Release Notes
7.5.10
Release Date: 2025-04-18
New Features
- Added support for restoring VMs with overriding image references on SUSE Virtualization (Harvester).
- Added support for unencrypted VM image backup, restore, and migration on SUSE Virtualization (Harvester).
Bug Fixes
- Links to the Kasten documentation in the UI have been updated to reflect the new documentation structure.
- Fixed the missing link to Grafana on the Data Usage page when Grafana is installed.
Other Notes
- Starting with Veeam Kasten v8.0, all new and existing installations will default to Quick DR mode for Veeam Kasten Disaster Recovery (KDR). This mode is recommended for all installations where supported, snapshot-capable storage is available. Prior to upgrading to this version, any Veeam Kasten installation deployed using storage that lacks the ability to create or restore from local snapshots should explicitly disable Quick DR mode using Helm values.
7.5.9
Release Date: 2025-04-03
Bug Fixes
- Fixed an issue where users without RBAC permission to list actions may encounter timeouts during loading of dashboard activity section.
- Fixed an issue causing panic and executor pod restarts after some FCD snapshot errors.
- Fixed an issue where while using Veeam Kasten Disaster Recovery on OpenShift environment, an incorrect error was being displayed in case of file permissions issue.
Security Issues
- Updated base image used to build Veeam Kasten container images to pull in latest security updates.
- Upgrade to Go 1.23.8 to mitigate CVE-2025-22871.
Deprecations
- Legacy pages for Location and Infrastructure Profiles, which were previously still available using features flags, have been removed from the UI.
Other Notes
-
The SBOM download URL has been updated to
https://docs.kasten.io/downloads/<version>/sboms/sboms-<version>.tar.gz
. The SBOM for the latest version can also be downloaded fromhttps://docs.kasten.io/downloads/latest/sboms/sboms-<version>.tar.gz
. - Starting with Veeam Kasten v8.0, all new and existing installations will default to Quick DR mode for Veeam Kasten Disaster Recovery (KDR). This mode is recommended for all installations where supported, snapshot-capable storage is available. Prior to upgrading to this version, any Veeam Kasten installation deployed using storage that lacks the ability to create or restore from local snapshots should explicitly disable Quick DR mode using Helm values.
7.5.8
Release Date: 2025-03-20
New Features
- Added support for Kubernetes 1.32.
- Improved the
VirtualMachine
snapshot and restore workflow to automatically include cluster scoped resources that are referred in VirtualMachine.
Bug Fixes
- Fixed an issue where ephemeral pods created during KDR restore were missing
required-scc
annotation which was causing failures while writing files in ephemeral pods in OpenShift environments. - Fixed an issue where during KDR restore, Kasten deployments were not getting scaled down due to existing deprecated fields in OpenShift environments.
- Fixed an issue that could cause the Block-mode upload Pod to become stale under certain conditions.
Security Issues
- Updated base image used to build Veeam Kasten container images to pull in latest security updates.
Deprecations
- Removed support for Kubernetes 1.28.
Other Notes
- The default value of the cache limit for snapshot and export workflow is set to 500MB. This change is to avoid the cache from growing indefinitely and consuming more storage.
7.5.7
Release Date: 2025-03-11
Release Summary
Veeam Kasten v7.5.7 is a re-release of v7.5.5 that corrects packaging and documentation issues.
Known Issues
- Fixed issue of missing k10tools images for Veeam Kasten v7.5.5.
- Fixed issue of missing release notes for Veeam Kasten v7.5.6.
7.5.5
Release Date: 2025-03-08
Bug Fixes
- Resolved the image copy failure that occurred during the offline installation of the Kasten 7.5.4 Operator.
- A more helpful validation error message is now displayed when K10DR validate fails on the Configure DR page.
Security Issues
- Upgrade to Go 1.23.7 to mitigate security vulnerabilities.
Other Notes
- The Activity Section Filter in the UI now returns individual root actions instead of grouped actions when filtering by Action and grouped Policy Runs when filtering by Policy name.
7.5.4
Release Date: 2025-02-25
Bug Fixes
- Corrected Operator metadata which caused the Kasten Operator to not be listed in the Red Hat Marketplace for the amd64 platform with the 7.5.3 release.
- Fixed an issue where Pods created while restoring a Veeam Kasten Disaster Recovery backup were using the default service account. This includes Pods with prefix restore-data-dr-, data-mover-svc- and restorectl-validate-. These Pods will now run with the service account used by other Kasten Pods.
- Fixed a bug in the validation of immutable settings for policies that use the VBR scale-out backup repository.
Security Issues
- Update K10 services base image to pull in latest security updates.
- Updated base image used to build Veeam Kasten container images to pull in latest security updates.
- Upgrade to Go 1.23.6 to mitigate security vulnerabilities.
7.5.3
Release Date: 2025-02-06
New Features
- Application details panel in Veeam Kasten dashboard has been improved to show the policies selecting that namespace.
- Added support for exporting NetApp ONTAP-NAS-Economy volume snapshots created using Trident CSI v24.10.0 or later.
Bug Fixes
- Fixed a potential panic in
aggregatedapis-svc
when running Kasten DR restore. - Fixed an issue where RetireActions associated with blueprints were failing due to missing
custom-ca-bundle-store
ConfigMap. - Fixed an issue where
imagePullSecrets
were not being set in affinity pod created during Veeam Kasten Disaster Recovery workflow - Fixed the formatting of documented
KastenDRRestore
examples. - Fixed the ability to set the
limiter.executorReplicas
value.
Security Issues
- Upgraded Prometheus to chart version
v26.1.0
to pull in latest security updates. - Update K10 services base image to pull in latest security updates.
- Redacted sensitive information in Kasten logging.
7.5.2
Release Date: 2025-01-10
New Features
- Added Helm flags to control the degree of parallelism when uploading or downloading snapshot data exported in :ref:
block mode<block_mode_export>
. - Added the ability to copy Iron Bank images to/from the local filesystem using the
k10tools ironbank image copy
command (--dst_path
and--src-path
options).
Bug Fixes
- Removed restrictive validation that previously prevented the creation of a policy with file mode export on Tanzu clusters.
- Fixed an issue where SSL certificate validation was failing when performing a Veeam Kasten Disaster Recovery (KDR) restore from a S3 compatible location profile.
- Fixed an issue where generic backup of shareable volumes failed because encryption key artifact was not found.
- Fixed an issue that prevented users from creating new vSphere infrastructure profiles.
- Fix a false positive tampering warning for specific blobs that required retry during export.
Security Issues
- Update K10 services base image to pull in latest security updates.
Other Notes
- The change to Quick DR mode for Veeam Kasten Disaster Recovery (KDR) as the default for new and existing installations planned for the v7.5.3 release will be delayed to a future release.
7.5.1
Release Date: 2024-12-12
New Features
- The Infrastructure Profiles page has been updated for additional clarity and visual consistency. Profiles can now be created and edited using a multi-step form.
- Added support for Azure Federated Identity for OpenShift on Azure in the UI.
- Added the ability to copy images to and from the local filesystem using
k10tools image copy
. - Added the ability to specify multiple platforms and/or remove attestation-manifests such as SBOMs and provenance when using
k10tools image copy
. - Added support for Kubernetes 1.31 starting from Veeam Kasten v7.5.0.
-
Added support for 64-bit Arm and Power
architectures, in addition to the already supported x86_64 architecture.
- Testing for Power was done on Red Hat OpenShift for IBM Power using the IBM Spectrum Scale CSI Driver.
- Testing for Arm was done on AWS Graviton using the AWS Elastic Block Storage (EBS) CSI Driver.
Bug Fixes
- Fixed an issue where setting local retention to 0 causes metadata export to fail.
- Fixed an issue where creating an Azure infrastructure profile with a default client ID would fail with a
missing client ID
error. - Fixed inconsistencies when paging through recent actions on Veeam Kasten dashboard. Capped count displayed of filtered recent actions.
- Correctly hides the "Multi-Cluster" sidebar link on a drilled into secondary cluster in Multi-Cluster mode.
Security Issues
- Basic users are now restricted from viewing application details of applications in other namespaces.
- Basic users now require specific permission to view each action type through the Veeam Kasten dashboard.
- Update K10 services base image to pull in latest security updates.
Upgrade Notes
-
This release will perform a catalog schema upgrade. The
catalog-pv-claim
PVC size may need to be increased to ensure a successful upgrade. The schema upgrade requires at least 50% of free space in thecatalog-pv-claim
PV. You can view available catalog storage space in the Kasten dashboard underSettings > System Information > Upgrade Status
. Refer to :ref:this<install_upgrade>
page for more information.
7.5.0
Release Date: 2024-12-02
Release Summary
Veeam Kasten for Kubernetes v7.5 builds upon Veeam's leadership in Kubernetes data protection by introducing significant advancements in performance, security, and expanded support for modern virtualization solutions.
New and enhanced capabilities of Veeam Kasten v7.5 include:
-
Performance Improvements: Data mover optimizations to reduce initial backup and on-going incremental backup duration by up to 3x for volumes containing millions of files.
-
Granular Worker Pod Requests & Limits: New custom resources, ActionPodSpec and ActionPodSpecBinding, allowing per-app or per-policy Kubernetes resource requests and limits for dynamically provisioned worker Pods used for data protection operations.
-
Expanded Changed Block Tracking Support: Integration with Microsoft Azure to enable CBT for Azure Managed Disk volumes for efficient data exports.
-
OpenShift Console Plugin: Providing data protection insights including compliance, storage utilization, and recent activity without leaving the OpenShift console.
-
Azure Federated Identity: Enhancing security for Azure Infrastructure Profiles by eliminating the need for long-lived credentials.
-
Expanded Immutability Support: Integration with Google Cloud Storage enabling protection of Kasten backups against ransomware or accidental deletion.
-
Expanded FIPS 140-3 Support: Kasten Multi-Cluster Manager and Veeam Backup & Replication Location Profiles can now be used in FIPS mode on supported OpenShift clusters.
-
OpenShift Virtualization Instance Types: VMs created using Instance Types can now be restored without requiring additional transformation.
-
SUSE Virtualization (formerly Harvester): Introducing support for backup and restore operations of SUSE Virtualization VMs.
New Features
- Added the Dynamic Console Plugin for the OpenShift Web Console for OpenShift versions prior to 4.15. For more details, please refer to the Using Veeam Kasten Console Plugin section.
- Included the Software Bill of Materials (SBOM) as part of the published images. Please refer to this documentation for more information.
- Allow block mode exports of Harvester VM image volumes, bypassing the need to annotate the image storage class with
k10.kasten.io/sc-supports-block-mode-exports=true
if the storage class used for VM image creation is already annotated. - Added support for Kubernetes 1.31.
- Added KastenDRReview and KastenDRRestore custom resources to enable KDR recovery via Kubernetes API or CLI.
- Added support for backing up and restoring Multi-Cluster Manager configuration resources for primary and secondary clusters when Quick DR mode is enabled.
- Added support to restore
VirtualMachines
that are referring toVirtualMachineInstanceTypes
,VirtualMachinePreferences
, or their respective cluster scoped resources.
Bug Fixes
- Fixed an issue where disaster recovery of Veeam Kasten using Helm would fail if the installation was performed in a namespace other than
kasten-io
.
Security Issues
- Improved algorithm for authentication cookie validation in OIDC mode. All the users will need to re-login.
Known Issues
- Metadata export fails when using a policy with zero local retention or a policy that references a preset with zero local retention. As a workaround, set the retention count to a value greater than zero. Fixed in release 7.5.1.
Deprecations
- The
k10restore
Helm chart is deprecated and will be removed in a future release. See Veeam Kasten Disaster Recovery for details on alternate options to recover Veeam Kasten. - Removed support for helm values deprecated since Kasten 7.0.10 -
apigateway.serviceResolver
,gateway.insecureDisableSSLVerify
,gateway.exposeAdminPort
, andservice.gatewayAdminPort
. - Removed support for the helm values
secrets.apiTlsCrt
andsecrets.apiTlsKey
, which were deprecated in Veeam Kasten7.0.8
. - Grafana has been removed from Veeam Kasten's installation process, installing Veeam Kasten no longer installs Grafana. This guide can be followed to set up a separate instance of Grafana.
- The
k10offline
tool has been replaced withk10tools image
. Please refer to the :ref:air-gapped install<offline>
documentation for more information on usingk10tools image
. -
The original
injectKanisterSidecar
Helm parameters are deprecated and will be removed in an upcoming release in favor ofinjectGenericVolumeBackupSidecar
. Please update existing Helm- or Operator-based Veeam Kasten deployment configurations with the corresponding replacement parameters. Replacement parameter naming is intended to better reflect the purpose of each, but there is no change to parameter function.
Other Notes
- Starting with Veeam Kasten v7.5.3, all new and existing installations will default to Quick DR mode for Veeam Kasten Disaster Recovery (KDR). This mode is recommended for all installations where supported, snapshot-capable storage is available. Prior to upgrading to this version, any Veeam Kasten installation deployed using storage that lacks the ability to create or restore from local snapshots should explicitly disable Quick DR mode using Helm values.
- Grafana will no longer be included as part of the Veeam Kasten installation. Upon upgrading to this version, the integrated version of Grafana will be removed. It is advised to install Grafana separately and follow the procedure described in KB4635 to configure the Kasten dashboard and any alerts prior to upgrading to version
7.5.0
.
7.0.14
Release Date: 2024-11-15
New Features
- Added the Dynamic Console Plugin for the OpenShift Web Console for OpenShift versions 4.15+. For more details, please refer to the Using Veeam Kasten Console Plugin section.
- Added support for Azure Federated Identity for OpenShift on Azure via helm. Refer to this section for more details.
- Added support for OCP 4.16 starting Veeam Kasten v7.0.12.
- Added support for OCP 4.17.
Bug Fixes
- Fixed installation failure introduced in Veeam Kasten 7.0.13 if the Helm flag
auth.ldap.restartPod
is set to true.
Security Issues
- Update K10 services base image to pull in latest security updates.
Known Issues
- Metadata export fails when using a policy with zero local retention or a policy that references a preset with zero local retention. As a workaround, set the retention count to a value greater than zero.
Deprecations
- The original Helm parameter keys listed below are deprecated and will be removed in an upcoming release. Please update existing Helm- or Operator-based Veeam Kasten deployment configurations with the corresponding replacement parameters. Replacement parameter naming is intended to better reflect the purpose of each, but there is no change to parameter function.
Original Parameter Name | Replacement Parameter Name |
---|---|
executorReplicas |
limiter.executorReplicas |
kanisterPodMetricSidecar |
workerPodMetricSidecar |
services.executor.workerCount |
limiter.executorThreads |
services.executor.maxConcurrentRestoreCsiSnapshots |
limiter.csiSnapshotRestoresPerAction |
services.executor.maxConcurrentRestoreGenericVolumeSnapshots |
limiter.volumeRestoresPerAction |
services.executor.maxConcurrentRestoreWorkloads |
limiter.workloadRestoresPerAction |
limiter.concurrentSnapConversions |
limiter.snapshotExportsPerAction |
limiter.genericVolumeSnapshots |
limiter.genericVolumeBackupsPerCluster |
limiter.genericVolumeCopies |
limiter.snapshotExportsPerCluster |
limiter.genericVolumeRestores |
limiter.volumeRestoresPerCluster |
limiter.csiSnapshots |
limiter.csiSnapshotsPerCluster |
limiter.providerSnapshots |
limiter.directSnapshotsPerCluster |
limiter.imageCopies |
limiter.imageCopiesPerCluster |
kanister.backupTimeout |
timeout.blueprintBackup |
kanister.restoreTimeout |
timeout.blueprintRestore |
kanister.deleteTimeout |
timeout.blueprintDelete |
kanister.hookTimeout |
timeout.blueprintHooks |
kanister.checkRepoTimeout |
timeout.checkRepoPodReady |
kanister.statsTimeout |
timeout.statsPodReady |
kanister.efsPostRestoreTimeout |
timeout.efsRestorePodReady |
kanister.podReadyWaitTimeout |
timeout.workerPodReady |
maxJobWaitDuration |
timeout.jobWait |
forceRootInKanisterHooks |
forceRootInBlueprintActions |
Other Notes
- Usage of VBR location profile is now supported in FIPS mode.
7.0.13
Release Date: 2024-10-31
New Features
-
Added support for incremental block mode export with changed block tracking (CBT) for
Azure Disk volumes provisioned using the
disk.csi.azure.com
CSI driver. - Added support for read-only location profiles for import & restore operations, providing enhanced control over data access and security.
Security Issues
- Update Grafana version to
8.5.8
to pull in the latest security updates. - Upgraded Prometheus chart version to
25.28.0
to pull in latest security updates.
Other Notes
- Enhancements have been made to the method used for estimating the amount of data left to upload.
7.0.12
Release Date: 2024-10-18
New Features
- Added immutability support for Google Cloud Storage location profiles.
Bug Fixes
-
Fixed an issue where a Deployment without a ReplicaSet or a DeploymentConfig without a ReplicationController
would cause a snapshot to fail. Enabling
Ignore Exceptions and Continue if Possible
will now proceed with a best effort snapshot (unless the degraded workload uses a Blueprint).
7.0.11
Release Date: 2024-10-07
Release Summary
This release addresses the following bugs encountered after the release of 7.0.10 (which was retracted).
Bug Fixes
- Fixed an issue rendering the logging network policy which caused it to be omitted.
- Fixed an issue that caused validation failures for PolicyPreset resources.
7.0.10
Release Date: 2024-10-03
New Features
-
Added Helm flags
podLabels
andpodAnnotations
to thek10restore
chart to add custom pod labels and annotations to pods created during Veeam Kasten Disaster Recovery. Refer to this section for more information. - Granular resource requests/limits configuration for k10 worker pods.
Bug Fixes
- Fixed an issue where some Veeam Kasten clusters installed with multi-cluster management enabled do not prompt the user to accept the EULA when first accessing the Dashboard. Clusters without an accepted EULA will prompt for acceptance following upgrade.
- Allow Red Hat Operator based Kasten installation to create a custom route configuration.
- Fixed an issue where an excluded, stale GVR could still cause a policy run to fail.
Security Issues
- Update K10 services base image to pull in latest security updates.
Deprecations
-
The following helm values are deprecated and will be removed in an upcoming release -
apigateway.serviceResolver
,gateway.insecureDisableSSLVerify
,gateway.exposeAdminPort
, andgateway.service.adminPort
.
Other Notes
- A new image called
gateway
has been added to Veeam Kasten. - Multiple policies that select the same applications now perform separate actions, associated with the respective policy, when run simultaneously.
7.0.9
Release Date: 2024-09-20
New Features
- Added Helm flags
global.podLabels
andglobal.podAnnotations
that can be used to set labels and annotations on all Veeam Kasten pods globally.
Security Issues
- Update K10 services base image to pull in latest security updates.
Deprecations
- The Helm flags
kanisterPodCustomLabels
andkanisterPodCustomAnnotations
are deprecated and will be removed in a future version, targeting Q2 2025. Please use the flagsglobal.podLabels
andglobal.podAnnotations
to configure labels and annotations for Veeam Kasten pods.
7.0.8
Release Date: 2024-09-05
New Features
- Extended the k10_debug.sh script to optionally collect metrics from the Prometheus server installed by Veeam Kasten. Positional arguments have been replaced with optional flags.
- Preserving SELinuxLevel of source namespace for the Kanister Pod during the Export phase has been added for OpenShift clusters.
- Added a User Profile page and updated the main header with a new User Menu and a dark mode toggle. Launching the guided tour was moved to the new User Menu.
Security Issues
- Update K10 services base image to pull in latest security updates.
Deprecations
-
The Helm values
secrets.apiTlsCrt
andsecrets.apiTlsKey
are deprecated and will be removed in an upcoming release. Please usesecrets.tlsSecret
to specify the name of a secret of typekubernetes.io/tls
. This reduces the security risk of caching the certificates and keys in the bash history.
7.0.7
Release Date: 2024-08-22
Bug Fixes
- Fixed an issue where an excluded, non-running VirtualMachine could still cause a policy run to fail.
Other Notes
- PDF reports can now be generated using the native browsers print dialog.
7.0.6
Release Date: 2024-08-09
New Features
- Added support for Kubernetes 1.30.
-
A new
openshift.io/required-scc
annotation has been applied to all K10 pods. Starting withOpenshift 4.14
, it will force K10 pods to use thek10-scc
SecurityContextConstraints
. Default priority fork10-scc
SCC set to 0.
Bug Fixes
- Downloads of Block mode snapshot exports during restore were not honoring the rate limit set by the limiter.genericVolumeRestores Helm option.
- Pre and post-snapshot action hooks now persist correctly when using a preset during policy form configuration.
- Fixed an issue that occurred when enabling immutability for an existing profile on Wasabi.
Security Issues
- Fixed critical authentication vulnerability. This upgrade is recommended for all users.
Deprecations
- Removed support for Kubernetes 1.26.
7.0.5
Release Date: 2024-07-25
New Features
- FIPS-enabled clusters now support joining a Veeam Kasten multi-cluster instance and promotion to a multi-cluster primary.
- General availability of a new user interface to simplify recovery of an entire Kasten instance following the loss of a cluster. Refer to Recovering Kasten from a Disaster via UI.
- The Location Profiles page now supports a dedicated view page, multi-step form, and table view with filtering option.
- When using OpenShift OAuth authentication, OpenShift Root CA certificates are now automatically included in the Kasten custom CA bundle. For more details, please refer to the OpenShift Authentication section.
-
New
openshift.io/required-scc
annotation has been applied to all K10 permanent running pods. Starting withOpenshift 4.14
, it will force K10 pods to use thek10-scc
SecurityContextConstraints
.
Bug Fixes
- Updated the Kasten Operator to ensure the
datamover
andmetric-sidecar
images are pulled from the Red Hat image registry.
Security Issues
- Update K10 services base image to pull in latest security updates.
7.0.4
Release Date: 2024-07-11
New Features
- Added a new helm flag
grafana.external.url
that can be used to configure the URL of an externally installed Grafana instance.
Bug Fixes
- Fixed an issue that could prevent upgrade to versions 7.0.2 and 7.0.3.
- Fixed an issue that occurred when enabling immutability for an existing profile.
- The
ingress.tls.secretName
Helm parameter is now optional when Ingress TLS is enabled. - Insecure connections to a multi-cluster primary are now restricted by default. Refer to HTTP primary ingress connections for details.
Security Issues
- Upgrade Fluent Bit to mitigate CVE-2024-4323.
- Upgrade to Go 1.22.5 to mitigate security vulnerabilities.
Other Notes
- Grafana will no longer be included in the Veeam Kasten installation process from the upcoming release
7.5.0
. Upon upgrading to this version, the integrated version of Grafana will be removed. It is advised to install Grafana separately and follow the procedure described in our knowledge base article to configure the Kasten dashboards and alerts before upgrading Kasten to version7.5.0
.
7.0.3
Release Date: 2024-06-28
Bug Fixes
- Fixed a potential issue in the UI where the dropdown selector for profiles did not populate as expected.
7.0.2
Release Date: 2024-06-27
New Features
-
K10 now automatically attaches the
k10.kasten.io/containsGVS
label to exported RestorePoint and RestorePointContent resources to indicate a backup containing Generic Volume Snapshots. -
Added the
datastore.parallelDownloads
helm option to allow configuring the number of files to be downloaded in parallel from the storage repository. For more information, please refer to the Helm Configuration for Parallel Download from the Storage Repository section.
Security Issues
- Upgrade Python packages to mitigate security vulnerabilities.
- Update K10 services base image to pull in latest security updates.
Upgrade Notes
-
This release will perform a catalog schema upgrade. The
catalog-pv-claim
PVC size may need to be increased to ensure a successful upgrade. The schema upgrade requires at least 50% of free space in thecatalog-pv-claim
PV. You can view available catalog storage space in the Kasten dashboard underSettings > System Information > Upgrade Status
. Refer to this page for more information.
7.0.1
Release Date: 2024-06-13
New Features
- Allow for canceling a Multi-Cluster Join Request from the UI if the join is stuck in a joining state.
Bug Fixes
- Fixed a bug that allowed unsupported partial restores of Virtual Machines.
- Fonts are now served from local static files instead of being fetched from Google Fonts.
Security Issues
- Upgrade to Go 1.22.4 to mitigate security vulnerabilities.
- Update K10 services base image to pull in latest security updates.
Other Notes
-
Following the renaming of Azure Active Directory to Microsoft Entra ID,
the Helm values
secrets.microsoftEntraIDEndpoint
andsecrets.microsoftEntraIDResourceID
have been added to configure Endpoint and Resource ID when required. The original Helm values,secrets.azureADEndpoint
andsecrets.azureADResourceID
, continue to be supported but will be deprecated in a future release.
7.0.0
Release Date: 2024-05-31
Release Summary
Veeam Kasten V7.0 represents another leap forward for the industry's leading platform for Kubernetes data protection and application mobility. This release focuses on improving cyber resilience, enabling new integrations with enterprise partners, and enhancing the restore experience.
New and enhanced capabilities of Kasten V7.0 include:
-
FIPS 140-3 Compliance: Kasten can now be installed in FIPS mode on supported OpenShift clusters.
-
Expanded Immutability Support: Azure Location Profiles now support immutable backups. Additionally, raw block mode volumes can now be protected using any immutability-enabled Location Profile.
-
Expanded SIEM Support: Added example Kasten-specific events for Microsoft Sentinel SIEM.
-
Dashboard Authentication: The existing process for enabling OpenShift OAuth integration has been further automated to simplify configuration. Dashboard authentication options now allow the configuration of sensitive values by referencing an existing Secret, providing additional flexibility in integrating with Secrets management tools to achieve secure deployments of Kasten.
-
Secure Supply Chain: Kasten Helm chart provenance can now be verified before installation.
-
Azure Marketplace Availability: Offers simplified deployment and consolidated licensing of Kasten for clusters on Azure.
-
OpenShift ImageStream: Native support for protecting and restoring container images managed by ImageStreams and hosted using the OpenShift internal registry.
-
Multi-Cluster Manager: A new user interface simplifies the creation of a primary cluster and the addition of secondary clusters. Creation of a primary cluster and the addition of secondary clusters can be fully automated using GitOps tools.
-
Kasten-DR: A new user interface simplifies the recovery of an entire Kasten instance following the loss of a cluster.
-
Restore Volume Clones: Added the ability to restore copies of volumes within the original namespace to enable self-service data retrieval without impacting running workloads.
New Features
-
Added the
extract-certificates
sub-command to thek10tools openshift
for extracting CA certificates from OpenShift clusters. For more details, please refer to the Extracting OpenShift CA Certificates section. - Added the capability to automatically generate the OAuth Client Service Account with its corresponding secret for enabling OpenShift OAuth integration. For more details, please refer to the OpenShift Authentication section.
- Support for a FIPS compliant mode of operation. This activates the FIPS mode of the cryptographic modules and ensures adherence to strict federal guidelines by deactivating non-FIPS algorithms.
- Added support to install Kasten K10 via Azure Marketplace.
-
Added the ability to configure the ingress URL of a secondary cluster, required for
click-through access from the Multi-Cluster Manager, using
mc-join-configmap
. - Added the ability to promote a cluster to be the primary cluster in a Multi-Cluster system through the Kasten dashboard.
- Added the ability for a secondary cluster to join an existing Multi-Cluster system through the Kasten dashboard.
- Added progress indicators for restore actions.
- Added an alternative method for K10 Disaster Recovery, known as K10 Quick Disaster Recovery. This method introduces a faster and more storage-efficient approach to K10 Disaster Recovery. It provides recovery of applications' exported restore points and other K10 resources. Refer to the K10 Quick Disaster Recovery section for more details.
- Successfully restored volumes will now be retained between restore attempts within a single Restore action. This enhancement will significantly speed up retries in the event of partial failures.
- The details of application ExportAction and RestoreAction objects now contain information on volume data transfers associated with these actions. This information is also visible in the GUI in the "Action Details" panels.
Security Issues
- Update K10 services base image to pull in latest security updates.
Deprecations
-
The
k10multicluster
tool has been deprecated. Please refer to the getting started guide for configuring the Multi-Cluster system through the Kasten dashboard or via GitOps.
6.5.14
Release Date: 2024-05-17
New Features
- Support for Block mode export of a volume mounted in Filesystem Volume Mode is now possible with a PVC annotation, provided its StorageClass supports the Block VolumeMode.
- Added support for Helm chart verification using Helm provenance.
-
Added the
datastore.parallelUploads
helm option to allow configuring the number of files to be uploaded in parallel to the storage repository. For more information, please refer to the Helm Configuration for Parallel Upload to the Storage Repository section. - Added support for upgrading policies backing up applications using GSB/Kanister Blueprints.
- Added support for upgrading K10 DR policies.
Bug Fixes
- API now supports label selectors when listing passkey resources. Note that passkeys do not have, currently, any label assigned. Therefore, label selectors are most useful for passkeys when listing multiple resource types with a common label selector.
- Fixed a bug that caused restored PVCs to remain in a pending state.
- Resolved a compatibility issue with Kubernetes and third-party tools that was causing crashes in auth/dashboard services during OIDC authentication. The
auth.groupAllowList
field is now 'optional' to support scenarios where empty fields are not populated into secrets, resulting in improved stability in a wide range of deployment environments. - Fixed an issue with cancellation of a K10 policy session or a K10 session from VBR.
Security Issues
- Limited the scope of infrastructure credentials to improve security posture.
- Upgrade to Go 1.22.3 to mitigate security vulnerabilities.
- Update K10 services base image to pull in latest security updates.
Upgrade Notes
- Multi-cluster join process was updated. Join tokens generated from previous versions will be become invalid as part of this upgrade, and will be regenerated. New joins to multi-cluster requires both primary and secondary clusters to be upgraded to 6.5.14. Join configuration override options via the Join ConfigMap were updated. Secondary clusters that are already connected to a multi-cluster primary are not affected.
6.5.13
Release Date: 2024-05-02
New Features
- Added the ability to provide AWS credentials using a reference to a Secret. For additional information, please refer to the Existing Secret Usage section.
- Added the ability to provide Google Cloud credentials using a reference to a Secret. For additional information, please refer to the Existing Secret Usage section.
- Added the ability to change the value of the Priority field for the SecurityContextConstraints resource in Red Hat Openshift.
- Added the ability to provide vSphere credentials using a reference to a Secret. For additional information, please refer to the Installing K10 on VMware vSphere section.
Bug Fixes
- Fixed an issue that resulted in a timeout error during the restoration of large PVCs.
Security Issues
- Update K10 services base image to pull in latest security updates.
6.5.12
Release Date: 2024-04-19
New Features
- Added the ability to provide Azure credentials using a reference to a Secret instead of Helm parameters. For additional information, please refer to the Existing Secret Usage section.
- Added the ability to use the Ceph Rados Block Device API when exporting Ceph CSI RBD volumes in block mode, possibly reducing the size and duration of a backup.
- Added metrics to track the duration and transfer rate of data transfer operations, along with monitoring the volume count. A new panel has been added to the K10 Grafana dashboard to visualize these metrics.
- Added the ability to filter imported namespaces.
- Added the capability to now include local container images from ImageStreams when backing up an application.
- Added a Helm option to override the default name of the Ingress object for the K10 dashboard.
- Added Helm options for specifying the default backend service for the K10 dashboard Ingress object.
- Added Helm options for specifying the default backend resource for the K10 dashboard Ingress object.
- The authentication service now sends requests to an internal Dex instance using internal endpoints. This configuration is valid if K10 was set up with LDAP, AD, or OpenShift authentication.
- The Restore Volume Clones mode has been implemented, providing the ability to restore only data without affecting workloads.
- Added support to restore VirtualMachines in their original namespaces.
Bug Fixes
- Fixed an issue validating Infrastructure Profiles on Azure sovereign clouds.
- Fixed failure in restoring a block mode export from a locked but damaged S3 repository, within its protected period. After upgrading, a new backup must be made to the locked repository to support restoration within the protection period. Restoration from an undamaged repository continues to function as before.
- Fixed an issue where PVC labels were lost after restoration from an exported restore point.
- Restricted the immutable exports active monitoring for imported restore points. Only the original cluster can now extend protection.
Upgrade Notes
-
New multicluster joins require a
mc-join-config
ConfigMap along withmc-join
secret. For additional information, please refer to the Adding a Secondary Cluster section.
6.5.11
Release Date: 2024-04-05
New Features
- Added support for OCP 4.15.
- Added the ability to provide sensitive OIDC values using a reference to a Secret instead of Helm parameters. For additional information, please refer to the OpenID Connect Authentication section.
- This release introduces namespaced RunAction resource. All existing non-namespaced RunActions will be converted to namespaced resources automatically and inherit the namespace of the policy referenced in their specs. Non-admin users can now manually create RunActions, via kubectl or via K10 dashboard, in the namespaces that they have access to. Uses of RunActions in scripts and APIs should be reviewed and updated with namespaces as needed.
Security Issues
- Upgraded to Go v1.21.9 to mitigate security vulnerabilities.
Known Issues
- While creating a manual RunAction via
kubectl
, non-admin users will encounter a permission error forcustomresourcedefinitions.apiextensions.k8s.io
. Users can workaround this issue by passing--validate=false
along with the command. Creating manual RunAction via K10 dashboard is not affected. - Storage repository resources that had previously been deleted might be recreated when upgrading to this release or to a more recent one. It is safe to delete them again.
Upgrade Notes
-
This release will perform a catalog schema upgrade. The catalog service's PVC
service's PVC size may need to be increased to ensure a successful upgrade.
The schema upgrade requires at least 50% of free space in the catalog service's PVC.
You can find the current size at
Settings > Support > Upgrade Status
on the K10 dashboard. Refer to this page for more information.
6.5.10
Release Date: 2024-03-25
Bug Fixes
- Fixed an issue where some region names caused profile cards on Location Profile for object storage to not display correctly.
6.5.9
Release Date: 2024-03-25
New Features
- Added a new mandatory FCD migration step for the Instant Recovery process. The recovered application will be running from a network volume during the migration process.
Bug Fixes
- Fixed a UI issue when custom export retention settings couldn't be saved in Policy and Policy preset form.
- Fixed a bug that in rare cases allowed basic users to list actions in namespaces without authorization.
- Fixed an issue where in-tree storage plugin based PVs were left abandoned after an export action or after deleting a restored application, on the environments where in-tree storage plugins had been migrated to CSI volume provisioners.
Security Issues
- Users are now restricted from listing actions in namespaces without proper authorization. All customers are encouraged to upgrade to get the fix for this issue.
Deprecations
- The
auth.dex.*
helm values were removed in favor ofauth.openshift.*
andauth.ldap.*
. Deprecation had been announced since version 6.0.11.
6.5.7
Release Date: 2024-03-07
New Features
- Added the capability to automatically generate a token for the Service Account in the OpenShift authentication configuration. For additional information, please refer to the OpenShift Authentication section.
- Added capability to setup a cluster as a multicluster primary via Helm.
Bug Fixes
- Fixed a bug that prevented policy revalidation in secondary clusters.
- Fixed an issue with OIDC refresh token support, which prevented the UI session to continue after successful refresh.
- Fixed an issue where export with block mode volumes failed due to misconfigurations in the ephemeral pods' spec.
- Fixed storage repositories not listing correctly in certain Kubernetes clients.
- Fixed an issue with exports and restores when using the Dell VxFlexOS CSI driver.
Security Issues
- Upgraded google.golang.org/protobuf to mitigate CVE-2024-24786.
- Upgraded to Go v1.21.8 to mitigate security vulnerabilities.
- Changes in
SecurityContextConstraints
resource were made to reflect the latestsecurityContext
updates on K10 workloads. -
Explicitly set
runAsNonRoot=true
,seccompProfile=RuntimeDefault
,allowPrivilegeEscalation=false
andcapabilities.drop=["ALL"]
for K10 service containers. - Update K10 services base image to pull in latest security updates.
6.5.6
Release Date: 2024-03-01
New Features
- Added support for OCP 4.14.
Bug Fixes
- Fixed a performance issue affecting listing the Applications on the K10 Dashboard.
Deprecations
- Removed support for OpenShift 4.11. Reason - reached Red Hat's End-of-Life status on 2024-02-10.
6.5.5
Release Date: 2024-02-23
New Features
-
Added a new feature for multi-cluster configurations. Now, users can set secondary cluster names using
the
cluster-name
field within themc-join
secret of the secondary cluster. It is required that these names adhere to Kubernetes naming conventions and are unique within the managed cluster set. TheCluster
resource in the primarykasten-io-mc
namespace has been enhanced to use the provided name whenever possible. If the naming requirements are not met, the secondary cluster will fail to join the primary cluster. - Added the Helm options
defaultPriorityClassName
to specify the default priority class name for all K10 deployments and ephemeral pods. - Added the Helm options
priorityClassName.<deploymentName>
to override the default priority class name for the specified deployment. -
An additional step has been added to the DR restore process.
Newly DR-restored K10 instances will now require user confirmation
of the permanent deactivation of the original K10 before assuming
ownership of backup data. This confirmation involves deleting the
k10-dr-remove-to-get-ownership
configmap in the K10 namespace.
Bug Fixes
- Fixed an issue where the
aggregatedapis-svc
pod would log CRD deprecation warnings. - Fixed an issue where the custom values for ephemeral pods defined in the
pod-spec-override
config map and the K10 default settings defined via Helm values did not merge. - Fixed an issue with improper SCC selection after K10 upgrade in Red Hat OpenShift clusters.
Other Notes
- Independently (without K10) using, interacting, connecting, modifying, copying, upgrading, or in any way accessing/manipulating a K10 storage repository is unsupported and might cause data corruption/loss to some or all of the restore points. Users must never attempt to perform any such action themselves unless under constant, active, supervision by a member of Kasten's support or engineering teams.
6.5.4
Release Date: 2024-02-08
New Features
- Added the capability to refer to the client's secret name in the OpenShift authentication configuration. For additional information, please refer to the OpenShift Authentication section.
- Availability of SCC for DR limited to K10 DR user
-
Added the Helm options
kanisterPodMetricSidecar.resources
to specify resource settings for the Kanister pod metric sidecar. - Improved worker node count estimates for licensing in Openshift clusters.
Bug Fixes
- Fixed UX issues that affected the Policy form, the System Information, Data Usage, and Applications pages.
Please see this Knowledge Base article for more information.
- Fixed a bug that allowed basic users to access data without authorization.
Security Issues
-
Explicitly set
runAsNonRoot=true
,seccompProfile=RuntimeDefault
,allowPrivilegeEscalation=false
andcapabilities.drop=["ALL"]
for K10 service containers. - Users are now restricted from restoring data without proper authorization. All customers are encouraged to upgrade to get the fix for this issue.
- Update K10 services base image to pull in latest security updates.
6.5.3
Release Date: 2024-01-26
New Features
- Added the "Filter Resources" option in the Multiple Applications Restore form.
- Added Azure Immutability protection.
Bug Fixes
- Fixed an issue where Generic Storage Backup of applications with shareable volumes failed to connect to the backup repository.
- Fixed an issue where snapshot of an application with non-running Virtual Machines failed even after excluding the Virtual Machine resource using the policy's exclude parameters.
- Fixed the PDF download button on the Reports Table.
Security Issues
- Improve logging to prevent logging of sensitive backup location connection details.
Known Issues
- With the recent deprecation of in-tree provisioners, volumes that are restored from snapshots that use the GCE PD in-tree provisioner may not be deleted. For information on how to clean up these orphaned volumes, please refer to K10 knowledge base articles.
Upgrade Notes
- The gateway service port has changed to
80
. To emulate the previous behavior set thegateway.service.externalPort
value to8000
.
Deprecations
-
The K10 Operator no longer supports downloading PDF reports. Setting
reporting.pdfReports
astrue
for a K10 Operand install or upgrade will result in an error.
6.5.2
Release Date: 2024-01-12
New Features
-
Added the capability to configure the security context of Kanister Execution Hooks
using the new helm flag
forceRootInKanisterHooks
which is set totrue
by default. For additional information, please refer to the Configuring Security Context for Kanister Execution Hooks section. - The support for CephFS CSI Snapshots as shallow read-only volumes has been added.
- The ability to perform a read-only mount of a snapshot into the Kanister Pod during the Export phase has been added.
- The ability to preserve the SELinuxLevel of Pods and Deployments for the Kanister Pod during the Export phase has been added for OpenShift clusters.
- Added the ability to delete storage repository API resources.
- Added support for Kubernetes 1.28.
Bug Fixes
- Fixed incorrect api groups and specified verbs for resources in
k10 restore
helm chart.
Security Issues
- Upgrade
golang.org/x/crypto
to mitigate security vulnerability CVE-2023-48795. - Updates dependencies to address security vulnerabilities in 3rd party libraries.
Upgrade Notes
- If you have applications using native Ceph provisioning, please switch over to CSI-based Ceph provisioning for continued K10 support.
Deprecations
- Removed categories from vSphere profile. vSphere tags aren't used for tracking k10 snapshots anymore.
- K10 support for native Ceph provisioning, which was deprecated in K10 5.5.10, has now been removed in favor of CSI-based Ceph support. For applications reliant on native Ceph provisioning, taking application snapshots and exporting the snapshots will stop working after upgrading to K10 6.5.2.
In order to preserve snapshots of applications that use native Ceph provisioning, snapshots must be exported before upgrading to K10 6.5.2.
Application restores from an exported snapshot can be used by applying a resource transformation
on the storage class of the persistent volume claim. The transformation will be a replace
on the
/spec/storageClassName
path of the persistentvolumeclaims
resource.
6.5.1
Release Date: 2023-12-18
New Features
- Added ability to view blueprint bindings and manage blueprint annotations inside namespace details.
- The Policy validation now also includes a consistency check of the immutability settings in VBR and K10. The Protection Period set in K10 should not exceed the backup's immutable period set in VBR.
Bug Fixes
- Updated the k10multicluster tool to detect misconfigurations of user-provided contexts in the disconnect command, preventing incomplete cleanup.
- Fixes incorrect Grafana datasource when a custom release name is used.
- Fixed an issue where K10 Disaster Recovery was failing when the
k10-disaster-recovery-policy
was edited to be on demand. - Fixed an issue where the transform set updates would freeze when no changes were made.
- Fix downloading reports as PDFs when OIDC authentication is enabled.
- Fixed an issue that caused RetireAction to fail when a RestorePoint contained multiple resources with the same name and different assigned blueprints.
- Transform set referencing bug fixed in the UI of Restore and Policy forms.
Security Issues
- Update K10 services base image to pull in latest security updates.
Other Notes
- FCD snapshots created by K10 now listed by their descriptions instead of vSphere tags.
6.5.0
Release Date: 2023-11-27
Release Summary
Kasten K10 V6.5 was focused on security integrations and supporting large-scale Kubernetes deployments.
New capabilities of Kasten K10 V6.5 include:
-
Automatically published Software Bill of Materials (SBOMs): SBOMs are now automatically generated and published in the documentation using Syft.
-
Images published to Iron Bank: Iron Bank is the verified, centralized, hardened container image repository trusted by the U.S. Department of Defense, government, health, and financial sectors. This process includes container scanning with Anchore, Twistlock, and OpenSCAP.
-
SIEM Integration: K10-specific events can now be logged to an ObjectStorage for consumption by SIEMs, including in managed Kubernetes environments. See the documentation for further details.
-
Massive Multi-Cluster: The scalability of multi-cluster has been improved in several values. Instantiating clusters can be done entirely through Kubernetes APIs, simplifying GitOps workflows. Ingresses are no longer required on secondaries and all metrics/communication can now use a single ingress on the primary cluster.
-
Block Mode Backups: Full backups of arbitrary block devices are now supported. Support for incremental backups of AWS EBS volumes was also added.
-
Multi-application restore: Simplifies and speeds up bulk restore operations by enabling users to select multiple applications from the dashboard and restore them to the same or a different cluster with just a few clicks.
New Features
- Google Workload Identity Federation with Kubernetes as the Identity Provider is supported for application exports as well as K10 DR backup and restore. Refer to Using Google Workload Identity Federation for details.
- K10 images are now available through Platform One's Iron Bank container registry.
- K10 can now be deployed using Iron Bank hardened images via the public Kasten Helm chart.
- K10 restore can now be deployed using Iron Bank hardened images via the public Kasten Helm chart.
- The multi-cluster primary instance exports new metrics collected from all clusters within the multi-cluster system. Refer to Veeam Kasten Multi-Cluster Metrics for more information.
- Updated the
upgrade-action
API documentation.
Bug Fixes
- Fixed an issue where export action failed while exporting data to a Veeam Repository.
- Fixed an issue where, applications restore was failing on vSphere Tanzu 8.0U2.
- Fixed an issue where, after upgrading to K10 version v6.0.12, certain short-lived pods would fail with the
ImagePullBackOff
error due to missing image pull secret. - Fixed an issue where the custom CA certificate ConfigMap was not mounted on certain short-lived pods after upgrading to K10 version v6.0.12.
- Fixed an issue where a limit was reached, causing multi-cluster license leases to fail to renew.
- Fixed an issue with collection of the multi-cluster export storage metric.
Security Issues
- Update K10 services base image to pull in latest security updates.
Known Issues
- Currently, the K10 admin image is not available in Iron Bank. This means downloading PDF reports is not possible, and only the K10 UI can be used to view reports.
Upgrade Notes
- Ingress is required for the primary cluster in the multi-cluster system. Please update the primary cluster's
spec.k10.ingress.url
to the URL of K10's ingress on the primary cluster.
Deprecations
- Support for a primary cluster without an ingress will be removed in an upcoming release.
- Previously, all secondary metrics were scraped by the primary cluster. Now only specific metrics are collected by the primary cluster. Refer to Veeam Kasten Multi-Cluster Metrics for more information.
Other Notes
- Generic Storage Backup will now be disabled by default. For more details, refer to this page.
6.0.12
Release Date: 2023-11-03
New Features
- Support of block mode export for AWS EBS volumes added, including the use of AWS Change-Block-Tracking API that improves performance of data exporting.
- Added Garbage Collector support for each type of Kasten K10 actions.
- Security settings for internal K10 pods responsible for backup and restore operations were adjusted to reflect the storage and location profile types. By default, these pods will run with root permissions for the NFS location profile or NFS target storage. For the other storage or location profile types, K10 will run with non-root permissions. Security settings for these pods can be customized by using the StorageSecurityContext custom resource.
- Added new custom resources StorageSecurityContext and StorageSecurityContextBinding, enabling security settings customization to access storage for backup and restore operations.
Deprecations
-
The helm field
restore.copyImagePullSecrets
has been removed. K10 no longer copies theimagePullSecrets
from the K10 namespace (kasten-io
by default) to the application namespace. - The
garbagecollector.importRunActions
,garbagecollector.backupRunActions
,garbagecollector.retireActions
blocks within the helm chart values have been replaced withgarbagecollector.actions
.
Other Notes
- Effective with the release of Kasten K10 6.5.0, currently targeted for Q4 CY2023, Generic Storage Backup will be disabled for all new deployments of Kasten K10, as well as existing deployments when upgraded to 6.5.0 or later. For more details, refer to this page.
6.0.11
Release Date: 2023-10-24
Bug Fixes
- Fixed a critical issue with new backup repositories that were created with K10 version v6.0.9, where RestorePoints could be partially removed on an arbitrary schedule. Once K10 is upgraded, the correct retention settings will be applied to these repositories. Customers are advised to upgrade as soon as possible.