Stay organized with collectionsSave and categorize content based on your preferences.
AutopilotStandard
This page explains how to enable permissive mode on a backup plan.
During backup execution, if Backup for GKE detects conditions that are likely
to cause restore to fail, the backup itself fails. The reason for the failure
is provided in the backup'sstate_reasonfield. In the Google Cloud console, this field is termed asStatus reason.
About permissive mode
When backup failures aren't acceptable and it's not possible to address the
underlying issues, you can enablepermissive mode. Permissive mode ensures
that backups complete successfully, even if GKE resources that
could potentially cause restore failures are detected during the backup process.
Details about the issues are provided in the backup'sStatus reasonfield.
We recommend using this option only if you understand the issues and can
implement workarounds during the restoration process. For a list of potential
error messages in the backup'sStatus reasonfield with recommended actions,
seeTroubleshoot backup failures.
Enable permissive mode
Use the following instructions to enable permissive mode:
gcloud
To enable permissive mode, run thegcloud beta container backup-restore backup-plans updatecommand:
The following table provides explanations and recommended actions for various
backup failure messages displayed in the backup'sStatus reasonfield.
Backup failure message
Message description and failure reason
Recommended action
CustomResourceDefinitions "..." have invalid schemas
Description: A Custom Resource Definition (CRD) in
the cluster was originally applied asapiextensions.k8s.io/v1beta1and lacks a structural schema
required inapiextensions.k8s.io/v1.
Reason: Backup for GKE cannot automatically define
the structural schema. Restoring the CRD in Kubernetes v1.22+ clusters,
whereapiextensions.k8s.io/v1beta1is not available, causes
the restore to fail. This failure happens when restoring custom
resources defined by the CRD.
We recommend you to use the following options:
If you manage the CRD, follow the steps inthe Kubernetes documentationto specify a structural schema for your CRD.
If it's a GKE-managed CRD, you can callkubectl delete
crdif there are no existing resources served by the CRD. If
there are existing resources served by the CRD, you can enable
permissive mode with an understanding of the restore behavior. For
recommendations on common CRDs, see thedocumentation.
If it's a third-party CRD, consult the relevant documentation to
migrate toapiextensions.k8s.io/v1.
When permissive mode is enabled, the CRD without a structural schema
won't be backed up in a Kubernetes v1.22+ cluster. To successfully
restore such a backup, you need to exclude the resources served by the
CRD from restore or create the CRD in the target cluster before starting
the restore.
Failed to query API resources ...
Description: An API service in the cluster is
misconfigured. This causes requests to the API path to return "Failed to
query API resources." The underlying service may not exist or may not be
ready yet.
Reason: Backup for GKE is unable to back up any
resources served by the unavailable API.
Check the underlying service in the API service'sspec.serviceto make sure it is ready.
When permissive mode is enabled, resources from the API groups that
failed to load won't be backed up.
Secret ... is an auto-generated token from ServiceAccount ...
referenced in Pod specs
Description: In Kubernetes v1.23 and earlier, service
accounts automatically generate a token backed by a secret. However, in
later versions, Kubernetes removed this auto-generated token feature. A
Pod in the cluster might have mounted the secret volume to its
containers' file system.
Reason: If Backup for GKE attempts to restore a
service account along with its auto-generated secret and a Pod that
mounts the secret volume, the restore appears to be successful. However,
Kubernetes removes the secret, which causes the Pod to get stuck in
container creation and fail to start.
Define thespec.serviceAccountNamefield in the Pod. This
action ensures that the token is automatically mounted on/var/run/secrets/kubernetes.io/serviceaccountin the
containers. For more information, refer toConfigure Service Accounts for Podsdocumentation.
When permissive mode is enabled, the secret is backed up but can't
be mounted in Pods in Kubernetes v1.24+ clusters.
Common Custom Resource Definitions (CRDs) with issues and recommended actions
Here are some common CRDs that have backup issues and the actions we recommend
to address the issues:
capacityrequests.internal.autoscaling.k8s.io:
This CRD was used temporarily in v1.21 clusters. Runkubectl
delete crd capacityrequests.internal.autoscaling.k8s.ioto
remove the CRD.
scalingpolicies.scalingpolicy.kope.io:
This CRD was used to control fluentd resources, but GKE has migrated to using
fluentbit. Runkubectl delete crd scalingpolicies.scalingpolicy.kope.ioto
remove the CRD.
memberships.hub.gke.io:
Runkubectl delete crd memberships.hub.gke.ioto remove the CRD if there are
no membership resources. Enable permissive mode if there are membership
resources.
applications.app.k8s.io:
Enable permissive mode with an understanding of restore behavior.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-09 UTC."],[],[],null,["# Enable permissive mode on a backup plan\n\nAutopilot Standard\n\n*** ** * ** ***\n\nThis page explains how to enable permissive mode on a backup plan.\n\nDuring backup execution, if Backup for GKE detects conditions that are likely\nto cause restore to fail, the backup itself fails. The reason for the failure\nis provided in the backup's\n[state_reason](/kubernetes-engine/docs/add-on/backup-for-gke/reference/rest/v1/projects.locations.backupPlans.backups#Backup.FIELDS.state_reason)\nfield. In the Google Cloud console, this field is termed as **Status reason**.\n| **Note:** You can [set up alerts](/kubernetes-engine/docs/add-on/backup-for-gke/how-to/alerts) to receive notifications if backups fail.\n\nAbout permissive mode\n---------------------\n\nWhen backup failures aren't acceptable and it's not possible to address the\nunderlying issues, you can enable *permissive mode* . Permissive mode ensures\nthat backups complete successfully, even if GKE resources that\ncould potentially cause restore failures are detected during the backup process.\nDetails about the issues are provided in the backup's **Status reason** field.\n\nWe recommend using this option only if you understand the issues and can\nimplement workarounds during the restoration process. For a list of potential\nerror messages in the backup's **Status reason** field with recommended actions,\nsee [Troubleshoot backup failures](/kubernetes-engine/docs/add-on/backup-for-gke/troubleshoot/permissive-mode#troubleshoot_backup_failures).\n\nEnable permissive mode\n----------------------\n\nUse the following instructions to enable permissive mode: \n\n### gcloud\n\nTo enable permissive mode, run the\n`gcloud beta container backup-restore backup-plans update` command: \n\n gcloud beta container backup-restore backup-plans update \u003cvar translate=\"no\"\u003eBACKUP_PLAN\u003c/var\u003e \\\n --project=\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e \\\n --location=\u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e\n --permissive-mode\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eBACKUP_PLAN\u003c/var\u003e: the name of the backup plan that you want to update.\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: the ID of your Google Cloud project.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: the\n [compute region](/compute/docs/regions-zones#available)\n for the resource, for example `us-central1`. See [About resource locations](/kubernetes-engine/docs/add-on/backup-for-gke/concepts/about-locations).\n\n For a full list of options, refer to the\n [gcloud beta container backup-restore backup-plans update](/sdk/gcloud/reference/beta/container/backup-restore/backup-plans/update)\n documentation.\n\n### Console\n\nUse the following instructions to enable permissive mode in the\nGoogle Cloud console:\n\n1. In the Google Cloud console, go to the **Google Kubernetes Engine** page.\n\n [Go to Google Kubernetes Engine](https://console.cloud.google.com/kubernetes/list)\n2. In the navigation menu, click **Backup for GKE**.\n\n3. Click the **Backup plans** tab.\n\n4. Expand the cluster and click the plan name.\n\n5. Click the **Details** tab to edit the plan details.\n\n6. Click **Edit** to edit the section with **Backup mode**.\n\n7. Click the **Permissive mode** checkbox and click **Save changes**.\n\n### Terraform\n\nUpdate the existing `google_gke_backup_backup_plan` resource. \n\n resource \"google_gke_backup_backup_plan\" \"\u003cvar translate=\"no\"\u003eNAME\u003c/var\u003e\" {\n ...\n backup_config {\n permissive_mode = true\n ...\n }\n }\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eNAME\u003c/var\u003e: the name of the `google_gke_backup_backup_plan` that you want to update.\n\nFor more information, see\n[gke_backup_backup_plan](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/gke_backup_backup_plan).\n\nTroubleshoot backup failures\n----------------------------\n\nThe following table provides explanations and recommended actions for various\nbackup failure messages displayed in the backup's **Status reason** field.\n\n### Common Custom Resource Definitions (CRDs) with issues and recommended actions\n\nHere are some common CRDs that have backup issues and the actions we recommend\nto address the issues:\n\n- `capacityrequests.internal.autoscaling.k8s.io`: This CRD was used temporarily in v1.21 clusters. Run `kubectl\n delete crd capacityrequests.internal.autoscaling.k8s.io` to remove the CRD.\n- `scalingpolicies.scalingpolicy.kope.io`: This CRD was used to control fluentd resources, but GKE has migrated to using fluentbit. Run `kubectl delete crd scalingpolicies.scalingpolicy.kope.io` to remove the CRD.\n- `memberships.hub.gke.io`: Run `kubectl delete crd memberships.hub.gke.io` to remove the CRD if there are no membership resources. Enable permissive mode if there are membership resources.\n- `applications.app.k8s.io`: Enable permissive mode with an understanding of restore behavior."]]
