Review the following considerations when restoring Kubernetes namespaces and PVCs in an OpenShift environment.
Restoring to a new or existing namespace
During a restore to a new namespace or an existing namespace, the restored service accounts are not added to any SCC on OpenShift. After the restore, run the following command to add the restored service accounts to SCC as required:
oc adm policy add-scc-to-user <scc name> -z <service account name> -n <restored namespace>
Post-restore requirements when restoring application workloads to another cluster
During a restore of application workloads from one OpenShift cluster to another OpenShift cluster, if the original workload images are pulled from the in-cluster OpenShift integrated registry, then the following post-restore steps must be performed.
Ensure that container images that are required by the workload pods are uploaded to the OpenShift integrated registry on the target cluster. If this step is not performed, the application pod can fail with an ImagePullBackOff error after the restore.
For more information about OpenShift image management, see the following documentation.
If the workload pods are restored to a target namespace that has a different name than the original namespace, then the image URL defined in the workload specification must be updated to reflect the target namespace. If this step is not performed, the application pod can fail with an ImagePullBackOff error after the restore.
For example, if the original pod is deployed in the mysql-test namespace with the image from image-registry.openshift-image-registry.svc:5000/mysql-test/mysql:latest, restoring to the target cluster in a new namespace that is named mysql-test-restored requires you to change the image URL of the pod to image-registry.openshift-image-registry.svc:5000/mysql-test-restored/mysql:latest.
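The following script is an added example, not part of the original documentation. It plans the image URL changes for a renamed namespace and prints the oc set image commands for review instead of running them. The function names and the sample workload list are constructed for illustration; the registry host and namespaces are the ones from the example above.

```shell
#!/bin/sh
# Added example: plan image URL updates after restoring into a renamed
# namespace. Function names and sample data are hypothetical.
REGISTRY="image-registry.openshift-image-registry.svc:5000"

# rewrite_image_ref OLD_NS NEW_NS IMAGE
# Prints IMAGE with OLD_NS replaced by NEW_NS only when IMAGE is in the
# integrated registry and its namespace component is exactly OLD_NS.
# The image name and tag (or digest) are preserved unchanged.
rewrite_image_ref() {
    old_ns=$1 new_ns=$2 image=$3
    case "$image" in
        "$REGISTRY/$old_ns/"*)
            printf '%s\n' "$REGISTRY/$new_ns/${image#"$REGISTRY/$old_ns/"}"
            ;;
        *)
            # External registry or a different namespace: leave untouched.
            printf '%s\n' "$image"
            ;;
    esac
}

# plan_image_updates OLD_NS NEW_NS
# Reads "resource container image" lines on stdin and prints one
# `oc set image` command per container whose image URL must change.
plan_image_updates() {
    from_ns=$1 to_ns=$2
    while read -r resource container image; do
        new_image=$(rewrite_image_ref "$from_ns" "$to_ns" "$image")
        if [ -n "$image" ] && [ "$new_image" != "$image" ]; then
            printf 'oc -n %s set image %s %s=%s\n' \
                "$to_ns" "$resource" "$container" "$new_image"
        fi
    done
}

# Constructed sample input: one image that must change, one external image,
# and one image in a namespace that only shares the "mysql-test" prefix.
sample_plan() {
    plan_image_updates mysql-test mysql-test-restored <<EOF
deployment/mysql mysql $REGISTRY/mysql-test/mysql:latest
deployment/mysql exporter quay.io/example/exporter:1.0
deployment/web web $REGISTRY/mysql-test-tools/web:v2
EOF
}

sample_plan
```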
If the original OpenShift cluster was used to build and deploy container images by way of the BuildConfig resources, then all the build's dockercfg secrets must be excluded from the backup in the original cluster. Failure to exclude these secrets results in the restored builds in the target cluster failing with image registry authentication errors.
For example, the following command displays a list of space-separated build and deploy dockercfg secrets in the mysql-test namespace:
oc -n mysql-test get secret -ojsonpath='{.items[?(@.type=="kubernetes.io/dockercfg")].metadata.name}'
To exclude such secrets from the backup, run the following command on all the secrets: