System Requirements for Kubernetes

Verify that your environment meets the system requirements for Kubernetes.

Important

Metallic does not require a backup gateway to protect public Azure Kubernetes Service (AKS) clusters.

A backup gateway is required only in the following scenarios:

  • Private AKS clusters

  • Amazon EKS clusters

  • Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE) clusters

  • Other cloud-based Kubernetes distributions

  • On-premises Kubernetes clusters

For more information, see Metallic Backup Gateway.

Helm Chart Protection (Supported Only for On-Premises Backup Gateways)

If Helm is installed on your Kubernetes backup gateways, Metallic automatically discovers, protects, and restores Helm-based applications and metadata.

Metallic supports the following protection operations for Helm-based applications:

  • Full backup

  • Incremental backup

  • In-place recovery to the original cluster and namespace

Download the most recent Helm binary for your Kubernetes distribution from helm / helm on GitHub.

Requirements are as follows:

  • The Helm binary must be installed in the system PATH of the Kubernetes backup gateways.

  • The following labels are required on applications that are deployed by Helm chart:

    • app.kubernetes.io/instance

    • app.kubernetes.io/managed-by

Kubernetes Service Account

To protect Kubernetes data, Metallic requires a restricted or cluster-wide Kubernetes service account and a service account token.

The service account must have either a custom ClusterRole or the cluster-admin role.
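The choice between a custom ClusterRole and cluster-admin can be audited from the cluster's ClusterRoleBindings. The following is an added example, not Metallic or Commvault code. It reports which ClusterRoles reach a service account, including through the implicit service-account groups; the sample bindings, account names and custom role name are constructed.

```python
# Added example: which ClusterRoles reach a service account, directly or via groups.
# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`;
# every binding, account and custom role name below is hypothetical.
SAMPLE_BINDINGS = {"items": [
    {"metadata": {"name": "backup-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "backup-sa", "namespace": "backup"}]},
    {"metadata": {"name": "backup-restricted"},
     "roleRef": {"kind": "ClusterRole", "name": "backup-custom-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "backup-sa-restricted",
                   "namespace": "backup"}]},
    {"metadata": {"name": "all-backup-sas"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts:backup"}]},
    {"metadata": {"name": "empty"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"}, "subjects": None},
]}


def cluster_roles_for(bindings, namespace, name):
    """Return the sorted ClusterRole names bound cluster-wide to a service account."""
    # Groups that every service account in this namespace belongs to implicitly.
    groups = {"system:serviceaccounts", f"system:serviceaccounts:{namespace}",
              "system:authenticated"}
    roles = set()
    for binding in bindings.get("items", []):
        for subj in binding.get("subjects") or []:  # subjects may be missing or null
            direct = (subj.get("kind") == "ServiceAccount"
                      and subj.get("name") == name
                      and subj.get("namespace") == namespace)
            via_group = subj.get("kind") == "Group" and subj.get("name") in groups
            if direct or via_group:
                roles.add(binding["roleRef"]["name"])
    return sorted(roles)


def access_level(bindings, namespace, name):
    """Classify the account as 'cluster-admin', 'custom' or 'unbound'."""
    roles = cluster_roles_for(bindings, namespace, name)
    if "cluster-admin" in roles:
        return "cluster-admin"
    return "custom" if roles else "unbound"


if __name__ == "__main__":
    for sa in ("backup-sa", "backup-sa-restricted"):
        print(sa, access_level(SAMPLE_BINDINGS, "backup", sa),
              cluster_roles_for(SAMPLE_BINDINGS, "backup", sa))
```

Namespaced RoleBindings are not inspected here; feed them through the same subject matching if the account is also granted roles per namespace.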

Kubernetes Releases

In addition to the specific releases documented in this section, Metallic supports protection of the following:

  • All CNCF-certified Kubernetes distributions that are listed in the Platforms category and that expose the kube-apiserver

  • Kubernetes releases that are in active maintenance at the time of the Metallic release into General Availability (GA)

Vanilla Kubernetes: Active Maintenance Releases

The following Vanilla Kubernetes releases, which are actively maintained by the Kubernetes Project, are supported:

  • Kubernetes 1.24

  • Kubernetes 1.23

  • Kubernetes 1.22

Amazon EKS

The following versions are supported:

  • Amazon EKS

  • Amazon EKS on AWS Outposts

  • Amazon EKS Anywhere

  • Amazon EKS Distro 1.22.x, 1.21.x, and 1.20.x

AKS

The following versions are supported:

  • AKS 1.24.x

  • AKS 1.23.x

  • AKS 1.22.x

Red Hat OpenShift Container Platform (RHOCP): Active Maintenance Releases

The following RHOCP releases, which are actively maintained by Red Hat, are supported:

  • RHOCP 4.10

  • RHOCP 4.9

  • RHOCP 4.8

  • RHOCP 4.7

  • RHOCP 4.6 EUS

End-of-Life Kubernetes Releases

The following versions are supported:

  • Kubernetes 1.21, End of Life 2022-06-28

  • Kubernetes 1.20, End of Life 2022-02-28

  • Kubernetes 1.19, End of Life 2021-10-28

  • Kubernetes 1.18, End of Life 2021-06-18

  • Kubernetes 1.17, End of Life 2021-01-13

  • Kubernetes 1.16, End of Life 2020-09-02

  • Kubernetes 1.15, End of Life 2020-05-06

  • Kubernetes 1.14, End of Life 2019-12-11

Cloud-Native Storage

CSI Storage

Metallic supports protection of PersistentVolumeClaims residing on production CSI drivers. See the Kubernetes production CSI drivers list in the Kubernetes documentation.

Metallic requires the production CSI driver to support the following features:

  • Dynamic provisioning (for restores)

  • Expansion (for restores)

  • Snapshot (for backups)

PersistentVolumes must be provisioned and managed by a registered StorageClass and a corresponding VolumeSnapshotClass.
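The three driver features and the StorageClass/VolumeSnapshotClass pairing can be checked before the first backup. The following is an added example, not Metallic or Commvault code. It flags StorageClasses that lack dynamic provisioning, expansion, or a VolumeSnapshotClass for the same driver; the class names and sample objects are constructed.

```python
# Added example: preflight check of StorageClasses against the CSI requirements above.
# Constructed samples in the shape of `kubectl get storageclass -o json` and
# `kubectl get volumesnapshotclass -o json`; all class names are hypothetical.
STORAGE_CLASSES = {"items": [
    {"metadata": {"name": "ebs-gp3"}, "provisioner": "ebs.csi.aws.com",
     "allowVolumeExpansion": True},
    {"metadata": {"name": "azure-disk"}, "provisioner": "disk.csi.azure.com"},
    {"metadata": {"name": "oci-bv"}, "provisioner": "blockvolume.csi.oraclecloud.com",
     "allowVolumeExpansion": True},
    {"metadata": {"name": "local-static"}, "provisioner": "kubernetes.io/no-provisioner"},
]}
SNAPSHOT_CLASSES = {"items": [
    {"metadata": {"name": "ebs-snap"}, "driver": "ebs.csi.aws.com",
     "deletionPolicy": "Delete"},
    {"metadata": {"name": "azure-snap"}, "driver": "disk.csi.azure.com",
     "deletionPolicy": "Delete"},
]}

NO_PROVISIONING = "no dynamic provisioning (needed for restores)"
NO_EXPANSION = "allowVolumeExpansion is not true (needed for restores)"
NO_SNAPSHOT = "no VolumeSnapshotClass for this driver (needed for backups)"


def preflight(storage_classes, snapshot_classes):
    """Return {StorageClass name: [problems]}; an empty list means no finding."""
    snapshot_drivers = {vsc.get("driver") for vsc in snapshot_classes.get("items", [])}
    report = {}
    for sc in storage_classes.get("items", []):
        provisioner = sc.get("provisioner", "")
        problems = []
        # Statically provisioned local volumes use this placeholder provisioner.
        if provisioner == "kubernetes.io/no-provisioner":
            problems.append(NO_PROVISIONING)
        # The field defaults to false when it is absent from the StorageClass.
        if sc.get("allowVolumeExpansion") is not True:
            problems.append(NO_EXPANSION)
        # A VolumeSnapshotClass corresponds to a StorageClass through its driver name.
        if provisioner not in snapshot_drivers:
            problems.append(NO_SNAPSHOT)
        report[sc["metadata"]["name"]] = problems
    return report


if __name__ == "__main__":
    for name, problems in preflight(STORAGE_CLASSES, SNAPSHOT_CLASSES).items():
        print(name, "OK" if not problems else "; ".join(problems))
```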

For CSI storage of the NFS (Network File System) type, you must configure the StorageClass with the root enabled flag so that Commvault can restore files as any UID or GID (which is collected during backups). For information, see Configuring a Root Access Storage Class for Kubernetes.

The following CSI drivers are validated by Commvault:

CSI plug-in                                CSI driver                         Snapshot verified
-----------------------------------------  ---------------------------------  ---------------------------
Commvault Distributed Storage              io.hedvig.csi                      Yes
AWS Elastic Block Storage                  ebs.csi.aws.com                    Yes
Azure Disk                                 disk.csi.azure.com                 Yes
Azure File                                 file.csi.azure.com                 Yes
Ceph RBD                                   rbd.csi.ceph.com                   Yes
GCE Persistent Disk                        pd.csi.storage.gke.io              Yes
HPE                                        csi.hpe.com                        Yes
NetApp                                     csi.trident.netapp.io              Yes
Oracle Cloud Infrastructure Block Volume   blockvolume.csi.oraclecloud.com    Not supported by the driver
Portworx                                   pxd.portworx.com                   Yes

Volume Snapshot CRD Versions

Multiple versions of the CSI external-snapshotter are available for download. Metallic supports all released versions of the external-snapshotter and all API versions of the volume snapshot custom resource.

To determine the API version of your VolumeSnapshotClass CRD, use the following command:

kubectl describe volumesnapshotclass <volume-snapshot-class-name> | grep -i version

Example output:

API Version:     snapshot.storage.k8s.io/v1

Kubernetes Worker Node Architectures

Metallic supports the protection of containers that run on x86 64-bit processor architectures from Intel and AMD.

Metallic does not support the protection of the following:

  • Arm 64-bit containers

  • IBM S/390 containers

Network and Firewall Requirements

Metallic backup gateways require that the following network connectivity and firewall dependencies are met.

Kubernetes API Server Endpoint

Metallic backup gateways must be able to reach the Kubernetes API server endpoint, either directly or via a Metallic network gateway.

Metallic performs backup and recovery control and data plane transfers via the kube-apiserver. Metallic requires no more than 1 millisecond round-trip time (RTT) latency between the backup gateway and the kube-apiserver endpoint.

To determine your Kubernetes API server endpoint, run the following command:

kubectl cluster-info

Example output:

Kubernetes control plane is running at https://aks-qa-cluster-001-dns-ed45cbd8.hcp.eastus.azmk8s.io:443

CoreDNS is running at https://k8s-123-4.local.domain:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

Docker Hub

To perform backups and other operations for Kubernetes, Metallic pulls a Docker image for a temporary worker pod that performs data movement. Metallic uses the oraclelinux:9 image.

vsphereVolume Snapshot Support

Metallic backup gateways must be able to contact the vCenter SDK endpoint URL on port 443 to authenticate and orchestrate the creation and deletion of VMDK snapshots and the creation of VMDK volumes.

Istio Service Mesh Support

Metallic supports protection of Kubernetes applications in clusters that use the Istio.io service mesh. Metallic supports all currently supported Istio releases, for all Kubernetes releases that are supported by Metallic.

DISCLAIMER

Certain third-party software and service releases (together, "Releases") may not be supported by Commvault. You are solely responsible for ensuring Commvault’s products and services are compatible with any such Releases.