Bug 1813289 - Restic and Velero pods can be assigned the incorrect SCC
Summary: Restic and Velero pods can be assigned the incorrect SCC
Keywords:
Status: CLOSED DUPLICATE of bug 1813067
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Migration Tooling
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 4.4.0
Assignee: Jason Montleon
QA Contact: Xin jiang
URL: https://github.com/konveyor/mig-opera...
Whiteboard:
Depends On: 1813067
Blocks:
Reported: 2020-03-13 13:16 UTC by John Matthews
Modified: 2020-03-23 13:18 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1813067
Environment:
Last Closed: 2020-03-23 13:18:15 UTC
Target Upstream Version:
Embargoed:



Description John Matthews 2020-03-13 13:16:13 UTC
+++ This bug was initially created as a clone of Bug #1813067 +++

Description of problem:
Velero is assigned wide open permissions. This was done because we need access to pretty much any resource we need to back up. However, the verb list is probably way less restrictive than it can be.

https://github.com/konveyor/mig-operator/blob/master/deploy/olm-catalog/konveyor-operator/v1.2.0/konveyor-operator.v1.2.0.clusterserviceversion.yaml#L679-L688

Version-Release number of selected component (if applicable):
CAM <= 1.1.1

How reproducible:


Steps to Reproduce:
1. Create an SCC that allows running privileged pods as root but restricts filesystem write access to the container.
2. Install CAM

Actual results:
Failures because of the missing permission

Expected results:
Velero/Restic use the correct SCC.

Additional info:
At a minimum we can probably remove the use verb for (almost?) all resources and give ourselves the ability to use just the one SCC.

https://github.com/konveyor/mig-operator/pull/257/files

We may even be able to reduce this to just get/list in the clusterrole and provide wider permissions in a role scoped to the namespace so velero can watch, create, update, patch, and delete its resources. That may take more time to figure out accurately than the above though.
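
As an added illustration of the two changes proposed above (not taken from the mig-operator CSV or PR #257), the following RBAC fragments put the broad `use`-on-every-SCC grant next to a narrowed version: cluster-wide get/list for backup enumeration, `use` limited to a single named SCC via `resourceNames`, and the write verbs moved into a namespaced Role. The role names, the SCC name `velero-scc` and the namespace are assumptions, and the bindings to the velero/restic service accounts are omitted.

```yaml
# Added example, not the operator's own manifests. Names are placeholders.
---
# Before: "use" on every SCC in the cluster. Admission may then match the
# pod against an unintended SCC (e.g. a custom one that forbids writes),
# which is the failure the report describes.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: velero-wide-open            # assumed name
rules:
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  verbs: ["use"]                    # no resourceNames: every SCC
---
# After: read access cluster-wide, "use" on exactly one SCC
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: velero-narrowed             # assumed name
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list"]            # enough to enumerate what to back up
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  resourceNames: ["velero-scc"]     # placeholder: the SCC velero/restic should run under
  verbs: ["use"]
---
# Write verbs only where velero's own objects live: a namespaced Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: velero-namespaced           # assumed name
  namespace: openshift-migration    # assumed namespace
rules:
- apiGroups: ["velero.io"]          # Backup, Restore, Schedule, ... CRDs
  resources: ["*"]
  verbs: ["watch", "create", "update", "patch", "delete"]
```

Restore operations will need more than get/list on target resources, so the cluster-wide rule above reflects the report's proposal for backup, not a finished policy.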

Comment 3 John Matthews 2020-03-23 13:18:15 UTC
Closing this BZ in favor of its original that is already aligned to 4.4.0
Closing this to avoid the duplicate situation for 4.4.0 we have now.

*** This bug has been marked as a duplicate of bug 1813067 ***

