The idea is to grant privileges to the user who created the NonAdminBackup that resulted in the VeleroBackup being created.
Kubernetes does not allow obtaining information about the requester (owner) of the NonAdminBackup from within the Reconcile loop.
In the current implementation we know:
The name of the VeleroBackup that will be created (we own the function that calculates that name)
The namespace in which the VeleroBackup object will be created
The NonAdminBackup that was used to create the VeleroBackup
To add permissions for the user who requested the VeleroBackup via a NonAdminBackup, we need to create a Role and a RoleBinding in the namespace where the VeleroBackup will live. Below is an example of a viewer Role that gives explicit permissions to the nab-nacproject-c3499c2729730a object, followed by the RoleBinding that binds that Role to the user nacuser. Everything happens in the openshift-adp namespace, where VeleroBackup objects are currently created:
To achieve this in an automated fashion, we need to create the RoleBinding, and possibly the Role as well, in advance, before the original VeleroBackup is created, by means of an admission webhook that is aware of the user requesting the VeleroBackup via the NonAdminBackup. We then associate the VeleroBackup as the owner so that the Role and RoleBinding are cleaned up after the VeleroBackup is removed.
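The viewer Role, the RoleBinding for nacuser and the owner reference back to the VeleroBackup, written out as an added example rather than the project's own manifests. The Role/RoleBinding names, the verbs and the placeholder uid are assumptions; the owner kind is Velero's velero.io/v1 Backup.

```yaml
# Added example: viewer Role scoped to the single VeleroBackup object
# nab-nacproject-c3499c2729730a in the openshift-adp namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: nab-nacproject-c3499c2729730a-viewer   # assumed name
  namespace: openshift-adp
  # Owner reference so the garbage collector removes the Role together
  # with the VeleroBackup. ownerReferences require the owner's real uid,
  # and a dependent whose owner uid does not exist is itself collected, so
  # set this only once the Backup exists (e.g. patched in by the controller
  # after creation). The uid below is a placeholder.
  ownerReferences:
    - apiVersion: velero.io/v1
      kind: Backup
      name: nab-nacproject-c3499c2729730a
      uid: 00000000-0000-0000-0000-000000000000   # placeholder uid
rules:
  - apiGroups: ["velero.io"]
    resources: ["backups"]
    resourceNames: ["nab-nacproject-c3499c2729730a"]
    # resourceNames restricts get directly; list and watch against this
    # rule are authorized only when the client adds a
    # metadata.name field selector naming the same object.
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: nab-nacproject-c3499c2729730a-viewer   # assumed name
  namespace: openshift-adp
  ownerReferences:
    - apiVersion: velero.io/v1
      kind: Backup
      name: nab-nacproject-c3499c2729730a
      uid: 00000000-0000-0000-0000-000000000000   # placeholder uid
subjects:
  # The username is what the admission webhook sees in the request's
  # userInfo for the NonAdminBackup; the Reconcile loop never sees it.
  - kind: User
    name: nacuser
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: nab-nacproject-c3499c2729730a-viewer
  apiGroup: rbac.authorization.k8s.io
```

Because the binding only names one object, a user granted this Role can read that single Backup and nothing else in openshift-adp.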