The migrate-controller component is developed by Alibaba Cloud based on the open source
project Velero. You can use this component to migrate Kubernetes applications. This
topic describes how to install and use migrate-controller.
Background information
Velero is a cloud native tool that can be used to back up, restore, and migrate cluster
applications. Velero is written in Golang. This tool ensures data security when you
use it to back up, restore, and migrate applications and persistent volumes (PVs)
in ACK clusters. For more information about source code of the Velero project, see
velero. For more information about the source code of the Velero plug-in for Alibaba Cloud,
see
velero-plugin.
Note Velero requires Kubernetes version later than V1.10.
Step 1: Make preparations
Before you install and use migrate-controller, perform the following steps:
- Create a Resource Access Management (RAM) user and create an AccessKey pair for the
RAM user.
Before you can install the component in a registered cluster, you must set the AccessKey
information to grant the registered cluster the permissions to access Alibaba Cloud
resources. Before you set the AccessKey information, create a RAM user and grant the
RAM user the permissions to access Alibaba Cloud resources.
- Create a RAM user.
- Create a permission policy.
For more information, see
Create a custom policy.
The following code block shows the content of the permission policy for Velero:
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:PutObject",
"oss:GetObject",
"oss:DeleteObject",
"oss:GetBucket",
"oss:ListObjects",
"oss:ListBuckets"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
]
}
If you want to grant the RAM user only the read and write permissions on the mybackups
resource in an Object Storage Service (OSS) bucket, create a permission policy based
on the following content:
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:PutObject",
"oss:GetObject",
"oss:DeleteObject",
"oss:GetBucket",
"oss:ListObjects",
"oss:ListBuckets"
],
"Resource": [
"acs:oss:*:*:mybackups",
"acs:oss:*:*:mybackups/*"
],
"Effect": "Allow"
}
]
}
For information about how to regulate finer-grained access to an OSS bucket, see Use RAM to manage OSS permissions.
- Grant permissions to the RAM user.
- Create an AccessKey pair for the RAM user.
- Create a Secret in the registered cluster.
To ensure that the AccessKey information is used only within the registered cluster,
you must first use the AccessKey pair to deploy a Secret named alibaba-addon-secret
in the cluster. This reduces the risk of information leakage. Like the Velero open
source community, Container Service for Kubernetes (ACK) installs migrate-controller
in the
velero namespace. If the namespace does not exist, you must first create a namespace and
name it velero. Then, use the AccessKey pair to create the alibaba-addon-secret Secret
in the namespace. Command:
kubectl create ns velero
kubectl -n velero create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'
Notice
Replace <your AccessKey ID>
and <your AccessKey Secret>
in the preceding command with the AccessKey ID and AccessKey secret obtained in Step 1.
- Install the Velero client in the registered cluster.
Velero provides client-side binary files that enable you to submit backup and recovery
tasks to the Velero server in an easy and efficient manner.
You must install the Velero client on a machine that allows you to access your registered
cluster by using the kubeconfig file. Download the Velero client based on the operating system of your machine.
After you complete the preceding steps, perform the following operations to install
and use migrate-controller (the Velero server).
Step 2: Install migrate-controller
- Log on to the ACK console.
- In the left-side navigation pane, click Clusters.
- On the Clusters page, find the cluster that you want to manage and select Manage System Components from the More drop-down list in the Actions column.
- On the Add-ons page, find the migrate-controller component and click Install.
Step 3: Configure an OSS bucket
You must create a resource of the BackupStorageLocation type in an OSS bucket. The
resource is used to specify the storage location for Velero backups.
- Create a file named BackupStorageLocation.yaml and copy the following content to the file:
apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
labels:
component: velero
name: default
namespace: velero
spec:
config:
region: cn-hangzhou
objectStorage:
bucket: velero-bucket
provider: alibabacloud
Parameter descriptions:
Note
- Set
spec.config.region
to the region where the OSS bucket is created.
- Set
spec.objectStorage.bucket
to the name of the OSS bucket.
- If data is transmitted to an internal OSS endpoint, add
spec.config.network: internal
to the file. This way, ACK transmits data over the Internet by default.
- To use a specified subdirectory of the OSS bucket, add
spe.objectStorage.prefix: <your prefix>
to the file. This way, ACK uses the root directory of the OSS bucket by default.
- Run the following command to create a BackupStorageLocation resource:
kubectl apply -f BackupStorageLocation.yaml