Creating a Kubernetes Custom ClusterRole

You can create a custom ClusterRole to perform the Commvault backups and restores. The role is then bind to the service account.

Before You Begin

You must have a service account that meets the following requirements:

  • Has, at a minimum, read-only (GET API verb permission) for all the API resources/objects that you want Commvault to protect.

  • Can run the kubectl api-resources command against the cluster that you want to protect.

  • Can create new ClusterRole API resources to create the restricted role on the cluster.

The permissions for resources and sub-resources are as follows:

Resources and sub-resources



* [All]

All resources obtained by the kubectl api-resources command

* [All]


  1. Download the following Linux bash script. The script is used to create the Kubernetes role that is required to perform Commvault backups and restores.

  2. On a host that has access to the Kubernetes cluster that you want Commvault to protect, run the following command to create the custom ClusterRole definition:

    ./ | kubectl apply -f -
  3. To confirm that the ClusterRole is created as expected, run the following command:

    kubectl describe clusterrole cv-role [-n namespace]


If new Kubernetes API resources are added to your cluster, then you must run the role definition command again to regenerate the custom ClusterRole definition.