Use kubectl to back up and restore applications - Container Service for Kubernetes

You can use kubectl when you cannot manage the backup center through the Container Service for Kubernetes (ACK) console or you want to automate backup and disaster recovery. By using kubectl, you can deploy BackupLocation, ApplicationBackup, and ApplicationRestore CustomResources (CRs) in the backup and restore clusters to migrate applications.

Prerequisites

Install the migrate-controller backup service component and configure permissions

Scenarios

You cannot manage the backup center in the Container Service for Kubernetes (ACK) console because you do not have the required permissions.
You want to automate the backup procedure.

Notes

You cannot delete backup and restore tasks by running the kubectl delete command. For more information, see Step 4: Delete resources related to the backup center.
Pay close attention to the new releases of the backup center component named migrate-controller and update the component to the latest version at your earliest convenience. For more information, see Manage components.
Do not delete the parameters in the following sample code to ensure the backup files can be restored.

Step 1: Create a backup vault

Use the following content to create a backuplocation.yaml file in the backup and restore clusters.

apiVersion: csdr.alibabacloud.com/v1beta1
kind: BackupLocation
metadata:
  name: <yourBackuplocationName>
  namespace: csdr
spec:
  backupSyncPeriod: 0s
  config:
    network: internal
    region: cn-beijing
  objectStorage:
    bucket: <cnfs-oss-yourBucketName>
    prefix: <subDir>
  provider: alibabacloud

The following table describes the parameters that you need to specify. Keep the default setting for other parameters.

Parameter	Required	Description
name	Yes	The name of the backup vault. The name must comply with the Kubernetes naming convention.
network	Yes	The network mode that is used to access the specified Object Storage Service (OSS) bucket. Valid values: internal: internal network. All associated clusters and the OSS bucket must be deployed in the same region. public: Internet. No region limit is imposed.
region	Yes	The region where the OSS bucket that you want to use is deployed.
bucket	Yes	The name of the OSS bucket. Make sure that the OSS bucket name exists and starts with cnfs-oss-.
prefix	No	The subdirectory in the OSS bucket. If you specify this parameter, backups are stored in the specified subdirectory.

Run the following command in the backup and restore clusters to deploy the backuplocation object.
```
kubectl apply -f backuplocation.yaml
```
Run the following command in the backup and restore clusters to check the status of the backuplocation object.
```
kubectl describe backuplocation <yourBackuplocationName> -n csdr
```
Expected result:
```
...
Status:
  Last Validation Time:  2022-12-08T04:00:22Z
  Message:               success by csdr-controller
  Phase:                 Available
```
The output indicates that the status of the created backup vault is Available. This indicates that the current cluster has the permissions to access the OSS bucket.

Step 2: Create a backup task

You can select one of the following backup types based on your business requirements:

Application Backup: backs up applications that run in the cluster, including cluster resources and the volumes that are used by the applications.
Data Protection: backs up volume data. The resources include only persistent volume claims (PVCs) and persistent volumes (PVs).

For more information, see Scenarios for application backup and data protection.

Application backup

Create a real-time backup task

Use the following content to create an applicationbackup.yaml file in the backup cluster.

apiVersion: csdr.alibabacloud.com/v1beta1
kind: ApplicationBackup
metadata:
  annotations:
    csdr.alibabacloud.com/backuplocations: >-
      {"name":"<yourBackuplocationName>","region":"cn-beijing","bucket":"<cnfs-oss-yourBucketName>","prefix":"<subDir>","provider":"alibabacloud"}}
  name: <yourApplicationBackupName>
  namespace: csdr
spec:
  includedNamespaces:
    - default
  includedResources:
    - statefulset
  excludedResources:
    - deployment
  labelSelector:
    matchLabels:
      app: mysql-sts
  includeClusterResources: false 
  pvBackup:
    defaultPvBackup: false
  storageLocation: <yourBackuplocationName>
  ttl: 720h0m0s

The following table describes the parameters that you need to specify. Keep the default setting for other parameters.

Parameter	Required	Description
`csdr.alibabacloud.com/backuplocations`	Yes	The backup vault that stores the backups. Make sure that the information is the same as the configuration of the backup vault.
`name`	Yes	The name of the real-time backup task.
`includedNamespaces`	Yes	The name of the namespace.
`includedResources`	No	The type of cluster resource to be included in the backup list. Important To avoid unexpected backup results, you need to configure only one of the includedResources and excludedResources parameters. If you leave both parameters empty, all resource types are backed up.
`excludedResources`	No	The type of cluster resource to be excluded from the backup list. Important To avoid unexpected backup results, you need to configure only one of the includedResources and excludedResources parameters. If you leave both parameters empty, all resource types are backed up.
`matchLabels`	No	The labels of the resources to be backed up.
`includeClusterResources`	No	Specify whether to back up all cluster-level resources, such as StorageClasses, CustomResourceDefinitions (CRDs), and webhooks. `true`: back up all cluster-level resources. `false`: back up only cluster-level resources used by namespace-level resources in the specified namespaces. For example, when the system backs up a pod, the service account used by the pod is assigned a cluster role. In this case, the cluster role is automatically backed up. When the system backs up a CustomResource (CR), the corresponding CRD is backed up. Note By default, `IncludeClusterResources` is set to `false` for backup tasks created in the ACK console.
`defaultPvBackup`		Specifies whether to back up volumes. Valid values: true: backs up applications and volumes. false: backs up only applications.
`storageLocation`	Yes	The name of the backup vault. Note If Velero is already used in your cluster, join the DingTalk group (ID: 35532895) for consultation.
`ttl`	Yes	The validity period of backups. You cannot restore data from expired backups. Specify the time period in the 720h0m0s format. Valid values: 24h0m0s to 1572864h0m0s.

Run the following command in the backup cluster to deploy the applicationbackup object.
```
kubectl apply -f applicationbackup.yaml
```

Run the following command in the backup cluster to query the status of the real-time backup task:

kubectl describe applicationbackup <yourApplicationBackupName> -n csdr

Expected result:

...
Status:
  Completion Timestamp:  2022-12-05T15:02:35Z
  Expiration:            2023-01-04T15:02:25Z
  Message:               success
  Phase:                 Completed

When the status of the real-time backup task changes from Inprogress to Completed, the real-time backup task is created.

Create a backup schedule

Use the following content to create a backupschedule.yaml file in the backup cluster.

apiVersion: csdr.alibabacloud.com/v1beta1
kind: BackupSchedule
metadata:
  annotations:
    csdr.alibabacloud.com/backuplocations: >-
      {"name":"<yourBackuplocationName>","region":"cn-beijing","bucket":"<cnfs-oss-yourBucketName>","prefix":"<subDir>","provider":"alibabacloud"}
  name: <yourBackupScheduleName>
  namespace: csdr
spec:
  schedule: 1 4 * * *
  template:
    includedNamespaces:
      - default
    includedResources:
      - statefulset
    excludedResources:
      - deployment
    labelSelector:
      matchLabels:
        app: mysql-sts
    includeClusterResources: false 
    pvBackup:
      defaultPvBackup: true
    storageLocation: <yourBackuplocationName>
    ttl: 720h0m0s

The following table describes the parameters that you need to specify. Keep the default setting for other parameters.

Parameter	Required	Description
csdr.alibabacloud.com/backuplocations	Yes	The backup vault that stores the backups. Make sure that the information is the same as the configuration of the backup vault.
name	Yes	The name of the scheduled backup task.
schedule	Yes	The cron expression that specifies the backup cycle. For more information about how to specify a cron expression, see How do I specify a backup cycle when I create a backup schedule?.
includedNamespaces	Yes	The name of the namespace.
includedResources	No	The type of cluster resource to be included in the backup list. Important To avoid unexpected backup results, you need to configure only one of the includedResources and excludedResources parameters. If you leave both parameters empty, all resource types are backed up.
excludedResources	No	The type of cluster resource to be excluded from the backup list. Important To avoid unexpected backup results, you need to configure only one of the includedResources and excludedResources parameters. If you leave both parameters empty, all resource types are backed up.
matchLabels	No	The labels of the resources to be backed up.
includeClusterResources	No	Specify whether to back up all cluster-level resources, such as StorageClasses, CustomResourceDefinitions (CRDs), and webhooks. `true`: back up all cluster-level resources. `false`: back up only cluster-level resources used by namespace-level resources in the specified namespaces. For example, when the system backs up a pod, the service account used by the pod is assigned a cluster role. In this case, the cluster role is automatically backed up. When the system backs up a CustomResource (CR), the corresponding CRD is backed up. Note By default, `IncludeClusterResources` is set to `false` for backup tasks created in the ACK console.
defaultPvBackup	Yes	Specifies whether to back up volumes. Valid values: true: backs up applications and volumes. false: backs up only applications.
storageLocation	Yes	The name of the backup vault. Note If Velero is already used in your cluster, join the DingTalk group (ID: 35532895) for consultation.
ttl	Yes	The validity period of backups. You cannot restore data from expired backups. Specify the time period in the 720h0m0s format. Valid values: 24h0m0s to 1572864h0m0s.

Run the following command in the backup cluster to deploy the backupschedule object.
```
kubectl apply -f backupschedule.yaml
```

Run the following command in the backup cluster to query the status of the scheduled backup task:

kubectl describe backupschedule <yourBackupScheduleName> -n csdr

Expected result:

...
Status:
  Last Backup:          2022-12-07T20:01:11Z
  Last Processed Time:  2022-12-08T13:05:37Z
  Phase:                Enabled

When the status of the backup schedule is Enabled, the backup schedule is created.

Run the following command in the backup cluster to view the backups that are created on a regular basis.

kubectl get applicationbackup -n csdr | grep <yourBackupScheduleName>

Expected result:

<yourBackupScheduleName>-20221205225845   2d22h
<yourBackupScheduleName>-20221206040104   2d17h
<yourBackupScheduleName>-20221207040137   41h
<yourBackupScheduleName>-20221208040111   17h

Data protection

Create a real-time backup task

Use the following content to create an applicationbackup.yaml file in the backup cluster.

apiVersion: csdr.alibabacloud.com/v1beta1
kind: ApplicationBackup
metadata:
  annotations:
    csdr.alibabacloud.com/backuplocations: >-
      {"name":"<yourBackuplocationName>","region":"cn-beijing","bucket":"<cnfs-oss-yourBucketName>","prefix":"<subDir>","provider":"alibabacloud"}}
  name: <yourApplicationBackupName>
  namespace: csdr
spec:
  backupType: PvBackup #Fixed configuration
  icludedNamespaces:
  - default
  pvBackup:
    # Specify volumes
    pvcList:
    - name: essd-pvc-0 
      namespace: default 
    - name: essd-pvc-1
      namespace: default
    # Specify volume types
    storageClassList:
    - disk-essd
    - disk-ssd
  storageLocation: <yourBackuplocationName>
  ttl: 720h0m0s

Parameter	Required	Description
`csdr.alibabacloud.com/backuplocations`	Yes	The backup vault that stores the backups. Make sure that the information is the same as the configuration of the backup vault.
`name`	Yes	The name of the real-time backup task.
`includedNamespaces`	Yes	The name of the namespace.
`pvcList`	No	The PVCs that correspond to the volumes that you want to back up. The `name` parameter specifies the name of the PVC. Important If both `pvcList` and `storageClassList` are specified, the `storageClassList` configuration becomes invalid. If neither `pvcList` nor `storageClassList` is specified, all volumes in the specified namespace are backed up.
`storageClassList`	No	The types of volumes that you want to back up, which are the names of StorageClasses.
`storageLocation`	Yes	The name of the backup vault. Note If Velero is already used in your cluster, join the DingTalk group (ID: 35532895) for consultation.
`ttl`	Yes	The validity period of backups. You cannot restore data from expired backups. Specify the time period in the 720h0m0s format. Valid values: 24h0m0s to 1572864h0m0s.

Run the following command in the backup cluster to deploy the applicationbackup object.
```
kubectl apply -f applicationbackup.yaml
```

Run the following command in the backup cluster to query the status of the real-time backup task:

kubectl describe applicationbackup <yourApplicationBackupName> -n csdr

Expected result:

...
Status:
  Completion Timestamp:  2025-03-25T08:20:24Z
  Expiration:            2025-04-24T08:18:03Z
  Message:               success
  Phase:                 Completed

Create a backup schedule

Use the following content to create a backupschedule.yaml file in the backup cluster.

apiVersion: csdr.alibabacloud.com/v1beta1
kind: BackupSchedule
metadata:
  annotations:
    csdr.alibabacloud.com/backuplocations: >-
      {"name":"<yourBackuplocationName>","region":"cn-beijing","bucket":"<cnfs-oss-yourBucketName>","prefix":"<subDir>","provider":"alibabacloud"}
  name: <yourBackupScheduleName>
  namespace: csdr
spec:
  schedule: 1 4 * * *
  template:
    backupType: PvBackup #Fixed
    icludedNamespaces:
    - default
    pvBackup:
      # Specify volumes
      pvcList:
      - name: essd-pvc-0 
        namespace: default
      - name: essd-pvc-1
        namespace: default
      # Specify volume types
      storageClassList:
      - disk-essd
      - disk-ssd
    storageLocation: <yourBackuplocationName>
    ttl: 720h0m0s

Parameter	Required	Description
`csdr.alibabacloud.com/backuplocations`	Yes	The backup vault that stores the backups. Make sure that the information is the same as the configuration of the backup vault.
`name`	Yes	The name of the real-time backup task.
`schedule`	Yes	The cron expression that specifies the backup cycle. For more information about how to specify a cron expression, see How do I specify a backup cycle when I create a backup schedule?.
`includedNamespaces`	Yes	The name of the namespace.
`pvcList`	No	The PVCs that correspond to the volumes that you want to back up. The `name` parameter specifies the name of the PVC. Important If both `pvcList` and `storageClassList` are specified, the `storageClassList` configuration becomes invalid. If neither `pvcList` nor `storageClassList` is specified, all volumes in the specified namespace are backed up.
`storageClassList`	No	The types of volumes that you want to back up, which are the names of StorageClasses.
`storageLocation`	Yes	The name of the backup vault. Note If Velero is already used in your cluster, join the DingTalk group (ID: 35532895) for consultation.
`ttl`	Yes	The validity period of backups. You cannot restore data from expired backups. Specify the time period in the 720h0m0s format. Valid values: 24h0m0s to 1572864h0m0s.

Run the following command in the backup cluster to deploy the backupschedule object.
```
kubectl apply -f backupschedule.yaml
```

Run the following command in the backup cluster to query the status of the scheduled backup task:

kubectl describe backupschedule <yourBackupScheduleName> -n csdr

Expected result:

...
Status:
  Last Backup:  2025-03-25T09:24:38Z
  Phase:        Enabled

Step 3: Create a restore task

Use the following content to create an applicationrestore.yaml file in the restore cluster.

apiVersion: csdr.alibabacloud.com/v1beta1
kind: ApplicationRestore
metadata:
  annotations:    
    csdr.alibabacloud.com/backuplocations: >-
      {"name":"<yourBackuplocationName>","region":"cn-beijing","bucket":"<cnfs-oss-yourBucketName>","prefix":"<subDir>","provider":"alibabacloud"}
  name: <yourApplicationRestoreName>
  namespace: csdr
spec:
  appRestoreOnly: false
  preserveNodePorts: true
  includedNamespaces:
    - default
  includedResources:
    - statefulset
  excludedResources:
    - secret
  convertedarg:
  - convertToStorageClassType: alicloud-disk-topology-alltype
    convertToAccessModes:
    - ReadWriteOnce
    namespace: nas
    persistentVolumeClaim: pvc-nas
  - convertToStorageClassType: alicloud-disk-topology-alltype
    namespace: oss
    persistentVolumeClaim: pvc-oss
  backupName: <yourApplicationBackupName>
  namespaceMapping:
    <backupNamespace>: <restoreNamespace>
  imageRegistryMapping:
    <oldImageRegistry>: <newImageRegistry>

The following table describes the parameters that you need to specify. Keep the default setting for other parameters.

Note

The appRestoreOnly, preserveNodePorts, includedResources, and excludedResources parameters are supported only for application backup. These parameters do not take effect in data protection scenarios.

Parameter	Required	Description
csdr.alibabacloud.com/backuplocations	Yes	The backup vault that stores the backups. Make sure that the information is the same as the configuration of the backup vault.
name	Yes	The name of the restore job.
appRestoreOnly	No	This parameter takes effect only for application backup tasks, not for data protection tasks. Specifies whether to restore only applications from backups that contain volume data. Persistent volume claims (PVCs), persistent volumes (PVs), and the relevant data are not restored. Valid values: true: restores only applications. If you want to change the data source where you back up applications, you need to manually create a PVC and PV, create a restore task, and then set this parameter to true. false: restores applications and the relevant volume data. Default value: false.
preserveNodePorts	No	This parameter takes effect only for application backup tasks, not for data protection tasks. Specifies whether to retain the NodePort of the application. If the backup cluster and restore cluster use the same NodePort, set this parameter to false to change the NodePort to a random port. In other scenarios, set the parameter to true.
includedNamespaces	Yes	The name of the namespace to be restored. If you leave this parameter empty, all namespaces that have been backed up are restored.
includedResources	No	This parameter takes effect only for application backup tasks, not for data protection tasks. The type of cluster resource to be included in the restore list. Important To avoid unexpected backup results, you need to configure only one of the includedResources and excludedResources parameters. If you leave both parameters empty, all resourcetypes are restored.
excludedResources	No	This parameter takes effect only for application backup tasks, not for data protection tasks. The type of cluster resource to be excluded from the restore list. Important To avoid unexpected backup results, you need to configure only one of the includedResources and excludedResources parameters. If you leave both parameters empty, all resourcetypes are restored.
backupName	Yes	The name of the backup to be restored. If you use the scheduled backup feature, you need to specify the name of a backup that is created at a specific point in time, such as <yourBackupScheduleName>-20221205225845.
namespaceMapping	No	This parameter maps the namespace in the backup cluster to a namespace in the restore cluster. Valid values: <backupNamespace>: the namespace in the backup cluster that is specified when you create the backup task. <restoreNamespace>: the namespace in the restore cluster to which the resources are restored. If you do not specify this parameter, the resources are restored to a namespace that uses the same name as the namespace in the backup cluster. Note If <restoreNamespace> does not exist, the system automatically creates one.
imageRegistryMapping	No	Redefines the image repository address. This parameter applies to all image configurations of applications that match the rule. Valid values: <oldImageRegistry>: the original image repository address of the application in the backup. <newImageRegistry>: the destination image repository address for restoration. If you do not set this parameter, the image configuration of the application remains unchanged. Example: The image used by the application in the original cluster is `registry.cn-beijing.aliyuncs.com/my-registry/nginx:v1`, and you want to change it to `registry.cn-hangzhou.aliyuncs.com/my-registry/nginx:v1`. Configure this field as follows: `namespaceMapping: "registry.cn-beijing.aliyuncs.com/my-registry/": "registry.cn-beijing.aliyuncs.com/my-registry/"`
convertedarg	No	The list of StorageClass conversions. For volumes of the FileSystem type, such as OSS, NAS, CPFS, and local volumes, you can configure this parameter to convert the StorageClasses of their PVCs to the specified StorageClass during the restoration process. For example, you can convert NAS volumes to disk volumes. convertToStorageClassType: the desired StorageClass. Make sure that the StorageClass exists in the current cluster. You can specify only the disk or NAS StorageClass. namespace: the namespace of the PVC. persistentVolumeClaim: the name of the PVC. These are the required parameters for the StorageClass conversion feature. When you convert the StorageClass, you can also use the following optional parameter to modify the AccessModes configuration of the volume. convertToAccessModes: the list of target AccessModes. Note When you restore volumes whose AccessModes are ReadWriteMany or ReadOnlyMany to disk StorageClasses, you must also convert the AccessModes to ReadWriteOnce to avoid the risk of forced disk detachment. You can run the `kubectl -ncsdr describe <backup-name>` command to query the PVC information in the backup. In the output, the `status.resourceList.dataResource.pvcBackupInfo` list contains the dataType field, which can be FileSystem or Snapshot. The nameSpace and pvcName fields specify the namespace and name of the PVC.

Run the following command in the restore cluster to deploy the applicationrestore object.
```
kubectl apply -f applicationrestore.yaml
```

Run the following command in the restore cluster to query the status of the restore task:

kubectl describe applicationrestore <yourApplicationRestoreName> -n csdr

Expected result:

...
Status:
  Completion Timestamp:  2022-12-05T15:52:19Z
  Phase:                 Completed
  Start Timestamp:       2022-12-05T15:52:09Z

When the status of the restore task changes from Inprogress to Completed, the restore task is created.

Step 4: Delete resources related to the backup center

Important

Other clusters may also use the backup vault that you created. Therefore, the backup center does not allow you to delete the BackupLocation object.

Delete a backup schedule

Run the following command to delete the BackupSchedule resource of the backup schedule to stop the backup schedule.

kubectl delete backupschedule <yourBackupSchedule> - ncsdr

Delete a backup task or restore task

Use the following content to create a deleterequest.yaml file in the cluster where you want to delete the task.

apiVersion: csdr.alibabacloud.com/v1beta1
kind: DeleteRequest
metadata:
  name: <objectName-dbr>
  namespace: csdr
spec:
  deleteObjectName: <objectName>
  deleteObjectType: "Backup"

The following table describes the parameters that you need to specify. Keep the default setting for other parameters.

Parameter	Required	Description
name	Yes	The name of the request. To delete a backup task, specify the request name in the following format: ApplicationBackup name of the backup task+"-dbr". To delete a restore task, specify the request name in the following format: ApplicationRestore name of the restore task+"-dbr".
deleteObjectName	Yes	The name of the resource to be deleted.
deleteObjectType	Yes	The type of resource to be deleted. Valid values: "Backup": deletes the ApplicationBackup resource of the backup task and the related resources. "Restore": deletes the ApplicationRestore resource of the restore task and the related resources. Note Deleting backup tasks does not affect the backups that are created in the cluster. Deleting restore tasks does not affect the data that is restored.

Run the following command in the cluster where you want to delete the task to deploy the deleterequest request.
```
kubectl apply -f deleterequest.yaml
```
Run the following commands to check the resource status:
- Check The Deleted Backup Task
  - Run the following command to query the status of the backup task:
```
kubectl get applicationbackup <yourApplicationBackupName> -n csdr
```
    Expected result:
```
Error from server (NotFound): applicationbackups.csdr.alibabacloud.com "yourApplicationBackupName" not found
```
    The output indicates that the backup task resources are deleted.
  - Run the following command to query the status of the deleterequest resources:
```
kubectl get deleterequest <yourApplicationBackupName-dbr> -n csdr
```
    Expected result:
```
Error from server (NotFound): deleterequests.csdr.alibabacloud.com "yourApplicationBackupName-dbr" not found
```
    The output indicates that the deleterequest resources are also deleted.
- Check The Deleted Restore Task
  - Run the following command to query the status of the restore task:
```
kubectl get applicationrestore <yourApplicationRestoreName> -n csdr
```
    Expected result:
```
Error from server (NotFound): applicationrestores.csdr.alibabacloud.com "yourApplicationRestoreName" not found
```
    The output indicates that the restore task resources are deleted.
  - Run the following command to query the status of the deleterequest resources:
```
kubectl get deleterequest <yourApplicationRestoreName-dbr> -n csdr
```
    Expected result:
```
Error from server (NotFound): deleterequests.csdr.alibabacloud.com "yourApplicationRestoreName-dbr" not found
```
    The output indicates that the deleterequest resources are also deleted.

References

For more information about how to back up and migrate applications in the console, see the following topics:
For more information about how to migrate applications across storage plug-ins and across clusters of different versions, see Use the backup center to migrate applications from earlier Kubernetes versions.
Use Terraform to back up and restore applications