Filtering Files During Backup/Restore

This guide will show you how to exclude/include subset of files during backup/restore process.

Before You Begin

  • At first, you need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using kind.
  • Install Stash in your cluster following the steps here.
  • Install Stash kubectl plugin following the steps here.
  • You should be familiar with the following Stash concepts:

To keep everything isolated, we are going to use a separate namespace called demo throughout this tutorial.

❯ kubectl create ns demo
namespace/demo created

Prepare Workload

At first, we are going to create a PVC then we are going to create a Deployment that will use this PVC.

Create PVC

Below is the YAML of the sample PVC that we are going to create,

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: source-data
  namespace: demo
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: standard
  resources:
    requests:
      storage: 2Gi

Let’s create the PVC we have shown above,

❯ kubectl apply -f https://github.com/stashed/docs/raw/v2025.1.9/docs/guides/use-cases/exclude-include-files/examples/pvc-source.yaml
persistentvolumeclaim/source-data created

Create Deployment

Now, we are going to deploy a Deployment that uses the above PVC. Below is the YAML of the Deployment that we are going to create,

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: stash-demo
  name: stash-demo
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: stash-demo
  template:
    metadata:
      labels:
        app: stash-demo
      name: busybox
    spec:
      containers:
      - args:
        - sleep
        - "3600"
        image: busybox
        imagePullPolicy: IfNotPresent
        name: busybox
        volumeMounts:
        - mountPath: /source/data
          name: source-data
      restartPolicy: Always
      volumes:
      - name: source-data
        persistentVolumeClaim:
          claimName: source-data

Let’s create the Deployment we have shown above,

❯ kubectl apply -f https://github.com/stashed/docs/raw/v2025.1.9/docs/guides/use-cases/exclude-include-files/examples/deployment-source.yaml
deployment.apps/stash-demo created

Now, wait for the pod of the Deployment to go into Running state.

❯ kubectl get pod -n demo
NAME                          READY   STATUS    RESTARTS   AGE
stash-demo-67576d874-2tj9d    1/1     Running   0          81s

Insert Data

# create sample data
❯ kubectl exec -n demo -it  stash-demo-67576d874-2tj9d -- /bin/sh -c "touch /source/data/data-1.txt"

❯ kubectl exec -n demo -it  stash-demo-67576d874-2tj9d -- /bin/sh -c "touch /source/data/data-2.txt"

❯ kubectl exec -n demo -it  stash-demo-67576d874-2tj9d -- /bin/sh -c "touch /source/data/not-important.txt"

❯ kubectl exec -n demo -it  stash-demo-67576d874-2tj9d -- /bin/sh -c "touch /source/data/index.html"

❯ kubectl exec -n demo -it  stash-demo-67576d874-2tj9d -- /bin/sh -c "touch /source/data/resp.json"

❯ kubectl exec -n demo -it  stash-demo-67576d874-2tj9d -- /bin/sh -c "mkdir /source/data/tmp"

❯ kubectl exec -n demo -it  stash-demo-67576d874-2tj9d -- /bin/sh -c "touch /source/data/tmp/tmp.txt"

Prepare Backend

We are going to store our backed up data into a GCS bucket. We have to create a Secret with necessary credentials and a Repository crd to use this backend. If you want to use a different backend, please read the respective backend configuration doc from here.

For GCS backend, if the bucket does not exist, Stash needs Storage Object Admin role permissions to create the bucket. For more details, please check the following guide.

Create Secret

Let’s create a secret called gcs-secret with access credentials to our desired GCS bucket,

$ echo -n 'changeit' > RESTIC_PASSWORD
$ echo -n '<your-project-id>' > GOOGLE_PROJECT_ID
$ cat /path/to/downloaded-sa-key.json > GOOGLE_SERVICE_ACCOUNT_JSON_KEY
$ kubectl create secret generic -n demo gcs-secret \
    --from-file=./RESTIC_PASSWORD \
    --from-file=./GOOGLE_PROJECT_ID \
    --from-file=./GOOGLE_SERVICE_ACCOUNT_JSON_KEY
secret/gcs-secret created

Full Backup

Stash automatically takes backup of all the data in the specified path. We are going to create a BackupConfiguration crd targeting the stash-demo Deployment that we have deployed earlier. Then, Stash will inject a sidecar container into the target. It will also create a CronJob to take periodic backup of /source/data directory of the target.

We are going to use the following Repository to backup our data,

apiVersion: stash.appscode.com/v1alpha1
kind: Repository
metadata:
  name: gcs-repo-full
  namespace: demo
spec:
  backend:
    gcs:
      bucket: stash-testing
      prefix: /demo/stash-demo/full
    storageSecretName: gcs-secret

Let’s create the Repository,

❯ kubectl apply -f https://github.com/stashed/docs/raw/v2025.1.9/docs/guides/use-cases/exclude-include-files/examples/repository-full.yaml
repository.stash.appscode.com/gcs-repo-full created

Bellow is the yaml of the BackupConfiguration we are going to create,

apiVersion: stash.appscode.com/v1beta1
kind: BackupConfiguration
metadata:
  name: deployment-backup-full
  namespace: demo
spec:
  repository:
    name: gcs-repo-full
  schedule: "*/5 * * * *"
  target:
    ref:
      apiVersion: apps/v1
      kind: Deployment
      name: stash-demo
    volumeMounts:
    - name: source-data
      mountPath: /source/data
    paths:
    - /source/data
  retentionPolicy:
    name: 'keep-last-5'
    keepLast: 5
    prune: true

The above BackupConfiguration will backup everything inside the /source/data directory.

Let’s create the BackupConfiguration object that we have shown above,

❯ kubectl apply -f https://github.com/stashed/docs/raw/v2025.1.9/docs/guides/use-cases/exclude-include-files/examples/backupconfiguration-full.yaml
backupconfiguration.stash.appscode.com/deployment-backup-full created

If everything goes well, the phase of the BackupConfiguration should be Ready. The Ready phase indicates that the backup setup is successful.

Trigger a Backup

Lets trigger a backup using Stash kubectl plugin,

❯ kubectl stash trigger -n demo deployment-backup-full

Wait for BackupSession to Succeed

Run the following command to watch BackupSession phase,

❯ watch kubectl get -n demo backupsession -n demo
NAME                                INVOKER-TYPE          INVOKER-NAME        PHASE       AGE
deployment-backup-full-1647347700   BackupConfiguration   deployment-backup   Succeeded   21s

Verify Backup

Lets download the latest snapshot of the Repository in /tmp/full-backup directory using Stash kubectl plugin,

❯ mkdir /tmp/full-backup
❯ kubectl stash download gcs-repo-full -n demo --destination=/tmp/full-backup --snapshots="latest"

List the files in /tmp/full-backup/latest/source/data directory to verify the backup data.

❯ ls -R /tmp/full-backup/latest/source/data

/tmp/full-backup/latest/source/data:
data-1.txt  data-2.txt  index.html  not-important.txt  resp.json  tmp/

/tmp/full-backup/latest/source/data/tmp:
tmp.txt

Filtering During Backup

In this section, we are going to show how to filter files during a backup.

Exclude Subset of Files

Here, we are going show how to exclude particular files during a backup. We can exclude a subset of files during backup using the spec.target.exclude section in the BackupConfiguration.

We are going to use the following Repository to backup our data,

apiVersion: stash.appscode.com/v1alpha1
kind: Repository
metadata:
  name: gcs-repo-exclude
  namespace: demo
spec:
  backend:
    gcs:
      bucket: stash-testing
      prefix: /demo/stash-demo/exclude
    storageSecretName: gcs-secret

Let’s create the Repository we have shown above,

❯ kubectl apply -f https://github.com/stashed/docs/raw/v2025.1.9/docs/guides/use-cases/exclude-include-files/examples/repository-exclude.yaml
repository.stash.appscode.com/gcs-repo-exclude created

Below is the YAML of the BackupConfiguration crd that we are going to create,

apiVersion: stash.appscode.com/v1beta1
kind: BackupConfiguration
metadata:
  name: deployment-backup-exclude
  namespace: demo
spec:
  repository:
    name: gcs-repo-exclude
  schedule: "*/5 * * * *"
  target:
    ref:
      apiVersion: apps/v1
      kind: Deployment
      name: stash-demo
    volumeMounts:
    - name: source-data
      mountPath: /source/data
    paths:
    - /source/data
    exclude:
    - /source/data/not-important.txt # exclude only one file
    - /source/data/*.html # exclude the files with .html extension
    - /source/data/tmp/* # exclude a directory
  retentionPolicy:
    name: 'keep-last-5'
    keepLast: 5
    prune: true

The above BackupConfiguration will backup everything inside the /source/data directory except the file source/data/not-important.txt, all the html files, and the directory source/data/tmp.

Let’s create the BackupConfiguration object that we have shown above,

❯ kubectl apply -f https://github.com/stashed/docs/raw/v2025.1.9/docs/guides/use-cases/exclude-include-files/examples/backupconfiguration-exclude.yaml
backupconfiguration.stash.appscode.com/deployment-backup-exclude created

If everything goes well, the phase of the BackupConfiguration should be Ready. The Ready phase indicates that the backup setup is successful.

Trigger a Backup

Lets trigger a backup using Stash kubectl plugin,

kubectl stash trigger -n demo deployment-backup-exclude

Wait for BackupSession to Succeed

Run the following command to watch BackupSession phase,

$ watch kubectl get -n demo backupsession -n demo
NAME                                   INVOKER-TYPE          INVOKER-NAME        PHASE       AGE
deployment-backup-exclude-1647347700   BackupConfiguration   deployment-backup   Succeeded   21s

Verify Backup

Lets download the latest snapshot of the Repository in /tmp/partial-backup directory using Stash kubectl plugin,

❯ mkdir /tmp/partial-backup
❯ kubectl stash download gcs-repo-full -n demo --destination=/tmp/partial-backup --snapshots="latest"

List the files in /tmp/partial-backup/latest/source/data directory to verify the backup data.

❯ ls -R /tmp/partial-backup/latest/source/data

/tmp/partial-backup/latest/source/data:
data-1.txt  data-2.txt  resp.json  tmp/

/tmp/partial-backup/latest/source/data/tmp:

Filtering During Restore

In this section, we are going to show how to filter files during a backup. At first, we are going to deploy a new Deployment with a PVC . Then, we are going to restore the backed up data using Stash.

Prepare Workload

Below is the YAML of the PVC that we are going to create,

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: recovered-data
  namespace: demo
spec:
  accessModes:
  - ReadWriteOnce
  storageClassName: standard
  resources:
    requests:
      storage: 1Gi

Let’s create the PVC we have shown above,

❯ kubectl apply -f https://github.com/stashed/docs/raw/v2025.1.9/docs/guides/use-cases/exclude-include-files/examples/pvc-recovered.yaml
persistentvolumeclaim/recovered-data created

Below is the YAML of the Deployment that we are going to create,

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: stash-recovered
  name: stash-recovered
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: stash-recovered
  template:
    metadata:
      labels:
        app: stash-recovered
      name: busybox
    spec:
      containers:
      - args:
        - sleep
        - "3600"
        image: busybox
        imagePullPolicy: IfNotPresent
        name: busybox
        volumeMounts:
        - mountPath: /source/data
          name: source-data
      restartPolicy: Always
      volumes:
      - name: source-data
        persistentVolumeClaim:
          claimName: recovered-data

Let’s create the Deployment we have shown above,

❯ kubectl apply -f https://github.com/stashed/docs/raw/v2025.1.9/docs/guides/use-cases/exclude-include-files/examples/deployment-recovered.yaml
deployment.apps/stash-recovered created

Now, wait for the pod of the Deployment to go into Running state.

❯ kubectl get pod -n demo
NAME                               READY   STATUS    RESTARTS   AGE
stash-recovered-67576d874-2tj9d    1/1     Running   0          81s

Exclude Subset of Files

Here, we are going show how to exclude particular files during a restore. We can exclude a subset of files during a restore using the spec.target.rules section in the RestoreSession.

Below is the YAML of the RestoreSession crd that we are going to create,

apiVersion: stash.appscode.com/v1beta1
kind: RestoreSession
metadata:
  name: deployment-restore-exclude
  namespace: demo
spec:
  repository:
    name: gcs-repo-full
  target:
    ref:
      apiVersion: apps/v1
      kind: Deployment
      name: stash-recovered
    volumeMounts:
    - name:  source-data
      mountPath:  /source/data
    rules:
    - paths:
      - /source/data/
      exclude:
      - /source/data/not-important.txt # don't restore this file
      - /source/data/*.html # don't restore the files with .html extension
      - /source/data/tmp/* # don't restore this directory

The above RestoreSession will restore everything inside the /source/data directory except source/data/not-important.txt, all the html files, and the directory source/data/tmp.

Let’s create the RestoreSession object that we have shown above,

❯ kubectl apply -f https://github.com/stashed/docs/raw/v2025.1.9/docs/guides/use-cases/exclude-include-files/examples/restoresession-exclude.yaml
restoresession.stash.appscode.com/deployment-restore-exclude created

Verify that the files have been restored in /source/data directory using the following command,

❯ kubectl exec -n demo stash-recovered-67576d874-2tj9d -- ls -R /source/data

/source/data:
data-1.txt
data-2.txt
resp.json
tmp/

/source/data/tmp:

Restore Subset of Files

Previously we have restored the backed up data excluding specific files or directory. You can also restore only the selected files or directory during a restore.

Below is the YAML of the RestoreSession crd that we are going to create,

apiVersion: stash.appscode.com/v1beta1
kind: RestoreSession
metadata:
  name: deployment-restore-include
  namespace: demo
spec:
  repository:
    name: gcs-repo-full
  target:
    ref:
      apiVersion: apps/v1
      kind: Deployment
      name: stash-recovered
    volumeMounts:
    - name:  source-data
      mountPath:  /source/data
    rules:
    - paths:
      - /source/data/
      include:
      - /source/data/data1.txt # restore this file
      - /source/data/*.json # restore the files with .json extension
      - /source/data/tmp/* # restore this directory

Let’s create the RestoreSession object that we have shown above,

❯ kubectl apply -f https://github.com/stashed/docs/raw/v2025.1.9/docs/guides/use-cases/exclude-include-files/examples/restoresession-include.yaml
restoresession.stash.appscode.com/deployment-restore-include created

Verify that the files have been restored in /source/data directory using the following command,

❯ kubectl exec -n demo stash-recovered-7dd74d9ff7-h9t7x -- ls -R /source/data
/source/data:
resp.json
tmp

/source/data/tmp:
tmp.txt

Cleaning Up

❯ kubectl delete -n demo deployment stash-demo
❯ kubectl delete -n demo deployment stash-recovered
❯ kubectl delete -n demo backupconfiguration deployment-backup-full
❯ kubectl delete -n demo backupconfiguration deployment-backup-exclude
❯ kubectl delete -n demo restoresession deployment-restore-include
❯ kubectl delete -n demo restoresession deployment-restore-exclude
❯ kubectl delete -n demo repository gcs-repo-full
❯ kubectl delete -n demo repository gcs-repo-exclude
❯ kubectl delete -n demo secret gcs-secret
❯ kubectl delete -n demo pvc --all