
Container Service for Kubernetes:Install migrate-controller and configure permissions

Last Updated: Mar 26, 2026

The backup center lets you back up, restore, and migrate applications, enabling application disaster recovery and migration in multi-cluster and hybrid cloud environments. To use the backup center, you must install the migrate-controller backup service component and configure the required permissions to enable backup capabilities.

Prerequisites

Background

As more applications run on Kubernetes, periodic backups become crucial. The backup center helps prevent extended service interruptions caused by unexpected events. Unlike traditional server or disk backups, Kubernetes-native application backup focuses on the applications themselves, including their data, resource objects, configurations, and entire namespaces.

Notes

  • For ACK Serverless Pro clusters and ACK Edge clusters, the installation and permission requirements for the backup center are the same as for ACK managed clusters. For more information, see ACK managed cluster.

    ACK Serverless Basic clusters do not support the backup center.

  • Backing up volumes is not supported when using the backup center with ACK Serverless Pro clusters or ACK Edge clusters.

  • For an ACK Edge cluster, the migrate-controller backup service component is installed on cloud-side nodes by default and accesses OSS over the internal network.

ACK managed cluster

Step 1: Install migrate-controller

Note

If this is your first time using the backup center, you must install the backup service component. If the component is already installed, you can skip this step.

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Operations > Application Backup.

  3. On the Application Backup page, click Install.

    The system automatically detects a backup vault. If one is not found, you must create one. For more information, see Create a backup vault.

    • After the backup service component is installed, a namespace named csdr is created. Do not delete this namespace.

    • If an older version of the component is installed, click Upgrade on the Application Backup page to update it to the latest version.

Step 2: Configure permissions

  • OSS permissions

    For an ACK managed cluster, we recommend that you use an OSS bucket whose name starts with cnfs-oss-*** as the backup vault for the backup center. In this case, no OSS permission configuration is required. If you use other buckets, you must configure the required OSS permissions as described in the ACK dedicated cluster section. For more information, see Step 1: Configure permissions.

  • Disk snapshot and Cloud Backup permissions

    For ACK managed clusters, you do not need to configure permissions for disk snapshots or Cloud Backup.

(Optional) Step 3: Grant Cloud Backup permission to use API Gateway

If you run backup or restore jobs for a cluster in the China (Ulanqab), China (Heyuan), or China (Guangzhou) region, you must grant Cloud Backup permission to use API Gateway. This authorization is required only once for each Alibaba Cloud primary account.

Note

Starting from v1.8.4, the migrate-controller backup component supports using Cloud Backup to back up volumes for clusters in the China (Ulanqab), China (Heyuan), or China (Guangzhou) region. Supported volume types include OSS, NAS, CPFS, local storage, and volume data in hybrid cloud scenarios.

  1. Log on to the Cloud Backup console.

  2. In the navigation pane on the left, choose Backup > Container Backup.

  3. In the upper-left corner of the top navigation bar, select the region where the cluster is located: China (Ulanqab), China (Heyuan), or China (Guangzhou).

  4. In the Cloud Backup Authorization dialog box, click Confirm.

ACK dedicated clusters

Step 1: Configure permissions

Important

The migrate-controller component of v1.7.7 and later supports cross-region restoration of Alibaba Cloud disk storage backups. To use this feature, add the required permissions for ECS disk snapshots to the original RAM user by using the following custom policy template.

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create a custom policy. For more information, see Create a custom policy on the JSON tab.

    In the following policy, oss:**** specifies the permissions for Object Storage Service (OSS), ecs:**** specifies the permissions for ECS disk snapshots, and hbr:**** specifies the permissions for Cloud Backup.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2",
            "hbr:CancelBackupJob",
            "hbr:CancelRestoreJob"
          ],
          "Resource": "*"
        }
      ]
    }

    The preceding policy grants permissions on all OSS buckets. If you need to specify read and write permissions for a specific OSS bucket, modify the policy as shown in the following example. Replace mybackups in the policy with the name of your OSS bucket. For more information about how to configure fine-grained OSS permissions, see Use RAM to control access to OSS.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": [
            "acs:oss:*:*:mybackups",
            "acs:oss:*:*:mybackups/*"
          ],
          "Effect": "Allow"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2",
            "hbr:CancelBackupJob",
            "hbr:CancelRestoreJob"
          ],
          "Resource": "*"
        }
      ]
    }
  3. Grant the custom permissions to the RAM user. For more information, see Manage RAM user permissions.

  4. Create an AccessKey pair for the RAM user. For more information, see Obtain an AccessKey pair.

  5. Create a Secret in the ACK dedicated cluster.

    To ensure that your AccessKey pair is used securely only within your cluster, you must first create a Secret named alibaba-addon-secret in the cluster by using your AccessKey information. This reduces the risk of credential leaks.

    1. Run the following command to create the csdr namespace:

      kubectl create ns csdr
    2. Run the following command to create the Secret named alibaba-addon-secret:

      kubectl -n csdr create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'

      Replace <your AccessKey ID> and <your AccessKey Secret> with the AccessKey pair that you obtained in the previous step.

      Note

      If you create the Secret after you install the migrate-controller component, restart the migrate-controller component in the kube-system namespace after you create the Secret.

Step 2: Install the migrate-controller component

See Install the migrate-controller backup service component.

(Optional) Step 3: Grant API Gateway permissions to Cloud Backup

This authorization is required only when you back up or restore a cluster in the China (Ulanqab), China (Heyuan), or China (Guangzhou) region. For more information about how to grant the permissions, see (Optional) Step 3: Grant API Gateway permissions to Cloud Backup.

Register a cluster

Important

migrate-controller versions 1.7.7 and later support cross-region restoration for Alibaba Cloud disk backups. Update onectl to version 1.1.0 and run the onectl ram-user revoke --addon migrate-controller command to update the permissions for the original RAM user.

Install components and configure permissions using onectl (Recommended)

  1. Install and configure onectl on your local machine. For more information, see Manage registered clusters using onectl.

  2. Run the following command to configure RAM permissions for the migrate-controller component.

    onectl ram-user grant --addon migrate-controller

    Expected output:

    Ram policy ack-one-registered-cluster-policy-migrate-controller granted to ram user ack-one-user-ce313528c3 successfully.
  3. Run the following command to install the backup service component.

    onectl addon install migrate-controller

    Expected output:

    Addon migrate-controller, version **** installed.

    onectl configures OSS permissions for all OSS buckets. If you need to configure permissions for a specific OSS bucket, modify the permissions that onectl generates, or manually install components and configure permissions.

    Modify OSS permissions: Replace the content of the custom policy that you created with the following. To learn how to modify a policy, see Modify the content and description of a custom policy.

    Note

    Replace mybackups in the following policy with the name of your OSS bucket. For more information about fine-grained OSS authorization, see Manage OSS permissions using RAM.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": [
            "acs:oss:*:*:mybackups",
            "acs:oss:*:*:mybackups/*"
          ],
          "Effect": "Allow"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2",
            "hbr:CancelBackupJob",
            "hbr:CancelRestoreJob"
          ],
          "Resource": "*"
        }
      ]
    }
  4. (Optional) Configure a route to the internal CIDR block of OSS in the same region as the registered cluster.

    For registered clusters connected to a cloud VPC through CEN, Express Connect, or VPN, the backup center automatically accesses the OSS domain name over the internal network to increase the speed of data retrieval for backups. This occurs when the registered cluster and OSS are in the same region. In this case, you must configure a route to the internal CIDR block of OSS for that region.

  5. (Optional) Grant the Cloud Backup service permissions to use API Gateway.

    You must grant these permissions only when you back up or restore a cluster in the China (Ulanqab), China (Heyuan), or China (Guangzhou) region. For instructions, see (Optional) Step 3: Grant the Cloud Backup service permissions to use API Gateway.

Install components and configure permissions from the console

Step 1: Configure permissions

Create a RAM user for the registered cluster, grant the RAM user permissions to access cloud resources, and then create an AccessKey.

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create a custom policy as shown in the following example. For more information, see Create a custom policy using the script editor.

    In the following policy, actions that start with oss: are OSS permissions, actions that start with ecs: are permissions related to ECS disk snapshots, and actions that start with hbr: are Cloud Backup permissions.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2",
            "hbr:CancelBackupJob",
            "hbr:CancelRestoreJob"
          ],
          "Resource": "*"
        }
      ]
    }

    The preceding policy grants permissions on all OSS buckets. If you need to specify read and write permissions for a specific OSS bucket, modify the policy as shown in the following example. Replace mybackups in the policy with the name of your OSS bucket. For more information about fine-grained OSS authorization, see Manage OSS permissions using RAM.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": [
            "acs:oss:*:*:mybackups",
            "acs:oss:*:*:mybackups/*"
          ],
          "Effect": "Allow"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2",
            "hbr:CancelBackupJob",
            "hbr:CancelRestoreJob"
          ],
          "Resource": "*"
        }
      ]
    }
  3. Grant the custom policy that you created to the RAM user. For more information, see Manage permissions for a RAM user.

  4. Create an AccessKey for the RAM user. For more information, see Obtain an AccessKey.

  5. Create a Secret in the cluster.

    To ensure that your AccessKey information is used securely only within your cluster, first deploy a Secret named alibaba-addon-secret in the cluster using your AccessKey information. This reduces the risk of information leaks.

    1. Run the following command to create the csdr namespace.

      kubectl create ns csdr
    2. Run the following command to create a Secret named alibaba-addon-secret.

      kubectl -n csdr create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'

      Replace <your AccessKey ID> and <your AccessKey Secret> in the command with the AccessKey information that you obtained in the previous step.
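The all-buckets policy and its bucket-scoped variant shown in step 2 (and identically in the ACK dedicated cluster and onectl procedures earlier on this page) differ only in the Resource element of the OSS statement. The following Python script is an added example, not code from this page or from the migrate-controller component: it audits a RAM policy document for OSS statements that still grant access to every bucket and rewrites them to the two bucket-scoped resource strings the page uses. The embedded template is constructed from the page and abbreviates the ECS and HBR statements; the function and variable names are the example's own.

```python
import copy
import json

# Constructed from the page's all-buckets template. The ECS and HBR statements
# are abbreviated because scoping leaves them untouched.
ALL_BUCKETS_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:PutObject", "oss:GetObject", "oss:DeleteObject",
                "oss:GetBucket", "oss:ListObjects", "oss:ListBuckets",
                "oss:GetBucketStat",
            ],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": ["ecs:CreateSnapshot", "ecs:DescribeSnapshots"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """RAM allows Action and Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_oss_allow(stmt):
    return stmt.get("Effect") == "Allow" and any(
        a.startswith("oss:") for a in _as_list(stmt.get("Action", []))
    )


def audit_oss_scope(policy):
    """Return findings for OSS Allow statements whose Resource covers every bucket.

    "*" and any resource string ending in ":*" (for example acs:oss:*:*:*) are
    reported; bucket-scoped strings such as acs:oss:*:*:mybackups/* are not.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if not _is_oss_allow(stmt):
            continue
        wide = [r for r in _as_list(stmt.get("Resource", []))
                if r == "*" or r.endswith(":*")]
        if wide:
            findings.append(
                f"Statement[{i}] grants OSS actions on every bucket via {wide}")
    return findings


def scope_oss_to_bucket(policy, bucket):
    """Return a copy of the policy with every OSS Allow statement restricted to
    one bucket and the objects in it, exactly as the page's scoped policy does."""
    if not bucket or "*" in bucket or "/" in bucket:
        raise ValueError("bucket must be a single concrete bucket name")
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        if _is_oss_allow(stmt):
            stmt["Resource"] = [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"]
    return scoped


def scoped_policy_json(policy, bucket):
    """The scoped policy as text ready to paste into the RAM console JSON editor."""
    return json.dumps(scope_oss_to_bucket(policy, bucket), indent=2)


if __name__ == "__main__":
    # "mybackups" is the page's placeholder bucket name; substitute your own.
    for line in audit_oss_scope(ALL_BUCKETS_POLICY):
        print("finding:", line)
    print(scoped_policy_json(ALL_BUCKETS_POLICY, "mybackups"))
```

Run the audit against the policy text you actually attached to the RAM user (load it with json.loads) rather than against the template: the check only catches OSS statements, so the ECS and HBR statements keep the "*" resource the page prescribes.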
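Step 5 above (and the identical step in the ACK dedicated cluster procedure) creates the alibaba-addon-secret Secret with kubectl --from-literal, which places the AccessKey Secret on the command line and therefore in the shell history. The following Python script is an added example, not code from this page or from the migrate-controller component: it builds the same Secret manifest from environment variables instead, and checks an existing manifest (for example the output of kubectl get secret -n csdr alibaba-addon-secret -o json) for the name, namespace and data keys the component expects. The environment variable names and the function names are the example's own assumptions.

```python
import base64
import binascii
import json
import os
import sys

# Values fixed by the page: the component looks for this Secret in this namespace.
SECRET_NAME = "alibaba-addon-secret"
SECRET_NAMESPACE = "csdr"
REQUIRED_KEYS = ("access-key-id", "access-key-secret")


def build_addon_secret(access_key_id, access_key_secret):
    """Return the manifest that 'kubectl -n csdr create secret generic' would create."""
    if not access_key_id or not access_key_secret:
        raise ValueError("both the AccessKey ID and the AccessKey Secret are required")

    def b64(text):
        return base64.b64encode(text.encode()).decode()

    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": SECRET_NAME, "namespace": SECRET_NAMESPACE},
        "data": {
            "access-key-id": b64(access_key_id),
            "access-key-secret": b64(access_key_secret),
        },
    }


def decoded_value(manifest, key):
    """Decode one data entry of a Secret manifest to text."""
    return base64.b64decode(manifest["data"][key], validate=True).decode()


def check_addon_secret(manifest):
    """Return a list of problems; an empty list means the Secret matches what the
    page requires (kind, name, namespace, both keys present, non-empty and not
    still holding the <your ...> placeholders)."""
    problems = []
    if manifest.get("kind") != "Secret":
        problems.append("kind is not Secret")
    meta = manifest.get("metadata", {})
    if meta.get("name") != SECRET_NAME:
        problems.append(f"name is not {SECRET_NAME}")
    if meta.get("namespace") != SECRET_NAMESPACE:
        problems.append(f"namespace is not {SECRET_NAMESPACE}")
    data = manifest.get("data", {})
    for key in REQUIRED_KEYS:
        raw = data.get(key)
        if raw is None:
            problems.append(f"data key {key} is missing")
            continue
        try:
            value = base64.b64decode(raw, validate=True).decode()
        except (binascii.Error, UnicodeDecodeError):
            problems.append(f"data key {key} is not valid base64 text")
            continue
        if not value.strip():
            problems.append(f"data key {key} is empty")
        elif value.startswith("<"):
            problems.append(f"data key {key} still holds a placeholder")
    return problems


if __name__ == "__main__":
    # Assumed variable names; pipe the output to: kubectl apply -f -
    manifest = build_addon_secret(
        os.environ.get("ALIBABA_CLOUD_ACCESS_KEY_ID", ""),
        os.environ.get("ALIBABA_CLOUD_ACCESS_KEY_SECRET", ""),
    )
    for problem in check_addon_secret(manifest):
        print("problem:", problem, file=sys.stderr)
    json.dump(manifest, sys.stdout, indent=2)
```

The checker is also useful after the fact: if backups fail with authentication errors, running it on the live Secret distinguishes a missing or mistyped key from a permission problem on the RAM user, without printing the credential itself.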

Step 2: Install the migrate-controller backup service component

See Install the migrate-controller backup service component.

(Optional) Step 3: Configure a route to the internal CIDR block of OSS in the same region as the registered cluster

For registered clusters connected to a cloud VPC through CEN, Express Connect, or VPN, the backup center automatically accesses the OSS domain name over the internal network to increase the speed of data retrieval for backups. This occurs when the registered cluster and OSS are in the same region. In this case, you must configure a route to the internal CIDR block of OSS for that region.

(Optional) Step 4: Grant the Cloud Backup service permissions to use API Gateway

You must grant these permissions only when you back up or restore a cluster in the China (Ulanqab), China (Heyuan), or China (Guangzhou) region. For instructions, see (Optional) Step 3: Grant the Cloud Backup service permissions to use API Gateway.