Restore
kopiur.home-operations.com / v1alpha1
apiVersion: kopiur.home-operations.com/v1alpha1
kind: Restore
metadata:
name: example
spec object required
A restore operation from a snapshot/identity into a PVC, or a passive populator source.
Desired state of a Restore: where to read from, where to write to, and how to behave when the snapshot is missing.
credentialProjection object
Opt-in copying of the repository's credential Secret(s) into the mover's namespace (default off).
enabled
boolean
Copy the repository's credential Secret(s) into the namespace of each mover Job; off by default.
failurePolicy object
Mover `Job` retry/deadline limits (`backoffLimit`, `activeDeadlineSeconds`).
activeDeadlineSeconds
integer
Mover `Job.spec.activeDeadlineSeconds` — wall-clock cap after which a running run is killed.
format:
int64
backoffLimit
integer
Mover `Job.spec.backoffLimit` — retries before a failed run is marked failed.
format:
int32
podStartupDeadlineSeconds
integer
Seconds a non-starting (wedged) mover pod may sit before the run is failed; default 300s.
format:
int64mover object
Per-run mover overrides for this restore's Job (resources, cache, `securityContext`).
cache object
Override the repository's [`CacheDefaults`] for this recipe's movers.
capacity
string
Size of the PVC backing the mover's kopia cache (e.g. `10Gi`).
contentCacheSizeMb
integer
kopia content cache budget in MiB (`--content-cache-size-mb`).
format:
int64
metadataCacheSizeMb
integer
kopia metadata cache budget in MiB (`--metadata-cache-size-mb`).
format:
int64
mode
string
How a mover's kopia cache volume is provisioned.
enum:
Ephemeral, Persistent
storageClassName
string
StorageClass for the cache PVC; absent uses the cluster default.
inheritSecurityContextFrom object
Copy the UID/GID security context from a live workload instead of setting it explicitly.
pvcConsumer object
Backup sources only: auto-derive the workload from the PVC this snapshot backs up.
container
string
Which container within the matched consumer pod to inherit from; absent uses the first/only.
workloadSelector object
Inherit from workload pod(s) matched by an explicit label selector (backup or restore).
container
string
Which container within the matched pod; absent uses the first/only container.
podSelector object required
Label selector matching the workload pod(s) to read context/hooks from.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key
string required
key is the label key that the selector applies to.
operator
string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values
[]string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels
object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
podSecurityContext object
Pod security context for the mover (notably `fsGroup` for group-writable restore volumes).
appArmorProfile object
appArmorProfile is the AppArmor options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.
localhostProfile
string
localhostProfile indicates a profile loaded on the node that should be used. The profile must be preconfigured on the node to work. Must match the loaded name of the profile. Must be set if and only if type is "Localhost".
type
string required
type indicates which kind of AppArmor profile will be applied. Valid options are:
Localhost - a profile pre-loaded on the node.
RuntimeDefault - the container runtime's default profile.
Unconfined - no AppArmor enforcement.
fsGroup
integer
A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:
1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw----
If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows.
format:
int64
fsGroupChangePolicy
string
fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. Note that this field cannot be set when spec.os.name is windows.
runAsGroup
integer
The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
format:
int64
runAsNonRoot
boolean
Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
runAsUser
integer
The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
format:
int64
seLinuxChangePolicy
string
seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. It has no effect on nodes that do not support SELinux or to volumes does not support SELinux. Valid values are "MountOption" and "Recursive".
"Recursive" means relabeling of all files on all Pod volumes by the container runtime. This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
"MountOption" mounts all eligible Pod volumes with `-o context` mount option. This requires all Pods that share the same volume to use the same SELinux label. It is not possible to share the same volume among privileged and unprivileged Pods. Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their CSIDriver instance. Other volumes are always re-labelled recursively. "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
If not specified and SELinuxMount feature gate is enabled, "MountOption" is used. If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes and "Recursive" for all other volumes.
This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. Note that this field cannot be set when spec.os.name is windows.
seLinuxOptions object
The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
level
string
Level is SELinux level label that applies to the container.
role
string
Role is a SELinux role label that applies to the container.
type
string
Type is a SELinux type label that applies to the container.
user
string
User is a SELinux user label that applies to the container.
seccompProfile object
The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.
localhostProfile
string
localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must be set if type is "Localhost". Must NOT be set for any other type.
type
string required
type indicates which kind of seccomp profile will be applied. Valid options are:
Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.
supplementalGroups
[]integer
A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows.
supplementalGroupsPolicy
string
Defines how supplemental groups of the first container processes are calculated. Valid values are "Merge" and "Strict". If not specified, "Merge" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows.
sysctls []object
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.
name
string required
Name of a property to set
value
string required
Value of a property to set
windowsOptions object
The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.
gmsaCredentialSpec
string
GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
gmsaCredentialSpecName
string
GMSACredentialSpecName is the name of the GMSA credential spec to use.
hostProcess
boolean
HostProcess determines if a container should be run as a 'Host Process' container. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.
runAsUserName
string
The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
privilegedMode
boolean
Opt-in, namespace-gated privileged mode; preserves UID/GID on restore.
resources object
Resource requests/limits for the mover container.
claims []object
Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.
This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
name
string required
Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.
request
string
Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.
limits
object
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
requests
object
Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
securityContext object
Container security context for the mover; merged field-wise over the defaults and hardened base.
allowPrivilegeEscalation
boolean
AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.
appArmorProfile object
appArmorProfile is the AppArmor options to use by this container. If set, this profile overrides the pod's appArmorProfile. Note that this field cannot be set when spec.os.name is windows.
localhostProfile
string
localhostProfile indicates a profile loaded on the node that should be used. The profile must be preconfigured on the node to work. Must match the loaded name of the profile. Must be set if and only if type is "Localhost".
type
string required
type indicates which kind of AppArmor profile will be applied. Valid options are:
Localhost - a profile pre-loaded on the node.
RuntimeDefault - the container runtime's default profile.
Unconfined - no AppArmor enforcement.
capabilities object
The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows.
add
[]string
Added capabilities
drop
[]string
Removed capabilities
privileged
boolean
Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.
procMount
string
procMount denotes the type of proc mount to use for the containers. The default value is Default which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows.
readOnlyRootFilesystem
boolean
Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows.
runAsGroup
integer
The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
format:
int64
runAsNonRoot
boolean
Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
runAsUser
integer
The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
format:
int64seLinuxOptions object
The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
level
string
Level is SELinux level label that applies to the container.
role
string
Role is a SELinux role label that applies to the container.
type
string
Type is a SELinux type label that applies to the container.
user
string
User is a SELinux user label that applies to the container.
seccompProfile object
The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows.
localhostProfile
string
localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must be set if type is "Localhost". Must NOT be set for any other type.
type
string required
type indicates which kind of seccomp profile will be applied. Valid options are:
Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.
windowsOptions object
The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.
gmsaCredentialSpec
string
GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
gmsaCredentialSpecName
string
GMSACredentialSpecName is the name of the GMSA credential spec to use.
hostProcess
boolean
HostProcess determines if a container should be run as a 'Host Process' container. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.
runAsUserName
string
The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
ttlSecondsAfterFinished
integer
Per-recipe override of `Job.spec.ttlSecondsAfterFinished` so finished Jobs self-GC.
format:
int64options object
kopia restore behavior (file deletion, permission/atomicity handling).
enableFileDeletion
boolean
Delete files in the target that are not present in the snapshot (exact mirror); off by default.
Wired to kopia's `--[no-]delete-extra` (previously a silent no-op — see issue #216 gap sweep).
ignoreErrors
boolean
`--[no-]ignore-errors`: ignore all restore errors and continue (kopia default `false`).
ignorePermissionErrors
boolean
Continue past permission errors during restore (default true).
overwriteDirectories
boolean
`--[no-]overwrite-directories`: overwrite existing directories in the target
(kopia default `true`).
overwriteFiles
boolean
`--[no-]overwrite-files`: overwrite existing files in the target (kopia default `true`).
overwriteSymlinks
boolean
`--[no-]overwrite-symlinks`: overwrite existing symlinks in the target
(kopia default `true`).
parallel
integer
`--parallel`: restore parallelism (kopia default `8`; `1` disables parallelism).
format:
uint32minimum:
0
skipExisting
boolean
`--[no-]skip-existing`: skip files/symlinks that already exist in the target
(kopia default `false`).
skipOwners
boolean
`--[no-]skip-owners`: skip restoring file owners (kopia default `false`).
skipPermissions
boolean
`--[no-]skip-permissions`: skip restoring file permissions (kopia default `false`).
skipTimes
boolean
`--[no-]skip-times`: skip restoring file modification times (kopia default `false`).
writeFilesAtomically
boolean
Write files atomically via a temp file + rename (default true).
writeSparseFiles
boolean
`--[no-]write-sparse-files`: attempt to write files sparsely, allocating the
minimum disk space needed (kopia default `false`).
policy object
What to do when the referenced snapshot doesn't exist yet, and how long to wait.
onMissingSnapshot
string
What to do when the resolved source matches no snapshot. Defaults to `Fail`
(fail-closed) so an explicit restore can never silently no-op; choose
`Continue` to provision an empty volume instead (deploy-or-restore).
enum:
Fail, Continue
waitTimeout
string
How long to wait for the source snapshot to appear before giving up (e.g. `5m`).
repository object
The repository to read from; derived from `source` when omitted, required only with `source.identity`.
kind
string
Which repository CRD this points at; defaults to [`RepositoryKind::Repository`].
enum:
Repository, ClusterRepository
name
string required
Name of the referenced `Repository`/`ClusterRepository`.
namespace
string
Cross-namespace `Repository` reference; ignored/forbidden for `ClusterRepository`.
source object required
Where to read data from (snapshotRef, fromPolicy, or identity).
fromPolicy object
A `SnapshotPolicy` CR, resolved via identity even with no `Snapshot` CR present (deploy-or-restore).
asOf
string
Restore the newest snapshot at or before this RFC3339 timestamp (point-in-time).
name
string required
Name of the `SnapshotPolicy` whose identity selects the snapshot.
namespace
string
Namespace of the `SnapshotPolicy`; absent = the `Restore`'s own namespace.
offset
integer
Which snapshot to pick: 0 = latest, 1 = previous, and so on.
format:
int64identity object
A raw kopia identity (foreign writers / aged-out catalog); requires `spec.repository`.
asOf
string
Restore the newest snapshot at or before this RFC3339 timestamp (point-in-time).
hostname
string required
The kopia `hostname` to match.
offset
integer
Which snapshot to pick: 0 = latest, 1 = previous, and so on.
format:
int64
snapshotID
string
Pin an exact kopia snapshot by ID.
sourcePath
string
The kopia source path to match; absent matches any path for the identity.
username
string required
The kopia `username` to match.
snapshotRef object
A `Snapshot` CR (scheduled, manual, or discovered).
name
string required
Name of the referenced object.
namespace
string
Namespace of the referenced object; absent = same namespace as the referrer.
target object required
Where to write the restored data (pvc, pvcRef, or populator).
populator
object
Passive populator mode: the restore is claimed by a PVC's `spec.dataSourceRef`.
pvc object
Operator creates the PVC.
accessModes
[]string
Access modes for the new PVC; empty defaults to `[ReadWriteOnce]`. Closed
enum in the schema; a non-canonical value persisted before enforcement
decodes as [`PvcAccessMode::Unknown`] and is rejected per-CR with the
value quoted (webhook + reconciler, via `validate_access_modes`) instead
of poisoning the typed watcher.
capacity
string
Requested size of the new PVC (e.g. `100Gi`).
name
string required
Name of the PVC to create.
storageClassName
string
StorageClass for the new PVC; absent uses the cluster default.
pvcRef object
Write into an existing PVC.
name
string required
Name of the referenced object.
namespace
string
Namespace of the referenced object; absent = same namespace as the referrer.
status object
Observed state of a Restore, written by the controller/mover.
conditions []object
Standard Kubernetes conditions carrying the human-readable status/reason.
lastTransitionTime
string required
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format:
date-time
message
string required
message is a human readable message indicating details about the transition. This may be an empty string.
observedGeneration
integer
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format:
int64
reason
string required
reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
status
string required
status of the condition, one of True, False, Unknown.
type
string required
type of condition in CamelCase or in foo.example.com/CamelCase.
failure object
Structured terminal-failure detail (kopia error class, stderr tail, retry hint).
exitCode
integer
The process exit code, if one was reported.
format:
int32
kopiaErrorClass
string required
kopia error class (e.g. `RepositoryUnavailable`, `AuthFailure`).
message
string required
A short human-readable message: what failed, why, and how to fix it.
retryRecommended
boolean required
Whether retrying the same operation unchanged could succeed.
stderrTail
string
The last lines of kopia's stderr, if any were captured (bounded by
[`MAX_LOG_TAIL_BYTES`]).
logTail
string
The last lines of the run's output, written by the mover at the terminal transition.
observedGeneration
integer
`metadata.generation` last reconciled, so stale status is detectable.
format:
int64
phase
string
Lifecycle phase of a restore.
enum:
Pending, Resolving, Restoring, Completed, Failedprogress object
Bytes/files restored so far, patched periodically by the mover.
bytesRestored
integer
Total bytes restored so far.
format:
int64
filesRestored
integer
Total files restored so far.
format:
int64resolved object
The source resolved and pinned at admission; never re-resolved.
identity object
The resolved kopia identity (`username@hostname:path`) of the snapshot.
hostname
string required
The final `hostname` kopia records, fixed at admission.
sourcePath
string
The resolved snapshot source path, when applicable (`username@hostname:path`).
username
string required
The final `username` kopia records, fixed at admission.
kopiaSnapshotID
string
The exact kopia snapshot manifest id the source resolved to; pinned once.
pinnedAt
string
Timestamp at which the source was pinned (RFC3339).
repository object
The repository the snapshot lives in, resolved from the source.
kind
string
Which repository CRD this points at; defaults to [`RepositoryKind::Repository`].
enum:
Repository, ClusterRepository
name
string required
Name of the referenced `Repository`/`ClusterRepository`.
namespace
string
Cross-namespace `Repository` reference; ignored/forbidden for `ClusterRepository`.
resolution
string
Which outcome the source resolution pinned, once and never re-resolved.
enum:
Snapshot, NoSnapshotsnapshotRef object
The concrete `Snapshot` CR the source resolved to, when applicable.
name
string required
Name of the referenced object.
namespace
string
Namespace of the referenced object; absent = same namespace as the referrer.
sourceKind
string
The pinned source kind (`SnapshotRef`/`FromPolicy`/`Identity`); backs the `SOURCE` printer column.
target object
Resolved target details (the PVC written to / populator handshake).
pvcPrime
string
Populator handshake (passive / pvc-create modes).
pvcRef object
The PVC actually written to (created or pre-existing).
name
string required
Name of the referenced object.
namespace
string
Namespace of the referenced object; absent = same namespace as the referrer.
timing object
Start/end timestamps for the restore run.
endTime
string
When the restore reached a terminal phase (RFC3339).
startTime
string
When the mover began restoring (RFC3339).
No matches. Try .spec.credentialProjection for an exact path