websmith
Hi,
I am using democratic-csi to manage storage for my Kubernetes cluster - and I finally got it working - which immediately got me worrying that if there is a bug in their code they are capable of destroying all my datasets & pools.
So I immediately uninstalled the software.
So I wonder if it's possible to allow certain users access to the zfs command, but only allow access to manipulate certain parts of the pool defined by a dataset?
i.e. output from the zfs list (truncated)
Code:
fast/iocage/releases/12.2-RELEASE        869M   6.51T   96K   /mnt/fast/iocage/releases/12.2-RELEASE
fast/iocage/releases/12.2-RELEASE/root   869M   6.51T   869M  /mnt/fast/iocage/releases/12.2-RELEASE/root
fast/iocage/templates                    96K    6.51T   96K   /mnt/fast/iocage/templates
fast/k8s                                 1.08M  1.95T   108K  /mnt/fast/k8s
My hope is that I can limit my "k8s" user to only be able to manipulate the pool under the dataset "fast/k8s".
So if it tries to do a
Code:
zfs create fast/xxx
zfs destroy fast/whatever
It should fail, etc.
But if it tries to do:
Code:
zfs create fast/k8s/xyz
zfs destroy fast/k8s/xyz
It should succeed.
Basically give it full access to the pool under "fast/k8s" - but limit all other commands anywhere else on the pool.
I don't know if I am asking too much of ZFS/FreeBSD - but it would be awesome - because then I would not have to fear for my pool.
Thanks in advance for any answers
P.S. I am using TrueNAS 12.2-RELEASE-p6