mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 21:46:22 +01:00
122 lines
3.6 KiB
Plaintext
122 lines
3.6 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc
|
|
// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc
|
|
// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-gcp.adoc
|
|
// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-mcg.adoc
|
|
// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-ocs.adoc
|
|
// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-kubevirt.adoc
|
|
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="oadp-configuring-node-agent-non-root_{context}"]
|
|
= Configuring the node agent as a non-root and non-privileged user
|
|
|
|
[role="_abstract"]
|
|
To enhance the node agent security, you can configure the {oadp-short} Operator node agent daemonset to run as a non-root and non-privileged user by using the `spec.configuration.velero.disableFsBackup` setting in the `DataProtectionApplication` (DPA) custom resource (CR).
|
|
|
|
By setting the `spec.configuration.velero.disableFsBackup` setting to `true`, the node agent security context sets the root file system to read-only and sets the `privileged` flag to `false`.
|
|
|
|
[NOTE]
|
|
====
|
|
Setting `spec.configuration.velero.disableFsBackup` to `true` enhances the node agent security by removing the need for privileged containers and enforcing a read-only root file system.
|
|
|
|
However, it also disables File System Backup (FSB) with Kopia. If your workloads rely on FSB for backing up volumes that do not support native snapshots, then you should evaluate whether the `disableFsBackup` configuration fits your use case.
|
|
====
|
|
|
|
.Prerequisites
|
|
|
|
* You have installed the {oadp-short} Operator.
|
|
|
|
.Procedure
|
|
|
|
* Configure the `disableFsBackup` field in the DPA as shown in the following example:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: oadp.openshift.io/v1alpha1
|
|
kind: DataProtectionApplication
|
|
metadata:
|
|
name: ts-dpa
|
|
namespace: openshift-adp
|
|
spec:
|
|
backupLocations:
|
|
- velero:
|
|
credential:
|
|
key: cloud
|
|
name: cloud-credentials
|
|
default: true
|
|
objectStorage:
|
|
bucket: <bucket_name>
|
|
prefix: velero
|
|
provider: gcp
|
|
configuration:
|
|
nodeAgent: # <1>
|
|
enable: true
|
|
uploaderType: kopia
|
|
velero:
|
|
defaultPlugins:
|
|
- csi
|
|
- gcp
|
|
- openshift
|
|
disableFsBackup: true # <2>
|
|
----
|
|
<1> Enable the node agent in the DPA.
|
|
<2> Set the `disableFsBackup` field to `true`.
|
|
|
|
|
|
.Verification
|
|
|
|
. Verify that the node agent security context is set to run as non-root and the root file system is `readOnly` by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get daemonset node-agent -o yaml
|
|
----
|
|
+
|
|
The example output is as following:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: apps/v1
|
|
kind: DaemonSet
|
|
metadata:
|
|
...
|
|
name: node-agent
|
|
namespace: openshift-adp
|
|
...
|
|
spec:
|
|
...
|
|
template:
|
|
metadata:
|
|
...
|
|
spec:
|
|
containers:
|
|
...
|
|
securityContext:
|
|
allowPrivilegeEscalation: false # <1>
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
privileged: false # <2>
|
|
readOnlyRootFilesystem: true # <3>
|
|
...
|
|
nodeSelector:
|
|
kubernetes.io/os: linux
|
|
os:
|
|
name: linux
|
|
restartPolicy: Always
|
|
schedulerName: default-scheduler
|
|
securityContext:
|
|
runAsNonRoot: true # <4>
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
serviceAccount: velero
|
|
serviceAccountName: velero
|
|
....
|
|
----
|
|
<1> The `allowPrivilegeEscalation` field is false.
|
|
<2> The `privileged` field is false.
|
|
<3> The root file system is read-only.
|
|
<4> The node agent is run as a non-root user.
|