The backup center feature of Container Service for Kubernetes (ACK) provides an all-in-one solution for you to back up, restore, and migrate both stateless and stateful applications deployed in ACK clusters. This solution meets the data redundancy and migration needs of stateful applications deployed across multiple clusters in a hybrid cloud environment. This topic describes how to enable cluster backup and grant required permissions to ACK dedicated clusters and registered clusters.

Prerequisites

Background information

A growing number of applications run on Kubernetes, which makes periodic application backups important. If an application is disrupted for a long period of time and cannot be recovered in place, you can use the backup center to restore it from a backup. Traditional backup solutions, such as single-server backups and disk backups, capture machines or volumes. Application backups instead capture the application together with its data, Kubernetes resource objects, configurations, and namespaces.

Step 1: Install the application backup component

Note If this is the first time you use the backup center feature, you must install the application backup component. If the component is installed, skip this step.
  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
  4. In the left-side navigation pane of the details page, choose Operations > Application Backup.
  5. On the Application Backup page, click Install.
    Note If the csdr namespace does not exist, the system automatically creates a namespace named csdr when the system installs the component. Do not delete this namespace when you back up applications.
    After the component is installed, the Application Backup page shows the installed component. [Figure: Application backup component]

Step 2 (optional): Grant OSS permissions to an ACK dedicated cluster

The backup center stores application backups only in Object Storage Service (OSS) buckets, so the cluster must be granted OSS permissions before it can write backups to a bucket.

If you use an existing ACK dedicated cluster, you must perform the following operations to grant OSS permissions to the cluster. If you use a newly created ACK cluster, you do not need to perform the following operations.

  1. Create a custom permission policy that is used to access OSS. For more information, see Create a custom policy.
    Note For more information about how to configure fine-grained access to OSS, see Use RAM to manage OSS permissions.

    To grant full OSS permissions, create a permission policy based on the following template. Because Resource is "*", this policy covers every OSS bucket in the account; prefer the bucket-scoped template that follows unless the cluster must write to buckets that are not known in advance:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "oss:PutObject",
                    "oss:GetObject",
                    "oss:DeleteObject",
                    "oss:GetBucket",
                    "oss:ListObjects",
                    "oss:ListBuckets"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }
    To grant only read and write permissions on a specified OSS bucket, create a permission policy based on the following template:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "oss:PutObject",
                    "oss:GetObject",
                    "oss:DeleteObject",
                    "oss:GetBucket",
                    "oss:ListObjects",
                    "oss:ListBuckets"
                ],
                "Resource": [
                    "acs:oss:*:*:mybackups",
                    "acs:oss:*:*:mybackups/*"
                ],
                "Effect": "Allow"
            }
        ]
    }
    Replace mybackups with the name of the OSS bucket that you want to use.
  2. Grant permissions to the Resource Access Management (RAM) role of the cluster.
    1. Log on to the ACK console.
    2. In the left-side navigation pane of the ACK console, click Clusters.
    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
    4. On the details page of the cluster, click the Cluster Resources tab and note the name of the worker RAM role of the cluster.
    5. Log on to the RAM console.
    6. In the left-side navigation pane, click Grants.
    7. On the Grants page, click Grant Permission. In the Add Permissions panel, set the following parameters and click OK.
      Parameter: Description
      Authorized Scope: Valid values are Alibaba Cloud Account and Specific Resource Group.
      Principal: Enter the worker RAM role that you noted in the previous substep.
      Select Policy: Click Custom Policy, enter the name of the permission policy that you created in the first substep of this step, and then click the name of the policy.
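The following Python script is an added example; it is not part of the ACK documentation or of the backup component. It generates the bucket-scoped policy from the second template above for a given bucket name, and lints a policy document for the two things to check before attaching it to the worker RAM role: a Resource that covers every bucket in the account, and Allow actions outside the set the backup component needs. The action set is copied from the templates above; the finding messages and the function names are this example's own.

```python
"""Generate and lint the OSS RAM policy used by the ACK backup center.

Added example; it is not part of the ACK documentation or the backup
component. It builds the bucket-scoped policy from the template above for
a given bucket name and checks a policy document for a Resource that
covers every bucket in the account and for Allow actions outside the set
the backup component needs.
"""
import json

# OSS actions required by the backup component, copied from the templates above.
REQUIRED_ACTIONS = frozenset({
    "oss:PutObject", "oss:GetObject", "oss:DeleteObject",
    "oss:GetBucket", "oss:ListObjects", "oss:ListBuckets",
})

# The "full OSS permissions" template from the page, kept here so it can be linted.
FULL_ACCESS_POLICY = {
    "Version": "1",
    "Statement": [{"Action": sorted(REQUIRED_ACTIONS), "Resource": ["*"], "Effect": "Allow"}],
}


def bucket_scoped_policy(bucket: str) -> dict:
    """Return the read/write policy limited to one bucket (the second template above)."""
    if not bucket or any(c in bucket for c in "*/?"):
        raise ValueError("bucket must be a concrete bucket name, not a pattern")
    return {
        "Version": "1",
        "Statement": [{
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"],
            "Effect": "Allow",
        }],
    }


def _as_list(value):
    """RAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(policy: dict, allowed_actions=REQUIRED_ACTIONS) -> list:
    """Return findings for a policy; an empty list means it is as tight as the scoped template."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action")):
            if action.endswith("*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in allowed_actions:
                findings.append(f"statement {i}: action {action!r} is not needed by the backup component")
        for resource in _as_list(stmt.get("Resource")):
            # "*" and "acs:oss:*:*:*" both match every bucket in the account.
            if resource == "*" or resource.endswith(":*"):
                findings.append(f"statement {i}: resource {resource!r} covers every OSS bucket")
    return findings


if __name__ == "__main__":
    print(json.dumps(bucket_scoped_policy("mybackups"), indent=4))
    for finding in lint_policy(FULL_ACCESS_POLICY):
        print("finding:", finding)
```

Run the script to print a policy you can paste into the RAM console for the bucket you chose, or call lint_policy() on a policy exported from RAM before attaching it; the allowed_actions parameter can be replaced with a different allowlist when reviewing a policy for another service.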

Step 3 (optional): Grant OSS permissions to a registered cluster

If your applications are deployed in a registered cluster, you must create a RAM user for the cluster, grant the RAM user the permissions to access cloud resources, and then create an AccessKey pair for the RAM user.

  1. Create a RAM user. For more information, see Create a RAM user.
  2. Create a custom permission policy that is used to access OSS. For more information, see the first substep of Step 2.
  3. Attach the permission policy to the RAM user. For more information, see Grant permissions to a RAM user.
  4. Create an AccessKey pair for the RAM user. For more information, see Obtain an AccessKey pair.
  5. Create a Secret in the registered cluster.

    Store the AccessKey pair in the cluster as a Secret named alibaba-addon-secret so that the backup component reads it from within the registered cluster and the credentials do not have to be distributed anywhere else. This reduces the risk of information leakage. Note that Kubernetes stores Secret data only base64-encoded, not encrypted, so also restrict who can read Secrets in the csdr namespace.

    1. Run the following command to create a namespace named csdr:
      kubectl create ns csdr
    2. Run the following command to create a Secret named alibaba-addon-secret:
      kubectl -n csdr create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'

      Replace <your AccessKey ID> and <your AccessKey Secret> with the AccessKey ID and AccessKey secret that you obtained in the previous step. Because the values are passed on the command line, they can be recorded in your shell history; clear that history entry afterwards, or create the Secret from files with --from-file instead of --from-literal.
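The following Python script is an added example; it is not part of the ACK documentation or of the backup component. Instead of passing the AccessKey pair as kubectl arguments, where it lands in shell history and in the process list, it reads the pair from environment variables, emits a Secret manifest that can be piped to `kubectl apply -f -`, and checks a Secret object as returned by `kubectl get secret -n csdr alibaba-addon-secret -o json` for the namespace, name and key names the component expects. The namespace, Secret name and key names come from the steps above; the environment variable names ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET are an assumption of this example.

```python
"""Build and check the alibaba-addon-secret Secret for a registered cluster.

Added example; it is not part of the ACK documentation or the backup
component. It builds the Secret manifest from environment variables
(variable names are this example's choice) and checks a Secret fetched
from the cluster for the namespace, name and key names used above.
"""
import base64
import json
import os

NAMESPACE = "csdr"
SECRET_NAME = "alibaba-addon-secret"
REQUIRED_KEYS = ("access-key-id", "access-key-secret")


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def build_secret_manifest(access_key_id: str, access_key_secret: str) -> dict:
    """Return the Secret manifest; data is base64-encoded, which is encoding, not encryption."""
    if not access_key_id.strip() or not access_key_secret.strip():
        raise ValueError("AccessKey ID and AccessKey secret must both be non-empty")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": SECRET_NAME, "namespace": NAMESPACE},
        "data": {
            "access-key-id": _b64(access_key_id),
            "access-key-secret": _b64(access_key_secret),
        },
    }


def manifest_from_env() -> dict:
    """Read the AccessKey pair from the environment (assumed variable names, not from the page)."""
    return build_secret_manifest(
        os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"],
        os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"],
    )


def decode_data(secret: dict) -> dict:
    """Return the Secret's data values decoded back to strings."""
    return {
        key: base64.b64decode(value, validate=True).decode("utf-8")
        for key, value in secret.get("data", {}).items()
    }


def check_secret(secret: dict) -> list:
    """Return findings for a Secret object fetched from the cluster; empty means it is usable."""
    findings = []
    meta = secret.get("metadata", {})
    if meta.get("namespace") != NAMESPACE:
        findings.append(f"namespace is {meta.get('namespace')!r}, expected {NAMESPACE!r}")
    if meta.get("name") != SECRET_NAME:
        findings.append(f"name is {meta.get('name')!r}, expected {SECRET_NAME!r}")
    data = secret.get("data", {})
    for key in REQUIRED_KEYS:
        if key not in data:
            findings.append(f"missing key {key!r}")
            continue
        try:
            value = base64.b64decode(data[key], validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            findings.append(f"key {key!r} is not valid base64")
            continue
        if not value.strip():
            findings.append(f"key {key!r} is empty")
    return findings


if __name__ == "__main__":
    # Usage: ALIBABA_CLOUD_ACCESS_KEY_ID=... ALIBABA_CLOUD_ACCESS_KEY_SECRET=... \
    #        python3 make_addon_secret.py | kubectl apply -f -
    print(json.dumps(manifest_from_env(), indent=2))
```

kubectl accepts JSON manifests, so the printed document can be applied directly; check_secret() is useful after the fact to catch a Secret created in the wrong namespace or with misspelled keys, which the backup component would otherwise silently fail to read.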

Step 4 (optional): Grant HBR permissions to an ACK dedicated cluster or a registered cluster

To grant Hybrid Backup Recovery (HBR) permissions to an ACK dedicated cluster or a registered cluster, perform the following operations.

  1. Create a custom permission policy that is used to access HBR. For more information, see Create a custom policy.
    Configure the permission policy based on the following template:
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "hbr:CreateVault",
                    "hbr:CreateBackupJob",
                    "hbr:DescribeVaults",
                    "hbr:DescribeBackupJobs2",
                    "hbr:DescribeRestoreJobs",
                    "hbr:SearchHistoricalSnapshots",
                    "hbr:CreateRestoreJob",
                    "hbr:AddContainerCluster",
                    "hbr:DescribeContainerCluster",
                    "hbr:DescribeRestoreJobs2"
                ],
                "Resource": "*"
            }
        ]
    }
  2. Attach the permission policy to the worker RAM role of the ACK dedicated cluster (see Step 2) or to the RAM user of the registered cluster (see Step 3). For more information, see Grant permissions to a RAM user.