FAQ

Production Impact

Does Kymaros affect production workloads?

No. Kymaros performs all restore validation in an isolated sandbox namespace. It does not modify, restart, or interact with production workloads at any point. The sandbox is a separate Kubernetes namespace with a NetworkPolicy that blocks all traffic to and from production namespaces by default. Production pods, services, and storage are never touched.

How much cluster capacity does a restore test consume?

The sandbox runs real application pods — the same images and resource requests as the original workload. Kymaros applies a ResourceQuota and LimitRange to the sandbox namespace to prevent unbounded consumption. The actual capacity consumed depends on your application size. For workloads with explicit resource requests, the sandbox will consume roughly the same capacity as the source namespace for the duration of the test (typically 10–60 minutes).

Schedule restore tests during off-peak hours if your cluster operates close to capacity.

Backup Provider Support

Which backup providers does Kymaros support?

Kymaros currently supports Velero as its backup provider. Velero must be installed separately with at least one configured BackupStorageLocation. Kymaros reads Velero Backup and Schedule resources and triggers Velero Restore operations on your behalf.

Support for Kasten (K10) and Trilio is planned for future releases. Follow github.com/kymorahq/kymora for updates.

Data Safety

Does Kymaros read or transmit application data?

No. Kymaros observes the restore process through the Kubernetes API — it reads pod status, events, and health check results. It does not read application data from volumes, databases, or file systems. Health check exec commands capture only the exit code and stdout of the probe command. Nothing is sent outside the cluster. RestoreReport resources contain only metadata: scores, timestamps, durations, and pass/fail results.

What happens to the sandbox after the test?

The sandbox namespace is deleted automatically after the TTL configured in sandbox.ttl expires. The controller removes all resources in the namespace and then removes the namespace itself. The finalizer kymaros.io/sandbox-cleanup ensures cleanup proceeds even if the controller restarts during teardown.

If the controller crashes before cleanup, the TTL failsafe runs when the controller restarts and removes any sandbox that has exceeded its TTL. Sandboxes do not persist indefinitely under any normal failure mode.

Test Execution

What happens if a restore test crashes or hangs?

The TTL failsafe is the primary safety net. Every sandbox namespace has a maximum lifetime defined by sandbox.ttl. When that TTL elapses, the controller deletes the sandbox regardless of test state. If the test was still in progress, the RestoreReport is marked failed. No manual intervention is required.

Can I trigger a restore test manually without waiting for the cron schedule?

Yes. Add the trigger annotation to the RestoreTest resource:

kubectl annotate restoretest <name> -n kymaros-system \
  kymaros.io/trigger-now=true --overwrite

You can also trigger runs via the Kymaros REST API if the API server is accessible:

curl -X POST http://<kymaros-api>:8080/api/v1/tests/<name>/trigger

Compatibility

Which Kubernetes versions are supported?

Kymaros is tested and supported on Kubernetes 1.28, 1.29, 1.30, and 1.31. Earlier versions are not supported. Cloud-managed distributions (EKS, GKE, AKS, OKE, DOKS) are supported as long as the underlying Kubernetes version is within this range.

Does Kymaros work on any cloud provider?

Yes. Kymaros is a standard Kubernetes operator with no cloud-provider-specific dependencies. It works on any Kubernetes 1.28+ cluster where Velero is installed and configured. The only external dependency is the backup storage backend that Velero is configured to use (S3, GCS, Azure Blob, NFS, etc.).

Is there a SaaS version of Kymaros?

No. Kymaros is self-hosted only. It runs entirely within your cluster. Backup data and restore reports never leave your infrastructure. This is intentional — many organizations cannot allow backup metadata or application manifests to transit third-party systems.

GitOps and Automation

Is Kymaros compatible with GitOps workflows (ArgoCD, Flux)?

Yes. RestoreTest and HealthCheckPolicy resources are standard Kubernetes CRDs defined in YAML. You can store them in Git and sync them to your cluster using any GitOps tool. The controller reacts to changes immediately — editing a RestoreTest in Git and applying it updates the schedule without any restart required.

How do I handle Kymaros in a multi-environment setup (dev/staging/prod)?

Deploy Kymaros independently in each cluster. Each installation maintains its own RestoreTest resources and RestoreReport history. For multi-cluster visibility from a single dashboard, the Enterprise tier supports aggregating reports across clusters.

Licensing

How does the license mechanism work?

Licenses are stored as a Kubernetes Secret named kymaros-license in the kymaros-system namespace. The Secret contains three fields: tier (community, team, or enterprise), key (the license string in KYM-<TIER>-<HMAC> format), and expires (expiry date). The controller validates the license using HMAC at startup. No outbound network call is made — validation is fully offline.

Does Kymaros work in air-gapped environments?

Yes. License validation is offline (HMAC-based, no phone-home). Container images can be pulled from an internal OCI registry — the Helm chart accepts an image.registry override. The only network dependency at runtime is access to your Velero backup storage backend (which must already be reachable for Velero to function).

Upgrading

What is the upgrade procedure?

helm repo update
helm upgrade kymaros kymaros/kymaros -n kymaros-system --reuse-values

If the release notes mention CRD changes, apply the updated CRDs manually before running helm upgrade. See Upgrading for the full procedure, including rollback steps.

Community and Contributing

What is the difference between Community and Team tier?

The Community tier includes the full restore validation operator (all four validation levels), the dashboard with 7-day history, and all CRD-based automation. The Team tier adds the compliance page, 90-day dashboard history, CSV export, RTO analytics, regression alerts, timeline view, score breakdown, and support for multiple backup sources per RestoreTest. See the Pricing page for the complete feature matrix.

Can I contribute to Kymaros?

Yes. Kymaros is Apache 2.0 licensed. The source repository is at github.com/kymorahq/kymora. Bug reports, feature requests, and pull requests are welcome. Check the CONTRIBUTING.md in the repository for development setup instructions and contribution guidelines.

Production Impact​

Backup Provider Support​

Data Safety​

Test Execution​

Compatibility​

GitOps and Automation​

Licensing​

Upgrading​

Community and Contributing​