Description of problem:
Velero is assigned wide open permissions. This was done because we need access to pretty much any resource we need to back up. However, the verb list is probably way less restrictive than it can be.
https://github.com/konveyor/mig-operator/blob/master/deploy/olm-catalog/konveyor-operator/v1.2.0/konveyor-operator.v1.2.0.clusterserviceversion.yaml#L679-L688

Version-Release number of selected component (if applicable):
CAM <= 1.1.1

How reproducible:

Steps to Reproduce:
1. Create an SCC that allows running privileged pods as root but restricts filesystem write access to the container.
2. Install CAM

Actual results:
Failures because of the missing permission

Expected results:
Velero/Restic use the correct SCC.

Additional info:
At a minimum we can probably remove the use verb for (almost?) all resources and give ourselves the ability to use just the one SCC.
https://github.com/konveyor/mig-operator/pull/257/files

We may even be able to reduce this to just get/list in the clusterrole and provide wider permissions in a role scoped to the namespace so velero can watch, create, update, patch, and delete its resources. That may take more time to figure out accurately than the above though.
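The split proposed in the last paragraph, written out as an added example (not code from this bug or from mig-operator); the SCC name velero-privileged-scc, the namespace openshift-migration and the service account velero are placeholders, and the rules show the proposed shape rather than a verified minimal set for Velero:

```yaml
# Cluster-wide: read-only on everything (needed to back up any resource),
# plus the `use` verb on exactly one SCC instead of on all resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: velero-cluster-reader        # placeholder name
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "list"]
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    resourceNames: ["velero-privileged-scc"]   # placeholder SCC
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: velero-cluster-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: velero-cluster-reader
subjects:
  - kind: ServiceAccount
    name: velero                     # placeholder service account
    namespace: openshift-migration   # placeholder namespace
---
# Namespace-scoped: write verbs only where velero keeps its own resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: velero-namespace-writer
  namespace: openshift-migration
rules:
  - apiGroups: ["velero.io"]
    resources: ["*"]
    verbs: ["watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: velero-namespace-writer
  namespace: openshift-migration
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: velero-namespace-writer
subjects:
  - kind: ServiceAccount
    name: velero
    namespace: openshift-migration
```

With this layout, a `use` request against any other SCC is denied by RBAC, which is the check the first step of the reproducer is exercising.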
*** Bug 1813289 has been marked as a duplicate of this bug. ***
Created attachment 1688032: SCC resource
Verified using CAM 1.2 stage. After deploying the attached SCC, we were able to create velero and restic without any problem.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2020:2328