Container Service for Kubernetes:Install migrate-controller and grant permissions

Last Updated:Apr 24, 2024

The backup center can be used to back up, restore, and migrate applications. To use these features for disaster recovery and application migration in multi-cluster and colocation environments, you must install the migrate-controller component and grant the relevant permissions.

Prerequisites

  • Cloud Backup is activated. For more information, see Billing methods and billable items.

    Cloud Backup is used to back up volumes that use Object Storage Service (OSS) buckets, Apsara File Storage NAS (NAS) file systems, Cloud Parallel File Storage (CPFS) file systems, or local disks, and to back up volumes in hybrid cloud scenarios. Before you use Cloud Backup, you must activate Cloud Backup and grant permissions. For more information about how to grant permissions to different types of clusters, see the following section.

  • A Container Service for Kubernetes (ACK) cluster is created. For more information, see Create an ACK managed cluster, Create an ACK dedicated cluster, Create an ACK Serverless cluster, Create an ACK Edge cluster, or Create a registered cluster in the ACK console.

    Important

    The backup center feature supports only ACK clusters that run Kubernetes 1.18 or later versions. If the Kubernetes version of your cluster is earlier than 1.18, you must update the Kubernetes version. For more information, see Update the Kubernetes version of an ACK cluster.

  • OSS is activated. For more information, see Billing overview.

    The backup center feature can store application backups only in OSS buckets. Before you can store application backups in OSS buckets, you must grant OSS permissions to your cluster. For more information about how to grant OSS permissions to different types of clusters, see the following section.

  • ECS Snapshot is activated.

    • No fee is charged for activating the Elastic Compute Service (ECS) Snapshot service. After you create snapshots, you are charged for the snapshots based on their size and retention period. For more information, see Snapshots.

    • If you want to use ECS Snapshot to back up volumes that use Alibaba Cloud disks, you need to enable ECS Snapshot and grant permissions. For more information about how to grant snapshot permissions to different types of clusters, see the following section.

  • If you use an ACK managed cluster, you must create an OSS bucket named cnfs-oss-****. Example: cnfs-oss-backup.

  • A kubectl client is connected to the cluster.

  • The backup center feature does not support clusters that use FlexVolume. If your cluster uses FlexVolume, you must upgrade from FlexVolume to Container Storage Interface (CSI) before you can use the backup center feature.

Background information

A growing number of applications run on Kubernetes, which makes periodic application backups important. The backup center lets you restore applications that cannot recover on their own after a prolonged disruption. Traditional backup solutions include single-server backups and disk backups; application backups go further and capture the application together with its data, resource objects, configurations, and namespaces.

Usage notes

  • If you use the backup center feature in ACK Serverless Pro clusters and ACK Edge clusters, the requirements for installation and permission configuration are the same as those for ACK managed clusters. For more information, see Install migrate-controller in an ACK managed cluster and grant permissions.

    ACK Serverless Basic clusters are not supported.

  • If you use the backup center feature in ACK Serverless Pro clusters or ACK Edge clusters, you cannot back up volumes.

  • In an ACK Edge cluster, the migrate-controller component is installed on an on-cloud node by default and accesses OSS over the internal network.

ACK managed cluster

Step 1: Install migrate-controller

Note

If this is the first time you use the backup center feature, you must install migrate-controller. If migrate-controller is already installed, skip this step.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Operations > Application Backup in the left-side navigation pane.

  3. On the Application Backup page, click Install.

    The system will automatically search for backup vaults. If you do not have a backup vault, create one first. For more information, see Create a backup vault.

    • If the csdr namespace does not exist, the system automatically creates a namespace named csdr when the system installs the component. Do not delete this namespace when you back up applications.

    • If you have already installed migrate-controller but the migrate-controller version is not up-to-date, click Upgrade on the Application Backup page. The system will automatically update migrate-controller to the latest version.

Step 2: Grant related permissions

  • Grant OSS permissions

    Make sure that the name of the OSS bucket used as a backup vault by the ACK managed cluster starts with cnfs-oss-***. In this scenario, you do not need to grant OSS permissions.

  • Grant ECS Snapshot and Cloud Backup permissions

    You do not need to grant ECS Snapshot and Cloud Backup permissions if your cluster is an ACK managed cluster.

ACK dedicated cluster

Step 1: Grant related permissions

Important

migrate-controller 1.7.7 and later versions support cross-region restoration of Alibaba Cloud disks. If you want to use this feature, grant the RAM user the ECS Snapshot permissions based on the following custom policy template.

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create the following custom policy. For more information, see Create a custom policy on the JSON tab.

    In the following policy, oss:**** indicates OSS permissions, ecs:**** indicates ECS Snapshot permissions, and hbr:**** indicates Cloud Backup permissions.


    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2"
          ],
          "Resource": "*"
        }
      ]
    }

    The preceding policy grants permissions on all OSS buckets. To grant read and write permissions on one specific OSS bucket only, modify the custom policy based on the following template. Replace mybackups with the name of your OSS bucket. For more information about how to grant fine-grained OSS permissions, see Use RAM to manage OSS permissions.


    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": [
            "acs:oss:*:*:mybackups",
            "acs:oss:*:*:mybackups/*"
          ],
          "Effect": "Allow"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2"
          ],
          "Resource": "*"
        }
      ]
    }
  3. Attach the preceding custom policy to the RAM user. For more information, see Grant permissions to a RAM user.

  4. Create an AccessKey pair for the RAM user. For more information, see Create an AccessKey pair.

  5. Create a Secret in an ACK dedicated cluster.

    To ensure that the AccessKey pair is used only within your cluster, you need to create a Secret named alibaba-addon-secret in the cluster to store the AccessKey pair. This reduces the risk of information leakage.

    1. Run the following command to create a namespace named csdr:

      kubectl create ns csdr
    2. Run the following command to create a Secret named alibaba-addon-secret:

      kubectl -n csdr create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'

      Replace <your AccessKey ID> and <your AccessKey Secret> with the AccessKey pair that you obtained in the preceding step.

Step 2: Install migrate-controller

Install migrate-controller. For more information, see Step 1: Install migrate-controller.

Registered cluster

Important

migrate-controller 1.7.7 and later versions support cross-region restoration of Alibaba Cloud disks. If you want to use this feature, update onectl to 1.1.0 and run the onectl ram-user revoke --addon migrate-controller command to grant the RAM user the ECS Snapshot permissions.

Use onectl to install migrate-controller and grant permissions (recommended)

  1. Install onectl on your on-premises machine. For more information, see Use onectl to manage registered clusters.

  2. Run the following command to grant RAM permissions to migrate-controller:

    onectl ram-user grant --addon migrate-controller

    Expected output:

    Ram policy ack-one-registered-cluster-policy-migrate-controller granted to ram user ack-one-user-ce313528c3 successfully.
  3. Run the following command to install migrate-controller:

    onectl addon install migrate-controller

    Expected output:

    Addon migrate-controller, version **** installed.

    onectl grants permissions on all OSS buckets that belong to your Alibaba Cloud account. If you want to grant permissions on specified OSS buckets, perform the following operation to modify the OSS permissions granted by onectl. You can also manually install migrate-controller and grant permissions. For more information, see Manually install migrate-controller and grant permissions.

    Modify OSS permissions: Modify the custom policy based on the following content. For more information about how to modify a policy, see Modify the document and description of a custom policy.

    Note

    Replace mybackups with the name of your OSS bucket. For more information about how to grant fine-grained OSS permissions, see Use RAM to manage OSS permissions.


    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": [
            "acs:oss:*:*:mybackups",
            "acs:oss:*:*:mybackups/*"
          ],
          "Effect": "Allow"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2"
          ],
          "Resource": "*"
        }
      ]
    }
  4. Create routes that point to the internal network of the region where the registered cluster and OSS bucket reside (optional)

    If the registered cluster is connected to a virtual private cloud (VPC) through Cloud Enterprise Network (CEN), Express Connect, or VPN, and the cluster resides in the same region as the OSS bucket, the backup center accesses the internal endpoint of the OSS bucket by default to increase download speeds. Therefore, you must create routes that point to the internal network of the region where the OSS bucket resides.

Use the console to install migrate-controller and grant permissions

Step 1: Grant related permissions

You need to create a RAM user for the registered cluster, grant the RAM user the permissions to access cloud resources, and then create an AccessKey pair for the RAM user.

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create the following custom policy. For more information, see Create a custom policy on the JSON tab.

    In the following policy, oss:**** indicates OSS permissions, ecs:**** indicates ECS Snapshot permissions, and hbr:**** indicates Cloud Backup permissions.


    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2"
          ],
          "Resource": "*"
        }
      ]
    }

    The preceding policy grants permissions on all OSS buckets. To grant read and write permissions on one specific OSS bucket only, modify the custom policy based on the following template. Replace mybackups with the name of your OSS bucket. For more information about how to grant fine-grained OSS permissions, see Use RAM to manage OSS permissions.


    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": [
            "acs:oss:*:*:mybackups",
            "acs:oss:*:*:mybackups/*"
          ],
          "Effect": "Allow"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2"
          ],
          "Resource": "*"
        }
      ]
    }
  3. Attach the custom policy to the RAM user. For more information, see Grant permissions to a RAM user.

  4. Create an AccessKey pair for the RAM user. For more information, see Create an AccessKey pair.

  5. Create a Secret in the cluster.

    To ensure that the AccessKey pair is used only within your cluster, you need to create a Secret named alibaba-addon-secret in the cluster to store the AccessKey pair. This reduces the risk of information leakage.

    1. Run the following command to create a namespace named csdr:

      kubectl create ns csdr
    2. Run the following command to create a Secret named alibaba-addon-secret:

      kubectl -n csdr create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'

      Replace <your AccessKey ID> and <your AccessKey Secret> with the AccessKey pair that you obtained in the preceding step.
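As an added example (not part of the ACK documentation or the migrate-controller project), the following Python script applies the least-privilege change described in Step 2 for both the ACK dedicated cluster and the registered cluster: it rewrites the broad template so that the OSS statement names the backup bucket, and it lints a policy for wildcard actions and for OSS actions that are still allowed on every bucket. The policy embedded in the script is a constructed, shortened copy of the page's template.

```python
"""Check and scope a RAM custom policy for the migrate-controller add-on.

Added example, not part of the ACK documentation. It implements the
least-privilege point made on this page: the OSS statement should name the
backup bucket instead of "Resource": "*", using the resource pair
acs:oss:*:*:<bucket> and acs:oss:*:*:<bucket>/*.
"""
import copy
import json

# Constructed sample: the page's broad template with shortened action lists.
BROAD_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["oss:PutObject", "oss:GetObject", "oss:ListObjects"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ecs:CreateSnapshot", "ecs:DescribeSnapshots"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["hbr:CreateVault", "hbr:CreateBackupJob"]},
    ],
}


def _as_list(value):
    """RAM accepts either a bare string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def bucket_resources(bucket: str) -> list[str]:
    """The two ARNs that limit OSS actions to one bucket and its objects."""
    return [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"]


def scope_oss_to_bucket(policy: dict, bucket: str) -> dict:
    """Return a copy of the policy whose OSS statements name only `bucket`."""
    scoped = copy.deepcopy(policy)
    for stmt in scoped.get("Statement", []):
        if any(a.startswith("oss:") for a in _as_list(stmt.get("Action"))):
            stmt["Resource"] = bucket_resources(bucket)
    return scoped


def lint_policy(policy: dict, bucket: str) -> list[str]:
    """Return findings for the policy; an empty list means it passes."""
    findings = []
    expected = set(bucket_resources(bucket))
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = set(_as_list(stmt.get("Resource")))
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {a!r}")
        if any(a.startswith("oss:") for a in actions):
            if "*" in resources:
                findings.append(f"statement {i}: OSS actions allowed on every bucket")
            elif resources != expected:
                findings.append(f"statement {i}: OSS resources are not the {bucket!r} pair")
    return findings


if __name__ == "__main__":
    scoped = scope_oss_to_bucket(BROAD_POLICY, "mybackups")
    print(json.dumps(scoped, indent=2))
    print("broad :", lint_policy(BROAD_POLICY, "mybackups"))
    print("scoped:", lint_policy(scoped, "mybackups"))
```

Run the linter against the policy document before you attach it to the RAM user; the ECS and Cloud Backup statements keep the page's `"Resource": "*"` and are not flagged.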

Step 2: Install migrate-controller

Install migrate-controller. For more information, see Step 1: Install migrate-controller.

Step 3 (optional): Create routes that point to the internal network of the region where the registered cluster and OSS bucket reside

If the registered cluster is connected to a VPC through CEN, Express Connect, or VPN, and the cluster resides in the same region as the OSS bucket, the backup center accesses the internal endpoint of the OSS bucket by default to increase download speeds. Therefore, you must create routes that point to the internal network of the region where the OSS bucket resides.