Exact Permissions needed

[twonds]

Hello, I have just started using mirrord and it seems great. Because I am new I am still uncertain about the specific permissions needed to use mirrord. I have only used it at a very high level of cluster permissions.

Another thing I have ran into is that when I use teleport to access a cluster I can not make the connection between the mirrord pod and the local process. Should I file a bug report?

Thanks!

[eyalb181]

Hey, thanks for trying out mirrord!

mirrord requires the permission to create a privileged pod on the cluster. Note that for teams that want to use mirrord together and don't want to give everyone privileged pod permissions, we offer mirrord for Teams. It lets you install an operator on the cluster which carries out the pod creation, so the users themselves don't have to have these permissions, plus you can manage it through K8S RBAC.

Re Teleport, it should work as far as we know, so please do open a bug report.

Thank you!

[twonds]

Thank you for your quick response. I will try out mirrord for teams. I am just curious what 'privileged' means exactly to understand if I need to use mirrord for teams or not. Can you define that more? Or does it change too often to document the exact privileges?

I will replicate the teleport issue and file a bug report.

[aviramha]

The reason we don't specify it precisely is that it's not a default RBAC configuration. The RBAC access you need to have is to create pods, but sometimes in more strict environments there's PSP or PSA that will remove the pod we create.
In case there aren't any restricted policies (PSA or PSP) you just need pod creation permissions and listing the "target" pod.

[twonds]

Thank you for your answers! I created an issue for when I use teleport