Container Service for Kubernetes (ACK) allows you to back up and restore stateful
applications deployed in an ACK cluster. This is an all-in-one solution to achieve
crash consistency, application consistency, and cross-region disaster recovery for
stateful applications in ACK clusters. You can install the application backup component
in ACK clusters and then use the component to back up and restore applications. This
topic describes how to install the application backup component.
Background information
A growing number of applications are running on Kubernetes. Therefore, it is important
to back up applications periodically. You can use backups to restore applications
that cannot be recovered after the applications are disrupted for a long period of
time. Traditional backup solutions include single-server backups and disk backups.
Compared with the traditional backup solutions, application backups allow you to back
up applications and the relevant data, resource objects, configurations, and namespaces.
Step 1: Grant OSS permissions to the cluster
The application backup feature can store application backups only in Object Storage
Service (OSS). Before you use OSS, you must grant OSS permissions to your cluster.
Grant OSS permissions to managed or dedicated Kubernetes clusters
If you use a managed or dedicated Kubernetes cluster, you must grant the required
OSS permissions to the cluster.
- Create a custom permission policy that is used to access OSS. For more information,
see Create a custom policy.
To grant full OSS permissions, create a permission policy based on the following template:
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:PutObject",
"oss:GetObject",
"oss:DeleteObject",
"oss:GetBucket",
"oss:ListObjects",
"oss:ListBuckets"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
]
}
To grant only read and write permissions on a specified OSS bucket, create a permission
policy based on the following template:
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:PutObject",
"oss:GetObject",
"oss:DeleteObject",
"oss:GetBucket",
"oss:ListObjects",
"oss:ListBuckets"
],
"Resource": [
"acs:oss:*:*:mybackups",
"acs:oss:*:*:mybackups/*"
],
"Effect": "Allow"
}
]
}
Replace
mybackups with the name of the OSS bucket that you want to use.
- Grant permissions to the Resource Access Management (RAM) role of the managed Kubernetes
cluster.
- Log on to the ACK console.
- In the left-side navigation pane of the ACK console, click Clusters.
- On the Clusters page, find the cluster that you want to manage and click the name of the cluster
or click Details in the Actions column. The details page of the cluster appears.
- On the details page of the cluster, click the Cluster Resources tab and view the worker RAM role of the cluster.
- Log on to the RAM console.
- In the left-side navigation pane, click Grants.
- On the Grants page, click Grant Permission. In the Add Permissions panel, set the parameters and click OK.
| Parameter |
Description |
| Authorized Scope |
Valid values: Alibaba Cloud Account and Specific Resource Group.
|
| Principal |
Enter the worker RAM role that you obtained. |
| Select Policy |
Click Custom Policy, enter the name of the permission policy that is created in Step 1, and then click the name of the policy.
|
Grant OSS permissions to a registered Kubernetes cluster
If your applications are deployed in a registered Kubernetes cluster, you must create
a RAM user for the cluster, grant the RAM user the permissions to access cloud resources,
and then create an AccessKey pair for the RAM user.
- Create a RAM user. For more information, see Create a RAM user.
- Create a custom permission policy that is used to access OSS. For more information,
see Step 1.
- Grant permissions to the RAM user. For more information, see Grant permissions to a RAM user.
- Create an AccessKey pair for the RAM user. For more information, see Obtain an AccessKey pair.
- Create a Secret in the registered Kubernetes cluster.
To ensure that the AccessKey pair is used only within the registered cluster, you
must use the AccessKey pair to create a Secret named alibaba-addon-secret in the cluster. This reduces the risk of information leakage.
ACK installs migrate-controller in the velero namespace, which is inherited from the open source Velero project. If the velero namespace does not exist, you must create a namespace named velero. After you create
the namespace, use the AccessKey pair to create a Secret named alibaba-addon-secret
in the namespace.
- Optional:Run the following command to create a namespace named velero:
- Run the following command to create a Secret named alibaba-addon-secret:
kubectl -n velero create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'
Replace your AccessKey ID and your AccessKey Secret with the AccessKey ID and AccessKey secret that are obtained in Step 4.
Step 2: Install the application backup component
Note Before you can use the application backup feature, you must install the application
backup component. If the application backup component is already installed, skip this
step.
- Log on to the ACK console.
- In the left-side navigation pane of the ACK console, click Clusters.
- On the Clusters page, find the cluster that you want to manage and click the name of the cluster
or click Details in the Actions column. The details page of the cluster appears.
- In the left-side navigation pane of the details page, choose .
- On the Application Backup page, click Install.
Note If the velero namespace does not exist, the system automatically creates a namespace
named velero when the system installs the component. Do not delete this namespace
when you back up applications.
After the component is installed, the page in the following figure appears.
