Is it feasible to restrict the permissions of Trident containers?
- Category:
- trident-kubernetes
- Specialty:
- snapx
- Last Updated:
- 3/1/2025, 11:13:28 AM
Applies to
Astra Trident
Answer
Is it advisable to adjust the permissions highlighted below?
```yaml
  resourceNames:
  - trident-controller
  - trident-node-linux
  - trident-node-windows
  - trident-csi
  - trident
- apiGroups:
  - authorization.openshift.io
  - rbac.authorization.k8s.io
  resources:
  - roles
  - rolebindings
  - clusterroles
  - clusterrolebindings
  verbs:
  - list
  - create
- apiGroups:
  - authorization.openshift.io
  - rbac.authorization.k8s.io
  resources:
  - roles
  - rolebindings
  - clusterroles
  - clusterrolebindings
  verbs:
  - delete
  - update
  - patch
```
Ans. No. It is not advisable to modify the permissions for Trident containers.
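An added check, not part of the original article or of Trident's own code: the script below takes the two RBAC rules quoted above (transcribed into Python literals), computes the verbs a ClusterRole actually grants on each (apiGroup, resource) pair using Kubernetes wildcard semantics, and reports any verb that has been removed, so drift from the operator-installed role can be detected before Trident fails at runtime. The expected-verb table is an assumption built from the quoted rules, and resourceNames scoping is ignored.

```python
"""Detect verbs missing from a ClusterRole compared with what the quoted
Trident rules grant. Rule data is transcribed from the article's fragment;
EXPECTED is an assumption derived from those same rules."""

RBAC_GROUPS = ("authorization.openshift.io", "rbac.authorization.k8s.io")
RBAC_RESOURCES = ("roles", "rolebindings", "clusterroles", "clusterrolebindings")

# The two rules quoted in the article (resourceNames tail omitted).
TRIDENT_RBAC_RULES = [
    {"apiGroups": list(RBAC_GROUPS), "resources": list(RBAC_RESOURCES),
     "verbs": ["list", "create"]},
    {"apiGroups": list(RBAC_GROUPS), "resources": list(RBAC_RESOURCES),
     "verbs": ["delete", "update", "patch"]},
]

# Assumption: every verb in the quoted rules is required on every pair.
EXPECTED = {(g, r): {"list", "create", "delete", "update", "patch"}
            for g in RBAC_GROUPS for r in RBAC_RESOURCES}


def _matches(wanted, allowed):
    """Kubernetes RBAC: '*' in apiGroups/resources/verbs matches anything."""
    return "*" in allowed or wanted in allowed


def effective_verbs(rules, api_group, resource):
    """Union of verbs all rules grant on (api_group, resource); {'*'} if unrestricted.
    resourceNames scoping is deliberately ignored in this check."""
    verbs = set()
    for rule in rules:
        if _matches(api_group, rule.get("apiGroups", [])) and \
           _matches(resource, rule.get("resources", [])):
            if "*" in rule.get("verbs", []):
                return {"*"}
            verbs.update(rule.get("verbs", []))
    return verbs


def missing_permissions(rules, expected=EXPECTED):
    """Return {(group, resource): {missing verbs}} for expected grants not present."""
    missing = {}
    for (group, resource), verbs in expected.items():
        have = effective_verbs(rules, group, resource)
        if "*" in have:
            continue
        gap = set(verbs) - have
        if gap:
            missing[(group, resource)] = gap
    return missing


if __name__ == "__main__":
    print(missing_permissions(TRIDENT_RBAC_RULES))   # {} for the intact role
    # A role "restricted" by dropping the second rule loses delete/update/patch.
    print(missing_permissions([TRIDENT_RBAC_RULES[0]]))
```

Run it against a live role with the rules from `kubectl get clusterrole <name> -o json` substituted for TRIDENT_RBAC_RULES to confirm nothing has been narrowed.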
Additional Information
Trident is a storage orchestrator for Kubernetes that integrates with various storage systems. The Trident containers are privileged containers for specific reasons related to their functionality and the requirements of the underlying storage systems. Here are a few reasons why Trident containers are privileged:
1. Access to low-level storage operations: Trident interacts with the underlying storage systems and performs various operations, such as creating volumes, snapshots, and clones, and managing storage resources. To accomplish these tasks, Trident needs privileged access to the host system to execute low-level storage operations that require elevated privileges.
2. Access to device-specific APIs: Storage systems often expose device-specific APIs and interfaces that require privileged access to interact with. By running as a privileged container, Trident can utilize these APIs to communicate with the storage system and perform advanced operations that require direct interaction with the underlying storage hardware.
3. Security and isolation: Trident operates and manages storage resources, which are critical components of an application's data. By running as a privileged container, Trident can enforce security measures and isolation to protect the storage system and prevent unauthorized access or tampering. Trident also handles the iSCSI- and NFS-related tools, which need elevated permissions.