Skip to content

fix(backups): rbac actualized#2145

Merged
androndo merged 1 commit intomainfrom
fix/backups-rbac
Mar 3, 2026
Merged

fix(backups): rbac actualized#2145
androndo merged 1 commit intomainfrom
fix/backups-rbac

Conversation

@androndo
Copy link
Contributor

@androndo androndo commented Mar 3, 2026
edited by coderabbitai bot
Loading

What this PR does

Release note

- fixed rbac for backup controllers

Summary by CodeRabbit

  • Chores
    • Updated backup controller permissions to focus on core backup operations.
    • Expanded backup strategy controller permissions to support enhanced backup and restore capabilities, including Velero integration and status management.

@androndo
fix(backups): rbac actualized
9ac8b2d 
Signed-off-by: Andrey Kolkov <[email protected]>
@dosubot dosubot bot added size:M This PR changes 30-99 lines, ignoring generated files. bug Something isn't working labels Mar 3, 2026
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Mar 3, 2026
edited
Loading

📝 Walkthrough

Walkthrough

Two RBAC files are modified to adjust permissions for backup-related controllers. The backup-controller narrows its scope by removing cross-addon permissions and consolidating to backups.cozystack.io resources. The backupstrategy-controller gains expanded permissions across backup strategies, classes, jobs, applications, Velero resources, and leader election.

Changes

Cohort / File(s) Summary
Backup Controller RBAC Narrowing
packages/system/backup-controller/templates/rbac.yaml		 Restricts permissions to backups.cozystack.io scope only; removes access to external API groups (apps.cozystack.io, objectstorage, kubevirt, velero). Refocuses Plan access to plans/status endpoints.
BackupStrategy Controller RBAC Expansion
packages/system/backupstrategy-controller/templates/rbac.yaml		 Adds comprehensive permissions for backup strategies, classes, jobs/restores, backups, application references, Velero resources (backups/restores), and coordinator leases for leader election.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Poem

🐰 A rabbit's tale of keys refined,
Backup guards now better aligned,
One focuses tight on tasks near,
One gains the tools to manage clear,
With strategies broad and control in sight,
The backup realm now feels just right! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Title check ❓ Inconclusive The title 'fix(backups): rbac actualized' is partially related to the changeset. It correctly identifies the domain (backups) and type (fix), but uses vague terminology ('actualized') that doesn't clearly convey what was changed in the RBAC rules. Consider a more specific title like 'fix(backups): narrow backup-controller RBAC and expand backupstrategy-controller permissions' to clearly describe the actual RBAC changes made.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch fix/backups-rbac

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@gemini-code-assist
Copy link
Contributor

gemini-code-assist bot commented Mar 3, 2026

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refines the Role-Based Access Control (RBAC) configurations for the backup-controller and backupstrategy-controller within the Cozystack backup system. The changes aim to actualize permissions, ensuring each controller operates with the principle of least privilege by granting only the necessary access to Kubernetes resources required for their specific functions.

Highlights

  • Backup Controller RBAC Refinement: Permissions for the backup-controller were significantly narrowed, removing broad access to various resources like backups, buckets, secrets, and Velero objects, focusing its roles on plans and backupjobs.
  • Backup Strategy Controller RBAC Expansion: Permissions for the backupstrategy-controller were expanded to include necessary access for managing backupclasses, updating job statuses, interacting with Velero resources, and handling leader election.
  • Role Clarification: Comments were added to both RBAC configurations to clarify the specific responsibilities and required permissions for each controller, enhancing readability and maintainability.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog
  • packages/system/backup-controller/templates/rbac.yaml
    • Removed extensive permissions for backupjobs, backups, apps.cozystack.io resources (buckets, bucketaccesses, virtualmachines), objectstorage.k8s.io resources, secrets, kubevirt.io virtualmachines, and velero.io resources.
    • Retained permissions for plans (get, list, watch) and plans/status (get, update, patch).
    • Retained permissions for backupjobs (create, get, list, watch).
    • Added comments to clarify the purpose of remaining rules.
  • packages/system/backupstrategy-controller/templates/rbac.yaml
    • Added permissions for backupclasses (get, list, watch).
    • Added permissions for backupjobs/status and restorejobs/status (get, update, patch).
    • Added permissions for backups (create, get, list, watch).
    • Added broad permissions for apps.cozystack.io resources (get, list, watch).
    • Added permissions for velero.io backups and restores (create, get, list, watch, update, patch).
    • Added permissions for coordination.k8s.io/leases for leader election.
    • Added comments to clarify the purpose of new and existing rules.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Mar 3, 2026
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request refactors the RBAC permissions for the backup controllers, which is a great improvement for security and separation of concerns. I've identified a couple of opportunities to further tighten the permissions to more strictly follow the principle of least privilege. My comments below provide specific suggestions.

packages/system/backup-controller/templates/rbac.yaml
- apiGroups: ["backups.cozystack.io"]
resources: ["backups"]
resources: ["backupjobs"]
verbs: ["create", "get", "list", "watch"]
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The plan-controller only creates BackupJob resources. The get, list, and watch permissions are not necessary according to the controller's implementation in internal/backupcontroller/plan_controller.go. To adhere to the principle of least privilege, it's best to only grant the create verb.

  verbs: ["create"]

packages/system/backupstrategy-controller/templates/rbac.yaml
# Velero Backup/Restore in cozy-velero namespace
- apiGroups: ["velero.io"]
resources: ["backups", "restores"]
verbs: ["create", "get", "list", "watch", "update", "patch"]
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The backupstrategy-controller creates and lists Velero Backup and Restore resources, but it does not appear to watch, update, or patch them based on the logic in internal/backupcontroller/velerostrategy_controller.go. The controller polls for status by re-listing after a requeue, so watch permission is not used. To follow the principle of least privilege, the unused watch, update, and patch verbs should be removed.

  verbs: ["create", "get", "list"]

coderabbitai[bot]
coderabbitai bot reviewed Mar 3, 2026
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
packages/system/backupstrategy-controller/templates/rbac.yaml (1)

34-36: Scope lease permissions to the fixed leader-election lease.

The controller uses the hardcoded LeaderElectionID strategy.backups.cozystack.io (see cmd/backupstrategy-controller/main.go:138). Add resourceNames to restrict access to that specific lease instead of all leases.

Suggested RBAC tightening 
 - apiGroups: ["coordination.k8s.io"]
   resources: ["leases"]
+  resourceNames: ["strategy.backups.cozystack.io"]
   verbs: ["get", "list", "watch", "create", "update", "patch"]
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@packages/system/backupstrategy-controller/templates/rbac.yaml` around lines
34 - 36, The RBAC rule currently grants verbs on all coordination.k8s.io leases;
restrict it to the controller's hardcoded leader lease by adding resourceNames:
["strategy.backups.cozystack.io"] under the leases rule in templates/rbac.yaml
so the permissions only apply to the LeaderElectionID used by the controller
(LeaderElectionID "strategy.backups.cozystack.io").
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/system/backupstrategy-controller/templates/rbac.yaml`:
- Around line 7-9: Update the RBAC templates to replace wildcard resources with
explicit lists: in the Role where apiGroups is "strategy.backups.cozystack.io"
replace resources: ["*"] with resources: ["veleroes", "jobs"] to limit read
access, and in the Role for apiGroups "apps.cozystack.io" remove the "*" and
enumerate only the application kinds the controller truly needs (for example
VMInstance, VirtualMachine, etc.) so verbs: ["get","list","watch"] apply to a
concrete resources array rather than a wildcard; adjust any Role/RoleBinding
entries that reference the same wildcard to use the new explicit resource names.

---

Nitpick comments:
In `@packages/system/backupstrategy-controller/templates/rbac.yaml`:
- Around line 34-36: The RBAC rule currently grants verbs on all
coordination.k8s.io leases; restrict it to the controller's hardcoded leader
lease by adding resourceNames: ["strategy.backups.cozystack.io"] under the
leases rule in templates/rbac.yaml so the permissions only apply to the
LeaderElectionID used by the controller (LeaderElectionID
"strategy.backups.cozystack.io").
ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 772fb43 and 9ac8b2d.

📒 Files selected for processing (2)
  • packages/system/backup-controller/templates/rbac.yaml
  • packages/system/backupstrategy-controller/templates/rbac.yaml

packages/system/backupstrategy-controller/templates/rbac.yaml
Comment on lines 7 to 9
- apiGroups: ["strategy.backups.cozystack.io"]
resources: ["*"]
verbs: ["get", "list", "watch"]
Copy link
Contributor

@coderabbitai coderabbitai bot Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, verify the file exists and show the RBAC rules
cat -n packages/system/backupstrategy-controller/templates/rbac.yaml | head -40

Repository: cozystack/cozystack

Length of output: 1676

🏁 Script executed:

# Search for CRD definitions in the codebase for the mentioned API groups
rg -n "group:\s*strategy\.backups\.cozystack\.io|group:\s*apps\.cozystack\.io" -A 10 --type yaml

Repository: cozystack/cozystack

Length of output: 16714

🏁 Script executed:

# Find plural resource names in CRD definitions
rg -n "plural:" --type yaml -B 3 -A 1 | grep -E "(strategy\.backups|apps\.cozystack|plural)"

Repository: cozystack/cozystack

Length of output: 42260

🏁 Script executed:

# Check for backupstrategy-controller configuration or deployment to understand its scope
find packages/system/backupstrategy-controller -name "*.yaml" -o -name "*.go" | head -20

Repository: cozystack/cozystack

Length of output: 680

Replace wildcard RBAC resources with explicit resource lists.

Line 8 grants read access to all resources in the strategy.backups.cozystack.io API group, but only two custom resources are defined: veleroes and jobs. This can be safely narrowed to resources: ["veleroes", "jobs"].

Line 27 grants read access to all resources in apps.cozystack.io for application reference handling. While this is broader than line 8, consider whether enumerating specific application resource kinds (e.g., VMInstance, VirtualMachine, etc.) would satisfy the controller's actual requirements without the wildcard.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@packages/system/backupstrategy-controller/templates/rbac.yaml` around lines 7
- 9, Update the RBAC templates to replace wildcard resources with explicit
lists: in the Role where apiGroups is "strategy.backups.cozystack.io" replace
resources: ["*"] with resources: ["veleroes", "jobs"] to limit read access, and
in the Role for apiGroups "apps.cozystack.io" remove the "*" and enumerate only
the application kinds the controller truly needs (for example VMInstance,
VirtualMachine, etc.) so verbs: ["get","list","watch"] apply to a concrete
resources array rather than a wildcard; adjust any Role/RoleBinding entries that
reference the same wildcard to use the new explicit resource names.

@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Mar 3, 2026
@androndo androndo enabled auto-merge March 3, 2026 14:57
@androndo androndo merged commit 1429b94 into main Mar 3, 2026
14 of 15 checks passed
@androndo androndo deleted the fix/backups-rbac branch March 3, 2026 15:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@lllamnyp lllamnyp lllamnyp approved these changes

@kvaps kvaps Awaiting requested review from kvaps kvaps is a code owner

@lexfrei lexfrei Awaiting requested review from lexfrei lexfrei is a code owner

@IvanHunters IvanHunters Awaiting requested review from IvanHunters IvanHunters is a code owner

@sircthulhu sircthulhu Awaiting requested review from sircthulhu sircthulhu is a code owner

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

bug Something isn't working lgtm This PR has been approved by a maintainer size:M This PR changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@androndo @lllamnyp