-
Bug
-
Resolution: Unresolved
-
Undefined
-
OADP 1.4.2
-
None
-
3
-
False
-
-
False
-
ToDo
-
-
-
0
-
0.000
-
Very Likely
-
0
-
None
-
Unset
-
Unknown
-
None
Description of problem:
On performing the backup of an application with excluded cluster scoped resources, including namespace,storageclass, The backup succeeds but the restore fails.
Version-Release number of selected component (if applicable):
1.4.2
How reproducible:
Always
Steps to Reproduce:
1. Deploy an application
2. Perform backup with appropriate exclude cluster scoped resources param.
3. Delete Project and perform the restore.
Actual results:
Restore partilally fails.
Expected results:
Restore should succeed.
Additional info:
Backup:
apiVersion: velero.io/v1 kind: Backup metadata: name: backup9 namespace: openshift-adp spec: defaultVolumesToFsBackup: true hooks: {} includedNamespaces: - mysql2 excludedClusterScopedResources: ["storageclasses", "Namespace"] storageLocation: velero-sample-1 ttl: 720h0s
Velero Describe Restore:
$ velero describe restore mytest1 -n openshift-adp --details Name: mytest1 Namespace: openshift-adp Labels: <none> Annotations: <none> Phase: PartiallyFailed (run 'velero restore logs mytest1' for more information) Total items to be restored: 28 Items restored: 28 Started: 2024-11-18 18:25:03 +0530 IST Completed: 2024-11-18 18:25:07 +0530 IST Warnings: Velero: <none> Cluster: <none> Namespaces: mytest1: could not restore, RoleBinding "system:image-builders" already exists. Warning: the in-cluster version is different than the backed-up version could not restore, RoleBinding "system:image-pullers" already exists. Warning: the in-cluster version is different than the backed-up version could not restore, ConfigMap "kube-root-ca.crt" already exists. Warning: the in-cluster version is different than the backed-up version could not restore, ConfigMap "openshift-service-ca.crt" already exists. Warning: the in-cluster version is different than the backed-up version could not restore, RoleBinding "admin" already exists. Warning: the in-cluster version is different than the backed-up version could not restore, RoleBinding "system:deployers" already exists. Warning: the in-cluster version is different than the backed-up version could not restore, RoleBinding "system:image-builders" already exists. Warning: the in-cluster version is different than the backed-up version could not restore, RoleBinding "system:image-pullers" already exists. Warning: the in-cluster version is different than the backed-up version Errors: Velero: <none> Cluster: <none> Namespaces: mytest1: error restoring pods/mytest1/mysql-7db78bc44b-rwtsk: pods "mysql-7db78bc44b-rwtsk" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "restore-wait" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "restore-wait" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "restore-wait" must set securityContext.runAsNonRoot=true) Backup: mytest1 Namespaces: Included: all namespaces found in the backup
- depends on
-
OADP-5031 Make OADP work in restricted Pod Security Standard environment
-
- New
-
