# Resources and Permissions

This page describes the different resources that Trilio for Kubernetes (T4K) accesses within the Kubernetes cluster, including the mapping of jobs to pods and the RBAC permissions required by each.

## Job to Pod Mapping

The table below shows the translation of T4K Jobs to their corresponding container images or Pods.

| Job / Function Name      | Images / Pods Used   |
| ------------------------ | -------------------- |
| ControlPlane             | ControlPlane         |
| Webhook                  | Webhook              |
| Exporter                 | Exporter             |
| Target Validation Job    | DataAttacher         |
| Snapshot Job             | Metamover            |
| DataUpload Job           | Datamover            |
| MetaData Upload Job      | Metamover            |
| Retention Job            | Alpine image (TBD)   |
| Backup Cleaner Job       | DataAttacher         |
| Cron Job                 | BackupScheduler      |
| Metamover Validation Job | Metamover            |
| Data Restore Job         | Datamover            |
| Metamover Restore Job    | Metamover            |
| Resource Cleaner Job     | ResourceCleaner      |
| Conversion Server Job    | ConversionController |

## Job Permissions

The following tabs list the resources and permissions that T4K components and jobs require.

{% tabs %}
{% tab title="ControlPlane/Webhook/Exporter/TargetValidation/BackupCleaner/ResourceCleaner Job" %}

| API Group                    | Resources / Resource Name                                                               | Verbs                                    |
| ---------------------------- | --------------------------------------------------------------------------------------- | ---------------------------------------- |
| triliovault.trilio.io        | \*                                                                                      | \*                                       |
| \*                           | \*                                                                                      | get, list, watch                         |
| apiextensions.k8s.io         | customresourcedefinitions                                                               | get, list, watch, create                 |
| core                         | serviceaccounts, services, services/finalizers, events, secrets, persistentvolumeclaims | \*                                       |
| core                         | pods, services, services/finalizers, endpoints, events, configmaps, secrets             | get, list, watch                         |
| core                         | namespaces                                                                              | get, list, watch, create, update         |
| core                         | persistentvolumes                                                                       | get, list, watch, update                 |
| admissionregistration.k8s.io | validatingwebhookconfigurations, mutatingwebhookconfigurations                          | \*                                       |
| batch                        | job                                                                                     | \*                                       |
| apps                         | statefulsets, daemonsets, replicasets, deployments/finalizers                           | get, list, watch                         |
| apps                         | deployments                                                                             | get, list, watch, create, update, delete |
| extensions                   | cronjobs                                                                                | \*                                       |
| snapshot.storage.k8s.io      | \*                                                                                      | \*                                       |
| rbac.authorization.k8s.io    | clusterrole, clusterrolebindings                                                        | \*                                       |

{% endtab %}

{% tab title="Snapshot/MetaData Upload/Data Upload Job" %}

| API Group             | Resources / Resource Name                                                                                            | Verbs            |
| --------------------- | -------------------------------------------------------------------------------------------------------------------- | ---------------- |
| triliovault.trilio.io | \*                                                                                                                   | \*               |
| \*                    | \*                                                                                                                   | get, list, watch |
| apiextensions.k8s.io  | customresourcedefinitions                                                                                            | get, list, watch |
| core                  | pods, services, services/finalizers, endpoints, events, configmaps, secrets, persistentvolumeclaims, serviceaccounts | get, list, watch |
| apps                  | statefulsets, daemonsets, replicasets, deployments, deployments/finalizers                                           | get, list, watch |
| security.openshift.io | securitycontextconstraints, privileged                                                                               | use              |

{% endtab %}

{% tab title="Metamover Validation/Data Restore/Metamover Restore Job" %}

| API Group             | Resources / Resource Name                                                                                            | Verbs                           |
| --------------------- | -------------------------------------------------------------------------------------------------------------------- | ------------------------------- |
| triliovault.trilio.io | \*                                                                                                                   | \*                              |
| \*                    | \*                                                                                                                   | get, list, watch, create, patch |
| apiextensions.k8s.io  | customresourcedefinitions                                                                                            | get, list, watch, create, patch |
| core                  | pods, services, services/finalizers, endpoints, events, configmaps, secrets, persistentvolumeclaims, serviceaccounts | get, list, watch, create, patch |
| apps                  | statefulsets, daemonsets, replicasets, deployments, deployments/finalizers                                           | get, list, watch, create, patch |
| security.openshift.io | securitycontextconstraints, privileged                                                                               | use                             |

{% endtab %}

{% tab title="Conversion Server" %}

| API Group            | Resources / Resource Name | Verbs                           |
| -------------------- | ------------------------- | ------------------------------- |
| apiextensions.k8s.io | customresourcedefinitions | get, list, watch, patch, update |
| core                 | secrets                   | get, list, watch, patch, update |

{% endtab %}
{% endtabs %}
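
As an added check (not Trilio's code), the Python below encodes a subset of the Snapshot/MetaData Upload/Data Upload rows as required permissions and reports which of them a candidate ClusterRole's rules fail to grant, plus which rules are wildcard grants worth reviewing. The resource name `backups` and the candidate rules are constructed for the example; the matching follows Kubernetes RBAC wildcard semantics.

```python
# Added example (not Trilio code): check that a set of RBAC PolicyRules covers the
# permissions a T4K job needs, using Kubernetes RBAC wildcard semantics: "*" in
# apiGroups/resources/verbs matches anything, "*/sub" matches any subresource, and a
# rule with resourceNames matches only those named objects. The page's "core" group is
# the empty apiGroup string in a manifest.

def rule_allows(rule, group, resource, verb, name=None):
    """True if one PolicyRule (as in a ClusterRole manifest) grants the request."""
    if "*" not in rule.get("apiGroups", []) and group not in rule.get("apiGroups", []):
        return False
    if "*" not in rule.get("verbs", []) and verb not in rule.get("verbs", []):
        return False
    names = rule.get("resourceNames", [])
    if names and name not in names:
        return False
    sub = resource.split("/", 1)[1] if "/" in resource else ""
    return any(r == "*" or r == resource or (sub and r == "*/" + sub)
               for r in rule.get("resources", []))

def missing_permissions(rules, required):
    """Return the (group, resource, verb, name) tuples that no rule grants."""
    return [req for req in required if not any(rule_allows(rl, *req) for rl in rules)]

def broad_grants(rules):
    """Rules granting every verb on every resource of a group: review these first."""
    return [rl for rl in rules if "*" in rl.get("verbs", []) and "*" in rl.get("resources", [])]

# Subset of the Snapshot/MetaData Upload/Data Upload job table, "core" written as "".
# "backups" is an assumed resource name; the SCC row is "use" on the resourceName "privileged".
SNAPSHOT_JOB_REQUIRED = [
    ("triliovault.trilio.io", "backups", "create", None),
    ("", "secrets", "get", None),
    ("", "services/finalizers", "watch", None),
    ("apps", "deployments", "list", None),
    ("security.openshift.io", "securitycontextconstraints", "use", "privileged"),
]

# Constructed ClusterRole rules to audit; they lack the SCC "use" grant.
CANDIDATE_RULES = [
    {"apiGroups": ["triliovault.trilio.io"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
]

if __name__ == "__main__":
    for gap in missing_permissions(CANDIDATE_RULES, SNAPSHOT_JOB_REQUIRED):
        print("missing:", gap)
    for rl in broad_grants(CANDIDATE_RULES):
        print("broad grant:", rl)
```

The rules dicts have the same shape as the `rules:` entries of a ClusterRole manifest, so a live role can be loaded with a YAML parser and passed in unchanged.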

## Security Context / Security Policy Definitions

{% tabs %}
{% tab title="Privileged SCC" %}

```
Name:                             privileged
Priority:                         <none>
Access:
  Users:
  Groups:
Settings:
  Allow Privileged:               true
  Allow Privilege Escalation:     true
  Default Add Capabilities:       <none>
  Required Drop Capabilities:     <none>
  Allowed Capabilities:           *
  Allowed Seccomp Profiles:       *
  Allowed Volume Types:           *
  Allowed Flexvolumes:            <all>
  Allowed Unsafe Sysctls:         *
  Forbidden Sysctls:              <none>
  Allow Host Network:             true
  Allow Host Ports:               true
  Allow Host PID:                 true
  Allow Host IPC:                 true
  Read Only Root Filesystem:      false
  Run As User Strategy:           RunAsAny
    UID:                          <none>
    UID Range Min:                <none>
    UID Range Max:                <none>
  SELinux Context Strategy:       RunAsAny
    User:                         <none>
    Role:                         <none>
    Type:                         <none>
    Level:                        <none>
  FSGroup Strategy:               RunAsAny
    Ranges:                       <none>
  Supplemental Groups Strategy:   RunAsAny
    Ranges:                       <none>
```

{% endtab %}

{% tab title="Restricted SCC" %}

```
Name:                             restricted
Priority:                         <none>
Access:
  Users:                          <none>
  Groups:                         system:authenticated
Settings:
  Allow Privileged:               false
  Allow Privilege Escalation:     true
  Default Add Capabilities:       <none>
  Required Drop Capabilities:     KILL,MKNOD,SETUID,SETGID
  Allowed Capabilities:           <none>
  Allowed Seccomp Profiles:       <none>
  Allowed Volume Types:           configMap,downwardAPI,emptyDir,persistentVolumeClaim,projected,secret
  Allowed Flexvolumes:            <all>
  Allowed Unsafe Sysctls:         <none>
  Forbidden Sysctls:              <none>
  Allow Host Network:             false
  Allow Host Ports:               false
  Allow Host PID:                 false
  Allow Host IPC:                 false
  Read Only Root Filesystem:      false
  Run As User Strategy:           MustRunAsRange
    UID:                          <none>
    UID Range Min:                <none>
    UID Range Max:                <none>
  SELinux Context Strategy:       MustRunAs
    User:                         <none>
    Role:                         <none>
    Type:                         <none>
    Level:                        <none>
  FSGroup Strategy:               MustRunAs
    Ranges:                       <none>
  Supplemental Groups Strategy:   RunAsAny
    Ranges:                       <none>
```

{% endtab %}
{% endtabs %}
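
Added example, not Trilio's code: parse the `oc describe scc` settings shown above and list why a constructed pod spec would be rejected under the Restricted SCC. Only host namespaces, privileged mode, added capabilities and volume types are evaluated; the SCC text is an excerpt of the Restricted SCC on this page and the pod is constructed.

```python
# Added example (not Trilio code): check a pod spec against an `oc describe scc` dump.
# RESTRICTED_SCC is an excerpt of the Restricted SCC above; POD is a constructed pod spec.
RESTRICTED_SCC = """\
Settings:
  Allow Privileged:               false
  Allowed Capabilities:           <none>
  Allowed Volume Types:           configMap,downwardAPI,emptyDir,persistentVolumeClaim,projected,secret
  Allow Host Network:             false
  Allow Host PID:                 false
"""

POD = {
    "hostNetwork": True,  # constructed: host network plus a hostPath volume and NET_ADMIN
    "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "pvc"}},
                {"name": "host", "hostPath": {"path": "/var/lib"}}],
    "containers": [{"name": "app", "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}],
}

SPECIAL = {"<none>": [], "*": "*", "<all>": "*", "true": True, "false": False}
def parse_scc(text):
    """Map '  Key:  value' lines to a dict; comma lists become lists, SPECIAL tokens are mapped."""
    settings = {}
    for line in text.splitlines():
        if line.startswith("  ") and ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            settings[key] = SPECIAL.get(value, value.split(","))
    return settings

def scc_violations(scc, pod):
    """Return the reasons the pod would be rejected under the parsed SCC settings."""
    problems = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if pod.get(field) and not scc.get("Allow Host " + field[4:]):
            problems.append(f"{field} not allowed")
    allowed_vols = scc.get("Allowed Volume Types", "*")
    for vol in pod.get("volumes", []):
        kind = next(k for k in vol if k != "name")  # the volume-source key is its type
        if allowed_vols != "*" and kind not in allowed_vols:
            problems.append(f"volume {vol['name']}: type {kind} not allowed")
    allowed_caps = scc.get("Allowed Capabilities", [])
    for c in pod.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged") and not scc.get("Allow Privileged"):
            problems.append(f"{c['name']}: privileged not allowed")
        for cap in sc.get("capabilities", {}).get("add", []):
            if allowed_caps != "*" and cap not in allowed_caps:
                problems.append(f"{c['name']}: capability {cap} not allowed")
    return problems

if __name__ == "__main__":
    for reason in scc_violations(parse_scc(RESTRICTED_SCC), POD):
        print("rejected:", reason)
```

The same pod passes the Privileged SCC, which is why the table below runs the Metamover, Datamover and DataAttacher pods under it and the others under Restricted.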

## Pod Security Context Summary

| Pod                   | Type        | SCC / PSP  | Specific Capability |
| --------------------- | ----------- | ---------- | ------------------- |
| Control-plane         | Deploy time | Restricted | KILL, AUDIT\_WRITE  |
| Webhook               | Deploy time | Restricted | KILL, AUDIT\_WRITE  |
| Exporter              | Deploy time | Restricted | KILL, AUDIT\_WRITE  |
| Metamover             | Run-time    | Privileged | \*                  |
| Datamover             | Run-time    | Privileged | \*                  |
| DataAttacher          | Run-time    | Privileged | \*                  |
| BackupScheduler       | Run-time    | Restricted | KILL, AUDIT\_WRITE  |
| ResourceCleaner       | Run-time    | Restricted | KILL, AUDIT\_WRITE  |
| Conversion Deployment | Run-time    | Restricted | KILL, AUDIT\_WRITE  |


