Release Notes

8.5.4

Release Date: 2026-03-06

New Features

• Added k10.kasten.io/freezeVM annotation support at the namespace level. Any VM in the namespace that is not individually annotated will use this value.

Improvements

• Added support for disabling guest filesystem freezing for multiple VMs from the Virtual Machines dashboard.
• Added support for accessing multiple filesystem partitions on a single volume via a FileRecoverySession. See Accessing files for details.
• Veeam Kasten will automatically run Kanister Blueprint Pods as non-root in application namespaces where the restricted Pod Security Standard is enforced.
• Added runtime default seccomp profile handling and preserved container security context when applying TLS certificate volume overrides.
• Refreshed the Restore Point details panel UI.

Bug Fixes

• Fixed an issue following a KDR metadata restore where exports to an existing repository failed with the error "Invalid repository password".
• Fixed an issue where block mode exports might fail if the requested volume size is rounded up by the storage provisioner to align with underlying storage volume allocation.
• Fixed an issue where refreshing the immutability period for backups in Google Cloud Storage repositories could exceed rate limits for object updates.
• Fixed Kanister pod override behavior so root-mode overrides do not set non-root-only group fields.
• Fixed duplicate execution of jobs that could cause action failures for VM-based backups that protect many VMs.

Security Issues

• Updated base image used to build Veeam Kasten container images to pull in latest security updates.

Other Notes

• Extended support for OpenShift 4.16.

8.5.3

Release Date: 2026-02-24

Improvements

• Added support for File-based Basic Authentication for remote Prometheus endpoints.
• Extended garbage collector to support removal of Kasten profiles, secrets, services, network policies and configmaps orphaned during restore operations.

Bug Fixes

• Fixed an issue to ensure temporary custom-ca-bundle-store ConfigMaps are properly removed from the Kasten namespace.
• Optimized query of completed actions to improve dashboard performance at scale.

Security Issues

• Upgrade to Go 1.25.7 to address CVE-2025-61732

8.5.2

Release Date: 2026-02-09

New Features

• Added support for Veeam Data Cloud (VDC) Vault AWS location profiles.

Improvements

• Updated Virtual Machines dashboard page to include Last Backup time.
• Virtual machine snapshots capture additional metadata related to snapshot consistency. See VM Snapshot Consistency Metadata for more details.

Bug Fixes

• Fixed StorageSecurityContextBinding validation failing when the namespace is omitted in storageSecurityContextRef. The controller now correctly defaults to the binding's namespace, matching standard Kubernetes reference behavior.
• Fixed an issue where performing a large number of parallel VM export actions could result in an inability to obtain a repository lock, causing export action failure.
• Fixed an issue in environments using OpenShift authentication where the Job used to automatically extract required certificates was missing expected label, annotation, and resource settings.

Security Issues

• Updated base image used to build Veeam Kasten container images to pull in latest security updates.

Known Issues

• Clusters with Kasten DR configured to export to a VDC Vault location profile using the "Create local catalog snapshots only" option may experience failures when attempting to restore the KDR backup to a different cluster. It is recommended that such environments update Kasten DR configuration to "Export local catalog snapshots".

8.5.1

Release Date: 2026-01-22

New Features

• Added support for integrating Veeam Kasten with Red Hat Advanced Cluster Management (ACM) Observability Service, including automated cluster name and ID detection from OpenShift infrastructure, Prometheus remote write configuration, and external labels for ACM integration.
• Added support for performing backupPrehook and backupPosthook Blueprint actions on custom resources.

Improvements

• Phone Home data is now sent to https://analytics.kasten.io instead of https://storage.googleapis.com.

Bug Fixes

• Fixed an issue where backups of namespaces with many virtual machines could become stuck indefinitely after a CSI error.

Security Issues

• Upgrade to Go 1.25.6 to address CVEs: CVE-2025-61726, CVE-2025-61728, CVE-2025-61731, CVE-2025-68119, CVE-2025-68121.
• Updated base image used to build Veeam Kasten container images to pull in latest security updates.

Known Issues

• Fixed an issue where the PVC owner discovery mechanism would fail for Blueprints assigned to a Namespace or cluster-scoped resource.

Deprecations

• The VeeamVault location and secret types for location profiles using Azure-based VDC Vault have been deprecated. Existing profiles should be updated to use the current VeeamVaultAzure type. See Profiles for usage details.

8.5.0

Release Date: 2026-01-08

Release Summary

The launch of Veeam Kasten for Kubernetes v8.5 introduces several new capabilities and improvements to support the growing trend of modern virtualization and diverse needs of container-based environments, including:

• VM-Centric Protection Policies: Policies can now select Virtual Machines as first-class resources, enabling users to define backup and recovery strategies based on VMs rather than just at the namespace or label level. By automatically identifying resource dependencies for each VM, this innovation simplifies management and improves protection for virtualized workloads running within Kubernetes environments. See Protecting VMs on Kubernetes for details.

• VM-Centric Recovery Improvements: Multiple enhancements have been made to the recovery experience for VMs:

  • VM-centric policies protect each VM as independent restore points, enabling users to confidently restore individual VMs without manual identification and filtering of dependencies.

  • Multiple VMs from one or more namespaces can now be easily restored as part of a single, batch operation.

  • Individual disks within a VM can now be restored, providing greater flexibility and efficiency when recovering data volumes or rolling back an OS volume while retaining existing data volumes.

  • Users can now choose to retain the original MAC addresses of network interfaces during restore, required in some environments to provide consistent network identity and connectivity post-restore.

• Kubernetes-native File Recovery: File Recovery Sessions enable users to securely browse and recover individual files from exported restore points without restoring an entire application or volumes. This critical recovery capability supports both Filesystem mode PVCs for container-based workloads and Block mode PVCs for virtualized workloads. See Restoring Individual Files for details.

• Restore Point Validation: Enables users to verify the integrity of exported restore points before using them for recovery, especially useful when the backup target does not support immutability. Validation supports both full scans of selected Filesystem mode PVCs and faster metadata-only scans. See Validate RestorePoint for details.

• Expanded Azure Integrations: Kubernetes clusters running on Microsoft Azure can now take advantage of multiple new integrations to enhance security and flexibility:

  • Azure Key Vault Integration: Users can now leverage Key Vault to provide the KDR passphrase used for cluster recovery and securely manage keys used to encrypt restore point data, enhancing data protection and compliance.

  • Azure Federated Identity for Location Profiles: Integration with Federated Identity delivers seamless and secure access to Azure resources, including Azure Blob Storage, without managing long-lived credentials.

  • Azure Files CSI Validation: Users can now use Kasten and volume snapshots to protect shared volumes provisioned via the Azure Files CSI v1.33.4 or later.

• SMB-based Location Profiles: Users can now create Location Profiles backed by SMB shares mounted to the cluster. In addition to broad support object storage, NFS, and Veeam Backup & Replication, Kasten continues to deliver on freedom of choice across the Kubernetes ecosystem.

• Simplified Encryption Key Rotation: Users can now manage local or externally-managed Passkeys used for encrypting exported data directly from the Dashboard UI.

• Prometheus Remote Write: The built-in Prometheus instance used by Kasten to store key operational metrics can now be configured to write metrics to any external, Prometheus-compatible monitoring system, enabling unified observability across the enterprise.

New Features

• Added support for recovering individual files from exported restore points using SFTP. In addition to the new FileRecoverySession API, k10tools provides a simple CLI interface and SFTP client to manage file recovery sessions.
• Added support for OpenShift 4.20.
• Added Virtual Machine support to the Restore Points page, allowing users to manage and restore VM-based restore points.
• Added support for VM-based backup policies that enable fine-grained protection of individual Virtual Machines using the k10.kasten.io/virtualMachineRef selector with automatic discovery of VM dependencies.
• Added batch restore for Virtual Machines, allowing users to select multiple VMs from the Virtual Machines page to initiate a restore operation.

Improvements

• Updated Restore Point Details view in Kasten dashboard to include all applicable actions.
• Added the kastenDisasterRecovery.validationTimeout Helm parameter to configure timeout period for validation of KDR restore points when initiating a KDR restore operation through the dashboard or creating a KastenDRReview via YAML.
• Improved restore performance using optimized batch reads for backups exported to object storage locations.
• To improve VM snapshot consistency, Kasten will now attempt to freeze the guest filesystem by default during backup operations. See Guest Filesystem Freezing for more details.

Bug Fixes

• Fixed an issue where KastenDRReview status was not updated after reaching the timeout for KDR restore point validation. The timeout to validate KDR restore points was extended from 5 minutes to 30 minutes to further reduce premature failures in environments where validation may take longer due to number of KDR restore points or environmental factors.
• Fixed an issue that can result in individual policies not performing scheduled runs following a system interruption or upgrade.
• Fixed a workload snapshot failure for StatefulSets that specify a custom ordinal start value.

Deprecations

• Support for OpenShift 4.16 has been removed.

8.0.15

Release Date: 2025-12-18

New Features

• Added support for Azure Key Vault as a passkey provider for encryption key management, enabling envelope encryption of the primary key.
• Added support for Azure Key Vault Secrets as a passphrase provider for Disaster Recovery, allowing KDR passphrase storage and retrieval from Azure Key Vault.
• Added support for Prometheus remote_write to forward Kasten metrics to external monitoring systems such as Grafana Cloud, Datadog, or other Prometheus-compatible endpoints.
• Added search to the Kasten dashboard to allow for quick navigation to specific policies, profiles, and application namespaces based on name.

Improvements

• Improved job throughput under load after reaching concurrency limits defined by limiter.*PerCluster Helm values.
• Improved loading time for Virtual Machines in the dashboard.

Bug Fixes

• Fixed an issue where the Veeam Kasten Disaster Recovery policy fails with "invalid repository password" errors after performing a KDR restore.
• Fixed an issue where excessive keep alive requests resulted in block mode exports failing with an ENHANCE_YOUR_CALM error code.
• Fixed an issue where jobs could become stuck indefinitely after reaching concurrency limits defined by limiter.*PerCluster Helm values.
• Fix incorrect state when clearing filter on Restore Points page
• Fixed an issue where a KDR restore would attempt to import redundant restore points following a successful restore of a catalog snapshot.

Security Issues

• Upgrade to Go 1.25.5 to address CVE-2025-61727 and CVE-2025-61729.
• Updated base image used to build Veeam Kasten container images to pull in latest security updates.

Deprecations

• The k10restore Helm chart and k10restore OpenShift operands have been removed. See Veeam Kasten Disaster Recovery for details on alternate options to recover Veeam Kasten.

Other Notes

• Backups exported from Veeam Kasten to a Veeam Backup & Replication (VBR) repository now include Kubernetes application metadata captured by the policy. At this time, no change to existing policies is required and there is no impact to restore operations. Policies exporting to VBR continue to require an additional Kasten location profile for storing each application's Kubernetes metadata.

8.0.14

Release Date: 2025-11-26

Improvements

• Added a new Helm value, vault.mountPath, to specify an authentication mount path when using Hashicorp Vault with the Kubernetes auth method. This works for both creating a Passkey using the transit engine or when enabling K10 DR using the KV secrets engine.
• When removing location profile, you get a warning if there is any existing restore point or policy which uses this profile

Security Issues

• Improved logging security for specific block mode datamover upload Pod invocations. It is recommended to upgrade Veeam Kasten to get this fix.

8.0.13

Release Date: 2025-11-18

New Features

• Added support for OpenShift 4.19.
• Added a new Passkey Management page in the Settings section of the Kasten Dashboard, providing a centralized interface for managing passkeys used to encrypt backup data. The Passkey Management interface supports creating and managing multiple types of passkeys:
  • Passphrase-based passkeys
  • AWS Key Management Service
  • HashiCorp Vault integration
• Using a filter in a backup policy to include resources based on VirtualMachine name now discovers and protects hot plugged volumes.
• Added support for snapshot and filesystem mode export of persistent volumes provisioned by the vSphere CSI driver without requiring a vSphere Infrastructure Profile. See Storage Integration for details.

Improvements

• Introduced support for ED25519 certificates.
• Integrated Go Cryptographic Modules to enhance and maintain compliance with FIPS 140-3 standards.
• Updated to Go 1.25.4.

Bug Fixes

• Support for “no-auth mode” has been fully restored. The “no-auth mode” (used to run K10 without authentication for testing or development) was unintentionally disabled in version 8.0.12.
• Fixed an issue where Gatekeeper constraint violation messages for Kasten policies were not being displayed in the dashboard.
• Fixed an issue where Kasten policies could not be resubmitted following an admission controller validation error in the dashboard.

Security Issues

• Updated base image used to build Veeam Kasten container images to pull in latest security updates.

Deprecations

• Support for OpenShift 4.15 has been removed.

8.0.12

Release Date: 2025-10-29

Known Issues

• Upgrading to Kasten 8.0.8 or later is not recommended for clusters running Kubernetes 1.27, OpenShift 4.14 or earlier versions due to lack of support for SelfSubjectReview API, which may result in dashboard authentication issues. It is recommended to first upgrade to a supported Kubernetes version to ensure compatibility.

Other Notes

• When performing snapshots of KubeVirt VMs, guest filesystem freeze and unfreeze operations are directly invoked by Kasten and no longer depend on a Kanister Blueprint.
• Added new limiter vmSnapshotsPerCluster to control the number of concurrent VM snapshots per K8s cluster. The default value is 1.

8.0.11

Release Date: 2025-10-21

New Features

• Added an openshift.consolePlugin.enabled configuration value to allow disabling console plugin and related resources on OpenShift.

Bug Fixes

• The previous release of Veeam Kasten enabled FIPS TLS enforcement regardless of whether the underlying system was in FIPS mode or the Veeam Kasten fips.enabled setting was set to true. This release fixes that issue by enforcing FIPS TLS only if the Veeam Kasten fips.enabled helm value is set to true or if the underlying system is in FIPS mode.
• Fixed an issue when creating a Location Profile for Dell ECS that led to an unsupported S3 API being used.
• Added app.kubernetes.io/component label to gateway Service.
• Fixed an issue where export actions and policy runs could terminate in error when a backup action is deleted. An exception is now raised and the rest of the export process continues.
• Made OpenShift console-plugin and console-plugin-proxy deployments respect global resource configuration.

Security Issues

• Upgrade to Go 1.25.3 to mitigate security vulnerabilities.
• Upgrade to golang.org/x/net@v0.46.0 to address CVE-2025-58190 and CVE-2025-47911.
• Updated base image used to build Veeam Kasten container images to pull in latest security updates.

Known Issues

• Upgrading to Kasten 8.0.8 or later is not recommended for clusters running Kubernetes 1.27, OpenShift 4.14 or earlier versions due to lack of support for SelfSubjectReview API, which may result in dashboard authentication issues. It is recommended to first upgrade to a supported Kubernetes version to ensure compatibility.

Deprecations

• Following Red Hat Marketplace closure in April 2025, Kasten licenses can no longer be purchased via the Red Hat Marketplace. As a result, the Enterprise Term/PAYGO listings have been removed from the Red Hat OperatorHub. Customers currently using either the kasten-k10-operator-paygo-rhmp-bundle or kasten-k10-operator-term-rhmp-bundle operators must refer to KB4774 for transition details.

8.0.10

Release Date: 2025-10-02

Bug Fixes

• global.resourceLabels are now applied to the console-plugin and console-plugin-proxy services when deployed on OpenShift.
• Fixed an issue that could delay backup actions for large applications when CSI snapshots fail.
• Consistently applied app.kubernetes.io/version and app.kubernetes.io/component labels to all Deployments.
• Fixed an issue where Kasten DR could not restore properly when being authenticated with federated credentials.
• Fixed documentation related to Azure Federated Identity installations.
• Fixed an issue where editing a KDR policy that was configured to export snapshots would result in policy validation error.
• Applied global.resourceLabels configuration to metadata of deployments.

Security Issues

• Updated base image used to build Veeam Kasten container images to pull in latest security updates.

Known Issues

• Upgrading to Kasten 8.0.8 or later is not recommended for clusters running Kubernetes 1.27, OpenShift 4.14 or earlier versions due to lack of support for SelfSubjectReview API, which may result in dashboard authentication issues. It is recommended to first upgrade to a supported Kubernetes version to ensure compatibility.

8.0.9

Release Date: 2025-09-20

Known Issues

• Upgrading to Kasten 8.0.8 or later is not recommended for clusters running Kubernetes 1.27, OpenShift 4.14 or earlier versions due to lack of support for SelfSubjectReview API, which may result in dashboard authentication issues. It is recommended to first upgrade to a supported Kubernetes version to ensure compatibility.

Deprecations

• Support for Instant Recovery of PVC data to guest Kubernetes clusters using the vSphere Cloud Native Storage CSI has been deprecated and will be removed in a future release. Standard restore of local or exported Kasten restore points will remain unaffected.
• The k10restore Helm chart and k10restore OpenShift operands were deprecated in 8.0 release and will be removed in 8.5. See Veeam Kasten Disaster Recovery for details on alternate options to recover Veeam Kasten.

Other Notes

• Added instructions for cleaning up Custom Resource Definitions after uninstalling Kasten via Helm.

8.0.8

Release Date: 2025-09-05

New Features

• Added Helm flags global.resourceLabels and global.ephemeralResourceLabels. Use global.resourceLabels to specify labels on all Kasten PVCs, Network Policies, Services, and Pods, and global.ephemeralResourceLabels to specify labels only on ephemeral Kasten PVCs, Network Policies, Services, and Pods.
• Veeam Kasten Disaster Recovery restore timeout can be configured using kastenDisasterRecovery.restoreTimeoutMinutes Helm value to avoid timeout.
• Added support for Kubernetes 1.33.
• Made prometheus.server.resources and prometheus.configmapReload.prometheus.resources respect the global.resources settings if defined. Prometheus-specific overrides still take precedence over global values.

Bug Fixes

• Resolved an issue with error propagation in the Veeam Kasten Disaster Recovery restore workflow to ensure errors are properly returned when timeout occurs.
• Fixed kubectl server side dry run support for Kasten resources.
• Fixed merging of Helm global.resources values for individual container requests and limits. This prevents the possibility of referencing non-existent configuration keys and subsequent CreateContainerConfigError errors.

Security Issues

• Upgrade to Go 1.24.7 to mitigate security vulnerabilities.

Known Issues

• Upgrading to Kasten 8.0.8 or later is not recommended for clusters running Kubernetes 1.27, OpenShift 4.14 or earlier versions due to lack of support for SelfSubjectReview API, which may result in dashboard authentication issues. It is recommended to first upgrade to a supported Kubernetes version to ensure compatibility.

Upgrade Notes

• Removed the Helm flags kanisterPodCustomLabels and kanisterPodCustomAnnotations.

Deprecations

• Deprecated the Helm flag global.podLabels in favor of global.resourceLabels and global.ephemeralResourceLabels. global.podLabels will be removed in a future release.
• Removed support for Kubernetes 1.29. OpenShift 4.16 clusters continue to be supported.

Other Notes

• Modified Resource Requirement documentation for global.resources usage and ephemeral-storage fields.

8.0.7

Release Date: 2025-08-22

New Features

• Added optional workerPodMetricSidecar.resources.[requests|limits].ephemeral-storage helm configuration values to control the ephemeral storage resource quota for dynamically created metrics sidecar containers.
• Added genericVolumeSnapshot.resources.[requests|limits].ephemeral-storage helm configuration values to control the ephemeral storage resource quota for dynamically created worker pods.
• Added optional helm configuration values for gateway.resources.[requests|limits].ephemeral-storage. These propagate to the Gateway deployment resource quota.
• Added optional global.resources.[limits|requests] helm configuration value. If specified, this value gets applied to all Kasten K10 pods deployed by the chart (except Prometheus - see prometheus.resources). Can be overridden by resources.<service-name> values for individual pods. This value also serves as a fallback for dynamically created pods that do not have specific resource configurations defined.
• Updated the Licenses page with latest license and node usage cards and a new compliance status card that identifies nodes running Veeam Kasten-protected workloads that are not licensed.

Bug Fixes

• Updated Veeam Kasten license provisioning for Azure Marketplace
• Fixed an issue causing Kanister blueprint operations involving MultiContainerRun to not be FIPS compliant since Veeam Kasten version 7.0.12
• Fixed an issue where Kasten DR was not restoring properly when using an Azure location profile authenticated with federated credentials.
• Fixed an issue where Azure Location Profiles could not enable immutable backups when being authenticated with federated credentials.
• Fixed documentation related to Azure Federated Identity installations.

Security Issues

• Updated base image used to build Veeam Kasten container images to pull in latest security updates.

Deprecations

• Kanister blueprint functions CreateVolumeSnapshot, WaitForSnapshotCompletion, CreateVolumeFromSnapshot and DeleteVolumeSnapshot are no longer available.

8.0.6

Release Date: 2025-08-08

New Features

• Added support for Azure Federated Identity for authenticating location profiles for OpenShift on Azure.

Bug Fixes

• Added missing Helm and Kubernetes well-known labels to the console-plugin and console-plugin-proxy pods.
• Fixed a performance issue leading to timeouts when loading Policies dashboard page.

Security Issues

• Updated base image used to build Veeam Kasten container images to pull in latest security updates.
• Upgrade to Go 1.24.6 to mitigate security vulnerabilities.

8.0.5

Release Date: 2025-07-25

New Features

• Added a ValidateAction to the K10 API, allowing users to validate volume data exported as part of a backup.
• Added support for the k10.kasten.io/minimumExportDiskSize annotation in StorageClass to influence temporary PVC sizing during exports. Supported units for the annotation value include: Ki, Mi, Gi, Ti, Pi, Ei, k, M, G, T, P, E.
• Added a feature to preserve MAC addresses for virtual machines during restoration, to enhance network stability and configuration consistency across VM lifecycle.
• Added RestorePoint Validation with support for Full Data Scan, Metadata Only mode, and Fast Fail to ensure backup integrity.
• Extended trial license evaluation period from 30 days to 60 days.
• Added explicit grace period availability indicators in UI.

Bug Fixes

• Fixed export failures for PVCs smaller than 4Gi when using exporterStorageClassName with AWS io1.
• Fixed an issue with Kasten Disaster Recovery backup failing when multicluster.enabled is set to false via Helm.
• Fixed a performance issue leading to timeouts when loading Profiles
• Fixed an issue in license validation and status handling.

Security Issues

• Increased the security of the generated backup repository passwords.
• Updated base image used to build Veeam Kasten container images to pull in latest security updates.

Other Notes

• Updated Enterprise license grace period from 50 to 30 days.
• Removed the grace period for trial licenses.

8.0.4

Release Date: 2025-07-10

New Features

• Added the datastore.cacheSizeLimitMB Helm parameter to control the size limit of emptyDir volumes used by temporary Pods performing data mover operations. The parameter accepts the following values:
  • null (Default) - Limit is dynamically determined by Kasten
  • 0 - Disables emptyDir size limit
  • 3000 or greater - Explicitly sets the emptyDir size limit in MiB
• Added UI support for Import policies to restore to an alternate namespace.
• Added UI support for Import policies to optionally enable overwriting existing resources during restore.

Bug Fixes

• Fixed an issue that broke FIPS compliance in versions 8.0.2 and 8.0.3.
• Fixed an issue where labels set via the global.podLabels parameter were not being applied to all Pods.
• Fixed an issue where annotations set via the global.podAnnotations parameter were not being applied to all Pods.
• Fixed an issue requiring using a literal hostname rather than an IP address when accessing the Kasten UI if configuring a VDC Vault location profile.
• Fixed an issue where Veeam Vault secret type was not supported in GSB/GVS environments

Security Issues

• Updated base image used to build Veeam Kasten container images to pull in latest security updates.
• Upgrade to Go 1.24.5 to mitigate security vulnerabilities.

Other Notes

• VirtualMachineInstanceMigration resources are now automatically excluded from snapshots. Restore points created before this that include VirtualMachineInstanceMigration resources are unaffected and will require manual exclusion of these resources when restoring virtual machines.

8.0.3

Release Date: 2025-07-01

New Features

• Added support for restoring individual volumes of existing virtual machines in OpenShift Virtualization 4.18 and later.
• Added support for Veeam Data Cloud (VDC) Vault location profiles.

Bug Fixes

• Prevents restore failures caused by attempting to recreate Pods with a pre-set nodeName, which is typically assigned by the scheduler.
• Fixed an issue where KDR policies with export enabled would fail during export to NFS location profiles.
• Fixed an issue where the volume counter in the restore form displayed higher counts than actual volumes.

Security Issues

• Updated base image used to build Veeam Kasten container images to pull in latest security updates.

Known Issues

• Version 8.0.3 should not be used if requiring FIPS compliance.
• When configuring a VDC Vault location profile, you currently must use a literal hostname to access the Kasten UI rather than an IP address. For example, you would need to use http://localhost:8080/k10/#/ rather than http://127.0.0.1:8080/k10/#/ when accessing the Kasten UI to go through the VDC Vault location profile configuration process.
• Multi-cluster Manager registration is not supported for Veeam Data Cloud (VDC) Vault location profiles.

8.0.2

Release Date: 2025-06-13

New Features

• Added cacertconfigmap.key Helm parameter to set an optional, custom key for the CA certificate bundle ConfigMap.
• Added support for allowing CSI ephemeral volumes in the Kasten SecurityContextConstraints (SCC) profile.
• Added support for SMB location profiles.

Bug Fixes

• Fixed an issue that made versions 7.5.10, 8.0.0 and 8.0.1 not FIPS compliant.
• Fixed an issue that made the kanister-tools image always run in FIPS mode which could lead to TLS errors.
• Fixed an issue where KDR reviews could fail in environments using the vSphere CSI if the local catalog snapshot was no longer available.
• Fixed an issue with Kasten Disaster Recovery that would cause validation to fail when using Vault or AWS Secrets Manager.
• Fixed an issue that prevented setting up Kasten Disaster Recovery via the UI when Legacy KDR is enabled.
• Fixed a logout redirection issue when launching the Veeam Kasten dashboard from the Veeam Backup & Replication Console.

Security Issues

• Updated base image used to build Veeam Kasten container images to pull in latest security updates.
• Upgrade to Go 1.24.4 to mitigate security vulnerabilities.

Known Issues

• Versions 7.5.10, 8.0.0, 8.0.1, and 8.0.2 should not be used if requiring FIPS compliance.

Deprecations

• Legacy KDR mode has been deprecated and will be removed in a future release. All clusters should be updated to a supported Quick KDR configuration.
• Support for Kubernetes 1.26 and OpenShift 4.13 has been removed.
• Support for Kubernetes 1.27 and OpenShift 4.14 has been removed.

8.0.1

Release Date: 2025-05-30

Bug Fixes

• Fixed a performance issue leading to timeouts when loading Policies.
• Fixed an issue where prometheus was incorrectly reporting the gateway service was unhealthy.
• Improved loading performance of the Restore Points page for admin users. Non-admin users with access to many namespaces may still experience slow loading of the Restore Points page.
• Fixed an authentication redirection issue when launching the Veeam Kasten dashboard from the Veeam Backup & Replication Console.

Security Issues

• Updated base image used to build Veeam Kasten container images to pull in latest security updates.
• Upgrade to Go 1.24.3 to mitigate CVE-2025-22873.

8.0.0

Release Date: 2025-05-15

Release Summary

Veeam Kasten for Kubernetes v8.0 continues Veeam's leadership in Kubernetes data protection by introducing new and enhanced capabilities related to operations management, security, and modern virtualization workloads, including:

• Expanded Veeam Backup & Replication Compatibility: Support for exporting to VBR repositories has been expanded to all clusters where storage provisioners support block mode export, and includes support for exporting KubeVirt volumes.

• Virtual Machines Dashboard: New dashboard page to provide visibility into KubeVirt-based workloads and dependent resources across the cluster.

• Restore Point Dashboard: New dashboard page to simplify management of available restore points and initiate restore operations.

• Policies Dashboard: Redesigned dashboard page to improve policy management at scale with new table-based view, expanded search and filtering options, and new policy details view.

• Self-Service Cluster Migrations: New Veeam Kasten validating admissions policies allow non-admin users to securely perform import and restore operations of existing backups on alternate clusters.

• Reduced Privileges for Veeam Kasten Services: Minimized attack surface by adopting individual ServiceAccounts for each Veeam Kasten microservice and reducing permissions where possible.

• ISO 27001 Certification: Veeam Kasten is now certified, ensuring industry-leading security and compliance for Kubernetes data protection.

• Encryption Key Rotation: Veeam Kasten now supports the creation and simultaneous use of multiple passkeys to allow easy key rotation for exported data.

• Expanded KDR Compatibility: Veeam Kasten Disaster Recovery (KDR) improves compatibility and resilience for environments with limited snapshot capabilities.

• Multi-Architecture Support: Veeam Kasten now supports deployment to Kubernetes clusters using either 64-bit ARM or POWER CPU architectures, in addition to existing x86_64 CPU support.

New Features

• Added helm flag to enable installation of Validating Admission Policy which enforces permissions during Kasten policy creation for non-admin users.
• Added support for Import actions for application-scoped policies created by non-admin users.
• The Multi-Cluster Distributions UI has been updated to a table view and a multi-step form for creating distribution resources.
• Added support for the use of multiple, active passkeys.
• Added support for OpenShift 4.18.
• The Policies page has been updated for additional clarity and visual consistency. A list of all policies in a namespace can now be viewed, filtered, and sorted in a table.
• A Policy view page has been introduced to provide a detailed view of the policy and its status.

Security Issues

• Updated base image used to build Veeam Kasten container images to pull in latest security updates.

Known Issues

• Fixed issue with multicluster global policies where after distributing, the imageRepoProfile.namespace field in backupParameters is incorrect.
• Environments where Veeam Kasten is installed using the kubernetes.io/portworx-volume in-tree Portworx storage provisioner do not currently support the new default Veeam Kasten Disaster Recovery (KDR) mode. Prior to upgrade, it is recommended that any applicable Veeam Kasten installation should explicitly disable Quick DR mode using Helm values.

Upgrade Notes

• Kasten now uses deployment specific service accounts instead of the k10-k10 service account for a default helm install. Kasten continues to support using a customer provided service account name via the helm value serviceAccount.name.

  NOTE: Customers who previously configured their Vault server for Kubernetes Auth with the k10-k10 service account must re-configure the Vault server with the crypto-svc service account before an upgrade.

• Following upgrade to 8.0.0, any Veeam Kasten installations that do not explicitly set kastenDisasterRecovery.quickMode.enabled=false and have Veeam Kasten Disaster Recovery (KDR) enabled will now default to Quick DR with local catalog snapshot. This mode is recommended for all installations where Veeam Kasten has been deployed to storage that supports both the ability to create and to restore from local snapshots. See documentation for details on alternate configurations.

• Upgrading to this version changes the manner in which passkeys are handled. Performing a KDR backup is recommended prior to upgrading.

Deprecations

• The k10restore Helm chart is deprecated and will be removed in a future release. See Veeam Kasten Disaster Recovery for details on alternate options to recover Veeam Kasten.

7.5.10

Release Date: 2025-04-18

New Features

• Added support for restoring VMs with overriding image references on SUSE Virtualization (Harvester).
• Added support for unencrypted VM image backup, restore, and migration on SUSE Virtualization (Harvester).

Bug Fixes

• Links to the Kasten documentation in the UI have been updated to reflect the new documentation structure.
• Fixed the missing link to Grafana on the Data Usage page when Grafana is installed.

Other Notes

• Starting with Veeam Kasten v8.0, all new and existing installations will default to Quick DR mode for Veeam Kasten Disaster Recovery (KDR). This mode is recommended for all installations where supported, snapshot-capable storage is available. Prior to upgrading to this version, any Veeam Kasten installation deployed using storage that lacks the ability to create or restore from local snapshots should explicitly disable Quick DR mode using Helm values.

7.5.9

Release Date: 2025-04-03

Bug Fixes

• Fixed an issue where users without RBAC permission to list actions may encounter timeouts during loading of dashboard activity section.
• Fixed an issue causing panic and executor pod restarts after some FCD snapshot errors.
• Fixed an issue where while using Veeam Kasten Disaster Recovery on OpenShift environment, an incorrect error was being displayed in case of file permissions issue.

Security Issues

• Updated base image used to build Veeam Kasten container images to pull in latest security updates.
• Upgrade to Go 1.23.8 to mitigate CVE-2025-22871.

Deprecations

• Legacy pages for Location and Infrastructure Profiles, which were previously still available using features flags, have been removed from the UI.

Other Notes

• The SBOM download URL has been updated to https://docs.kasten.io/downloads/<version>/sboms/sboms-<version>.tar.gz. The SBOM for the latest version can also be downloaded from https://docs.kasten.io/downloads/latest/sboms/sboms-<version>.tar.gz.
• Starting with Veeam Kasten v8.0, all new and existing installations will default to Quick DR mode for Veeam Kasten Disaster Recovery (KDR). This mode is recommended for all installations where supported, snapshot-capable storage is available. Prior to upgrading to this version, any Veeam Kasten installation deployed using storage that lacks the ability to create or restore from local snapshots should explicitly disable Quick DR mode using Helm values.

7.5.8

Release Date: 2025-03-20

New Features

• Added support for Kubernetes 1.32.
• Improved the VirtualMachine snapshot and restore workflow to automatically include cluster scoped resources that are referred in VirtualMachine.

Bug Fixes

• Fixed an issue where ephemeral pods created during KDR restore were missing required-scc annotation which was causing failures while writing files in ephemeral pods in OpenShift environments.
• Fixed an issue where during KDR restore, Kasten deployments were not getting scaled down due to existing deprecated fields in OpenShift environments.
• Fixed an issue that could cause the Block-mode upload Pod to become stale under certain conditions.

Security Issues

• Updated base image used to build Veeam Kasten container images to pull in latest security updates.

Deprecations

• Removed support for Kubernetes 1.28.

Other Notes

• The default value of the cache limit for snapshot and export workflow is set to 500MB. This change is to avoid the cache from growing indefinitely and consuming more storage.

7.5.7

Release Date: 2025-03-11

Release Summary

Veeam Kasten v7.5.7 is a re-release of v7.5.5 that corrects packaging and documentation issues.

Known Issues

• Fixed issue of missing k10tools images for Veeam Kasten v7.5.5.
• Fixed issue of missing release notes for Veeam Kasten v7.5.6.

7.5.5

Release Date: 2025-03-08

Bug Fixes

• Resolved the image copy failure that occurred during the offline installation of the Kasten 7.5.4 Operator.
• A more helpful validation error message is now displayed when K10DR validate fails on the Configure DR page.

Security Issues

• Upgrade to Go 1.23.7 to mitigate security vulnerabilities.

Other Notes

• The Activity Section Filter in the UI now returns individual root actions instead of grouped actions when filtering by Action and grouped Policy Runs when filtering by Policy name.

7.5.4

Release Date: 2025-02-25

Bug Fixes

• Corrected Operator metadata which caused the Kasten Operator to not be listed in the Red Hat Marketplace for the amd64 platform with the 7.5.3 release.
• Fixed an issue where Pods created while restoring a Veeam Kasten Disaster Recovery backup were using the default service account. This includes Pods with prefix restore-data-dr-, data-mover-svc- and restorectl-validate-. These Pods will now run with the service account used by other Kasten Pods.
• Fixed a bug in the validation of immutable settings for policies that use the VBR scale-out backup repository.

Security Issues

• Update K10 services base image to pull in latest security updates.
• Updated base image used to build Veeam Kasten container images to pull in latest security updates.
• Upgrade to Go 1.23.6 to mitigate security vulnerabilities.

7.5.3

Release Date: 2025-02-06

New Features

• Application details panel in Veeam Kasten dashboard has been improved to show the policies selecting that namespace.
• Added support for exporting NetApp ONTAP-NAS-Economy volume snapshots created using Trident CSI v24.10.0 or later.

Bug Fixes

• Fixed a potential panic in aggregatedapis-svc when running Kasten DR restore.
• Fixed an issue where RetireActions associated with blueprints were failing due to missing custom-ca-bundle-store ConfigMap.
• Fixed an issue where imagePullSecrets were not being set in affinity pod created during Veeam Kasten Disaster Recovery workflow
• Fixed the formatting of documented KastenDRRestore examples.
• Fixed the ability to set the limiter.executorReplicas value.

Security Issues

• Upgraded Prometheus to chart version v26.1.0 to pull in latest security updates.
• Update K10 services base image to pull in latest security updates.
• Redacted sensitive information in Kasten logging.

7.5.2

Release Date: 2025-01-10

New Features

• Added Helm flags to control the degree of parallelism when uploading or downloading snapshot data exported in block mode.
• Added the ability to copy Iron Bank images to/from the local filesystem using the k10tools ironbank image copy command (--dst_path and --src-path options).

Bug Fixes

• Removed restrictive validation that previously prevented the creation of a policy with file mode export on Tanzu clusters.
• Fixed an issue where SSL certificate validation was failing when performing a Veeam Kasten Disaster Recovery (KDR) restore from a S3 compatible location profile.
• Fixed an issue where generic backup of shareable volumes failed because encryption key artifact was not found.
• Fixed an issue that prevented users from creating new vSphere infrastructure profiles.
• Fix a false positive tampering warning for specific blobs that required retry during export.

Security Issues

• Update K10 services base image to pull in latest security updates.

Other Notes

• The change to Quick DR mode for Veeam Kasten Disaster Recovery (KDR) as the default for new and existing installations planned for the v7.5.3 release will be delayed to a future release.

7.5.1

Release Date: 2024-12-12

New Features

• The Infrastructure Profiles page has been updated for additional clarity and visual consistency. Profiles can now be created and edited using a multi-step form.
• Added support for Azure Federated Identity for OpenShift on Azure in the UI.
• Added the ability to copy images to and from the local filesystem using k10tools image copy.
• Added the ability to specify multiple platforms and/or remove attestation-manifests such as SBOMs and provenance when using k10tools image copy.
• Added support for Kubernetes 1.31 starting from Veeam Kasten v7.5.0.
• Added support for 64-bit Arm and Power architectures, in addition to the already supported x86_64 architecture.
  • Testing for Power was done on Red Hat OpenShift for IBM Power using the IBM Spectrum Scale CSI Driver.
  • Testing for Arm was done on AWS Graviton using the AWS Elastic Block Storage (EBS) CSI Driver.

Bug Fixes

• Fixed an issue where setting local retention to 0 causes metadata export to fail.
• Fixed an issue where creating an Azure infrastructure profile with a default client ID would fail with a missing client ID error.
• Fixed inconsistencies when paging through recent actions on Veeam Kasten dashboard. Capped count displayed of filtered recent actions.
• Correctly hides the "Multi-Cluster" sidebar link on a drilled into secondary cluster in Multi-Cluster mode.

Security Issues

• Basic users are now restricted from viewing application details of applications in other namespaces.
• Basic users now require specific permission to view each action type through the Veeam Kasten dashboard.
• Update K10 services base image to pull in latest security updates.

Upgrade Notes

• This release will perform a catalog schema upgrade. The catalog-pv-claim PVC size may need to be increased to ensure a successful upgrade. The schema upgrade requires at least 50% of free space in the catalog-pv-claim PV. You can view available catalog storage space in the Kasten dashboard under Settings > System Information > Upgrade Status. Refer to this page for more information.

7.5.0

Release Date: 2024-12-02

Release Summary

Veeam Kasten for Kubernetes v7.5 builds upon Veeam's leadership in Kubernetes data protection by introducing significant advancements in performance, security, and expanded support for modern virtualization solutions.

New and enhanced capabilities of Veeam Kasten v7.5 include:

• Performance Improvements: Data mover optimizations to reduce initial backup and on-going incremental backup duration by up to 3x for volumes containing millions of files.

• Granular Worker Pod Requests & Limits: New custom resources, ActionPodSpec and ActionPodSpecBinding, allowing per-app or per-policy Kubernetes resource requests and limits for dynamically provisioned worker Pods used for data protection operations.

• Expanded Changed Block Tracking Support: Integration with Microsoft Azure to enable CBT for Azure Managed Disk volumes for efficient data exports.

• OpenShift Console Plugin: Providing data protection insights including compliance, storage utilization, and recent activity without leaving the OpenShift console.

• Azure Federated Identity: Enhancing security for Azure Infrastructure Profiles by eliminating the need for long-lived credentials.

• Expanded Immutability Support: Integration with Google Cloud Storage enabling protection of Kasten backups against ransomware or accidental deletion.

• Expanded FIPS 140-3 Support: Kasten Multi-Cluster Manager and Veeam Backup & Replication Location Profiles can now be used in FIPS mode on supported OpenShift clusters.

• OpenShift Virtualization Instance Types: VMs created using Instance Types can now be restored without requiring additional transformation.

• SUSE Virtualization (formerly Harvester): Introducing support for backup and restore operations of SUSE Virtualization VMs.

New Features

• Added the Dynamic Console Plugin for the OpenShift Web Console for OpenShift versions prior to 4.15. For more details, please refer to the Using Veeam Kasten Console Plugin section.
• Included the Software Bill of Materials (SBOM) as part of the published images. Please refer to this documentation for more information.
• Allow block mode exports of Harvester VM image volumes, bypassing the need to annotate the image storage class with k10.kasten.io/sc-supports-block-mode-exports=true if the storage class used for VM image creation is already annotated.
• Added support for Kubernetes 1.31.
• Added KastenDRReview and KastenDRRestore custom resources to enable KDR recovery via Kubernetes API or CLI.
• Added support for backing up and restoring Multi-Cluster Manager configuration resources for primary and secondary clusters when Quick DR mode is enabled.
• Added support to restore VirtualMachines that are referring to VirtualMachineInstanceTypes, VirtualMachinePreferences, or their respective cluster scoped resources.

Bug Fixes

• Fixed an issue where disaster recovery of Veeam Kasten using Helm would fail if the installation was performed in a namespace other than kasten-io.

Security Issues

• Improved algorithm for authentication cookie validation in OIDC mode. All the users will need to re-login.

Known Issues

• Metadata export fails when using a policy with zero local retention or a policy that references a preset with zero local retention. As a workaround, set the retention count to a value greater than zero. Fixed in release 7.5.1.

Deprecations

• The k10restore Helm chart is deprecated and will be removed in a future release. See Veeam Kasten Disaster Recovery for details on alternate options to recover Veeam Kasten.
• Removed support for helm values deprecated since Kasten 7.0.10 - apigateway.serviceResolver, gateway.insecureDisableSSLVerify, gateway.exposeAdminPort, and service.gatewayAdminPort.
• Removed support for the helm values secrets.apiTlsCrt and secrets.apiTlsKey, which were deprecated in Veeam Kasten 7.0.8.
• Grafana has been removed from Veeam Kasten's installation process, installing Veeam Kasten no longer installs Grafana. This guide can be followed to set up a separate instance of Grafana.
• The k10offline tool has been replaced with k10tools image. Please refer to the air-gapped install documentation for more information on using k10tools image.
• The original injectKanisterSidecar Helm parameters are deprecated and will be removed in an upcoming release in favor of injectGenericVolumeBackupSidecar. Please update existing Helm- or Operator-based Veeam Kasten deployment configurations with the corresponding replacement parameters. Replacement parameter naming is intended to better reflect the purpose of each, but there is no change to parameter function.

Other Notes

• Starting with Veeam Kasten v7.5.3, all new and existing installations will default to Quick DR mode for Veeam Kasten Disaster Recovery (KDR). This mode is recommended for all installations where supported, snapshot-capable storage is available. Prior to upgrading to this version, any Veeam Kasten installation deployed using storage that lacks the ability to create or restore from local snapshots should explicitly disable Quick DR mode using Helm values.
• Grafana will no longer be included as part of the Veeam Kasten installation. Upon upgrading to this version, the integrated version of Grafana will be removed. It is advised to install Grafana separately and follow the procedure described in KB4635 to configure the Kasten dashboard and any alerts prior to upgrading to version 7.5.0.

7.0.14

Release Date: 2024-11-15

New Features

• Added the Dynamic Console Plugin for the OpenShift Web Console for OpenShift versions 4.15+. For more details, please refer to the Using Veeam Kasten Console Plugin section.
• Added support for Azure Federated Identity for OpenShift on Azure via helm. Refer to this section for more details.
• Added support for OCP 4.16 starting Veeam Kasten v7.0.12.
• Added support for OCP 4.17.

Bug Fixes

• Fixed installation failure introduced in Veeam Kasten 7.0.13 if the Helm flag auth.ldap.restartPod is set to true.

Security Issues

• Update K10 services base image to pull in latest security updates.

Known Issues

• Metadata export fails when using a policy with zero local retention or a policy that references a preset with zero local retention. As a workaround, set the retention count to a value greater than zero.

Deprecations

• The original Helm parameter keys listed below are deprecated and will be removed in an upcoming release. Please update existing Helm- or Operator-based Veeam Kasten deployment configurations with the corresponding replacement parameters. Replacement parameter naming is intended to better reflect the purpose of each, but there is no change to parameter function.

Original Parameter Name	Replacement Parameter Name
executorReplicas	limiter.executorReplicas
kanisterPodMetricSidecar	workerPodMetricSidecar
services.executor.workerCount	limiter.executorThreads
services.executor.maxConcurrentRestoreCsiSnapshots	limiter.csiSnapshotRestoresPerAction
services.executor.maxConcurrentRestoreGenericVolumeSnapshots	limiter.volumeRestoresPerAction
services.executor.maxConcurrentRestoreWorkloads	limiter.workloadRestoresPerAction
limiter.concurrentSnapConversions	limiter.snapshotExportsPerAction
limiter.genericVolumeSnapshots	limiter.genericVolumeBackupsPerCluster
limiter.genericVolumeCopies	limiter.snapshotExportsPerCluster
limiter.genericVolumeRestores	limiter.volumeRestoresPerCluster
limiter.csiSnapshots	limiter.csiSnapshotsPerCluster
limiter.providerSnapshots	limiter.directSnapshotsPerCluster
limiter.imageCopies	limiter.imageCopiesPerCluster
kanister.backupTimeout	timeout.blueprintBackup
kanister.restoreTimeout	timeout.blueprintRestore
kanister.deleteTimeout	timeout.blueprintDelete
kanister.hookTimeout	timeout.blueprintHooks
kanister.checkRepoTimeout	timeout.checkRepoPodReady
kanister.statsTimeout	timeout.statsPodReady
kanister.efsPostRestoreTimeout	timeout.efsRestorePodReady
kanister.podReadyWaitTimeout	timeout.workerPodReady
maxJobWaitDuration	timeout.jobWait
forceRootInKanisterHooks	forceRootInBlueprintActions

Other Notes

• Usage of VBR location profile is now supported in FIPS mode.

7.0.13

Release Date: 2024-10-31

New Features

• Added support for incremental block mode export with changed block tracking (CBT) for Azure Disk volumes provisioned using the disk.csi.azure.com CSI driver.
• Added support for read-only location profiles for import & restore operations, providing enhanced control over data access and security.

Security Issues

• Update Grafana version to 8.5.8 to pull in the latest security updates.
• Upgraded Prometheus chart version to 25.28.0 to pull in latest security updates.

Other Notes

• Enhancements have been made to the method used for estimating the amount of data left to upload.

7.0.12

Release Date: 2024-10-18

New Features

• Added immutability support for Google Cloud Storage location profiles.

Bug Fixes

• Fixed an issue where a Deployment without a ReplicaSet or a DeploymentConfig without a ReplicationController would cause a snapshot to fail. Enabling Ignore Exceptions and Continue if Possible will now proceed with a best effort snapshot (unless the degraded workload uses a Blueprint).

7.0.11

Release Date: 2024-10-07

Release Summary

This release addresses the following bugs encountered after the release of 7.0.10 (which was retracted).

Bug Fixes

• Fixed an issue rendering the logging network policy which caused it to be omitted.
• Fixed an issue that caused validation failures for PolicyPreset resources.

7.0.10

Release Date: 2024-10-03

New Features

• Added Helm flags podLabels and podAnnotations to the k10restore chart to add custom pod labels and annotations to pods created during Veeam Kasten Disaster Recovery. Refer to this section for more information.
• Granular resource requests/limits configuration for k10 worker pods.

Bug Fixes

• Fixed an issue where some Veeam Kasten clusters installed with multi-cluster management enabled do not prompt the user to accept the EULA when first accessing the Dashboard. Clusters without an accepted EULA will prompt for acceptance following upgrade.
• Allow Red Hat Operator based Kasten installation to create a custom route configuration.
• Fixed an issue where an excluded, stale GVR could still cause a policy run to fail.

Security Issues

• Update K10 services base image to pull in latest security updates.

Deprecations

• The following helm values are deprecated and will be removed in an upcoming release - apigateway.serviceResolver, gateway.insecureDisableSSLVerify, gateway.exposeAdminPort, and gateway.service.adminPort.

Other Notes

• A new image called gateway has been added to Veeam Kasten.
• Multiple policies that select the same applications now perform separate actions, associated with the respective policy, when run simultaneously.

7.0.9

Release Date: 2024-09-20

New Features

• Added Helm flags global.podLabels and global.podAnnotations that can be used to set labels and annotations on all Veeam Kasten pods globally.

Security Issues

• Update K10 services base image to pull in latest security updates.

Deprecations

• The Helm flags kanisterPodCustomLabels and kanisterPodCustomAnnotations are deprecated and will be removed in a future version, targeting Q2 2025. Please use the flags global.podLabels and global.podAnnotations to configure labels and annotations for Veeam Kasten pods.

7.0.8

Release Date: 2024-09-05

New Features

• Extended the k10_debug.sh script to optionally collect metrics from the Prometheus server installed by Veeam Kasten. Positional arguments have been replaced with optional flags.
• Preserving SELinuxLevel of source namespace for the Kanister Pod during the Export phase has been added for OpenShift clusters.
• Added a User Profile page and updated the main header with a new User Menu and a dark mode toggle. Launching the guided tour was moved to the new User Menu.

Security Issues

• Update K10 services base image to pull in latest security updates.

Deprecations

• The Helm values secrets.apiTlsCrt and secrets.apiTlsKey are deprecated and will be removed in an upcoming release. Please use secrets.tlsSecret to specify the name of a secret of type kubernetes.io/tls. This reduces the security risk of caching the certificates and keys in the bash history.

7.0.7

Release Date: 2024-08-22

Bug Fixes

• Fixed an issue where an excluded, non-running VirtualMachine could still cause a policy run to fail.

Other Notes

• PDF reports can now be generated using the native browsers print dialog.

7.0.6

Release Date: 2024-08-09

New Features

• Added support for Kubernetes 1.30.
• A new openshift.io/required-scc annotation has been applied to all K10 pods. Starting with Openshift 4.14, it will force K10 pods to use the k10-scc SecurityContextConstraints. Default priority for k10-scc SCC set to 0.

Bug Fixes

• Downloads of Block mode snapshot exports during restore were not honoring the rate limit set by the limiter.genericVolumeRestores Helm option.
• Pre and post-snapshot action hooks now persist correctly when using a preset during policy form configuration.
• Fixed an issue that occurred when enabling immutability for an existing profile on Wasabi.

Security Issues

• Fixed critical authentication vulnerability. This upgrade is recommended for all users.

Deprecations

• Removed support for Kubernetes 1.26.

7.0.5

Release Date: 2024-07-25

New Features

• FIPS-enabled clusters now support joining a Veeam Kasten multi-cluster instance and promotion to a multi-cluster primary.
• General availability of a new user interface to simplify recovery of an entire Kasten instance following the loss of a cluster. Refer to Recovering Kasten from a Disaster via UI.
• The Location Profiles page now supports a dedicated view page, multi-step form, and table view with filtering option.
• When using OpenShift OAuth authentication, OpenShift Root CA certificates are now automatically included in the Kasten custom CA bundle. For more details, please refer to the OpenShift Authentication section.
• New openshift.io/required-scc annotation has been applied to all K10 permanent running pods. Starting with Openshift 4.14, it will force K10 pods to use the k10-scc SecurityContextConstraints.

Bug Fixes

• Updated the Kasten Operator to ensure the datamover and metric-sidecar images are pulled from the Red Hat image registry.

Security Issues

• Update K10 services base image to pull in latest security updates.

7.0.4

Release Date: 2024-07-11

New Features

• Added a new helm flag grafana.external.url that can be used to configure the URL of an externally installed Grafana instance.

Bug Fixes

• Fixed an issue that could prevent upgrade to versions 7.0.2 and 7.0.3.
• Fixed an issue that occurred when enabling immutability for an existing profile.
• The ingress.tls.secretName Helm parameter is now optional when Ingress TLS is enabled.
• Insecure connections to a multi-cluster primary are now restricted by default. Refer to HTTP primary ingress connections for details.

Security Issues

• Upgrade Fluent Bit to mitigate CVE-2024-4323.
• Upgrade to Go 1.22.5 to mitigate security vulnerabilities.

Other Notes

• Grafana will no longer be included in the Veeam Kasten installation process from the upcoming release 7.5.0. Upon upgrading to this version, the integrated version of Grafana will be removed. It is advised to install Grafana separately and follow the procedure described in our knowledge base article to configure the Kasten dashboards and alerts before upgrading Kasten to version 7.5.0.

7.0.3

Release Date: 2024-06-28

Bug Fixes

• Fixed a potential issue in the UI where the dropdown selector for profiles did not populate as expected.

7.0.2

Release Date: 2024-06-27

New Features

• K10 now automatically attaches the k10.kasten.io/containsGVS label to exported RestorePoint and RestorePointContent resources to indicate a backup containing Generic Volume Snapshots.
• Added the datastore.parallelDownloads helm option to allow configuring the number of files to be downloaded in parallel from the storage repository. For more information, please refer to the Helm Configuration for Parallel Download from the Storage Repository section.

Security Issues

• Upgrade Python packages to mitigate security vulnerabilities.
• Update K10 services base image to pull in latest security updates.

Upgrade Notes

• This release will perform a catalog schema upgrade. The catalog-pv-claim PVC size may need to be increased to ensure a successful upgrade. The schema upgrade requires at least 50% of free space in the catalog-pv-claim PV. You can view available catalog storage space in the Kasten dashboard under Settings > System Information > Upgrade Status. Refer to this page for more information.

7.0.1

Release Date: 2024-06-13

New Features

• Allow for canceling a Multi-Cluster Join Request from the UI if the join is stuck in a joining state.

Bug Fixes

• Fixed a bug that allowed unsupported partial restores of Virtual Machines.
• Fonts are now served from local static files instead of being fetched from Google Fonts.

Security Issues

• Upgrade to Go 1.22.4 to mitigate security vulnerabilities.
• Update K10 services base image to pull in latest security updates.

Other Notes

• Following the renaming of Azure Active Directory to Microsoft Entra ID, the Helm values secrets.microsoftEntraIDEndpoint and secrets.microsoftEntraIDResourceID have been added to configure Endpoint and Resource ID when required. The original Helm values, secrets.azureADEndpoint and secrets.azureADResourceID, continue to be supported but will be deprecated in a future release.

7.0.0

Release Date: 2024-05-31

Release Summary

Veeam Kasten V7.0 represents another leap forward for the industry's leading platform for Kubernetes data protection and application mobility. This release focuses on improving cyber resilience, enabling new integrations with enterprise partners, and enhancing the restore experience.

New and enhanced capabilities of Kasten V7.0 include:

• FIPS 140-3 Compliance: Kasten can now be installed in FIPS mode on supported OpenShift clusters.

• Expanded Immutability Support: Azure Location Profiles now support immutable backups. Additionally, raw block mode volumes can now be protected using any immutability-enabled Location Profile.

• Expanded SIEM Support: Added example Kasten-specific events for Microsoft Sentinel SIEM.

• Dashboard Authentication: The existing process for enabling OpenShift OAuth integration has been further automated to simplify configuration. Dashboard authentication options now allow the configuration of sensitive values by referencing an existing Secret, providing additional flexibility in integrating with Secrets management tools to achieve secure deployments of Kasten.

• Secure Supply Chain: Kasten Helm chart provenance can now be verified before installation.

• Azure Marketplace Availability: Offers simplified deployment and consolidated licensing of Kasten for clusters on Azure.

• OpenShift ImageStream: Native support for protecting and restoring container images managed by ImageStreams and hosted using the OpenShift internal registry.

• Multi-Cluster Manager: A new user interface simplifies the creation of a primary cluster and the addition of secondary clusters. Creation of a primary cluster and the addition of secondary clusters can be fully automated using GitOps tools.

• Kasten-DR: A new user interface simplifies the recovery of an entire Kasten instance following the loss of a cluster.

• Restore Volume Clones: Added the ability to restore copies of volumes within the original namespace to enable self-service data retrieval without impacting running workloads.

New Features

• Added the extract-certificates sub-command to the k10tools openshift for extracting CA certificates from OpenShift clusters. For more details, please refer to the Extracting OpenShift CA Certificates section.
• Added the capability to automatically generate the OAuth Client Service Account with its corresponding secret for enabling OpenShift OAuth integration. For more details, please refer to the OpenShift Authentication section.
• Support for a FIPS compliant mode of operation. This activates the FIPS mode of the cryptographic modules and ensures adherence to strict federal guidelines by deactivating non-FIPS algorithms.
• Added support to install Kasten K10 via Azure Marketplace.
• Added the ability to configure the ingress URL of a secondary cluster, required for click-through access from the Multi-Cluster Manager, using mc-join-configmap.
• Added the ability to promote a cluster to be the primary cluster in a Multi-Cluster system through the Kasten dashboard.
• Added the ability for a secondary cluster to join an existing Multi-Cluster system through the Kasten dashboard.
• Added progress indicators for restore actions.
• Added an alternative method for K10 Disaster Recovery, known as K10 Quick Disaster Recovery. This method introduces a faster and more storage-efficient approach to K10 Disaster Recovery. It provides recovery of applications' exported restore points and other K10 resources. Refer to the K10 Quick Disaster Recovery section for more details.
• Successfully restored volumes will now be retained between restore attempts within a single Restore action. This enhancement will significantly speed up retries in the event of partial failures.
• The details of application ExportAction and RestoreAction objects now contain information on volume data transfers associated with these actions. This information is also visible in the GUI in the "Action Details" panels.

Security Issues

• Update K10 services base image to pull in latest security updates.

Deprecations

• The k10multicluster tool has been deprecated. Please refer to the getting started guide for configuring the Multi-Cluster system through the Kasten dashboard or via GitOps.

6.5.14

Release Date: 2024-05-17

New Features

• Support for Block mode export of a volume mounted in Filesystem Volume Mode is now possible with a PVC annotation, provided its StorageClass supports the Block VolumeMode.
• Added support for Helm chart verification using Helm provenance.
• Added the datastore.parallelUploads helm option to allow configuring the number of files to be uploaded in parallel to the storage repository. For more information, please refer to the Helm Configuration for Parallel Upload to the Storage Repository section.
• Added support for upgrading policies backing up applications using GSB/Kanister Blueprints.
• Added support for upgrading K10 DR policies.

Bug Fixes

• API now supports label selectors when listing passkey resources. Note that passkeys do not have, currently, any label assigned. Therefore, label selectors are most useful for passkeys when listing multiple resource types with a common label selector.
• Fixed a bug that caused restored PVCs to remain in a pending state.
• Resolved a compatibility issue with Kubernetes and third-party tools that was causing crashes in auth/dashboard services during OIDC authentication. The auth.groupAllowList field is now 'optional' to support scenarios where empty fields are not populated into secrets, resulting in improved stability in a wide range of deployment environments.
• Fixed an issue with cancellation of a K10 policy session or a K10 session from VBR.

Security Issues

• Limited the scope of infrastructure credentials to improve security posture.
• Upgrade to Go 1.22.3 to mitigate security vulnerabilities.
• Update K10 services base image to pull in latest security updates.

Upgrade Notes

• Multi-cluster join process was updated. Join tokens generated from previous versions will be become invalid as part of this upgrade, and will be regenerated. New joins to multi-cluster requires both primary and secondary clusters to be upgraded to 6.5.14. Join configuration override options via the Join ConfigMap were updated. Secondary clusters that are already connected to a multi-cluster primary are not affected.

6.5.13

Release Date: 2024-05-02

New Features

• Added the ability to provide AWS credentials using a reference to a Secret. For additional information, please refer to the Existing Secret Usage section.
• Added the ability to provide Google Cloud credentials using a reference to a Secret. For additional information, please refer to the Existing Secret Usage section.
• Added the ability to change the value of the Priority field for the SecurityContextConstraints resource in Red Hat Openshift.
• Added the ability to provide vSphere credentials using a reference to a Secret. For additional information, please refer to the Installing K10 on VMware vSphere section.

Bug Fixes

• Fixed an issue that resulted in a timeout error during the restoration of large PVCs.

Security Issues

• Update K10 services base image to pull in latest security updates.

6.5.12

Release Date: 2024-04-19

New Features

• Added the ability to provide Azure credentials using a reference to a Secret instead of Helm parameters. For additional information, please refer to the Existing Secret Usage section.
• Added the ability to use the Ceph Rados Block Device API when exporting Ceph CSI RBD volumes in block mode, possibly reducing the size and duration of a backup.
• Added metrics to track the duration and transfer rate of data transfer operations, along with monitoring the volume count. A new panel has been added to the K10 Grafana dashboard to visualize these metrics.
• Added the ability to filter imported namespaces.
• Added the capability to now include local container images from ImageStreams when backing up an application.
• Added a Helm option to override the default name of the Ingress object for the K10 dashboard.
• Added Helm options for specifying the default backend service for the K10 dashboard Ingress object.
• Added Helm options for specifying the default backend resource for the K10 dashboard Ingress object.
• The authentication service now sends requests to an internal Dex instance using internal endpoints. This configuration is valid if K10 was set up with LDAP, AD, or OpenShift authentication.
• The Restore Volume Clones mode has been implemented, providing the ability to restore only data without affecting workloads.
• Added support to restore VirtualMachines in their original namespaces.

Bug Fixes

• Fixed an issue validating Infrastructure Profiles on Azure sovereign clouds.
• Fixed failure in restoring a block mode export from a locked but damaged S3 repository, within its protected period. After upgrading, a new backup must be made to the locked repository to support restoration within the protection period. Restoration from an undamaged repository continues to function as before.
• Fixed an issue where PVC labels were lost after restoration from an exported restore point.
• Restricted the immutable exports active monitoring for imported restore points. Only the original cluster can now extend protection.

Upgrade Notes

• New multicluster joins require a mc-join-config ConfigMap along with mc-join secret. For additional information, please refer to the Adding a Secondary Cluster section.

6.5.11

Release Date: 2024-04-05

New Features

• Added support for OCP 4.15.
• Added the ability to provide sensitive OIDC values using a reference to a Secret instead of Helm parameters. For additional information, please refer to the OpenID Connect Authentication section.
• This release introduces namespaced RunAction resource. All existing non-namespaced RunActions will be converted to namespaced resources automatically and inherit the namespace of the policy referenced in their specs. Non-admin users can now manually create RunActions, via kubectl or via K10 dashboard, in the namespaces that they have access to. Uses of RunActions in scripts and APIs should be reviewed and updated with namespaces as needed.

Security Issues

• Upgraded to Go v1.21.9 to mitigate security vulnerabilities.

Known Issues

• While creating a manual RunAction via kubectl, non-admin users will encounter a permission error for customresourcedefinitions.apiextensions.k8s.io. Users can workaround this issue by passing --validate=false along with the command. Creating manual RunAction via K10 dashboard is not affected.
• Storage repository resources that had previously been deleted might be recreated when upgrading to this release or to a more recent one. It is safe to delete them again.

Upgrade Notes

• This release will perform a catalog schema upgrade. The catalog service's PVC service's PVC size may need to be increased to ensure a successful upgrade. The schema upgrade requires at least 50% of free space in the catalog service's PVC. You can find the current size at Settings > Support > Upgrade Status on the K10 dashboard. Refer to this page for more information.

6.5.10

Release Date: 2024-03-25

Bug Fixes

• Fixed an issue where some region names caused profile cards on Location Profile for object storage to not display correctly.

6.5.9

Release Date: 2024-03-25

New Features

• Added a new mandatory FCD migration step for the Instant Recovery process. The recovered application will be running from a network volume during the migration process.

Bug Fixes

• Fixed a UI issue when custom export retention settings couldn't be saved in Policy and Policy preset form.
• Fixed a bug that in rare cases allowed basic users to list actions in namespaces without authorization.
• Fixed an issue where in-tree storage plugin based PVs were left abandoned after an export action or after deleting a restored application, on the environments where in-tree storage plugins had been migrated to CSI volume provisioners.

Security Issues

• Users are now restricted from listing actions in namespaces without proper authorization. All customers are encouraged to upgrade to get the fix for this issue.

Deprecations

• The auth.dex.* helm values were removed in favor of auth.openshift.* and auth.ldap.*. Deprecation had been announced since version 6.0.11.

6.5.7

Release Date: 2024-03-07

New Features

• Added the capability to automatically generate a token for the Service Account in the OpenShift authentication configuration. For additional information, please refer to the OpenShift Authentication section.
• Added capability to setup a cluster as a multicluster primary via Helm.

Bug Fixes

• Fixed a bug that prevented policy revalidation in secondary clusters.
• Fixed an issue with OIDC refresh token support, which prevented the UI session to continue after successful refresh.
• Fixed an issue where export with block mode volumes failed due to misconfigurations in the ephemeral pods' spec.
• Fixed storage repositories not listing correctly in certain Kubernetes clients.
• Fixed an issue with exports and restores when using the Dell VxFlexOS CSI driver.

Security Issues

• Upgraded google.golang.org/protobuf to mitigate CVE-2024-24786.
• Upgraded to Go v1.21.8 to mitigate security vulnerabilities.
• Changes in SecurityContextConstraints resource were made to reflect the latest securityContext updates on K10 workloads.
• Explicitly set runAsNonRoot=true, seccompProfile=RuntimeDefault, allowPrivilegeEscalation=false and capabilities.drop=["ALL"] for K10 service containers.
• Update K10 services base image to pull in latest security updates.

6.5.6

Release Date: 2024-03-01

New Features

• Added support for OCP 4.14.

Bug Fixes

• Fixed a performance issue affecting listing the Applications on the K10 Dashboard.

Deprecations

• Removed support for OpenShift 4.11. Reason - reached Red Hat's End-of-Life status on 2024-02-10.

6.5.5

Release Date: 2024-02-23

New Features

• Added a new feature for multi-cluster configurations. Now, users can set secondary cluster names using the cluster-name field within the mc-join secret of the secondary cluster. It is required that these names adhere to Kubernetes naming conventions and are unique within the managed cluster set. The Cluster resource in the primary kasten-io-mc namespace has been enhanced to use the provided name whenever possible. If the naming requirements are not met, the secondary cluster will fail to join the primary cluster.
• Added the Helm options defaultPriorityClassName to specify the default priority class name for all K10 deployments and ephemeral pods.
• Added the Helm options priorityClassName.<deploymentName> to override the default priority class name for the specified deployment.
• An additional step has been added to the DR restore process. Newly DR-restored K10 instances will now require user confirmation of the permanent deactivation of the original K10 before assuming ownership of backup data. This confirmation involves deleting the k10-dr-remove-to-get-ownership configmap in the K10 namespace.

Bug Fixes

• Fixed an issue where the aggregatedapis-svc pod would log CRD deprecation warnings.
• Fixed an issue where the custom values for ephemeral pods defined in the pod-spec-override config map and the K10 default settings defined via Helm values did not merge.
• Fixed an issue with improper SCC selection after K10 upgrade in Red Hat OpenShift clusters.

Other Notes

• Independently (without K10) using, interacting, connecting, modifying, copying, upgrading, or in any way accessing/manipulating a K10 storage repository is unsupported and might cause data corruption/loss to some or all of the restore points. Users must never attempt to perform any such action themselves unless under constant, active, supervision by a member of Kasten's support or engineering teams.

6.5.4

Release Date: 2024-02-08

New Features

• Added the capability to refer to the client's secret name in the OpenShift authentication configuration. For additional information, please refer to the OpenShift Authentication section.
• Availability of SCC for DR limited to K10 DR user
• Added the Helm options kanisterPodMetricSidecar.resources to specify resource settings for the Kanister pod metric sidecar.
• Improved worker node count estimates for licensing in Openshift clusters.

Bug Fixes

• Fixed UX issues that affected the Policy form, the System Information, Data Usage, and Applications pages.

Please see this Knowledge Base article for more information.

• Fixed a bug that allowed basic users to access data without authorization.

Security Issues

• Explicitly set runAsNonRoot=true, seccompProfile=RuntimeDefault, allowPrivilegeEscalation=false and capabilities.drop=["ALL"] for K10 service containers.
• Users are now restricted from restoring data without proper authorization. All customers are encouraged to upgrade to get the fix for this issue.
• Update K10 services base image to pull in latest security updates.

6.5.3

Release Date: 2024-01-26

New Features

• Added the "Filter Resources" option in the Multiple Applications Restore form.
• Added Azure Immutability protection.

Bug Fixes

• Fixed an issue where Generic Storage Backup of applications with shareable volumes failed to connect to the backup repository.
• Fixed an issue where snapshot of an application with non-running Virtual Machines failed even after excluding the Virtual Machine resource using the policy's exclude parameters.
• Fixed the PDF download button on the Reports Table.

Security Issues

• Improve logging to prevent logging of sensitive backup location connection details.

Known Issues

• With the recent deprecation of in-tree provisioners, volumes that are restored from snapshots that use the GCE PD in-tree provisioner may not be deleted. For information on how to clean up these orphaned volumes, please refer to K10 knowledge base articles.

Upgrade Notes

• The gateway service port has changed to 80. To emulate the previous behavior set the gateway.service.externalPort value to 8000.

Deprecations

• The K10 Operator no longer supports downloading PDF reports. Setting reporting.pdfReports as true for a K10 Operand install or upgrade will result in an error.

6.5.2

Release Date: 2024-01-12

New Features

• Added the capability to configure the security context of Kanister Execution Hooks using the new helm flag forceRootInKanisterHooks which is set to true by default. For additional information, please refer to the Configuring Security Context for Kanister Execution Hooks section.
• The support for CephFS CSI Snapshots as shallow read-only volumes has been added.
• The ability to perform a read-only mount of a snapshot into the Kanister Pod during the Export phase has been added.
• The ability to preserve the SELinuxLevel of Pods and Deployments for the Kanister Pod during the Export phase has been added for OpenShift clusters.
• Added the ability to delete storage repository API resources.
• Added support for Kubernetes 1.28.

Bug Fixes

• Fixed incorrect api groups and specified verbs for resources in k10 restore helm chart.

Security Issues

• Upgrade golang.org/x/crypto to mitigate security vulnerability CVE-2023-48795.
• Updates dependencies to address security vulnerabilities in 3rd party libraries.

Upgrade Notes

• If you have applications using native Ceph provisioning, please switch over to CSI-based Ceph provisioning for continued K10 support.

Deprecations

• Removed categories from vSphere profile. vSphere tags aren't used for tracking k10 snapshots anymore.
• K10 support for native Ceph provisioning, which was deprecated in K10 5.5.10, has now been removed in favor of CSI-based Ceph support. For applications reliant on native Ceph provisioning, taking application snapshots and exporting the snapshots will stop working after upgrading to K10 6.5.2.

warning

In order to preserve snapshots of applications that use native Ceph provisioning, snapshots must be exported before upgrading to K10 6.5.2.

Application restores from an exported snapshot can be used by applying a resource transformation on the storage class of the persistent volume claim. The transformation will be a replace on the /spec/storageClassName path of the persistentvolumeclaims resource.

6.5.1

Release Date: 2023-12-18

New Features

• Added ability to view blueprint bindings and manage blueprint annotations inside namespace details.
• The Policy validation now also includes a consistency check of the immutability settings in VBR and K10. The Protection Period set in K10 should not exceed the backup's immutable period set in VBR.

Bug Fixes

• Updated the k10multicluster tool to detect misconfigurations of user-provided contexts in the disconnect command, preventing incomplete cleanup.
• Fixes incorrect Grafana datasource when a custom release name is used.
• Fixed an issue where K10 Disaster Recovery was failing when the k10-disaster-recovery-policy was edited to be on demand.
• Fixed an issue where the transform set updates would freeze when no changes were made.
• Fix downloading reports as PDFs when OIDC authentication is enabled.
• Fixed an issue that caused RetireAction to fail when a RestorePoint contained multiple resources with the same name and different assigned blueprints.
• Transform set referencing bug fixed in the UI of Restore and Policy forms.

Security Issues

• Update K10 services base image to pull in latest security updates.

Other Notes

• FCD snapshots created by K10 now listed by their descriptions instead of vSphere tags.

6.5.0

Release Date: 2023-11-27

Release Summary

Kasten K10 V6.5 was focused on security integrations and supporting large-scale Kubernetes deployments.

New capabilities of Kasten K10 V6.5 include:

• Automatically published Software Bill of Materials (SBOMs): SBOMs are now automatically generated and published in the documentation using Syft.

• Images published to Iron Bank: Iron Bank is the verified, centralized, hardened container image repository trusted by the U.S. Department of Defense, government, health, and financial sectors. This process includes container scanning with Anchore, Twistlock, and OpenSCAP.

• SIEM Integration: K10-specific events can now be logged to an ObjectStorage for consumption by SIEMs, including in managed Kubernetes environments. See the documentation for further details.

• Massive Multi-Cluster: The scalability of multi-cluster has been improved in several values. Instantiating clusters can be done entirely through Kubernetes APIs, simplifying GitOps workflows. Ingresses are no longer required on secondaries and all metrics/communication can now use a single ingress on the primary cluster.

• Block Mode Backups: Full backups of arbitrary block devices are now supported. Support for incremental backups of AWS EBS volumes was also added.

• Multi-application restore: Simplifies and speeds up bulk restore operations by enabling users to select multiple applications from the dashboard and restore them to the same or a different cluster with just a few clicks.

New Features

• Google Workload Identity Federation with Kubernetes as the Identity Provider is supported for application exports as well as K10 DR backup and restore. Refer to Using Google Workload Identity Federation for details.
• K10 images are now available through Platform One's Iron Bank container registry.
• K10 can now be deployed using Iron Bank hardened images via the public Kasten Helm chart.
• K10 restore can now be deployed using Iron Bank hardened images via the public Kasten Helm chart.
• The multi-cluster primary instance exports new metrics collected from all clusters within the multi-cluster system. Refer to Veeam Kasten Multi-Cluster Metrics for more information.
• Updated the upgrade-action API documentation.

Bug Fixes

• Fixed an issue where export action failed while exporting data to a Veeam Repository.
• Fixed an issue where, applications restore was failing on vSphere Tanzu 8.0U2.
• Fixed an issue where, after upgrading to K10 version v6.0.12, certain short-lived pods would fail with the ImagePullBackOff error due to missing image pull secret.
• Fixed an issue where the custom CA certificate ConfigMap was not mounted on certain short-lived pods after upgrading to K10 version v6.0.12.
• Fixed an issue where a limit was reached, causing multi-cluster license leases to fail to renew.
• Fixed an issue with collection of the multi-cluster export storage metric.

Security Issues

• Update K10 services base image to pull in latest security updates.

Known Issues

• Currently, the K10 admin image is not available in Iron Bank. This means downloading PDF reports is not possible, and only the K10 UI can be used to view reports.

Upgrade Notes

• Ingress is required for the primary cluster in the multi-cluster system. Please update the primary cluster's spec.k10.ingress.url to the URL of K10's ingress on the primary cluster.

Deprecations

• Support for a primary cluster without an ingress will be removed in an upcoming release.
• Previously, all secondary metrics were scraped by the primary cluster. Now only specific metrics are collected by the primary cluster. Refer to Veeam Kasten Multi-Cluster Metrics for more information.

Other Notes

• Generic Storage Backup will now be disabled by default. For more details, refer to this page.

6.0.12

Release Date: 2023-11-03

New Features

• Support of block mode export for AWS EBS volumes added, including the use of AWS Change-Block-Tracking API that improves performance of data exporting.
• Added Garbage Collector support for each type of Kasten K10 actions.
• Security settings for internal K10 pods responsible for backup and restore operations were adjusted to reflect the storage and location profile types. By default, these pods will run with root permissions for the NFS location profile or NFS target storage. For the other storage or location profile types, K10 will run with non-root permissions. Security settings for these pods can be customized by using the StorageSecurityContext custom resource.
• Added new custom resources StorageSecurityContext and StorageSecurityContextBinding, enabling security settings customization to access storage for backup and restore operations.

Deprecations

• The helm field restore.copyImagePullSecrets has been removed. K10 no longer copies the imagePullSecrets from the K10 namespace (kasten-io by default) to the application namespace.
• The garbagecollector.importRunActions, garbagecollector.backupRunActions, garbagecollector.retireActions blocks within the helm chart values have been replaced with garbagecollector.actions.

Other Notes

• Effective with the release of Kasten K10 6.5.0, currently targeted for Q4 CY2023, Generic Storage Backup will be disabled for all new deployments of Kasten K10, as well as existing deployments when upgraded to 6.5.0 or later. For more details, refer to this page.

6.0.11

Release Date: 2023-10-24

Bug Fixes

• Fixed a critical issue with new backup repositories that were created with K10 version v6.0.9, where RestorePoints could be partially removed on an arbitrary schedule. Once K10 is upgraded, the correct retention settings will be applied to these repositories. Customers are advised to upgrade as soon as possible.

6.0.10

Release Date: 2023-10-23

New Features

• Add support for spec.infra.aws.disableEBSDirectForBlockMode in the Profile CRD to disable access to the EBS Direct API for block mode operations.
• Add support for status.infra.aws.hasAccessForEBS in the Profile CRD to indicate that a profile has permissions for EBS via the EC2 client.
• Add support for status.infra.aws.hasAccessForEFS in the Profile CRD to indicate that a profile has access to EFS.
• Add support for status.infra.aws.hasAccessForEBSDirect in the Profile CRD to indicate that a profile has access to the EBS Direct API.
• Add support for status.warning in the Profile CRD to report validation warnings.
• Adds the ability to delete completed Multi-Cluster bootstrap objects from the UI.

Bug Fixes

• Fixed an issue where policies were running up to 3 minutes before their initial scheduled time.
• Fixed an issue where the Missing Profile message was incorrectly showing on policy cards when the user did not have profile list permissions.

Security Issues

• Upgrade to Go v1.21.3 to mitigate security vulnerabilities.
• Update K10 services base image to pull in latest security updates.

Deprecations

• The auth.dex block of the helm chart values will be deprecated in favor of auth.openshift and auth.ldap in version 6.5.
• Deprecate the use of spec.infra.aws.hasAccessForEBS in favor of status.infra.aws.hasAccessForEBS in the Profile CRD.
• Deprecate the use of spec.infra.aws.hasAccessForEFS in favor of status.infra.aws.hasAccessForEFS in the Profile CRD.

Other Notes

• Effective with the release of Kasten K10 6.5.0, currently targeted for Q4 CY2023, Generic Storage Backup will be disabled for all new deployments of Kasten K10, as well as existing deployments when upgraded to 6.5.0 or later. For more details, refer to this page.

6.0.9

Release Date: 2023-10-10

New Features

• Added a new Action API resource BatchRestoreAction, enabling concurrent batch restores for multiple applications using the same underlying restore mechanisms as the existing RestoreAction.
• When performing a restore via the UI, it is now possible to initiate the restore of multiple applications at once.
• Added a Garbage Collector to perform cleanup of RunActions that create BackupActions (and optionally ExportActions).
• Added a new Helm flag, kanister.managedDataServicesBlueprintsEnabled, which can be used to enable or disable the built-in Kanister Blueprints for data services such as PGO and K8ssandra.
• A new service was added to K10 that handles aggregating storage data statistics for backup data exported from the cluster.
• Added shadow indicators to the top and bottom of the navigation sidebar whenever there is content above or below the visible area.

Bug Fixes

• Fixed an issue where restore action failed while restoring PVCs, if K10 was set up to use a private container registry.

Other Notes

• Effective with the release of Kasten K10 6.5.0, currently targeted for Q4 CY2023, Generic Storage Backup will be disabled for all new deployments of Kasten K10, as well as existing deployments when upgraded to 6.5.0 or later. For more details, refer to this page.

6.0.8

Release Date: 2023-09-22

Bug Fixes

• Fixed an issue where non-admin users were unable to see details of a restore point.
• More efficient utilization of VMware vSphere resources is now supported with the ability to retain zero local snapshots in backup and export policies involving volumes of the VMware vSphere CSI provisioner. To ensure the continuity of current incremental block mode exports, installations should allow at least one run of existing policies with the upgraded software before reducing the local snapshot retention value to 0.
• Fixed an issue in which logical backup of applications failed with the error message Failed to render template: "kopiaOutput" not found. The issue occurred only when Kanister pods are being injected with sidecar containers.
• An error will now be thrown if there is an attempt to import restore points into the same cluster that exported them, which is unsupported. The supported method of repopulating restore point metadata to the K10 instance that exported them is via the DR workflow.

Security Issues

• Update K10 services base image to pull in latest security updates.

Upgrade Notes

• Several values were removed from the Helm chart due to simplification and improved sub-chart integration.

Chart Value	Note
grafana.prometheusName	Grafana is now automatically configured to communicate with Prometheus.
grafana.prometheusPrefixURL	Grafana is now automatically configured to communicate with Prometheus.
grafana.extraLabels.component	Grafana is now automatically configured with required labels.
grafana.podLabels.component	Grafana is now automatically configured with required labels.
grafana.rbac.namespaced	Grafana is now automatically configured to enable namespaced RBAC.
grafana.rbac.pspEnabled	This value was unused.
global.ingress.create	This value was unused, please use ingress.create instead.
global.ingress.urlPath	This value was unused, please use ingress.urlPath instead.
global.route.enabled	This value was unused, please use route.enabled instead.
global.route.path	This value was unused, please use route.path instead.

Deprecations

• Removed support for IBM SoftLayer Block Provider direct API integration.

Other Notes

• Effective with the release of Kasten K10 6.5.0, currently targeted for Q4 CY2023, Generic Storage Backup will be disabled for all new deployments of Kasten K10, as well as existing deployments when upgraded to 6.5.0 or later. For more details, refer to this page.

6.0.7

Release Date: 2023-09-10

New Features

• Add sidebar navigation and make Profiles, Blueprints, Transform Sets, and User Roles, top level items. Policies, Profiles, User Permissions, Distributions, and Licensing in the Multi-Cluster Manager have also been moved to the top-level in the sidebar. Switching context between the Multi-Cluster Manager and it's individual clusters is now done via a dropdown menu on the top of the sidebar.

Bug Fixes

• Fixed a problem where K10 affinity pods were not being created with proper tolerations. They are now going to get created with the same tolerations that application pods have.
• Support for OIDC refresh tokens is off by default.

Security Issues

• Upgrade to Go 1.20.8 to mitigate security vulnerabilities.

Deprecations

• Removed support for OpenShift 4.10 and Kubernetes 1.23.

Other Notes

• Effective with the release of Kasten K10 6.5.0, currently targeted for Q4 CY2023, Generic Storage Backup will be disabled for all new deployments of Kasten K10, as well as existing deployments when upgraded to 6.5.0 or later. For more details, refer to this page.

6.0.6

Release Date: 2023-08-25

New Features

• Added support for Kubernetes 1.27.
• Added support for OCP 4.13.
• Support for OIDC refresh tokens has been introduced. This feature can be disabled using the new auth.oidcAuth.refreshTokenSupport helm flag.
• Added a new helm flag, auth.oidcAuth.sessionDuration to manage the session duration within the K10 UI.

Upgrade Notes

• The Prometheus chart used by the K10 helm chart has been upgraded from 15.8.5 to 23.3.0 and as a result, some of the K10 helm configuration options have changed:

Old Configuration	New Configuration
prometheus.kubeStateMetrics	prometheus.kube-state-metrics
prometheus.nodeExporter	prometheus.prometheus-node-exporter
prometheus.pushgateway	prometheus.prometheus-pushgateway
prometheus.serviceAccounts.alertmanager.create	prometheus.alertmanager.serviceAccount.create
prometheus.serviceAccounts.kubeStateMetrics.create	prometheus.kube-state-metrics.serviceAccount.create
prometheus.serviceAccounts.nodeExporter.create	prometheus.prometheus-node-exporter.serviceAccount.create
prometheus.serviceAccounts.pushgateway.create	prometheus.prometheus-pushgateway.serviceAccount.create

No action is required if your K10 installation does not use the old helm configuration values. However, if you have any of the above features enabled, make sure to use the new configuration value for the feature with your helm upgrade.

Deprecations

• The Prometheus configurations listed below are deprecated and will be removed in a future release.

Deprecated Helm Configuration
prometheus.alertmanager.enabled
prometheus.alertmanager.serviceAccount.create
prometheus.networkPolicy.enabled
prometheus.prometheus-node-exporter.enabled
prometheus.prometheus-node-exporter.serviceAccount.create
prometheus.prometheus-pushgateway.enabled
prometheus.prometheus-pushgateway.serviceAccount.create
prometheus.scrapeCAdvisor
prometheus.server.strategy.rollingUpdate.maxSurge
prometheus.server.strategy.rollingUpdate.maxUnavailable
prometheus.server.strategy.type
prometheus.server.persistentVolume.enabled
prometheus.server.persistentVolume.size
prometheus.server.configMapOverrideName
prometheus.server.serviceAccounts.server.create

6.0.5

Release Date: 2023-08-13

New Features

• Added the opportunity to cancel BackupClusterAction and RestoreClusterAction using CancelAction.
• Added support to export a volume snapshot's data in Block Mode, based on the VolumeMode of its PersistentVolume and the presence of a K10 annotation in its StorageClass. This will work on any cluster, subject to passing the K10 Primer Block Mount Check test.

Existing support for block mode exports with the csi.vsphere.vmware.com storage provisioner will continue to function even without the new StorageClass annotation.

Bug Fixes

• Fixed an issue where Snapshot for EFS Shared Volume backed PVC was failing.
• Fixed a validation issue with immutable backups profiles authenticated with AWS IAM roles.
• Fixed issues where PVCs were deleted during restore. Issues could occur when PVC had been excluded from restore point during backup or when PVC name was modified by transform during restore. Avoids need for workaround of using restore filter to exclude PVC.

Security Issues

• Upgrade golang.org/x/net to v0.13.0 to mitigate CVE-2023-3978.
• Upgrade to Go 1.20.7 to mitigate security vulnerabilities.
• Update K10 services base image to pull in latest security updates.

Known Issues

• Shareable volume backup and restore workflows are not compatible with NFS FileStore location profiles.

6.0.4

Release Date: 2023-07-31

New Features

• Improved performance of restores by optimizing the number of API calls meant for fetching storage classes.
• Added support for having a GCP Service Account in the project other than the one in which the cluster is located. Refer to this page for more details.
• Improved rendering time of the restore points page.
• The OpenShift Virtualization Virtual Machines in Stopped state can be backed up with K10 starting from version v6.0.3.

Bug Fixes

• The auth.groupAllowList option now properly filters allowed OIDC groups.
• Fixed an issue where backup failed with Failed to determine if VM should be frozen before snapshot for non VM resources.
• Fixed a rare issue that caused the K10 data mover to ignore access permission errors. Fix was applied in v6.0.3.

Known Issues

• Fixed key collision issue while performing an update operation on the StorageRepository artifacts.

Upgrade Notes

• This release will perform a catalog schema upgrade. The catalog service's PVC service's PVC size may need to be increased to ensure a successful upgrade. The schema upgrade requires at least 50% of free space in the catalog service's PVC. You can find the current size at Settings > Support > Upgrade Status on the K10 dashboard. Refer to this page for more information.

Other Notes

• Non-standard kube- prefixed namespaces will be exposed to the K10 dashboard and considered for compliance considerations. If the excludedApps helm flag was previously used, the standard kube- namespaces may also be visible. In this case, to continue hiding and excluding the standard namespaces from compliance considerations, they should be added to the excludedApps list. Applications in the excludedApps list will also be skipped during backups.

6.0.3

Release Date: 2023-07-14

New Features

• Improved execution times of backups and restores by removing API calls meant for discovering the version of the Ingress resource.

Security Issues

• Updates emissary's Go dependencies to address security vulnerabilities.
• Upgrade to Go 1.20.6 to mitigate security vulnerabilities.

6.0.2

Release Date: 2023-06-29

Security Issues

• Update K10 services base image to pull in latest security updates.

6.0.1

Release Date: 2023-06-16

New Features

• Added a new panel to the Grafana dashboard that displays CPU/memory consumption by K10. This panel includes metrics from ephemeral pods, which are short-lived pods used by k10 for individual tasks.

Bug Fixes

• Fixed an issue where PDF reports would sometimes be blank.
• Fixed an issue where workloads were visible in action details even though they were excluded in policy parameters.
• Fixed an issue of restore failing with error "PVC not found in list".

Security Issues

• Update K10 services base image to pull in latest security updates.

6.0.0

Release Date: 2023-06-02

Release Summary

With Kasten K10 V6.0 we focused on increasing operational efficiency. This release focuses on helping customers scale their cloud native data protection efficiently, while retaining our industry-leading platform that provides enterprise-grade Kubernetes data protection and application mobility.

New capabilities of Kasten K10 V6.0 include:

• Transform Library: Kasten K10 V6.0 offers a way to store repeatable metadata transformations. These Transforms Sets will allow organizations to save and re-use transforms, paving the way for lower friction mobility of applications between environments.

• Multi-cluster License Management: With the new feature, Kasten K10 V6.0 enables organizations to pool licenses between all clusters in the multi-cluster systems, allowing for simpler license management. It means that licenses no longer must be distributed to secondary clusters manually. But you can certainly continue to, if you so choose, the system will adapt to that as well.

• Application Fingerprinting: Newly deployed stateful applications can be automatically mapped to appropriate blueprints to achieve proper data consistency. This helps to reduce risk, minimize complexity, nurture operational consistency, and enforce improved compliance, paving the way for scale.

• Veeam Data Platform Integration: Kasten K10 V6.0 can now be connected to Veeam Data Platform V12, allowing centralized visibility and management of Kubernetes backups in Veeam Backup & Replication V12. Kasten K10 V6.0 also enables Instant Recovery capabilities, tapping into Veeam’s long-standing & well-established track record in data protection.

New Features

• Support to import applications with block mode exports to volumes of the openshift-storage.rbd.csi.ceph.com CSI provisioner on RedHat OpenShift clusters.

Bug Fixes

• Fixed an issue where kube-apiserver would have continuous OpenAPI errors.
• Update secondary clusters when primary cluster's ingress URL changes.

Other Notes

• Upgrade of a policy has been temporarily disabled.

5.5.11

Release Date: 2023-05-19

New Features

• Add a configurable helm value - maxJobWaitDuration which overrides the default 10 hours, after which jobs should be canceled.
• Added multicluster licensing statistics to usage reporting

Bug Fixes

• Fixed an issue where retire actions were failing for exported restore points after upgrading K10 to 5.5.9 when using NFS FileStore location profiles.
• Fixed issue with Instant Recovery where Instant Recovery would fail if multiple datacenters were defined in vCenter.

Security Issues

• Update K10 services base image to pull in latest security updates.

Deprecations

• Direct Ceph Integration (RBD only) will be removed in an upcoming release in favor of direct CSI integration. This involves dropping support for Ceph Infrastructure Profile.

5.5.10

Release Date: 2023-05-05

New Features

• Root permissions are no longer required for backup, restore, and export operations to the NFS FileStore location profile. To handle rootless access, a new Supplemental Group field has been added to the NFS FileStore.
• Improved execution times of backups and restores in OpenShift environments by caching OpenShift Route API discovery results.
• Added storage utilization metrics to usage reporting
• A new button on the Policy card allows users to upgrade their policies. Periodically, policies can be upgraded to improve the underlying backups' robustness and space usage. See UpgradeActions for more information.

Bug Fixes

• Enabling Immutable Backups in K10 caused indefinite "Saving" process when more than one day is specified for protection. Fix implemented to ensure day slider works and location profile is created.

Deprecations

• Removed support for Kubernetes 1.22 and OpenShift 4.9.

5.5.9

Release Date: 2023-04-22

New Features

• Support to import applications with block mode exports in clusters that do not natively support block mode exports.
• Instant Recovery decreases restore time for Persistent Volumes. Requires vSphere and a Veeam Backup & Replication server.
• Added the option to rename PVCs during restores.

Bug Fixes

• When upgrading multi-cluster, access tokens are immediately issued to secondary clusters after upgrading the primary cluster. This ensures that secondary clusters don’t have to wait several hours before receiving a license lease.

Security Issues

• Update K10 services base image to pull in latest security updates.

Upgrade Notes

• Additional validation requirements for transforms have been implemented. The policies and transform sets that contain invalid transforms will be marked as invalid. Consequently, policies with invalid transforms or transform sets will not run on schedule. Please refer to Transform Validation Requirements for further information.
• New metrics have been added. If you are using your own instance of Prometheus, you need to add one more target by following this guide .

5.5.8

Release Date: 2023-04-07

New Features

• Added support for Kubernetes 1.26.
• Add license management to Multi-Cluster Manager. See License Management for details.
• Improved execution times of backups and restores in OpenShift environments by caching OpenShift API discovery results.
• Root permissions are no longer required for backup, restore and export operations. The only exception is policies with export to NFS Filestore location profiles. Additionally, for Generic Storage Backups on OCP 4.11 and above, adjustments to the workloads need to be made to continue using this feature. Please see the this section for more details.
• The Veeam Backup & Replication console now has a single pane of glass integration for many Kasten K10 operations, documented in the `Veeam Backup & Replication 12: Kasten K10 Integration Guide https://helpcenter.veeam.com/docs/backup/kasten_integration/overview.html?ver=120.

Bug Fixes

• Retiring cross-region exported AWS EBS snapshots will fail unless the AWS IAM policy is updated. Please see Creating an IAM Policy and Using K10 with AWS EBS for the updated policies.
• Fixes repeated logging of "inconsistent label" error messages from the catalog.
• Fixed a bug that allowed users to create profiles outside the K10 namespace via CLI. All profiles that were created outside of the K10 namespace will become invalid. Policies using such profiles will also become invalid and no longer as scheduled until they are assigned a valid profile.

Upgrade Notes

• Multi-cluster deployments should update the configuration of the primary cluster to include an ingress in order to enable the License Management feature. See Upgrading for details.

5.5.7

Release Date: 2023-03-24

New Features

• Added API support for blueprint bindings. New custom resource can be used to automate blueprints assignment to applications by K10 without having to manually annotate workloads.
• Added support to configure the K10 DR restore timeout using the helm flag restore.timeout.
• Option to overwrite existing kubernetes resources to their restore point state during restores.

Bug Fixes

• Fixed an issue where the Kanister Blueprint was not executed when a Custom Resource having the blueprint annotation is included using "Include Filter" in the policy.

Security Issues

• Update K10 services base image to pull in latest security updates.

Known Issues

• If you have an export that includes snapshot references and you want the snapshot to be copied to a different region than the source cluster, then the retirement of exported restore points containing CSI snapshots will fail.

Upgrade Notes

• The format of timestamps in service logs has been updated to match RFC 3339.

Deprecations

• Support for global.upstreamCertifiedImages has been removed from the K10 Helm chart since all images now use Red Hat certified base images by default. The --upstreamCertifiedImages flag has also been removed from the k10offline tool.

Other Notes

• For AKS clusters running K8s 1.24+, ingress traffic is not being forwarded to the respective services in the AKS cluster because the load balancer's health probes fail.

To resolve this issue when using the nginx ingress controller add the following annotation

service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: "/healthz"

to the affected load balancer service to point it to the correct path.

Details: https://github.com/Azure/AKS/blob/master/CHANGELOG.md#release-2022-09-11

5.5.6

Release Date: 2023-02-24

New Features

• Added support for overriding built-in backup workflow for Crunchy Data Postgres Operator and K8ssandra. Custom blueprints can now be used by annotating the CRs.
• Added support for Transform Sets.

Bug Fixes

• Fixed an issue where missing or unbound PVC could not be excluded from snapshot.
• Fix distributed policies to properly reference distributed profiles.
• Fixed an issue where by enabling K10 Disaster Recovery with the correct HashiCorp Vault credentials via the UI would fail.

Security Issues

• Upgrade to Go 1.19.6 to mitigate security vulnerabilities.

5.5.5

Release Date: 2023-02-10

New Features

• Added support for providing K10 Disaster Recovery passphrase via secret stored in AWS Secrets Manager.
• Ability to preserve or transform PersistentVolumeClaim annotations on restore.

Bug Fixes

• Fixed CA Cert configmap cleanup issue when backup with multiple applications having Blueprint annotation fails.
• Fixed an issue exporting snapshot references in AWS & Azure to the current region.

Security Issues

• Update K10 services base image to pull in latest security updates.

5.5.4

Release Date: 2023-01-28

New Features

• Running an import policy now pulls in all active restore points from shared storage, not just the latest. If a restore point has been retired according to the export policy retention settings, the import action will clean up the imported restore point in the destination cluster as well.
• Added the repositories API for representing and managing the state of backup data exported by K10.

Security Issues

• Basic users are now restricted from using transforms in RestoreActions.

Upgrade Notes

• Helm settings image.registry and image.repository are being replaced with global.image.registry to set a custom registry. image.tag is being replaced with global.image.tag. image.pullPolicy is being replaced with global.image.pullPolicy.

5.5.3

Release Date: 2023-01-15

New Features

• Upgrade-init pods no longer require root permissions.
• Improved VirtualMachine restore workflow so that manual transforms to VirtualMachines, DataVolumes and PersistentVolumeClaims are no longer required. Any restore points created before this release will still need the transform.

Bug Fixes

• Import Policies outside K10's namespace will be ignored, including Import-and-Restore Policies. This prevents basic users from triggering ImportActions or RestoreActions through Policies in user namespaces.

Security Issues

• It is now possible to prevent basic users from creating ImportActions or RestoreActions. In some multi-tenant environments, these actions should only be available to administrators.
• Update K10 services base image to pull in latest security updates.

5.5.2

Release Date: 2022-12-20

New Features

• New helm flag to exclude applications from the dashboard & compliance considerations.
• Added connect [azure|gcs|pwx|s3|vbr|vsphere] sub-commands to k10tools primer storage command for Day-0/Day-1 checks of storage provider accessibility.
• Added check [awsebs|azure|csi|gcepd|vsphere] sub-commands to k10tools primer storage command for Day-0/Day-1 checks of storage snapshot/restore capabilities.
• Added auth check [oidc|ldap] sub-commands to k10tools primer command for Day-0/Day-1 checks of access to 3rd-party authentication services like AD/LDAP and OIDC.
• Added support for Kubernetes 1.24 and Openshift 4.11.
• Added support for Kubernetes 1.25.
• Added support to include NetworkAttachmentDefinitions referenced by VirtualMachines, while managing them.
• Added support to snapshot/restore the OpenShift Virtualization Virtual Machines that have DataVolumes defined separately i.e., not as part of VirtualMachine resource.

Bug Fixes

• Fixed an issue where Kanister sidecar injection was failing with configmaps "custom-ca-bundle-store" already exists when multiple apps were installed concurrently.
• Fixed K10 upgrade failure when vmWare.taskTimeoutMin helm flag is set.
• Fix Red Hat Marketplace installations to reference the correct Dex image.
• Prevent a transformation negative test from causing restores to fail.
• Fixed an issue where backup of multiple VirtualMachines simultaneously resulted in Blueprint not found error.

Security Issues

• Upgrade to Go 1.19.4 to mitigate security vulnerabilities.
• Update K10 services base image to pull in latest security updates.

Deprecations

• Command k10tools primer storage vsphere-connect is deprecated in favor of k10tools primer storage connect vsphere.
• Command k10tools primer storage pwx-connect is deprecated in favor of k10tools primer storage connect pwx.
• Command k10tools primer storage csi-checker is deprecated in favor of k10tools primer storage check csi.

Other Notes

• Built-in Prometheus now requires Kubernetes API permissions to discover K10 pods. Refer to the documentation for the details.

5.5.1

Release Date: 2022-11-17

Bug Fixes

• Increased the threshold for warning of slow immutable backup scans, and clarified the explanation in the associated warning message.
• Prevented a false-positive warning for immutable backups data integrity checks.
• Fixed export action failures when exporting CSI snapshots with VolumeSnapshotClasscontaining snapshot.storage.kubernetes.io/is-default-class=true annotation.
• Fixed bug where clicking on tabs on the Policies page would switch back to the primary cluster.

Security Issues

• Update K10 services base image to pull in latest security updates.

5.5.0

Release Date: 2022-11-04

Release Summary

With this release, Kasten by Veeam scales the simplicity of operations to bridge the Kubernetes skills gap with powerful capabilities, including autonomous operations and cloud-native expansion.

Kasten K10 adds capabilities for autonomous operations & decisions, that simplify data protection at scale:

• Backup Windows: Kasten K10 will automatically start/stop backup operations based on configured, per policy, off-peak hours.

• Job Staggering: Kasten K10 will not only honor the backup windows but will further automate the sequencing of the underlying backup jobs, thereby optimizing the utilization of the infrastructure resources.

• Policy Presets: Operations teams can define multiple protection policies that specify parameters such as backup frequency and location, which can then be re-used by application teams. This ensures the separation of concerns while scaling operations in a cloud-native environment.

Red Hat OpenShift Virtualization: OpenShift Virtualization enables you to run and manage Virtual Machine (VM) and container workloads side-by-side on Red Hat OpenShift. Kasten K10 now adds support for those VM workloads.

GitOps Pipeline Integration: Defining your application and configuration as code and enabling feature velocity with CI/CD is one of the key benefits provided by GitOps. Kasten K10 can now integrate into GitOps workflows to backup applications right before a new automated release.

IPv6 Support: IP address exhaustion is a here-and-now issue that organizations using IPv4 face. Kasten K10 addresses this issue by operating in IPv6 environments such as Amazon EKS.

VMware Tanzu: Kasten K10 now also supports NFS as a storage target in block mode for these environments.

Azure Managed Identity: Kasten K10 further simplifies security with support for Azure Managed Identities. You can now authenticate with any resource that supports Azure Active Directory authentication.

New Features

• Use an existing passphrase stored inside a Vault instance when enabling a K10 Disaster Recovery profile.
• K10 now supports backup/restore and migration of OpenShift Virtualization Virtual Machines.
• Added support for Policy Presets. Refer to this page for more details.
• Added Presets page to manage Policy Presets on the K10 Dashboard.
• Added support for HashiCorp Vault Kubernetes Authentication method.

Bug Fixes

• Fix a situation where immutable backups blob integrity checks were triggering a false positive.
• Fixed the external link in K10 installation documentation that points to AWS page for creating an IAM Role and Policy for Service Account.
• Fixed issue where users were being routed back to the primary cluster when clicking certain links or buttons inside a secondary cluster.

Security Issues

• Update K10 services base image to pull in latest security updates.

Other Notes

• K10 doesn't use OpenSSL and isn't affected by the recently announced CVE-2022-3602 and CVE-2022-3786 vulnerabilities. Additionally, the version of OpenSSL in the underlying Docker images is 1.1.1, which is also unaffected.

5.0.11

Release Date: 2022-10-21

New Features

• Added support to use Azure File Share as a target for backups and exports via an NFS FileStore location profile.
• Block-mode snapshot exports can now be sent to an NFS File Storage Location.
• Add Garbage Collector to clean up RetireActions, ImportRunActions and expired RestorePointContents.
• Option added to set an expiration time for a manual snapshot.
• Added a Prometheus metric for highest nodes seen per month.
• Added processed volumes progress and data transfer rates to Action Details for exports.

Security Issues

• Upgrade Dex image to mitigate security vulnerabilities.
• Upgrade to Go 1.19.2 to mitigate security vulnerabilities.

Upgrade Notes

• When verifying an LDAP host, the Common Name of the certificate is no longer consulted, a valid Subject Alternate Name (SAN) must be provided instead. Installations using LDAP authentication should check that the LDAP host's certificate has an appropriate SAN for the host.

For more information, see the Common Name Certificates troubleshooting section.

5.0.10

Release Date: 2022-10-06

New Features

• Added support for NFS FileStore location profile for etcd backup and restore of OpenShift Container Platform clusters.
• Added form view for installing the K10 operator on Openshift platform.
• Add support for running K10 in IPv6 clusters on EKS. See EKS IPv6 Support for more details.
• Users without list permissions on profiles can now manually enter the profile name when creating a policy via the UI.
• New helm options to configure concurrent sub-operation limit for each restore action.

Bug Fixes

• Fixed an issue with updating infrastructure profile to include new spec for Azure Managed Identity with default ID feature.
• Improved data upload performance on subsequent runs of export operation.

Known Issues

• For import operation to be successful, the target cluster K10 namespace must match the source cluster namespace.

5.0.9

Release Date: 2022-09-23

New Features

• The kubectl command now displays additional columns for Action objects, including their current Status.
• Added support for Azure Managed Identity, with a specific client ID or with default ID. Refer to Azure Managed Disks page for more details.
• Added support for staggering when a Backup Window is used.
• Added progress indication for actions and policy runs.
• Added a new action status filter on policy run pages that includes the ability to filter on cancelled actions.

Bug Fixes

• Fixed a bug that caused the creation of blueprints from the Blueprints page on the K10 Dashboard to fail without a clear error message.
• Fixed an issue detecting region mismatches when creating an immutability-enabled profile.

Security Issues

• Update Grafana version to 9.1.5 to pull in the latest security updates.
• Update K10 services base image to pull in latest security updates.

5.0.8

Release Date: 2022-09-08

New Features

• Added support for Backup Window in a backup policy.

Bug Fixes

• Fixed an issue where Azure profile creation was failing in the UI.
• Hide the "Run Once" button if the policy was not created in the k10 namespace.
• Paused notifications no longer cover side panels, therefore the delete button of Restore Point Details remains clickable.
• Fixed an issue where the k10.kasten.io/isRunNow label was missing from the BackupActions and ExportActions created when a K10 policy was triggered using the "run once" button on K10 dashboard.

Security Issues

• Update K10 services base image to pull in latest security updates.

Upgrade Notes

• The gateway service has changed from using the upstream emissary image to a custom built emissary image. If you are using K10 in an airgapped environment, consider re-running the steps here to get the latest set of K10 images and then updating your air-gapped repository with any new images.

5.0.7

Release Date: 2022-08-26

Bug Fixes

• Using backup and export with custom export retention settings now allows the user to have 0 retained local backups via the UI.
• Fixes rare issue that could prevent direct upgrade from very old K10 version to K10 versions 5.0.1-5.0.4.

Deprecations

• Removed the option to automatically create buckets during profile creation if they don't exist. Prior creation is now required.

5.0.6

Release Date: 2022-08-16

Bug Fixes

• Fix "Unexpectedly empty PVC name" error when restoring backups without PVCs.

5.0.5

Release Date: 2022-08-11

New Features

• Warning when adding a Veeam Backup & Replication location profile with a server different from the already saved
• Upload end time is now displayed in restore point content details via the API.

Bug Fixes

• Restoration from an immutable backup will use a point-in-time slightly later than the recorded upload end time for each PVC data upload to help compensate for clock skew.
• Fixed a bug that caused Grafana alerts creation to fail due to the DataSource authorization issue.
• Fixed an issue where in certain rare cases K10 would throw a false positive alert for tampering with an immutable backups repository.
• Fixed an issue where backups would fail with a "Storage Class referenced by PVC not found" error when a PVC associated with the application was excluded using filters and when the PVC's storage class did not exist in the cluster.

Security Issues

• Update K10 services base image to pull in latest security updates.
• Update Emissary Ingress to 3.1.0 to include latest security updates.

Upgrade Notes

• Updated K10's Grafana sub chart to version 6.32.9.

5.0.4

Release Date: 2022-07-29

New Features

• Added ability to set up IPv6 listener for frontend service. It is usable if cluster was configured in IPv6-only mode.
• Added support for Kubernetes 1.23.
• Added support for OpenShift 4.10.
• Added new regions for profiles such as AWS Jakarta and GCP Milan.
• Added keyboard navigation and a Back button to the Guided Tour.
• The use of a Veeam Backup Repository in a vSphere with Tanzu guest cluster is now supported. See vSphere for details.

Bug Fixes

• Fixed an issue where V2 Kanister Blueprints were failing on non-workload subjects.
• Fixed an issue where snapshot jobs fail due to lack of AWS credentials even though they are provided in an infrastructure profile.
• Longhorn CSI storage classes are now identified as CSI.
• Fixed an issue where GCP buckets were created in the wrong location if not pre-created before profile creation.
• Fixes a visual bug where four or more exported restore points displays improperly and not in a stack.

5.0.3

Release Date: 2022-07-15

New Features

• Added ability to manage service account for pods running during k10tools primer GVS operations. Refer to this page for more details.

Bug Fixes

• Added ambassador_id in all ambassador resources created by K10. This will ensure that the K10's ambassador will not conflict with other ambassador instances running on the same cluster.
• Fixed an issue where the backup data stats were being gathered twice as often as needed.
• Fixed an issue with failing restore of resources with a long persistent volume claim name
• Omit Aggregated API watch termination message from logs.
• Fixed an issue where PVCs were restored without their annotations.
• The number of pods that can run simultaneously to gather backup data stats has been reduced.

Security Issues

• Upgrade to Go 1.17.12 to include the latest security patches.

5.0.2

Release Date: 2022-06-30

New Features

• Using an immutable-backups-enabled location profile with the generic volume snapshot or shareable volumes workflow will warn the user that immutability guarantees are unsupported, but will otherwise backup and restore as a standard (non-immutable) location profile.
• Added the ability to create an Azure infrastructure profile for specifying Azure credentials.

Bug Fixes

• Fixed an error preventing the restoration of backups created via the generic volume snapshot workflow with an immutable backups enabled location profile.
• Added owner reference to the secret of automatically created infrastructure profile.

Security Issues

• Update K10 services base image to pull in latest security updates.
• Update Emissary Ingress (Ambassador) to 3.0.0 to include latest security updates.

5.0.1

Release Date: 2022-06-18

New Features

• Added optional storageclass (-s) parameter to the k10tools Generic Volume Snapshot Capabilities Check command.
• Added manual validation of storage classes to the dashboard (Settings -> Support) for admin users. This is the same validation performed by k10tools.

Bug Fixes

• Fixed a regression backing up applications with multiple non-workload PVCs. Issue introduced in version 4.5.13.
• Fixed issue retiring snapshot+export policy runs that select no applications and do not trigger export.

Security Issues

• Update K10 services base image to pull in latest security updates.

Known Issues

• The generic storage and shareable volume backup and restore workflows are not compatible with immutable backups location profiles; their use together is not supported.

Upgrade Notes

• NOTE: K10 5.0.1 is not compatible with Kubernetes v1.24.0. The following instructions are applicable for future releases of K10.

With the release of Kubernetes v1.24.0, client.authentication.k8s.io/v1alpha1 has been deprecated. Amazon EKS users with older clusters will be required to perform the following operations before upgrading K10.

1. Upgrade aws-cli to the latest version.

2. Run the aws eks update-kubeconfig --name ${EKS_CLUSTER_NAME} [FLAGS] command to update the Kubernetes configuration. For more information on the command, see https://awscli.amazonaws.com/v2/documentation/api/latest/reference/eks/update-kubeconfig.html.

If you have questions or need support, see Support and Troubleshooting.

5.0.0

Release Date: 2022-06-06

Release Summary

With this latest release of Kasten K10, we focused on security enhancements, improved operational capabilities, and expanded ecosystem support.

Security features include KMS integration with AWS KMS and HashiCorp Vault, a Kubernetes-native RBAC objects UI, ransomware attack detection with AWS S3 or S3-compatible storage supporting S3 Object Lock, data protection policy guardrails, and support for Veeam-hardened Linux repositories with immutability that offers comprehensive ransomware protection.

To better support left-shifting data protection operations, we added fully integrated add-ons for newly launched Amazon EKS Blueprints, Level III certified Red Hat OpenShift Operator with full lifecycle capabilities, new built-in Kanister Blueprints for MS SQL and Crunchy Data Postgres Operator, and simplified UX for operations with the new Kanister Blueprint editor for a more intuitive and streamlined workflow, and a new report mechanism for critical metrics.

We continued enhancing ecosystem support and added support for Red Hat and SUSE Rancher Marketplaces. We also added support for VMWare vSphere with Tanzu and Falco.

New Features

• Added Blueprints page to manage Kanister Blueprints on the K10 Dashboard. Refer to this page for more details.
• Support for block mode exports to an Object Storage Location is now available in vSphere environments.
• Added support for external Prometheus to scrape K10 metrics. For more information, see Integrating External Prometheus with Veeam Kasten.
• Added support for Crunchy Data Postgres Operator backup and restore with K10. Refer to this page for more details.
• Users will now get alerts on K10 Dashboard when policy validation fails.
• vSphere with Tanzu guest clusters are now supported. Access to vCenter is required from the guest cluster and the additional Cns.Searchable privilege is required for the account used to connect to vCenter. Available functionality is described in the vSphere storage integration section.

The Velero vSphere Operator is used to enable changed block tracking in vSphere with Tanzu guest clusters, as explained in the K10 knowledge base article Enable changed block tracking in vSphere with Tanzu guest clusters. Please ensure that the operator version used is compatible with the Kubernetes version of the supervisor.

Support for block mode exports to a Veeam Backup Repository Location with vSphere with Tanzu guest clusters is currently experimental and not enabled by default.

Bug Fixes

• Fix for the regression of the PVC transform feature.
• Fixed bug where a policy's export setting could be updated to an incompatible profile.
• Fixed issue with excluding non-workload PVCs by label.

Security Issues

• Upgrade to Go 1.17.10 to include the latest security patches.

Upgrade Notes

• The K10 config-svc has been updated and renamed to controllermanager-svc.
• Upgrade bundled Prometheus from version 2.26.0 to 2.34.0.

Other Notes

• Beginning with this version, the free Starter edition of K10 is restricted to 5 nodes or fewer.

4.5.15

Release Date: 2022-05-13

New Features

• Increased the timeout for K10 DR backup operation to 60 minutes.
• The K10 Operator now supports K10 Disaster Recovery.
• Limited access users can now view their namespaces' RBAC objects in the dashboard.

Bug Fixes

• Fixes issue where run actions fail and automatic retirement ceases for a policy with selective export and independent export retention schedule.

Security Issues

• Update Grafana version to 8.5.0 to pull in the latest security updates.
• Update K10 services base image to pull in latest security updates.

4.5.14

Release Date: 2022-04-22

New Features

• Added manual validation to policies.

Bug Fixes

• Fixed an issue that caused UI to timeout while loading actions for non-admin users.
• The K10 DR restore process now has a more robust timeout handling mechanism.
• Ensured the Operator deployed K10 instance uses the Red Hat registry version of kanister-tools image.
• Fixed an issue that prevented the backup of custom resources named "services".
• Fixed issue where cluster ID and system info were not displaying properly after switching clusters inside a multicluster dashboard.

Upgrade Notes

• The repository and image name of the ingress gateway used by K10 changed in v4.5.12. Upgrades from versions prior to v4.5.12 will need to explicitly reset the ambassadorImage helm value. See this knowledge base article for more information.

Other Notes

• Updated documentation to include offline OpenShift K10 operator installation instructions.
• The Export snapshot data to VBR repository label in the backup policy dialog has changed to Export snapshot data in block mode.

4.5.13

Release Date: 2022-04-08

New Features

• Infrastructure profile for AWS is now supported. Refer to AWS storage page for more details.
• Added manual validation to Location & Infrastructure profiles.
• Added the ability to manage (create, edit) Blueprints on the dashboard.

Bug Fixes

• Fixed an issue where K10 DR restore failed when K10 was installed on a non-default namespace.

Security Issues

• Update K10 services base image to pull in latest security updates.

Deprecations

• Restore and retirement operations for exported restore points and Generic Volume Snapshots created in K10 releases older than 2.5.1 have been deprecated. If you have questions or need support, see Support and Troubleshooting.
• Starting with the next major release of K10, the number of free nodes will be reduced from 10 to 5. If you believe you will be affected by this change, please reach out to your Kasten Sales Representative.

4.5.12

Release Date: 2022-03-24

New Features

• Support added for Azure government object store locations.
• Introducing a Role Based Access Control (RBAC) dashboard for customizing access to K10's dashboard and APIs.
• Added the ability to limit the number of reports retained.

Security Issues

• Update K10 services base image to pull in latest security updates.

Other Notes

• Upgraded Ambassador from 1.14 to 2.2.2.

4.5.11

Release Date: 2022-03-14

New Features

• Compliance and snapshot/export storage size metric names updated and added to Grafana. See the Monitoring documentation for more details.
• Add volume snapshot size information to RestorePoint.
• Added a filter option to filter restore points that were created manually.

Bug Fixes

• Fixed an issue where the restore application phase attempted recreation of an existing namespace.
• Added a display for "System Policies" to the dashboard.

Security Issues

• Update Ambassador to 1.14.3 to include latest security updates.

Other Notes

• Improved node count calculation for license enforcement.

4.5.10

Release Date: 2022-02-28

Bug Fixes

• Fixed bug where Passkey names were not honored while storing in catalog.
• Fixed an issue introduced in K10 release 4.5.9 due to which import policies were importing old restore points instead of latest restore point.
• Fixed a message on policy run actions such that "All successfully completed" should not be displayed if some actions were cancelled.

Security Issues

• Upgrade to Go 1.17.7 to mitigate CVE-2022-23772 and CVE-2022-23806.

4.5.9

Release Date: 2022-02-11

New Features

• Upgraded Fluent-bit version in logging service from 0.14.8 to 1.18.11
• Issues with protecting and monitoring immutable backups are now shown in Alert Messages panel on the dashboard.
• Introduced a new helm flag ingress.pathType to set path type for ingress resources. Defaults to ImplementationSpecific.
• Added support for installing K10 enterprise editions via Red Hat Marketplace

Bug Fixes

• Fixed an issue that caused exports of cluster-scoped resources to fail.
• Fixed an issue where exports were failing for policies deleted and recreated with the same name. The issue was introduced in K10 release 4.5.2. After upgrading source and destination clusters to 4.5.9, to apply this fix, the export policy must be deleted and recreated while the import policy must be updated with the newly generated import details.
• Fixed bug where a policy that uses Kanister hooks for backup was not displaying the hooks on the form when editing the policy.
• Fixed a bug where the EULA acceptance form would not display when there is no connection to the outside internet.

Security Issues

• Fix CVE-2021-23017 discovered in the previous nginx versions.
• Update K10 services base image to pull in latest security updates.

Upgrade Notes

• Upgrade frontend nginx server to the 1.20 series.

4.5.8

Release Date: 2022-01-29

New Features

• Added an events service for processing background events in K10.
• Infrastructure profile for GCP is now supported. Refer to Google Cloud Platform page for more details.
• Added highest nodes seen per month to Settings -> Licenses. Last two months only.
• Added support for OpenShift 4.9.

Bug Fixes

• Fixed an issue with failed jobs being displayed as running in certain conditions.
• Fixed an issue that could potentially log sensitive information when KubeTask function is used in Kanister Blueprints.
• The "Grant Permissions" button on the multi-cluster dashboard was not pre-populating the form correctly and has been fixed.

Other Notes

• Add resourceVersion to Action resources.

4.5.7

Release Date: 2022-01-14

New Features

• Enable cleanup of orphaned snapshots for Ceph.
• Added an option to download troubleshooting logs from K10 dashboard.
• Enable cleanup of orphaned snapshots for vSphere.
• Cancelling parent RunAction jobs now cancels the child jobs.
• Added support for Kubernetes 1.22.
• New k10tool command to list FCD snapshots taken by K10.
• Add ability to download PDFs of reports in the Dashboard.

Bug Fixes

• Allow use of k10tools primer upgrade in previous releases.
• Fixed an issue that caused the first export of a backup with multiple volumes to fail.
• Improved the error message when attempting to create a policy or profile with an existing name.
• Fixed a bug where restoring of some cluster-scoped resources was not working in the dashboard.

Security Issues

• Update K10 services base image to pull in latest security updates.

4.5.6

Release Date: 2021-12-17

New Features

• Added the ability to tag vSphere snapshots.
• Allow Prometheus and Grafana to be disabled separately.
• Overall action metrics are now emitted in addition to the specific action metrics.
• Added the ability to view the details on a policy run action.
• Added the ability to create a custom schedule for report generation.
• Tagging of vSphere snapshots can now be enabled.
• Add the ability to view the recommended Helm based K10 upgrade steps to k10tools and dashboard.
• Added support for HashiCorp Vault Transit Secret Engine to protect K10 encryption key.
• Veeam Backup support. This release supports the export of vSphere CSI provisioned volume snapshot data to a Veeam Backup Repository when using a supported vSphere cluster. Immutable Veeam repositories are not supported at this time. The feature requires Veeam Backup 11a CP3 (build number 11.0.1.1261 P20211211) or greater.

Bug Fixes

• Fixed an issue due to which the unmounted PVCs were not being listed on the Application Details page.
• Fixed an issue that caused application scoped policies to fail validation when using NFS FileStore location profile.
• Fixed an issue that caused snapshots to fail for workloads having both Generic Volume Snapshot and Kanister Blueprint annotations.
• Fixed issue with labels on export actions when multiple policies select same application.
• Fixed an issue that caused imports to fail when using Google Cloud Storage location profiles.

Security Issues

• Update Grafana version to pull in fix for CVE-2021-43798.

Known Issues

• Release 4.5.5 requires global.imagePullSecret to be set to k10-ecr when either secrets.dockerConfig or secrets.dockerConfigPath is set. Customers upgrading from a previous version will need to set this if using docker repository credentials.

Upgrade Notes

• Upgraded Ambassador from 1.9.1 to version 1.13.8 when using certified Red Hat images with Helm.
• Overall action metrics are now used in dashboards and reports. As such, action data from before the upgrade may not be shown.

Deprecations

• Deprecate the use of grafana.image.pullSecrets and prometheus.imagePullSecrets in favor of global.imagePullSecret.

4.5.5

Release Date: 2021-12-03

New Features

• Added support for installation via AWS marketplace for containers anywhere.
• Added a new global helm value global.imagePullSecret. Specify a secret name using this helm value if a custom docker config is provided for a private repository using global.dockerConfig or global.dockerConfigPath.
• New report fields results.general.infraType, results.general.authType, results.general.k10namespace, results.general.aws.
• Added on demand frequency option to policies API and dashboard.

Bug Fixes

• RunActions generated by application scoped policies can now be seen on the dashboard.
• Fixed issue where form data was not populating correctly when editing an Import policy.
• Kubeconfig file input now accepts file types with no extension by default and is clickable.
• Fixed an issue that caused Generic Volume Snapshots of unmounted PVCs to fail when they are created using CSI provisioners.

4.5.4

Release Date: 2021-11-23

Bug Fixes

• Fixed a regression introduced in version 4.5.3, which impacted volume snapshots in VMware clusters.

4.5.3

Release Date: 2021-11-19

New Features

• Introduced a new helm flag services.aggregatedapis.hostNetwork that can be used to enable hostNetwork for aggregatedapis service pod.
• Re-import of RestorePoint now supported after deleting RestorePointContent

Bug Fixes

• EFS volumes that were left behind during export are cleaned up.
• Option to skip certificate verification now also applies to Immutable Backups bucket validation during profile creation.
• Fixed a bug on the policy form where export retention values are not reset correctly.
• Enable Reports switch value is now correct after page refresh.
• Fixed a bug where a paused policy is unintentionally resumed after editing.

Known Issues

• The first time a backup with multiple volume snapshots is exported to an export location, data in the location may be inconsistent in a way that renders that location unusable. ExportActions to this repository will fail. As a temporary workaround, delete the contents of the export location for that application. Rerun the ExportAction, but select only a single volume. Future ExportActions will now work for this policy, even with multiple volume snapshots selected.

4.5.2

Release Date: 2021-11-09

New Features

• A success message has been added to the Actions card to indicate that all phases have completed successfully.

Bug Fixes

• Fix service disk usage reporting for some environments.
• Fixed an error related to the image of the init container in the Grafana deployment during installation of K10 using the OpenShift operator.
• Fixed a permission error seen during the startup of the init container in Grafana's deployment during installation of K10 using the OpenShift operator.
• K10's grafana deployment now honors the global.persistence.enabled , global.peristence.storageClass and global.persistence.accessMode helm values.
• Fixed an issue that caused exports to NFS FileStore location to fail when K10 is installed as an OpenShift Operator.
• Fixed an issue that caused restore of unmounted PVCs from exported/imported restore points to fail when using an NFS FileStore location profile.
• Remove creation of the k10-k10 SecurityContextConstraint in OpenShift environments to workaround https://access.redhat.com/solutions/4727461

Security Issues

• Update K10 services base image to pull in latest security updates.

Upgrade Notes

• The helm values grafana.persistence.size , grafana.persistence.accessModes and grafana.persistence.storageClassName have been deprecated. The helm values for configuring any stateful service's PVCs (including Grafana) are global.persistence.enabled, global.persistence.size, global.persistence.accessMode and global.persistence.storageClass. To ensure that the Grafana PVC is not recreated during an upgrade, the global.persistence helm values must match the deprecated helm values.

Other Notes

• Updated AWS EFS permissions in the docs to better reflect K10's requirements.

4.5.1

Release Date: 2021-10-25

Bug Fixes

• Correct the secrets mount path to be /var/run/secrets.
• Conflict when another Grafana installation is already present in the cluster.

4.5.0

Release Date: 2021-10-24

Release Summary

With this latest release of Kasten K10, we focused on delivering an improved out-of-the-box experience, expanding edge capabilities, and broadening ecosystem support for data services and partner technologies. These innovations will help organizations protect and optimize their Kubernetes investments.

On the improved out-of-the-box experience front, we added built-in support for monitoring and alerting to help our customers quickly identify issues in their Kasten K10 deployments, get notified of those issues, and fix them as quickly as possible. We also added reporting capabilities that lets you access reports through our GUI and through native Kubernetes tooling such as kubectl or the Kubernetes API.

Many of our customers have expressed interest in deploying Kubernetes at the edge of their environment and asked us to help support them in their journey. We’re happy to announce that Kasten K10 now support K3s as well as EKS-Anywhere.

New Features

• Introducing integration with Grafana. A new dashboard in Grafana lets users monitor K10 actions, policy runs and storage consumption. Alerts can be created using Grafana's dashboard based on K10 metrics. See the Monitoring documentation for more details.
• The immutable backups feature is now available by default.
• Added support for K8ssandra backup and restore with K10. Refer to this page for more details.
• The dashboard now supports adding blueprints to application workloads.
• Introducing scheduled reports on the dashboard. See the Usage & Reports page to enable report generation.

Bug Fixes

• Fixed an issue where K10 air-gapped DR restore was failing as kanister-tools image defaulted to github container registry.
• Avoid spurious errors by creating cluster secrets before clusters.
• Fixed issue of K10 service disk usage metrics with incorrect units.
• Allow manual cluster removal when automatic disconnection is not possible.
• Fixed a bug on multi-cluster dashboard where the number of actions could be negative after removing a cluster.
• The Policy Form now correctly refreshes data when switching between Snapshot and Import Actions.
• Fixed a bug where K10 upgrade checks was displaying error messages on air-gap systems.

Upgrade Notes

• If Prometheus was previously disabled with prometheus.server.enabled = false, the grafana.enabled value must be updated to match.

4.0.13

Release Date: 2021-09-27

New Features

• Added support for AWS KMS to protect K10 encryption key.
• Memory and CPU resources for Generic Volume Copy pods used for exporting snapshots can now be configured using helm options. Refer to this page for more details.
• Added a new helm option kanister.podReadyWaitTimeout to configure timeout to wait for Kanister pods to reach the ready state during K10 operations.
• Dynamic EFS snapshots are now supported via the shareable volume snapshot mechanism.
• Simplified RDS PostgreSQL integration with K10. Refer to this page for more details.
• The dashboard now has an Alert Messages panel for centrally displaying helpful warnings.

Bug Fixes

• Fixed issue where blueprint backup annotation was being ignored.
• Fixed an issue where unsupported PVCs caused an error; even though they were excluded through filters.
• Fix accessing secondary clusters when the primary cluster is using basic authentication.
• Fixed an issue where an inadvertent schema change in the catalog caused a requested index not found error after upgrading to 4.0.11.
• Fixed an issue that caused restores to fail on workloads annotated with older Kanister blueprints when deployed with workloads annotated with V2 Kanister blueprints in the same namespace.
• Fixed issue with restoring pods that contained affinities.
• Fixed a bug where global policies showed empty import migration string option.

Security Issues

• Update K10 services base image to pull in latest security updates.

Upgrade Notes

• This release will perform a catalog schema upgrade. The catalog service's PVC size may have to be increased to ensure a successful upgrade.

Other Notes

• Update Ambassador to 1.14.1

4.0.12

Release Date: 2021-09-11

New Features

• Emit metrics to indicate when an action has started, ended, and been skipped.
• Added support for K10 DR Restore in air-gapped installation mode.
• The Application Details panel now displays custom resources.
• The dashboard now supports resource filters for import and restore policies.
• The dashboard now supports pre/post kanister-execution hooks for manual exports of restore points.

Known Issues

• After running the k10multicluster disconnect command to remove a cluster, it might continue to be listed on K10's multi-cluster dashboard. This happens only if the cluster was added to K10 in a release older than 4.0.10. The workaround for removing the cluster would be to remove the finalizer dist.kio.kasten.io/manual-debootstrap from the cluster's spec using kubectl edit cluster <cluster name> --namespace=kasten-io-mc.

Other Notes

• Update documentation to indicate Kubernetes 1.20 and 1.21 are supported.

4.0.11

Release Date: 2021-08-27

Bug Fixes

• Fixed an issue where profile validation would fail with the error The requested DurationSeconds exceeds the MaxSessionDuration set for this role. K10's config service now uses the helm value awsConfig.assumeRoleDuration to avoid this error.
• Automatically remove Prometheus scrape configs when a cluster is deleted.
• Fix the Prometheus server to automatically reload its configuration when changed.
• Fixes issue where 500 errors appear on Dashboard for non-admin users.
• Fixed a bug in the dashboard policy form where an edited form was not retaining the setting for exporting snapshot references only.

Known Issues

• If K10 has been deployed using an AWS IAM role and if this error is seen in K10's logs The requested DurationSeconds exceeds the MaxSessionDuration set for this role, then this can be fixed by either setting the K10 helm value awsConfig.assumeRoleDuration to a value that is less than or equal to the maximum session duration for the IAM role or by increasing the maximum session duration. For documentation about how to view and edit the maximum session duration for an IAM role see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session.

4.0.10

Release Date: 2021-08-13

New Features

• K10 now supports pre-action Kanister hooks and pre/post action hooks are now supported on backup actions.
• When clusters are deleted, resources created during bootstrapping are automatically cleaned up.
• Secondary clusters in a multi-cluster setup now support all authentication methods.
• A new helm value awsConfig.assumeRoleDuration can be used to configure the duration of a session token generated by AWS for an IAM role. The minimum value is 15 minutes and the maximum value is the maximum duration setting for that IAM role. For documentation about how to view and edit the maximum session duration for an IAM role see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session.
• The Dashboard now supports disconnecting secondary clusters from a multi-cluster system.
• Actions related to Policy Runs are now grouped. Policy Runs now have a dedicated page where you can view policy run details and actions.

Bug Fixes

• Use service account token for cluster connection when bootstrapping through the API or UI.
• Made Generic Volume Snapshot deletion idempotent to avoid failures stating that the snapshot was not found.
• Fixed bug where a policy that targets both cluster-scoped resources and applications by label was creating an invalid policy spec.
• Fixed a Dashboard bug that was incorrectly showing resource filter options when editing import policies.

Security Issues

• Update K10 services base image to pull in latest security updates.

Upgrade Notes

• CRD APIs are updated from v1beta1 to v1, that are available since Kubernetes version v1.16.

4.0.9

Release Date: 2021-08-02

New Features

• Added a new sub-command openshift prepare-install to the k10tools command. It generates the helm installation command for installing K10 in an OpenShift cluster. Refer to the K10 Tools Page for more details.
• Renamed the remove command in k10multicluster to disconnect.
• On the Dashboard, a manual restore now presents the option to specify an alternate location profile for restoring an external restore point.
• Improved display of Kanister-related workloads on the Dashboard application details panel.
• The policy form on the Dashboard now shows other non-matching profiles in addition to the profile options that are compatible with the given migration string.

Bug Fixes

• Support vSphere xfs exports and restores.
• Label filtering has increased the number of navigable actions in the dashboard.

Security Issues

• Update K10 services base image to pull in latest security updates.

Other Notes

• Performance improvement to dashboard though use of label indexes.

4.0.8

Release Date: 2021-07-20

Bug Fixes

• Update govmomi version to support error checking.

4.0.7

Release Date: 2021-07-19

New Features

• Validate secondary cluster connections while bootstrapping with the k10multicluster tool.
• Preserve source volume tags for provider snapshots.
• Support CSI cross-region migration for AWS, Azure and Google cloud service providers.
• The Dashboard now supports the advanced export option for specifying an azure resource group when copying volume snapshots.

Bug Fixes

• Fix the overall status condition for Bootstrap objects to not indicate failure prematurely.
• Fix to support snapshot exports of xfs formatted vSphere volumes.
• Multi-cluster global policy form now displays selector labels from all clusters and not just the primary cluster.
• Fixed bug where policy shows error for missing profile after creating a profile in the policy form.
• Added a message to global policies and profiles to clarify that they won't be validated until after they are distributed to clusters.

Deprecations

• The type sub-field has been deprecated from Kanister blueprint actions.
• Removed support for Kubernetes 1.15.

4.0.6

Release Date: 2021-07-02

New Features

• Application and action state summary added to RunAction details.
• Added Helm options to override Kanister operation timeouts.
• Added new Azure regions for Germany, Australia, China, Norway, S Africa, Switzerland, and UAE.

Bug Fixes

• Fixed an issue where custom URL path set by ingress.urlPath or route.path was not working with authentication methods except basic authentication.
• Fixed an issue that caused backups to fail on workloads annotated with older Kanister blueprints when deployed with workloads annotated with V2 Kanister blueprints in the same namespace.
• Fixed an issue that would cause long running Generic Volume Snapshot backups to timeout after 4 hours due to the default Kubernetes streaming connection idle timeout.
• Fixed an issue where import jobs on a destination cluster would fail with the error chacha20poly1305: message authentication failed if the source cluster had an existing export policy and was upgraded from a pre-3.0.9 to a newer release. After upgrading source and destination clusters to 4.0.6 to apply this fix, the import policy will need to be updated. Refer to https://kb.kasten.io/knowledge for instructions.
• Fixed an issue related to accessing K10's instance of prometheus when ingress.urlPath or route.path is used. The K10 helm values for prometheus will have to be updated if one of these helm values is used. Refer to the documentation for accessing K10's dashboard using ingress here and OpenShift routes here.
• Fixed a bug in the Dashboard where the letter F could not be entered into the search field of the YAML editor dialog.
• An improved fix for a bug where editing a policy with sub-frequency options resets the frequency settings.

Security Issues

• Fix proxy requests to secondary clusters to be restricted to the secondary cluster.
• Update K10 services base image to pull in latest security updates.

Other Notes

• Update Ambassador to 1.13.8.

4.0.5

Release Date: 2021-06-19

New Features

• Introduced a new helm flag cluster.domainName to set custom cluster domain name in an environment where the domain name is not cluster.local.
• Transform paths now accept escape characters to support objects with keys that contain /. Current transform paths that contain ~ characters may need modification. See transforms documentation, "Paths" section, for details.
• Label index added. Searches using label filters on k10.kasten.io labels will be faster.
• Kanister artifacts created by backup of an application annotated with V2 Kanister blueprint will now include snapshot size information.

Bug Fixes

• Fixed an issue where K10 Disaster Recovery restore was failing if K10 was installed with custom CA certificate.
• Fixed an issue where backup data stats for K10 DR backup were not getting updated on the data usage page.
• Fixed an issue that could duplicate storage class artifact in RestorePoint and cause ExportAction to fail.

Security Issues

• Update Go to pull in latest security fixes.
• Update K10 services base image to pull in latest security updates.

Upgrade Notes

• This release will perform a catalog schema upgrade to add label indexes that support label filtering.

Other Notes

• Kanister release 0.60.0 introduced some breaking changes to V2 blueprints that use kando to write and read data. Note that we removed the gzip command from the bash command since the stream is deduplicated/compressed during processing. Similarly, the corresponding gunzip command has been removed from the restore action. Due to this, the backups performed using V2 blueprints from Kanister releases 0.58.0 and 0.59.0 can no longer be restored using the newer blueprint. To restore such backups after upgrading to the latest blueprint, delete the blueprint before triggering the restore.

4.0.4

Release Date: 2021-06-08

New Features

• Added policy detail to RunAction resource. Added counts of action status to RunAction details sub-resource.

Bug Fixes

• Made blueprint creation idempotent to avoid failure stating that it already exists.
• Fixes issue with policies that export cluster-scoped resources. The issue was introduced in K10 release 4.0.2.
• Fixed an issue where the dashboard service would CrashLoopBackoff periodically if K10 was configured with a FileStore profile.
• Fixed an issue where custom CA certificate ConfigMap was getting deleted after the backup.
• Fixed an issue where Generic Volume Snapshot into an NFS FileStore location would fail if triggered on a workload with no PVCs.
• Fixed issue with application scoped policies where migration token would unexpectedly get deleted.
• Fixed Multi-Cluster issue where users without any bindings were able to view clusters as admins.
• Fixed an issue that caused Generic Volume Snapshot and K10 Disaster Recovery operations to timeout when using NFS FileStore location profile.
• The dashboard no longer displays error message banners after logout.
• Fixed a problem where appended white space in filter fields was not being trimmed.

Security Issues

• Update Ambassador to 1.13.6 to include latest security updates.
• Update K10 services base image to pull in latest security updates.

Known Issues

• An issue has been identified with policies that export cluster-scoped resources. The issue results in failure to export migration metadata and may prevent export of some or all applications selected by the policy. One workaround is to disable "Snapshot Cluster-Scoped Resources" in such policies and to perform a manual snapshot and export of cluster-scoped resources. This issue was introduced in K10 release 4.0.2.

4.0.3

Release Date: 2021-05-24

New Features

• Add arm64 support (including Apple Silicon) for k10multicluster and k10tools.
• Added support for immutable backups when exporting to a locked object store bucket.
• Support for NFS FileStore profiles is now out of preview mode and available for production use.
• Kanister-enabled applications can now be configured to use NFS FileStore profiles. Refer to this section for more details.

Bug Fixes

• Readiness probe for the config service reporting ready before CRDs have been registered.
• Fixed an issue with retirement of K10 Disaster Recovery restore points when using an NFS FileStore profile.
• Fixes issue with policy-driven retirement of exported backups for policies that select multiple applications. Issue was introduced in K10 release 4.0.2.
• Fixed an issue with filters during backup that lead to volume binding problems during restore.

Security Issues

• Upgrade golang.org/x/net prevent denial of service (CVE-2021-33194).

4.0.2

Release Date: 2021-05-08

New Features

• added detail sub-resource to run actions
• Kafka topic backup and restore using Adobe Kafka Connect S3 is now supported.
• Policies that protect multiple applications by creating and exporting snapshots as backups now create a separate ExportAction for each application. When each BackupAction completes an ExportAction for the application is started. BackupActions and ExportActions for different applications protected by the same policy may now run concurrently.

A successful ExportAction creates an exported RestorePoint and exports snapshot data if that option is set in the policy. If a BackupAction fails or is skipped, the ExportAction for that application is skipped with a corresponding reason.

Once all BackupActions and ExportActions complete, all successful ExportActions are pushed to the migration location together.

• Pre-flight checks are able to distinguish unsupported vSphere TKGS clusters.

Bug Fixes

• When editing a K10 disaster recovery policy, the policy form is limited to supported features.
• Fixed a bug where editing policies with sub-hourly frequencies did not preserve sub-hourly frequency settings.
• Fixed a bug where the dropdown on resource filter dialog sometimes would not register the click.
• The Dashboard now correctly displays multiple exported restore points for the same application and scheduled time.

Security Issues

• Update K10 services base image to pull in latest security updates.

Other Notes

• Add Kubernetes 1.19 to the list of supported versions.

4.0.1

Release Date: 2021-04-27

Release Summary

With this latest release of Kasten K10, we have taken our focus on security and application protection to the next level to introduce a Kubernetes-native ransomware protection solution. This solution leverages immutable object storage backups, which will enable in a future release the ability to specify the retention period for backups. The retention setting ensures that the backed-up content cannot be altered during that time period. Automation via policies combines not only the actions you want to take (e.g., snapshots) but also the retention period for object immutability.

We have continued to make advancements to our multi-cluster operation so that operations can work at the speed of DevOps with secure self-service portals. Authorized users can now manage their own clusters, create backup policies for their own application namespaces and add secondary clusters directly through the multi-cluster manager for easy scalability.

Lastly, we also added support for NFS for migration and as a backup target in addition to object storage options.

Bug Fixes

• Fixed an issue where K10 Disaster Recovery restore failed when using NFS FileStore profiles with custom path prefix.
• Fixed an issue where in some cases CSI snapshots were failing due to invalid labels.

3.0.13

Release Date: 2021-04-17

New Features

• Filter objects by label when performing restores while using the API.
• Added support to identify error events associated with an OpenShift service account while debugging OpenShift authentication using the k10tools command. Refer to the K10 Tools Page for more details.

Bug Fixes

• Fixed an issue that caused prometheus deployment to be created even if prometheus.enabled option is set to false.
• Fixes issue with retirement of restore points created by policies that select multiple applications and perform selective export.

Security Issues

• Update Ambassador version to pull in security fixes in Envoy 1.15.4

3.0.12

Release Date: 2021-04-09

New Features

• Secondary clusters can now be added directly through the multi-cluster manager using a portable kubeconfig.
• Introduced helm flag gateway.insecureDisableSSLVerify that can be used to disable ssl verification for gateway pod.
• Added a command to k10multicluster that generates portable Kubernetes configs.
• The Dashboard now links to related documentation.
• Users who are granted permissions with a k10 cluster role binding now are able to browse into secondary clusters on the Dashboard using those permissions.

Bug Fixes

• Improve error message with more detail when jobs fail due to "Unique index violated".
• Fixed an issue that caused backup of AWS RDS Aurora DB cluster to fail.
• Ignore kanister pods during backup.
• When editing a cluster role binding that targets all clusters, the form is now correctly populated.

3.0.11

Release Date: 2021-03-26

New Features

• Place grouped PVCs on the same node during Generic Volume Snapshot restores.
• Enable cleanup of orphaned snapshots for Azure disk.
• Added a new command to k10tools - k10tools debug ca-certificate to validate CA certificate installation in K10. Refer to the K10 Tools Page for more details.
• Enable cleanup of orphaned snapshots for Cinder.
• On restores, generic volumes are placed in the zones specified by the pod affinity.
• Added support for Generic Volume Snapshots of unmounted PVCs. Refer to this section for more details.
• Custom labels and annotations can be configured for Kanister pods launched during K10 operations. Refer to Configuring custom labels and annotations for more details.
• Added a new debugger for debugging K10's OpenShift authentication mode. Refer to the K10 Tools Page for more details.
• Scheduled policy runs will be paused when free disk space on K10 stateful services goes below 25% to avoid abrupt failures.
• Preserve volume modes on restore.
• K10 Rate Limiter controls number of concurrent operations across policies and actions. K10 Helm options allow configuration of limits for snapshot creation operations and generic storage backup operations.
• Added a "create a policy" button for one-click policy creation of cluster-scoped resources.
• Sometimes it necessary to create multiple artifact transforms that are just slightly different from one another, so we've added a duplicate button to the transform for easy copy and paste.

Bug Fixes

• The search input field on the code editor window now correctly focuses the cursor.
• Fixes an issue where the gateway service would not start if an IngressClass resource was present in the cluster.

Known Issues

• Fixed a bug the transform form would get stuck in edit mode and not allow the creation of new transforms.

3.0.10

Release Date: 2021-03-12

New Features

• Introducing the ability to create application-scoped policies by non administrative users. Refer to this page for more details.
• Enable cleanup of orphaned snapshots for AWS EBS and EFS.
• Enable cleanup of orphaned snapshots for Google cloud engine.
• K10 Dashboard will now alert users when available disk space on K10 stateful services is below 25%.
• Clean up snapshots created by failed CSI backups.
• The Dashboard now enables users to add one or many secondary clusters to a multi-cluster deployment.
• Better handling on the Dashboard for users with limited access.
• The Dashboard's restore point panel now indicates when a restore point has been imported.

Bug Fixes

• Fixed a potential crash when creating an NFS FileStore profile with a non-existent PVC.
• Fixed an issue with the k10tools tool for debugging OpenShift authentication.
• Preserve access modes of PVCs and PVs on restore.
• Fix multicluster bootstrapping in environments where ServiceAccounts have multiple secrets.

Deprecations

• Removed Helm v2 commands from K10 documentation.
• Removed Helm v2 checks from K10 pre-flight scripts.

3.0.9

Release Date: 2021-02-26

New Features

• Added errors and exceptions to Action API resources.
• CSI volume snapshot objects are now labeled with Kasten labels.
• Improve backup performance for policies that cover a large number of namespaces.
• Added support to configure memory and CPU resources for injected Kanister Sidecar container using helm values used for Generic Volume Restore pod. Refer to Generic Volume Backup and Restore Resource Requirements for more details.

Bug Fixes

• Fixed issue where an extra cluster settings tab appeared for K10 setup with basic or no authentication.
• Fixed issue where k10primer tool incorrectly required the kasten-io namespace to be created before running it. It will now run in the default namespace by default.
• Fixed an issue in OpenShift environments where DeploymentConfig labels were not enumerated when creating a policy.
• Fixed an issue with the k10multicluster tool removing the wrong cluster.
• On Dashboard artifact card, volumes size is now correctly formatted instead of being shows in bytes.

3.0.8

Release Date: 2021-02-15

New Features

• Added applications sub-command to k10tools debug command to get complete application information from the specified namespace.
• Reduced K10 Disaster Recovery backup retention count from 50 to 4.
• Added new helm options to configure memory and CPU resources for the Generic Volume Restore pod.
• Added a new tool - k10genericbackup to make Kubernetes workloads compatible for K10 Generic Storage Backup by injecting a Kanister sidecar.
• Added backupactions sub-command to k10tools debug command to allow debugging of backup actions present on the cluster.
• Kanister Backup/Restore workflow can now create Root CA ConfigMap in the application namespace when cacertconfigmap.name helm option is enabled. This ConfigMap is created when the Root CA Cert ConfigMap is not available in the application namespace and is deleted at the end of Kanister workflow.
• Enterprise license node limits now stack. Support for additional nodes may now be purchased without invalidating the previous license.
• Multi-Cluster admins can now configure cluster-level access for non-admin users through the dashboard as well as via API.
• Added gvs-cluster-check sub-command to k10tools primer command to check cluster compatibility for K10 Generic Volume Snapshots.
• Helm upgrade will restart all the K10 service pods if the k10-config config map or K10 related secrets are modified.
• Added disk usage Prometheus metrics for stateful K10 services.
• Retire action details are available in the K10 Dashboard and API.
• Added the ability to manage multi-cluster RBAC resources to the Dashboard.
• Added ability to specify the VolumeSnapshotClass as an annotation to the StorageClass.

Bug Fixes

• Fixed an issue that caused updating prometheus policy metrics to fail due to the presence of policies in Indeterminate state.
• Fixed an issue where a failure to meter in a GKE marketplace deployed instance would cause the metering service to restart.

Upgrade Notes

• This release requires re-bootstrapping of all secondary clusters.

3.0.7

Release Date: 2021-01-28

New Features

• A new binary named k10tools is available for validation and debugging the environment where K10 is installed. Refer to this page for more information.
• Pods created by Kanister are labeled with createdBy: kanister.
• Added optional override of Kanister operation timeouts.
• Ability to handle volumes of size smaller than 1 GiB.
• Exported restore points now indicate the export type - whether the restore point contains references to snapshots or portable data.

Bug Fixes

• Fixes an issue in OpenShift environments where DeploymentConfig labels were not enumerated when creating a policy.
• Fixes issue of not backing up Custom Resources in some cases when Custom Resource Definition defines multiple versions.
• Fixed an issue in the helm chart that caused K10 pods to fail with ImagePullBackOff error after upgrade.
• Fixes issue where imported cluster restore point could not be manually restored.
• Fixed an issue that caused policy validation status to be stuck in Indeterminate state after K10 upgrade.
• Fixed a bug on distributions page where text overlapped on narrower page widths.

Known Issues

• The gateway service does not start if an IngressClass resource is present in the cluster. The workaround is to update the gateway service image to quay.io/datawire/ambassador:1.11.0.

Upgrade Notes

• This release will perform a catalog schema upgrade.

Other Notes

• The k10_primer.sh script has been updated. If the latest version of the script is used with a version of K10 <= 3.0.6, an error about a missing image might be seen. Upgrade K10 and retry the script to address this error.

3.0.6

Release Date: 2021-01-19

Bug Fixes

• Fixed an issue with Generic Volume Snapshot blueprint needed for restoration of PVCs containing symbolic links.
• Fixes issue of bad counts in dashboard Policies card.

3.0.5

Release Date: 2021-01-16

New Features

• K10 service storage can be compacted in service procedure.
• When a workload with Kanister sidecar injection feature enabled is updated, K10 will automatically update the existing kanister-tools sidecar image to the latest version.
• Owner references are preserved for restored objects.
• When creating a policy to import and restore, users now have the option to not restore cluster-scoped resources.
• Restore points that were generated by clicking "Run Once" on the policy now display an icon to indicate this.
• Restore actions on the Dashboard now link to the restore point that was used for the restore.
• Added support for stable (v1) Kubernetes Volume Snapshot APIs.
• Additional error information is available when a backup fails due to a workload not being ready.

Bug Fixes

• Fixed a potential crash when exporting a restore point to an NFS File Storage Location.
• Fixed an issue with restoration of PVCs containing symbolic links with absolute paths.
• Fixed an issue with restoring PVCs containing symbolic links where retries would always fail.
• The Dashboard will now detect when a user's authentication has expired and redirect to the Logout page.

3.0.4

Release Date: 2020-12-30

New Features

• New helm options to define a list of groups and users whose members are granted admin-level access to K10's dashboard.
• Added support for installation of K10 on Azure Stack.
• New helm options to resize PVC sizes of individual services.
• Introducing the ability to protect cluster-scoped (non-namespaced) resources in addition to protecting application namespaces.
• Introduced a new helm value global.upstreamCertifiedImages to use Red Hat certified versions of upstream container images.
• K10 will generate a ConfigMap in the application namespace containing a private CA certificate when the cacacertconfigmap.name helm option is enabled and if the Kanister sidecar injection feature is used for that application.

Known Issues

• Dashboard users creating import+restore policies to restore cluster-scoped resources must set restoreClusterResources using kubectl edit. Refer to restoreParameters in the Policy API specification.

3.0.3

Release Date: 2020-12-14

New Features

• Added a new helm value auth.groupAllowList to define a list of groups whose members are allowed to access K10's dashboard.
• Added a new isRunNow label to differentiate RestorePoint resources created by run once option of a Policy.
• Added a new helm value auth.ldap.restartPod to force a restart of the authentication service pod.
• Added support to snapshot and restore standalone pods.
• The support page now displays information about the currently authenticated user and also provides a link to the cluster status page.

Bug Fixes

• Fixed an issue where Active Directory passwords with certain special characters were causing authentication service failures.
• Fixed issue with multi-cluster dashboard not visible when K10 is setup in no authentication mode.
• Fixed the image tag of K10 images reported by the k10offline list-images command.

Other Notes

• Upgraded Ambassador API Gateway to version 1.9.1.

3.0.2

Release Date: 2020-11-25

Bug Fixes

• Fixed issue where policy creation fails for applications with names starting with numbers.
• Fixed an issue where the ingress.urlPath helm option was being ignored while setting up K10's services.
• Fixes an issue where the webhook to create Generic Backup sidecars was always configured with the kasten-io namespace instead of the namespace K10 was deployed in.
• Fixed an issue where the ingress.urlPath helm option was not being used while setting up Active Directory and OpenShift based authentication.
• Retrying Policy edits no longer results in invalid Policies being created.
• Fixed issues during snapshot and restore of containers that include a VolumeMount with a subPath.

Deprecations

• helm v2 is no longer supported. helm should be upgraded to v3 or higher. To upgrade the helm version used to install K10, please use the community developed plugin. See https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/

3.0.1

Release Date: 2020-11-14

Release Summary

The K10 Multi-Cluster Manager is now generally available. K10 multi-cluster allows management of multiple Kubernetes clusters through a single dashboard. Using the k10multicluster tool, primary-secondary relationships may be created between K10 instances in different clusters. Once logged-in to a primary K10 instance and granted the correct authorization, users have access to the multi-cluster dashboard that contains aggregate metrics and action summaries of the all secondary clusters. In addition, the main dashboards of secondary instances may be accessed directly through the multi-cluster dashboard. K10 resources, specifically Policies and Profiles, may be synchronized from primaries to secondaries.

New Features

• Set auth.openshift.useServiceAccountCA to true to setup K10's Authentication Service with OpenShift's CA certificate for verifying TLS connections to the OpenShift OAuth server.
• The Dashboard snapshot storage chart now only reflects namespaces that the user has permissions to view.

Bug Fixes

• The cacertconfigmap.name helm option can be used to update K10's Authentication Service's trust store with a private root CA certificate for OpenShift based authentication.
• Fix to enable restores of PVCs that are missing a StorageClass.
• Fixed a bug where the profile card, shown in a pop-up, always used the dark mode color scheme.

Security Issues

• Mitigate potential crashes caused by malicious certificates.

2.5.25

Release Date: 2020-11-06

New Features

• Improve the responsiveness for user and dashboard queries for K10 actions.
• Performance improvements to dashboard compliance checks.
• Auto dark mode on Dashboard automatically switches between light/dark modes based on day/night time.
• When restoring an application via the UI, support selecting/deselecting all artifacts by resource type instead of choosing them individually.

Bug Fixes

• Fixed an issue where CSI snapshot pre-checks were run even if a Kanister blueprint was being used to backup the workload.
• Fixed an issue which would result in the global policy form not showing the complete list of namespaces when one or more clusters was unreachable.
• Fixed an issue that would cause backup jobs to fail when writing to a Minio object store running Minio version RELEASE.2020-08-25T00-21-20Z or newer.
• Fixed an issue that would cause backup of Portworx volumes with an empty storage class to fail.
• Fixed an issue where some export or import policy runs would fail after K10 Disaster Recovery.

Known Issues

• The Kanister kando tool does not use multi-part uploads for Azure Blob storage. This impacts Kanister Blueprints that use Azure Blob profiles and when uploading objects larger than 256 MiB.
• Retrying Policy edits may cause invalid Policies to skip validation and still be created. The workaround is to recreate the Policy.
• Restore actions fail when restoring PVC's that use annotations to reference a StorageClass. The workaround is to use a transform to add a StorageClass during restore.
• When restoring a generic storage backup of a PVC that was mounted in a container at a sub path, the sub path is ignored and data is restored in the new root of the restored PVC.

Deprecations

• Removed support for OpenShift 4.3

2.5.24

Release Date: 2020-10-26

New Features

• K10 dashboard can now authenticate against an Active Directory or LDAP server.
• Add namespace label to prometheus metrics for snapshot sizes which can be used to filter by applications.
• Add namespace label to prometheus metrics for PVC count and PVC size which can be used to filter by application.
• Support for NFS FileStore profiles is now available in preview mode.
• Introducing a preview of the multi-cluster dashboard, which adds the ability to monitor and manage several clusters in one dashboard view.

Bug Fixes

• Fixed an issue where the catalog_actions_count metrics values become negative on deleting restore points.
• Fixed an issue that caused creation of Infrastructure Profiles from Dashboard to fail.
• Fixed an issue where K10 DR failed if specific special characters were used in the passphrase.

Known Issues

• Backup jobs fail when writing to a Minio object store running Minio version RELEASE.2020-08-25T00-21-20Z or newer. The workaround is to use an older Minio release till this is addressed.
• When K10 is deployed with OIDC authentication, the dashboard may show errors after the token generated by the OIDC provider has expired. Reloading the dashboard will fix the error.

Upgrade Notes

• This release will perform a catalog schema upgrade.

Deprecations

• Removed support for Kubernetes 1.14
• Removed support for OpenShift 3.11

Other Notes

• Readjusted the disaster recovery sidecar default resource requirements.

2.5.23

Release Date: 2020-10-09

New Features

• Additional metrics for catalog store and jobs service operations.
• Introduced helm flag services.executor.hostNetwork that can be used to enable hostNetwork for executor pods.
• Improved performance and scalability of exports and retirement of applications with large numbers of artifacts.
• Added --json flag to k10offline list-images command to provide output in JSON format.

Bug Fixes

• Fixed the logic that displays the dashboard loading animation.
• Fixed issue with restore of Kanister protected application in different cluster.
• The Dashboard UI has been updated with the latest storage regions for Azure and Google.
• Fixed a bug where deleted applications were not being shown on the applications restore page.

Other Notes

• Update vSphere documentation with CSI driver requirement.

2.5.22

Release Date: 2020-09-27

New Features

• Added support for authenticating tokens present in Authorization Bearer Token Header.
• Exclude filters can now be applied to workloads that are not ready.
• Add policy label to prometheus metrics for K10 actions which can be used to filter by policy name.
• Application details on Dashboard now include OpenShift Route resources.

Bug Fixes

• Fixed the image tag of Dex reported by the k10offline tool.
• Fixed issue with AWS backups, where user with correct role permissions was reported as unauthorized.
• Fixed bug with cancel action workflow where cancelling resulted in error message.
• Fix CrashLoopBackoff issues with the Config service when invalid Profiles were missing Secrets.
• Fixed an issue that caused exports to repositories created before release 2.5.18 to fail.
• Fixed retirement and restore of exported restore point for Kanister-enabled application.
• Fixed potential race between snapshot GC and reusing a deleted directory in a snapshot
• Fixed an issue where restores get stuck and eventually fail if K10 was deployed with the cacertconfigmap.name helm option and if the namespace where the application is being restored does not have a config map containing the root CA in it.

2.5.20

Release Date: 2020-09-13

New Features

• Add metrics for catalog store operations.
• Improved performance and scalability for applications with large numbers of artifacts.
• Added the ability to set runAsUser option for K10Primer.

Bug Fixes

• The K10 dashboard in deployments with no authentication configured or Basic authentication mode did not show an option to create a namespace during restore.
• Fixed K10Primer issue when validating a CSI provisioner.
• K10Primer uses the CSI snapshots restoreSize when performing a restore.
• Only backup StorageClass when taking a snapshot of a PersistentVolumeClaim.
• Airgapped installation issue, where Prometheus pod was not coming into running state, has been fixed.
• Fixed issue with handling errors when creating backups by exporting snapshots.
• Fixed a bug where the Application list was not getting refreshed on the UI dashboard if the underlying resource watcher encountered a timeout.
• On the manual snapshot form, we now show "insufficient permissions" instead of "no options" on the profiles dropdown when the user does not have permissions to list profiles.

2.5.19

Release Date: 2020-09-04

New Features

• Added support for additional GKE regions: asia-northeast2, asia-northeast3, asia-southeast2, us-west3 and us-west4.
• Do not display the Data card on the dashboard for "Basic" users.
• etcd backup for Kubernetes clusters installed via kubeadm is now supported.
• etcd backup for OpenShift Container Platform clusters is now supported.
• Improved response times for expensive queries from the dashboard by using an authorization cache.
• Users will only be able to see the names of applications or namespaces on the dashboard they have access to.

Bug Fixes

• The persistentvolumeclaims resource is now visible in the resource drop down list.
• Fix an issue with the Helm chart that would break installs initiated through the Rancher dashboard.
• Fixed potential index compaction issue that would resurrect deleted content entries during full maintenance
• Restoring into a new namespace now works correctly for RBAC users with and without namespace creation permissions.

Known Issues

• Checking a basic user's permissions may be slow when they first login to clusters with a large number of namespaces. This may cause up to a 30 second delay in loading some UI elements such as applications, actions, and compliance information.

Other Notes

• Increase default memory request for disaster recovery sidecar.

2.5.18

Release Date: 2020-08-31

New Features

• Change the default timeout for restore operations (from 90 minutes to 10 hours) since users can now cancel stuck jobs via the API.
• K10 now supports cancellation of in-progress actions through Dashboard and API.
• Added compliance data stats to Prometheus metrics.
• K10 dashboard can now authenticate against the built-in OAuth server in OpenShift Container Platform environments.
• Dashboard editor dialog windows now support text search.
• The Dashboard data page now only shows application data for namespaces the user has permissions to view.
• Switch service discovery to use Kubernetes DNS by default and provide an optional Helm setting to use Kubernetes endpoints in environments where DNS is disabled or not working.
• Added the ability to create an infrastructure profile for vSphere.
• Added a new Dashboard infrastructure profile type for vSphere configuration.

Bug Fixes

• Adds missing metrics for retire actions, running actions, and pending actions.
• Fixed restore of application with generic storage backup and Kanister blueprint with hooks.
• An issue (required volume not mounted) that occurred in case of multi replica workload during GVS is fixed
• Added validations for vSphere credentials.
• vSphere persistent volumes are no longer left in 'Failed' state upon claim deletion.

Known Issues

• vSphere persistent volumes are left in a 'Released' state. Fixed in v2.0.0 of vSphere's external-provisioner.

Upgrade Notes

• The K10 Helm chart options persistence are moved under global.persistence. Setting global.persistence.storageClass now overwrites default StorageClass for Prometheus PVCs.

2.5.17

Release Date: 2020-08-14

New Features

• On the policy form, values for exported snapshot retention can be "Set to Zero" with a new action link.
• K10 deployments now have default resource requests for memory and CPU.
• Added support for OpenShift 4.4 and 4.5, and Kubernetes 1.18
• Resource requests and limits can be set by Helm values for K10 deployments.

Bug Fixes

• Correctly display total/retired artifact counts.
• Fix problem when backup fails with unready workloads despite ignoreExceptions being set.
• Fix PodSpecOverride while restoring applications using Generic Volume Snapshot.
• Fixed timeout issue when restoring CSI backups from an object store.
• Fixes the retirement of restore points that contain both Kanister-protected workloads and Generic Volume Snapshots in the same restore point.

Known Issues

• When the authentication service is restarted due to upgrades, manual restarts or errors, users might see 403 errors while accessing the dashboard due to scheduling issues in the gateway service. Restarting the gateway service should resolve the 403 errors.

Deprecations

• Removed support for OpenShift 4.2 and Kubernetes 1.13.

Other Notes

• Reduce DeleteSnapshot scope for AWS IAM permissions.
• Support for OpenShift 4.3 and Kubernetes 1.14 will be removed in an upcoming release.
• Kanister Blueprints that implement the backup action must return at least one output artifact if they want K10 to invoke a delete action upon restore point retirement.

2.5.16

Release Date: 2020-08-01

New Features

• Use Kubernetes Endpoints for service discovery instead of cluster DNS.
• Add license compliance information in prometheus metrics. So that compliance, with respect to time, can be seen in the dashboard.
• Support token authentication mode with OAuth proxy for OpenShift clusters.
• Added support for Portworx infrastructure profiles.
• Added direct (non-CSI) support for Portworx storage.
• Applications for policies can be selected via wildcard selectors.
• Added support to create an OpenShift Route object to connect to the K10 dashboard.

Bug Fixes

• Fixed a Dashboard bug where the retry of a backup action omitted profile info and resulted in failed actions.
• Fixed issue where restore from a generic-volume-snapshot could result in multiple PVC restore processes.
• Fixed an issue where an application creation via the OpenShift console fails when Kanister sidecar injection feature is enabled.
• Fixes issue where export action fails when policy selects no applications to snapshot.

Known Issues

• ManagedFields in API objects are not preserved when taking backups. Introduced in Kubernetes 1.18.x (OpenShift 4.5.x), they track the actor in the system who last modified each field in an API object. They are used by server-side apply report conflicting patches to objects. Since these are omitted by K10, executing server-side apply after an application is restored may result in different behavior than before restore.
• Sidecar injection for generic volume snapshots is not supported in Kubernetes 1.18+ or OpenShift 4.5+. Do not use the helm value injectKanisterSidecar.enabled=true on these versions.
• When K10 is deployed with the helm option auth.tokenAuth.enabled set to true, and when OAuth proxy is used for authentication, the OAuth proxy session is not cleared when the user signs out of the dashboard.
• PersistentVolumes provisioned by K10 on vSphere do not get removed when they are released.

2.5.15

Release Date: 2020-07-19

New Features

• K10 automatically adds the k10.kasten.io/forcegenericbackup="true" annotation to selected workloads to enforce generic backups when the Kanister sidecar injection feature is enabled.
• Dashboard now shows DR restore progress and displays suggested actions with failure messages.
• When OIDC based authentication is enabled, if K10 is not able to get the user's information from the OIDC token, it will use the provider's userinfo endpoint to get it.

Bug Fixes

• Fixed an issue where an injected Kanister sidecar was failing on OpenShift due to a root SecurityContext. An injected Kanister sidecar's SecurityContext is copied from the primary container.
• If configured authentication method is basic, ignore any authentication cookie in requests.

Other Notes

• Document how to run Prometheus with a specific user and group ID.

2.5.14

Release Date: 2020-07-06

New Features

• Added ability to add licenses using the Dashboard.
• Validate OpenStack Cinder profiles upon creation.
• Added ability to remove a license using the Dashboard.
• Improve catalog storage utilization and reduce DR resource and time requirements by performing catalog pruning.
• K10 Disaster Recovery now performs app-consistent backups of the K10 catalog store.
• K10 now creates an export restore point whenever a snapshot is exported. This includes when a policy is used to copy snapshots to another region.
• Exported restore points are now visible in the API as RestorePoint resources in the namespace of the snapshot RestorePoint resource as well as being RestorePointContent resources.
• K10 policies that select multiple applications now copy each application independently and export all successfully copied applications by default. Application copy errors are noted as exceptions in the ExportAction and an export restore point is not created for an application with a copy error.
• When manually restoring an application, the UI will provide the option of adding transforms previously used to restore that application.
• Added support for taking generic snapshots of DeploymentConfigs
• New OIDC-related settings - auth.oidcAuth.groupClaim and auth.oidcAuth.groupPrefix have been added to K10's Helm chart.
• Add a Helm option to allow modification of the K10 service security context.
• Additional statistics are collected for backups exported to object storage.
• Simplify license updates and deletes. No Helm upgrade or patches required anymore.
• Support pre-populated namespace labels in the policy creation form.
• New OIDC-related setting - auth.oidcAuth.prompt has been added to K10's helm chart.
• Improvement in the user experience on the dashboard when an OIDC provider returns an error.
• Dashboard now supports specifying region for OpenStack infrastructure profiles.
• Dashboard charts with multiple result sets are now customizable, allowing you to select which results to display.
• Support page now displays an upgrade button when a newer version of K10 is available.

Bug Fixes

• Fixed an issue where switching between K10 clusters while using kubectl proxy would result in a token validation error on the dashboard due to invalid cookies in the browser cache.
• Fixed an issue that caused Kanister operations to fail when the subject of the Blueprint was an OpenShift DeploymentConfig.
• Fixes bugs leading to early retirement of snapshots when using storage class overrides or independent retention counts.
• Fixes bug with object storage data metrics when using the option to ignore exceptions for export.
• Fixes bug with import after exporting snapshot data using the option to ignore exceptions for export.
• When "View Action YAML" was clicked, the format of the action was not correct. This has been fixed.
• Fixed a Dashboard bug when editing a transform that replaces a value with JSON.
• Fixed cosmetic bug where object storage profiles with no region showed 'undefined' in profile dropdowns.
• Fixed an issue with K10 installation when these options are used together - cacertconfigmap.name and auth.tokenAuth.enabled.
• The K10 Helm chart now checks if ingress.annotations are set before using them.
• Fixed issue with profile validation where the original error was being masked.
• Fixed an issue where the APIServer was failing to call the mutating webhook endpoint on OpenShift clusters.

Security Issues

• Module upgrades to address CVE-2020-14040.
• Upgraded Ambassador to incorporate the Envoy 1.14.3 security update.

Upgrade Notes

• A schema change is required and will reduce storage consumed by the K10 catalog.

Deprecations

• The default docs location has changed to support documentation versioning.

2.5.13

Release Date: 2020-06-20

New Features

• The Dashboard data page now displays object storage usage for each application.
• Simplify K10 Disaster Recovery by not requiring the K10 cluster passphrase on recovery.
• The Object Storage Data Usage will now include K10 Disaster Recovery statistics.
• K10Primer tool will use the same node selector and tolerations for all test pods it creates.
• Added a new settings tab for viewing installed licenses and license details.
• The compliance and storage services have been merged with the dashboard service to reduce the total number of the pods required by K10.
• Add hold support for policy-created backups.
• Object storage usage metrics can now be viewed for individual applications.
• New OIDC-related settings - auth.oidcAuth.usernameClaim and auth.oidcAuth.usernamePrefix have been added to K10's Helm chart.
• Added progress bar to indicate when a Dashboard page is still being loaded.
• Added support to automatically inject Kanister sidecars into pods for Generic Volume Backup. This can be done cluster-wide or, with label filtering, at the namespace or workload level.
• Include skipped actions in prometheus metrics.
• During manual snapshot or policy snapshot, added the ability to filter resources by label.
• Added a support tab under settings on the Dashboard that displays information about the cluster, K10, and how to contact support.

Bug Fixes

• Fixed an issue where Kanister actions would fail with OpenShift DeploymentConfig workloads.
• Fixed a case where object storage data usage may not update immediately following a backup.
• Fixed bug that prevented the test transform operation from displaying its results.
• Fixed temporary metering service report creation errors when the service is restarted.
• Improve error message when no OIDC configuration is discovered from the provider URL specified for OIDC authentication.
• Fixes issue with retiring restore points for policies that selected zero applications.
• Fixes metering service bug when the Kubernetes API server is unresponsive.

Deprecations

• The following labels have been removed from the metrics exposed by jobs service to Prometheus - job_id, phase, policy_id, scheduled_time, start_time, status, finish_time and attempt_count. jobs_running metric has also been removed to optimize storage consumption by Prometheus.

2.5.12

Release Date: 2020-06-07

New Features

• Policies that select multiple applications treat application snapshot failures independently.
• Allow users with only namespace access to create backups.
• New CSI checker application that verifies CSI snapshot/restore capabilities.
• Move EFS support out of preview mode.
• K10Primer pre-check validates the existence of required CSI feature gate.
• Failed backup jobs can now be retried from the Job Details panel.
• YAML for jobs can now be viewed and copied to the clipboard from the Job Details panel.
• Add support for Kubernetes auditing.
• Add guidance for K10 resource requirements.
• Added support for Kubernetes 1.17 and Beta Snapshot CRDs.
• K10 can be used with an OpenID Connect(OIDC) provider irrespective of whether the Kubernetes cluster is configured with the same OIDC provider, a different OIDC provider, or no authentication system. K10 achieves this by using Kubernetes User Impersonation.
• All PVCs within a namespace are snapshotted, independent of being linked to a workload.
• Added the ability to use pre-made example transforms on the Dashboard.

Bug Fixes

• Fixed an issue where backup restore points were not displaying the volume snapshot as a selectable artifact on the Dashboard.
• Disable RBAC resource creation for the Prometheus server which would not work in OCP 3.11 clusters.
• Fixed compliance calculation issue when using policies with advanced frequency options.
• Fixed a bug where transform JSON field does not retain its value when editing.

Security Issues

• When K10 is deployed with OIDC, user-initiated actions (via the API, CLI, or the dashboard) will be attributed to the user instead of the K10 service account.

Upgrade Notes

• The k10-dashboard-view ClusterRole has been updated and renamed to k10-config-view. Check and update bindings for users and service accounts.

Deprecations

• We only support Helm v2.16.0+ from this release.

2.5.11

Release Date: 2020-05-29

New Features

• Added the ability to filter policies by name.
• Improved the display of job errors by surfacing the nested root cause messages.

Bug Fixes

• Dashboard login page now accepts a variety of authentication tokens versus only JWT tokens.

2.5.10

Release Date: 2020-05-28

New Features

• No longer require a VolumeSnapshotClass with Retain deletion policy.
• Workaround EFS's behavior where a restored instance is placed in a child directory by moving child directory's contents to the file system's root after restore.
• Adjust namespace metadata for cloned Helm 3 applications.
• Adding a new tool, K10Primer, that validates a Kubernetes cluster prior to installing K10
• Installation of trusted but private root certificate authorities to be used by K10 for verifying TLS connections to object stores.

Bug Fixes

• Exclude VolumeSnapshot objects in application backup.
• Cleanup VolumeSnapshot resources if the driver failed the snapshot operation.
• Fixed an issue that caused temporary secrets to be left behind after computing object store data usage statistics.
• Fixed perpetual UI alerts on outdated failed K10 service/pods.
• Fixes issue where multiple VolumeSnapshotClasses with K10 annotations caused snapshot failures.
• Recreate provisioner annotations for Ceph-RBD provisioned Persistent Volumes on restore.
• Updated prometheus's baseURL and prefixURL Helm values to work with K10 routes.
• Fix backup data charts not populating on dashboard.
• Fixed problem deleting old actions.

Known Issues

• Kanister Blueprints used for database-level application backup currently do not work with private root CAs. An available workaround is to disable TLS verification of these object stores for Location profiles in use with Kanister.

Upgrade Notes

• This release will perform a catalog schema upgrade.
• We no longer require or recommend a Retain deletionPolicy for VolumeSnapshotClasses.

2.5.9

Release Date: 2020-05-09

New Features

• The air-gapped installation process was simplified.
• Improve the display of job errors by showing error details in a modal window with color syntax-highlighting.
• Generate skipped jobs when policy scheduler offline across scheduling window.

Bug Fixes

• Added Ceph profile validation on create.
• The K10 dashboard will not allow the creation of policies or profiles if the K10 install namespace is not known.
• Fixed a bug where the code editor window sometimes displayed unformatted code.
• Fixed a bug that prevented K10 disaster recovery from a manual run of the disaster recovery policy.
• Fixed a bug that caused some restores to fail after K10 Disaster Recovery.
• Fixed a bug that could cause object store logical data size to be under-reported.

Security Issues

• Upgraded several JavaScript packages to address recently disclosed CVEs.

Upgrade Notes

• K10 image comes with Ceph tools enabled.

Other Notes

• Combined the policy and profile services to reduce the number of pods used by K10.

2.5.8

Release Date: 2020-05-01

New Features

• Add AWS Africa (Cape Town) and Europe (Milan) regions.
• Added infrastructure profiles for direct (non-CSI) integration with Ceph and OpenStack Cinder.
• Added ability to pause scheduled runs of policies.
• Support specifying a region when an endpoint is used with S3 compatible Profiles.
• Retention of snapshots and exported backups supports pausing and editing of policies.

Bug Fixes

• Discover AWS region from node labels when EC2 instance metadata endpoint is not reachable.
• EBS snapshot jobs fail gracefully if AWS credentials are not provided.
• Fixed a bug in the k10-ns-admin Role for GET permission on secrets in the K10 namespace.
• Fixed unlikely case where manual policy run could retire artifacts created by a scheduled policy run.

2.5.7

Release Date: 2020-04-26

New Features

• Allow specifying which StorageClass should be used when exporting snapshot data.
• Volume type transforms on restore are now supported for Azure Disks. Supported storage account types of Azure Disks include Standard_LRS, Premium_LRS, StandardSSD_LRS, UltraSSD_LRS.
• Policy scheduler now waits until the next scheduled time after a policy edit to start a new job.
• Reduction in space consumed by the metering service (used for cloud market place billing). The service will delete legacy data and will ensure new data is not retained indefinitely.
• Added finer control of policy frequency, start times, and snapshot retention to the K10 API and Dashboard.
• Force a file-system level backup if a workload has the k10.kasten.io/forcegenericbackup annotation.

Bug Fixes

• Improve Ceph snapshot mechanism.
• Fixed a bug that caused Object Storage Data Usage statistics to be inaccurate.
• Fixed a bug with S3-compatible Location profiles. K10 used transport layer security by default even if the user specified http:// as the transport protocol in the location profile's endpoint.

Upgrade Notes

• Kanister profiles are being deprecated. Disable and re-enable any existing DR policy after an upgrade to switch to using a Location profile.

Deprecations

• For storage providers that are not supported by K10, do not automatically attempt a file-system backup unless the workload has the k10.kasten.io/forcegenericbackup annotation.

Other Notes

• Enabled zoom for documentation images.

2.5.6

Release Date: 2020-04-18

Bug Fixes

• Fixed a bug that caused K10 DR backups to fail after a successful retirement of DR snapshots.

2.5.5

Release Date: 2020-04-16

New Features

• Add a Prometheus metric to indicate if K10 DR is enabled.
• New pre-flight script to validate CSI Snapshot capability.
• Ability to transform PersistentVolumeClaim labels on restore.

Bug Fixes

• Fixed a bug that caused failure in retirement of K10 Disaster Recovery snapshots.
• Fix issue with Azure profiles incompatibility while creating import policies.
• Resolves early retirement of artifacts after K10 disaster recovery.
• Preserve PersistentVolumeClaim labels on restore.
• Fixed UI bug that prevented import/restore policy creation.

Other Notes

• Workaround documented for the migration of EFS CSI Volumes in EKS clusters using the K10 dashboard and AWS CLI/Console.
• Increase timeout for waiting for ready pods to 15 minutes.

2.5.4

Release Date: 2020-04-11

New Features

• Support specifying destination region (Azure, AWS) and account (AWS) when exporting snapshots.
• Added the ability to define TLS certificates in the K10 ingress definition. This allows the use an external ingress controller and definition of a custom FQDN to access the K10 platform through the HTTPS protocol.
• Reduced the number of Kubernetes workloads by combining the jobs and jobs queue services.
• Consolidate Profiles into a new type: Location Profiles.
• Reduction in memory consumed by the metering service (used for cloud marketplace billing).
• New policies now wait until the first scheduled time to run. Use a manual policy run before then if desired.
• API support for offset policy run times (e.g., choose an hour to run a daily backup).
• Volume type transforms on restore are now supported for GCE Persistent Disk and AWS EBS. Supported types for GCE Persistent Disk include pd-ssd and pd-standard. Supported types for AWS EBS include standard, io1, gp2, sc1 and st1.

Bug Fixes

• Fix cryptography service failing to start when the catalog service isn't yet available.
• Fixed a bug in the DR Restore tool when no skipResource argument was specified.

Known Issues

• The Object Storage Data Usage statistics may not be completely accurate.

Upgrade Notes

• Existing import and export profiles will be converted to location profiles automatically.