Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ability for non-admin users to create BackupStorageLocations(BSL) #36

Open
shubham-pampattiwar opened this issue Apr 9, 2024 · 3 comments
Open

Ability for non-admin users to create BackupStorageLocations(BSL) #36

shubham-pampattiwar opened this issue Apr 9, 2024 · 3 comments
Assignees
@mpryc
Labels
priority-high

Comments

@shubham-pampattiwar
Copy link
Member

Add the the functionality of providing the non-admin users the ability to create their own BackupStorageLocations. In other words BYOB (Bring your own Bucket/BSL). The task would entail:

  • Introduction of a Non-Admin NackupStorageLocation CRD (NABSL)
  • NABSL controller
    • The NABSL controller would cascade the BSL request to Velero controller
    • Validation that the NABSL CR is appropriate and relevant secrets from non-admin user are also obtained (note that authenticating the access keys will not be the NABSL controller's responsiblity)
    • The NABSL request can be create/update/view/delete BSL type requests
    • NABSL controller would be responsible of gathering the status Velero BSL and updating the status of NABSL CR, keeping them in sync
    • Every BSL needs user access keys and storage credentials, NABSL controller will be responsible for provisioning them in Velero NS, once they are provided by the non-admin user
  • Addition of Validating Webhooks to ensure that only give Velero CLI/OC access is available to the non-admin user's relevant BSL CRs
  • Control over general Velero BSL Spec that gets exposed or allow listed via NABSL CRD spec.
@weshayutin weshayutin moved this to New / Design in OADP Apr 9, 2024
@shubham-pampattiwar
Copy link
Member Author

shubham-pampattiwar commented Apr 9, 2024
edited
Loading

Lets target for this phase 1 with an optional cluster-wide BSL usage flag.

@shubham-pampattiwar
Copy link
Member Author

Additional responsibilities of the controller:

  • Ensure non-sharing of Non-Admin BSL
  • Non-BSL Sync could be another responsibility
  • Types of Authentication supported

@weshayutin weshayutin moved this from New / Design to Todo in OADP Apr 9, 2024
@mateusoliveira43
Copy link
Contributor

Velero Backup spec has the field storageLocation (and current NonAdminBackup also has it). Should we put some validation or even remove that field from NonAdminBackup ❓ My fear is that non admin user can use a admin BSL for backups.

I think this is not #37 responsibility, because this should be a always active check, and not only admin user turns it on.

Maybe add to OADP DPA which BSL NAC will use (bad UX if NAC is used by many non admin users ❓) or with this feature, only allow NonAdminBackups if a NonAdminBackupStorageLocation exists and add a field in NonAdminBackup spec and remove storageLocation from backupSpec.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mpryc mpryc

Labels
priority-high
Projects
OADP
Status: Todo
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mpryc @shubham-pampattiwar @mateusoliveira43