openshift-docs/modules/oadp-configuring-node-agent-non-root.adoc
Shruti Deshpande ab7ef76d70 fix callouts and dits errors in AWS
Signed-off-by: Shruti Deshpande <shdeshpa@redhat.com>
2026-01-20 11:22:15 +05:30


// Module included in the following assemblies:
//
// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc
// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc
// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-gcp.adoc
// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-mcg.adoc
// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-ocs.adoc
// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-kubevirt.adoc
:_mod-docs-content-type: PROCEDURE
[id="oadp-configuring-node-agent-non-root_{context}"]
= Configuring the node agent as a non-root and non-privileged user
[role="_abstract"]
To enhance the node agent security, you can configure the {oadp-short} Operator node agent daemonset to run as a non-root and non-privileged user by using the `spec.configuration.velero.disableFsBackup` setting in the `DataProtectionApplication` (DPA) custom resource (CR).
When you set `spec.configuration.velero.disableFsBackup` to `true`, the node agent security context sets the root file system to read-only and sets the `privileged` flag to `false`.
[NOTE]
====
Setting `spec.configuration.velero.disableFsBackup` to `true` enhances the node agent security by removing the need for privileged containers and enforcing a read-only root file system.
However, it also disables File System Backup (FSB) with Kopia. If your workloads rely on FSB for backing up volumes that do not support native snapshots, then you should evaluate whether the `disableFsBackup` configuration fits your use case.
====
.Prerequisites
* You have installed the {oadp-short} Operator.
.Procedure
* Configure the `disableFsBackup` field in the DPA as shown in the following example:
+
[source,yaml]
----
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: ts-dpa
  namespace: openshift-adp
spec:
  backupLocations:
  - velero:
      credential:
        key: cloud
        name: cloud-credentials
      default: true
      objectStorage:
        bucket: <bucket_name>
        prefix: velero
      provider: gcp
  configuration:
    nodeAgent:
      enable: true
      uploaderType: kopia
    velero:
      defaultPlugins:
      - csi
      - gcp
      - openshift
      disableFsBackup: true
----
+
where:
+
`nodeAgent`:: Enables the node agent in the DPA.
`disableFsBackup`:: Set to `true` so that the node agent runs as a non-root and non-privileged user.
.Verification
. Verify that the node agent security context is set to run as non-root and the root file system is `readOnly` by running the following command:
+
[source,terminal]
----
$ oc get daemonset node-agent -o yaml
----
+
The example output is as follows:
+
[source,yaml]
----
apiVersion: apps/v1
kind: DaemonSet
metadata:
  ...
  name: node-agent
  namespace: openshift-adp
  ...
spec:
  ...
  template:
    metadata:
      ...
    spec:
      containers:
        ...
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
        ...
      nodeSelector:
        kubernetes.io/os: linux
      os:
        name: linux
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      serviceAccount: velero
      serviceAccountName: velero
      ...
----
+
where:
+
`allowPrivilegeEscalation`:: Specifies that the container cannot gain more privileges than its parent process; the field is `false`.
`privileged`:: Specifies that the container does not run in privileged mode; the field is `false`.
`readOnlyRootFilesystem`:: Specifies that the root file system of the container is read-only.
`runAsNonRoot`:: Specifies that the node agent pod runs as a non-root user.
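The verification step above can be automated. The following Python script is an added example, not part of this module or of the {oadp-short} Operator: it applies the same checks to a DaemonSet object in the form returned by `oc get daemonset node-agent -o json`. The two sample objects are constructed here to mirror the hardened example output and a node agent that still runs privileged; the field names are the ones shown in the example output.

```python
import json

# Hardened values that the example output above shows once disableFsBackup is true.
EXPECTED_CONTAINER = {"privileged": False, "allowPrivilegeEscalation": False,
                      "readOnlyRootFilesystem": True}
EXPECTED_POD = {"runAsNonRoot": True}


def check_node_agent(daemonset):
    """Return a list of findings for a DaemonSet object; empty means it is hardened."""
    findings = []
    pod_spec = daemonset.get("spec", {}).get("template", {}).get("spec", {})
    pod_sc = pod_spec.get("securityContext") or {}
    for key, want in EXPECTED_POD.items():
        if pod_sc.get(key) is not want:
            findings.append(f"pod securityContext.{key}={pod_sc.get(key)!r}, want {want!r}")
    if (pod_sc.get("seccompProfile") or {}).get("type") != "RuntimeDefault":
        findings.append("pod seccompProfile.type is not RuntimeDefault")
    containers = pod_spec.get("containers") or []
    if not containers:
        findings.append("pod template has no containers")
    for c in containers:
        name, sc = c.get("name", "<unnamed>"), c.get("securityContext") or {}
        for key, want in EXPECTED_CONTAINER.items():
            if sc.get(key) is not want:
                findings.append(f"container {name}: {key}={sc.get(key)!r}, want {want!r}")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            findings.append(f"container {name}: capabilities.drop lacks ALL")
    return findings


# Constructed sample mirroring `oc get daemonset node-agent -o json` after
# disableFsBackup: true; only the fields the check inspects are included.
HARDENED = {"kind": "DaemonSet", "metadata": {"name": "node-agent"},
            "spec": {"template": {"spec": {
                "containers": [{"name": "node-agent", "securityContext": {
                    "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]},
                    "privileged": False, "readOnlyRootFilesystem": True}}],
                "securityContext": {"runAsNonRoot": True,
                                    "seccompProfile": {"type": "RuntimeDefault"}}}}}}

# Constructed sample of a node agent that still runs privileged for file system backup.
PRIVILEGED = json.loads(json.dumps(HARDENED))
PRIVILEGED["spec"]["template"]["spec"]["containers"][0]["securityContext"].update(
    {"privileged": True, "readOnlyRootFilesystem": False})
del PRIVILEGED["spec"]["template"]["spec"]["securityContext"]["runAsNonRoot"]

if __name__ == "__main__":
    # For a live cluster, replace HARDENED with json.load(sys.stdin) fed by `oc ... -o json`.
    for label, obj in (("hardened", HARDENED), ("privileged", PRIVILEGED)):
        print(label, check_node_agent(obj) or ["OK"])
```

Run it against live output with `oc get daemonset node-agent -n openshift-adp -o json`; a non-empty findings list means the DaemonSet is not yet running with the non-root, non-privileged security context.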