Kubernetes resource yamls backup to git


Kubernetes resource state backup to git

Git structure

_global_ - global resources such as Node, ClusterRole, StorageClass
_grafana_ - grafana configs (when grafana enabled)
<namespace> - such as kube-system, default, etc...
  <ResourceType> - folder for each resource type
    <resource-name.yaml> - file for each resource



YAML manifests are in the deploy folder.

Create Deployment Key

GitHub and GitLab support adding a key that is valid for a single repository only.

  • Create repo
  • Generate an SSH key: ssh-keygen -f ./new_key
  • Add new ssh key to repo with write access
  • Save key to 2_config_map.yaml (see comments in file)

Testing Deployment

I recommend running it periodically with Kubernetes' CronJob resource. If you want to test how it works without waiting, you can change the schedule or create a pod with the same parameters.


  • kube_backup backup - pull remote git repository, save kubernetes state, make git commit in local repository
  • kube_backup push - push changes to remote repository
  • kube_backup help - shows help

Docker image by default runs kube_backup backup && kube_backup push


  • GIT_REPO_URL - remote git URL like (required)
  • BACKUP_VERBOSE - use 1 to enable verbose logging
  • TARGET_PATH - local git repository folder, default ./kube_state
  • SKIP_NAMESPACES - namespaces to exclude, separated by comma (,)
  • ONLY_NAMESPACES - whitelist namespaces
  • GLOBAL_RESOURCES - override global resources list, default is node, apiservice, clusterrole, clusterrolebinding, podsecuritypolicy, storageclass, persistentvolume, customresourcedefinition, mutatingwebhookconfiguration, validatingwebhookconfiguration, priorityclass
  • EXTRA_GLOBAL_RESOURCES - use it to add resources to GLOBAL_RESOURCES list
  • SKIP_GLOBAL_RESOURCES - blacklist global resources
  • RESOURCES - default list of namespaces resources, see KubeBackup::TYPES
  • EXTRA_RESOURCES - use it to add resources to RESOURCES list
  • SKIP_RESOURCES - exclude resources
  • SKIP_OBJECTS - use it to skip individual objects, such as kube-backup/ConfigMap/kube-backup-ssh-config (separated by comma, spaces around the comma are ignored)
  • GIT_USER - default is kube-backup
  • GIT_EMAIL - default is kube-backup@$(HOSTNAME)
  • GIT_BRANCH - Git branch, default is master
  • GIT_PREFIX - Path to the subdirectory in your repository
  • GRAFANA_URL - grafana api URL, e.g.
  • GRAFANA_TOKEN - grafana API token, create at https://your-grafana/org/apikeys
  • TZ - timezone of commit times. e.g. :Europe/Berlin


To avoid a man-in-the-middle attack, it's recommended to provide a known_hosts file. Default known_hosts contain keys for, and

Custom Resources

Let's say we have a cluster with prometheus and certmanager, they register custom resources and we want to add them in backup.

Get list of custom resource definitions:

$ kubectl get crd

NAME                                    CREATED AT     2018-06-27T10:33:00Z         2018-06-27T09:39:43Z       2018-06-27T09:39:43Z              2018-06-27T09:39:44Z      2018-06-27T10:33:00Z   2018-06-27T10:33:00Z   2018-06-27T10:33:00Z

Or get more useful output:

$ kubectl get crd -o json | jq -r '.items | (.[] | [.spec.names.singular, .spec.scope]) | @tsv'
alertmanager  Namespaced
certificate     Namespaced
clusterissuer     Cluster
issuer     Namespaced
prometheus  Namespaced
prometheusrule  Namespaced
servicemonitor  Namespaced

Set env variables in container spec:

  - name: EXTRA_GLOBAL_RESOURCES
    value: clusterissuer
  - name: EXTRA_RESOURCES
    value: alertmanager, prometheus, prometheusrule, servicemonitor, certificate, issuer
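
The steps above can be scripted so the two lists stay in sync with the cluster. This is an added example, not part of kube-backup: it groups CRDs by scope, putting Cluster-scoped names under EXTRA_GLOBAL_RESOURCES and Namespaced ones under EXTRA_RESOURCES, as the variable descriptions earlier in this README imply. The function names, the `skip` parameter and the sample JSON are constructed for illustration.

```ruby
require 'json'

# Constructed sample in the shape of `kubectl get crd -o json`, trimmed to the
# fields read below. Names mirror the singular names in the listing above.
SAMPLE_CRD_JSON = <<~EOS
  {"items": [
    {"spec": {"names": {"singular": "alertmanager"}, "scope": "Namespaced"}},
    {"spec": {"names": {"singular": "certificate"}, "scope": "Namespaced"}},
    {"spec": {"names": {"singular": "clusterissuer"}, "scope": "Cluster"}},
    {"spec": {"names": {"singular": "issuer"}, "scope": "Namespaced"}},
    {"spec": {"names": {"singular": "prometheus"}, "scope": "Namespaced"}},
    {"spec": {"names": {"singular": "prometheusrule"}, "scope": "Namespaced"}},
    {"spec": {"names": {"singular": "servicemonitor"}, "scope": "Namespaced"}}
  ]}
EOS

# CRD scope => kube-backup variable that should list the resource type.
ENV_BY_SCOPE = {
  'Cluster'    => 'EXTRA_GLOBAL_RESOURCES',
  'Namespaced' => 'EXTRA_RESOURCES'
}.freeze

# Group CRD singular names by scope and return { env var name => value }.
# `skip` (hypothetical parameter) drops types you do not want in the backup.
def crd_env(crd_json, skip: [])
  grouped = Hash.new { |hash, key| hash[key] = [] }
  JSON.parse(crd_json).fetch('items', []).each do |crd|
    spec = crd.fetch('spec')
    name = spec.dig('names', 'singular').to_s
    # Fail loudly on an unexpected scope instead of silently dropping a type.
    var = ENV_BY_SCOPE.fetch(spec['scope']) do
      raise ArgumentError, "unknown scope #{spec['scope'].inspect} for #{name.inspect}"
    end
    next if name.empty? || skip.include?(name)
    grouped[var] << name
  end
  grouped.transform_values { |names| names.uniq.sort.join(', ') }
end

# Render the result as entries for the `env:` list of the container spec.
def env_yaml(env)
  env.sort.map { |var, value| "- name: #{var}\n  value: #{value.inspect}" }.join("\n")
end

puts env_yaml(crd_env(SAMPLE_CRD_JSON)) if __FILE__ == $PROGRAM_NAME
```

To run it against a live cluster, pass the text of `kubectl get crd -o json` to `crd_env` in place of the sample.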

Special thanks to Pieter Lange for original idea
