How to Create a Schedule

The Schedule object defines the frequency, destination and secrets required to run K8up jobs in your namespace:

apiVersion: k8up.io/v1
kind: Schedule
metadata:
  name: schedule-test
spec:
  backend:
    s3:
      endpoint: http://minio:9000
      bucket: backups
      accessKeyIDSecretRef:
        name: minio-credentials
        key: username
      secretAccessKeySecretRef:
        name: minio-credentials
        key: password
    repoPasswordSecretRef:
      name: backup-repo
      key: password
  backup:
    schedule: '*/5 * * * *'
    failedJobsHistoryLimit: 2
    successfulJobsHistoryLimit: 2
    # optional
    #promURL: https://prometheus-io-instance:8443
  check:
    schedule: '0 1 * * 1'
    # optional
    #promURL: https://prometheus-io-instance:8443
  prune:
    schedule: '0 1 * * 0'
    retention:
      keepLast: 5
      keepDaily: 14

Save the YAML above in a file named schedule.yaml and use the kubectl apply -f schedule.yaml command to deploy this configuration to your cluster.

The file above will instruct the Operator to do backups every 5 minute, prune them monthly and run check jobs for repository maintenance. It will also archive the latest snapshots to the archive bucket once each week.

Feel free to adjust the frequencies to your liking. To help you with the crontab syntax, we recommend to check out crontab.guru.

You can always check the state and configuration of your backup by using kubectl describe schedule. By default, all PVCs are backed up automatically. Adding the annotation k8up.io/backup=false to a PVC object will exclude it from all following backups. Alternatively, you can set the environment variable BACKUP_SKIP_WITHOUT_ANNOTATION=true if you want K8up to ignore objects without the annotation.

Customize Pod Spec

Just like for each job type, it’s possible to pass custom pod specs to a schedule.

You can either set a PodConfig for all jobs in a schedule at once, or for each job individually. The PodConfig set in the job has precedence over the one in the schedule.

PodConfig supports the full Kubernetes pod spec, including nodeSelector, affinity, tolerations, and securityContext. Use it to control where backup jobs run or to configure pod-level security settings.

apiVersion: k8up.io/v1
kind: PodConfig
metadata:
  name: podconfig
  annotations:
    test: test
spec:
  template:
    spec:
      containers:
        - name: k8up
          env:
            - name: FOO
              value: bar
          securityContext:
            allowPrivilegeEscalation: true
---
apiVersion: k8up.io/v1
kind: Schedule
metadata:
  name: schedule-test
spec:
  podConfigRef:
    name: podconfig
  backend:
    # Abridged for readability
  backup:
    # Abridged for readability
    podConfigRef:
      name: anotherPodConfig

Restricted Pod Security Standard

To make K8up jobs comply with the "restricted" Pod Security Standard, configure both pod and container security contexts via PodConfig:

apiVersion: k8up.io/v1
kind: PodConfig
metadata:
  name: restricted-podconfig
spec:
  template:
    spec:
      containers:
        - name: k8up
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault