Backup All Volumes
In order for Velero to back up volumes in a Pod using an opt-in approach, it requires an annotation on the Pod called `backup.velero.io/backup-volumes` whose value is a comma-separated list of the volumes mounted to that Pod. This policy automatically annotates Pods (and Pod controllers) which refer to a PVC so that all volumes are listed in the aforementioned annotation if the Pod is in a Namespace with the label `velero-backup-pvc=true`.
Policy Definition
/velero/backup-all-volumes/backup-all-volumes.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: backup-all-volumes
  annotations:
    policies.kyverno.io/title: Backup All Volumes
    policies.kyverno.io/category: Velero
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod, Annotation
    kyverno.io/kyverno-version: 1.9.2
    kyverno.io/kubernetes-version: "1.25"
    policies.kyverno.io/description: >-
      In order for Velero to backup volumes in a Pod using an opt-in approach, it
      requires an annotation on the Pod called `backup.velero.io/backup-volumes` with the
      value being a comma-separated list of the volumes mounted to that Pod. This policy
      automatically annotates Pods (and Pod controllers) which refer to a PVC so that
      all volumes are listed in the aforementioned annotation if a Namespace with the label
      `velero-backup-pvc=true`.
spec:
  rules:
    - name: backup-velero-pv
      match:
        any:
          - resources:
              kinds:
                - Pod
              # Only Pods in Namespaces that opted in via this label
              namespaceSelector:
                matchLabels:
                  velero-backup-pvc: "true"
      preconditions:
        all:
          # The Pod must mount at least one PVC-backed volume
          - key: "{{ request.object.spec.volumes[?contains(keys(@), 'persistentVolumeClaim')] | length(@) }}"
            operator: GreaterThanOrEquals
            value: 1
          # Mutate only when the Pod is created
          - key: "{{request.operation}}"
            operator: Equals
            value: CREATE
      context:
        # Comma-separated names of the PVC-backed volumes
        - name: volumes
          variable:
            jmesPath: join(',',request.object.spec.volumes[?persistentVolumeClaim].name)
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              backup.velero.io/backup-volumes: "{{ volumes }}"
```
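Because the rule mutates only on `CREATE`, Pods admitted before the policy or the Namespace label existed keep whatever annotation they already had. The following audit is an added example, not part of the policy or of Kyverno: it recomputes the value the rule would write and reports PVC-backed volumes missing from the annotation. The function names and the sample Pods and Namespaces are constructed for illustration.

```python
ANNOTATION = "backup.velero.io/backup-volumes"
NS_LABEL = "velero-backup-pvc"

def pvc_volume_names(pod):
    """Names of PVC-backed volumes, mirroring the policy's JMESPath filter."""
    volumes = pod.get("spec", {}).get("volumes") or []
    return [v["name"] for v in volumes if v.get("persistentVolumeClaim")]

def expected_annotation(pod):
    """Value the rule would write, or None when the '>= 1 PVC' precondition fails."""
    names = pvc_volume_names(pod)
    return ",".join(names) if names else None

def missing_backups(pod, namespace_labels):
    """PVC volumes absent from the annotation, for Pods in opted-in Namespaces."""
    ns = pod["metadata"].get("namespace", "default")
    if namespace_labels.get(ns, {}).get(NS_LABEL) != "true":
        return []  # Namespace did not opt in, so the policy would not match
    current = (pod["metadata"].get("annotations") or {}).get(ANNOTATION, "")
    listed = {n.strip() for n in current.split(",") if n.strip()}
    return [n for n in pvc_volume_names(pod) if n not in listed]

# Constructed sample data (not taken from a real cluster).
NAMESPACES = {"shop": {"velero-backup-pvc": "true"}, "scratch": {}}
PODS = [
    {"metadata": {"name": "db-0", "namespace": "shop",
                  "annotations": {ANNOTATION: "data"}},  # stale: 'wal' not listed
     "spec": {"volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "db-data"}},
                          {"name": "wal", "persistentVolumeClaim": {"claimName": "db-wal"}},
                          {"name": "tmp", "emptyDir": {}}]}},
    {"metadata": {"name": "web-1", "namespace": "shop"},
     "spec": {"volumes": [{"name": "cfg", "configMap": {"name": "web"}}]}},
    {"metadata": {"name": "job-7", "namespace": "scratch"},
     "spec": {"volumes": [{"name": "out", "persistentVolumeClaim": {"claimName": "out"}}]}},
]

def audit(pods, namespace_labels):
    """Map Pod name -> PVC volumes that Velero's opt-in backup would skip."""
    report = {}
    for pod in pods:
        missing = missing_backups(pod, namespace_labels)
        if missing:
            report[pod["metadata"]["name"]] = missing
    return report

if __name__ == "__main__":
    for name, vols in audit(PODS, NAMESPACES).items():
        print(f"{name}: not covered by {ANNOTATION}: {','.join(vols)}")
```

To run it against a live cluster, replace `PODS` and `NAMESPACES` with the parsed output of `kubectl get pods -A -o json` and `kubectl get namespaces -o json`.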