You can create a custom ClusterRole to perform the Commvault backups and restores. The role is then bound to the service account.
Before You Begin
You must have a service account that meets the following requirements:
- Has, at a minimum, read-only (GET API verb permission) for all the API resources/objects that you want Commvault to protect.
- Can run the kubectl api-resources command against the cluster that you want to protect.
- Can create new ClusterRole API resources to create the restricted role on the cluster.

The permissions for resources and sub-resources are as follows:
| Resources and sub-resources | Permissions |
|---|---|
|  |  |
| All resources obtained by the |  |
Procedure
- Download the following Linux bash script. The script is used to create the Kubernetes role that is required to perform Commvault backups and restores.
- On a host that has access to the Kubernetes cluster that you want Commvault to protect, run the following command to create the custom ClusterRole definition:
  ./cvrolescript.sh | kubectl apply -f -
- To confirm that the ClusterRole is created as expected, run the following command:
  kubectl describe clusterrole cv-role [-n namespace]
Important
If new Kubernetes API resources are added to your cluster, then you must run the role definition command again to regenerate the custom ClusterRole definition.
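One way to detect the drift described in the note above, as an added example that is not part of the Commvault documentation or script: compare the output of `kubectl api-resources -o name` with the rules in `kubectl get clusterrole cv-role -o json` and list the resources the role does not cover. The function names and sample data are constructed for illustration, and checking the `get` verb is an assumption based on the read-only minimum stated under Before You Begin.

```python
import json

# Constructed sample of `kubectl api-resources -o name` output (not a real cluster).
SAMPLE_API_RESOURCES = "pods\nconfigmaps\ndeployments.apps\ncronjobs.batch\nwidgets.example.com\n"

# Constructed sample of `kubectl get clusterrole cv-role -o json`; the rules are
# illustrative and are not the rules that cvrolescript.sh generates.
SAMPLE_ROLE = json.dumps({
    "metadata": {"name": "cv-role"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "configmaps"], "verbs": ["get", "list"]},
        {"apiGroups": ["apps"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": ["batch"], "resources": ["cronjobs"], "verbs": ["list"]},
    ],
})


def parse_api_resources(text):
    """Turn `name` or `name.group` lines into (group, resource); core group is ''."""
    return [(group, resource) for resource, _, group in
            (line.partition(".") for line in text.split())]


def rule_grants(rule, group, resource, verb):
    """True if one RBAC rule grants `verb` on every object of group/resource."""
    if rule.get("resourceNames"):  # limited to named objects, so not full coverage
        return False
    return (any(g in ("*", group) for g in rule.get("apiGroups", []))
            and any(r in ("*", resource) for r in rule.get("resources", []))
            and any(v in ("*", verb) for v in rule.get("verbs", [])))


def uncovered(api_resources_text, role_json, verb="get"):
    """Return the api-resources entries that no rule in the role grants `verb` on."""
    rules = json.loads(role_json).get("rules") or []
    missing = []
    for group, resource in parse_api_resources(api_resources_text):
        if not any(rule_grants(rule, group, resource, verb) for rule in rules):
            missing.append(f"{resource}.{group}" if group else resource)
    return missing


if __name__ == "__main__":
    for name in uncovered(SAMPLE_API_RESOURCES, SAMPLE_ROLE):
        print("not covered by cv-role:", name)
```

On a real cluster, feed it the output of `kubectl api-resources --verbs=get -o name` so that resources that do not support `get` are not reported as gaps.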