System Apps

Overview

System Apps are Kubernetes operators that run inside your cluster and extend what PodWarden can do. They are separate from PodWarden itself — you install only the ones you need. PodWarden detects installed operators automatically and enables the corresponding features in the UI.

Without the relevant operator installed, the associated features (e.g. backup scheduling, Helm chart deployment) will not function even if policies are configured.

How PodWarden Detects System Apps

When PodWarden connects to a cluster, it looks for a ConfigMap in each namespace with the label:

podwarden.com/system-app=true

This ConfigMap declares the operator name, version, and capabilities. PodWarden reads it and reflects the status in Settings → System Apps. No polling agent is required — detection happens on each cluster sync.

Available System Apps

Backup Operator

Manages the full backup lifecycle for PodWarden workloads.

What it does:

• Watches BackupPolicy CRDs created by PodWarden
• Schedules and executes BackupRun resources on the defined cron schedule
• Runs Restic inside the cluster to copy volume data to your storage target
• Applies retention rules and manages RestoreRun resources for data recovery

Required for: the Backups feature. Without this operator, backup policies remain in Pending state and backup runs will fail with "BackupPolicy CRD not found" errors.

Install:

kubectl apply -f https://www.podwarden.com/operators/backup-operator/install.yaml

See the Backups guide for full usage documentation.

Admission Webhook

Intercepts direct kubectl operations on PodWarden-managed namespaces and logs bypass events to PodWarden's system messages.

What it does:

• Watches CREATE, UPDATE, and DELETE operations on resources in managed namespaces
• Logs bypass events to PodWarden system messages with context about the resource and operation
• In strict mode, can block direct kubectl operations and suggest the equivalent PodWarden API or MCP tool
• Includes deny messages that reference the correct PodWarden MCP tool for each operation (e.g. deploy_workload, create_ingress_rule)

Required for: detecting when users or LLM agents bypass PodWarden and modify cluster resources directly.

Install:

The Admission Webhook is automatically installed on cluster registration — no manual installation needed.

Configuration: Go to Settings → Admission Webhook to configure the webhook behavior:

Helm Operator

Manages Helm chart deployments as first-class PodWarden workloads.

What it does:

• Watches HelmRelease CRDs created by PodWarden
• Installs, upgrades, and rolls back Helm charts in the cluster
• Reports release status and history back to PodWarden

Required for: deploying workloads from Helm charts via the PodWarden UI.

Install:

kubectl apply -f https://www.podwarden.com/operators/helm-operator/install.yaml

Or find it in the Hub catalog under System Apps.

Installing via Hub Catalog

1. Go to Hub in the PodWarden sidebar
2. Filter by category System Apps
3. Select the operator you want to install
4. Choose the target cluster
5. Click Deploy

PodWarden applies the operator manifest to the cluster and the detection label is registered automatically.

Verifying Installation

After installing, confirm the operator is running:

kubectl -n podwarden-system get pods

Check the ConfigMap that signals detection:

kubectl get configmaps -A -l podwarden.com/system-app=true

In the PodWarden UI, go to Settings → System to see detected system apps and their versions.