Velero backups stuck in "New" state and cannot be deleted when created in non-Velero namespace
search cancel

Velero backups stuck in "New" state and cannot be deleted when created in non-Velero namespace

book

Article ID: 438454

calendar_today

Updated On:

Products

VMware vSphere Kubernetes Service

Issue/Introduction

  • Backups created in a different namespace
  • Velero get backup shows backups in New state with no progress
  • CREATED field is <nil>
  • velero delete backup completes but backups remain 
    $ velero get backup -n <NAMESPACE>
NAME                   STATUS   ERRORS   WARNINGS   CREATED   EXPIRES   STORAGE LOCATION   QUEUE POSITION   SELECTOR
New-backup-test        New      0        0          <nil>     21d       default                             <none> 
New-backup-test02      New      0        0          <nil>     24d       default                             <none>

     

  • velero describe backup may show errors similar to:
    error getting backup volume info: client rate limiter Wait returned an error: rate: Wait(n=1) would exceed context deadline

Environment

VMware vSphere Kubernetes Service (VKS)

Cause

Velero is deployed as a namespace-scoped controller and only monitors the namespace in which it is installed (typically velero). Backup custom resources created in a different namespace are not processed or reconciled by the Velero controller. As a result, lifecycle operations such as deletion are not executed, leaving the Backup objects in a New state.

Resolution

Case 1: Backup WITHOUT finalizers (most common in this scenario)

Verify no finalizers exist: 

kubectl get backup <backup-name> -n <namespace> -o yaml | grep finalizers


If no output is returned, delete directly:

kubectl delete backup <backup-name> -n <incorrect-namespace>


Case 2: Backup WITH finalizers (deletion stuck in Terminating)

Check finalizers:

kubectl get backup <backup-name> -n <namespace> -o jsonpath='{.metadata.finalizers}'

Then delete the backup:

kubectl delete backup <backup-name> -n <namespace>


Verify deletion:

kubectl get backup -n <incorrect-namespace>
velero get backup -n velero

Additional Information

The Velero controller is architected to exclusively monitor and process CRs (Backups, Restores, Schedules) that reside within the namespace where the Velero server pod is deployed (typically velero or tanzu-system-data-protection in VMware Tanzu environments). Velero resources created outside of this authoritative namespace are ignored by the controller, leaving them permanently in the New state.

To correct this, the Backup or Schedule objects must be created within the Velero namespace, utilizing flags to specify which application namespaces should be included in the backup payload.

Remediation Instructions:

Identify the namespace hosting the active Velero controller: 

kubectl get pods -A | grep velero

Remove the inactive schedule and backup resources from the application namespace that remain, if any:

kubectl delete schedule pvc-daily-backup -n <incorrect-namespace>

Recreate the schedule in the correct Velero namespace (assuming velero), targeting the application namespace for inclusion:

velero schedule create pvc-daily-backup --schedule="0 2 * * *" --include-namespaces <namespace-to-be-backed-up> -n velero

Execute a manual backup to validate functionality: 

velero backup create <backup-name> --include-namespaces <namespace(s)-to-be-backup-up -n velero
Powered by Wolken Software