StorageSecurityContext
A StorageSecurityContext custom resource (CR) represents pod security context settings to access target storage to execute backup and restore operations. Once the StorageSecurityContext is created and bound to specific storage using StorageSecurityContextBinding, Veeam Kasten will use the parameters set in the StorageSecurityContext for its internal pods, which access bound storage.
Note
StorageSecurityContextBinding
StorageSecurityContextBinding binds a StorageSecurityContext to a storage.
Warning
Bindings might be one of three types:
Volume - binds StorageSecurityContext to a PV.
StorageClass - binds StorageSecurityContext to a StorageClass.
Provisioner - binds StorageSecurityContext to a Provisioner.
Example of StorageSecurityContext and StorageSecurityContextBindings Usage
As an example, an NFS storage with the filestore.csi.storage.gke.io StorageClass is used.
- To enable snapshotting for NFS storage in rootless mode, two requirements must be met:
NFS CSI driver should support VolumeSnapshots
NFS CSI driver should support fsGroup
Note
In this example, only UID and GID are set in the StorageSecurityContext. However, if a target storage contains files or directories owned by several different GIDs, SupplementalGroup should also be used to enable Veeam Kasten to read all the data. Please note that after the restore, the owner of files and directories will be set to the UID and GID specified in the StorageSecurityContext.
Create a StorageSecurityContext
The following example illustrates how to create a StorageSecurityContext for NFS storage:
$ cat > sample-storage-security-context.yaml << EOF
apiVersion: config.kio.kasten.io/v1alpha1
kind: StorageSecurityContext
metadata:
name: "sample-storage-security-context"
namespace: kasten-io
spec:
security:
userId: 1005
groupId: 1006
supplementalGroups: []
EOF
$ kubectl apply -f sample-storage-security-context.yaml
storagesecuritycontext.config.kio.kasten.io/sample-storage-security-context added
# make sure it initializes and validates properly
$ kubectl get storagesecuritycontext.config.kio.kasten.io --namespace kasten-io
For complete documentation of StorageSecurityContext CR, please refer to StorageSecurityContext API Type.
When the StorageSecurityContext is applied, Veeam Kasten will start a pod that reads the target storage with UID=1005 and GID=1006. If the target storage contains files owned by other users, which cannot be accessed by the provided UID and GID, Veeam Kasten will fail to complete the Export process.
Create a StorageSecurityContextBinding
The following example illustrates how to create a StorageSecurityContextBinding to bind the StorageSecurityContext named "sample-storage-security-context" to all storages created with filestore.csi.storage.gke.io Provisioner.
Warning
$ cat > sample-storage-security-context-binding.yaml << EOF
apiVersion: config.kio.kasten.io/v1alpha1
kind: StorageSecurityContextBinding
metadata:
name: sample-storage-security-context-binding
namespace: kasten-io
spec:
storageSecurityContextRef:
name: sample-storage-security-context
subjects:
- kind: Provisioner
name: "filestore.csi.storage.gke.io"
EOF
$ kubectl apply -f sample-storage-security-context-binding.yaml
storagesecuritycontextbinding.config.kio.kasten.io/sample-storage-security-context-binding added
# make sure it initializes and validates properly
$ kubectl get storagesecuritycontextbinding.config.kio.kasten.io --namespace kasten-io
For complete documentation of StorageSecurityContextBinding CR, please refer to StorageSecurityContextBinding API Type.
StorageSecurityContext API Type
# Standard Kubernetes API Version declaration. Required.
apiVersion: config.kio.kasten.io/v1alpha1
# Standard Kubernetes Kind declaration. Required.
kind: StorageSecurityContext
# Standard Kubernetes metadata. Required.
metadata:
# StorageSecurityContext name. May be any valid Kubernetes object name. Required.
# StorageSecurityContext name is not mutable once created.
name: sample-storagesecuritycontext
# StorageSecurityContext namespace. Required. Must be the namespace where Veeam Kasten is installed.
namespace: kasten-io
# StorageSecurityContext parameters. Required
spec:
# Security-related parmaeters for StorageSecurityContext. Required
security:
# Internal pods which work with the storage will use this field as UID
# Optional
userId: 0
# Internal pods which work with the storage will use this field as GID
# Optional
groupId: 0
# Groups set in this field will be added to the internal pods which work with the storage
# Optional
supplementalGroups: []
StorageSecurityContextBinding API Type
# Standard Kubernetes API Version declaration. Required.
apiVersion: config.kio.kasten.io/v1alpha1
# Standard Kubernetes Kind declaration. Required.
kind: StorageSecurityContextBinding
# Standard Kubernetes metadata. Required.
metadata:
# StorageSecurityContextBinding name. May be any valid Kubernetes object name. Required.
# StorageSecurityContextBinding name is not mutable once created.
name: sample-storagesecuritycontextbinding
# StorageSecurityContextBinding namespace. Required. Must be the namespace where Veeam Kasten is installed.
namespace: kasten-io
# StorageSecurityContext parameters. Required
spec:
# Reference to StorageSecurityContext which will be applied to subjects
storageSecurityContextRef:
name: sample-storagesecuritycontext
# List of selectors to select storages where StorageSecurityContext will be applied to
subjects:
# Possible values Volume, StorageClass, Provisioner
- kind: StorageClass
name: "sample-storageclass"
# Namespace is used only in a case when kind=Volume
namespace: ""