vmware-tanzu / velero

Backup and migrate Kubernetes applications and their persistent volumes
https://velero.io
Apache License 2.0

No resources should be backed up with non-matching label, but the namespace is backed up #7749

Open ywk253100 opened 2 months ago

ywk253100 commented 2 months ago

Create a backup with velero backup create test11 --include-namespaces default --snapshot-volumes --wait --selector app=etcd0. Because the label app=etcd0 doesn't match any resource, there should be no resource in the backup, but the backup contains the namespace resource.

The workload:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: etcd0-pv-claim
spec:
  storageClassName: "default"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: etcd
    etcd_node: etcd0
  name: etcd0
  annotations:
    "pre.hook.backup.velero.io/container": "etcd0"
    "pre.hook.backup.velero.io/command": "[\"/usr/local/bin/etcd\", \"-h\"]"
spec:
  volumes:
    - name: etcd0-storage
      persistentVolumeClaim:
        claimName: etcd0-pv-claim
  containers:
    - command:
        - /usr/local/bin/etcd
        - --name
        - etcd0
        - --initial-advertise-peer-urls
        - http://etcd0:2380
        - --listen-peer-urls
        - http://0.0.0.0:2380
        - --listen-client-urls
        - http://0.0.0.0:2379
        - --advertise-client-urls
        - http://etcd0:2379
        - --initial-cluster
        - etcd0=http://etcd0:2380,etcd1=http://etcd1:2380,etcd2=http://etcd2:2380
        - --initial-cluster-state
        - new
      image: quay.io/coreos/etcd:latest
      volumeMounts:
        - mountPath: "/etcd0.etcd"
          name: etcd0-storage
      name: etcd0
      ports:
        - containerPort: 2379
          name: client
          protocol: TCP
        - containerPort: 2380
          name: server
          protocol: TCP
  restartPolicy: Always

Describe the backup:

velero backup describe test11 --details
Name:         test11
Namespace:    velero
Labels:       velero.io/storage-location=default
Annotations:  velero.io/resource-timeout=10m0s
              velero.io/source-cluster-k8s-gitversion=v1.28.7+vmware.1
              velero.io/source-cluster-k8s-major-version=1
              velero.io/source-cluster-k8s-minor-version=28

Phase:  Completed

Namespaces:
  Included:  default
  Excluded:  <none>

Resources:
  Included:        *
  Excluded:        <none>
  Cluster-scoped:  auto

Label selector:  app=etcd0

Or label selector:  <none>

Storage Location:  default

Velero-Native Snapshot PVs:  true
Snapshot Move Data:          true
Data Mover:                  velero

TTL:  720h0m0s

CSISnapshotTimeout:    10m0s
ItemOperationTimeout:  4h0m0s

Hooks:  <none>

Backup Format Version:  1.1.0

Started:    2024-04-28 08:35:50 +0000 UTC
Completed:  2024-04-28 08:35:51 +0000 UTC

Expiration:  2024-05-28 08:35:50 +0000 UTC

Total items to be backed up:  1
Items backed up:              1

Resource List:
  v1/Namespace:
    - default

Backup Volumes:
  Velero-Native Snapshots: <none included>

  CSI Snapshots: <none included>

  Pod Volume Backups: <none included>

HooksAttempted:  0
HooksFailed:     0

The default namespace:

kubectl get ns default -o yaml
apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: "2024-04-26T02:00:45Z"
  labels:
    kubernetes.io/metadata.name: default
  name: default
  resourceVersion: "49"
  uid: 8500642b-916a-4487-a657-d462d7eb85dd
spec:
  finalizers:
  - kubernetes
status:
  phase: Active

blackpiglet commented 2 months ago

The current behavior of the item collector for the namespace resource is that namespaces that pass the backup.Spec.NamespaceIncludesExcludes.ShouldInclude check are included in the backup.

Because the backup includes the parameter --include-namespaces default, the default namespace is included in the resource list.
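
The behaviour described in the comment above, as an added Go sketch that is not part of the thread and is not Velero's code: Namespace objects are gated only by the namespace include list, while other items must also match the label selector. All type, function and variable names are hypothetical, the selector handles equality terms only, and the selectNS flag is an assumed way to model the result the reporter expected.

```go
package main

import "fmt"

// Simplified model of the behaviour in this thread, not Velero's code; all names are hypothetical.
type Item struct {
	Kind, Namespace, Name string
	Labels                map[string]string
}
type BackupSpec struct {
	IncludedNamespaces map[string]bool   // --include-namespaces
	Selector           map[string]string // --selector (equality terms only)
}

func matches(sel, labels map[string]string) bool {
	for k, v := range sel {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// Collect returns the items a backup would hold. With selectNS=false a Namespace
// object is gated by the include list alone; with true it must match the selector too.
func Collect(spec BackupSpec, cluster []Item, selectNS bool) (out []Item) {
	for _, it := range cluster {
		ns, useSel := it.Namespace, true
		if it.Kind == "Namespace" {
			ns, useSel = it.Name, selectNS
		}
		if spec.IncludedNamespaces[ns] && (!useSel || matches(spec.Selector, it.Labels)) {
			out = append(out, it)
		}
	}
	return out
}

// Constructed from the command, manifests and namespace shown in the issue.
var SampleSpec = BackupSpec{map[string]bool{"default": true}, map[string]string{"app": "etcd0"}}
var SampleCluster = []Item{
	{"Namespace", "", "default", map[string]string{"kubernetes.io/metadata.name": "default"}},
	{"Pod", "default", "etcd0", map[string]string{"app": "etcd", "etcd_node": "etcd0"}},
	{"PersistentVolumeClaim", "default", "etcd0-pv-claim", nil},
}

func main() {
	fmt.Println(Collect(SampleSpec, SampleCluster, false), Collect(SampleSpec, SampleCluster, true))
}
```

With selectNS set to false the model returns the single Namespace item that the describe output lists; with true it returns nothing, which is the outcome the reporter expected.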

github-actions[bot] commented 1 week ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days. If a Velero team member has requested log or more information, please provide the output of the shared commands.