Use the backup center to back up and restore applications in Container Service for Kubernetes (ACK) clusters, protecting against accidental deletion, cluster failure, and data corruption.
Use cases
- Disaster recovery: Recover applications and volumes after accidental deletion, cluster failure, or data corruption.
- Cluster migration: Move applications to a cluster running a different Kubernetes version or using a different volume plug-in.
Limits
- Resources that are being deleted at the time of backup are not included in the backup.
- The backup center requires Kubernetes 1.16 or later. For upgrade instructions, see Manually upgrade ACK clusters.
- ECS snapshots for disk backups require Kubernetes 1.18 or later and Container Storage Interface (CSI). If your cluster does not meet these requirements, use Cloud Backup instead.
Prerequisites
Before you begin, make sure that you have:
- Installed migrate-controller and granted the required permissions. See Install migrate-controller and grant permissions.
- (For disk snapshot backups) CSI 1.1.0 or later installed. See Manage the CSI plug-in.
- (For restoring to File Storage NAS (NAS) volumes managed by CNFS) A StorageClass with alibabacloud-cnfs-nas created in advance. See Use CNFS to manage NAS file systems (recommended).
Billing
The backup center feature itself is free. The following related services incur charges based on usage:
- Object Storage Service (OSS): Stores backup YAML files. See OSS billing.
- Snapshots: Used to back up disk volumes. See Snapshot billing.
  Starting 11:00 (UTC+8) on October 12, 2023, storage fees and feature usage fees for the instant access feature are no longer charged. See Use the instant access feature. Snapshots created during backups of PL0 ESSD, PL1 ESSD, PL2 ESSD, PL3 ESSD, and ESSD AutoPL disks have the instant access feature enabled by default.
- Cloud Backup: Used to back up volume types other than disk volumes. See Cloud Backup price details.
Step 1: Create a backup vault
Backup files are stored in an OSS bucket linked to a backup vault. Create one backup vault per region—all ACK clusters in the same region can share it.
Backup vaults cannot be updated after creation; they can only be deleted. If you create a vault with the same name as a deleted vault, the new vault cannot be used by clusters that previously used the application backup feature.
- Log on to the ACK console. In the left-side navigation pane, choose Multi-cluster > Backup Center.
- On the Backup Center page, click Create Backup Vault.
- In the Create Backup Vault panel, configure the following parameters and click OK.

| Parameter | Description |
| --- | --- |
| Vault Name | Lowercase letters and digits only. |
| OSS Bucket Region | The region where the OSS bucket is deployed. |
| OSS Bucket Name | The name of the OSS bucket. For ACK managed clusters, create the bucket in advance and name it in the `cnfs-oss****` format. |
| OSS Bucket Subdirectory | (Optional) A subdirectory within the bucket. |
| Visible Scope | Who can see this backup vault: Alibaba Cloud accounts and the creator only, or Alibaba Cloud accounts and RAM users. |
Step 2: Create a backup plan or run an instant backup
The backup center supports two modes:
- Backup plan: The system runs backup tasks on a recurring schedule (daily, weekly, or monthly) until you delete the plan.
- Instant backup: The system runs a one-time backup immediately.
Both modes create a backup task in the cluster. Track the task status on the Backup Records tab.
Create a backup plan
- On the Clusters page, click the cluster name. In the left-side navigation pane, choose Operations > Application Backup. The system checks whether the backup service component is installed. If it is not, follow the on-page instructions to install it. For registered clusters and ACK dedicated clusters, also configure permissions. See Install migrate-controller and grant permissions.
- On the Application Backup page, click Create Backup Plan. In the Create Backup Plan panel, configure the following parameters and click OK.

| Parameter | Description |
| --- | --- |
| Name | (Required) The name of the backup plan. |
| Backup Vault | (Required) The vault to store backups in. |
| Backup Type | Application Backup: backs up cluster resources and the volumes used by applications. Data Protection: backs up volume data only (PVCs and PVs). For guidance on which type to choose, see What are the scenarios for application backups and data protection? |
| Select Namespace | Include: backs up only the namespaces listed in Backup Namespace. Exclude: backs up all namespaces except those listed. If a new namespace is created later, it is automatically included. This setting is only available when creating a backup plan; instant backups default to Include. |
| Backup Namespace | (Required) One or more namespaces to back up. The following system namespaces cannot be backed up: kube-system, kube-publish, kube-node-lease, and csdr. |
| Backup Volume | For Application Backup: Mounted Volumes backs up data to ECS snapshots (disk volumes) or Cloud Backup (all other volume types). Disable skips volume data and restores YAML files only. For Data Protection: All Volumes, Specified Types of Volumes, or Specified Volumes (by PVC). For more information, see In which scenarios do I need to back up volumes in application backups? |
| Storage | Valid when Backup Type is Data Protection and Backup Volume is Specified Types of Volumes. Specify the volume types to back up. |
| Persistent Volume Claims | Valid when Backup Type is Data Protection and Backup Volume is Specified Volumes. Specify the PVCs to back up. |
| Backup Cycle | (Required for backup plans) A Linux crontab expression or an interval. For example, `0 2 * * *` runs a backup daily at 2:00 AM. For more examples, see How do I specify the backup cycle when I create a backup plan? |

Advanced settings

| Parameter | Description |
| --- | --- |
| Specified Label | Back up only applications with this label. One label per plan. |
| Specified Resources | Comma-separated Kubernetes resource types to include. Example: deploy, configmap. |
| Excluded Resources | Comma-separated Kubernetes resource types to exclude. Example: pod, secret. |
| Validity Period | How long backups are retained before expiry. Range: 1–65,536 days. Expired backups cannot be restored. |

- On the Backup Plans tab, click View Backup Records in the Actions column to monitor the backup. A Completed status means the backup succeeded. To modify backup namespaces or the backup cycle, click Edit in the Actions column.
Run an instant backup
- On the Clusters page, click the cluster name. In the left-side navigation pane, choose Operations > Application Backup. The system checks whether the backup service component is installed. If it is not, follow the on-page instructions to install it. For registered clusters and ACK dedicated clusters, also configure permissions. See Install migrate-controller and grant permissions.
- On the Application Backup page, click Instant Backup. In the Instant Backup panel, configure the following parameters and click OK.

| Parameter | Description |
| --- | --- |
| Name | (Required) The name of the instant backup task. |
| Backup Vault | (Required) The vault to store the backup in. |
| Backup Type | Application Backup or Data Protection. See the backup plan table above for details. |
| Backup Namespace | (Required) One or more namespaces to back up. The kube-system, kube-publish, kube-node-lease, and csdr namespaces cannot be backed up. |
| Backup Volume | Same options as for backup plans. |
| Storage | Valid when Backup Type is Data Protection and Backup Volume is Specified Types of Volumes. |
| Persistent Volume Claims | Valid when Backup Type is Data Protection and Backup Volume is Specified Volumes. |

Advanced settings: Same options as for backup plans (Specified Label, Specified Resources, Excluded Resources, Validity Period).

- On the Backup Plans tab, check the Status column. A Completed status means the backup succeeded. To create a real-time backup task from a backup record, click Clone in the Actions column.
Step 3: Restore applications and volumes
The restore operation is non-destructive—it only creates resources that do not already exist in the target cluster and never overwrites existing resources. If the cluster already contains resources that conflict with the backup, delete them before restoring.
- On the Application Backup page, click Restore Instantly.
- In the Restore Instantly panel, configure the following parameters and click OK.

| Parameter | Description |
| --- | --- |
| Name | Lowercase letters and digits only. |
| Backup Vaults | Select the vault containing the backup. Click Initialize Backup Vault to associate the cluster with the vault (one-time setup). After initialization, select a backup file to restore from. |
| Select Backup | The backup file to restore. |
| Restore Namespace | One or more namespaces to restore. Leave blank to restore everything. If the backup includes cluster-level resources, leave this field blank. |
| Reset Namespace | To restore into a different namespace, click Add, select the source namespace, and specify the target namespace after the colon (`:`). For example: `old-namespace:new-namespace`. |
| Reset Image Repository | To use a different container image registry, click Add, enter the current registry address, and specify the new address after the colon (`:`). For example: `docker.io/library:registry.cn-hangzhou.aliyuncs.com/xxx`. |
| StorageClass Conversion | Converts the StorageClass of PVCs during restore. For example, convert NAS volumes to disk volumes by selecting the alicloud-disk StorageClass. Only FileSystem-type volumes (non-disk volumes backed up by Cloud Backup) support conversion. ReadWriteMany volumes cannot be converted to disk. For ReadOnlyMany volumes, make sure replicas are not mounted on multiple nodes simultaneously before converting to disk. |
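
The following dry run is an added example, not code from the backup center or from Alibaba Cloud. It models the restore rules of this step (Restore Namespace filtering, the source:target form of Reset Namespace and Reset Image Repository, and the rule that existing resources are never overwritten) so you can see before restoring which objects would be created and which would be silently skipped. The function names, the sample objects, the prefix-match rewrite of image addresses, and the dropping of cluster-level resources when a namespace filter is set are assumptions made for illustration.

```python
# Added example: dry run of the restore rules in this step. plan_restore and
# the sample objects are hypothetical names, not backup center APIs.

def parse_mapping(pair):
    """Split 'source:target' on the first colon (old-namespace:new-namespace)."""
    source, sep, target = pair.partition(":")
    if not (sep and source and target):
        raise ValueError(f"expected source:target, got {pair!r}")
    return source, target

def rewrite_image(image, registry_map):
    """Swap a registry prefix; assumes the mapping is a path-prefix match."""
    for old, new in registry_map.items():
        if image.startswith(old + "/"):
            return new + image[len(old):]
    return image

def plan_restore(backup, existing, namespaces=(), reset_ns=(), reset_registry=()):
    """Return (create, skip): what a restore would add and what it leaves alone."""
    ns_map = dict(parse_mapping(p) for p in reset_ns)
    registry_map = dict(parse_mapping(p) for p in reset_registry)
    create, skip = [], []
    for res in backup:
        # A non-empty Restore Namespace list filters by source namespace
        # (assumed to drop cluster-level resources, whose namespace is None).
        if namespaces and res["namespace"] not in namespaces:
            continue
        target_ns = ns_map.get(res["namespace"], res["namespace"])
        key = (res["kind"], target_ns, res["name"])
        if key in existing:
            skip.append(key)  # never overwritten: delete it first to restore it
            continue
        images = [rewrite_image(i, registry_map) for i in res.get("images", [])]
        create.append({"key": key, "images": images})
    return create, skip

# Constructed sample data: three backed-up objects and one pre-existing Service.
BACKUP = [
    {"kind": "Deployment", "namespace": "old-namespace", "name": "web",
     "images": ["docker.io/library/nginx:1.25"]},
    {"kind": "Service", "namespace": "old-namespace", "name": "web"},
    {"kind": "ClusterRole", "namespace": None, "name": "web-reader"},
]
EXISTING = {("Service", "new-namespace", "web")}

if __name__ == "__main__":
    create, skip = plan_restore(
        BACKUP, EXISTING, reset_ns=["old-namespace:new-namespace"],
        reset_registry=["docker.io/library:registry.cn-hangzhou.aliyuncs.com/xxx"])
    print("create:", create)
    print("skip (already exists):", skip)
```

Entries in the skip list are the ones to review: after a restore they still hold whatever the target cluster already had, not the backed-up state.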
Verify the restore
After restoring, confirm that applications, volumes, and Services are running correctly.
- In the left-side navigation pane of the restored cluster, choose Workloads > Deployments. Find the application and click Details in the Actions column. On the Pods tab, check that the status shows Running.
- Choose Volumes > Persistent Volume Claims. Confirm that the restored PVCs are listed.
- Choose Network > Services. Click the external endpoint of a Service to confirm it is accessible.
What's next
- Migrate applications across clusters that use different volume plug-ins or run different Kubernetes versions: Use the backup center to migrate applications in an ACK cluster that runs an old Kubernetes version
- Migrate applications across clusters in the same region: Migrate applications across clusters in the same region
- Migrate applications across regions: Migrate applications across clusters in different regions
- Use kubectl instead of the console: Use kubectl to back up and restore applications