Version: 7.5.9 (latest)

Kanister Pod Override

In some cases, the pod specifications of Kanister job pods need to be overridden with custom values, such as tolerations for taints, nodeSelector, or serviceAccountName. This is useful when the pods need to be scheduled on a particular node, or must use a ServiceAccount that provides limited access. Changing these values manually for each Kanister job pod is not feasible.

To apply a custom pod override to all Kanister pods, create a ConfigMap named pod-spec-override in the kasten-io namespace. Veeam Kasten will merge the specifications configured in pod-spec-override with other specifications set through Helm (such as Root CA) and apply the merged configuration to all Kanister job pods.

Note

imagePullSecrets and securityContext should not be set via pod-spec-override. If these configurations are set in this manner, Veeam Kasten will ignore them.

Note

When the Helm option for providing a Root CA to Veeam Kasten (i.e., cacertconfigmap.name) is enabled, the Kanister Backup/Restore workflow creates a new ConfigMap in the application namespace to provide the Root CA to the sidecar. This ConfigMap in the application namespace is a copy of the Root CA ConfigMap residing in the Veeam Kasten namespace, and the copy is deleted at the end of the workflow. To override this behavior, create the Root CA ConfigMap in the application namespace and set the respective Volume and VolumeMounts in the pod-spec-override ConfigMap in the kasten-io namespace.

For example, the following ConfigMap defines a Pod specification that contains tolerations for node taints, a nodeSelector, a serviceAccountName, and the Volume and VolumeMounts for a custom CA bundle.

apiVersion: v1
data:
  override: |
    kind: Pod
    spec:
      nodeSelector:
        disktype: ssd
      tolerations:
      - effect: NoSchedule
        key: app
        operator: Equal
        value: mysql
      serviceAccountName: abcd
      containers:
      - name: container
        volumeMounts:
        - mountPath: /etc/ssl/certs/custom-ca-bundle.pem
          name: custom-ca-bundle-store
          subPath: custom-ca-bundle.pem
      volumes:
      - configMap:
          defaultMode: 420
          name: custom-ca-bundle-store
        name: custom-ca-bundle-store
kind: ConfigMap
metadata:
  name: pod-spec-override
  namespace: kasten-io
...

This ConfigMap is then merged into all Kanister job Pod specifications. With it applied, a Kanister restore job Pod would look like:

apiVersion: v1
kind: Pod
metadata:
  name: restore-data-*
  namespace: mysql
spec:
  containers:
  - name: container
    imagePullPolicy: IfNotPresent
    volumeMounts:
    - mountPath: /etc/ssl/certs/custom-ca-bundle.pem
      name: custom-ca-bundle-store
      subPath: custom-ca-bundle.pem
  nodeSelector:
    disktype: ssd
  serviceAccount: abcd
  serviceAccountName: abcd
  tolerations:
  - effect: NoSchedule
    key: app
    operator: Equal
    value: mysql
  volumes:
  - configMap:
      defaultMode: 420
      name: custom-ca-bundle-store
    name: custom-ca-bundle-store
...
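A pre-apply check for the note above that imagePullSecrets and securityContext are ignored: this added example (not part of the Veeam Kasten documentation or tooling) scans the override block of a pod-spec-override manifest and reports every path where one of those two keys appears, so a hardening setting that would be silently dropped is caught before it is relied on. It assumes the `override: |` block-scalar layout shown above and flags the keys at any nesting level; the function names and the sample manifest are constructed for illustration.

```python
import re

# The two fields the page says Veeam Kasten ignores in pod-spec-override.
IGNORED_KEYS = {"imagePullSecrets", "securityContext"}
# A mapping key, optionally preceded by YAML list dashes; group 1 gives its column.
KEY_RE = re.compile(r"^(\s*(?:-\s+)*)([A-Za-z][\w.-]*):(\s|$)")

# Constructed sample (not from the page): three settings that would be dropped.
SAMPLE = """\
data:
  override: |
    spec:
      securityContext:
        runAsNonRoot: true
      imagePullSecrets:
      - name: regcred
      containers:
      - name: container
        securityContext:
          readOnlyRootFilesystem: true
"""

def override_block(manifest):
    """Return the lines of the indented `override: |` block scalar."""
    lines = manifest.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(\s+)override:\s*\|[-+]?\s*$", line)
        if m:
            body = []
            for nxt in lines[i + 1:]:
                # The block ends at the first non-blank line indented no deeper.
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= len(m.group(1)):
                    break
                body.append(nxt)
            return body
    raise ValueError("no 'override: |' block scalar found")

def ignored_fields(manifest):
    """Dotted paths of keys in the override that would be ignored."""
    stack, found = [], []          # stack holds (column, key) for the current path
    for line in override_block(manifest):
        m = KEY_RE.match(line)
        if m:
            indent, key = len(m.group(1)), m.group(2)
            while stack and stack[-1][0] >= indent:
                stack.pop()
            stack.append((indent, key))
            if key in IGNORED_KEYS:
                found.append(".".join(k for _, k in stack))
    return found
```

An empty list from `ignored_fields` means the override contains neither key; any returned path names a setting that has to be configured through another mechanism.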

Configuring custom labels and annotations

Kanister pods launched during Veeam Kasten operations can be configured with additional custom labels and annotations through Helm Values.

Custom labels and annotations can be configured through Helm in the following ways:

  • Providing the path to one or more YAML files during helm install or helm upgrade with the --values flag:

    kanisterPodCustomLabels: "key1=value1,key2=value2"
    kanisterPodCustomAnnotations: "key1=value1,key2=value2"

  • Modifying the resource values one at a time with the --set flag during helm install or helm upgrade:

    --set=kanisterPodCustomLabels="key1=value1,key2=value2"
    --set=kanisterPodCustomAnnotations="key1=value1,key2=value2"