Auto-exclude Velero namespace from backups instead of hard error

Replace the hard validation error with auto-exclude + warning log when
the Velero namespace would be included in a backup. This avoids a
breaking change where plain `velero backup create` would fail, and
follows the existing precedent for namespaces with the
velero.io/exclude-from-backup=true label.

Detects the Velero namespace using the Kubernetes service account
namespace file (/var/run/secrets/kubernetes.io/serviceaccount/namespace),
falling back to request.Backup.Namespace.

Signed-off-by: Achin Mishra <achinmishra@meta.com>

Author: achinmishra

changelogs/unreleased/9615-achinmishra

@@ -0,0 +1 @@
+Auto-exclude the Velero namespace from backups with a warning instead of failing validation

pkg/controller/backup_controller.go

@@ -575,6 +575,20 @@ func (b *backupReconciler) prepareBackupRequest(ctx context.Context, backup *vel
 		request.Status.ValidationErrors = append(request.Status.ValidationErrors, fmt.Sprintf("Invalid included/excluded namespace lists: %v", err))
 	}
 
+	// Auto-exclude the Velero namespace from the backup.
+	// Velero does not support backing up its own namespace.
+	veleroNs := request.Backup.Namespace
+	if nsData, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace"); err == nil {
+		veleroNs = string(nsData)
+	}
+	nsFilter := collections.NewIncludesExcludes().
+		Includes(request.Spec.IncludedNamespaces...).
+		Excludes(request.Spec.ExcludedNamespaces...)
+	if nsFilter.ShouldInclude(veleroNs) {
+		logger.Warnf("Velero namespace %q is being excluded from this backup because Velero does not support backing up its own namespace.", veleroNs)
+		request.Spec.ExcludedNamespaces = append(request.Spec.ExcludedNamespaces, veleroNs)
+	}
+
 	// validate that only one exists orLabelSelector or just labelSelector (singular)
 	if request.Spec.OrLabelSelectors != nil && request.Spec.LabelSelector != nil {
 		request.Status.ValidationErrors = append(request.Status.ValidationErrors, "encountered labelSelector as well as orLabelSelectors in backup spec, only one can be specified")

pkg/controller/backup_controller_test.go

@@ -270,6 +270,94 @@ func TestProcessBackupValidationFailures(t *testing.T) {
 	}
 }
 
+func TestProcessBackupVeleroNamespaceValidation(t *testing.T) {
+	defaultBackupLocation := builder.ForBackupStorageLocation("velero", "loc-1").Phase(velerov1api.BackupStorageLocationPhaseAvailable).Result()
+
+	tests := []struct {
+		name                       string
+		backup                     *velerov1api.Backup
+		expectedExcludedNamespaces []string
+		expectValidationError      bool
+	}{
+		{
+			name:                       "velero namespace explicitly in IncludedNamespaces is auto-excluded",
+			backup:                     builder.ForBackup(velerov1api.DefaultNamespace, "backup-1").Phase(velerov1api.BackupPhaseReadyToStart).IncludedNamespaces("velero").Result(),
+			expectedExcludedNamespaces: []string{"velero"},
+		},
+		{
+			name:                       "all namespaces (empty includes) auto-excludes velero namespace",
+			backup:                     builder.ForBackup(velerov1api.DefaultNamespace, "backup-1").Phase(velerov1api.BackupPhaseReadyToStart).Result(),
+			expectedExcludedNamespaces: []string{"velero"},
+		},
+		{
+			name:                       "velero namespace already excluded stays excluded",
+			backup:                     builder.ForBackup(velerov1api.DefaultNamespace, "backup-1").Phase(velerov1api.BackupPhaseReadyToStart).ExcludedNamespaces("velero").Result(),
+			expectedExcludedNamespaces: []string{"velero"},
+		},
+		{
+			name:                       "glob pattern matching velero namespace auto-excludes it",
+			backup:                     builder.ForBackup(velerov1api.DefaultNamespace, "backup-1").Phase(velerov1api.BackupPhaseReadyToStart).IncludedNamespaces("vel*").Result(),
+			expectedExcludedNamespaces: []string{"velero"},
+		},
+		{
+			name:                       "glob pattern in excludes matching velero namespace keeps it excluded",
+			backup:                     builder.ForBackup(velerov1api.DefaultNamespace, "backup-1").Phase(velerov1api.BackupPhaseReadyToStart).ExcludedNamespaces("vel*").Result(),
+			expectedExcludedNamespaces: []string{"vel*"},
+		},
+		{
+			name:                       "glob pattern not matching velero namespace does not auto-exclude",
+			backup:                     builder.ForBackup(velerov1api.DefaultNamespace, "backup-1").Phase(velerov1api.BackupPhaseReadyToStart).IncludedNamespaces("prod-*").Result(),
+			expectedExcludedNamespaces: nil,
+		},
+		{
+			name:                       "single char wildcard matching velero namespace auto-excludes it",
+			backup:                     builder.ForBackup(velerov1api.DefaultNamespace, "backup-1").Phase(velerov1api.BackupPhaseReadyToStart).IncludedNamespaces("veler?").Result(),
+			expectedExcludedNamespaces: []string{"velero"},
+		},
+		{
+			name:                       "character class wildcard matching velero namespace auto-excludes it",
+			backup:                     builder.ForBackup(velerov1api.DefaultNamespace, "backup-1").Phase(velerov1api.BackupPhaseReadyToStart).IncludedNamespaces("[vV]elero").Result(),
+			expectedExcludedNamespaces: []string{"velero"},
+			expectValidationError:      true,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			formatFlag := logging.FormatText
+			logger := logging.DefaultLogger(logrus.DebugLevel, formatFlag)
+
+			apiServer := velerotest.NewAPIServer(t)
+			discoveryHelper, err := discovery.NewHelper(apiServer.DiscoveryClient, logger)
+			require.NoError(t, err)
+
+			fakeClient := velerotest.NewFakeControllerRuntimeClient(t, defaultBackupLocation)
+
+			c := &backupReconciler{
+				logger:                logger,
+				discoveryHelper:       discoveryHelper,
+				kbClient:              fakeClient,
+				defaultBackupLocation: defaultBackupLocation.Name,
+				clock:                 &clock.RealClock{},
+				formatFlag:            formatFlag,
+				metrics:               metrics.NewServerMetrics(),
+				backupTracker:         NewBackupTracker(),
+			}
+
+			require.NotNil(t, test.backup)
+
+			res := c.prepareBackupRequest(ctx, test.backup, logger)
+			defer res.WorkerPool.Stop()
+			require.NotNil(t, res)
+
+			if !test.expectValidationError {
+				assert.Empty(t, res.Status.ValidationErrors)
+			}
+			assert.Equal(t, test.expectedExcludedNamespaces, res.Spec.ExcludedNamespaces)
+		})
+	}
+}
+
 func TestBackupLocationLabel(t *testing.T) {
 	tests := []struct {
 		name                   string
@@ -711,6 +799,7 @@ func TestProcessBackupCompletions(t *testing.T) {
 					StorageLocation:                  defaultBackupLocation.Name,
 					DefaultVolumesToFsBackup:         boolptr.True(),
 					SnapshotMoveData:                 boolptr.False(),
+					ExcludedNamespaces:               []string{velerov1api.DefaultNamespace},
 					ExcludedClusterScopedResources:   autoExcludeClusterScopedResources,
 					ExcludedNamespaceScopedResources: autoExcludeNamespaceScopedResources,
 				},
@@ -750,6 +839,7 @@ func TestProcessBackupCompletions(t *testing.T) {
 					StorageLocation:                  "alt-loc",
 					DefaultVolumesToFsBackup:         boolptr.False(),
 					SnapshotMoveData:                 boolptr.False(),
+					ExcludedNamespaces:               []string{velerov1api.DefaultNamespace},
 					ExcludedClusterScopedResources:   autoExcludeClusterScopedResources,
 					ExcludedNamespaceScopedResources: autoExcludeNamespaceScopedResources,
 				},
@@ -793,6 +883,7 @@ func TestProcessBackupCompletions(t *testing.T) {
 					StorageLocation:                  "read-write",
 					DefaultVolumesToFsBackup:         boolptr.True(),
 					SnapshotMoveData:                 boolptr.False(),
+					ExcludedNamespaces:               []string{velerov1api.DefaultNamespace},
 					ExcludedClusterScopedResources:   autoExcludeClusterScopedResources,
 					ExcludedNamespaceScopedResources: autoExcludeNamespaceScopedResources,
 				},
@@ -833,6 +924,7 @@ func TestProcessBackupCompletions(t *testing.T) {
 					StorageLocation:                  defaultBackupLocation.Name,
 					DefaultVolumesToFsBackup:         boolptr.False(),
 					SnapshotMoveData:                 boolptr.False(),
+					ExcludedNamespaces:               []string{velerov1api.DefaultNamespace},
 					ExcludedClusterScopedResources:   autoExcludeClusterScopedResources,
 					ExcludedNamespaceScopedResources: autoExcludeNamespaceScopedResources,
 				},
@@ -873,6 +965,7 @@ func TestProcessBackupCompletions(t *testing.T) {
 					StorageLocation:                  defaultBackupLocation.Name,
 					DefaultVolumesToFsBackup:         boolptr.True(),
 					SnapshotMoveData:                 boolptr.False(),
+					ExcludedNamespaces:               []string{velerov1api.DefaultNamespace},
 					ExcludedClusterScopedResources:   autoExcludeClusterScopedResources,
 					ExcludedNamespaceScopedResources: autoExcludeNamespaceScopedResources,
 				},
@@ -914,6 +1007,7 @@ func TestProcessBackupCompletions(t *testing.T) {
 					StorageLocation:                  defaultBackupLocation.Name,
 					DefaultVolumesToFsBackup:         boolptr.False(),
 					SnapshotMoveData:                 boolptr.False(),
+					ExcludedNamespaces:               []string{velerov1api.DefaultNamespace},
 					ExcludedClusterScopedResources:   autoExcludeClusterScopedResources,
 					ExcludedNamespaceScopedResources: autoExcludeNamespaceScopedResources,
 				},
@@ -955,6 +1049,7 @@ func TestProcessBackupCompletions(t *testing.T) {
 					StorageLocation:                  defaultBackupLocation.Name,
 					DefaultVolumesToFsBackup:         boolptr.True(),
 					SnapshotMoveData:                 boolptr.False(),
+					ExcludedNamespaces:               []string{velerov1api.DefaultNamespace},
 					ExcludedClusterScopedResources:   autoExcludeClusterScopedResources,
 					ExcludedNamespaceScopedResources: autoExcludeNamespaceScopedResources,
 				},
@@ -996,6 +1091,7 @@ func TestProcessBackupCompletions(t *testing.T) {
 					StorageLocation:                  defaultBackupLocation.Name,
 					DefaultVolumesToFsBackup:         boolptr.True(),
 					SnapshotMoveData:                 boolptr.False(),
+					ExcludedNamespaces:               []string{velerov1api.DefaultNamespace},
 					ExcludedClusterScopedResources:   autoExcludeClusterScopedResources,
 					ExcludedNamespaceScopedResources: autoExcludeNamespaceScopedResources,
 				},
@@ -1037,6 +1133,7 @@ func TestProcessBackupCompletions(t *testing.T) {
 					StorageLocation:                  defaultBackupLocation.Name,
 					DefaultVolumesToFsBackup:         boolptr.False(),
 					SnapshotMoveData:                 boolptr.False(),
+					ExcludedNamespaces:               []string{velerov1api.DefaultNamespace},
 					ExcludedClusterScopedResources:   autoExcludeClusterScopedResources,
 					ExcludedNamespaceScopedResources: autoExcludeNamespaceScopedResources,
 				},
@@ -1079,6 +1176,7 @@ func TestProcessBackupCompletions(t *testing.T) {
 					StorageLocation:                  defaultBackupLocation.Name,
 					DefaultVolumesToFsBackup:         boolptr.True(),
 					SnapshotMoveData:                 boolptr.False(),
+					ExcludedNamespaces:               []string{velerov1api.DefaultNamespace},
 					ExcludedClusterScopedResources:   autoExcludeClusterScopedResources,
 					ExcludedNamespaceScopedResources: autoExcludeNamespaceScopedResources,
 				},
@@ -1121,6 +1219,7 @@ func TestProcessBackupCompletions(t *testing.T) {
 					StorageLocation:                  defaultBackupLocation.Name,
 					DefaultVolumesToFsBackup:         boolptr.True(),
 					SnapshotMoveData:                 boolptr.False(),
+					ExcludedNamespaces:               []string{velerov1api.DefaultNamespace},
 					ExcludedClusterScopedResources:   autoExcludeClusterScopedResources,
 					ExcludedNamespaceScopedResources: autoExcludeNamespaceScopedResources,
 				},
@@ -1163,6 +1262,7 @@ func TestProcessBackupCompletions(t *testing.T) {
 					StorageLocation:                  defaultBackupLocation.Name,
 					DefaultVolumesToFsBackup:         boolptr.False(),
 					SnapshotMoveData:                 boolptr.True(),
+					ExcludedNamespaces:               []string{velerov1api.DefaultNamespace},
 					ExcludedClusterScopedResources:   autoExcludeClusterScopedResources,
 					ExcludedNamespaceScopedResources: autoExcludeNamespaceScopedResources,
 				},
@@ -1206,6 +1306,7 @@ func TestProcessBackupCompletions(t *testing.T) {
 					StorageLocation:                  defaultBackupLocation.Name,
 					DefaultVolumesToFsBackup:         boolptr.False(),
 					SnapshotMoveData:                 boolptr.False(),
+					ExcludedNamespaces:               []string{velerov1api.DefaultNamespace},
 					ExcludedClusterScopedResources:   autoExcludeClusterScopedResources,
 					ExcludedNamespaceScopedResources: autoExcludeNamespaceScopedResources,
 				},
@@ -1249,6 +1350,7 @@ func TestProcessBackupCompletions(t *testing.T) {
 					StorageLocation:                  defaultBackupLocation.Name,
 					DefaultVolumesToFsBackup:         boolptr.False(),
 					SnapshotMoveData:                 boolptr.False(),
+					ExcludedNamespaces:               []string{velerov1api.DefaultNamespace},
 					ExcludedClusterScopedResources:   autoExcludeClusterScopedResources,
 					ExcludedNamespaceScopedResources: autoExcludeNamespaceScopedResources,
 				},
@@ -1292,6 +1394,7 @@ func TestProcessBackupCompletions(t *testing.T) {
 					StorageLocation:                  defaultBackupLocation.Name,
 					DefaultVolumesToFsBackup:         boolptr.False(),
 					SnapshotMoveData:                 boolptr.True(),
+					ExcludedNamespaces:               []string{velerov1api.DefaultNamespace},
 					ExcludedClusterScopedResources:   autoExcludeClusterScopedResources,
 					ExcludedNamespaceScopedResources: autoExcludeNamespaceScopedResources,
 				},
@@ -1336,6 +1439,7 @@ func TestProcessBackupCompletions(t *testing.T) {
 					StorageLocation:                  defaultBackupLocation.Name,
 					DefaultVolumesToFsBackup:         boolptr.False(),
 					SnapshotMoveData:                 boolptr.False(),
+					ExcludedNamespaces:               []string{velerov1api.DefaultNamespace},
 					ExcludedClusterScopedResources:   autoExcludeClusterScopedResources,
 					ExcludedNamespaceScopedResources: autoExcludeNamespaceScopedResources,
 				},
@@ -1379,6 +1483,7 @@ func TestProcessBackupCompletions(t *testing.T) {
 					StorageLocation:                  defaultBackupLocation.Name,
 					DefaultVolumesToFsBackup:         boolptr.False(),
 					SnapshotMoveData:                 boolptr.True(),
+					ExcludedNamespaces:               []string{velerov1api.DefaultNamespace},
 					ExcludedClusterScopedResources:   autoExcludeClusterScopedResources,
 					ExcludedNamespaceScopedResources: autoExcludeNamespaceScopedResources,
 				},
@@ -1427,6 +1532,7 @@ func TestProcessBackupCompletions(t *testing.T) {
 					DefaultVolumesToFsBackup:         boolptr.False(),
 					SnapshotMoveData:                 boolptr.True(),
 					IncludedClusterScopedResources:   []string{"storageclasses"},
+					ExcludedNamespaces:               []string{velerov1api.DefaultNamespace},
 					ExcludedClusterScopedResources:   append([]string{"clusterroles"}, autoExcludeClusterScopedResources...),
 					IncludedNamespaceScopedResources: []string{"pods"},
 					ExcludedNamespaceScopedResources: append([]string{"secrets"}, autoExcludeNamespaceScopedResources...),
@@ -1476,6 +1582,7 @@ func TestProcessBackupCompletions(t *testing.T) {
 					DefaultVolumesToFsBackup:         boolptr.False(),
 					SnapshotMoveData:                 boolptr.True(),
 					IncludedClusterScopedResources:   []string{"storageclasses"},
+					ExcludedNamespaces:               []string{velerov1api.DefaultNamespace},
 					ExcludedClusterScopedResources:   append([]string{"clusterroles"}, autoExcludeClusterScopedResources...),
 					IncludedNamespaceScopedResources: []string{"pods"},
 					ExcludedNamespaceScopedResources: append([]string{"secrets"}, autoExcludeNamespaceScopedResources...),