Skip to content

Commit f226b87

Browse files
mitchrossclaude
andcommitted
Fix race condition: Kyverno policy now only triggers on CREATE
Added operations: [CREATE] filter to all 4 rules in the VolSync backup/restore policy. Without this filter, Kyverno intercepted all PVC operations including DELETE, preventing PVC deletion and causing race conditions. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1 parent 44e8eb1 commit f226b87

2 files changed

Lines changed: 4 additions & 0 deletions

File tree

docs/backup-restore.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -42,6 +42,7 @@ The system automatically backs up PVCs to S3-compatible storage (RustFS/MinIO) a
4242

4343
### 3. Kyverno ClusterPolicy
4444
- Triggers on PVCs with label `backup: hourly` or `backup: daily`
45+
- **Only triggers on CREATE operations** (not UPDATE/DELETE) to avoid race conditions
4546
- Calls pvc-plumber to check for existing backups
4647
- Generates:
4748
- ExternalSecret (per-PVC S3 credentials)

infrastructure/controllers/kyverno/policies/volsync-pvc-backup-restore.yaml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -177,12 +177,15 @@ spec:
177177
fsGroup: 568
178178

179179
# Rule 4: Generate ReplicationDestination (restore capability)
180+
# IMPORTANT: Only trigger on CREATE to avoid race conditions during PVC deletion
180181
- name: generate-replication-destination
181182
match:
182183
any:
183184
- resources:
184185
kinds:
185186
- PersistentVolumeClaim
187+
operations:
188+
- CREATE
186189
selector:
187190
matchExpressions:
188191
- key: backup

0 commit comments

Comments
 (0)