Resources and Permissions
This page describes the different resources that Trilio for Kubernetes (T4K) accesses within the Kubernetes cluster, including the mapping of jobs to pods and the RBAC permissions required by each.
Job to Pod Mapping
The table below shows the translation of T4K Jobs to their corresponding container images or Pods.
| T4K Job | Container image / Pod |
| --- | --- |
| ControlPlane | ControlPlane |
| Webhook | Webhook |
| Exporter | Exporter |
| Target Validation Job | DataAttacher |
| Snapshot Job | Metamover |
| DataUpload Job | Datamover |
| MetaData Upload Job | Metamover |
| Retention Job | Alpine image (TBD) |
| Backup Cleaner Job | DataAttacher |
| Cron Job | BackupScheduler |
| Metamover Validation Job | Metamover |
| Data Restore Job | Datamover |
| Metamover Restore Job | Metamover |
| Resource Cleaner Job | ResourceCleaner |
| Conversion Server Job | ConversionController |
Job Permissions
The following tabs list the resources and permissions that T4K components and jobs require.
| API Group | Resources | Permissions |
| --- | --- | --- |
| triliovault.trilio.io | * | * |
| * | * | get, list, watch |
| apiextensions.k8s.io | customresourcedefinitions | get, list, watch, create |
| core | serviceaccounts, services, services/finalizers, events, secrets, persistentvolumeclaims | * |
| core | pods, services, services/finalizers, endpoints, events, configmaps, secrets | get, list, watch |
| core | namespaces | get, list, watch, create, update |
| core | persistentvolumes | get, list, watch, update |
| admissionregistration.k8s.io | validatingwebhookconfigurations, mutatingwebhookconfigurations | * |
| batch | job | * |
| apps | statefulsets, daemonsets, replicasets, deployments/finalizers | get, list, watch |
| apps | deployments | get, list, watch, create, update, delete |
| extensions | cronjobs | * |
| snapshot.storage.k8s.io | * | * |
| rbac.authorization.k8s.io | clusterrole, clusterrolebindings | * |

| API Group | Resources | Permissions |
| --- | --- | --- |
| triliovault.trilio.io | * | * |
| * | * | get, list, watch |
| apiextensions.k8s.io | customresourcedefinitions | get, list, watch |
| core | pods, services, services/finalizers, endpoints, events, configmaps, secrets, persistentvolumeclaims, serviceaccounts | get, list, watch |
| apps | statefulsets, daemonsets, replicasets, deployments, deployments/finalizers | get, list, watch |
| security.openshift.io | securitycontextconstraints, privileged | use |

| API Group | Resources | Permissions |
| --- | --- | --- |
| triliovault.trilio.io | * | * |
| * | * | get, list, watch, create, patch |
| apiextensions.k8s.io | customresourcedefinitions | get, list, watch, create, patch |
| core | pods, services, services/finalizers, endpoints, events, configmaps, secrets, persistentvolumeclaims, serviceaccounts | get, list, watch, create, patch |
| apps | statefulsets, daemonsets, replicasets, deployments, deployments/finalizers | get, list, watch, create, patch |
| security.openshift.io | securitycontextconstraints, privileged | use |

| API Group | Resources | Permissions |
| --- | --- | --- |
| apiextensions.k8s.io | customresourcedefinitions | get, list, watch, patch, update |
| core | secrets | get, list, watch, patch, update |
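One way to use these lists in a review is as a baseline: expand the rules of a deployed ClusterRole and report every grant the documentation does not cover. The sketch below is an added example, not Trilio code; it uses the permission set above that grants only get, list, watch outside triliovault.trilio.io, and the sample role is constructed. It assumes the standard RBAC rule fields (`apiGroups`, `resources`, `verbs`) and ignores `resourceNames`.

```python
# Baseline transcribed from the read-only permission set on this page:
# API group | resources | permissions. "core" is the empty apiGroup "" in RBAC.
BASELINE_TEXT = """\
triliovault.trilio.io | * | *
* | * | get, list, watch
apiextensions.k8s.io | customresourcedefinitions | get, list, watch
core | pods, services, services/finalizers, endpoints, events, configmaps, secrets, persistentvolumeclaims, serviceaccounts | get, list, watch
apps | statefulsets, daemonsets, replicasets, deployments, deployments/finalizers | get, list, watch
security.openshift.io | securitycontextconstraints, privileged | use
"""

def parse_baseline(text):
    """Turn 'group | resources | verbs' lines into (group, set, set) rules."""
    rules = []
    for line in text.strip().splitlines():
        group, resources, verbs = (cell.strip() for cell in line.split("|"))
        rules.append((group,
                      {r.strip() for r in resources.split(",")},
                      {v.strip() for v in verbs.split(",")}))
    return rules

def allows(allowed, wanted):
    """A granted '*' is covered only by a documented '*', never by a named list."""
    return "*" in allowed or wanted in allowed

def is_documented(baseline, group, resource, verb):
    return any((g == "*" or g == group) and allows(res, resource) and allows(verbs, verb)
               for g, res, verbs in baseline)

def excess_grants(cluster_role, baseline):
    """Return (group, resource, verb) grants in the role that the baseline lacks."""
    excess = []
    for rule in cluster_role.get("rules", []):
        for group in rule.get("apiGroups", []):
            group = group or "core"  # RBAC writes the core group as ""
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    if not is_documented(baseline, group, resource, verb):
                        excess.append((group, resource, verb))
    return excess

# Constructed sample shaped like `kubectl get clusterrole <name> -o json`
# output; it is not a real T4K manifest.
SAMPLE_ROLE = {"rules": [
    {"apiGroups": ["triliovault.trilio.io"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["get", "list", "delete"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterrolebindings"], "verbs": ["*"]},
]}

if __name__ == "__main__":
    for grant in excess_grants(SAMPLE_ROLE, parse_baseline(BASELINE_TEXT)):
        print("not in documented baseline:", "/".join(grant))
```

Because the baseline already contains `* | * | get, list, watch`, every read passes; only write verbs and wildcards outside the documented rows are reported.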
Security Context / Security Policy Definitions
Pod Security Context Summary
| Component | Phase | Security Policy | Capabilities |
| --- | --- | --- | --- |
| Control-plane | Deploy time | Restricted | KILL, AUDIT_WRITE |
| Webhook | Deploy time | Restricted | KILL, AUDIT_WRITE |
| Exporter | Deploy time | Restricted | KILL, AUDIT_WRITE |
| Metamover | Run-time | Privileged | * |
| Datamover | Run-time | Privileged | * |
| DataAttacher | Run-time | Privileged | * |
| BackupScheduler | Run-time | Restricted | KILL, AUDIT_WRITE |
| ResourceCleaner | Run-time | Restricted | KILL, AUDIT_WRITE |
| Conversion Deployment | Run-time | Restricted | KILL, AUDIT_WRITE |