Version: 3.0

Exclude automatically created resources from backups

Applicable to both Classic and Federated modes

Some Kubernetes controllers and operators automatically create additional resources when parent resources are deployed. Backing up and restoring these controller-created resources can cause conflicts because the destination cluster recreates them automatically during restore.

Why automatically created resources cause restore failures

Automatically created resources are owned and managed by a controller. Their lifecycle is tied to a parent resource and not to your application data. When these resources are included in a backup and restored to a different cluster:

  • The controller on the destination cluster creates its own version of the resource when the parent object is restored.
  • The restored copy may reference stale endpoints or identifiers from the source cluster.
  • Two conflicting copies of the resource can coexist, causing errors or unpredictable application behavior.

Example: AWS Load Balancer Controller

When you deploy a Service of type LoadBalancer on an AWS cluster that uses the AWS Load Balancer Controller, the controller automatically creates a TargetGroupBinding custom resource. This resource maps the Service to the AWS Target Group that routes traffic to the application pods.

When this TargetGroupBinding is included in a backup and the backup is restored to a new cluster:

  1. Portworx Backup restores the TargetGroupBinding, which now references Target Group backends from the original cluster.
  2. The AWS Load Balancer Controller on the destination cluster creates a new TargetGroupBinding for the same Service, referencing the correct backends for that cluster.
  3. The restored TargetGroupBinding and the controller-created one conflict, and the load balancer may route traffic to non-existent backends.

Similar patterns occur with other Kubernetes operators and controllers that create child resources in response to parent objects.

Other examples of automatically created resources include DNS records managed by ExternalDNS, resources created by service mesh controllers, ingress controller–managed resources, and child resources generated by Kubernetes operators. Before including such resources in a backup, review whether they are recreated automatically by the controller and whether restoring them could introduce conflicts or stale references in the destination cluster.

Identify automatically created resources

To determine whether a resource was created automatically by a controller, inspect its ownerReferences field:

kubectl get <resource-type> <resource-name> -n <namespace> -o yaml

If the ownerReferences field is populated, the resource is managed by another Kubernetes object and may have been created automatically by a controller or operator. Review such resources to determine whether they should be excluded from backups.

metadata:
  ownerReferences:
  - apiVersion: v1
    kind: Service
    name: my-service
    uid: abc-123

Review the operators and controllers installed in your cluster and identify any child resources they create automatically. These are the resources to exclude from your backups.

Exclude automatically created resources from backups

The recommended approach is to apply an exclusion label to automatically created resources and configure your backups to skip resources with that label.

Step 1: Apply an exclusion label

Apply a label to each automatically created resource you want to exclude from backups. You can use any label key and value that does not conflict with existing labels in your cluster:

kubectl label <resource-type> <resource-name> -n <namespace> <key>=<value>

For example, to label a TargetGroupBinding created by the AWS Load Balancer Controller:

kubectl label targetgroupbinding <tgb-name> -n <namespace> exclude-from-backup=true

Note: If the controller already applies a unique, consistent label to the resources it creates, you can use that label directly instead of applying a custom one.

Step 2: Configure the backup to exclude labeled resources

When creating a backup, use the advanced resource label filter with the Exclude (notin) option to skip resources with the label you applied in Step 1. In the label filter, enter:

<key> notin (<value>)

For example, if you applied the label exclude-from-backup=true in Step 1, enter:

exclude-from-backup notin (true)

This filter excludes all resources with the specified label from the backup while including all other resources.

For step-by-step instructions on using the advanced filter when creating a backup, see Create Backups with Advanced Filters.

Note: Advanced resource label filters require Stork version 25.2.1 or later on the application cluster.
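
The following Python sketch is an added example, not part of the Portworx Backup documentation. It reads a resource list in the shape produced by `kubectl get ... -o json`, applies the `notin` rule from Step 2, and reports which resources the backup would still include and which of those have ownerReferences but no exclusion label yet. The sample data, the `demo` namespace, and the function names are constructed for illustration.

```python
import json

# Constructed sample, shaped like `kubectl get <types> -n <namespace> -o json` output.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "Service",
   "metadata": {"name": "my-service", "namespace": "demo",
                "labels": {"app": "web"}}},
  {"kind": "TargetGroupBinding",
   "metadata": {"name": "tgb-a", "namespace": "demo",
                "labels": {"exclude-from-backup": "true"},
                "ownerReferences": [{"apiVersion": "v1", "kind": "Service",
                                     "name": "my-service", "uid": "abc-123"}]}},
  {"kind": "TargetGroupBinding",
   "metadata": {"name": "tgb-b", "namespace": "demo",
                "ownerReferences": [{"apiVersion": "v1", "kind": "Service",
                                     "name": "my-service", "uid": "abc-123"}]}}
]}
""")


def kept_by_notin(labels, key, values):
    """Set-based selector `key notin (values)`: a resource matches when the
    key is absent or its value is not one of the listed values."""
    return labels.get(key) not in values


def plan(resource_list, key="exclude-from-backup", value="true"):
    """Return (resources the filter leaves in the backup,
    kubectl label commands for owned resources that are still unlabeled)."""
    backed_up, to_label = [], []
    for item in resource_list["items"]:
        meta = item["metadata"]
        labels = meta.get("labels") or {}
        if not kept_by_notin(labels, key, {value}):
            continue  # carries the exclusion label, so the backup skips it
        backed_up.append(f'{item["kind"]}/{meta["name"]}')
        if meta.get("ownerReferences"):
            # Owned by another object: a candidate for review and labeling.
            to_label.append(
                f'kubectl label {item["kind"].lower()} {meta["name"]} '
                f'-n {meta.get("namespace", "default")} {key}={value}')
    return backed_up, to_label


if __name__ == "__main__":
    included, commands = plan(SAMPLE)
    print("Included in backup:", included)
    print("Review and label:", *commands, sep="\n  ")
```

Review each suggested command before running it, as not every owned resource needs to be excluded. Rerun the check before scheduled backups, because a resource the controller creates later will not carry a label you applied by hand.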

Result

When you restore from a backup that excludes auto-created resources, the controllers on the destination cluster recreate those resources automatically from their parent objects. The recreated resources reference the correct endpoints and identifiers for the destination cluster, preventing conflicts.