This is a cache of https://docs.okd.io/4.19/backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service-namespace-admin-use-cases.html. It is a snapshot of the page at 2025-07-01T21:11:29.567+0000.
OADP Self-<strong>service</strong> namespace admin use cases - OADP Application backup and restore | Backup and restore | OKD 4.19
  1. Documentation
×

OADP Self-service namespace admin use cases

As a namespace admin user, you can use the Self-service feature in the following scenarios:

  • Create a backup storage location in your authorized namespace.

  • Create a NonAdminBackup (NAB) custom resource (CR).

  • Create a NonAdminRestore (NAR) CR.

  • Review NAB and NAR logs.

Creating a NonAdminBackupStorageLocation CR

You can create a NonAdminBackupStorageLocation (NABSL) custom resource (CR) in your authorized namespace. After the cluster administrator approves the NABSL CR request, you can use the NABSL CR in the NonAdminBackup CR spec.

Prerequisites

  • You are logged in to the cluster as a namespace admin user.

  • The cluster administrator has installed the OADP Operator.

  • The cluster administrator has configured the DataProtectionApplication (DPA) CR to enable OADP Self-service.

  • The cluster administrator has created a namespace for you and has authorized you to operate from that namespace.

Procedure

  1. Create a Secret CR by using the cloud credentials file content for your cloud provider. Run the following command:

    $ oc create secret generic cloud-credentials -n test-nac-ns --from-file <cloud_key_name>=<cloud_credentials_file> (1)
    1 In this example, the Secret name is cloud-credentials and the authorized namespace name is test-nac-ns. Replace <cloud_key_name> and <cloud_credentials_file> with your cloud key name and the cloud credentials file name, respectively.

  2. To create a NonAdminBackupStorageLocation CR, create a YAML manifest file with the following configuration:

    Example NonAdminBackupStorageLocation CR
    apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminBackupStorageLocation
metadata:
  name: test-nabsl
  namespace: test-nac-ns (1)
spec:
  backupStorageLocationSpec:
    config:
      profile: default
      region: <region_name> (2)
    credential:
      key: cloud
      name: cloud-credentials
    objectStorage:
      bucket: <bucket_name> (3)
      prefix: velero
    provider: aws
    1 Specify the namespace you are authorized to operate from. For example, test-nac-ns.
    2 Replace <region_name> with a region name.
    3 Replace <bucket_name> with a bucket name.

  3. To apply the NABSL CR configuration, run the following command:

    $ oc apply -f <nabsl_cr_filename> (1)
    1 Replace <nabsl_cr_filename> with the file name containing the NABSL CR configuration.
Verification

  1. To verify that the NABSL CR is in the New phase and is pending administrator approval, run the following command:

    $ oc get nabsl test-nabsl -o yaml
    Example output
    apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminBackupStorageLocation
...
status:
  conditions:
  - lastTransitionTime: "2025-02-26T09:07:15Z"
    message: NonAdminBackupStorageLocation spec validation successful
    reason: BslSpecValidation
    status: "True"
    type: Accepted
  - lastTransitionTime: "2025-02-26T09:07:15Z"
    message: NonAdminBackupStorageLocationRequest approval pending (1)
    reason: BslSpecApprovalPending
    status: "False"
    type: ClusterAdminApproved
  phase: New (2)
  veleroBackupStorageLocation:
    nacuuid: test-nac-test-bsl-c...d4389a1930
    name: test-nac-test-bsl-cd....1930
    namespace: openshift-adp
    1 Defines that the status.conditions.message field contains the NonAdminBackupStorageLocationRequest approval pending message .
    2 Defines that the status of a phase is New.

  2. After the cluster administrator approves the NonAdminBackupStorageLocationRequest CR request, verify that the NABSL CR is successfully created by running the following command:

    $ oc get nabsl test-nabsl -o yaml
    Example output
    apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminBackupStorageLocation
metadata:
  creationTimestamp: "2025-02-19T09:30:34Z"
  finalizers:
  - nonadminbackupstoragelocation.oadp.openshift.io/finalizer
  generation: 1
  name: test-nabsl
  namespace: test-nac-ns
  resourceVersion: "159973"
  uid: 4a..80-3260-4ef9-a3..5a-00...d1922
spec:
  backupStorageLocationSpec:
    credential:
      key: cloud
      name: cloud-credentials
    objectStorage:
      bucket: oadp...51rrdqj
      prefix: velero
    provider: aws
status:
  conditions:
  - lastTransitionTime: "2025-02-19T09:30:34Z"
    message: NonAdminBackupStorageLocation spec validation successful (1)
    reason: BslSpecValidation
    status: "True"
    type: Accepted
  - lastTransitionTime: "2025-02-19T09:30:34Z"
    message: Secret successfully created in the OADP namespace (2)
    reason: SecretCreated
    status: "True"
    type: SecretSynced
  - lastTransitionTime: "2025-02-19T09:30:34Z"
    message: BackupStorageLocation successfully created in the OADP namespace (3)
    reason: BackupStorageLocationCreated
    status: "True"
    type: BackupStorageLocationSynced
  phase: Created
  veleroBackupStorageLocation:
    nacuuid: test-nac-..f933a-4ec1-4f6a-8099-ee...b8b26 (4)
    name: test-nac-test-nabsl-36...11ab8b26 (5)
    namespace: openshift-adp
    status:
      lastSyncedTime: "2025-02-19T11:47:10Z"
      lastValidationTime: "2025-02-19T11:47:31Z"
      phase: Available (6)
    1 The NABSL spec is validated and approved by the cluster administrator.
    2 The secret object is successfully created in the openshift-adp namespace.
    3 The associated Velero BackupStorageLocation is successfully created in the openshift-adp namespace.
    4 The nacuuid NAC is orchestrating the NABSL CR.
    5 The name of the associated Velero backup storage location object.
    6 The Available phase indicates that the NABSL is ready for use.

Creating a NonAdminBackup CR

As a namespace admin user, you can create a NonAdminBackup (NAB) custom resource (CR) to back up your application from your authorized namespace. NAB is an OKD CR that securely facilitates the creation of a Velero backup object. The Velero backup object reports the status back to the NAB CR that ultimately updates the status.phase field.

After you create a NAB CR, the CR undergoes the following phases:

  • The initial phase for the CR is New.

  • The CR creation request goes to the NonAdminController (NAC) for reconciliation and validation.

  • Upon successful validation and creation of the Velero backup object, the status.phase field of the NAB CR is updated to the next phase, which is, Created.

Review the following important points when creating a NAB CR:

  • The NonAdminBackup CR creates the Velero backup object securely so that other namespace admin users cannot access the CR.

  • As a namespace admin user, you can only specify your authorized namespace in the NAB CR. You get an error when you specify a namespace you are not authorized to use.

Prerequisites

  • You are logged in to the cluster as a namespace admin user.

  • The cluster administrator has installed the OADP Operator.

  • The cluster administrator has configured the DataProtectionApplication (DPA) CR to enable OADP Self-service.

  • The cluster administrator has created a namespace for you and has authorized you to operate from that namespace.

  • Optional: You can create and use a NonAdminBackupStorageLocation (NABSL) CR to store the backup data. If you do not use a NABSL CR, then the backup is stored in the default backup storage location configured in the DPA.

Procedure

  1. To create a NonAdminBackup CR, create a YAML manifest file with the following configuration:

    Example NonAdminBackup CR
    apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminBackup
metadata:
  name: test-nab (1)
spec:
  backupSpec:
    defaultVolumesToFsBackup: true (2)
    snapshotMoveData: false (3)
    storageLocation: test-bsl (4)
    1 Specify a name for the NAB CR, for example, test-nab.
    2 To use File System Backup (FSB), set defaultVolumesToFsBackup to true.
    3 If you want to backup your data volumes by using the Data Mover, set the snapshotMoveData to true. This example uses the FSB for backup.
    4 Optionally, set a NABSL CR as a storage location. If you do not set a storageLocation, then the default backup storage location configured in the DPA is used.

  2. To apply the NAB CR configuration, run the following command:

    $ oc apply -f <nab_cr_filename> (1)
    1 Specify the file name containing the NAB CR configuration.
Verification

  • To verify that the NAB CR is successfully created, run the following command:

    $ oc get nab test-nab -o yaml
    Example output
    apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminBackup
metadata:
  creationTimestamp: "2025-03-06T10:02:56Z"
  finalizers:
  - nonadminbackup.oadp.openshift.io/finalizer
  generation: 2
  name: test-nab
  namespace: test-nac-ns (1)
  resourceVersion: "134316"
  uid: c5...4c8a8
spec:
  backupSpec:
    csiSnapshotTimeout: 0s
    defaultVolumesToFsBackup: true
    hooks: {}
    itemOperationTimeout: 0s
    metadata: {}
    storageLocation: test-bsl
    ttl: 0s
status:
  conditions:
  - lastTransitionTime: "202...56Z"
    message: backup accepted (2)
    reason: BackupAccepted
    status: "True"
    type: Accepted
  - lastTransitionTime: "202..T10:02:56Z"
    message: Created Velero Backup object
    reason: BackupScheduled
    status: "True"
    type: Queued
  dataMoverDataUploads: {}
  fileSystemPodVolumeBackups: (3)
    completed: 2
    total: 2
  phase: Created (4)
  queueInfo:
    estimatedQueuePosition: 0 (5)
  veleroBackup:
    nacuuid: test-nac-test-nab-d2...a9b14 (6)
    name: test-nac-test-nab-d2...b14 (7)
    namespace: openshift-adp
    spec:
      csiSnapshotTimeout: 10m0s
      defaultVolumesToFsBackup: true
      excludedResources:
      - nonadminbackups
      - nonadminrestores
      - nonadminbackupstoragelocations
      - securitycontextconstraints
      - clusterroles
      - clusterrolebindings
      - priorityclasses
      - customresourcedefinitions
      - virtualmachineclusterinstancetypes
      - virtualmachineclusterpreferences
      hooks: {}
      includedNamespaces:
      - test-nac-ns
      itemOperationTimeout: 4h0m0s
      metadata: {}
      snapshotMoveData: false
      storageLocation: test-nac-test-bsl-bf..02b70a
      ttl: 720h0m0s
    status: (8)
      completionTimestamp: "2025-0..3:13Z"
      expiration: "2025..2:56Z"
      formatVersion: 1.1.0
      hookStatus: {}
      phase: Completed (9)
      progress:
        itemsBackedUp: 46
        totalItems: 46
      startTimestamp: "2025-..56Z"
      version: 1
      warnings: 1
    1 The namespace name that the NonAdminController CR sets on the Velero backup object to back up.
    2 The NAC has reconciled and validated the NAB CR and has created the Velero backup object.
    3 The fileSystemPodVolumeBackups field indicates the number of volumes that are backed up by using FSB.
    4 The NAB CR is in the Created phase.
    5 This field indicates the queue position of the backup object. There can be multiple backups in process, and each backup object is assigned a queue position. When the backup is complete, the queue position is set to 0.
    6 The NAC creates the Velero backup object and sets the value for the nacuuid field.
    7 The name of the associated Velero backup object.
    8 The status of the Velero backup object.
    9 The Velero backup object is in the Completed phase and the backup is successful.

Creating a NonAdminRestore CR

As a namespace admin user, to restore a backup, you can create a NonAdminRestore (NAR) custom resource (CR). The backup is restored to your authorized namespace.

Prerequisites

  • You are logged in to the cluster as a namespace admin user.

  • The cluster administrator has installed the OADP Operator.

  • The cluster administrator has configured the DataProtectionApplication (DPA) CR to enable OADP Self-service.

  • The cluster administrator has created a namespace for you and has authorized you to operate from that namespace.

  • You have a backup of your application by creating a NonAdminBackup (NAB) CR.

Procedure

  1. To create a NonAdminRestore CR, create a YAML manifest file with the following configuration:

    Example NonAdminRestore CR
    apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminRestore
metadata:
  name: test-nar (1)
spec:
  restoreSpec:
    backupName: test-nab (2)
    1 Defines a name for the NAR CR, for example, test-nar.
    2 Defines the name of the NAB CR you want to restore from. For example, test-nab.

  2. To apply the NAR CR configuration, run the following command:

    $ oc apply -f <nar_cr_filename> (1)
    1 Replace <nar_cr_filename> with the file name containing the NAR CR configuration.
Verification

  1. To verify that the NAR CR is successfully created, run the following command:

    $ oc get nar test-nar -o yaml
    Example output
    apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminRestore
metadata:
  creationTimestamp: "2025-..:15Z"
  finalizers:
  - nonadminrestore.oadp.openshift.io/finalizer
  generation: 2
  name: test-nar
  namespace: test-nac-ns
  resourceVersion: "156517"
  uid: f9f5...63ef34
spec:
  restoreSpec:
    backupName: test-nab
    hooks: {}
    itemOperationTimeout: 0s
status:
  conditions:
  - lastTransitionTime: "2025..15Z"
    message: restore accepted (1)
    reason: RestoreAccepted
    status: "True"
    type: Accepted
  - lastTransitionTime: "2025-03-06T11:22:15Z"
    message: Created Velero Restore object
    reason: RestoreScheduled
    status: "True"
    type: Queued
  dataMoverDataDownloads: {}
  fileSystemPodVolumeRestores: (2)
    completed: 2
    total: 2
  phase: Created (3)
  queueInfo:
    estimatedQueuePosition: 0 (4)
  veleroRestore:
    nacuuid: test-nac-test-nar-c...1ba (5)
    name: test-nac-test-nar-c7...1ba (6)
    namespace: openshift-adp
    status:
      completionTimestamp: "2025...22:44Z"
      hookStatus: {}
      phase: Completed (7)
      progress:
        itemsRestored: 28
        totalItems: 28
      startTimestamp: "2025..15Z"
      warnings: 7
    1 The NonAdminController (NAC) CR has reconciled and validated the NAR CR.
    2 The fileSystemPodVolumeRestores field indicates the number of volumes that are restored.
    3 The NAR CR is in the Created phase.
    4 This field indicates the queue position of the restore object. There can be multiple restores in process, and each restore is assigned a queue position. When the restore is complete, the queue position is set to 0.
    5 The NAC creates the Velero restore object and sets the value as nacuuid.
    6 The name of the associated Velero restore object.
    7 The Velero restore object is in the Completed phase and the restore is successful.

About NonAdminDownloadRequest CR

As a namespace admin user, you can use the NonAdminDownloadRequest (NADR) custom resource (CR) to access detailed information about your backups and restores for troubleshooting.

This CR provides information that is equivalent to what a cluster administrator can access by using the velero backup describe --details command.

After the NADR CR request is validated, a secure download URL is generated to access the requested information.

You can download the following NADR resources:

Table 1. NADR resources

Resource type

Description

Equivalent to

BackupResourceList

List of resources included in the backup

velero backup describe --details (resource listing)

BackupContents

Contents of files backed up

Part of backup details

BackupLog

Logs from the backup operation

velero backup logs

BackupVolumeSnapshots

Information about volume snapshots

velero backup describe --details (snapshots section)

BackupItemOperations

Information about item operations performed during backup

velero backup describe --details (operations section)

RestoreLog

Logs from the restore operation

velero restore logs

RestoreResults

Detailed results of the restore

velero restore describe --details

Reviewing NAB and NAR logs

As a namespace admin user, you can review the logs for the NonAdminBackup (NAB) and NonAdminRestore (NAR) custom resources (CRs) by creating a NonAdminDownloadRequest (NADR) CR.

You can review the NAB logs only if you are using a NonAdminBackupStorageLocation (NABSL) CR as a backup storage location for the backup.
Prerequisites

  • You are logged in to the cluster as a namespace admin user.

  • The cluster administrator has installed the OADP Operator.

  • The cluster administrator has configured the DataProtectionApplication (DPA) CR to enable OADP Self-service.

  • The cluster administrator has created a namespace for you and has authorized you to operate from that namespace.

  • You have a backup of your application by creating a NAB CR.

  • You have restored the application by creating a NAR CR.

Procedure

  1. To review NAB CR logs, create a NonAdminDownloadRequest CR and specify the NAB CR name as shown in the following example:

    Example NonAdminDownloadRequest CR
    apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminDownloadRequest
metadata:
  name: test-nadr-backup
spec:
  target:
    kind: BackupLog (1)
    name: test-nab (2)
    1 Specify BackupLog as the value for the kind field of the NADR CR.
    2 Specify the name of the NAB CR.

  2. Verify that the NADR CR is processed by running the following command.

    $ oc get nadr test-nadr-backup -o yaml
    Example output
    apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminDownloadRequest
metadata:
  creationTimestamp: "2025-03-06T10:05:22Z"
  generation: 1
  name: test-nadr-backup
  namespace: test-nac-ns
  resourceVersion: "134866"
  uid: 520...8d9
spec:
  target:
    kind: BackupLog
    name: test-nab
status:
  conditions:
  - lastTransitionTime: "202...5:22Z"
    message: ""
    reason: Success
    status: "True"
    type: Processed
  phase: Created
  velero:
    status:
      downloadURL: https://... (1)
      expiration: "202...22Z"
      phase: Processed (2)
    1 The status.downloadURL field contains the download URL of the NAB logs. You can use the downloadURL to download and review the NAB logs.
    2 The status.phase is Processed.

  3. Download and analyze the backup information by using the status.downloadURL URL.

  4. To review NAR CR logs, create a NonAdminDownloadRequest CR and specify the NAR CR name as shown in the following example:

    Example NonAdminDownloadRequest CR
    apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminDownloadRequest
metadata:
  name: test-nadr-restore
spec:
  target:
    kind: RestoreLog (1)
    name: test-nar (2)
    1 Specify RestoreLog as the value for the kind field of the NADR CR.
    2 Defines the name of the NAR CR.

  5. Verify that the NADR CR is processed by running the following command.

    $ oc get nadr test-nadr-restore -o yaml
    Example output
    apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminDownloadRequest
metadata:
  creationTimestamp: "2025-03-06T11:26:01Z"
  generation: 1
  name: test-nadr-restore
  namespace: test-nac-ns
  resourceVersion: "157842"
  uid: f3e...7862f
spec:
  target:
    kind: RestoreLog
    name: test-nar
status:
  conditions:
  - lastTransitionTime: "202..:01Z"
    message: ""
    reason: Success
    status: "True"
    type: Processed
  phase: Created
  velero:
    status:
      downloadURL: https://... (1)
      expiration: "202..:01Z"
      phase: Processed (2)
    1 The status.downloadURL field contains the download URL of the NAR logs. You can use the downloadURL to download and review the NAR logs.
    2 The status.phase is Processed.

  6. Download and analyze the restore information by using the status.downloadURL URL.