RBAC with Kubernetes Impersonation & Header Injection #63

@aslafy-z

Summary

Implement RBAC for Velero UI (VUI) by leveraging Kubernetes impersonation capabilities and enabling upstream proxies to inject authentication headers for fine-grained access control.

Implementation Details

1. Kubernetes Impersonation Support

  • Utilize native Kubernetes user RBAC mechanisms to enforce permissions on Velero resources (list, get, create, edit)
  • Ensure users can only perform actions permitted by their assigned Kubernetes roles
  • Validate all operations against user's RBAC profile before execution

2. Header Injection for Upstream Authentication

  • Accept and process standard authentication headers from ingress controllers and authentication proxies:

    • Impersonate-User: User to impersonate
    • Impersonate-Group: Groups to impersonate
    • Authorization: Bearer token (if direct authentication is used)
  • Support integration with common authentication proxies:

    • oauth2-proxy
    • Heimdall
    • NGINX Ingress Controller with auth modules
    • Other OIDC/OAuth2 compatible solutions
  • Enable tenant-specific access control based on the injected headers
  • Support multi-tenant environments where external identity providers determine user permissions

Reference Implementations

Use Cases

  • Secure multi-tenant Velero environments by restricting users to specific backup resources
  • Seamlessly integrate with existing authentication/authorization infrastructures
  • Support enterprise environments with complex identity management requirements
  • Enable granular permissions without requiring modifications to Kubernetes clusters
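
An added example, not part of the issue or of the VUI code base: a Go sketch of the header-injection step, showing that `Impersonate-User` and `Impersonate-Group` are honoured only when the request arrives from the authenticating proxy. The names `Identity`, `IdentityFromProxy` and `Apply`, the proxy network `10.0.0.0/24`, and the refusal of `system:`-prefixed names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

var _, trustedProxies, _ = net.ParseCIDR("10.0.0.0/24") // constructed proxy network

// Identity is what the UI backend impersonates on the Kubernetes API.
type Identity struct {
	User   string
	Groups []string
}

// IdentityFromProxy trusts Impersonate-* headers only from the proxy's network.
func IdentityFromProxy(r *http.Request) (Identity, error) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if ip := net.ParseIP(host); err != nil || ip == nil || !trustedProxies.Contains(ip) {
		return Identity{}, errors.New("impersonation headers from untrusted peer")
	}
	id := Identity{User: r.Header.Get("Impersonate-User"), Groups: r.Header.Values("Impersonate-Group")}
	if id.User == "" {
		return Identity{}, errors.New("missing Impersonate-User")
	}
	for _, name := range append([]string{id.User}, id.Groups...) {
		if strings.HasPrefix(name, "system:") { // assumed policy: never forward reserved names
			return Identity{}, fmt.Errorf("reserved identity %q refused", name)
		}
	}
	return id, nil
}

// Apply sets the identity on an API-server request, replacing stale values.
func (id Identity) Apply(out *http.Request) {
	out.Header.Set("Impersonate-User", id.User)
	out.Header.Del("Impersonate-Group")
	for _, g := range id.Groups {
		out.Header.Add("Impersonate-Group", g)
	}
}

func main() {
	r := &http.Request{RemoteAddr: "203.0.113.9:5000", Header: http.Header{"Impersonate-User": {"alice"}}} // constructed direct client
	fmt.Println(IdentityFromProxy(r))
}
```

The service account the backend uses toward the API server still needs the `impersonate` verb in its own RBAC, and the user's roles then decide each Velero operation.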

Labels: enhancement (New feature or request)
