Channel: Veeam Support Knowledge Base

Veeam Kasten GSB backups fail with the error "mkdir /tmp/kopia-log: read-only file system"


KB ID: 4652
Product: Veeam Kasten for Kubernetes | 7
Published: 2024-09-06
Last Modified: 2024-09-06

Challenge

Backups of workloads that use Generic Storage Backup (GSB) fail with the error:

mkdir /tmp/kopia-log: read-only file system\r\nUnable to create logs directory: mkdir /tmp/kopia-log: read-only file system

Cause

Veeam Kasten for Kubernetes's datamover needs write access to the /tmp directory for storing the config files and log files. If readOnlyRootFilesystem is set to true in the securityContext of the kanister-sidecar container, any writes to /tmp are restricted, causing the backup in Kasten to fail with the above error message.

Starting from Veeam Kasten for Kubernetes version 7.0.8, the automatic sidecar injector for GSB merges the securityContext of all the other containers in the workload and selects the most restrictive securityContext for the kanister-sidecar container.

Due to this change, there may be instances where customers need to manually adjust the kanister-sidecar to ensure that GSB functions properly. One example is when readOnlyRootFilesystem is set in the securityContext of any application container in the workload into which the sidecar is injected.

Solution

This issue can be mitigated by updating the kanister-sidecar container in the customer's workload to add an emptyDir volumeMount for /tmp, so that the datamover can write its config and log files to that directory.

Below is an example command to patch the kanister-sidecar container in a deployment with the emptyDir volume.

 

kubectl -n <namespace> patch deployment <deployment/workload name> -p \
'{"spec":{"template":{"spec":{"containers":[{"name":"kanister-sidecar","volumeMounts":[{"name":"tmp-volume","mountPath":"/tmp"}]}],"volumes":[{"name":"tmp-volume","emptyDir":{}}]}}}}'

This command can also be repurposed to patch other workload types, such as StatefulSets.

Potential Service Interruption

Patching the workload causes the pods to be deleted and recreated with the changes. Take caution when updating the sidecar, and do so during a maintenance window for your application.

More Information

By default, data operations performed by Kasten require the Linux capabilities 'CHOWN', 'DAC_OVERRIDE', and 'FOWNER' to be allowed in order to run in the container.

Starting in Veeam Kasten for Kubernetes v7.0.8, any workload that is injected with a sidecar will automatically incorporate the necessary capabilities. However, existing workloads that have already been injected with sidecars will require a manual update to include these capabilities. 
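
To find workloads that need the /tmp patch or the capability update before a backup fails, the check below inspects a workload object (the parsed output of kubectl get ... -o json) for the two conditions described in this article. It is an added example, not Veeam code; the function name, the sample objects, and the simplified capability model (a named drop removes a capability, "ALL" removes everything not added back) are assumptions.

```python
import copy

SIDECAR = "kanister-sidecar"
REQUIRED_CAPS = {"CHOWN", "DAC_OVERRIDE", "FOWNER"}  # listed under More Information

def check_sidecar(workload):
    """Return a list of findings for the kanister-sidecar of a Deployment/StatefulSet dict."""
    pod = workload["spec"]["template"]["spec"]
    sidecar = next((c for c in pod.get("containers", []) if c.get("name") == SIDECAR), None)
    if sidecar is None:
        return ["no kanister-sidecar container in pod template"]
    findings = []
    sc = sidecar.get("securityContext") or {}
    # Only an emptyDir mounted read-write at /tmp gives the datamover scratch space.
    empty_dirs = {v["name"] for v in pod.get("volumes", []) if "emptyDir" in v}
    tmp_writable = any(
        m.get("mountPath", "").rstrip("/") == "/tmp"
        and m.get("name") in empty_dirs
        and not m.get("readOnly", False)
        for m in sidecar.get("volumeMounts", [])
    )
    if sc.get("readOnlyRootFilesystem") is True and not tmp_writable:
        findings.append("readOnlyRootFilesystem=true without a writable emptyDir on /tmp")
    caps = sc.get("capabilities") or {}
    drop = {c.upper() for c in caps.get("drop") or []}
    add = {c.upper() for c in caps.get("add") or []}
    # Assumed model: named drops win; drop ALL leaves only what is added back.
    missing = (REQUIRED_CAPS & drop) | (REQUIRED_CAPS - add if "ALL" in drop else set())
    if missing:
        findings.append("capabilities not allowed: " + ", ".join(sorted(missing)))
    return findings

# Constructed sample: the sidecar inherited the most restrictive securityContext.
BEFORE = {"spec": {"template": {"spec": {
    "containers": [
        {"name": "app", "securityContext": {"readOnlyRootFilesystem": True}},
        {"name": SIDECAR, "securityContext": {
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"], "add": ["CHOWN"]}}},
    ]}}}}

# Same workload after the emptyDir patch from this article and the capability update.
AFTER = copy.deepcopy(BEFORE)
_spec = AFTER["spec"]["template"]["spec"]
_spec["volumes"] = [{"name": "tmp-volume", "emptyDir": {}}]
_spec["containers"][1]["volumeMounts"] = [{"name": "tmp-volume", "mountPath": "/tmp"}]
_spec["containers"][1]["securityContext"]["capabilities"]["add"] = sorted(REQUIRED_CAPS)

if __name__ == "__main__":
    print("before:", check_sidecar(BEFORE))
    print("after: ", check_sidecar(AFTER))
```

For a live cluster, load the JSON from kubectl get deployment <name> -o json with json.load and pass the resulting dict to check_sidecar.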
