allow plugins to write arbitrary data to 'plugins/' directory inside backup storage location #2344
Comments
|
I'm in general in favor of this. I wonder if there are security implications to giving plugins full access to each other's subdirectory. Some more questions:
|
Plugins can already make use of the credentials mounted into the Velero pod, so they're already able to write/delete arbitrary data from the Velero bucket. This proposal wouldn't really change that. We could look at doing further segregation down the road but I think that's probably independent of this change.
Any plugin could write data here; to be clear, any plugin can already write data to this location, it's just that currently it will cause Velero to crashloop on the next restart, since the contents of the Velero BSL would no longer be "valid".
In theory yes, if that's something that's useful for users. The current use case doesn't require this. |
|
True - given that the plugins could just access the BSLs and the credentials if they wanted to do something nefarious anyway, I think for now scoping this to giving them a logical place to put their data makes sense. |
Describe the problem/challenge you have
Some plugins would like to be able to directly write additional data to the object storage bucket used by Velero. However, there's not necessarily a natural place to put this data today.
Describe the solution you'd like
Allow a
plugins/top-level directory within the Velero backup storage location. Plugins can then write data to subdirectories within this directory.Environment:
velero version): v1.3.xkubectl version): n/a/etc/os-release): n/aThe text was updated successfully, but these errors were encountered: