Back up and restore cluster applications using kubectl - Container Service for Kubernetes

If you cannot access the backup center from the Container Service for Kubernetes (ACK) console or need to automate disaster recovery and backup, you can use the kubectl command line. This lets you migrate applications between clusters by deploying custom resources (CRs) for backup repositories, application backups, and application restores in your backup and restore clusters.

Prerequisites

Install the migrate-controller backup service component and configure permissions

Scenarios

You cannot use the backup center from the ACK console due to permission issues.
You need to automate the disaster recovery and backup process.

Notes

You cannot delete backup and restore jobs using the kubectl delete command. For more information, see Step 4: Delete resources related to the backup center.
Monitor new releases of the migrate-controller component and update it to the latest version promptly. For more information, see Manage components.
Do not delete the configuration parameters in the following examples. Deleting these parameters may cause the backup or restore to fail.

Step 1: Create a backup repository

In both the backup cluster and the restore cluster, create a file named backuplocation.yaml that contains the following content.

apiVersion: csdr.alibabacloud.com/v1beta1
kind: BackupLocation
metadata:
  name: <yourBackuplocationName>
  namespace: csdr
spec:
  backupSyncPeriod: 0s
  config:
    network: internal
    region: cn-beijing
  objectStorage:
    bucket: <cnfs-oss-yourBucketName>
    prefix: <subDir>
  provider: alibabacloud

Retain the default configurations for the other parameters.

Parameter	Required	Description
name	Yes	The name of the backup repository. The name must follow Kubernetes naming conventions.
network	Yes	The network access mode for the Object Storage Service (OSS) Bucket. Valid values: internal: The internal network access mode. All associated clusters and the OSS Bucket must be in the same region. public: The public network access mode. There are no region restrictions.
region	Yes	The region where the OSS Bucket is located.
bucket	Yes	The name of the OSS Bucket. You must create the bucket in advance. The name must start with cnfs-oss-****.
prefix	No	The subdirectory in the OSS Bucket. If you set this parameter, the backup content is stored in this subdirectory.

Run the following command in both the backup cluster and the restore cluster to deploy the backuplocation object.
```
kubectl apply -f backuplocation.yaml
```
Run the following command in both the backup cluster and the restore cluster to check the status of the backuplocation object.
```
kubectl describe backuplocation <yourBackuplocationName> -n csdr
```
Expected output:
```
...
Status:
  Last Validation Time:  2022-12-08T04:00:22Z
  Message:               success by csdr-controller
  Phase:                 Available
```
The expected output shows that the status of the backup repository is Available. This status indicates that the cluster has the permissions required to access OSS.

Step 2: Create a backup job

Choose a backup type based on your scenario:

Application backup: Backs up a service that is running in the cluster. The backup includes cluster resources and the persistent volumes (PVs) that the service uses.
Data protection: Backs up PV data. The backup includes only persistent volume claims (PVCs) and PVs.

For more information, see Scenarios for application backup and data protection.

Application backup

Create an on-demand backup job

In the backup cluster, create a file named applicationbackup.yaml that contains the following content.

apiVersion: csdr.alibabacloud.com/v1beta1
kind: ApplicationBackup
metadata:
  annotations:
    csdr.alibabacloud.com/backuplocations: >-
      {"name":"<yourBackuplocationName>","region":"cn-beijing","bucket":"<cnfs-oss-yourBucketName>","prefix":"<subDir>","provider":"alibabacloud"}}
  name: <yourApplicationBackupName>
  namespace: csdr
spec:
  includedNamespaces:
    - default
  includedResources:
    - statefulset
  excludedResources:
    - deployment
  labelSelector:
    matchLabels:
      app: mysql-sts
  includeClusterResources: false 
  pvBackup:
    defaultPvBackup: false
  storageLocation: <yourBackuplocationName>
  ttl: 720h0m0s

Retain the default configurations for the other parameters.

Parameter	Required	Description
`csdr.alibabacloud.com/backuplocations`	Yes	Information about the backup repository where the backup is stored. This must be consistent with the backup repository configuration.
`name`	Yes	The name of the on-demand backup job.
`includedNamespaces`	Yes	Specifies the namespace name.
`includedResources`	No	Specifies the cluster resource type. Important To avoid unexpected backup results, configure only one of includedResources or excludedResources. If both are empty, all resource types are backed up.
`excludedResources`	No	Excludes the cluster resource type. Important To avoid unexpected backup results, configure only one of includedResources or excludedResources. If both are empty, all resource types are backed up.
`matchLabels`	No	Specifies labels. Only resources that match the labels are backed up.
`includeClusterResources`	No	Specify whether to back up all cluster-level resources, such as StorageClasses, CustomResourceDefinitions (CRDs), and webhooks. `true`: back up all cluster-level resources. `false`: back up only cluster-level resources used by namespace-level resources in the specified namespaces. For example, when the system backs up a pod, the service account used by the pod is assigned a cluster role. In this case, the cluster role is automatically backed up. When the system backs up a CustomResource (CR), the corresponding CRD is backed up. Note By default, `IncludeClusterResources` is set to `false` for backup tasks created in the ACK console.
`defaultPvBackup`		Specifies whether to back up PVs and enable data backup. Valid values: true: Backs up the application and PVs. false: Backs up only the application.
`storageLocation`	Yes	The name of the backup repository. Note If your cluster already uses Velero, join the DingTalk group (ID: 35532895) for assistance.
`ttl`	Yes	The retention period of the backup. This is the data storage period for the backup job. After this period expires, the data cannot be restored. The format is 720h0m0s. The value ranges from 24h0m0s to 1572864h0m0s.

Run the following command in the backup cluster to deploy the applicationbackup object.
```
kubectl apply -f applicationbackup.yaml
```

Run the following command in the backup cluster to check the status of the on-demand backup job.

kubectl describe applicationbackup <yourApplicationBackupName> -n csdr

Expected output:

...
Status:
  Completion Timestamp:  2022-12-05T15:02:35Z
  Expiration:            2023-01-04T15:02:25Z
  Message:               success
  Phase:                 Completed

The backup job is complete when its status changes from Inprogress to Completed.

Create a backup schedule

In the backup cluster, create a file named backupschedule.yaml that contains the following content.

apiVersion: csdr.alibabacloud.com/v1beta1
kind: BackupSchedule
metadata:
  annotations:
    csdr.alibabacloud.com/backuplocations: >-
      {"name":"<yourBackuplocationName>","region":"cn-beijing","bucket":"<cnfs-oss-yourBucketName>","prefix":"<subDir>","provider":"alibabacloud"}
  name: <yourBackupScheduleName>
  namespace: csdr
spec:
  schedule: 1 4 * * *
  template:
    includedNamespaces:
      - default
    includedResources:
      - statefulset
    excludedResources:
      - deployment
    labelSelector:
      matchLabels:
        app: mysql-sts
    includeClusterResources: false 
    pvBackup:
      defaultPvBackup: true
    storageLocation: <yourBackuplocationName>
    ttl: 720h0m0s

Retain the default configurations for the other parameters.

Parameter	Required	Description
csdr.alibabacloud.com/backuplocations	Yes	Information about the backup repository where the backup is stored. This must be consistent with the backup repository configuration.
name	Yes	The name of the backup schedule.
schedule	Yes	The backup cycle. Use a cron expression. For more information about the rules, see How do I specify a backup cycle when I create a backup plan?.
includedNamespaces	Yes	Specifies the namespace name.
includedResources	No	Specifies the cluster resource type. Important To avoid unexpected backup results, configure only one of includedResources or excludedResources. If both are empty, all resource types are backed up.
excludedResources	No	Excludes the cluster resource type. Important To avoid unexpected backup results, configure only one of includedResources or excludedResources. If both are empty, all resource types are backed up.
matchLabels	No	Specifies labels. Only resources that match the labels are backed up.
includeClusterResources	No	Specify whether to back up all cluster-level resources, such as StorageClasses, CustomResourceDefinitions (CRDs), and webhooks. `true`: back up all cluster-level resources. `false`: back up only cluster-level resources used by namespace-level resources in the specified namespaces. For example, when the system backs up a pod, the service account used by the pod is assigned a cluster role. In this case, the cluster role is automatically backed up. When the system backs up a CustomResource (CR), the corresponding CRD is backed up. Note By default, `IncludeClusterResources` is set to `false` for backup tasks created in the ACK console.
defaultPvBackup	Yes	Specifies whether to back up PVs and enable data backup. Valid values: true: Backs up the application and PVs. false: Backs up only the application.
storageLocation	Yes	The name of the backup repository. Note If your cluster already uses Velero, join the DingTalk group (ID: 35532895) for assistance.
ttl	Yes	The retention period of the backup. This is the data storage period for the backup job. After this period expires, the data cannot be restored. The format is 720h0m0s. The value ranges from 24h0m0s to 1572864h0m0s.

Run the following command in the backup cluster to deploy the backupschedule object.
```
kubectl apply -f backupschedule.yaml
```

Run the following command in the backup cluster to check the status of the backup schedule.

kubectl describe backupschedule <yourBackupScheduleName> -n csdr

Expected output:

...
Status:
  Last Backup:          2022-12-07T20:01:11Z
  Last Processed Time:  2022-12-08T13:05:37Z
  Phase:                Enabled

The backup schedule is successfully created when its status is Enabled.

Run the following command in the backup cluster to check the backups that are created periodically.

kubectl get applicationbackup -n csdr | grep <yourBackupScheduleName>

Expected output:

<yourBackupScheduleName>-20221205225845   2d22h
<yourBackupScheduleName>-20221206040104   2d17h
<yourBackupScheduleName>-20221207040137   41h
<yourBackupScheduleName>-20221208040111   17h

Data protection

Create an on-demand backup job

In the backup cluster, create a file named applicationbackup.yaml that contains the following content.

apiVersion: csdr.alibabacloud.com/v1beta1
kind: ApplicationBackup
metadata:
  annotations:
    csdr.alibabacloud.com/backuplocations: >-
      {"name":"<yourBackuplocationName>","region":"cn-beijing","bucket":"<cnfs-oss-yourBucketName>","prefix":"<subDir>","provider":"alibabacloud"}}
  name: <yourApplicationBackupName>
  namespace: csdr
spec:
  backupType: PvBackup # Fixed configuration
  includedNamespaces:
  - default
  pvBackup:
    # Specify volumes
    pvcList:
    - name: essd-pvc-0 
      namespace: default 
    - name: essd-pvc-1
      namespace: default
    # Specify volume types
    storageClassList:
    - disk-essd
    - disk-ssd
  storageLocation: <yourBackuplocationName>
  ttl: 720h0m0s

Parameter	Required	Description
`csdr.alibabacloud.com/backuplocations`	Yes	Information about the backup repository where the backup is stored. This must be consistent with the backup repository configuration.
`name`	Yes	The name of the on-demand backup job.
`includedNamespaces`	Yes	Specifies the namespace name.
`pvcList`	No	Specifies the PVCs that correspond to the PVs you want to back up. `name` is the name of the PVC. Important If you specify both `pvcList` and `storageClassList`, the `storageClassList` configuration does not take effect. If you specify neither `pvcList` nor `storageClassList`, all PVs in the specified namespace are backed up.
`storageClassList`	No	Specifies the type of PVs to back up. This is the name of the StorageClass.
`storageLocation`	Yes	The name of the backup repository. Note If your cluster already uses Velero, join the DingTalk group (ID: 35532895) for assistance.
`ttl`	Yes	The retention period of the backup. This is the data storage period for the backup job. After this period expires, the data cannot be restored. The format is 720h0m0s. The value ranges from 24h0m0s to 1572864h0m0s.

Run the following command in the backup cluster to deploy the applicationbackup object.
```
kubectl apply -f applicationbackup.yaml
```

Run the following command in the backup cluster to check the status of the on-demand backup job.

kubectl describe applicationbackup <yourApplicationBackupName> -n csdr

Expected output:

...
Status:
  Completion Timestamp:  2025-03-25T08:20:24Z
  Expiration:            2025-04-24T08:18:03Z
  Message:               success
  Phase:                 Completed

Create a backup schedule

In the backup cluster, create a file named backupschedule.yaml that contains the following content.

apiVersion: csdr.alibabacloud.com/v1beta1
kind: BackupSchedule
metadata:
  annotations:
    csdr.alibabacloud.com/backuplocations: >-
      {"name":"<yourBackuplocationName>","region":"cn-beijing","bucket":"<cnfs-oss-yourBucketName>","prefix":"<subDir>","provider":"alibabacloud"}
  name: <yourBackupScheduleName>
  namespace: csdr
spec:
  schedule: 1 4 * * *
  template:
    backupType: PvBackup # Fixed
    includedNamespaces:
    - default
    pvBackup:
      # Specify volumes
      pvcList:
      - name: essd-pvc-0 
        namespace: default
      - name: essd-pvc-1
        namespace: default
      # Specify volume types
      storageClassList:
      - disk-essd
      - disk-ssd
    storageLocation: <yourBackuplocationName>
    ttl: 720h0m0s

Parameter	Required	Description
`csdr.alibabacloud.com/backuplocations`	Yes	Information about the backup repository where the backup is stored. This must be consistent with the backup repository configuration.
`name`	Yes	The name of the on-demand backup job.
`schedule`	Yes	The backup cycle. Use a cron expression. For more information about the rules, see How do I specify a backup cycle when I create a backup plan?.
`includedNamespaces`	Yes	Specifies the namespace name.
`pvcList`	No	Specifies the PVCs that correspond to the PVs you want to back up. `name` is the name of the PVC. Important If you specify both `pvcList` and `storageClassList`, the `storageClassList` configuration does not take effect. If you specify neither `pvcList` nor `storageClassList`, all PVs in the specified namespace are backed up.
`storageClassList`	No	Specifies the type of PVs to back up. This is the name of the StorageClass.
`storageLocation`	Yes	The name of the backup repository. Note If your cluster already uses Velero, join the DingTalk group (ID: 35532895) for assistance.
`ttl`	Yes	The retention period of the backup. This is the data storage period for the backup job. After this period expires, the data cannot be restored. The format is 720h0m0s. The value ranges from 24h0m0s to 1572864h0m0s.

Run the following command in the backup cluster to deploy the backupschedule object.
```
kubectl apply -f backupschedule.yaml
```

You can run the following command in the backup cluster to check the status of the backup schedule.

kubectl describe backupschedule <yourBackupScheduleName> -n csdr

Expected output:

...
Status:
  Last Backup:  2025-03-25T09:24:38Z
  Phase:        Enabled

Step 3: Create a restore job

In the restore cluster, create a file named applicationrestore.yaml that contains the following content.

apiVersion: csdr.alibabacloud.com/v1beta1
kind: ApplicationRestore
metadata:
  annotations:    
    csdr.alibabacloud.com/backuplocations: >-
      {"name":"<yourBackuplocationName>","region":"cn-beijing","bucket":"<cnfs-oss-yourBucketName>","prefix":"<subDir>","provider":"alibabacloud"}
  name: <yourApplicationRestoreName>
  namespace: csdr
spec:
  appRestoreOnly: false
  preserveNodePorts: true
  includedNamespaces:
    - default
  includedResources:
    - statefulset
  excludedResources:
    - secret
  convertedarg:
  - convertToStorageClassType: alicloud-disk-topology-alltype
    convertToAccessModes:
    - ReadWriteOnce
    namespace: nas
    persistentVolumeClaim: pvc-nas
  - convertToStorageClassType: alicloud-disk-topology-alltype
    namespace: oss
    persistentVolumeClaim: pvc-oss
  backupName: <yourApplicationBackupName>
  namespaceMapping:
    <backupNamespace>: <restoreNamespace>
  imageRegistryMapping:
    <oldImageRegistry>: <newImageRegistry>

Retain the default configurations for the other parameters.

Note

The appRestoreOnly, preserveNodePorts, includedResources, and excludedResources parameters apply only to application backups. These parameters are ignored in data protection scenarios.

Parameter	Required	Description
csdr.alibabacloud.com/backuplocations	Yes	Information about the backup repository where the backup is stored. This must be consistent with the backup repository configuration.
name	Yes	The name of the restore job.
appRestoreOnly	No	This parameter is valid only for application backup jobs. It does not take effect for data protection jobs. For backups that include PVs, specifies whether to restore only the application and not the PVCs, PVs, and their corresponding data. Valid values: true: Restores only the application. To change the data source of the backed-up application, you can manually create the PVCs and PVs, then create a restore job and set this parameter to true. false: Restores the application and the related storage data. This is the default value.
preserveNodePorts	No	This parameter is valid only for application backup jobs. It does not take effect for data protection jobs. Specifies whether to keep the NodePort of the application. When the backup cluster and the restore cluster are the same, the default value is false. The port value is randomly changed to avoid conflicts with existing applications of the same type. Otherwise, set this to true.
includedNamespaces	Yes	Specifies the name of the namespace to restore. If you leave this empty, all backed-up namespaces are restored.
includedResources	No	This parameter is valid only for application backup jobs. It does not take effect for data protection jobs. Specifies the cluster resource types to restore. Important To avoid unexpected results, configure only one of includedResources or excludedResources. If both are empty, all backed-up resource types are restored.
excludedResources	No	This parameter is valid only for application backup jobs. It does not take effect for data protection jobs. Excludes the cluster resource types to restore. Important To avoid unexpected results, configure only one of includedResources or excludedResources. If both are empty, all backed-up resource types are restored.
backupName	Yes	The name of the backup to restore. If you use the scheduled backup feature, you must specify the name of a backup created at a specific point in time, such as <yourBackupScheduleName>-20221205225845.
namespaceMapping	No	Remaps the namespace. Valid values: <backupNamespace>: The namespace in the backup cluster that was specified when the backup job was created. <restoreNamespace>: The namespace in the restore cluster where the resources from the backup are created. If you do not set this, the resources are restored to a namespace with the same name by default. Note If <restoreNamespace> does not exist, a new namespace is created.
imageRegistryMapping	No	Remaps the image repository address. This applies to the image configurations of all applications that match the rule. Valid values: <oldImageRegistry>: The original image repository address of the application in the backup. <newImageRegistry>: The target image repository address for the restore. If you do not set this, the image configuration in the application is not changed. Example: The original application uses the image `registry.cn-beijing.aliyuncs.com/my-registry/nginx:v1`. You need to change it to `registry.cn-hangzhou.aliyuncs.com/my-registry/nginx:v1`. Configure the field as follows: `imageRegistryMapping: "registry.cn-beijing.aliyuncs.com/my-registry/": "registry.cn-hangzhou.aliyuncs.com/my-registry/"`
convertedarg	No	A list of StorageClass transformations. The PVCs of FileSystem data type volumes (such as OSS, NAS, CPFS, and local storage) in the backup are restored to the target StorageClass in the current cluster. This allows transformations, for example, from NAS storage to disk storage. convertToStorageClassType: The target StorageClass. It must exist in the current cluster. The current version only supports selecting a disk or NAS StorageClass. namespace: The namespace where the storage claim is located. persistentVolumeClaim: The name of the PVC. The preceding parameters are required for the StorageClass transformation feature. When transforming a StorageClass, you can also modify the AccessModes configuration of the PV using the following optional parameter. convertToAccessModes: A list of target AccessModes. Note When a PV with an AccessModes of ReadWriteMany or ReadOnlyMany needs to be restored to a disk StorageClass, you must also transform the AccessModes to ReadWriteOnce to avoid the risk of forced disk detachment. You can run `kubectl -ncsdr describe <backup-name>` to query the PVC information of the backup. In the `status.resourceList.dataResource.pvcBackupInfo` list of the output, the dataType field indicates the data type, which can be FileSystem or Snapshot. The nameSpace and pvcName fields are the namespace and name of the PVC, respectively.

Run the following command in the restore cluster to deploy the applicationrestore object.
```
kubectl apply -f applicationrestore.yaml
```

Run the following command in the restore cluster to check the status of the restore job.

kubectl describe applicationrestore <yourApplicationRestoreName> -n csdr

Expected output:

...
Status:
  Completion Timestamp:  2022-12-05T15:52:19Z
  Phase:                 Completed
  Start Timestamp:       2022-12-05T15:52:09Z

The restore job is complete when its status changes from Inprogress to Completed.

Step 4: Delete resources related to the backup center

Important

You cannot delete BackupLocation resources from the backup center. This is because the backup repository might be in use by other clusters.

Delete a backup schedule

Run the following command to delete the BackupSchedule resource and stop scheduled backups.

kubectl delete backupschedule <yourBackupSchedule> -n csdr

Delete a backup or restore job

In the cluster that contains the job you want to delete, create a file named deleterequest.yaml that contains the following content.

apiVersion: csdr.alibabacloud.com/v1beta1
kind: DeleteRequest
metadata:
  name: <objectName-dbr>
  namespace: csdr
spec:
  deleteObjectName: <objectName>
  deleteObjectType: "Backup"

Retain the default configurations for the other parameters.

Parameter	Required	Description
name	Yes	The name of the delete request. For a backup job: The name of the ApplicationBackup to be deleted, plus "-dbr". For a restore job: The name of the ApplicationRestore to be deleted, plus "-dbr".
deleteObjectName	Yes	The name of the resource to delete.
deleteObjectType	Yes	The type of resource to delete. Valid values: "Backup": Deletes the ApplicationBackup job and its associated resources. "Restore": Deletes the ApplicationRestore job and its associated resources. Note Deleting a backup job does not affect replicas that have been synchronized to the cluster. Deleting a restore job does not affect restored content.

Run the following command in the cluster that contains the job you want to delete to deploy the deleterequest object.
```
kubectl apply -f deleterequest.yaml
```
Use the following commands to check the resource status.
- Check the deleted backup job
  - Run the following command to check the status of the backup job deletion.
```
kubectl get applicationbackup <yourApplicationBackupName> -n csdr
```
    Expected output:
```
Error from server (NotFound): applicationbackups.csdr.alibabacloud.com "yourApplicationBackupName" not found
```
    An empty output indicates that the backup job resource has been deleted.
  - Run the following command to check the status of the delete request resource.
```
kubectl get deleterequest <yourApplicationBackupName-dbr> -n csdr
```
    Expected output:
```
Error from server (NotFound): deleterequests.csdr.alibabacloud.com "yourApplicationBackupName-dbr" not found
```
    The output shows that the backup job resource and its related delete request resources are automatically deleted.
- Check the deleted restore job
  - Run the following command to check the status of the deleted restore job.
```
kubectl get applicationrestore <yourApplicationRestoreName> -n csdr
```
    Expected output:
```
Error from server (NotFound): applicationrestores.csdr.alibabacloud.com "yourApplicationRestoreName" not found
```
    An empty output indicates that the restore job resource has been deleted.
  - Run the following command to check the status of the delete request resource.
```
kubectl get deleterequest <yourApplicationRestoreName-dbr> -n csdr
```
    Expected output:
```
Error from server (NotFound): deleterequests.csdr.alibabacloud.com "yourApplicationRestoreName-dbr" not found
```
    An empty output indicates that the related delete request resource is also automatically deleted.

References

To back up and migrate cluster applications from the console, see the following documents:
To migrate applications between clusters with different storage plug-ins or Kubernetes versions, see Migrate applications from a low-version Kubernetes cluster using the backup center.
Back up and restore applications using Terraform