Backup for GKE preview agent deprecation
Standard
The Backup for GKE agent requires full privileges to read and write every object in the cluster.

The version of the agent that runs in GKE cluster versions prior to 1.24 is a preview version released in February 2022 that runs as a workload in the GKE user cluster. Users or workloads with root access to the underlying node on which the Backup for GKE Pod is scheduled, such as through Pod hostpath mounts or SSH, can gain these root-in-cluster privileges.

This node-to-cluster escalation vulnerability is addressed in the generally available (GA) version of the agent, which was released in November 2022. The GA agent runs on an inaccessible host in the GKE control plane and is only available in clusters running GKE version 1.24 or later. To avoid the potential for a node-to-cluster escalation, we highly recommend that you run Backup for GKE only for GKE clusters running version 1.24 or later.
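
One way to find clusters that fall outside the recommendation above: an added example, not part of the original documentation, that audits parsed `gcloud container clusters list --format=json` output. It assumes the GKE API cluster fields `currentMasterVersion` and `addonsConfig.gkeBackupAgentConfig.enabled`; the cluster names and versions are constructed sample data.

```python
import re

MIN_GA_VERSION = (1, 24)  # page: GA agent needs GKE 1.24 or later

# Constructed sample, shaped like parsed `gcloud container clusters list --format=json`
SAMPLE_CLUSTERS = [
    {"name": "legacy-batch", "currentMasterVersion": "1.23.17-gke.2000",
     "addonsConfig": {"gkeBackupAgentConfig": {"enabled": True}}},
    {"name": "prod-web", "currentMasterVersion": "1.27.3-gke.100",
     "addonsConfig": {"gkeBackupAgentConfig": {"enabled": True}}},
    {"name": "old-dev", "currentMasterVersion": "1.22.12-gke.500",
     "addonsConfig": {}},
    {"name": "odd-version", "currentMasterVersion": "unknown",
     "addonsConfig": {"gkeBackupAgentConfig": {"enabled": True}}},
]


def parse_minor(version):
    """Return (major, minor) from a GKE version string, or None."""
    m = re.match(r"v?(\d+)\.(\d+)", version or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def backup_agent_enabled(cluster):
    """True if the Backup for GKE add-on is enabled on the cluster."""
    addons = cluster.get("addonsConfig") or {}
    return bool((addons.get("gkeBackupAgentConfig") or {}).get("enabled"))


def audit(clusters):
    """Return (name, version, reason) for each cluster that needs attention."""
    findings = []
    for c in clusters:
        if not backup_agent_enabled(c):
            continue  # add-on off: no Backup for GKE agent to worry about
        version = c.get("currentMasterVersion", "")
        parsed = parse_minor(version)
        if parsed is None:
            findings.append((c["name"], version, "unparseable version, check manually"))
        elif parsed < MIN_GA_VERSION:
            findings.append((c["name"], version, "preview agent runs in the user cluster"))
    return findings


if __name__ == "__main__":
    for name, version, reason in audit(SAMPLE_CLUSTERS):
        print(f"{name} ({version}): {reason}")
```

Versions are compared as integer tuples so that a string such as `1.9` is not mistaken for being newer than `1.24`.
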
New installations of the preview agent will be blocked starting on April 27th 2023.
Note: Starting on April 27th 2023, Backup for GKE will block the agent from being installed in clusters running a version of GKE earlier than 1.24. This change won't impact clusters already running the preview agent, but will block new installations.

Last updated 2025-09-04 UTC.