apps: fix velero snapshots (#2884)

Eliastisys · rarescosma · commit 1b83d6dd6476 · 2025-12-19T12:53:13.000+02:00
diff --git a/helmfile.d/charts/gatekeeper/podsecuritypolicies/templates/default/volumes.yaml b/helmfile.d/charts/gatekeeper/podsecuritypolicies/templates/default/volumes.yaml
@@ -21,6 +21,7 @@ spec:
     volumes:
       - configMap
       - downwardAPI
+      - hostPath
       - emptyDir
       - persistentVolumeClaim
       - projected
diff --git a/helmfile.d/values/networkpolicies/common/velero.yaml.gotmpl b/helmfile.d/values/networkpolicies/common/velero.yaml.gotmpl
@@ -33,3 +33,11 @@ policies:
       egress:
         - rule: egress-rule-dns
         - rule: egress-rule-apiserver
+
+    velero-data-mover:
+      podSelectorLabels:
+        velero.io/exposer-pod-group: snapshot-exposer
+      egress:
+        - rule: egress-rule-dns
+        - rule: egress-rule-apiserver
+        - rule: egress-rule-object-storage
diff --git a/helmfile.d/values/podsecuritypolicies/common/velero.yaml.gotmpl b/helmfile.d/values/podsecuritypolicies/common/velero.yaml.gotmpl
@@ -9,6 +9,7 @@ constraints:
           - emptyDir
           - projected
           - secret
+          - configMap
         allowedHostPaths:
           - pathPrefix: /var/lib/kubelet/pods
             readOnly: false
@@ -25,16 +26,42 @@ constraints:
       allow:
         runAsUser:
           rule: MustRunAsNonRoot
+        volumes:
+          - hostPath
+          - emptyDir
+          - projected
+          - secret
+          - persistentVolumeClaim
+          - configMap
+          - downwardAPI
+        allowedHostPaths:
+          - pathPrefix: /var/lib/kubelet/pods
+            readOnly: false
+          - pathPrefix: /var/lib/kubelet/plugins
+            readOnly: false
       mutation:
-        runAsUser: 1000
+        runAsUser: 1002
     data-upload:
       podSelectorLabels:
         velero.io/exposer-pod-group: snapshot-exposer
       allow:
         runAsUser:
           rule: MustRunAsNonRoot
+        volumes:
+          - hostPath
+          - emptyDir
+          - projected
+          - secret
+          - persistentVolumeClaim
+          - configMap
+          - downwardAPI
+        allowedHostPaths:
+          - pathPrefix: /var/lib/kubelet/pods
+            readOnly: false
+          - pathPrefix: /var/lib/kubelet/plugins
+            readOnly: false
       mutation:
-        runAsUser: 1000
+        runAsUser: 1002
     repo-maintenance:
       podSelectorExpressions:
         - key: velero.io/repo-name
diff --git a/helmfile.d/values/velero/sc.yaml.gotmpl b/helmfile.d/values/velero/sc.yaml.gotmpl
@@ -134,6 +134,7 @@ schedules:
     template:
       storageLocation: default
       snapshotMoveData: {{ .Values.velero.useVolumeSnapshots }}
+      snapshotVolumes: {{ .Values.velero.useVolumeSnapshots }}
       labelSelector:
         matchLabels:
           velero: backup
diff --git a/helmfile.d/values/velero/wc.yaml.gotmpl b/helmfile.d/values/velero/wc.yaml.gotmpl
@@ -134,6 +134,7 @@ schedules:
     template:
       storageLocation: default
       snapshotMoveData: {{ .Values.velero.useVolumeSnapshots }}
+      snapshotVolumes: {{ .Values.velero.useVolumeSnapshots }}
       excludedNamespaces:
         {{- with .Values.velero.excludedNamespaces }}
         {{- toYaml . | nindent 8 }}
