
Conversation

@weshayutin
Contributor

Why the changes were made

https://issues.redhat.com/browse/OADP-6074

How to test the changes made

For now the only way to test is to use the networkpolicy yaml in the docs directory and attempt backup and restore operations.

  • Needs discussion on the content of the policy and how to deploy w/ the bundle.

Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Aug 14, 2025
@openshift-ci-robot

openshift-ci-robot commented Aug 14, 2025

@weshayutin: This pull request references OADP-6074 which is a valid jira issue.


@openshift-ci openshift-ci bot requested review from kaovilai and mpryc August 14, 2025 20:00
@openshift-ci

openshift-ci bot commented Aug 14, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: weshayutin
Once this PR has been reviewed and has the lgtm label, please assign dymurray for approval. For more information see the Code Review Process.


Contributor

@shawn-hurley shawn-hurley left a comment


Overall looks good, I assume that these will be included in the bundle for the next release?

```yaml
name: default-deny-labelled
```

This policy implements a **default-deny approach** for pods managed by the OADP operator, meaning that by default, all network traffic is blocked except for explicitly allowed connections.
Contributor


Will this block the OADP CLI from functioning? Did we ever enable the pull-through logs download that @kaovilai had started? Do we need to allow this in some way?

Member


I think we can revise the default policy later if needed. The download server has not yet been implemented.

@weshayutin
Contributor Author

/retest

@weshayutin
Contributor Author

@shawn-hurley @kaovilai ugh.. I don't even remember writing this PR. It does appear, as a trace through emails and Jira, that this will need to be backported across all versions and released. I need to do more reading and testing. @shubham-pampattiwar @sseago additional in-depth reviews welcomed

Member

@shubham-pampattiwar shubham-pampattiwar left a comment


@weshayutin Is this the primary issue https://issues.redhat.com/browse/OCPSTRAT-819 ?
Seems like this is a hardening requirement across all openshift components. We may want the network policy to be applied during install time. Most likely the policy should be part of the operator bundle manifest folder.

@weshayutin
Contributor Author

@shubham-pampattiwar yup.. going through the hardening now.. hold reviews

@coderabbitai
Contributor

coderabbitai bot commented Dec 3, 2025

Walkthrough

Adds a kustomization and a NetworkPolicy (default-deny with specific ingress/egress allowances) targeting pods labeled app.kubernetes.io/managed-by: "oadp-operator" in the openshift-adp namespace, plus a README documenting the policy and usage.

Changes

Cohort / File(s) Summary
Network policy kustomization
config/networkpolicy/kustomization.yaml
New kustomization referencing networkpolicy.yaml, sets namespace: openshift-adp, and applies commonLabels (app.kubernetes.io/name=oadp-operator, app.kubernetes.io/part-of=oadp-operator).
NetworkPolicy manifest
config/networkpolicy/networkpolicy.yaml
New NetworkPolicy named oadp-default-deny-labelled selecting pods labeled app.kubernetes.io/managed-by: "oadp-operator". Implements a default-deny baseline with ingress rules (allow internal pod traffic; allow monitoring namespaces on TCP 8085/8443; allow TCP 9443) and egress rules (allow TCP 443/6443 to 0.0.0.0/0; DNS to openshift-dns on UDP/TCP 53/5353; allow TCP 443 to default and OpenShift API namespaces).
Documentation
docs/NetworkPolicies/README.md
New README describing the NetworkPolicy purpose, prerequisites, apply instructions, monitoring/troubleshooting tips, customization options, and security considerations.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Verify label keys/values and selector match operator-managed pod labels.
  • Confirm target namespace openshift-adp is correct.
  • Validate ingress/egress port lists and namespace/CIDR destinations for least-privilege intent.

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🧹 Nitpick comments (2)
docs/NetworkPolicies/README.md (2)

77-77: Convert bold section headers to proper markdown headings.

Lines 77, 92, and 110 use bold text (**...**) instead of markdown headings (###). Update these to use proper heading syntax:

-**1. HTTPS Internet Access**
+### HTTPS Internet Access

-**2. DNS Resolution**
+### DNS Resolution

-**3. Kubernetes API Access**
+### Kubernetes API Access

This improves document structure and consistency.

Also applies to: 92-92, 110-110


69-69: Document the broad ingress rule rationale.

Line 69 notes that the first ingress rule "allows incoming traffic from any pod within the same namespace." While this is documented, consider clarifying in the "Important Considerations" section why namespace-wide ingress is acceptable for OADP components. This helps users understand the security posture and any associated risks.


📥 Commits

Reviewing files that changed from the base of the PR and between d9ff173 and 846e6ea.

📒 Files selected for processing (3)
  • config/networkpolicy/kustomization.yaml (1 hunks)
  • config/networkpolicy/networkpolicy.yaml (1 hunks)
  • docs/NetworkPolicies/README.md (1 hunks)
🔇 Additional comments (2)
config/networkpolicy/kustomization.yaml (1)

7-9: Verify label alignment after kustomize application.

The commonLabels will merge with the labels defined in networkpolicy.yaml. Line 6 of networkpolicy.yaml sets app.kubernetes.io/name: oadp-networkpolicy, but this kustomization will apply app.kubernetes.io/name: oadp-operator (line 8), resulting in the latter. Confirm this label merge is intentional and aligns with your labeling strategy.

config/networkpolicy/networkpolicy.yaml (1)

11-13: Verify that OADP pods are labeled with app.kubernetes.io/managed-by: "oadp-operator".

The policy's podSelector targets pods with this label. Confirm that all OADP operator and managed components (Velero pods, etc.) are consistently labeled with this label in the codebase, otherwise the policy will not select them and traffic rules will not apply.

Comment on lines +32 to +34

```yaml
- ports:
  - protocol: TCP
    port: 9443
```
Contributor


⚠️ Potential issue | 🟠 Major

Restrict the webhook ingress rule to the API server.

The ingress rule on port 9443 lacks a from clause, meaning it allows traffic from any source on this port. Since this is documented as a webhook for API server validation/mutation (line 65 of README), restrict it to the Kubernetes API server to reduce attack surface:

  - ports:
    - protocol: TCP
      port: 9443
+   from:
+   - podSelector: {}
+     namespaceSelector:
+       matchLabels:
+         kubernetes.io/metadata.name: default
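Review bot: the `from` peer added here selects pods in the `default` namespace, which is not where the API server's webhook calls originate on OpenShift. kube-apiserver there runs as host-network static pods in openshift-kube-apiserver, so its connections to port 9443 arrive from node addresses rather than from any pod in `default`; applied as written, this rule would cut the API server off from the webhook and fail CR validation, the opposite of the intent. With OVN-Kubernetes the documented way to admit that traffic is a namespaceSelector on the host-network policy group (`policy-group.network.openshift.io/host-network: ""`), or an ipBlock covering the control-plane node IPs. Note also that `podSelector: {}` in the same peer as the namespaceSelector still admits every pod of the selected namespace, so the selector narrows the namespace, not the caller.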

Alternatively, if the webhook needs to accept traffic from pods within the same namespace, document this decision explicitly.

Would you like me to refine this rule further or provide additional security-hardened options?



## OADP NetworkPolicy Configuration

The `network_policy.yaml` file in this directory defines a NetworkPolicy specifically designed for OADP components. Here's what it does:
Contributor


⚠️ Potential issue | 🟡 Minor

Correct the policy filename reference.

Line 18 refers to the policy as network_policy.yaml, but the actual filename is networkpolicy.yaml (no underscore). Update the reference:

-The `network_policy.yaml` file in this directory defines a NetworkPolicy specifically designed for OADP components. Here's what it does:
+The `networkpolicy.yaml` file in this directory defines a NetworkPolicy specifically designed for OADP components. Here's what it does:

Also applies to: 23-23


Check if the NetworkPolicy is applied:

```bash
kubectl get networkpolicy -n <oadp-namespace>
kubectl describe networkpolicy default-deny-labelled -n <oadp-namespace>
```
Contributor


⚠️ Potential issue | 🟡 Minor

Correct the NetworkPolicy name reference.

Line 160 references the policy as default-deny-labelled, but the actual policy name is oadp-default-deny-labelled. Update the reference:

-kubectl describe networkpolicy default-deny-labelled -n <oadp-namespace>
+kubectl describe networkpolicy oadp-default-deny-labelled -n <oadp-namespace>
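A way to check the two points the review above keeps returning to, as an added example and not code from the oadp-operator repository: given a NetworkPolicy object and a list of pod label sets, report which pods `spec.podSelector` actually selects (a pod it misses is not denied anything, it is simply outside the policy), and flag rules that are broader than a default-deny baseline should need: an ingress rule with no `from`, a peer that admits a whole namespace, an egress ipBlock of 0.0.0.0/0, or a direction missing from `policyTypes`. The sample policy and pod labels inside the block are constructed to mirror the rules the walkthrough lists (internal pod traffic, monitoring on 8085/8443, 9443 with no source, 443/6443 to 0.0.0.0/0, DNS to openshift-dns); they are assumptions about the manifest, not a copy of config/networkpolicy/networkpolicy.yaml, and the monitoring namespace label and the pod label sets are likewise assumed.

```python
"""Audit a NetworkPolicy: which pods does spec.podSelector select, and which
rules are wider than a default-deny baseline needs.

Added example for this review thread; not code from the oadp-operator
repository. SAMPLE_POLICY and SAMPLE_PODS are constructed to mirror the rules
described in the walkthrough and are assumptions, not the repository's manifest.
"""
import json
import sys
from typing import Any, Optional

SAMPLE_POLICY: dict[str, Any] = {  # constructed; mirrors the walkthrough's rule list
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "oadp-default-deny-labelled", "namespace": "openshift-adp"},
    "spec": {
        "podSelector": {"matchLabels": {"app.kubernetes.io/managed-by": "oadp-operator"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [
            {"from": [{"podSelector": {}}]},  # any pod in the policy's own namespace
            {"from": [{"namespaceSelector": {"matchLabels":  # assumed monitoring label
                       {"network.openshift.io/policy-group": "monitoring"}}}],
             "ports": [{"protocol": "TCP", "port": 8085}, {"protocol": "TCP", "port": 8443}]},
            {"ports": [{"protocol": "TCP", "port": 9443}]},  # webhook rule with no `from`
        ],
        "egress": [
            {"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
             "ports": [{"protocol": "TCP", "port": 443}, {"protocol": "TCP", "port": 6443}]},
            {"to": [{"namespaceSelector": {"matchLabels":
                     {"kubernetes.io/metadata.name": "openshift-dns"}}}],
             "ports": [{"protocol": p, "port": n} for p in ("UDP", "TCP") for n in (53, 5353)]},
        ],
    },
}

SAMPLE_PODS = [  # constructed; label sets are assumed, not read from the operator
    {"name": "openshift-adp-controller-manager-1",
     "labels": {"app.kubernetes.io/managed-by": "oadp-operator"}},
    {"name": "velero-1", "labels": {"app.kubernetes.io/managed-by": "oadp-operator"}},
    {"name": "node-agent-1", "labels": {"name": "node-agent"}},  # lacks the managed-by label
]


def matches_selector(selector: dict, labels: dict) -> bool:
    """Evaluate a LabelSelector (matchLabels plus In/NotIn/Exists/DoesNotExist
    matchExpressions) against a pod's labels. An empty selector matches everything."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def selected_pods(policy: dict, pods: list) -> list:
    """Names of the pods spec.podSelector selects; any pod it misses stays unrestricted."""
    selector = policy["spec"]["podSelector"]
    return [p["name"] for p in pods if matches_selector(selector, p["labels"])]


def _broad_peer(peer: dict) -> Optional[str]:
    """Explain why one from/to peer is wider than a least-privilege rule, or None."""
    if "ipBlock" in peer:
        block = peer["ipBlock"]
        if block.get("cidr") == "0.0.0.0/0" and not block.get("except"):
            return "ipBlock 0.0.0.0/0 with no except list"
        return None
    # A podSelector with no namespaceSelector is scoped to the policy's namespace,
    # and an empty one there admits every pod in that namespace.
    if "namespaceSelector" not in peer and peer.get("podSelector") == {}:
        return "empty podSelector: every pod in the namespace"
    if "podSelector" not in peer and peer.get("namespaceSelector") == {}:
        return "empty namespaceSelector: every pod in every namespace"
    return None


def audit_policy(policy: dict) -> list:
    """One finding per rule that is broader than a default-deny baseline should need."""
    spec = policy["spec"]
    findings = []
    for ptype in ("Ingress", "Egress"):
        if ptype not in spec.get("policyTypes", []):
            findings.append(f"policyTypes lacks {ptype}: that direction is not restricted")
    for direction, peer_key in (("ingress", "from"), ("egress", "to")):
        for i, rule in enumerate(spec.get(direction) or []):
            ports = ",".join(f"{p.get('protocol', 'TCP')}/{p.get('port', '*')}"
                             for p in rule.get("ports") or []) or "all ports"
            if not rule.get(peer_key):  # the API treats a missing or empty peer list as "anyone"
                findings.append(f"{direction}[{i}] ({ports}): no `{peer_key}` clause, "
                                "any source/destination allowed")
                continue
            for peer in rule[peer_key]:
                reason = _broad_peer(peer)
                if reason:
                    findings.append(f"{direction}[{i}] ({ports}): {reason}")
    return findings


if __name__ == "__main__":
    # kubectl get networkpolicy <name> -n <ns> -o json | python3 audit_netpol.py
    policy = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POLICY
    print("selected pods:", selected_pods(policy, SAMPLE_PODS))
    for finding in audit_policy(policy):
        print("finding:", finding)
```

Run against the constructed sample it reports node-agent-1 as unselected and three findings: the namespace-wide ingress rule, the 9443 rule with no `from`, and the 0.0.0.0/0 egress. Piping a live object in from `kubectl get ... -o json` audits the real manifest; the pod list is the only part that has to be supplied by hand, for example from `kubectl get pods -n openshift-adp -o json`.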

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (2)
config/networkpolicy/networkpolicy.yaml (1)

32-34: Port 9443 webhook ingress rule lacks source restriction — restricting to API server traffic is strongly recommended.

An unrestricted webhook ingress rule allows communication from any pod to the webhook server, which increases the attack surface. For webhook security, the minimal ingress rule should restrict traffic to only the Kubernetes API server by using an IP block or pod selector.

Apply this diff to restrict the webhook to the API server:

  - ports:
    - protocol: TCP
      port: 9443
+   from:
+   - ipBlock:
+       cidr: <API_SERVER_IP>/32  # Replace with your control-plane IP
+   - namespaceSelector:
+       matchLabels:
+         kubernetes.io/metadata.name: kube-system
+     podSelector:
+       matchLabels:
+         component: kube-apiserver
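Review bot: the second peer uses upstream kubeadm labelling (`kube-system`, `component: kube-apiserver`) that does not exist on OpenShift, where the kube-apiserver pods live in openshift-kube-apiserver and run on the host network, so neither that namespaceSelector nor a pod-network podSelector will match the webhook caller. That leaves the ipBlock as the only peer that can match, and `<API_SERVER_IP>/32` has to cover every control-plane node (or be replaced by a namespaceSelector on the host-network policy group), otherwise admission requests served by another apiserver instance are refused.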

Alternatively, if restricting by IP is not feasible in your environment, document this security decision explicitly with a comment explaining why unrestricted access is acceptable for your threat model.

docs/NetworkPolicies/README.md (1)

18-18: Correct filename and policy name references throughout the documentation.

Multiple references to the policy and file use incorrect names:

  • Lines 18, 170: Refer to network_policy.yaml instead of networkpolicy.yaml
  • Lines 23, 182: Reference policy name as default-deny-labelled instead of oadp-default-deny-labelled

Apply these diffs:

-The `network_policy.yaml` file in this directory defines a NetworkPolicy specifically designed for OADP components. Here's what it does:
+The `networkpolicy.yaml` file in this directory defines a NetworkPolicy specifically designed for OADP components. Here's what it does:
-name: default-deny-labelled
+name: oadp-default-deny-labelled
-kubectl apply -f network_policy.yaml -n <oadp-namespace>
+kubectl apply -f networkpolicy.yaml -n <oadp-namespace>
-kubectl describe networkpolicy default-deny-labelled -n <oadp-namespace>
+kubectl describe networkpolicy oadp-default-deny-labelled -n <oadp-namespace>

Also applies to: 23-23, 170-170, 182-182

🧹 Nitpick comments (1)
docs/NetworkPolicies/README.md (1)

77-77: Use proper Markdown headings instead of bold emphasis.

Lines 77 ("1. General Network Access"), 94 ("2. DNS Resolution"), and 110 ("3. Kubernetes API Access (Explicit)") use bold emphasis to simulate headings. Replace with Markdown level-3 headings for proper document structure:

-**1. General Network Access**
+### 1. General Network Access
-**2. DNS Resolution**
+### 2. DNS Resolution
-**3. Kubernetes API Access (Explicit)**
+### 3. Kubernetes API Access (Explicit)

Also applies to: 94-94, 110-110


📥 Commits

Reviewing files that changed from the base of the PR and between 846e6ea and 08ca8c0.

📒 Files selected for processing (2)
  • config/networkpolicy/networkpolicy.yaml (1 hunks)
  • docs/NetworkPolicies/README.md (1 hunks)
🔇 Additional comments (1)
config/networkpolicy/networkpolicy.yaml (1)

1-79: Policy structure and egress rules are well-designed.

The policy correctly implements a default-deny model with explicit allowlists for DNS, API servers, and cloud storage access. The egress rules properly scope access to necessary namespaces and IP ranges, reducing the attack surface.

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (3)
docs/NetworkPolicies/README.md (2)

18-18: Correct the policy filename reference.

Lines 18 and 178 reference the policy file as network_policy.yaml, but the actual filename is networkpolicy.yaml (no underscore). Update both occurrences for accuracy:

-The `network_policy.yaml` file in this directory defines a NetworkPolicy specifically designed for OADP components. Here's what it does:
+The `networkpolicy.yaml` file in this directory defines a NetworkPolicy specifically designed for OADP components. Here's what it does:
-kubectl apply -f network_policy.yaml -n <oadp-namespace>
+kubectl apply -f networkpolicy.yaml -n <oadp-namespace>

Also applies to: 178-178


23-23: Correct the NetworkPolicy name reference.

The documentation references the policy as default-deny-labelled, but the actual policy name is oadp-default-deny-labelled (defined in networkpolicy.yaml line 4). Update lines 23 and 190:

-name: default-deny-labelled
+name: oadp-default-deny-labelled
-kubectl describe networkpolicy default-deny-labelled -n <oadp-namespace>
+kubectl describe networkpolicy oadp-default-deny-labelled -n <oadp-namespace>

Also applies to: 190-190

config/networkpolicy/networkpolicy.yaml (1)

36-38: Restrict the webhook ingress rule to the API server.

The ingress rule on port 9443 allows traffic from any source due to the missing from clause. Since this port is for API server validation/mutation webhooks, restrict it to the Kubernetes API server to reduce attack surface.

Apply this diff to restrict webhook traffic to the API server:

  - ports:
    - protocol: TCP
      port: 9443
+   from:
+   - podSelector: {}
+     namespaceSelector:
+       matchLabels:
+         kubernetes.io/metadata.name: default

Alternatively, if the webhook must accept traffic from same-namespace pods, document this decision explicitly and adjust the selector accordingly.

🧹 Nitpick comments (1)
docs/NetworkPolicies/README.md (1)

77-77: Use Markdown headings instead of bold emphasis.

Lines 77, 94, and 118 use bold emphasis (**...**) for section headers. For better document structure and semantic meaning, convert these to proper Markdown headings (####):

-**1. General Network Access**
+#### 1. General Network Access
-**2. DNS Resolution**
+#### 2. DNS Resolution
-**3. Kubernetes API Access (Explicit)**
+#### 3. Kubernetes API Access (Explicit)

Also applies to: 94-94, 118-118


📥 Commits

Reviewing files that changed from the base of the PR and between 08ca8c0 and deababf.

📒 Files selected for processing (2)
  • config/networkpolicy/networkpolicy.yaml (1 hunks)
  • docs/NetworkPolicies/README.md (1 hunks)
@kaovilai
Member

kaovilai commented Dec 4, 2025

/retest

ai-retester: The e2e tests failed because the MySQL application two Vol CSI test timed out and Pod initialization also timed out.

comment for /pull/1906

@kaovilai
Member

kaovilai commented Dec 4, 2025

/retest

ai-retester: The e2e-test-aws step failed because the MySQL application KOPIA test within OADP's end-to-end tests timed out after 540 seconds, and other related test cases were skipped. The detailed logs show various steps succeeding, but this single timeout caused the whole test to fail. The underlying reason for the timeout would need further digging within MySQL application KOPIA. Also the final error is container "todolist" in pod "todolist-79ff45dd6c-zdnq5" is waiting to start: PodInitializing, which seems to indicate the pod has not passed to the running state due to some initializing check.


@kaovilai
Member

kaovilai commented Dec 4, 2025

/retest

ai-retester: The e2e-test-aws-e2e step failed because the "Mongo application DATAMOVER" test in /go/src/github.com/openshift/oadp-operator/tests/e2e/backup_restore_suite_test.go timed out after 540 seconds, and because the todolist container in pod "todolist-755b6749cf-85fgw" was waiting to start because of an issue in pod initialization. This caused the overall e2e test to fail.


@kaovilai
Member

kaovilai commented Dec 4, 2025

/retest

ai-retester: The E2E test failed because the Parks application Native-Snapshots test timed out waiting for a pod to become ready, and the subsequent must-gather operation found errors. Specifically, the restify container in the restify-1-q7qlf pod was stuck in PodInitializing state, and the restore process timed out waiting for it. Additionally, there were errors related to unavailable state on BackupStorageLocation.


@openshift-ci

openshift-ci bot commented Dec 4, 2025

@weshayutin: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/4.20-e2e-test-cli-aws deababf link true /test 4.20-e2e-test-cli-aws



@weshayutin
Contributor Author

after a lot of testing and retesting... the networkpolicy is responsible for the backuprepository NOT getting created. Other communication to the s3 bucket is working so it's a little weird. Debug logs are here: https://termbin.com/k9wv
I don't see much other than the error backuprepository not found. Investigation continues

@weshayutin
Contributor Author

```text
velero-68c5c58459-wh8k2 velero time="2025-12-04T19:01:52Z" level=debug msg="starting plugin" args="[/velero run-plugins --features=EnableCSI --uploader-type=kopia --fs-backup-timeout=4h --restore-resource-priorities=securitycontextconstraints,customresourcedefinitions,klusterletconfigs.config.open-cluster-management.io,managedcluster.cluster.open-cluster-management.io,namespaces,roles,rolebindings,clusterrolebindings,klusterletaddonconfig.agent.open-cluster-management.io,managedclusteraddon.addon.open-cluster-management.io,storageclasses,volumesnapshotclass.snapshot.storage.k8s.io,volumesnapshotcontents.snapshot.storage.k8s.io,volumesnapshots.snapshot.storage.k8s.io,datauploads.velero.io,persistentvolumes,persistentvolumeclaims,serviceaccounts,secrets,configmaps,limitranges,pods,replicasets.apps,clusterclasses.cluster.x-k8s.io,endpoints,services,-,clusterbootstraps.run.tanzu.vmware.com,clusters.cluster.x-k8s.io,clusterresourcesets.addons.cluster.x-k8s.io --log-level debug --log-format=text --disable-informer-cache=false]" cmd=/velero logSource="pkg/plugin/clientmgmt/process/logrus_adapter.go:75" path=/velero
velero-68c5c58459-wh8k2 velero time="2025-12-04T19:01:52Z" level=debug msg="plugin started" cmd=/velero logSource="pkg/plugin/clientmgmt/process/logrus_adapter.go:75" path=/velero pid=356
velero-68c5c58459-wh8k2 velero time="2025-12-04T19:01:52Z" level=debug msg="waiting for RPC address" cmd=/velero logSource="pkg/plugin/clientmgmt/process/logrus_adapter.go:75" plugin=/velero
velero-68c5c58459-wh8k2 velero time="2025-12-04T19:01:52Z" level=debug msg="Setting log level to DEBUG" cmd=/velero logSource="pkg/plugin/framework/server.go:269" pluginName=velero
velero-68c5c58459-wh8k2 velero time="2025-12-04T19:01:52Z" level=debug msg="plugin address" address=/tmp/plugin205027667 cmd=/velero logSource="pkg/plugin/clientmgmt/process/logrus_adapter.go:75" network=unix pluginName=velero
velero-68c5c58459-wh8k2 velero time="2025-12-04T19:01:52Z" level=debug msg="using plugin" cmd=/velero logSource="pkg/plugin/clientmgmt/process/logrus_adapter.go:75" version=2
velero-68c5c58459-wh8k2 velero time="2025-12-04T19:01:52Z" level=debug msg="waiting for stdio data" cmd=/velero logSource="pkg/plugin/clientmgmt/process/logrus_adapter.go:75" pluginName=stdio
velero-68c5c58459-wh8k2 velero time="2025-12-04T19:01:52Z" level=debug msg="received EOF, stopping recv loop" cmd=/plugins/velero-plugin-for-aws err="rpc error: code = Unavailable desc = error reading from server: EOF" logSource="pkg/plugin/clientmgmt/process/logrus_adapter.go:75" pluginName=stdio
velero-68c5c58459-wh8k2 velero time="2025-12-04T19:01:52Z" level=info msg="plugin process exited" cmd=/plugins/velero-plugin-for-aws id=346 logSource="pkg/plugin/clientmgmt/process/logrus_adapter.go:80" plugin=/plugins/velero-plugin-for-aws
velero-68c5c58459-wh8k2 velero time="2025-12-04T19:01:52Z" level=debug msg="plugin exited" cmd=/plugins/velero-plugin-for-aws logSource="pkg/plugin/clientmgmt/process/logrus_adapter.go:75"
velero-68c5c58459-wh8k2 velero time="2025-12-04T19:01:52Z" level=debug msg="received EOF, stopping recv loop" cmd=/velero err="rpc error: code = Unavailable desc = error reading from server: EOF" logSource="pkg/plugin/clientmgmt/process/logrus_adapter.go:75" pluginName=stdio
velero-68c5c58459-wh8k2 velero time="2025-12-04T19:01:52Z" level=info msg="plugin process exited" cmd=/velero id=356 logSource="pkg/plugin/clientmgmt/process/logrus_adapter.go:80" plugin=/velero
velero-68c5c58459-wh8k2 velero time="2025-12-04T19:01:52Z" level=debug msg="plugin exited" cmd=/velero logSource="pkg/plugin/clientmgmt/process/logrus_adapter.go:75"
node-agent-w9zhg node-agent time="2025-12-04T19:01:57Z" level=info msg="Reconcile test3-7mp8m" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/controller/data_upload_controller.go:143"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Preparing dataupload" Backup pod=test3-7mp8m Datadupload=test3-7mp8m logSource="pkg/controller/data_upload_controller.go:704"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Reconcile test3-7mp8m" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/controller/data_upload_controller.go:143"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Data upload is prepared and should be processed by ip-10-0-72-179.us-west-2.compute.internal (ip-10-0-72-179.us-west-2.compute.internal)" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/controller/data_upload_controller.go:305"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Backup pod is in running state in node ip-10-0-72-179.us-west-2.compute.internal" logSource="pkg/exposer/csi_snapshot.go:300" owner=test3-7mp8m pod=test3-7mp8m
+ test3-7mp8m › 2fc62f25-3a52-43da-a544-e36390cf9547
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Backup PVC is bound" backup pvc=test3-7mp8m logSource="pkg/exposer/csi_snapshot.go:307" owner=test3-7mp8m
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Backup volume is found in pod at index 0" logSource="pkg/exposer/csi_snapshot.go:320" owner=test3-7mp8m pod=test3-7mp8m
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Exposed snapshot is ready and creating data path routine" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/controller/data_upload_controller.go:334"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Init cancelable dataUpload" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/controller/data_upload_controller.go:437"
node-agent-w9zhg node-agent time="2025-12-04T19:01:57Z" level=info msg="Data upload is prepared and should be processed by ip-10-0-72-179.us-west-2.compute.internal (ip-10-0-100-6.us-west-2.compute.internal)" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/controller/data_upload_controller.go:305"
node-agent-4spck node-agent time="2025-12-04T19:01:57Z" level=info msg="Reconcile test3-7mp8m" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/controller/data_upload_controller.go:143"
node-agent-4spck node-agent time="2025-12-04T19:01:57Z" level=info msg="Data upload is prepared and should be processed by ip-10-0-72-179.us-west-2.compute.internal (ip-10-0-23-187.us-west-2.compute.internal)" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/controller/data_upload_controller.go:305"
test3-7mp8m 2fc62f25-3a52-43da-a544-e36390cf9547 time="2025-12-04T19:01:56Z" level=info msg="Running data path service test3-7mp8m" logSource="pkg/cmd/cli/datamover/backup.go:247"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="MicroServiceBR is initialized" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/datapath/micro_service_watcher.go:176" taskName=test3-7mp8m taskType=backup thisPod=test3-7mp8m
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="async backup init for pod test3-7mp8m, volume 2fc62f25-3a52-43da-a544-e36390cf9547" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/controller/data_upload_controller.go:443"
node-agent-4spck node-agent time="2025-12-04T19:01:57Z" level=info msg="Reconcile test3-7mp8m" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/controller/data_upload_controller.go:143"
node-agent-w9zhg node-agent time="2025-12-04T19:01:57Z" level=info msg="Reconcile test3-7mp8m" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/controller/data_upload_controller.go:143"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Data upload is marked as in progress" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/controller/data_upload_controller.go:390"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Start cancelable dataUpload" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/controller/data_upload_controller.go:449"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Start watching backup ms for source 2fc62f25-3a52-43da-a544-e36390cf9547" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/datapath/micro_service_watcher.go:217"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Async backup started for pod test3-7mp8m, volume 2fc62f25-3a52-43da-a544-e36390cf9547" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/controller/data_upload_controller.go:457"
```
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Reconcile test3-7mp8m" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/controller/data_upload_controller.go:143"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Start watching data path pod" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/datapath/micro_service_watcher.go:260"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Received event for data path test3-7mp8m, reason: SuccessfulAttachVolume, message: AttachVolume.Attach succeeded for volume \"pvc-1aa38f64-f97e-4e4f-9b65-6fed0140395e\" " controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/datapath/micro_service_watcher.go:357"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Received event for data path test3-7mp8m, reason: ProvisioningSucceeded, message: Successfully provisioned volume pvc-1aa38f64-f97e-4e4f-9b65-6fed0140395e" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/datapath/micro_service_watcher.go:357"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Received event for data path test3-7mp8m, reason: ExternalProvisioning, message: Waiting for a volume to be created either by the external provisioner 'ebs.csi.aws.com' or manually by the system administrator. If volume creation is delayed, please verify that the provisioner is running and correctly registered." controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/datapath/micro_service_watcher.go:357"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Received event for data path test3-7mp8m, reason: Provisioning, message: External provisioner is provisioning volume for claim \"openshift-adp/test3-7mp8m\"" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/datapath/micro_service_watcher.go:357"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Received event for data path test3-7mp8m, reason: SnapshotReady, message: Snapshot openshift-adp/test3-7mp8m is ready to use." controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/datapath/micro_service_watcher.go:357"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Received event for data path test3-7mp8m, reason: WaitForFirstConsumer, message: waiting for first consumer to be created before binding" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/datapath/micro_service_watcher.go:357"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Received event for data path test3-7mp8m, reason: Created, message: Created container: 2fc62f25-3a52-43da-a544-e36390cf9547" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/datapath/micro_service_watcher.go:357"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Received event for data path test3-7mp8m, reason: AddedInterface, message: Add eth0 [10.129.2.22/23] from ovn-kubernetes" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/datapath/micro_service_watcher.go:357"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Received event for data path test3-7mp8m, reason: Scheduled, message: Successfully assigned openshift-adp/test3-7mp8m to ip-10-0-72-179.us-west-2.compute.internal" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/datapath/micro_service_watcher.go:357"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Received event for data path test3-7mp8m, reason: Pulled, message: Container image \"quay.io/konveyor/velero:latest\" already present on machine" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/datapath/micro_service_watcher.go:357"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Received event for data path test3-7mp8m, reason: SnapshotCreated, message: Snapshot openshift-adp/test3-7mp8m was successfully created by the CSI driver." controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/datapath/micro_service_watcher.go:357"
node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Received event for data path test3-7mp8m, reason: Started, message: Started container 2fc62f25-3a52-43da-a544-e36390cf9547" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/datapath/micro_service_watcher.go:357"
test3-7mp8m 2fc62f25-3a52-43da-a544-e36390cf9547 time="2025-12-04T19:01:57Z" level=info msg="Run cancelable dataUpload" dataupload=test3-7mp8m logSource="pkg/datamover/backup_micro_service.go:164"
test3-7mp8m 2fc62f25-3a52-43da-a544-e36390cf9547 time="2025-12-04T19:01:57Z" level=info msg="No repository found, creating one" backupLocation=dpa-sample-1 logSource="pkg/repository/ensurer.go:88" repositoryType=kopia volumeNamespace=mysql-persistent
test3-7mp8m 2fc62f25-3a52-43da-a544-e36390cf9547 time="2025-12-04T19:01:57Z" level=info msg="Closing FileSystemBR" dataupload=test3-7mp8m logSource="pkg/datapath/file_system.go:146" user=test3-7mp8m
test3-7mp8m 2fc62f25-3a52-43da-a544-e36390cf9547 time="2025-12-04T19:01:57Z" level=info msg="FileSystemBR is closed" dataupload=test3-7mp8m logSource="pkg/datapath/file_system.go:152" user=test3-7mp8m
test3-7mp8m 2fc62f25-3a52-43da-a544-e36390cf9547 time="2025-12-04T19:01:57Z" level=info msg="Closing FileSystemBR" dataupload=test3-7mp8m logSource="pkg/datapath/file_system.go:146" user=test3-7mp8m
test3-7mp8m 2fc62f25-3a52-43da-a544-e36390cf9547 time="2025-12-04T19:01:57Z" level=info msg="FileSystemBR is closed" dataupload=test3-7mp8m logSource="pkg/datapath/file_system.go:152" user=test3-7mp8m
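A small parser for the node-agent and data-mover lines posted above, added here as an example; it is not part of this PR nor of the OADP or Velero projects. It reads the logfmt-style output stern prints (`<pod> <container> key=value ...`, with quoted values that may carry escaped quotes), skips the `+ pod › container` markers, and summarizes one DataUpload: which node-agent actually marked it in progress, which node-agents only saw it because the assigned node differed from their own, and the ordered Kubernetes event reasons the data path pod went through (Scheduled, AddedInterface, Started, and so on). That last list is what you want to look at when a NetworkPolicy is in place and you need to confirm the data path pod was scheduled, got an interface and started. The sample lines are copied from the comment above; the regexes for the field, event and "should be processed by" messages are my own assumptions about the format, not anything the project documents.

```python
"""Parse Velero node-agent / data-mover log lines and summarize one DataUpload.

Added example; not part of the PR or the OADP/Velero code base. The format
assumed here is the stern output seen in the PR comment:
    <pod> <container> time="..." level=info msg="..." key=value ...
Sample lines below are copied from that comment (node names, pod names and
UIDs are the ones posted there).
"""
import re

# key=value pairs; a value is either a double-quoted string (escaped quotes
# allowed inside) or a run of non-space characters.
FIELD_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')
# Kubernetes events relayed by the micro-service watcher (assumed wording).
EVENT_RE = re.compile(r'^Received event for data path (\S+), reason: (\w+), message: (.*)$')
# "prepared" message: first node is the assigned one, second is the logging agent's node.
PREPARED_RE = re.compile(r'^Data upload is prepared and should be processed by (\S+) \((\S+)\)$')


def parse_line(line):
    """Return a dict of fields for one log line, or None for non-log lines
    such as the '+ <pod> › <container>' markers stern prints."""
    parts = line.split(None, 2)
    if len(parts) < 3 or not parts[2].startswith("time="):
        return None
    pod, container, rest = parts
    rec = {"pod": pod, "container": container}
    for m in FIELD_RE.finditer(rest):
        key, val = m.group(1), m.group(2)
        if val.startswith('"'):
            # strip the surrounding quotes and unescape embedded \" sequences
            val = val[1:-1].replace('\\"', '"')
        rec[key] = val
    return rec


def summarize_dataupload(lines, name):
    """Summarize which node-agent ran DataUpload `name` and what it observed.

    owner         - node-agent pod that marked the upload in progress
    deferred      - node-agent pods that saw the upload but sit on a node
                    other than the one it was assigned to
    events        - ordered Kubernetes event reasons for the data path pod
    datapath_pods - pods logging for this upload that are not node-agents
    """
    summary = {"owner": None, "deferred": [], "events": [], "datapath_pods": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # node-agents log 'openshift-adp/<name>'; the data path pod logs '<name>'
        if rec.get("dataupload", "").rsplit("/", 1)[-1] != name:
            continue
        msg = rec.get("msg", "")
        if msg == "Data upload is marked as in progress":
            summary["owner"] = rec["pod"]
        m = PREPARED_RE.match(msg)
        if m and m.group(1) != m.group(2):
            summary["deferred"].append(rec["pod"])
        m = EVENT_RE.match(msg)
        if m:
            summary["events"].append(m.group(2))
        if rec["container"] != "node-agent" and rec["pod"] not in summary["datapath_pods"]:
            summary["datapath_pods"].append(rec["pod"])
    return summary


# Constructed sample: a subset of the lines from the PR comment, in order.
SAMPLE_LINES = [
    r'node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Data upload is prepared and should be processed by ip-10-0-72-179.us-west-2.compute.internal (ip-10-0-72-179.us-west-2.compute.internal)" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/controller/data_upload_controller.go:305"',
    r'+ test3-7mp8m › 2fc62f25-3a52-43da-a544-e36390cf9547',
    r'node-agent-w9zhg node-agent time="2025-12-04T19:01:57Z" level=info msg="Data upload is prepared and should be processed by ip-10-0-72-179.us-west-2.compute.internal (ip-10-0-100-6.us-west-2.compute.internal)" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/controller/data_upload_controller.go:305"',
    r'node-agent-4spck node-agent time="2025-12-04T19:01:57Z" level=info msg="Data upload is prepared and should be processed by ip-10-0-72-179.us-west-2.compute.internal (ip-10-0-23-187.us-west-2.compute.internal)" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/controller/data_upload_controller.go:305"',
    r'node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Data upload is marked as in progress" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/controller/data_upload_controller.go:390"',
    r'node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Received event for data path test3-7mp8m, reason: SuccessfulAttachVolume, message: AttachVolume.Attach succeeded for volume \"pvc-1aa38f64-f97e-4e4f-9b65-6fed0140395e\" " controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/datapath/micro_service_watcher.go:357"',
    r'node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Received event for data path test3-7mp8m, reason: Scheduled, message: Successfully assigned openshift-adp/test3-7mp8m to ip-10-0-72-179.us-west-2.compute.internal" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/datapath/micro_service_watcher.go:357"',
    r'node-agent-kl66n node-agent time="2025-12-04T19:01:57Z" level=info msg="Received event for data path test3-7mp8m, reason: Started, message: Started container 2fc62f25-3a52-43da-a544-e36390cf9547" controller=dataupload dataupload=openshift-adp/test3-7mp8m logSource="pkg/datapath/micro_service_watcher.go:357"',
    r'test3-7mp8m 2fc62f25-3a52-43da-a544-e36390cf9547 time="2025-12-04T19:01:57Z" level=info msg="Run cancelable dataUpload" dataupload=test3-7mp8m logSource="pkg/datamover/backup_micro_service.go:164"',
]

if __name__ == "__main__":
    print(summarize_dataupload(SAMPLE_LINES, "test3-7mp8m"))
```

Feed it the full stern capture (`stern -n openshift-adp . | python3 thisfile.py`-style piping is left out to keep the block self-contained) and compare the `events` list against what an unrestricted cluster produces; a data path pod that never reaches `Started`, or a `deferred` list that covers every node-agent with no `owner`, is the first thing to check against the policy's ingress and egress rules.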


Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
