search

vmware-tanzu / velero

Backup and migrate Kubernetes applications and their persistent volumes
https://velero.io
Apache License 2.0
8.76k stars 1.41k forks source link

Manage resources from other namespaces #1217

Open renat1sakenov opened 5 years ago

renat1sakenov commented 5 years ago

Hello everyone,

I have a question/feature request. Would it be possible to enable Velero to listen across all namespaces for new backup/restore/schedule resources? Teams working on different projects could manage their backup routines themselves, without having to ask the cluster admin / having access to the heptio-ark namespace.

Or is there already a solution for this case? Currently I create templates that start an ark-pod, from another namespace, with a given task. However, this still gives everyone the possibility to change/add to the template and mess with backups of others.

Thank you.

rosskukulinski commented 5 years ago

Hi @renat1sakenov. We've explicitly locked down Velero to only listen in one namespace because it functions as root in the cluster. Any user that can create backup/restore objects could have an escalation attack against the cluster.

That said, the workflow you're describing (teams should have the ability to do backup/restores inside their namespace) is a good one. This likely won't happen for our 1.0 release, but I could see Velero borrowing from Contour's Delegation/DAG model to enable safe multi-team backup/restore behaviors.

ncdc commented 5 years ago

Dupe of #18?

skriss commented 4 years ago

see #2415 for another instance of this request.

marccampbell commented 4 years ago

Our use case is a slight variation on the above. We have an application that manages applications in multiple namespaces. The application manager exists in namespace A, and it might be managing applications in namespaces B and C. If we require that the application manager have write access to the velero namespace, that's work for the user to configure that RBAC policy. If instead, the application manager was able to write Backup resources to its own namespace ("A" in this case), then the application manager only needs RBAC permissions for itself and the namespaces that it manages.

Additionally, if we currently deploy a Backup resource to a different namespace, it's hard to debug. Nothing happens and there's nothing happening in the cluster, leaving users a little confused about what happened.

mateuszkula1 commented 1 year ago

Hello, Are there any plans to enable this feature? We have similar idea that it would be great for teams to be able to define backup schedule in app namespace with Schedule object.

cjvirtucio87 commented 8 months ago

this feature would be great for allowing teams to self-service their backup schedules