From c927e991f628971bb46f2d335fb031b2fead2200 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Elias=20H=C3=A4reskog?=
Date: Fri, 28 Nov 2025 09:40:00 +0100
Subject: [PATCH 1/2] apps wc: fix velero snapshots
---
 .../templates/default/volumes.yaml | 1 +
 .../networkpolicies/common/velero.yaml.gotmpl | 8 +++++
 .../common/velero.yaml.gotmpl | 31 +++++++++++++++++--
 helmfile.d/values/velero/wc.yaml.gotmpl | 1 +
 4 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/helmfile.d/charts/gatekeeper/podsecuritypolicies/templates/default/volumes.yaml b/helmfile.d/charts/gatekeeper/podsecuritypolicies/templates/default/volumes.yaml
index cb076ed8cf..00057913ec 100644
--- a/helmfile.d/charts/gatekeeper/podsecuritypolicies/templates/default/volumes.yaml
+++ b/helmfile.d/charts/gatekeeper/podsecuritypolicies/templates/default/volumes.yaml
@@ -21,6 +21,7 @@ spec:
 volumes:
 - configMap
 - downwardAPI
+ - hostPath
 - emptyDir
 - persistentVolumeClaim
 - projected
diff --git a/helmfile.d/values/networkpolicies/common/velero.yaml.gotmpl b/helmfile.d/values/networkpolicies/common/velero.yaml.gotmpl
index bb7b44780c..82f36cdf73 100644
--- a/helmfile.d/values/networkpolicies/common/velero.yaml.gotmpl
+++ b/helmfile.d/values/networkpolicies/common/velero.yaml.gotmpl
@@ -33,3 +33,11 @@ policies:
 egress:
 - rule: egress-rule-dns
 - rule: egress-rule-apiserver
+
+ velero-data-mover:
+ podSelectorLabels:
+ velero.io/exposer-pod-group: snapshot-exposer
+ egress:
+ - rule: egress-rule-dns
+ - rule: egress-rule-apiserver
+ - rule: egress-rule-object-storage
diff --git a/helmfile.d/values/podsecuritypolicies/common/velero.yaml.gotmpl b/helmfile.d/values/podsecuritypolicies/common/velero.yaml.gotmpl
index b51cc9eb7b..04ab336368 100644
--- a/helmfile.d/values/podsecuritypolicies/common/velero.yaml.gotmpl
+++ b/helmfile.d/values/podsecuritypolicies/common/velero.yaml.gotmpl
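Review bot: Adding `- hostPath` to the `volumes` list in `templates/default/volumes.yaml` appears to widen the default constraint, so every workload that falls under the default policy, not only Velero, could mount host paths. The Velero-specific constraints changed later in this patch already allow `hostPath` together with `allowedHostPaths` prefixes under `/var/lib/kubelet`, so the default list may not need it and I would drop this line. If the template really does need it, state next to the entry which constraint limits the permitted host paths for default workloads, and confirm that such a constraint exists. The rest of the template lies outside the hunk, so how this list is consumed is not visible here.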
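Review bot: The new `velero-data-mover` policy in `networkpolicies/common/velero.yaml.gotmpl` has no comment saying which pods it covers, and it selects them only by the `velero.io/exposer-pod-group: snapshot-exposer` label. Any pod carrying that label in the namespace where the policy is rendered gains `egress-rule-object-storage`, so the intent should be written down, for example `# Snapshot exposer pods created by Velero for data movement; they need object storage access`. The namespace scoping and the rule definitions are outside the hunk, so confirm that the policy is rendered only for the Velero namespace.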
@@ -9,6 +9,7 @@ constraints:
 - emptyDir
 - projected
 - secret
+ - configMap
 allowedHostPaths:
 - pathPrefix: /var/lib/kubelet/pods
 readOnly: false
@@ -25,16 +26,42 @@ constraints:
 allow:
 runAsUser:
 rule: MustRunAsNonRoot
+ volumes:
+ - hostPath
+ - emptyDir
+ - projected
+ - secret
+ - persistentVolumeClaim
+ - configMap
+ - downwardAPI
+ allowedHostPaths:
+ - pathPrefix: /var/lib/kubelet/pods
+ readOnly: false
+ - pathPrefix: /var/lib/kubelet/plugins
+ readOnly: false
 mutation:
- runAsUser: 1000
+ runAsUser: 1002
 data-upload:
 podSelectorLabels:
 velero.io/exposer-pod-group: snapshot-exposer
 allow:
 runAsUser:
 rule: MustRunAsNonRoot
+ volumes:
+ - hostPath
+ - emptyDir
+ - projected
+ - secret
+ - persistentVolumeClaim
+ - configMap
+ - downwardAPI
+ allowedHostPaths:
+ - pathPrefix: /var/lib/kubelet/pods
+ readOnly: false
+ - pathPrefix: /var/lib/kubelet/plugins
+ readOnly: false
 mutation:
- runAsUser: 1000
+ runAsUser: 1002
 repo-maintenance:
 podSelectorExpressions:
 - key: velero.io/repo-name
diff --git a/helmfile.d/values/velero/wc.yaml.gotmpl b/helmfile.d/values/velero/wc.yaml.gotmpl
index 8a300b22ab..7b2c442803 100644
--- a/helmfile.d/values/velero/wc.yaml.gotmpl
+++ b/helmfile.d/values/velero/wc.yaml.gotmpl
@@ -134,6 +134,7 @@ schedules:
 template:
 storageLocation: default
 snapshotMoveData: {{ .Values.velero.useVolumeSnapshots }}
+ snapshotVolumes: {{ .Values.velero.useVolumeSnapshots }}
 excludedNamespaces:
 {{- with .Values.velero.excludedNamespaces }}
 {{- toYaml . | nindent 8 }}
From d0390b3f3ba92de2410eff4bdc8b8131d2b00aa9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Elias=20H=C3=A4reskog?=
Date: Tue, 9 Dec 2025 09:26:47 +0100
Subject: [PATCH 2/2] sc
---
 helmfile.d/values/velero/sc.yaml.gotmpl | 1 +
 1 file changed, 1 insertion(+)
diff --git a/helmfile.d/values/velero/sc.yaml.gotmpl b/helmfile.d/values/velero/sc.yaml.gotmpl
index efc2b0747e..407647877d 100644
--- a/helmfile.d/values/velero/sc.yaml.gotmpl
+++ b/helmfile.d/values/velero/sc.yaml.gotmpl
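Review bot: Both constraints touched in the `@@ -25,16 +26,42 @@` hunk of `podsecuritypolicies/common/velero.yaml.gotmpl` now permit writable `hostPath` mounts of `/var/lib/kubelet/pods` and `/var/lib/kubelet/plugins`. For `data-upload` the only visible gate is the `velero.io/exposer-pod-group: snapshot-exposer` label; the first constraint's name and selector sit above the hunk. A pod that can be created with that label in a matching namespace would therefore be allowed to read and modify other pods' volume data on the node. If the upload path only reads snapshot data, `readOnly: true` on these prefixes would be the tighter setting, though whether Velero needs write access there is not visible in the patch. The change from `runAsUser: 1000` to `runAsUser: 1002` is also unexplained and deserves a one-line comment stating why that UID is required.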
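Review bot: The added `snapshotVolumes: {{ .Values.velero.useVolumeSnapshots }}` in `values/velero/wc.yaml.gotmpl`, and the identical line in `values/velero/sc.yaml.gotmpl` from patch 2/2, makes the schedule set `snapshotVolumes: false` explicitly whenever the flag is off, where before the field was left unset. That is presumably intended, but it can change what backups contain on clusters with the flag disabled, so a comment such as `# follows snapshotMoveData; false disables volume snapshots for this schedule` would document it. If `velero.useVolumeSnapshots` can ever be unset, the unquoted template would render an empty or non-boolean value, so confirm that the values schema gives it a default.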
@@ -134,6 +134,7 @@ schedules:
 template:
 storageLocation: default
 snapshotMoveData: {{ .Values.velero.useVolumeSnapshots }}
+ snapshotVolumes: {{ .Values.velero.useVolumeSnapshots }}
 labelSelector:
 matchLabels:
 velero: backup