Query Commands

The Bacula Enterprise Kubernetes Plugin supports the “query command”. This type of command lets the plugin display useful information that goes beyond its main function, such as:

  • User permissions on the cluster

The feature uses the special .query command in bconsole.

Commands of this type require the following parameters to be set:

client=<client>

A Bacula Client name with the Kubernetes plugin installed.

plugin="<plugin>"

The plugin name, which is kubernetes: in this case, optionally followed by plugin parameters as described in the sections Generic Plugin Parameters or Estimate and Backup Plugin Parameters, depending on the function.

parameter=<function>

The functions are explained in the following sections.

Note

The output can be changed to JSON format. To do that, write json before the function name and separate the two with |, like: json|<function>.

user_permissions

This function reports whether the user specified in the k8s config file has the permissions required to work with this plugin, or whether this user is missing some permission.

In this command, the most important parameters are:

config=<path>

Path to the k8s config file used for the connection.

namespace=<namespace>

Specify a namespace to query the permissions that the user has inside that namespace. If you don’t use this parameter, only cluster permissions are queried.

Note

Several namespaces can be specified in the same command.

Examples:

Example of the function without a namespace:
*.query client=kubernetes-fd plugin="kubernetes:" parameter=user_permissions
Allowed to: Cluster list clusterroles -> True
Allowed to: Cluster get clusterroles -> True
Allowed to: Cluster create clusterroles -> True
Allowed to: Cluster update clusterroles -> True
Allowed to: Cluster list clusterrolebindings -> True
Allowed to: Cluster get clusterrolebindings -> True
Allowed to: Cluster create clusterrolebindings -> True
Allowed to: Cluster list namespaces -> True
Allowed to: Cluster get namespaces -> True
Allowed to: Cluster create namespaces -> True
Allowed to: Cluster list storageclasses -> True
Allowed to: Cluster get storageclasses -> True
Allowed to: Cluster create storageclasses -> True
Allowed to: Cluster list volumesnapshotclasses -> True
Allowed to: Cluster get volumesnapshotclasses -> True
Allowed to: Cluster create volumesnapshotclasses -> True
Summary:
Your user has all necessary permissions
Example of the function with some missing permissions:
*.query client=kubernetes-fd plugin="kubernetes:" parameter=user_permissions
Allowed to: Cluster list clusterroles -> False
Allowed to: Cluster get clusterroles -> False
Allowed to: Cluster create clusterroles -> False
Allowed to: Cluster update clusterroles -> False
Allowed to: Cluster list clusterrolebindings -> True
Allowed to: Cluster get clusterrolebindings -> True
Allowed to: Cluster create clusterrolebindings -> True
Allowed to: Cluster list namespaces -> True
Allowed to: Cluster get namespaces -> True
Allowed to: Cluster create namespaces -> True
Allowed to: Cluster list storageclasses -> True
Allowed to: Cluster get storageclasses -> True
Allowed to: Cluster create storageclasses -> True
Allowed to: Cluster list volumesnapshotclasses -> True
Allowed to: Cluster get volumesnapshotclasses -> True
Allowed to: Cluster create volumesnapshotclasses -> True
You must grant your user to the next permissions:
- Scope: `Cluster` Resource: `clusterroles` Action: `list`
- Scope: `Cluster` Resource: `clusterroles` Action: `get`
- Scope: `Cluster` Resource: `clusterroles` Action: `create`
- Scope: `Cluster` Resource: `clusterroles` Action: `update`
Example of the function with a namespace:
*.query client=kubernetes-fd plugin="kubernetes: debug=1 namespace=\"namespace-1\"" parameter=user_permissions
Allowed to: Cluster list clusterroles -> True
Allowed to: Cluster get clusterroles -> True
Allowed to: Cluster create clusterroles -> True
Allowed to: Cluster update clusterroles -> True
Allowed to: Cluster list clusterrolebindings -> True
Allowed to: Cluster get clusterrolebindings -> True
Allowed to: Cluster create clusterrolebindings -> True
Allowed to: Cluster list namespaces -> True
Allowed to: Cluster get namespaces -> True
Allowed to: Cluster create namespaces -> True
Allowed to: Cluster list storageclasses -> True
Allowed to: Cluster get storageclasses -> True
Allowed to: Cluster create storageclasses -> True
Allowed to: Cluster list volumesnapshotclasses -> True
Allowed to: Cluster get volumesnapshotclasses -> True
Allowed to: Cluster create volumesnapshotclasses -> True
Allowed to: namespace/namespace-1 list configmaps -> True
Allowed to: namespace/namespace-1 get configmaps -> True
Allowed to: namespace/namespace-1 create configmaps -> True
Allowed to: namespace/namespace-1 update configmaps -> True
Allowed to: namespace/namespace-1 list daemonsets -> True
Allowed to: namespace/namespace-1 get daemonsets -> True
Allowed to: namespace/namespace-1 create daemonsets -> True
Allowed to: namespace/namespace-1 update daemonsets -> True
Allowed to: namespace/namespace-1 list deployments -> True
Allowed to: namespace/namespace-1 get deployments -> True
Allowed to: namespace/namespace-1 create deployments -> True
Allowed to: namespace/namespace-1 update deployments -> True
Allowed to: namespace/namespace-1 list endpoints -> True
Allowed to: namespace/namespace-1 get endpoints -> True
Allowed to: namespace/namespace-1 create endpoints -> True
Allowed to: namespace/namespace-1 list ingresses -> True
Allowed to: namespace/namespace-1 get ingresses -> True
Allowed to: namespace/namespace-1 create ingresses -> True
Allowed to: namespace/namespace-1 list limitranges -> True
Allowed to: namespace/namespace-1 get limitranges -> True
Allowed to: namespace/namespace-1 create limitranges -> True
Allowed to: namespace/namespace-1 list persistentvolumes -> True
Allowed to: namespace/namespace-1 get persistentvolumes -> True
Allowed to: namespace/namespace-1 create persistentvolumes -> True
Allowed to: namespace/namespace-1 list persistentvolumeclaims -> True
Allowed to: namespace/namespace-1 get persistentvolumeclaims -> True
Allowed to: namespace/namespace-1 create persistentvolumeclaims -> True
Allowed to: namespace/namespace-1 list pods -> True
Allowed to: namespace/namespace-1 get pods -> True
Allowed to: namespace/namespace-1 create pods -> True
Allowed to: namespace/namespace-1 delete pods -> True
Allowed to: namespace/namespace-1 list podtemplates -> True
Allowed to: namespace/namespace-1 get podtemplates -> True
Allowed to: namespace/namespace-1 create podtemplates -> True
Allowed to: namespace/namespace-1 list replicasets -> True
Allowed to: namespace/namespace-1 get replicasets -> True
Allowed to: namespace/namespace-1 create replicasets -> True
Allowed to: namespace/namespace-1 update replicasets -> True
Allowed to: namespace/namespace-1 list replicationcontrollers -> True
Allowed to: namespace/namespace-1 get replicationcontrollers -> True
Allowed to: namespace/namespace-1 create replicationcontrollers -> True
Allowed to: namespace/namespace-1 list resourcequotas -> True
Allowed to: namespace/namespace-1 get resourcequotas -> True
Allowed to: namespace/namespace-1 create resourcequotas -> True
Allowed to: namespace/namespace-1 update resourcequotas -> True
Allowed to: namespace/namespace-1 list roles -> True
Allowed to: namespace/namespace-1 get roles -> True
Allowed to: namespace/namespace-1 create roles -> True
Allowed to: namespace/namespace-1 list rolebindings -> True
Allowed to: namespace/namespace-1 get rolebindings -> True
Allowed to: namespace/namespace-1 create rolebindings -> True
Allowed to: namespace/namespace-1 list secrets -> True
Allowed to: namespace/namespace-1 get secrets -> True
Allowed to: namespace/namespace-1 create secrets -> True
Allowed to: namespace/namespace-1 list services -> True
Allowed to: namespace/namespace-1 get services -> True
Allowed to: namespace/namespace-1 create services -> True
Allowed to: namespace/namespace-1 list serviceaccounts -> True
Allowed to: namespace/namespace-1 get serviceaccounts -> True
Allowed to: namespace/namespace-1 create serviceaccounts -> True
Allowed to: namespace/namespace-1 list statefulsets -> True
Allowed to: namespace/namespace-1 get statefulsets -> True
Allowed to: namespace/namespace-1 create statefulsets -> True
Allowed to: namespace/namespace-1 list volumesnapshots -> True
Allowed to: namespace/namespace-1 get volumesnapshots -> True
Allowed to: namespace/namespace-1 create volumesnapshots -> True
Allowed to: namespace/namespace-1 delete volumesnapshots -> True
Summary:
Your user has all necessary permissions
The same command as before, but with JSON output format:
*.query client=kubernetes-fd plugin="kubernetes: namespace=\"namespace-1\"" parameter=json|user_permissions
{"cluster": {"clusterrolebindings":
{"create": true, "get": true, "list": true},
"clusterroles": {"create": true,
"get": true, "list": true, "update": true},
"namespaces": {"create": true, "get": true, "list": true},
"storageclasses": {"create": true, "get": true, "list": true},
"volumesnapshotclasses": {"create": true, "get": true, "list": true}},
"namespaced": {"namespace-1": {
"configmaps": {"create": true, "get": true, "list": true, "update": true},
"daemonsets": {"create": true, "get": true, "list": true, "update": true},
"deployments": {"create": true, "get": true, "list": true, "update": true},
"endpoints": {"create": true, "get": true, "list": true},
"ingresses": {"create": true, "get": true, "list": true},
"limitranges": {"create": true, "get": true, "list": true},
"persistentvolumeclaims": {"create": true, "get": true, "list": true},
"persistentvolumes": {"create": true, "get": true, "list": true},
"pods": {"create": true, "delete": true, "get": true, "list": true},
"podtemplates": {"create": true, "get": true, "list": true},
"replicasets": {"create": true, "get": true, "list": true, "update": true},
"replicationcontrollers": {"create": true, "get": true, "list": true},
"resourcequotas": {"create": true, "get": true, "list": true, "update": true},
"rolebindings": {"create": true, "get": true, "list": true},
"roles": {"create": true, "get": true, "list": true},
"secrets": {"create": true, "get": true, "list": true},
"serviceaccounts": {"create": true, "get": true, "list": true},
"services": {"create": true, "get": true, "list": true},
"statefulsets": {"create": true, "get": true, "list": true},
"volumesnapshots": {"create": true, "delete": true, "get": true, "list": true}
}}}
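
The two output forms shown above carry the same information, so a pre-backup check can normalize either one into a list of denied (scope, resource, action) entries and fail if the list is not empty. The following is an added example, not code from the plugin or from Bacula; the function names and the sample inputs are constructed for illustration, and it assumes the plugin output has already been captured from bconsole as a string.

```python
import json
import re

# Text form as shown on this page:
#   "Allowed to: <scope> <action> <resource> -> True|False"
LINE_RE = re.compile(r"^Allowed to: (\S+) (\S+) (\S+) -> (True|False)$")


def denied_from_text(output):
    """Return sorted (scope, resource, action) tuples reported as False."""
    denied = set()
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(4) == "False":
            scope, action, resource = m.group(1), m.group(2), m.group(3)
            denied.add((scope, resource, action))
    return sorted(denied)


def denied_from_json(document):
    """Same result from the json|user_permissions form."""
    report = json.loads(document)
    denied = set()
    # Fail closed: anything other than a literal true counts as denied.
    for resource, actions in report.get("cluster", {}).items():
        denied.update(("Cluster", resource, a)
                      for a, ok in actions.items() if ok is not True)
    for ns, resources in report.get("namespaced", {}).items():
        for resource, actions in resources.items():
            denied.update((f"namespace/{ns}", resource, a)
                          for a, ok in actions.items() if ok is not True)
    return sorted(denied)


# Constructed sample inputs (not captured from a real cluster).
SAMPLE_TEXT = """\
Allowed to: Cluster list clusterroles -> False
Allowed to: Cluster get namespaces -> True
Allowed to: namespace/namespace-1 get secrets -> False
"""
SAMPLE_JSON = json.dumps({
    "cluster": {"clusterroles": {"list": False}, "namespaces": {"get": True}},
    "namespaced": {"namespace-1": {"secrets": {"get": False}}},
})

if __name__ == "__main__":
    for scope, resource, action in denied_from_json(SAMPLE_JSON):
        print(f"missing: {scope} {resource} {action}")
```
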
