Container Service for Kubernetes (ACK) allows you to back up and restore stateful applications deployed in an ACK cluster. This is an all-in-one solution to achieve crash consistency, application consistency, and cross-region disaster recovery for stateful applications in ACK clusters. You can install the application backup component in ACK clusters and then use the component to back up and restore applications. This topic describes how to install the application backup component.

Prerequisites

Background information

A growing number of applications are running on Kubernetes. Therefore, it is important to back up applications periodically. You can use backups to restore applications that cannot recover on their own after a prolonged disruption. Traditional backup solutions include single-server backups and disk backups. Compared with the traditional backup solutions, application backups allow you to back up applications together with the relevant data, resource objects, configurations, and namespaces.

Step 1: Grant OSS permissions to the cluster

The application backup feature can store application backups only in Object Storage Service (OSS). Before you use OSS, you must grant OSS permissions to your cluster.

Grant OSS permissions to managed or dedicated Kubernetes clusters

If you use a managed or dedicated Kubernetes cluster, you must grant the required OSS permissions to the cluster.

  1. Create a custom permission policy that is used to access OSS. For more information, see Create a custom policy.
    Note For more information about how to configure fine-grained access to OSS, see Use RAM to manage OSS permissions.

    To grant full OSS permissions, create a permission policy based on the following template:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "oss:PutObject",
                    "oss:GetObject",
                    "oss:DeleteObject",
                    "oss:GetBucket",
                    "oss:ListObjects",
                    "oss:ListBuckets"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }

    To grant only read and write permissions on a specified OSS bucket, create a permission policy based on the following template:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "oss:PutObject",
                    "oss:GetObject",
                    "oss:DeleteObject",
                    "oss:GetBucket",
                    "oss:ListObjects",
                    "oss:ListBuckets"
                ],
                "Resource": [
                    "acs:oss:*:*:mybackups",
                    "acs:oss:*:*:mybackups/*"
                ],
                "Effect": "Allow"
            }
        ]
    }

    Replace mybackups with the name of the OSS bucket that you want to use.
  2. Grant permissions to the Resource Access Management (RAM) role of the managed Kubernetes cluster.
    1. Log on to the ACK console.
    2. In the left-side navigation pane of the ACK console, click Clusters.
    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
    4. On the details page of the cluster, click the Cluster Resources tab and view the worker RAM role of the cluster.
    5. Log on to the RAM console.
    6. In the left-side navigation pane, click Grants.
    7. On the Grants page, click Grant Permission. In the Add Permissions panel, set the parameters and click OK.
      Parameters:
      Authorized Scope: Valid values are Alibaba Cloud Account and Specific Resource Group.
      Principal: Enter the worker RAM role that you obtained in the previous substep.
      Select Policy: Click Custom Policy, enter the name of the permission policy that you created in Step 1, and then click the name of the policy.
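
As an added example (not part of the ACK documentation), the following Python check reviews a RAM policy document before it is attached to the worker RAM role: it reports wildcard actions or resources, OSS actions beyond the six listed in the templates above, resources outside the expected bucket, and required actions that are missing. The action set and the acs:oss:*:*:<bucket> resource format are taken from the templates on this page; the sample policies are constructed for the demonstration.

```python
import json

# OSS actions the application backup component needs, as listed in the
# policy templates on this page.
REQUIRED_ACTIONS = {
    "oss:PutObject", "oss:GetObject", "oss:DeleteObject",
    "oss:GetBucket", "oss:ListObjects", "oss:ListBuckets",
}


def _as_list(value):
    """RAM policies accept a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def check_backup_policy(policy_json: str, bucket: str) -> list:
    """Return findings for a policy document; an empty list means every Allow
    statement grants only the required OSS actions, scoped to `bucket`."""
    policy = json.loads(policy_json)
    findings, granted = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = _as_list(stmt.get("Action"))
        granted.update(actions)
        for action in actions:
            if "*" in action:
                findings.append(f"wildcard action: {action}")
            elif action.startswith("oss:") and action not in REQUIRED_ACTIONS:
                findings.append(f"action not needed for backups: {action}")
        for res in _as_list(stmt.get("Resource")):
            if res in ("*", "acs:oss:*:*:*"):
                findings.append(f"resource wildcard: {res}")
            elif res not in (f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"):
                findings.append(f"resource outside bucket {bucket}: {res}")
    for action in sorted(REQUIRED_ACTIONS - granted):
        findings.append(f"required action missing: {action}")
    return findings


def policy_doc(resources):
    """Build a constructed policy with the required actions on the given resources."""
    return json.dumps({"Version": "1", "Statement": [
        {"Action": sorted(REQUIRED_ACTIONS), "Resource": resources, "Effect": "Allow"}]})


# Constructed samples: the bucket-scoped template and the Resource "*" variant.
SCOPED_POLICY = policy_doc(["acs:oss:*:*:mybackups", "acs:oss:*:*:mybackups/*"])
FULL_POLICY = policy_doc(["*"])

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED_POLICY), ("full", FULL_POLICY)):
        print(name, check_backup_policy(doc, "mybackups") or "OK")
```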

Grant OSS permissions to a registered Kubernetes cluster

If your applications are deployed in a registered Kubernetes cluster, you must create a RAM user for the cluster, grant the RAM user the permissions to access cloud resources, and then create an AccessKey pair for the RAM user.

  1. Create a RAM user. For more information, see Create a RAM user.
  2. Create a custom permission policy that is used to access OSS. For more information, see Step 1.
  3. Grant permissions to the RAM user. For more information, see Grant permissions to a RAM user.
  4. Create an AccessKey pair for the RAM user. For more information, see Obtain an AccessKey pair.
  5. Create a Secret in the registered Kubernetes cluster.

    To ensure that the AccessKey pair is used only within the registered cluster, you must use the AccessKey pair to create a Secret named alibaba-addon-secret in the cluster. This reduces the risk of information leakage.

    ACK installs migrate-controller in the velero namespace, which is inherited from the open source Velero project. If the velero namespace does not exist, you must create a namespace named velero. After you create the namespace, use the AccessKey pair to create a Secret named alibaba-addon-secret in the namespace.

    1. Optional: Run the following command to create a namespace named velero:
      kubectl create ns velero
    2. Run the following command to create a Secret named alibaba-addon-secret:
      kubectl -n velero create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'

      Replace <your AccessKey ID> and <your AccessKey Secret> with the AccessKey ID and AccessKey secret that you obtained in Step 4.

Step 2: Install the application backup component

Note Before you can use the application backup feature, you must install the application backup component. If the application backup component is already installed, skip this step.
  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
  4. In the left-side navigation pane of the details page, choose Operations > Application Backup (Public Preview).
  5. On the Application Backup page, click Install.
    Note If the velero namespace does not exist, the system automatically creates a namespace named velero when the system installs the component. Do not delete this namespace when you back up applications.
    After the component is installed, the page in the following figure appears. The application backup component