KubeRocketCI · orcsin · Dec 1, 2025
@@ -71,6 +71,7 @@ export const redirectMaps: Record<string, string> = {
   'operator-guide/install-reportportal': 'https://docs.kuberocketci.io/docs/operator-guide/project-management-and-reporting/install-reportportal',
   'operator-guide/install-tekton': 'https://docs.kuberocketci.io/docs/operator-guide/install-tekton',
   'operator-guide/install-velero': 'https://docs.kuberocketci.io/docs/operator-guide/disaster-recovery/install-velero',
+  'operator-guide/install-velero-add-ons': 'https://docs.kuberocketci.io/docs/operator-guide/disaster-recovery/install-velero-add-ons',
   'operator-guide/install-via-civo': 'https://docs.kuberocketci.io/docs/operator-guide/install-via-civo',
   'operator-guide/installation-overview': 'https://docs.kuberocketci.io/docs/operator-guide/installation-overview',
   'operator-guide/jira-gerrit-integration': 'https://docs.kuberocketci.io/docs/about-platform',

@@ -182,6 +182,8 @@ words:
   - passwordfile
   - patchset
   - patchsetcreated
+  - persistentvolumeclaims
+  - persistentvolumes
   - petclinic
   - pgcrypto
   - pgdb

@@ -214,3 +214,4 @@ The list of the available Add-Ons:
 |Tekton|A flexible and cloud-native framework for building, testing, and deploying applications using Kubernetes-native workflows.|false|
 |Tekton-cache||false|
 |Vault|An open-source secrets management solution that provides secure storage, encryption, and access control for sensitive data in Kubernetes clusters.|false|
+|Velero|An open source tool to safely backup and restore, perform disaster recovery, and migrate Kubernetes cluster resources and persistent volumes.|false|
@@ -0,0 +1,114 @@
+---
+title: "Install Velero"
+description: "Learn how to install Velero for Kubernetes backup, recovery, and migration, covering installation steps, AWS plugin configuration, and basic commands for backup and restore."
+sidebar_label: "Install Velero"
+---
+<!-- markdownlint-disable MD025 -->
+
+# Automated Kubernetes Backup and Restore Workflows With Velero
+
+<head>
+  <link rel="canonical" href="https://docs.kuberocketci.io/docs/operator-guide/disaster-recovery/install-velero-add-ons" />
+</head>
+
+[Velero](https://velero.io/) is an open source tool to safely back up, recover, and migrate Kubernetes clusters and persistent volumes.
+It works both on premises and in a public cloud. Velero consists of a server process running as a deployment in your
+Kubernetes cluster and a command-line interface (CLI) with which DevOps teams and platform operators configure scheduled
+backups, trigger ad-hoc backups, perform restores, and more.
+
+Configuring and installing Velero involves two key steps:
+
+- **Setting up AWS resources** – configuring IAM roles and policies.
+- **Installing Velero** – deploying the Velero components into the Kubernetes cluster.
+
+## Configuring AWS IAM Roles and Policies
+
+Velero requires specific IAM permissions to interact with AWS resources. These permissions allow Velero to create and manage EBS snapshots and volumes, as well as read and write backup data to the designated S3 bucket. This policy ensures Velero can perform backup and restore operations within your AWS account.
+
+To simplify the setup, we recommend using the [terraform-module/velero/kubernetes](https://registry.terraform.io/modules/terraform-module/velero/kubernetes/latest) module. This module automates the creation of the necessary IAM roles and policies for Velero. You can find Velero configuration parameters in the [terraform-aws-platform](https://github.com/KubeRocketCI/terraform-aws-platform/blob/master/eks/irsa.tf#L367) repository.
+
+With this configuration, the following IAM role will be created:
+
+- **AWSIRSA_\<ClusterName\>_Velero**: This role will be used by Velero to perform backup and restore operations by managing EBS snapshots and accessing the S3 backup bucket. The attached policy grants Velero the required permissions to perform backup and restore operations in AWS. It includes the following capabilities:
+
+  - **EC2 permissions** — allow Velero to create, describe, tag, and delete EBS snapshots and volumes used during backup and restore processes.
+  - **S3 bucket access** — allows listing the backup bucket and performing read/write operations on objects, including uploading backup data, retrieving it during restores, and deleting or tagging objects as needed.
+
+## Install Velero
+
+To deploy Velero in your Kubernetes cluster, we recommend using the [add-ons approach](https://github.com/epam/edp-cluster-add-ons/tree/main/clusters/core/addons/velero). Here's an example of how to configure values.yaml before installation:
+
+```yaml title="values.yaml"
+velero:
+  # -- Velero service account settings for AWS access via IRSA. Replace the role ARN with your own IAM role.
+  serviceAccount:
+    server:
+      create: true
+      name: velero-server
+      annotations:
+        eks.amazonaws.com/role-arn: "arn:aws:iam::01234567890:role/AWSIRSA_Core_Velero"
+
+  # -- Use Kubernetes secrets for AWS credentials (false = use IRSA)
+  credentials:
+    useSecret: false
+
+  configuration:
+    # -- Backup storage settings for Velero
+    backupStorageLocation:
+    - name: default
+      provider: aws
+      bucket: velero-core
+      prefix: velero
+      config:
+        region: eu-central-1
+    # -- Settings for volume snapshots
+    volumeSnapshotLocation:
+    - name: default
+      provider: aws
+      config:
+        region: eu-central-1
+
+  # -- Init container to load AWS plugin for Velero
+  initContainers:
+    - name: velero-plugin-for-aws
+      image: velero/velero-plugin-for-aws:v1.13.1
+      volumeMounts:
+        - mountPath: /target
+          name: plugins
+
+  # --------------------------------------------
+  # Velero Schedule: krci
+  # --------------------------------------------
+  # Description:
+  #   Creates daily backups of the "krci" namespace
+  #   on weekdays (Monday–Friday) at 13:00 UTC.
+  #   Excludes PersistentVolumes and PVCs,
+  #   does not snapshot volumes,
+  #   stores backups in the "default" location,
+  #   and retains them for 72 hours.
+  # --------------------------------------------
+  schedules:
+    krci:
+      disabled: true
+      paused: false
+      labels:
+        cluster: core
+        region: eu-central-1
+      schedule: "0 13 * * 1-5"
+      useOwnerReferencesInBackup: false
+      template:
+        excludedClusterScopedResources:
+          - persistentvolumes
+        excludedNamespaceScopedResources:
+          - persistentvolumeclaims
+        includedNamespaces:
+          - krci
+        snapshotVolumes: false
+        storageLocation: default
+        ttl: 72h0m0s
+```
+At the end of the file, you will find backup schedule settings that you can use as a template for creating your own schedules.
+
+## Related Articles
+
+* [Associate IAM Roles With Service Accounts](../infrastructure-providers/aws/enable-irsa.md)
@@ -5,7 +5,7 @@ sidebar_label: "Install Velero"
 ---
 <!-- markdownlint-disable MD025 -->
 
-# Install Velero
+# Automated Kubernetes Backup and Restore Workflows With Velero
 
 <head>
   <link rel="canonical" href="https://docs.kuberocketci.io/docs/operator-guide/disaster-recovery/install-velero" />

@@ -63,35 +63,7 @@ To successfully associate the IAM role with the service account, follow the step
       oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E
       ```
 
-2. Deploy the [amazon-eks-pod-identity-webhook](https://github.com/aws/amazon-eks-pod-identity-webhook/tree/master) v0.2.0.
-
-    :::note
-      The [amazon-eks-pod-identity-webhook](https://github.com/aws/amazon-eks-pod-identity-webhook/tree/master) functionality is provided out of the box in EKS v1.21 and higher. This does not apply if the cluster has been upgraded from older versions. Therefore, skip step 2 and continue from step 3 in this documentation.
-    :::
-
-    2.1. Provide the [stable](https://hub.docker.com/r/amazon/amazon-eks-pod-identity-webhook)(ed8c41f) version of the Docker image in the _deploy/deployment-base.yaml_ file.
-
-    2.2. Provide `${CA_BUNDLE}` in the _deploy/mutatingwebhook.yaml_ file:
-
-      ```bash
-      secret_name=$(kubectl -n default get sa default -o jsonpath='{.secrets[0].name}') \
-      CA_BUNDLE=$(kubectl -n default get secret/$secret_name -o jsonpath='{.data.ca\.crt}' | tr -d '\n')
-      ```
-
-    2.3. Deploy the Webhook:
-
-      ```bash
-      kubectl apply -f deploy/
-      ```
-
-    2.4. Approve the _csr_:
-
-      ```bash
-      csr_name=$(kubectl get csr -o jsonpath='{.items[?(@.spec.username=="system:serviceaccount:default:pod-identity-webhook")].metadata.name}')
-      kubectl certificate approve $csr_name
-      ```
-
-3. Annotate the created service account with the IAM role:
+2. Annotate the created service account with the IAM role:
 
     **Service Account**
 
@@ -105,7 +77,7 @@ To successfully associate the IAM role with the service account, follow the step
           eks.amazonaws.com/role-arn: "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<IAM_ROLE_NAME>"
       ```
 
-4. All newly launched pods with this service account will be modified and then use the associated IAM role. Find below the pod specification template:
+3. All newly launched pods with this service account will be modified and then use the associated IAM role. Find below the pod specification template:
 
    **Pod Template**
 
@@ -123,7 +95,7 @@ To successfully associate the IAM role with the service account, follow the step
           command: ['sh', '-c', 'aws sts "get-caller-identity" && sleep 3600']
       ```
 
-5. Check the logs of the created pod from the template above.
+4. Check the logs of the created pod from the template above.
 
     Example output:
 

@@ -13,11 +13,6 @@ sidebar_label: "IAM Roles for Kaniko Service Accounts"
   <link rel="canonical" href="https://docs.kuberocketci.io/docs/operator-guide/infrastructure-providers/aws/kaniko-irsa" />
 </head>
 
-:::note
-  The information below is relevant in case ECR is used as Docker container registry.
-  Make sure that IRSA is enabled and [amazon-eks-pod-identity-webhook](https://github.com/aws/amazon-eks-pod-identity-webhook/tree/master) is deployed according to the [Associate IAM Roles With Service Accounts](enable-irsa.md) documentation.
-:::
-
 :::note
 Alternatively, the Kaniko IAM Role can also be created automatically during the cluster installation process.
 For more details, refer to the [Deploy AWS EKS Cluster](../../deploy-aws-eks.md) page.

@@ -13,10 +13,6 @@ sidebar_label: "Loki IAM Roles"
   <link rel="canonical" href="https://docs.kuberocketci.io/docs/operator-guide/monitoring-and-observability/loki-irsa" />
 </head>
 
-:::note
-  Make sure that IRSA is enabled and [amazon-eks-pod-identity-webhook](https://github.com/aws/amazon-eks-pod-identity-webhook/tree/master#amazon-eks-pod-identity-webhook) is deployed according to the [Associate IAM Roles With Service Accounts](../infrastructure-providers/aws/enable-irsa.md) documentation.
-:::
-
 It is possible to use Amazon Simple Storage Service [Amazon S3](https://aws.amazon.com/s3/) as object storage for Loki.
 In this case [Loki](https://grafana.com/docs/loki/latest/configure/examples/configuration-examples/) requires access to AWS resources. Follow the steps below to create a required role: