Skip to content

Updated rbac based on the vmfr project #2040

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mpryc wants to merge 1 commit into
base: oadp-dev
Choose a base branch
from
+955 −41
Open

Updated rbac based on the vmfr project #2040

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 28 additions & 0 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -907,6 +907,34 @@ endif
$(SED) -i "s%resources:%resources:\n- $$file_name%" $(shell pwd)/config/samples/kustomization.yaml;done
@make bundle

.PHONY: update-vmfr-manifests
update-vmfr-manifests: VMFR_CONTROLLER_IMG?=quay.io/konveyor/oadp-vm-file-restore:latest
update-vmfr-manifests: VMFR_ACCESS_IMG?=quay.io/konveyor/oadp-vmfr-access:latest
update-vmfr-manifests: VMFR_SSH_IMG?=quay.io/konveyor/oadp-vmfr-access-sshd:latest
update-vmfr-manifests: VMFR_BROWSER_IMG?=quay.io/konveyor/oadp-vmfr-access-filebrowser:latest
update-vmfr-manifests: yq ## Update VM File Restore (VMFR) manifests shipped with OADP, from VMFR_CONTROLLER_PATH
ifeq ($(VMFR_CONTROLLER_PATH),)
$(error You must set VMFR_CONTROLLER_PATH to run this command)
endif
@for file_name in $(shell ls $(VMFR_CONTROLLER_PATH)/config/crd/bases);do \
cp $(VMFR_CONTROLLER_PATH)/config/crd/bases/$$file_name $(shell pwd)/config/crd/bases/$$file_name && \
grep -q "\- bases/$$file_name" $(shell pwd)/config/crd/kustomization.yaml || \
$(SED) -i "s%resources:%resources:\n- bases/$$file_name%" $(shell pwd)/config/crd/kustomization.yaml;done
$(YQ) -i 'select(.kind == "Deployment")|= .spec.template.spec.containers[0].env |= .[] |= select(.name == "RELATED_IMAGE_VM_FILE_RESTORE_CONTROLLER") |= .value="$(VMFR_CONTROLLER_IMG)"' config/manager/manager.yaml
$(YQ) -i 'select(.kind == "Deployment")|= .spec.template.spec.containers[0].env |= .[] |= select(.name == "RELATED_IMAGE_VM_FILE_RESTORE_ACCESS") |= .value="$(VMFR_ACCESS_IMG)"' config/manager/manager.yaml
$(YQ) -i 'select(.kind == "Deployment")|= .spec.template.spec.containers[0].env |= .[] |= select(.name == "RELATED_IMAGE_VM_FILE_RESTORE_SSH") |= .value="$(VMFR_SSH_IMG)"' config/manager/manager.yaml
$(YQ) -i 'select(.kind == "Deployment")|= .spec.template.spec.containers[0].env |= .[] |= select(.name == "RELATED_IMAGE_VM_FILE_RESTORE_BROWSER") |= .value="$(VMFR_BROWSER_IMG)"' config/manager/manager.yaml
@mkdir -p $(shell pwd)/config/vm-file-restore-controller_rbac
@for file_name in $(shell grep -I '^\-' $(VMFR_CONTROLLER_PATH)/config/rbac/kustomization.yaml | awk -F'- ' '{print $$2}');do \
cp $(VMFR_CONTROLLER_PATH)/config/rbac/$$file_name $(shell pwd)/config/vm-file-restore-controller_rbac/$$file_name;done
@cp $(VMFR_CONTROLLER_PATH)/config/rbac/kustomization.yaml $(shell pwd)/config/vm-file-restore-controller_rbac/kustomization.yaml
@$(SED) -i '1i namePrefix: oadp-vm-file-restore-' $(shell pwd)/config/vm-file-restore-controller_rbac/kustomization.yaml
@for file_name in $(shell grep -I '^\-' $(VMFR_CONTROLLER_PATH)/config/samples/kustomization.yaml | awk -F'- ' '{print $$2}');do \
cp $(VMFR_CONTROLLER_PATH)/config/samples/$$file_name $(shell pwd)/config/samples/$$file_name && \
grep -q "\- $$file_name" $(shell pwd)/config/samples/kustomization.yaml || \
$(SED) -i "s%resources:%resources:\n- $$file_name%" $(shell pwd)/config/samples/kustomization.yaml;done
@make bundle

.PHONY: build-must-gather
build-must-gather: check-go ## Build OADP Must-gather binary must-gather/oadp-must-gather
ifeq ($(SKIP_MUST_GATHER),true)
Expand Down
8 changes: 8 additions & 0 deletions bundle/manifests/controller-manager_v1_serviceaccount.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/name: oadp-vm-file-restore
name: controller-manager
40 changes: 40 additions & 0 deletions bundle/manifests/leader-election-role_rbac.authorization.k8s.io_v1_role.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/name: oadp-vm-file-restore
name: leader-election-role
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
16 changes: 16 additions & 0 deletions bundle/manifests/leader-election-rolebinding_rbac.authorization.k8s.io_v1_rolebinding.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/name: oadp-vm-file-restore
name: leader-election-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: leader-election-role
subjects:
- kind: ServiceAccount
name: controller-manager
namespace: system
142 changes: 142 additions & 0 deletions bundle/manifests/manager-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,142 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: manager-role
rules:
- apiGroups:
- ""
resources:
- namespaces
- pods
- secrets
Copy link
Contributor

@coderabbitai coderabbitai bot Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -path "*/bundle/manifests*" -name "*role*" -type f

Repository: openshift/oadp-operator

Length of output: 190

🌐 Web query:

OADP operator Velero controller RBAC permissions requirements secrets services routes

💡 Result:

Summary — OADP (Velero via the OADP operator) RBAC, Secrets, Services and Routes (concise)

  • Namespace / ServiceAccount

    • Velero runs in the OADP namespace (commonly openshift-adp or velero-*) and uses a Velero ServiceAccount; bind that SA to required Roles/ClusterRoles. [2][3]

  • RBAC (recommended permissions)

    • OADP/Velero needs a ClusterRole (or cluster-admin by default) that grants:
      • CRUD/list/get on PersistentVolumes, PersistentVolumeClaims, Namespaces (create/list/get), Secrets, ConfigMaps, ServiceAccounts, Roles/RoleBindings, ClusterRoles/ClusterRoleBindings, StorageClasses, VolumeSnapshot* CRs, CustomResourceDefinitions as needed.
      • list/read across many API groups (Velero reads many cluster-scoped resources during backup). Example manifests and guidance are in Velero docs (you can restrict further per your backup surface). [1][2]
    • Bind the ClusterRole to the Velero ServiceAccount with a ClusterRoleBinding. [1][2]

  • Secrets (names and behavior)

    • You must provide object-storage credentials in a default Secret named cloud-credentials (or provider-specific names like cloud-credentials-gcp) in the OADP namespace; if backup and snapshot locations use different credentials, create separate Secrets and reference them appropriately in the DataProtectionApplication CR. A default Secret is required for install (can be empty credentials-velero file if you defer configuration). [2][4]
    • Velero creates velero-repo-credentials in the OADP namespace for the backup repository password (you may replace the password before first backup). [2]

  • Services & Routes

    • Velero runs as a Deployment and exposes internal Services; OADP installs OpenShift-specific Velero plugins that may create or use Routes for registry access in migration workflows. The openshift-velero-plugin handles image/registry routing and can affect Route host restoration behavior during restores. Restoring Projects/Routes may change host values — the plugin includes logic to strip/adjust host during restore. Monitor Velero/openshift-velero-plugin behavior when restoring Route objects. [4][5]

  • Practical notes / links

    • Default install often uses broad cluster permissions; for least-privilege, follow Velero’s “Run Velero more securely” RBAC guidance and craft a ClusterRole that grants only required verbs/resources for your backup/restore scope. Test PV/CSI snapshot and namespace restore workflows after tightening RBAC. [1][2]

Sources
[1] Velero docs — RBAC guidance.
[2] Red Hat / OpenShift docs — OADP install, required Secrets and behavior (openshift-adp namespace, cloud-credentials, velero-repo-credentials).
[3] Red Hat / OpenShift backup & restore docs (version matrix, Velero access).
[4] openshift-velero-plugin (GitHub) — plugin behavior for OpenShift (registry, routes).
[5] Red Hat KB — route restore behavior with OADP / openshift-velero-plugin.

Would you like: (A) example ClusterRole/ClusterRoleBinding and Role/RoleBinding YAML tuned for OADP, or (B) step-by-step commands to create the required Secrets and bind RBAC in your cluster?

🌐 Web query:

Velero OADP ClusterRole least privilege verbs secrets services routes example

💡 Result:

Below is a minimal ClusterRole example for Velero / OADP that follows least-privilege principles for secrets, services, and OpenShift routes. Key ideas: avoid broad verbs on secrets (don’t grant get/list/watch unless absolutely required), grant only the verbs Velero needs for backup/restore operations on services and routes, and keep other rules narrow. Adjust namespaces, serviceAccount, and any additional Velero resources you need.

ClusterRole (example)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: velero-oadp-minimal
rules:

core resources Velero commonly needs (narrow verbs)

  • apiGroups: [""]
    resources:
    • namespaces
    • persistentvolumes
    • persistentvolumeclaims
      verbs: ["get","list","watch"]
  • apiGroups: [""]
    resources:
    • services
      verbs: ["get","list","watch"]

Secrets: avoid read verbs unless required — here only "create" and "patch" for credential injection (no get/list/watch)

  • apiGroups: [""]
    resources:
    • secrets
      verbs: ["create","patch","update"]

ConfigMaps used by Velero (restricted verbs)

  • apiGroups: [""]
    resources:
    • configmaps
      verbs: ["get","list","watch","create","update","patch"]

OpenShift routes (route.openshift.io) — only read/list/watch needed for discovery; add update/create only if Velero plugin modifies routes

  • apiGroups: ["route.openshift.io"]
    resources:
    • routes
      verbs: ["get","list","watch"]

CRDs Velero operates on (narrowed to specific names where possible)

  • apiGroups: ["velero.io"]
    resources:
    • backups
    • restores
    • backupstoragelocations
    • volumesnapshots
      verbs: ["get","list","create","update","patch","delete","watch"]

ClusterRoleBinding (bind service account)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: velero-oadp-minimal-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: velero-oadp-minimal
subjects:

  • kind: ServiceAccount
    name: velero
    namespace: openshift-adp

Notes / recommendations

  • If your environment requires Velero to read backup location credentials, you may need to allow "get" on a specific Secret — prefer creating a dedicated Secret in the Velero namespace and grant get only for that Secret (use a Role scoped to that namespace instead of ClusterRole when possible). See guidance on restrictive RBAC for Velero. [1]
  • On OpenShift, routes are in the route.openshift.io API group; include only verbs Velero requires (most plugins only need read verbs). [2]
  • Consider policy controls (Kyverno/Gatekeeper) that prohibit get/list/watch on Secrets in ClusterRoles to enforce least privilege. [3]

Sources

  • Velero documentation — guidance on using restrictive RBAC for Velero. [1]
  • OKD / OADP (OpenShift Data Protection) docs — secrets and OADP installation guidance (routing/plugins). [2]
  • Kyverno example policy restricting Secrets verbs in Roles/ClusterRoles. [3]

References
[1] Velero docs: Run Velero more securely with restrictive RBAC settings.
[2] OKD OADP docs: Configuring OADP (secrets, routes).
[3] Kyverno policy: restrict-secret-role-verbs (example).

Major: Overly broad permissions on secrets, services, and routes.

While Velero/OADP does require access to these resources for backup/restore operations, the permissions should follow least-privilege principles. Industry best practices and the Velero security documentation recommend:

  • Secrets: Grant only create, patch, update (avoid get, list, watch unless retrieving specific backup location credentials, which should be in a dedicated Secret with namespace-scoped Role)
  • Services: Grant only get, list, watch (read-only)
  • Routes: Grant only get, list, watch (read-only unless the openshift-velero-plugin explicitly modifies routes)

Full CRUD on these resources is unnecessary and violates least-privilege. Verify the manifest grants only the minimum verbs required and update accordingly.

- serviceaccounts
- services
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- oadp.openshift.io
resources:
- virtualmachinebackupsdiscoveries
- virtualmachinefilerestores
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- oadp.openshift.io
resources:
- virtualmachinebackupsdiscoveries/finalizers
- virtualmachinefilerestores/finalizers
verbs:
- update
- apiGroups:
- oadp.openshift.io
resources:
- virtualmachinebackupsdiscoveries/status
- virtualmachinefilerestores/status
verbs:
- get
- patch
- update
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- route.openshift.io
resources:
- routes
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- security.openshift.io
resourceNames:
- privileged
resources:
- securitycontextconstraints
verbs:
- use
- apiGroups:
- velero.io
resources:
- backups
verbs:
- get
- list
- watch
- apiGroups:
- velero.io
resources:
- datadownloads
verbs:
- get
- list
- patch
- watch
- apiGroups:
- velero.io
resources:
- downloadrequests
verbs:
- create
- delete
- get
- list
- watch
- apiGroups:
- velero.io
resources:
- restores
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
10 changes: 10 additions & 0 deletions bundle/manifests/metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: metrics-reader
rules:
- nonResourceURLs:
- /metrics
verbs:
- get
95 changes: 82 additions & 13 deletions bundle/manifests/oadp-operator.clusterserviceversion.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -172,6 +172,35 @@ metadata:
}
}
},
{
"apiVersion": "oadp.openshift.io/v1alpha1",
"kind": "VirtualMachineBackupsDiscovery",
"metadata": {
"labels": {
"app.kubernetes.io/managed-by": "kustomize",
"app.kubernetes.io/name": "oadp-vm-file-restore"
},
"name": "virtualmachinebackupsdiscovery-sample"
},
"spec": {
"endTime": "2024-12-31T23:59:59Z",
"startTime": "2024-01-01",
"virtualMachineName": "test-vm",
"virtualMachineNamespace": "test-namespace"
}
},
{
"apiVersion": "oadp.openshift.io/v1alpha1",
"kind": "VirtualMachineFileRestore",
"metadata": {
"labels": {
"app.kubernetes.io/managed-by": "kustomize",
"app.kubernetes.io/name": "oadp-vm-file-restore"
},
"name": "virtualmachinefilerestore-sample"
},
"spec": null
},
{
"apiVersion": "velero.io/v1",
"kind": "Backup",
Expand Down Expand Up @@ -845,7 +874,6 @@ spec:
- apiGroups:
- ""
resources:
- events
- namespaces
- pods
- secrets
Expand Down Expand Up @@ -879,18 +907,6 @@ spec:
- patch
- update
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- oadp.openshift.io
resources:
Expand Down Expand Up @@ -944,6 +960,14 @@ spec:
- patch
- update
- watch
- apiGroups:
- security.openshift.io
resourceNames:
- privileged
resources:
- securitycontextconstraints
verbs:
- use
Comment on lines +963 to +970
Copy link
Contributor

@coderabbitai coderabbitai bot Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's understand the repository structure
cd /tmp && find . -type f \( -name 'README*' -o -name '*.md' \) -maxdepth 3 2>/dev/null | head -10
git ls-files | grep -E '(README|readme)' | head -5

Repository: openshift/oadp-operator

Length of output: 190

🏁 Script executed:

git ls-files | head -30

Repository: openshift/oadp-operator

Length of output: 190

🏁 Script executed:

# Check the file in question
cat -n bundle/manifests/oadp-operator.clusterserviceversion.yaml | sed -n '960,980p'

Repository: openshift/oadp-operator

Length of output: 190

🏁 Script executed:

# Search for context about VM File Restore and privileged SCC
rg -i "vm file restore|privileged" --type yaml --type md -B 2 -A 2

Repository: openshift/oadp-operator

Length of output: 190

🏁 Script executed:

# Look for any documentation or comments explaining SCC requirements
rg -i "securitycontextconstraint|scc" --type yaml -B 3 -A 3 | head -100

Repository: openshift/oadp-operator

Length of output: 190

🏁 Script executed:

# Check if there's any documentation folder
git ls-files | grep -i -E '(doc|readme|install|quickstart)'

Repository: openshift/oadp-operator

Length of output: 190

🌐 Web query:

OADP OpenShift API Data Protection VM File Restore security requirements

💡 Result:

Summary — key security requirements and considerations for OADP (OpenShift API for Data Protection) VM file-level restore:

  1. RBAC and service accounts — ensure OADP/Velero service accounts have required cluster and namespace RBAC to read/write backups, restore CRs, create/delete PVCs and namespaces. [1]

  2. Namespace security context / UID/GID mapping — restored namespaces may get different SCC annotations and UID ranges; this can break file ownership inside VMs. Either allow OADP to create the namespace on the destination, remove pre‑existing namespaces before restore, or follow Red Hat's UID/GID-fix steps after restore. [2]

  3. Pod Security / SCC / SELinux — workloads and helper pods must run with the SCC and SELinux labels needed to access restored files; file permissions/SELinux contexts inside the VM must permit pre/post hook operations (fsfreeze, scripts). Ensure scripts and files have correct SELinux and UNIX permissions. [3]

  4. QEMU guest agent & VM hooks for consistent FS state — for file-level restores you typically need the guest agent and configured pre-freeze/post-thaw hooks (fsfreeze-hook.d) so the filesystem can be quiesced and safe file-level snapshots taken/restored. Scripts must be executable and have proper permissions/SELinux labeling. [3]

  5. Backup store credentials & security — protect object-store (S3) credentials/secrets used by Velero/OADP (use Secrets, short-lived credentials where supported such as STS/WIF). Ensure TLS to object storage and least-privilege creds for the BSL. [1][4]

  6. Network and transport security — ensure secure, reliable network path to object store (TLS, firewall rules, adequate bandwidth/latency), and open required ports between cluster nodes and storage endpoints. [4]

  7. Volume snapshot / CSI prerequisites — underlying CSI driver and snapshot capabilities must be supported and correctly permissioned; restores may require deletion of existing PVCs and creation of new PVCs (RBAC required). [1][5]

  8. Restore workflow security checks — OADP/Velero may skip or alter namespace annotations and labels during restore; confirm label selectors, BSL/VolumeSnapshotLocation names and shared credentials across clusters when migrating. [2]

  9. Audit, logs, and secrets handling — enable cluster/audit logging for backup/restore operations and rotate/limit access to Velero/OADP secrets. Use restricted access for operators and admins. [1][2]

  10. Vendor/platform-specific requirements — follow vendor docs (OpenShift Virtualization, storage plugin) for any additional security requirements (Trident/ONTAP, NetApp, Ceph, etc.). [5]

Sources:

  • OpenShift OADP / Velero application backup & restore documentation (OpenShift docs). [1]
  • Red Hat OADP FAQ — UID/GID, namespace and restore guidance. [2]
  • OADP VM pre-backup hooks and permission/SELinux guidance (Red Hat Developer article). [3]
  • OADP recommended network settings and backup-store credential guidance (OpenShift docs). [4]
  • OpenShift Virtualization / VM backup & restore guidance (Red Hat Developer). [5]

If you want, I can extract exact RBAC rules, required SCC annotations, sample Secrets (BSL) and example pre-freeze hook scripts with SELinux labels.

🌐 Web query:

OADP operator clusterserviceversion privileged SCC documentation

💡 Result:

Short answer — grant the OADP operator’s service account permission to "use" the privileged SecurityContextConstraints in the operator CSV (install.spec.clusterPermissions) and document why in the CSV description.

How-to (minimal):

  1. In the operator ClusterServiceVersion YAML (install.spec of the CSV) add a clusterPermissions entry that allows apiGroup security.openshift.io, resource securitycontextconstraints, resourceName privileged, verbs: ["use"] for the operator serviceAccount. Example snippet:

    • rules:
      • apiGroups: ["security.openshift.io"]
        resources: ["securitycontextconstraints"]
        resourceNames: ["privileged"]
        verbs: ["use"]
        serviceAccountName:
        (Place under install.spec.clusterPermissions).
        This is the standard method recommended for Operators that need escalated SCCs. [1][2]

  2. Ensure the CSV’s spec.description explains why the operator requires the privileged SCC (audit justification). [1][2]

References:

  • OpenShift Operators / Developing Operators — managing pod security admission, CSV clusterPermissions example (shows securitycontextconstraints privileged use and CSV description recommendation). [1]
  • OADP operator (project repo/README) — OADP is the OpenShift API for Data Protection operator (use this when applying the CSV change for OADP specifically). [2]

Sources:
[1] Red Hat / OpenShift Operators — Developing Operators: Managing pod security admission (CSV clusterPermissions example). (docs.redhat.com)
[2] openshift/oadp-operator GitHub (OADP operator project). (github.com)

Citations:

🌐 Web query:

OADP operator CSV "spec.description" security context constraints VM backup restore documentation

💡 Result:

Short answer — what to put in the OADP CSV "spec.description" and related CSV fields for SCCs plus where to find VM backup/restore docs:

  • CSV spec.description: explicitly state why the operator needs escalated permissions (e.g., to use a SecurityContextConstraints such as "privileged" or to run pods that require specific runAsUser/fsGroup settings) and what actions require them (Velero/kubevirt plugins taking VM snapshots, restoring VM objects, attaching volumes, etc.). This description is required by OLM when an operator requests SCC/use of elevated privileges. [1][2]

  • CSV install spec (required in addition to description):

    • Add clusterPermissions that grant the operator service account verbs: use on securitycontextconstraints (resource securitycontextconstraints, apiGroup security.openshift.io) and any other needed SCC names (e.g., "privileged"). Example pattern shown in OpenShift docs. [1][2]
    • Set container securityContext in the CSV to document requested capabilities and runAsUser/fsGroup as needed. [1]

  • Why for VM backup/restore: OADP (Velero + kubevirt plugin) may need SCCs when backing up/restoring VM resources, taking/restoring CSI snapshots or using node-level agents (restic/kopia) that require elevated volume or host access. Refer to OADP/Velero & KubeVirt plugin docs for VM-specific behavior and supported backup methods (CSI snapshots, Kopia/Restic, kubevirt plugin notes). [3][4]

Key references:

  • OpenShift operator CSV / managing operator SCC and examples (edit CSV description + clusterPermissions for securitycontextconstraints). [1][2]
  • OADP (OpenShift API for Data Protection) backup/restore and kubevirt plugin (VM backup/restore behavior and requirements). [3][4]

If you want, I can:

  • produce exact YAML snippets for spec.description, clusterPermissions and container securityContext for OADP CSV tailored to OADP/kubevirt; and
  • point to the specific OADP CSV in a released OADP package (I can search the operator CSV file for the OADP version you use). Which OADP version/cluster version are you on?

Ensure the CSV description documents why the privileged SCC grant is required.

The privileged SCC permission is necessary for OADP's VM File Restore controller to handle file access and security context restoration during VM backup and restore operations. Per OpenShift Operator guidelines, the CSV spec.description must explicitly justify this escalated privilege grant and explain the specific use cases (Velero/kubevirt plugin VM operations, CSI snapshot handling, volume attachment). This documentation is required by OLM when an operator requests privileged SCC access.

- apiGroups:
- velero.io
resources:
Expand Down Expand Up @@ -983,6 +1007,18 @@ spec:
- patch
- update
- watch
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
serviceAccountName: oadp-vm-file-restore-controller-manager
- rules:
- apiGroups:
Expand Down Expand Up @@ -1348,6 +1384,39 @@ spec:
- emptyDir: {}
name: tmp-dir
permissions:
- rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
serviceAccountName: oadp-vm-file-restore-controller-manager
- rules:
- apiGroups:
- ""
Expand Down
Loading