StorageSecurityContext

A StorageSecurityContext custom resource (CR) represents pod security context settings to access target storage to execute backup and restore operations. Once the StorageSecurityContext is created and bound to specific storage using StorageSecurityContextBinding, K10 will use the parameters set in the StorageSecurityContext for its internal pods, which access bound storage.

Note

If the target storage type is NFS and a StorageSecurityContext is used for restoration, the owner of the restored files and directories will be set to the UID and GID specified in the StorageSecurityContext.

StorageSecurityContextBinding

StorageSecurityContextBinding binds a StorageSecurityContext to a storage.

Warning

Only a single binding of a particular type can be created for a storage. If multiple bindings with the same type are found, K10 will stop execution with an error.

Bindings might be one of three types:

  • Volume - binds StorageSecurityContext to a PV.

  • StorageClass - binds StorageSecurityContext to a StorageClass.

  • Provisioner - binds StorageSecurityContext to a Provisioner.

Example of StorageSecurityContext and StorageSecurityContextBindings Usage

As an example, an NFS storage with the filestore.csi.storage.gke.io StorageClass is used.

To enable snapshotting for NFS storage in rootless mode, two requirements must be met:
  • NFS CSI driver should support VolumeSnapshots

  • NFS CSI driver should support fsGroup

Note

If you have a lost+found directory on the target volume, you can either remove it or change the owner's GID to match the GID set for the other files on the volume. This adjustment will allow K10 to read the directory. By default, the lost+found directory has UID=root and GID=root, making it unreadable in rootless mode.

In this example, only UID and GID are set in the StorageSecurityContext. However, if a target storage contains files or directories owned by several different GIDs, SupplementalGroup should also be used to enable K10 to read all the data. Please note that after the restore, the owner of files and directories will be set to the UID and GID specified in the StorageSecurityContext.

Create a StorageSecurityContext

The following example illustrates how to create a StorageSecurityContext for NFS storage:

$ cat > sample-storage-security-context.yaml << EOF
apiVersion: config.kio.kasten.io/v1alpha1
kind: StorageSecurityContext
metadata:
  name: "sample-storage-security-context"
  namespace: kasten-io
spec:
  security:
    userId: 1005
    groupId: 1006
    supplementalGroups: []
EOF

$ kubectl apply -f sample-storage-security-context.yaml
storagesecuritycontext.config.kio.kasten.io/sample-storage-security-context added

# make sure it initializes and validates properly
$ kubectl get storagesecuritycontext.config.kio.kasten.io --namespace kasten-io

For complete documentation of StorageSecurityContext CR, please refer to StorageSecurityContext API Type.

When the StorageSecurityContext is applied, K10 will start a pod that reads the target storage with UID=1005 and GID=1006. If the target storage contains files owned by other users, which cannot be accessed by the provided UID and GID, K10 will fail to complete the Export process.

Create a StorageSecurityContextBinding

The following example illustrates how to create a StorageSecurityContextBinding to bind the StorageSecurityContext named "sample-storage-security-context" to all storages created with filestore.csi.storage.gke.io Provisioner.

Warning

When creating a StorageSecurityContextBinding, make sure to create a StorageSecurityContext first. Otherwise, the validation of the StorageSecurityContextBinding will fail.
$ cat > sample-storage-security-context-binding.yaml << EOF
apiVersion: config.kio.kasten.io/v1alpha1
kind: StorageSecurityContextBinding
metadata:
  name: sample-storage-security-context-binding
spec:
  storageSecurityContextRef:
    name: sample-storage-security-context
  subjects:
    - kind: Provisioner
      name: "filestore.csi.storage.gke.io"
EOF

$ kubectl apply -f sample-storage-security-context-binding.yaml
storagesecuritycontextbinding.config.kio.kasten.io/sample-storage-security-context-binding added

# make sure it initializes and validates properly
$ kubectl get storagesecuritycontextbinding.config.kio.kasten.io --namespace kasten-io

For complete documentation of StorageSecurityContextBinding CR, please refer to StorageSecurityContextBinding API Type.

StorageSecurityContext API Type

# Standard Kubernetes API Version declaration. Required.
apiVersion: config.kio.kasten.io/v1alpha1
# Standard Kubernetes Kind declaration. Required.
kind: StorageSecurityContext
# Standard Kubernetes metadata. Required.
metadata:
  # StorageSecurityContext name. May be any valid Kubernetes object name. Required.
  # StorageSecurityContext name is not mutable once created.
  name: "sample-storagesecuritycontext"
  # StorageSecurityContext namespace. Required. Must be the namespace where K10 is installed.
  namespace: "kasten-io"
# StorageSecurityContext parameters. Required
spec:
  # Security-related parmaeters for StorageSecurityContext. Required
  security:
    # Internal pods which work with the storage will use this field as UID
    # Optional
    userId: 0
    # Internal pods which work with the storage will use this field as GID
    # Optional
    groupId: 0
    # Groups set in this field will be added to the internal pods which work with the storage
    # Optional
    supplementalGroups: []

StorageSecurityContextBinding API Type

# Standard Kubernetes API Version declaration. Required.
apiVersion: config.kio.kasten.io/v1alpha1
# Standard Kubernetes Kind declaration. Required.
kind: StorageSecurityContextBinding
# Standard Kubernetes metadata. Required.
metadata:
  # StorageSecurityContextBinding name. May be any valid Kubernetes object name. Required.
  # StorageSecurityContextBinding name is not mutable once created.
  name: sample-storagesecuritycontextbinding
  # StorageSecurityContextBinding namespace. Required. Must be the namespace where K10 is installed.
  namespace: kasten-io
# StorageSecurityContext parameters. Required
spec:
  # Reference to StorageSecurityContext which will be applied to subjects
  storageSecurityContextRef:
    name: sample-storagesecuritycontext
  # List of selectors to select storages where StorageSecurityContext will be applied to
  subjects:
      # Possible values Volume, StorageClass, Provisioner
    - kind: StorageClass
      name: "sample-storageclass"
      # Namespace is used only in a case when kind=Volume
      namespace: ""