Restore of GKE cluster deployed with Autopilot mode shows status as “Partial”

Summary

This article explains why restore of a GKE cluster deployed in Autopilot mode may sometimes be marked as “Partial”.

Description

With Autopilot mode, GKE manages the underlying cluster infrastructure such as node configuration, autoscaling, auto-upgrades, security configurations, and networking configuration. Because of that, some Kubernetes resources can be managed only by GKE. This prevents CloudCasa from creating such resources during restore and hence, the restore would be marked as “Partial”. In order to confirm that this is indeed the case, download the logs (See Activity), and check if the creation of some resources has been blocked by GKE.

Here is a sample log message showing that the restore of some resources was denied by GKE:

Namespace kube-system, resource restore error: error restoring endpointslices.discovery.k8s.io/kube-system/kube-dns-khwgb: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:cloudcasa-io:cloudcasa-io\" cannot create resource \"endpointslices\" in API group \"discovery.k8s.io\" in the namespace \"kube-system\": GKE Warden authz [denied by managed-namespaces-limitation]: the namespace \"kube-system\" is managed and the request's verb \"create\" is denied

If there are no similar log messages indicating that GKE blocked the restore of resources, you can contact CloudCasa support for help in determining the cause of the partial success status.