KILL, AUDIT_WRITE

Job

Target :

Operation	Privileged / AllowPrivilegeEscalation	RunAsUser / RunAsNonRoot	ReadOnlyRootFilesystem	Capabilities	Has data-attacher	Original Kind
Validator	For NFS target - false, false For ObjectStore target - true, true	0, false	true	AUDIT_WRITE,KILL	true	Job
Target Browser	For NFS target - true, true For ObjectStore target - true, true	0, false	true	CHOWN,FOWNER,DAC_OVERRIDE,SETGID,SETUID	true	Deployment

Operation

Privileged / AllowPrivilegeEscalation

RunAsUser / RunAsNonRoot

ReadOnlyRootFilesystem

Capabilities

Has data-attacher

Original Kind

Validator

For NFS target - false, false For ObjectStore target - true, true

0, false

true

AUDIT_WRITE,KILL

true

Job

Target Browser

For NFS target - true, true For ObjectStore target - true, true

0, false

true

CHOWN,FOWNER,DAC_OVERRIDE,SETGID,SETUID

true

Deployment

BackupPlan / ClusterBackupPlan :

Operation	Privileged / AllowPrivilegeEscalation	RunAsUser / RunAsNonRoot	ReadOnlyRootFilesystem	Capabilities	Has data-attacher	Original Kind
Backup / ClusterBackup Scheduler	false, false	1001, true	true	KILL, AUDIT_WRITE	false	Job

Operation

Privileged / AllowPrivilegeEscalation

RunAsUser / RunAsNonRoot

ReadOnlyRootFilesystem

Capabilities

Has data-attacher

Original Kind

Backup / ClusterBackup Scheduler

false, false

1001, true

true

KILL, AUDIT_WRITE

false

Job

Backup :

Operation	Privileged / AllowPrivilegeEscalation	RunAsUser / RunAsNonRoot	ReadOnlyRootFilesystem	Capabilities	Has data-attacher	Original Kind
Snapshotting	For NFS target - false, false For ObjectStore target - true, true	0, false	true	CHOWN,FOWNER,DAC_OVERRIDE,SETGID,SETUID	true	Job
Image Backup	For NFS target - false, false For ObjectStore target - true, true	0, false	true	T4K 3.0.3 onwards: CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID T4K < 3.0.3: For NFS target - CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID For ObjectStore target - SYS_ADMIN	true	Job
Metadata Upload	For NFS target - false, false For ObjectStore target - true, true	0, false	true	CHOWN,FOWNER,DAC_OVERRIDE,SETUID,SETGID	true	Job
Retention	For NFS target - false, false For ObjectStore target - true, true	0, false	true	CHOWN,FOWNER,DAC_OVERRIDE,SETUID,SETGID	true	Job
Data Upload	For NFS target - false, false For ObjectStore target - true, true	0, false	true	T4K 3.0.3 onwards: CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID T4K < 3.0.3: For NFS target - CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID For ObjectStore target - SYS_ADMIN	true	Job
Quiesce	false, false	1001, true	true	KILL, AUDIT_WRITE	false	Job
Unquiesce	false, false	1001, true	true	KILL, AUDIT_WRITE	false	Job
Cleaner	For NFS target - false, false For ObjectStore target - true, true	0, false	true	KILL, AUDIT_WRITE	true	Job

Operation

Privileged / AllowPrivilegeEscalation

RunAsUser / RunAsNonRoot

ReadOnlyRootFilesystem

Capabilities

Has data-attacher

Original Kind

Snapshotting

For NFS target - false, false For ObjectStore target - true, true

0, false

true

CHOWN,FOWNER,DAC_OVERRIDE,SETGID,SETUID

true

Job

Image Backup

For NFS target - false, false For ObjectStore target - true, true

0, false

true

T4K 3.0.3 onwards:

CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID

T4K < 3.0.3:

For NFS target - CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID For ObjectStore target - SYS_ADMIN

true

Job

Metadata Upload

For NFS target - false, false For ObjectStore target - true, true

0, false

true

CHOWN,FOWNER,DAC_OVERRIDE,SETUID,SETGID

true

Job

Retention

For NFS target - false, false For ObjectStore target - true, true

0, false

true

CHOWN,FOWNER,DAC_OVERRIDE,SETUID,SETGID

true

Job

Data Upload

For NFS target - false, false For ObjectStore target - true, true

0, false

true

T4K 3.0.3 onwards:

CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID

T4K < 3.0.3:

For NFS target - CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID For ObjectStore target - SYS_ADMIN

true

Job

Quiesce

false, false

1001, true

true

KILL, AUDIT_WRITE

false

Job

Unquiesce

false, false

1001, true

true

KILL, AUDIT_WRITE

false

Job

Cleaner

For NFS target - false, false For ObjectStore target - true, true

0, false

true

KILL, AUDIT_WRITE

true

Job

Restore :

Operation	Privileged / AllowPrivilegeEscalation	RunAsUser / RunAsNonRoot	ReadOnlyRootFilesystem	Capabilities	Has data-attacher	Original Kind
Metadata Validation	For NFS target - false, false For ObjectStore target - true, true	0, false	true	CHOWN,FOWNER,DAC_OVERRIDE,SETUID,SETGID	true	Job
Metadata Restore	For NFS target - false, false For ObjectStore target - true, true	0, false	true	CHOWN,FOWNER,DAC_OVERRIDE,SETUID,SETGID	true	Job
Add Protection	For NFS target - false, false For ObjectStore target - true, true	0, false	true	CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID	true	Job
Data Owner Update	false, false	1001, true	true	CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID	true	Job
Data Restore	For NFS target - false, false For ObjectStore target - true, true	0, false	true	T4K 3.0.3 onwards: CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID T4K < 3.0.3: For NFS target - CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID For ObjectStore target - SYS_ADMIN	true	Job
Quiesce	false, false	1001, true	true	KILL, AUDIT_WRITE	false	Job
Cleanup	false, false	1001, true	true	KILL, AUDIT_WRITE	false	Job

Operation

Privileged / AllowPrivilegeEscalation

RunAsUser / RunAsNonRoot

ReadOnlyRootFilesystem

Capabilities

Has data-attacher

Original Kind

Metadata Validation

For NFS target - false, false For ObjectStore target - true, true

0, false

true

CHOWN,FOWNER,DAC_OVERRIDE,SETUID,SETGID

true

Job

Metadata Restore

For NFS target - false, false For ObjectStore target - true, true

0, false

true

CHOWN,FOWNER,DAC_OVERRIDE,SETUID,SETGID

true

Job

Add Protection

For NFS target - false, false For ObjectStore target - true, true

0, false

true

CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID

true

Job

Data Owner Update

false, false

1001, true

true

CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID

true

Job

Data Restore

For NFS target - false, false For ObjectStore target - true, true

0, false

true

T4K 3.0.3 onwards:

CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID

T4K < 3.0.3:

For NFS target - CHOWN, FOWNER, DAC_OVERRIDE, SETGID, SETUID For ObjectStore target - SYS_ADMIN

true

Job

Quiesce

false, false

1001, true

true

KILL, AUDIT_WRITE

false

Job

Cleanup

false, false

1001, true

true

KILL, AUDIT_WRITE

false

Job

ClusterRestore :

Operation	Privileged / AllowPrivilegeEscalation	RunAsUser / RunAsNonRoot	ReadOnlyRootFilesystem	Capabilities	Has data-attacher	Original Kind
Pre Cluster Restore	For NFS target - false, false For ObjectStore target - true, true	For NFS target - 1001, true For ObjectStore target - 0, false	true	CHOWN,FOWNER,DAC_OVERRIDE,SETUID,SETGID	true	Job
Cleanup	false, false	1001, true	true	KILL, AUDIT_WRITE	false	Job

Operation

Privileged / AllowPrivilegeEscalation

RunAsUser / RunAsNonRoot

ReadOnlyRootFilesystem

Capabilities

Has data-attacher

Original Kind

Pre Cluster Restore

For NFS target - false, false For ObjectStore target - true, true

For NFS target - 1001, true For ObjectStore target - 0, false

true

CHOWN,FOWNER,DAC_OVERRIDE,SETUID,SETGID

true

Job

Cleanup

false, false

1001, true

true

KILL, AUDIT_WRITE

false

Job

ConsistentSet:

Operation	Privileged / AllowPrivilegeEscalation	RunAsUser / RunAsNonRoot	ReadOnlyRootFilesystem	Capabilities	Has data-attacher	Original Kind
Pre Consistent Set	For NFS target - false, false For ObjectStore target - true, true	For NFS target - 1001, true For ObjectStore target - 0, false	true	CHOWN,FOWNER,DAC_OVERRIDE,SETUID,SETGID	true	Job
Data Restore	For NFS target - false, false For ObjectStore target - true, true	For NFS target - 1001, true For ObjectStore target - 0, false	true	CHOWN,FOWNER,DAC_OVERRIDE,SETUID,SETGID	true	Job

Operation

Privileged / AllowPrivilegeEscalation

RunAsUser / RunAsNonRoot

ReadOnlyRootFilesystem

Capabilities

Has data-attacher

Original Kind

Pre Consistent Set

For NFS target - false, false For ObjectStore target - true, true

For NFS target - 1001, true For ObjectStore target - 0, false

true

CHOWN,FOWNER,DAC_OVERRIDE,SETUID,SETGID

true

Job

Data Restore

For NFS target - false, false For ObjectStore target - true, true

For NFS target - 1001, true For ObjectStore target - 0, false

true

CHOWN,FOWNER,DAC_OVERRIDE,SETUID,SETGID

true

Job

PreviousUninstall NextResource Quotas