Kasten backup job failing with 401 Unauthorized when accessing OpenShift internal registry

Question

Hello community,We are running Kasten K10 v7.5.3 on OpenShift (bare metal) and encountering recurring backup job failures during the CopyVolumeData phase.In the logs, Kasten attempts to pull images from the internal OpenShift image registry and receives multiple 401 Unauthorized responses. Example error:GET https://image-registry.openshift-image-registry.svc:5000/openshift/token?scope=repository:/:pullunexpected status code 401 UnauthorizedOnly certain workloads are affected (those belonging to one project currently in a failed state by design). All other namespaces complete backups successfully.We’ve confirmed:The node hosting the copy-vol-data pod was ready and schedulable during retries.Policy configuration selects only the affected namespace.Storage backend is NFS.Has anyone experienced Kasten backup failures caused by workloads in a failed deployment state or image registry authentication issues?Any advice or workaround (such as excluding failed workloads from backup policies) would be appreciated.Thanks in advance!

eprieto · Answer

Hello community,We are running Kasten K10 v7.5.3 on OpenShift (bare metal) and encountering recurring backup job failures during the CopyVolumeData phase.In the logs, Kasten attempts to pull images from the internal OpenShift image registry and receives multiple 401 Unauthorized responses. Example error:GET https://image-registry.openshift-image-registry.svc:5000/openshift/token?scope=repository:/:pullunexpected status code 401 UnauthorizedOnly certain workloads are affected (those belonging to one project currently in a failed state by design). All other namespaces complete backups successfully.We’ve confirmed:The node hosting the copy-vol-data pod was ready and schedulable during retries.Policy configuration selects only the affected namespace.Storage backend is NFS.Has anyone experienced Kasten backup failures caused by workloads in a failed deployment state or image registry authentication issues?Any advice or workaround (such as excluding failed workloads from backup policies) would be appreciated.Thanks in advance!You may want to double-check which ServiceAccount the copy-vol-data Pod is using and whether it actually has permission to pull images from the internal OpenShift registry in that specific namespace.If the images are coming from ImageStreams in that project (or mirrored there), the ServiceAccount typically needs image pull permissions, such as the system:image-puller role, on that namespace. A 401 Unauthorized response from the registry token endpoint usually means the Pod is trying to authenticate but does not have the correct pull rights for that project.Since only one namespace is affected, it’s very likely a permissions or registry access issue specific to that project rather than a general Kasten problemBest!

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded