File Recovery Sessions
A FileRecoverySession custom resource (CR) is used to request network access to files in one or more exported RestorePoints in a namespace.
Veeam Kasten will automatically exclude the FileRecoverySession resource from all backups.
Implementation
Veeam Kasten maintains a Pod in the kasten-io namespace
for each active FileRecoverySession CR.
Within the Pod it mounts the filesystems of the requested
volumes and runs an OpenSSH SFTP service.
The volumes referenced by the CR are not restored in their entirety,
but instead their data are fetched on demand via FUSE-based interfaces.
Block mode exports utilize the underlying node's operating system
to mount ext4 and xfs Linux filesystems; ntfs filesystems
are supported via the ntfs-3g package.
Block mode exports may also involve the creation of loopback devices
to access disk partitions.
The Pod is configured with the following security configuration:
-
It runs with privilege (i.e. as the
rootuser) in order to use FUSE and loopback devices and to mount filesystems. -
It directly accesses the underlying node's
/devfilesystem to access FUSE and loopback device paths. - It requires the
SYS_ADMINcapability in order to mount filesystems.
Associated with this Pod are Kubernetes Service and NetworkPolicy objects that expose and protect access to the SFTP service.
File Recovery Session Operations
The kubectl command or the Kubernetes API can be used to Create,
Read or List, Update, or Delete FileRecoverySession CR objects.
See Restoring Individual Files for usage examples, and FileRecoverySession API Type below for an explanation of the fields.
Additionally, the k10tools command provides support to operate on FileRecoverySession CRs.
Permissions
The principal initiating a file recovery session requires
get, create, and delete permissions for the FileRecoverySession CR
in the datamover.kio.kasten.io API group.
These permissions are provided by both the k10-admin and k10-basic pre-configured ClusterRoles. Alternatively the required permissions can be included in a custom role.
Limits on Resource Consumption
A FileRecoverySession CR consumes shared system resources including:
- FUSE devices
- Loopback devices
- Kernel mount points
- Network resources
- Memory and CPU
The amount of system resources consumed by any given FileRecoverySession CR is proportional to the number of volume requests made in the CR, and the organizational complexity of the volume. For example, unpartitioned disks use less system resources than partitioned disks.
Multiple Helm parameters, are provided to limit the total concurrent volume mounts and session duration:
- frs.maxMountsPerSession
- frs.maxMountsPerNamespace
- frs.maxSystemMounts
- frs.sessionExpiryTimeInMinutes
FileRecoverySession API Type
The following is a complete specification of the FileRecoverySession custom resource.
# Standard Kubernetes API Version declaration. Required.
apiVersion: datamover.kio.kasten.io/v1alpha1
# Standard Kubernetes Kind declaration. Required.
kind: FileRecoverySession
# Standard Kubernetes metadata. Required.
metadata:
# Namespace of the FileRecoverySession. Required.
namespace: app2
# Name of the FileRecoverySession. Either Name or GenerateName must be set.
name: frs-app2
# GenerateName is an optional prefix used to auto-create a unique name if Name is not set.
generateName: "frs-"
# Spec of the FileRecoverySession. Required.
spec:
# Volumes is a list of volume backups, each identified by the name of the volume PVC
# and a RestorePoint that captured the content of that volume at some point in time.
#
# It is possible to repeat the PVC and RestorePoint names across list entries, but the
# combination of any specific PVC and RestorePoint name must be distinct in the list.
# Specifying multiple RestorePoints for a single PVC enables the detection
# of changes between the snapshots. Specifying just a single RestorePoint is useful
# when the RestorePoint containing the data to be recovered is known.
#
# Only RestorePoints of export operations are supported, and all the specified
# RestorePoints must export data to the same location.
#
# External policy may limit the number of volume requests that can be specified.
# Runtime availability of resources may limit the ability to fulfil the request.
volumes:
# RestorePointName is the name of an apps.kio.kasten.io/v1alpha1 RestorePoint object in the Namespace.
- restorePointName: rpc-name
# PVCName is the name of a PersistentVolumeClaim object in the Namespace.
pvcName: pvc-name
# Transports specifies the transport protocols to be used.
# At least one transport protocol must be specified.
transports:
# SFTP contains configuration information for Secure FTP.
sftp:
# UserPublicKey is the public SSH key of a user authorized to use the service.
userPublicKey: "public key"
# Status of the FileRecoverySession. Set by Veeam Kasten.
status:
# State reflects the progress made in fulfilling the request. Value is one of:
# - Starting
# No action has been taken yet.
# - Processing
# Activity to fulfil the request has started.
# - Ready
# The requested volumes can now be accessed via a requested transport protocol.
# - Failed
# Processing of a request has failed or a fulfilled request has timed out.
# - Resetting
# All previous progress toward fulfilling the request is being cleaned
# up to handle a change in the request specification.
state: Starting
# Conditions is a standard Kubernetes type that provides detailed progress.
conditions: []
# ExpiryTime is set once the state becomes Ready, and specifies the max duration of the session.
expiryTime: "2025-10-28T21:20:08Z"
# LastUpdateTime is set every time the Status is updated.
lastUpdateTime: "2025-10-28T20:50:08Z"
# Transports returns connection details for the requested transport protocols when the state is Ready.
transports:
# SFTP status contains connection information for the Secure FTP service.
sftp:
# Endpoints contains a list of cluster DNS addresses for the Service object exposing the SFTP service.
endpoints:
- frs-26zl6.kasten-io.svc.cluster.local.
# HostKeyFingerprint is the fingerprint of the service host key.
hostKeyFingerprint: "SHA256:HostKeyFingerprint"
# HostKeySignature contains the service host key in the "known hosts" file format.
hostKeySignature: "[frs-26zl6.kasten-io.svc.cluster.local.]:2222 ssh-ed25519 HostKeySignature"
# The port number used by the SFTP service.
portNumber: 2222
# The name of the Kubernetes Service object exposing the SFTP service.
serviceName: frs-26zl6
# The namespace of the Kubernetes Service object exposing the SFTP service.
serviceNamespace: kasten-io