From 2e7cfa1623cd2e22eb4993a8c07d91857c309e63 Mon Sep 17 00:00:00 2001
From: Shruti Deshpande
Date: Thu, 21 Aug 2025 17:33:08 +0530
Subject: [PATCH] OADP-5959-node-agent-non-root

Signed-off-by: Shruti Deshpande
---
 .../installing/installing-oadp-aws.adoc | 1 +
 .../installing/installing-oadp-azure.adoc | 1 +
 .../installing/installing-oadp-gcp.adoc | 1 +
 .../installing/installing-oadp-kubevirt.adoc | 2 +
 .../installing/installing-oadp-mcg.adoc | 1 +
 .../installing/installing-oadp-ocs.adoc | 1 +
 .../oadp-configuring-node-agent-non-root.adoc | 121 ++++++++++++++++++
 7 files changed, 128 insertions(+)
 create mode 100644 modules/oadp-configuring-node-agent-non-root.adoc

diff --git a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc
index ff83c18990..d3b2250563 100644
--- a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc
+++ b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc
@@ -55,6 +55,7 @@ include::modules/oadp-configuring-node-agents.adoc[leveloffset=+2]
 include::modules/oadp-configuring-aws-md5sum.adoc[leveloffset=+1]
 include::modules/oadp-configuring-client-burst-qps.adoc[leveloffset=+1]
 include::modules/oadp-configuring-node-agent-load-concurrency.adoc[leveloffset=+1]
+include::modules/oadp-configuring-node-agent-non-root.adoc[leveloffset=+1]
 include::modules/oadp-configuring-imagepullpolicy.adoc[leveloffset=+1]
 include::modules/oadp-configuring-dpa-multiple-bsl.adoc[leveloffset=+1]
 include::modules/oadp-enabling-csi-dpa.adoc[leveloffset=+2]
diff --git a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc
index 31d720dec2..e53ce59b4d 100644
--- a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc
+++ b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc
@@ -42,6 +42,7 @@ include::modules/oadp-using-ca-certificates-with-velero-command.adoc[leveloffset
 include::modules/oadp-installing-dpa-1-3.adoc[leveloffset=+1]
 include::modules/oadp-configuring-client-burst-qps.adoc[leveloffset=+1]
 include::modules/oadp-configuring-node-agent-load-concurrency.adoc[leveloffset=+1]
+include::modules/oadp-configuring-node-agent-non-root.adoc[leveloffset=+1]
 include::modules/oadp-configuring-imagepullpolicy.adoc[leveloffset=+1]
 include::modules/oadp-configuring-node-agents.adoc[leveloffset=+2]
 include::modules/oadp-enabling-csi-dpa.adoc[leveloffset=+2]
diff --git a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-gcp.adoc b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-gcp.adoc
index 30b052d138..1e8a760dd2 100644
--- a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-gcp.adoc
+++ b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-gcp.adoc
@@ -43,6 +43,7 @@ include::modules/oadp-gcp-wif-cloud-authentication.adoc[leveloffset=+1]
 include::modules/oadp-installing-dpa-1-3.adoc[leveloffset=+1]
 include::modules/oadp-configuring-client-burst-qps.adoc[leveloffset=+1]
 include::modules/oadp-configuring-node-agent-load-concurrency.adoc[leveloffset=+1]
+include::modules/oadp-configuring-node-agent-non-root.adoc[leveloffset=+1]
 include::modules/oadp-configuring-imagepullpolicy.adoc[leveloffset=+1]
 include::modules/oadp-configuring-node-agents.adoc[leveloffset=+2]
 include::modules/oadp-enabling-csi-dpa.adoc[leveloffset=+2]
diff --git a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-kubevirt.adoc b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-kubevirt.adoc
index 13f0630fc8..bcd4c0821f 100644
--- a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-kubevirt.adoc
+++ b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-kubevirt.adoc
@@ -49,6 +49,8 @@ include::modules/oadp-backup-single-vm.adoc[leveloffset=+1]
 include::modules/oadp-restore-single-vm.adoc[leveloffset=+1]
 include::modules/oadp-restore-single-vm-from-multiple-vm-backup.adoc[leveloffset=+1]
 include::modules/oadp-configuring-client-burst-qps.adoc[leveloffset=+1]
+include::modules/oadp-configuring-node-agent-load-concurrency.adoc[leveloffset=+1]
+include::modules/oadp-configuring-node-agent-non-root.adoc[leveloffset=+1]
 include::modules/oadp-configuring-imagepullpolicy.adoc[leveloffset=+1]
 include::modules/oadp-configuring-node-agents.adoc[leveloffset=+2]
 include::modules/oadp-incremental-backup-support.adoc[leveloffset=+1]
diff --git a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-mcg.adoc b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-mcg.adoc
index bd98c5c27e..7ff9dbc8ca 100644
--- a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-mcg.adoc
+++ b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-mcg.adoc
@@ -47,6 +47,7 @@ include::modules/oadp-using-ca-certificates-with-velero-command.adoc[leveloffset
 include::modules/oadp-installing-dpa-1-3.adoc[leveloffset=+1]
 include::modules/oadp-configuring-client-burst-qps.adoc[leveloffset=+1]
 include::modules/oadp-configuring-node-agent-load-concurrency.adoc[leveloffset=+1]
+include::modules/oadp-configuring-node-agent-non-root.adoc[leveloffset=+1]
 include::modules/oadp-configuring-imagepullpolicy.adoc[leveloffset=+1]
 include::modules/oadp-configuring-node-agents.adoc[leveloffset=+2]
 include::modules/oadp-enabling-csi-dpa.adoc[leveloffset=+2]
diff --git a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-ocs.adoc b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-ocs.adoc
index 1a7aae960c..ffb947b231 100644
--- a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-ocs.adoc
+++ b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-ocs.adoc
@@ -52,6 +52,7 @@ include::modules/oadp-using-ca-certificates-with-velero-command.adoc[leveloffset
 include::modules/oadp-installing-dpa-1-3.adoc[leveloffset=+1]
 include::modules/oadp-configuring-client-burst-qps.adoc[leveloffset=+1]
 include::modules/oadp-configuring-node-agent-load-concurrency.adoc[leveloffset=+1]
+include::modules/oadp-configuring-node-agent-non-root.adoc[leveloffset=+1]
 include::modules/oadp-configuring-imagepullpolicy.adoc[leveloffset=+1]
 include::modules/oadp-configuring-node-agents.adoc[leveloffset=+2]
 include::modules/oadp-creating-object-bucket-claim.adoc[leveloffset=+2]
diff --git a/modules/oadp-configuring-node-agent-non-root.adoc b/modules/oadp-configuring-node-agent-non-root.adoc
new file mode 100644
index 0000000000..91e40fe1a3
--- /dev/null
+++ b/modules/oadp-configuring-node-agent-non-root.adoc
@@ -0,0 +1,121 @@
+// Module included in the following assemblies:
+//
+// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc
+// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc
+// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-gcp.adoc
+// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-mcg.adoc
+// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-ocs.adoc
+// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-kubevirt.adoc
+
+
+:_mod-docs-content-type: PROCEDURE
+[id="oadp-configuring-node-agent-non-root_{context}"]
+= Configuring the node agent as a non-root and non-privileged user
+
+[role="_abstract"]
+To enhance the node agent security, you can configure the {oadp-short} Operator node agent daemonset to run as a non-root and non-privileged user by using the `spec.configuration.velero.disableFsBackup` setting in the `DataProtectionApplication` (DPA) custom resource (CR).
+
+By setting the `spec.configuration.velero.disableFsBackup` setting to `true`, the node agent security context sets the root file system to read-only and sets the `privileged` flag to `false`.
+
+[NOTE]
+====
+Setting `spec.configuration.velero.disableFsBackup` to `true` enhances the node agent security by removing the need for privileged containers and enforcing a read-only root file system.
+
+However, it also disables File System Backup (FSB) with Kopia. If your workloads rely on FSB for backing up volumes that do not support native snapshots, then you should evaluate whether the `disableFsBackup` configuration fits your use case.
+====
+
+.Prerequisites
+
+* You have installed the {oadp-short} Operator.
+
+.Procedure
+
+* Configure the `disableFsBackup` field in the DPA as shown in the following example:
++
+[source,yaml]
+----
+apiVersion: oadp.openshift.io/v1alpha1
+kind: DataProtectionApplication
+metadata:
+ name: ts-dpa
+ namespace: openshift-adp
+spec:
+ backupLocations:
+ - velero:
+ credential:
+ key: cloud
+ name: cloud-credentials
+ default: true
+ objectStorage:
+ bucket:
+ prefix: velero
+ provider: gcp
+ configuration:
+ nodeAgent: # <1>
+ enable: true
+ uploaderType: kopia
+ velero:
+ defaultPlugins:
+ - csi
+ - gcp
+ - openshift
+ disableFsBackup: true # <2>
+----
+<1> Enable the node agent in the DPA.
+<2> Set the `disableFsBackup` field to `true`.
+
+
+.Verification
+
+. Verify that the node agent security context is set to run as non-root and the root file system is `readOnly` by running the following command:
++
+[source,terminal]
+----
+$ oc get daemonset node-agent -o yaml
+----
++
+The example output is as following:
++
+[source,yaml]
+----
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ ...
+ name: node-agent
+ namespace: openshift-adp
+ ...
+spec:
+ ...
+ template:
+ metadata:
+ ...
+ spec:
+ containers:
+ ...
+ securityContext:
+ allowPrivilegeEscalation: false # <1>
+ capabilities:
+ drop:
+ - ALL
+ privileged: false # <2>
+ readOnlyRootFilesystem: true # <3>
+ ...
+ nodeSelector:
+ kubernetes.io/os: linux
+ os:
+ name: linux
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext:
+ runAsNonRoot: true # <4>
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccount: velero
+ serviceAccountName: velero
+ ....
+----
+<1> The `allowPrivilegeEscalation` field is false.
+<2> The `privileged` field is false.
+<3> The root file system is read-only.
+<4> The node agent is run as a non-root user.
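Review bot: The verification command `$ oc get daemonset node-agent -o yaml` names no namespace, so it only succeeds when the current project happens to be `openshift-adp`, which is the namespace both example manifests in this module use; it should read `$ oc get daemonset node-agent -n openshift-adp -o yaml`. The NOTE says `disableFsBackup: true` disables File System Backup with Kopia, yet the DPA example still enables the node agent with `uploaderType: kopia` under callout <1>, and nothing tells the reader why the node agent is still needed; a sentence at callout <1> stating what the node agent still does once FSB is disabled (presumably CSI snapshot data movement, please confirm) would remove the apparent contradiction. The verification also inspects only the DaemonSet manifest, which reflects the operator's intent rather than the running state; adding a step that confirms the node-agent pods are in `Running` state in `openshift-adp` would catch pods that fail to start under the restricted security context.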