
Container Service for Kubernetes: Install migrate-controller and grant permissions

Last Updated: Jan 25, 2025

The Backup Center is utilized for application backup, recovery, and migration. To enable these capabilities, install the migrate-controller backup service component and configure the necessary permissions, thus ensuring data disaster recovery and application migration across multi-cluster and hybrid environments.

Prerequisites

  • Activate the related cloud services:

    • Cloud Backup is activated. For billing details, see Cloud Backup Billing Methods and Billable Items. Cloud Backup is used to back up data from file system type storage volumes (OSS, NAS, CPFS, local storage, and storage volumes in hybrid cloud scenarios). Before use, activate Cloud Backup and configure its permissions. For more information, see the following sections.

    • OSS is activated. For billing details, see OSS Billing Overview. The Backup Center currently uses only Alibaba Cloud OSS to store application backups. Before using OSS, configure its permissions. For more information, see the following sections.

    • ECS Snapshot is activated. Activating the ECS Snapshot service is free of charge; charges are based on snapshot size and duration after a snapshot is created. For more information, see Snapshot Billing. To use ECS Snapshot to back up volumes that use Alibaba Cloud disks, enable ECS Snapshot and grant the necessary permissions. For more information, see the following sections.

  • Prepare the cluster:

    • Create a cluster of version 1.18 or later. See Create an ACK Managed Cluster, Create an ACK Dedicated Cluster, Create an ACK Serverless Cluster, Create an ACK Edge Cluster, or Create a Registered Cluster and Connect to a Data Center Cluster. For information about upgrading a cluster, see Manually Upgrade a Cluster.

    • If you use an ACK managed cluster, create a bucket whose name starts with the prefix cnfs-oss-**** (for example, cnfs-oss-backup) to facilitate minimal permission management and to store backup templates.

    • The cluster is connected through the kubectl tool.

    • The Backup Center does not support clusters that use FlexVolume. To use the backup feature, migrate to CSI. For clusters with FlexVolume installed but no data stored, we recommend switching to the Container Storage Interface (CSI) plug-in. For specific operations, see Migrate FlexVolume to CSI for Clusters without Storage. For other scenarios, join the DingTalk group 35532895 to request technical support.

Background information

As more applications are deployed on Kubernetes, regular backups become increasingly important. The Backup Center can effectively prevent prolonged service interruptions due to unexpected events. Unlike traditional single-machine or disk backups, Kubernetes-based application backup focuses on the applications running on Kubernetes, their data, resource objects, configurations, and the entire namespace.

Notes

  • ACK Serverless cluster Pro Edition and ACK Edge cluster have the same installation and permission configuration requirements as the ACK managed cluster when they use the Backup Center. For detailed procedures, see ACK managed cluster.

    The Basic Edition of the ACK Serverless cluster is not supported.

  • ACK Serverless cluster Pro Edition and ACK Edge cluster do not support backing up storage volumes through the Backup Center.

  • In an ACK Edge cluster, the migrate-controller backup service component is installed on cloud nodes by default and accesses OSS over the internal network.

ACK managed cluster

Step 1: Install migrate-controller backup service component

Note

If you are using the Backup Center feature for the first time, you need to install the backup service component. If it is already installed, you can skip this step.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose Operations > Application Backup.

  3. On the Application Backup page, click Start Installation.

    The system automatically detects the backup repository. If no backup repository exists yet, see Create a Backup Repository.

    • Once the backup service component has been installed, a namespace called csdr will be created. This namespace should not be deleted.

    • If the component is installed but not up to date, click Start Upgrade on the Application Backup page, and the system will automatically upgrade the application backup service component to the latest version.

Step 2: Grant related permissions

  • OSS Permissions

    For an ACK managed cluster, we recommend using an OSS bucket whose name starts with the prefix cnfs-oss-*** as the backup repository for the Backup Center. Such a bucket requires no additional OSS permissions. If you use a different bucket, you must configure the necessary OSS permissions in the same way as for an ACK dedicated cluster. For more information, see Step 1: Grant related permissions.

  • ECS Snapshot and Cloud Backup Permissions

    For an ACK managed cluster, ECS Snapshot and Cloud Backup permissions are not required.

(Optional) Step 3: Grant API Gateway permissions to Cloud Backup

If you need to perform backup or restore jobs in clusters located in China (Ulanqab), China (Heyuan), or China (Guangzhou), you must grant API Gateway permissions to Cloud Backup using your Alibaba Cloud account when you use it for the first time. Each Alibaba Cloud account only needs to grant permissions once.

Note

Starting with version 1.8.4, the migrate-controller backup service component now allows the use of Cloud Backup for backing up storage volumes in clusters located in China (Ulanqab), China (Heyuan), or China (Guangzhou). This includes support for a variety of storage volume types such as OSS, NAS, CPFS, local storage, and volumes in hybrid cloud environments.

  1. Log on to the Cloud Backup console.

  2. In the left-side navigation pane, choose Backup > Container Backup.

  3. In the upper left corner of the top menu bar, select the region where the cluster is located, that is, China (Ulanqab), China (Heyuan), or China (Guangzhou).

  4. In the Cloud Backup Authorization dialog box that appears, click Confirm Authorization.

ACK dedicated cluster

Step 1: Grant related permissions

Important

migrate-controller 1.7.7 and later versions support cross-region restoration of Alibaba Cloud disks. To use this feature, grant the RAM user the ECS Snapshot permissions based on the following custom policy template.

  1. Create a RAM user. For specific operations, see Create a RAM User.

  2. Create the following custom policy. For specific operations, see Create a Custom Policy in Script Edit Mode.

    The following policy script includes oss:**** for Object Storage Service policies, ecs:**** for ECS Snapshot policies, and hbr:**** for Cloud Backup policies.


    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2",
            "hbr:CancelBackupJob",
            "hbr:CancelRestoreJob"
          ],
          "Resource": "*"
        }
      ]
    }

    The preceding policy grants permissions on all OSS buckets. If you need to specify read and write permissions for OSS, modify the policy based on the following example. Replace mybackups in the following policy script with your OSS bucket name. For more information about fine-grained OSS authorization configuration, see Manage OSS Permissions through RAM.


    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": [
            "acs:oss:*:*:mybackups",
            "acs:oss:*:*:mybackups/*"
          ],
          "Effect": "Allow"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2",
            "hbr:CancelBackupJob",
            "hbr:CancelRestoreJob"
          ],
          "Resource": "*"
        }
      ]
    }

  3. Attach the custom policy to the RAM user. For specific operations, see Grant Permissions to a RAM User.

  4. Create an AccessKey for the RAM user. For specific operations, see Obtain an AccessKey.

  5. Create a Secret within the ACK dedicated cluster.

    To use your AccessKey information securely within the cluster, store it in a Secret named alibaba-addon-secret that holds the AccessKey ID and AccessKey secret. This minimizes the risk of leakage.

    1. Run the following command to create a namespace named csdr.

      kubectl create ns csdr

    2. Run the following command to create a Secret named alibaba-addon-secret.

      kubectl -n csdr create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'

      Replace <your AccessKey ID> and <your AccessKey Secret> in the above code with your actual AccessKey information obtained in the previous step.

      Note

      If you create the Secret after installing the migrate-controller component, restart the migrate-controller component in the kube-system namespace so that it loads the new credentials.
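
The bucket-scoped policy in step 2 above is the least-privilege form of the broad policy. The following Python script is an added example (not code from this page, from migrate-controller, or from Alibaba Cloud): it applies that bucket scoping to the broad policy programmatically and lints the result, flagging any oss statement that still uses "Resource": "*", any wildcard action, and any drift from the action list on this page. The action lists are copied from the policies above; the bucket name cnfs-oss-backup is a constructed placeholder.

```python
"""Scope the Backup Center RAM policy to one OSS bucket and lint it for
least privilege. Added example; not part of migrate-controller or onectl.
Action lists are copied from the policy on this page; the bucket name used
in __main__ is a constructed placeholder."""
import copy
import json
import re

# Action lists exactly as they appear in the policy on this page.
OSS_ACTIONS = ["oss:PutObject", "oss:GetObject", "oss:DeleteObject", "oss:GetBucket",
               "oss:ListObjects", "oss:ListBuckets", "oss:GetBucketStat"]
ECS_ACTIONS = ["ecs:CreateSnapshot", "ecs:DeleteSnapshot", "ecs:DescribeSnapshotGroups",
               "ecs:CreateAutoSnapshotPolicy", "ecs:ApplyAutoSnapshotPolicy",
               "ecs:CancelAutoSnapshotPolicy", "ecs:DeleteAutoSnapshotPolicy",
               "ecs:DescribeAutoSnapshotPolicyEX", "ecs:ModifyAutoSnapshotPolicyEx",
               "ecs:DescribeSnapshots", "ecs:DescribeInstances", "ecs:CopySnapshot",
               "ecs:CreateSnapshotGroup", "ecs:DeleteSnapshotGroup"]
HBR_ACTIONS = ["hbr:CreateVault", "hbr:CreateBackupJob", "hbr:DescribeVaults",
               "hbr:DescribeBackupJobs2", "hbr:DescribeRestoreJobs",
               "hbr:SearchHistoricalSnapshots", "hbr:CreateRestoreJob",
               "hbr:AddContainerCluster", "hbr:DescribeContainerCluster",
               "hbr:DescribeRestoreJobs2", "hbr:CancelBackupJob", "hbr:CancelRestoreJob"]

# The broad policy from this page: every statement uses "Resource": "*".
BROAD_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": list(OSS_ACTIONS), "Resource": "*"},
    {"Effect": "Allow", "Action": list(ECS_ACTIONS), "Resource": "*"},
    {"Effect": "Allow", "Action": list(HBR_ACTIONS), "Resource": "*"},
]}

# OSS bucket names: 3-63 chars, lowercase letters, digits and hyphens,
# starting and ending with a letter or digit.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")


def _as_list(value):
    """RAM allows a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def scope_oss_to_bucket(policy, bucket):
    """Return a copy of policy whose oss: statements are limited to one bucket,
    using the acs:oss:*:*:<bucket> and acs:oss:*:*:<bucket>/* resource forms."""
    if not BUCKET_RE.match(bucket):
        raise ValueError(f"invalid OSS bucket name: {bucket!r}")
    scoped = copy.deepcopy(policy)  # never mutate the caller's policy
    for stmt in scoped["Statement"]:
        if any(a.startswith("oss:") for a in _as_list(stmt.get("Action", []))):
            stmt["Resource"] = [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"]
    return scoped


def lint_policy(policy, bucket):
    """Return least-privilege findings; an empty list means the policy grants
    exactly this page's action set and its OSS access is scoped to `bucket`."""
    findings, granted = [], set()
    expected_oss = {f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"}
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        granted.update(actions)
        for a in actions:
            if "*" in a:  # e.g. oss:* grants far more than the Backup Center needs
                findings.append(f"statement {i}: wildcard action {a}")
        if any(a.startswith("oss:") for a in actions) and set(resources) != expected_oss:
            findings.append(f"statement {i}: OSS resource not scoped to bucket {bucket}: {resources}")
    required = set(OSS_ACTIONS) | set(ECS_ACTIONS) | set(HBR_ACTIONS)
    findings += [f"missing required action {a}" for a in sorted(required - granted)]
    findings += [f"extra action not needed by the Backup Center: {a}" for a in sorted(granted - required)]
    return findings


if __name__ == "__main__":
    bucket = "cnfs-oss-backup"  # constructed placeholder bucket name
    scoped = scope_oss_to_bucket(BROAD_POLICY, bucket)
    print(json.dumps(scoped, indent=2))
    print("broad policy findings:", lint_policy(BROAD_POLICY, bucket))
    print("scoped policy findings:", lint_policy(scoped, bucket))
```

Run the linter against the policy actually attached to the RAM user (exported from the RAM console) before creating the AccessKey, so an accidental "Resource": "*" on the OSS statement is caught before the credentials are placed in the cluster.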

Step 2: Install migrate-controller backup service component

Install the migrate-controller backup service component. For specific operations, see Step 1: Install Migrate-Controller Backup Service Component.

(Optional) Step 3: Grant API Gateway permissions to Cloud Backup

Authorization is only required when backing up or restoring clusters located in China (Ulanqab), China (Heyuan), or China (Guangzhou). For authorization operations, see (Optional) Step 3: Grant API Gateway Permissions to Cloud Backup.

Registered cluster

Important

migrate-controller 1.7.7 and later versions support cross-region restoration of Alibaba Cloud disk storage backups. Update onectl to version 1.1.0 and run the onectl ram-user revoke --addon migrate-controller command to grant additional permissions to the RAM user.

Install components and configure permissions using onectl (recommended)

  1. Install and configure onectl on your on-premises machine. For specific operations, see Manage Registered Clusters Using onectl.

  2. Run the following command to grant RAM permissions to the migrate-controller component.

    onectl ram-user grant --addon migrate-controller

    Expected results:

    Ram policy ack-one-registered-cluster-policy-migrate-controller granted to ram user ack-one-user-ce313528c3 successfully.
  3. Run the following command to install the backup service component.

    onectl addon install migrate-controller

    Expected results:

    Addon migrate-controller, version **** installed.

    The OSS permissions configured by onectl cover all OSS buckets. If you need to configure permissions for a specific OSS bucket, modify the OSS permissions generated by onectl, or choose Install components and configure permissions using the console.

    Modify OSS Permissions: Update the custom policy with the content provided below. For guidance on policy modification, see Modifying a Custom Policy.

    Note

    Replace mybackups with your OSS bucket name in the policy code below. For detailed information on configuring fine-grained OSS permissions, see Manage OSS permissions through RAM.


    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": [
            "acs:oss:*:*:mybackups",
            "acs:oss:*:*:mybackups/*"
          ],
          "Effect": "Allow"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2",
            "hbr:CancelBackupJob",
            "hbr:CancelRestoreJob"
          ],
          "Resource": "*"
        }
      ]
    }

  4. (Optional) Create routes that point to the internal network of the region where the registered cluster and OSS bucket reside.

    If the registered cluster is connected to a VPC through CEN, Express Connect, or VPN and resides in the same region as the OSS bucket, the Backup Center accesses the internal endpoint of the OSS bucket by default to increase download speed. Therefore, you need to create routes that point to the internal network of the region where the OSS bucket resides.

  5. (Optional) Grant API Gateway Permissions to Cloud Backup.

    Authorization is required only when backing up or restoring clusters located in China (Ulanqab), China (Heyuan), or China (Guangzhou). For authorization operations, see (Optional) Step 3: Grant API Gateway Permissions to Cloud Backup.

Install components and configure permissions using the console

Step 1: Grant related permissions

Create a RAM user for the registered cluster, grant the RAM user access to cloud resources, and then create an AccessKey pair for the RAM user.

  1. Create a RAM user. For specific operations, see Create a RAM User.

  2. Create the following custom policy. For specific operations, see Create a Custom Policy in Script Edit Mode.

    The following policy script includes oss:**** for Object Storage Service policies, ecs:**** for ECS Snapshot policies, and hbr:**** for Cloud Backup policies.


    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2",
            "hbr:CancelBackupJob",
            "hbr:CancelRestoreJob"
          ],
          "Resource": "*"
        }
      ]
    }

    The preceding policy grants permissions on all OSS buckets. If you need to specify read and write permissions for OSS, modify the policy based on the following example. Replace mybackups in the following policy script with your OSS bucket name. For more information about fine-grained OSS authorization configuration, see Manage OSS Permissions through RAM.


    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": [
            "acs:oss:*:*:mybackups",
            "acs:oss:*:*:mybackups/*"
          ],
          "Effect": "Allow"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2",
            "hbr:CancelBackupJob",
            "hbr:CancelRestoreJob"
          ],
          "Resource": "*"
        }
      ]
    }

  3. Attach the custom policy to the RAM user. For specific operations, see Grant Permissions to a RAM User.

  4. Create an AccessKey for the RAM user. For specific operations, see Obtain an AccessKey.

  5. Create a Secret in the cluster.

    To use your AccessKey information securely within the cluster, store it in a Secret named alibaba-addon-secret that holds the AccessKey ID and AccessKey secret. This minimizes the risk of leakage.

    1. Run the following command to create a namespace named csdr.

      kubectl create ns csdr

    2. Run the following command to create a Secret named alibaba-addon-secret.

      kubectl -n csdr create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'

      Replace <your AccessKey ID> and <your AccessKey Secret> in the above code with your actual AccessKey information obtained in the previous step.

Step 2: Install migrate-controller backup service component

Install the migrate-controller backup service component. For specific operations, see Step 1: Install Migrate-Controller Backup Service Component.

(Optional) Step 3: Create routes that point to the internal network of the region where the registered cluster and OSS bucket reside

If the registered cluster is connected to a VPC through CEN, Express Connect, or VPN and resides in the same region as the OSS bucket, the Backup Center accesses the internal endpoint of the OSS bucket by default to increase download speed. Therefore, you need to create routes that point to the internal network of the region where the OSS bucket resides.

(Optional) Step 4: Grant API Gateway permissions to Cloud Backup

Authorization is required only when backing up or restoring clusters located in China (Ulanqab), China (Heyuan), or China (Guangzhou). For authorization operations, see (Optional) Step 3: Grant API Gateway Permissions to Cloud Backup.
