Velero
Kubernetes backup, restore, and migration tool maintained by VMware Tanzu. Velero backs up Kubernetes cluster resources (all objects from etcd) and persistent volume data to object storage (S3, GCS, Azure Blob), enabling disaster recovery, cluster migration, and namespace-level restore. It supports scheduled backups, pre/post-backup hooks, and selective resource filtering. The de facto standard for Kubernetes backup.
Score Breakdown
🔒 Security
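Apache 2.0. Backups include Kubernetes Secrets, so encrypt the object storage that holds them. Use IRSA (AWS) or Workload Identity (GCP) for cloud storage authentication. Kubernetes RBAC governs access to Velero's CRDs. The Velero service account typically has cluster-admin, and backup/restore operations run under it, so scope carefully who can create those CRD objects.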
Best When
You need Kubernetes cluster backup and DR with object storage as the backup target, namespace migration, or cluster upgrade rollback capability.
Avoid When
You need sub-hour RPO with continuous replication — Velero's scheduled backup model has gaps between backup points.
Use Cases
- Schedule automated Kubernetes cluster backups to S3/GCS for disaster recovery — restore the entire cluster or specific namespaces after failure
- Migrate Kubernetes workloads between clusters or cloud providers by backing up the source cluster and restoring in the target cluster
- Back up persistent volume data alongside Kubernetes resource definitions for complete application state recovery
- Implement namespace-level backups for multi-tenant clusters — back up individual tenant namespaces on a schedule
- Run pre-backup hooks to quiesce database writes before taking PV snapshots for consistent application backups
Not For
- etcd-level backup — Velero backs up Kubernetes object state, not raw etcd; etcd snapshots are separate
- Real-time replication — Velero is backup-on-schedule, not continuous replication; use storage-level replication for RPO < backup interval
- Application-aware backup for complex stateful apps — Velero's PV backup is crash-consistent; app-consistent backup requires hooks
Interface
Authentication
Velero interfaces via Kubernetes CRDs — Kubernetes RBAC is the auth model. Object store access via cloud IAM (IRSA for AWS, Workload Identity for GCP). Backup/restore operations run with Velero's cluster-admin service account.
Pricing
Apache 2.0, CNCF incubating. Free software — pay only for object storage (typically $0.023/GB/month on S3).
Agent Metadata
Known Gotchas
- ⚠ Velero requires the CSI snapshotter for consistent PV backup — without CSI, only file system backup (restic/kopia) is available, which is slower
- ⚠ Backup of resources with dependencies must preserve order — Velero backs up all resources, but restore order may cause temporary failures for dependent resources
- ⚠ Namespace-scoped restore won't restore cluster-scoped resources (ClusterRoleBindings, StorageClasses) — separate backup/restore required
- ⚠ Large cluster backups can take hours — Velero runs backups as a background job; poll the Backup CRD status, don't wait synchronously
- ⚠ Cross-cloud migration requires identical storage class names or StorageClass mapping — mismatched storage classes cause PVC restore failures
- ⚠ Restic/Kopia (file-level backup) requires running a privileged DaemonSet — security policy restrictions can prevent installation
- ⚠ Default backup includes Secrets — ensure object storage encryption and access controls are in place before backing up production clusters
Scores are editorial opinions as of 2026-03-06.