Use a registered cluster to back up and restore applications within the same account when the backup and restore clusters belong to different accounts - Container Service for Kubernetes

To back up and restore applications across Alibaba Cloud accounts, create a registered cluster under the restore account and connect the backup cluster to it. This lets the backup center treat the cross-account operation as same-account, eliminating the account boundary during backup and restore.

How it works

Account roles

This workflow involves two accounts. Know which account you are using at each step — the instructions below label every step with the account context.

Role	Description
Backup account	Owns the backup cluster. Runs the source workloads.
Restore account	Owns the restore cluster and the registered cluster. Receives the restored workloads.

Limitations

The following limitations apply to cross-account backup and restore:

Category	Limitation
Kubernetes version	Both clusters must run Kubernetes 1.16 or later. Avoid migrating from a later Kubernetes version to an earlier one — apiVersion compatibility is not guaranteed.
Resources being deleted	The backup center does not back up resources that are being deleted.
NAS volumes across accounts	The sts-nas application cannot be backed up or restored across accounts through Virtual Private Clouds (VPCs). The restore cluster cannot read the original data stored in NAS.
FlexVolume	Application restoration is not supported in clusters that use FlexVolume or use csi-compatible-controller and FlexVolume.
ECS snapshots across accounts	ECS snapshots created in the registered cluster belong to the backup account. You cannot use the restore account to restore disks directly from these snapshots.
Ingresses and CronJobs	In Kubernetes 1.16, groups such as `apps` and `rbac.authorization.k8s.io` already support API version v1. After migrating to Kubernetes 1.28, manually restore Ingress and CronJob resources.

API version compatibility: The backup center restores resources to the API version recommended for the restore cluster. If no compatible API version exists between the source and target Kubernetes versions, you must deploy the resource manually. Examples:

Deployments in a cluster running Kubernetes 1.16 support extensions/v1beta1, apps/v1beta1, apps/v1beta2, and apps/v1. When restored to a cluster running Kubernetes 1.28, the API version is set to apps/v1.
Ingresses in a cluster running Kubernetes 1.16 support extensions/v1beta1 and networking.k8s.io/v1beta1. These cannot be restored to a cluster running Kubernetes 1.22 or later.

For API changes across Kubernetes versions, see Release notes for Kubernetes versions supported by ACK and the Deprecated API Migration Guide.

Different installation templates: The backup center installation template for registered clusters differs from the template for other Container Service for Kubernetes (ACK) clusters. If you connect or disconnect the backup cluster from the registered cluster and want to continue using the backup center, reinstall the backup center component in the registered cluster or backup cluster accordingly.

Cross-region restore: Create the registered cluster in the same region as the restore cluster, under the restore account. The backup cluster connects to the registered cluster and backs up data to the cloud over the Internet. Data is restored to the restore cluster over internal networks.

CNFS-managed NAS volumes: To restore backups to NAS volumes managed by CNFS (StorageClass: alibabacloud-cnfs-nas), create the StorageClass first. For more information, see Use CNFS to manage NAS file systems (recommended).

Prerequisites

Before you begin, make sure that:

Cloud Backup is activated. The backup center relies on Cloud Backup for file-based backups of NAS volumes, OSS buckets, local disk volumes, and hybrid cloud scenarios.
The restore cluster is created. To use Elastic Compute Service (ECS) snapshots to restore disk data, update the cluster to Kubernetes 1.18 or later. For more information, see Create an ACK managed cluster, Create an ACK dedicated cluster (discontinued), or Create a cluster registration proxy and register a Kubernetes cluster that is deployed in a data center.
Important
- The restore cluster must use the Container Storage Interface (CSI) plug-in. Application restoration is not supported in clusters that use FlexVolume or csi-compatible-controller and FlexVolume. - Before running a restore task, install and configure required system components in the restore cluster: - aliyun-acr-credential-helper: Grant permissions to the restore cluster and configure acr-configuration. - alb-ingress-controller: Configure an ALBConfig.
migrate-controller is installed and permissions are granted.
(Optional) To create disk snapshots for volume backup, install CSI 1.1.0 or later. For more information, see Manage the csi-plugin and csi-provisioner components.
A kubectl client is connected to the cluster.

Billing

The backup center is free. You may incur charges for the following related services:

OSS billing: An OSS bucket stores backup files such as YAML manifests.
Snapshot billing: Snapshots back up disk volumes.
- Starting 11:00 (UTC+8) on October 12, 2023, storage fees and feature usage fees for the instant access feature are no longer charged. For more information, see Use the instant access feature. - Snapshots created during backups for PL0 ESSD, PL1 ESSD, PL2 ESSD, PL3 ESSD, and ESSD AutoPL disks have the instant access feature enabled by default.
Cloud Backup pricing: Cloud Backup handles backups for volume types other than disk volumes.

Sample applications

The following sample applications demonstrate the backup and restore workflow. All three exist in the backup cluster.

Application	Volume type	PVC name	Backup required	Backup method
sts-disk	Disk volume	pvc-disk	Yes — requires data consistency; suspend writes before backup	Cloud Backup or ECS snapshots
sts-nas	NAS volume	pvc-nas	Yes — tolerates data written during backup; cannot be backed up or restored across accounts through VPCs	Cloud Backup
sts-oss	OSS volume	pvc-oss	No — restored via the original PVC and persistent volume (PV), mapped to the original OSS bucket	N/A

For information about creating applications with different volume types, see Storage - CSI.

Choose a backup solution for disk volumes

Disk volumes require a decision before you start: Cloud Backup or ECS snapshots. If your application does not use disk volumes, skip this section and use Cloud Backup throughout.

Dimension	Cloud Backup solution	ECS snapshot solution
How it works	Set `enable_ecs_snapshot: false` in the `csdr-config` ConfigMap to route disk volume backups through Cloud Backup. When restoring, set the StorageClass of the target volume to `alicloud-disk`.	Set `enable_ecs_snapshot: true` to use ECS snapshots for disk volumes. Share the snapshot from the backup account to the restore account, then manually create a VolumeSnapshotContent and VolumeSnapshot before running the restore task.
Advantages	No additional configuration beyond the ConfigMap change	Faster restore; guarantees data consistency within a single disk
Disadvantages	Slower backup and restore; cannot guarantee data consistency — suspend writes for longer periods if the application requires consistency	Manual steps required when many disk volumes are involved
Best for	Applications without strict consistency requirements, or when manual snapshot steps are impractical	Applications requiring consistent disk snapshots

(Optional) Step 1: Uninstall the backup center in the backup cluster

Account: backup account

Skip this step if the backup center (migrate-controller) is not installed in the backup cluster. If it is installed, uninstall it before proceeding — the backup center installation template for registered clusters differs from the template used for standard ACK clusters.

Log on to the ACK console with the backup account. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the backup cluster. In the left navigation pane, click Add-ons.
On the Add-ons page, click the Manage Applications tab.
Find the migrate-controller card and click Uninstall in the lower-right corner.
In the Uninstall message, click OK.

Step 2: Install the backup center in the registered cluster

Account: backup account

Create a registered cluster using the backup account and connect the backup cluster to it.
Install migrate-controller and grant permissions in the registered cluster.
The registered cluster is in the same region as the backup cluster, so you do not need to add a route to the internal network where your OSS bucket resides.

Step 3: Create a backup task in the registered cluster

Account: restore account (in the registered cluster)

Important

Run this step in the registered cluster under the restore account. Do not run it in the backup cluster under the backup account.

ECS snapshots are faster and guarantee data consistency, but snapshots of disk volumes belong to the backup account — they cannot be used directly in the restore account. Choose your approach based on the table in Choose a backup solution for disk volumes.

Cloud Backup solution

Use this solution when your application uses disk volumes and you want Cloud Backup to handle all volume types, or when your application does not use disk volumes at all.

Disable the ECS snapshot feature.
1. Edit the csdr-config ConfigMap:
```
kubectl -ncsdr edit cm csdr-config
```
2. Set enable_ecs_snapshot to false. Save and exit.
3. Restart the component for the change to take effect:
```
kubectl -ncsdr delete pod -l control-plane=csdr-controller
```
If the restore account does not have a backup vault, create one and associate it with the OSS bucket named cnfs-oss-* under the restore account. For more information, see Create a backup vault.
Create a backup task for sts-oss. For more information, see Create a backup plan or back up instantly.
- sts-oss uses the original OSS bucket directly — no volume data backup is needed. When configuring the backup task, set Backup Volume to Disable.
- sts-oss belongs to the oss namespace. Select the oss namespace when creating the task. If the namespace contains other applications, add labels to select only sts-oss.
- On the Backup Records tab of the Application Backup page, confirm the task status changes from InProgress to Completed. Click the backup record name and verify that sts-oss resources (StatefulSet, pod, PVC, PV, and the Secret storing the AccessKey pair) are all backed up.
Create a backup task for sts-nas and sts-disk. For more information, see Create a backup plan or back up instantly.
- Set Backup Volume to Mounted Volumes.
- Because enable_ecs_snapshot is false, Cloud Backup also handles disk volume data. To monitor progress, log on to the Cloud Backup console, click Container Backup in the left-side navigation pane, and check the Backup Jobs tab.

ECS snapshot solution

Use this solution when your application uses disk volumes and data consistency is critical.

Enable the ECS snapshot feature.
1. Edit the csdr-config ConfigMap:
```
kubectl -ncsdr edit cm csdr-config
```
2. Set enable_ecs_snapshot to true. Save and exit.
3. Restart the component for the change to take effect:
```
kubectl -ncsdr delete pod -l control-plane=csdr-controller
```
If the restore account does not have a backup vault, create one and associate it with the OSS bucket named cnfs-oss-* under the restore account. For more information, see Create a backup vault.
Create a backup task for sts-oss. For more information, see Create a backup plan or back up instantly.
- Set Backup Volume to Disable — sts-oss uses the original OSS bucket and does not require volume data backup.
- Select the oss namespace. Add labels to select only sts-oss if other applications are in the namespace.
- Confirm the backup completes on the Backup Records tab. Verify that all sts-oss resources are backed up.
Create a backup task named backup-nas-disk for sts-nas and sts-disk. For more information, see Create a backup plan or back up instantly.
- Set Backup Volume to Mounted Volumes.
- Disk volume data is backed up using ECS snapshots by default. To verify, log on to the ECS console, click Snapshots, and check the Disk Snapshots tab.
- NAS volume data is backed up using Cloud Backup. Monitor progress in the Cloud Backup console under Container Backup > Backup Jobs.

Step 4: Create a restore task in the restore cluster

Account: restore account (in the restore cluster)

Important

Before restoring, install and configure required components in the restore cluster:
Container Registry password-free image pulling component: Grant permissions and configure acr-configuration in the restore cluster.
ALB Ingress component: Configure an AlbConfig.
During restore, if a resource with the same name already exists in the cluster, the restore cluster skips it.

Service restore behavior:

Service type	Restore behavior
NodePort Services	Ports are retained by default during cross-cluster restore.
LoadBalancer Services with `ExternalTrafficPolicy: Local`	HealthCheckNodePort uses a random port by default. To retain the port, set `spec.preserveNodePorts: true` when creating the restore task.
Services using an existing SLB instance	The restored Service retains the original Server Load Balancer (SLB) instance, but all listeners are disabled by default. Configure listeners in the SLB console before the Service can receive traffic.
LoadBalancer Services managed by CCM	The cloud controller manager (CCM) creates new SLB instances during restore. For more information, see Considerations for configuring a LoadBalancer type Service.

Cloud Backup solution

Restore sts-oss.
1. On the Application Backup page, click Back up Now, then select and initialize a backup vault. Wait for the system to synchronize the backup file to the restore cluster.
2. Select the backup-oss backup file and create a restore task.
3. Verify sts-oss is running correctly in the restore cluster. Run kubectl exec to log on to the container and confirm data consistency.
Restore sts-nas and sts-disk using StorageClass conversion.
1. On the Application Backup page, click Back up Now and select backup-nas-disk. Select the alicloud-disk StorageClass for pvc-disk and the alibabacloud-cnfs-nas StorageClass for pvc-nas. alicloud-disk defaults to the alicloud-disk-topology-alltype StorageClass provided by the CSI plug-in. You can also create a custom StorageClass in the cluster for conversion.
2. Verify the applications and data in the restore cluster. Log on to the ECS console and confirm that a new disk is created under the restore account and mounted to the corresponding node.

ECS snapshot solution

Restore account — Restore sts-oss in the restore cluster.
1. On the Application Backup page, click Back up Now, select and initialize a backup vault, and wait for the backup file to sync to the restore cluster.
2. Select the backup-oss backup file and create a restore task.
3. Verify sts-oss is running correctly. Run kubectl exec to log on to the container and confirm data consistency.
Backup account — Log on to the ECS console and share the snapshot with the restore account. For more information, see Share a snapshot. Snapshots created by the backup center start with snapshot-. Find the correct snapshot by matching the creation time of the backup record.
Backup account — Record the PVC-to-snapshot mappings to simplify the manual restore steps.
1. In the ECS console, record the mapping between snapshot IDs and disk IDs.
2. Log on to the backup cluster and record which PVC maps to which disk. Run the following command to query the PVC, namespace, and disk ID for a given PV:
```
kubectl get pv <PV-Name> -o jsonpath='{"PVC: "}{.spec.claimRef.name}{"\nNamespace: "}{.spec.claimRef.namespace}{"\nVolumeHandle: "}{.spec.csi.volumeHandle}'
```
  Expected output:
```
PVC: <disk-pvc-name>
Namespace: <disk-pvc-namespace>
VolumeHandle: d-2ze323ra0h2v5lxxxxx
```
  - PVC: PVC name
  - Namespace: namespace of the PVC
  - VolumeHandle: disk ID
3. Combine the information from steps 1 and 2 to map each PVC to its corresponding snapshot ID.
Restore account — Log on to the Resource Management console and accept the shared snapshot. For more information, see Share a snapshot. The shared snapshot retains its original name in the restore account, but gets a new ID. Use the snapshot name and the mapping from step 3 to map each PVC to the new snapshot ID.
Restore account — Manually restore disk volumes in the restore cluster.
1. Use static provisioning to create a VolumeSnapshotContent and a VolumeSnapshot in the restore cluster. For more information, see Create a snapshot of a disk volume. Create the VolumeSnapshot in the same namespace as the target PVC. Set snapshotHandle in the VolumeSnapshotContent to the new snapshot ID.
2. Create a PVC with the same name as the original to reference the VolumeSnapshot. For more information, see Step 6 in Create a snapshot of a disk volume. The new PVC has the same configuration as the original, plus a dataSource parameter pointing to the VolumeSnapshot.
Restore account — Create a restore task for sts-nas and sts-disk. Because the disk volumes for sts-disk are already restored in step 5, the restore task skips them and mounts the PVC with the same name. For more information, see Restore applications and volumes.
1. On the Application Backup page, click Back up Now and select backup-nas-disk. Skip StorageClass conversion to use the original StorageClass — make sure it exists in the restore cluster.
2. Verify the applications and data in the restore cluster. Log on to the ECS console and confirm that a new disk is created under the restore account and mounted to the corresponding node.

(Optional) Step 5: Disconnect the backup cluster and reinstall the backup center

If you no longer need cross-account backup or restore, disconnect the backup cluster from the registered cluster. If you want to continue using the backup center in the backup cluster after disconnecting, uninstall and reinstall the backup center component there.

What's next

To migrate applications across clusters using different volume plug-ins or Kubernetes versions, see Use the backup center to migrate applications in an ACK cluster that runs an old Kubernetes version.
To migrate applications between clusters in the same region, see Migrate applications across clusters in the same region.
To migrate applications across regions, see Migrate applications across clusters in different regions.
To use kubectl for backup and restore, see Use kubectl to back up and restore applications.