k8up

Kubernetes backup operator using Restic and S3-compatible storage.

k8up is a Kubernetes backup operator built on top of Restic. It provides Schedule, Backup, Restore, Archive, and Prune CRDs that automate PVC and application backup to S3-compatible object storage. It is used in this cluster as the primary backup solution, scheduled to back up Longhorn PVCs and database dumps to Hetzner Object Storage.

Alternatives considered

Self Hosted

Tool	Open Source	Full Features	Notes
Velero	Yes	Yes	CNCF project; supports volume snapshots and cluster state backups
Stash	Partial	Yes	Feature-rich; commercial for some backends
Kanister	Yes	Yes	App-aware backups via Blueprints; no built-in scheduler

Installation

Architecture

HelmRelease k8up in namespace k8up-system, chart version 4.8.6 from https://k8up-io.github.io/k8up. CRDs installed and upgraded automatically (install.crds: CreateReplace). skipWithoutAnnotation: true means only PVCs and pods explicitly annotated with k8up.io/backup: "true" are included in backups. Prometheus metrics exposed on port 8080 at /metrics.

Security

Pod securityContext: runAsNonRoot: true, runAsUser/Group: 65532, fsGroup: 65532, seccompProfile: RuntimeDefault. Container securityContext: allowPrivilegeEscalation: false, capabilities: drop: ALL, readOnlyRootFilesystem: true. RBAC is cluster-wide (needs to create backup Jobs in any namespace).

Updates

Managed by Renovate. Chart version is semver-pinned (4.8.6).

Administration

Usage

Application namespaces get a Schedule resource defining backup, prune, and archive cadences pointing to an S3 bucket. PVCs are annotated with k8up.io/backup: "true" to opt in. For database backups, pods are annotated with k8up.io/backupcommand (e.g. pg_dumpall) so k8up runs a logical dump instead of a filesystem copy. Restore operations are triggered via Restore resources.

Cluster-specific deviations from the above live in the per-cluster README — see k8s/infrastructure/talos/controllers/k8up/README.md.

Cluster Deployment

Used by on this cluster

• audiobookshelf
• baserow
• bichon
• gatus
• gitea
• immich
• jellyfin
• keycloak
• komga
• lldap
• miniflux
• n8n
• navidrome
• nextcloud
• ntfy
• outline
• paperless
• pocketid
• romm
• spotify
• tandoor
• tube-archivist
• vaultwarden
• vikunja

k8up — Talos cluster

Cluster-specific notes only. General product info, "why we use it", and alternatives live in docusaurus/docs/platform/k8up.mdx.

Deviations from defaults

Defaults live in docusaurus/docs/platform/k8up.mdx — document anything this cluster does differently here, with a one-line reason.

Kubernetes Metadata

• HelmRelease: k8up@4.8.6
• HelmRepo: k8up (https://k8up-io.github.io/k8up)

Rendered manifests (kustomize build)

apiVersion: v1
data:
  values.yaml: |
    k8up:
      skipWithoutAnnotation: true
    resources:
      requests:
        cpu: 10m
        memory: 100Mi
      limits:
        memory: 100Mi
    metrics:
      service:
        annotations:
          prometheus.io/scrape: "true"
          prometheus.io/port: "8080"
          prometheus.io/path: "/metrics"
kind: ConfigMap
metadata:
  name: k8up-values-bkk7t7dgkc
  namespace: k8up-system