Why do velero role require wildcard access to all resources.

[dsai1]

What steps did you take and what happened: [A clear and concise description of what the bug is, and what commands you ran.) Our security team have reported security issues with existing velero role. AVD-KSV-0044 - No wildcard verb and resource roles AVD-KSV-0045 - No wildcard verb and resource roles

What did you expect to happen: Can't we limit access to verds and resources it requires.

The output of the following commands will help us better understand what's going on: (Pasting long output into a GitHub gist or other pastebin is fine.)

Anything else you would like to add: [Miscellaneous information that will assist in solving the issue.]

Environment:

• helm version (use helm version): velero-2.29.6
• helm chart version and app version (use helm list -n <YOUR NAMESPACE>):
• Kubernetes version (use kubectl version):
• Kubernetes installer & version:
• Cloud provider or hardware configuration:
• OS (e.g. from /etc/os-release):

[siegenthalerroger]

I mean velero needs to be capable of reading (backups) and writing (restoring) every resource (-type) in the cluster. So by default it needs wildcard access to everything. Assuming you don't backup and restore everything (for example only PV/PVCs) then ofcourse you can limit the role that velero has to match and improve your security posture.

[dsai1]

I have actually restricted the permissions for velero role with all required permissions, i'm getting below error, not sure where exactly it's going wrong.

time="2024-03-15T09:13:40Z" level=error msg="Error patching backup location's last-synced time" backupLocation=aws controller=backup-sync error="backupstoragelocations.velero.io \"aws\" is forbidden: User \"system:serviceaccount:system:velero-extras-1-server\" cannot patch resource \"backupstoragelocations/status\" in API group \"velero.io\" in the namespace \"system\"" error.file="/go/src/github.com/vmware-tanzu/velero/pkg/controller/backup_sync_controller.go:318" error.function="github.com/vmware-tanzu/velero/pkg/controller.(*backupSyncController).run" logSource="pkg/controller/backup_sync_controller.go:318"

apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: velero-extras-1-server namespace: system rules:

• apiGroups:
  • "*" resources:
  • persistentvolumes
  • volumeattachments
  • persistentvolumeclaims
  • persistentvolumeclaims/status
  • storageclasses
  • namespaces
  • nodes
  • pods
  • daemonsets
  • customresourcedefinitions
  • backups
  • schedules
  • volumesnapshotlocations
  • resticrepositories
  • deletebackuprequests
  • podvolumebackups
  • restores
  • serverstatusrequests
  • backupstoragelocations
  • downloadrequests verbs:
  • get
  • list
  • create
  • update
  • delete
  • patch
  • watch

[sseago]

It sounds like you've restricted Velero permissions to the point that Velero can't modify Velero CRs such as BackupStorageLocations.

[dsai1]

@sseago currently we are running velero on eks 1.29 and we need to backup resources to s3 buckets, what are limited permissions that i can give to cluster-role and also need to restrict access to particular resources being used, our security team has raised issue with velero cluster-role having excessive permissions as cluster-admin.

[sseago]

@dsai1 I don't think anyone has gone through and found a minimal set of permissions that still works. It's possible that there is a more restricted set that will still allow all velero functions to work properly, but I don't think we have a specific list. Note that velero will still need to create/modify velero CRs, have access to any namespace being backed up for reading/creating/modifying, as well as for cluster-scoped resources as needed.