DEV Community

NTCTech
NTCTech

Posted on • Originally published at rack2cloud.com

Velero Going CNCF Isn't About Backup. It's About Control.

#kubernetes #devops #cloudnative #infrastructure

Velero CNCF backup governance shift illustrated as dark server room with purple and cyan gradient lighting overlaid with architectural blueprint grid lines representing Kubernetes control plane authority

The Velero CNCF backup announcement at KubeCon EU 2026 was framed as an open source governance story. Broadcom contributed Velero — its Kubernetes-native backup, restore, and migration tool — to the CNCF Sandbox, where it was accepted by the CNCF Technical Oversight Committee.

Most coverage treated this as a backup story. It isn't.

Velero moving to CNCF governance is a control plane story disguised as an open source announcement. And if your team is running stateful workloads on Kubernetes, the distinction between vendor-neutral governance and vendor-independent operations is the architectural decision that sits beneath the headline.

What the Velero CNCF Backup Move Actually Means

Velero originated at Heptio — founded by Kubernetes co-creators Joe Beda and Craig McLuckie — which VMware acquired in 2019. It's been under VMware, then Broadcom stewardship ever since. The project operates at the Kubernetes API layer, not the storage layer. All backup operations are defined via CRDs (Backup, Restore, Schedule, BackupStorageLocation, VolumeSnapshotLocation) and managed through standard Kubernetes control loops.

At KubeCon EU, Broadcom formalized the transition: Velero is now a CNCF Sandbox project, with maintainers from Broadcom, Red Hat, and Microsoft.

Timeline diagram showing Velero's governance history from Heptio 2017 to VMware acquisition 2019 to Broadcom 2023 to CNCF Sandbox 2026 with purple accent markers

Broadcom's own framing was telling: "We really don't want people to mistrust the open source project and believe that it's somehow a VMware thing even though it hasn't been a VMware thing for quite some time."

This move is as much about trust repair as governance mechanics.

Vendor-Neutral ≠ Vendor-Independent

This is the distinction most teams will miss.

Vendor-neutral governance means no single vendor controls the roadmap. CNCF governance means Broadcom can no longer make breaking changes to Velero unilaterally. Community-steered, broader contributor base. That's real.

Vendor-independent operations means your recovery path survives without the vendor. That's a different question entirely — and CNCF governance doesn't answer it.

Your backup storage location is still a cloud bucket outside your cluster. Your IAM credentials still have to reach that bucket. Your restore workflow still depends on a working target cluster. None of those operational dependencies changed on March 24th.

The Real Architecture Question

When your cluster dies — what actually survives?

Velero operates at the Kubernetes API layer, which makes it a state reconstruction layer, not a storage tool. A Velero backup is a portable snapshot of declarative cluster state — namespaces, CRDs, RBAC policies, PVC claims — not a disk image.

That portability is the real capability. A backup taken on VKS can theoretically be restored on EKS, AKS, or bare-metal kubeadm — because it operates through the Kubernetes API, not hypervisor-specific snapshots.

Diagram showing Velero operating at Kubernetes API layer between cluster state and object storage, with arrows showing backup flow from CRDs and namespace resources through API to object storage and back on restore

But state reconstruction has limits:

Axis What Velero Controls What Velero Depends On
Backup Definitions CRDs inside cluster etcd — gone if cluster is gone
Restore Logic Velero controller + API server Working target cluster
Metadata Object metadata, resource specs External object storage bucket
APIs Kubernetes API layer ops Cloud IAM for bucket access

Velero cannot bootstrap a cluster from nothing. It cannot authenticate to object storage without valid IAM credentials. It cannot run a restore without a target cluster already operational.

The Four Production Failure Modes

These won't appear in the press releases:

01 / Object Storage Dependency
Every backup lands outside your cluster in object storage. Full cluster failure + network partition = recovery blocked, regardless of whether the backup data is intact.

02 / IAM Credential Survivability
Velero authenticates via IAM roles, IRSA, or Workload Identity — all provisioned outside Velero itself. If your identity system is compromised or the cloud control plane is unavailable, the data exists but is unreachable.

03 / Restore-Time Complexity
Velero restores Kubernetes objects. It does not restore external databases, DNS records, ingress configurations, or certificate bindings. The gap between "backup succeeded" and "system restored" is proportional to how many external dependencies your workloads carry.

04 / Air Gap Theater
Velero deployed with on-premises MinIO, backups running, compliance checkbox ticked. The problem: restore still requires live access to that storage endpoint, live IAM credentials, and a functional API server. If those dependencies fail, the air gap was theater. The backup exists. The restore doesn't work.

Dark moody illustration of a network diagram bisected by a physical wall representing an air gap, with Kubernetes cluster nodes on one side and isolated object storage on the other, but a faint glowing credential key visibly bridging the gap suggesting false isolation

The Broadcom Signal Worth Reading

Broadcom has been navigating a trust deficit since the VMware acquisition — the pricing restructuring, perpetual license elimination, and VCF bundling created a market perception that it would eventually lock down everything it touched.

The Velero CNCF contribution is a counter-signal. By relinquishing governance of a project at the center of Kubernetes backup and migration, Broadcom is demonstrating that at least some of its stack is genuinely community-governed.

It also creates a clean architectural separation: Velero as open, portable, community-governed backup — VKS/VCF as proprietary platform layer. That separation is useful for teams evaluating VMware Cloud Foundation. Your backup portability is no longer contingent on your platform choice.

That's a genuine architectural benefit — independent of the marketing attached to it.

Architect's Verdict

The CNCF move is real and it matters — but not for the reasons most teams will act on.

If your concern is Broadcom controlling Velero's roadmap to disadvantage non-VMware users: that concern is now materially reduced. Multi-vendor maintainership and CNCF oversight create real structural separation.

If your concern is operational — whether Velero works when your cluster is down: the CNCF transition changes nothing. Object storage dependency still exists. IAM credential chain still needs to survive the same incident your cluster didn't. Restore-time complexity is still proportional to your external dependencies.

The teams that benefit most from this transition are those running multi-distribution environments who hesitated to standardize on Velero because of its VMware lineage. The governance change removes a legitimate organizational objection. The operational architecture still requires the same engineering discipline it always did.

CNCF doesn't remove risk. It changes where the risk lives — from project governance to operational design. Most teams haven't engineered the latter. That's the work.

Originally published at rack2cloud.com — architecture-first analysis for enterprise infrastructure teams.

Top comments (0)