Veeam Kasten RBAC

To provide role-based access for users, Veeam Kasten uses Kubernetes ClusterRoles and the ClusterRoleBindings and RoleBindings that attach them to subjects.

Default Veeam Kasten ClusterRoles

Every Veeam Kasten deployment comes installed with three default Veeam Kasten ClusterRoles: k10-admin, k10-basic, and k10-config-view.

K10-Admin

The k10-admin ClusterRole is useful for administrators who want uninterrupted access to all Veeam Kasten operations.

The k10-admin user is allowed to work with all Veeam Kasten APIs including profiles, policies, policy presets, actions, restore points, transform sets and blueprint bindings.

Note

k10-admin will be installed under the name <release_name>-admin

The following is an example of the k10-admin ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: k10-admin
rules:
- apiGroups:
  - actions.kio.kasten.io
  - apps.kio.kasten.io
  - config.kio.kasten.io
  - reporting.kio.kasten.io
  - vault.kio.kasten.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - cr.kanister.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - create
  - get
  - list

K10-Admin Binding

The k10-admin ClusterRole needs a ClusterRoleBinding, because admin access must be cluster-wide.

Veeam Kasten creates a ClusterRoleBinding for a default Group named k10:admins. Admin users added to the k10:admins Group are able to use the k10-admin ClusterRole shown above.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k10-k10-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k10-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: k10:admins

For individual users and service accounts, create a ClusterRoleBinding to the k10-admin ClusterRole; as above, admin access must be cluster-wide.

To bind the k10-admin ClusterRole to a user, use the following command:

$ kubectl create clusterrolebinding <name> --clusterrole=k10-admin --user=<name>

The above kubectl command creates the following ClusterRoleBinding object:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k10-k10-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k10-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: k10-admin

Alternatively, you can bind the ClusterRole to a ServiceAccount:

$ kubectl create clusterrolebinding <name> --clusterrole=k10-admin \
    --serviceaccount=<serviceaccount_namespace>:<serviceaccount_name>

The above kubectl command creates the following ClusterRoleBinding object:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k10-k10-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k10-admin
subjects:
- kind: ServiceAccount
  name: k10-admin
  namespace: kasten-io

If you want to give k10-admin access to existing users without creating new ClusterRoleBindings, you can add the rules from the k10-admin ClusterRole above to their existing ClusterRoles.

K10-Namespace-Admin

The k10-ns-admin Role is added to grant access to Secrets and ConfigMaps in the Veeam Kasten release namespace.

Note

k10-ns-admin will be installed under the name <release_name>-ns-admin

The following is an example of the k10-ns-admin Role:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: k10-ns-admin
  namespace: <release_ns>
rules:
- apiGroups:
  - ""
  - "apps"
  resources:
  - deployments
  - pods
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - delete
  - get
  - list
  - update
- apiGroups:
  - "batch"
  resources:
  - jobs
  verbs:
  - get

The k10-ns-admin Role needs a RoleBinding in the release namespace.

Veeam Kasten creates a RoleBinding for a default Group k10:admins in the Veeam Kasten release namespace. Admin users can be added to this Group and will be able to use the above k10-ns-admin Role.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: k10-k10-ns-admin
  namespace: kasten-io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: k10-ns-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: k10:admins

To bind the k10-ns-admin Role to a user, use the following command:

$ kubectl create rolebinding <name> --role=k10-ns-admin \
    --namespace=<release_ns> \
    --user=<name>

The above kubectl command creates the following RoleBinding object:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: k10-k10-ns-admin
  namespace: kasten-io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: k10-ns-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: k10-ns-admin

Alternatively, you can bind the Role to a ServiceAccount:

$ kubectl create rolebinding <name> --role=k10-ns-admin \
    --namespace=<release_ns> \
    --serviceaccount=<serviceaccount_namespace>:<serviceaccount_name>

The above kubectl command creates the following RoleBinding object:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: k10-k10-ns-admin
  namespace: kasten-io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: k10-ns-admin
subjects:
- kind: ServiceAccount
  name: k10-ns-admin
  namespace: kasten-io

K10-Basic

K10-Basic ClusterRole

The k10-basic ClusterRole is useful for administrators who want to give some operational Veeam Kasten access to users in specific namespaces.

A user with the k10-basic ClusterRole is allowed to back up and restore applications in the namespaces they have access to. This user can create policies in the application's namespace to back up and export the application. The k10-basic ClusterRole also gives access to view applications, actions, and restore point details in those namespaces, and allows the user to cancel actions there.

Note

k10-basic will be installed under the name <release_name>-basic

The following is an example of the k10-basic ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: k10-basic
rules:
- apiGroups:
  - actions.kio.kasten.io
  resources:
  - backupactions
  - backupactions/details
  - restoreactions
  - restoreactions/details
  - exportactions
  - exportactions/details
  - cancelactions
  - runactions
  - runactions/details
  verbs:
  - '*'
- apiGroups:
  - apps.kio.kasten.io
  resources:
  - restorepoints
  - restorepoints/details
  - applications
  - applications/details
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
- apiGroups:
  - config.kio.kasten.io
  resources:
  - policies
  verbs:
  - '*'

K10-Basic Binding

The k10-basic ClusterRole needs a RoleBinding in the namespace(s) the user needs access to.

To bind the k10-basic ClusterRole to a user in a namespace, use the following command:

$ kubectl create rolebinding <name> --namespace=<namespace> --clusterrole=k10-basic --user=<name>

The above kubectl command creates the following RoleBinding object:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: k10-k10-basic
  namespace: ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k10-basic
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: k10-basic

Alternatively, you can bind the ClusterRole to a ServiceAccount:

$ kubectl create rolebinding <name> --namespace=<namespace> --clusterrole=k10-basic \
    --serviceaccount=<serviceaccount_namespace>:<serviceaccount_name>

The above kubectl command creates the following RoleBinding object:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: k10-k10-basic
  namespace: ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k10-basic
subjects:
- kind: ServiceAccount
  name: k10-basic
  namespace: kasten-io

If you want to give k10-basic access to existing users without creating new RoleBindings, you can add the rules from the k10-basic ClusterRole above to their existing Roles.

K10-Basic-Config ClusterRole

The k10-basic-config ClusterRole can be used by administrators to give basic users access to specific location profiles or blueprints in Veeam Kasten's namespace.

An example of the k10-basic-config ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: k10-basic-config
rules:
- apiGroups:
  - config.kio.kasten.io
  resourceNames:
  - profile1
  resources:
  - profiles
  verbs:
  - get
  - list
- apiGroups:
  - cr.kanister.io
  resourceNames:
  - mysql-blueprint
  resources:
  - blueprints
  verbs:
  - get
  - list

K10-Basic-Config Binding

The k10-basic-config ClusterRole needs a RoleBinding in K10's namespace to give basic users access to specific location profiles or blueprints.

To bind the k10-basic-config ClusterRole to a user, use the following command:

$ kubectl create rolebinding <name> --namespace=kasten-io --clusterrole=k10-basic-config --user=<name>

The above kubectl command creates the following RoleBinding object:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: k10-k10-basic-config
  namespace: kasten-io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k10-basic-config
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: k10-basic

Alternatively, you can bind the ClusterRole to a ServiceAccount:

$ kubectl create rolebinding <name> --namespace=kasten-io --clusterrole=k10-basic-config \
    --serviceaccount=<serviceaccount_namespace>:<serviceaccount_name>

The above kubectl command creates the following RoleBinding object:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: k10-k10-basic-config
  namespace: kasten-io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k10-basic-config
subjects:
- kind: ServiceAccount
  name: k10-basic
  namespace: kasten-io
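The two binding patterns above (k10-basic bound per application namespace, k10-basic-config bound in the release namespace with resourceNames) depend on how Kubernetes evaluates RBAC. The following is an added example, not Veeam Kasten code: a small evaluator of those semantics run over copies of the k10-basic and k10-basic-config rules. The user "alice", the namespace "app1" and the binding layout are constructed for illustration.

```python
# Added example, not Veeam Kasten code: a small evaluator of the Kubernetes RBAC
# semantics the bindings above rely on, run over copies of the k10-basic and
# k10-basic-config rules. Users, namespaces and binding layout are constructed.
ROLES = {
    "k10-basic": [
        {"apiGroups": ["actions.kio.kasten.io"], "verbs": ["*"],
         "resources": ["backupactions", "restoreactions", "exportactions",
                       "cancelactions", "runactions"]},
        {"apiGroups": ["apps.kio.kasten.io"], "verbs": ["*"],
         "resources": ["restorepoints", "applications"]},
        {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get"]},
        {"apiGroups": ["config.kio.kasten.io"], "resources": ["policies"], "verbs": ["*"]},
    ],
    "k10-basic-config": [
        {"apiGroups": ["config.kio.kasten.io"], "resources": ["profiles"],
         "resourceNames": ["profile1"], "verbs": ["get", "list"]},
        {"apiGroups": ["cr.kanister.io"], "resources": ["blueprints"],
         "resourceNames": ["mysql-blueprint"], "verbs": ["get", "list"]},
    ],
}
# Constructed bindings for user "alice", as the rolebinding commands above would create:
# k10-basic scoped to namespace app1, k10-basic-config scoped to the release namespace.
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "app1", "roleRef": "k10-basic", "user": "alice"},
    {"kind": "RoleBinding", "namespace": "kasten-io", "roleRef": "k10-basic-config", "user": "alice"},
]

def rule_allows(rule, group, resource, verb, name):
    """A rule matches only when apiGroup, resource and verb all match ('*' is a wildcard).
    resourceNames narrows it to the listed objects, so a nameless list request is denied."""
    def matches(field, value):
        return value in rule[field] or "*" in rule[field]
    if not (matches("apiGroups", group) and matches("resources", resource)
            and matches("verbs", verb)):
        return False
    names = rule.get("resourceNames")
    return not names or name in names

def can_i(user, verb, group, resource, namespace, name=None):
    """Like `kubectl auth can-i`: a RoleBinding grants its ClusterRole's rules only
    inside the binding's own namespace; with no matching binding the request is denied."""
    for b in BINDINGS:
        if b["user"] != user or b["namespace"] != namespace:
            continue
        if any(rule_allows(r, group, resource, verb, name) for r in ROLES[b["roleRef"]]):
            return True
    return False
```

Against a live cluster the same questions are answered by `kubectl auth can-i <verb> <resource> --namespace <ns> --as <user>`, which is the check to run after creating each binding.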

K10-Config-View

The k10-config-view ClusterRole is useful for administrators who want to give K10 config view access to some users.

The k10-config-view ClusterRole gives a user read-only access to K10 config information, including profiles, policies, policy presets, transform sets and blueprint bindings on the dashboard.

Note

k10-config-view will be installed under the name <release_name>-config-view

The following is an example of the k10-config-view ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: k10-config-view
rules:
- apiGroups:
  - config.kio.kasten.io
  resources:
  - profiles
  - policies
  - policypresets
  - transformsets
  - blueprintbindings
  - storagesecuritycontext
  - storagesecuritycontextbinding
  verbs:
  - get
  - list

K10-Config-View Binding

The k10-config-view ClusterRole needs a ClusterRoleBinding. The config-view access needs to be cluster-wide.

To bind the k10-config-view ClusterRole to a user, use the following command:

$ kubectl create clusterrolebinding <name> --clusterrole=k10-config-view --user=<name>

The above kubectl command creates the following ClusterRoleBinding object:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k10-k10-config-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k10-config-view
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: k10-config-view

Alternatively, you can bind the ClusterRole to a ServiceAccount:

$ kubectl create clusterrolebinding <name> --clusterrole=k10-config-view \
    --serviceaccount=<serviceaccount_namespace>:<serviceaccount_name>

The above kubectl command creates the following ClusterRoleBinding object:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k10-k10-config-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k10-config-view
subjects:
- kind: ServiceAccount
  name: k10-config-view
  namespace: kasten-io

If you want to give k10-config-view access to existing users without creating new ClusterRoleBindings, you can add the rules from the k10-config-view ClusterRole above to their existing ClusterRoles.

RBAC Permissions

To view Kubernetes RBAC objects on the K10 Dashboard UI, users need additional RBAC permissions.

The following ClusterRole grants permission to get and list Kubernetes RBAC objects across the cluster.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: rbac-all-cluster-role
rules:
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - '*'
  verbs:
  - list
  - get

Warning

Although you can grant additional verbs such as create, update, and delete, doing so allows users to escalate their own privileges: with write access to RBAC objects they can grant themselves administrative privileges.

Please refer to Kubernetes documentation for more details.
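The warning above is easy to check for mechanically. The following is an added example, not Veeam Kasten code: an audit that flags any (Cluster)Role rule granting a write verb on rbac.authorization.k8s.io resources. rbac-all-cluster-role is copied from the page; rbac-rw-cluster-role is a constructed counter-example of the grant the warning cautions against.

```python
# Added example, not Veeam Kasten code: an audit that flags (Cluster)Role rules which
# would let a subject modify RBAC objects, the self-escalation path the warning above
# describes. rbac-all-cluster-role is copied from the page; rbac-rw-cluster-role is a
# constructed counter-example.
RBAC_GROUP = "rbac.authorization.k8s.io"
# Verbs that let a subject change who is allowed what. create/update/delete are the ones
# the warning names; patch is another write verb, and bind/escalate are the verbs
# Kubernetes itself uses to gate privilege escalation through RBAC.
WRITE_VERBS = {"create", "update", "patch", "delete", "bind", "escalate", "*"}

RBAC_ALL_CLUSTER_ROLE = {
    "name": "rbac-all-cluster-role",
    "rules": [{"apiGroups": [RBAC_GROUP], "resources": ["*"], "verbs": ["list", "get"]}],
}
RBAC_RW_CLUSTER_ROLE = {
    "name": "rbac-rw-cluster-role",
    "rules": [
        {"apiGroups": [RBAC_GROUP], "resources": ["roles"], "verbs": ["get", "list"]},
        {"apiGroups": [RBAC_GROUP], "resources": ["clusterrolebindings"],
         "verbs": ["get", "list", "create"]},
    ],
}

def escalation_findings(role):
    """Return (rule index, resources, risky verbs) for each rule that grants a write
    verb on any rbac.authorization.k8s.io resource; read-only rules produce nothing."""
    findings = []
    for i, rule in enumerate(role["rules"]):
        if RBAC_GROUP not in rule["apiGroups"] and "*" not in rule["apiGroups"]:
            continue
        risky = sorted(WRITE_VERBS & set(rule["verbs"]))
        if risky:
            findings.append((i, list(rule["resources"]), risky))
    return findings

def audit(roles):
    """Map role name -> findings, listing only the roles that need review."""
    report = {}
    for role in roles:
        findings = escalation_findings(role)
        if findings:
            report[role["name"]] = findings
    return report
```

The same check can be fed the output of `kubectl get clusterroles -o json` to review every role in a cluster, not only the ones on this page.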

A corresponding ClusterRoleBinding is needed to bind the ClusterRole to users and groups.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: rbac-all-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rbac-all-cluster-role
subjects:
- kind: User
  name: rbac-user