Container Service for Kubernetes: Install migrate-controller and grant permissions

Last Updated: Oct 24, 2023

The backup center feature of Container Service for Kubernetes (ACK) provides an all-in-one solution for you to back up, restore, and migrate both stateless and stateful applications deployed in ACK clusters. This solution meets the data redundancy and migration needs of stateful applications deployed across multiple clusters in a hybrid cloud environment. This topic describes how to enable cluster backup and grant required permissions to different types of clusters.

Prerequisites

  • Hybrid Backup Recovery (HBR) is activated. The backup center uses HBR in hybrid cloud scenarios or when you want to back up Apsara File Storage NAS (NAS), Object Storage Service (OSS), or disk volumes. For more information, see HBR.

  • An ACK cluster is created. For more information, see Create an ACK managed cluster, Create an ACK dedicated cluster, or Register an external Kubernetes cluster.

    Important

    The backup center feature supports only ACK clusters that run Kubernetes 1.18 or later versions. If the Kubernetes version of your cluster is earlier than 1.18, you must update the Kubernetes version. For more information, see Update the Kubernetes version of an ACK cluster.

  • Object Storage Service (OSS) is activated. For more information, see Activate OSS.

  • The backup center feature does not support clusters that use FlexVolume. If your cluster uses FlexVolume, you must upgrade from FlexVolume to Container Storage Interface (CSI) before you can use the backup center feature.

  • If you use an ACK managed cluster, you must create an OSS bucket named cnfs-oss-****. Example: cnfs-oss-backup.

  • A kubectl client is connected to your cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.

Background information

A growing number of applications run on Kubernetes, so it is important to back them up periodically. You can use the backup center to restore applications that cannot recover on their own after a long disruption. Traditional backup solutions, such as single-server backups and disk backups, capture machines or disks. Application backups instead capture the application together with its data, resource objects, configurations, and namespaces.

The backup center feature can store application backups only in OSS buckets. Before you can store application backups in OSS buckets, you must grant OSS permissions to your cluster. If you want to use the backup center in a hybrid cloud environment, you need to activate Cloud Backup and grant Cloud Backup permissions to your cluster. Before you enable cluster backup, you must install migrate-controller. The following sections describe how to install migrate-controller in an ACK managed cluster, ACK dedicated cluster, or registered cluster and grant permissions.

Install migrate-controller in an ACK managed cluster and grant permissions

Step 1: Install migrate-controller

Note

If this is the first time you use the backup center feature, you must install migrate-controller. If migrate-controller is already installed, skip this step.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Operations > Application Backup in the left-side navigation pane.

  3. On the Application Backup page, click Install.

    The system will automatically search for backup vaults. If you do not have a backup vault, create one first. For more information, see Create a backup vault.

    • If this is the first time you install the application backup component, the page shown in the following figure (Application Backup component) appears.

      Note

      If the csdr namespace does not exist, the system automatically creates a namespace named csdr when the system installs the component. Do not delete this namespace when you back up applications.

    • If you have already installed migrate-controller but the migrate-controller version is not up-to-date, click Upgrade on the Application Backup page. The system will automatically update migrate-controller to the latest version.

Step 2: Grant OSS permissions and Cloud Backup permissions

  • Grant OSS permissions

    Make sure that the name of the OSS bucket used as a backup vault by the ACK managed cluster starts with cnfs-oss-***. In this scenario, you do not need to grant OSS permissions.

  • Grant Cloud Backup permissions

    You do not need to grant Cloud Backup permissions if your cluster is an ACK managed cluster.

Install migrate-controller in an ACK dedicated cluster or registered cluster and grant permissions

Use onectl to install migrate-controller and grant permissions (recommended)

  1. Install onectl on your on-premises machine. For more information, see Use onectl to manage registered clusters.

  2. Run the following command to grant RAM permissions to migrate-controller:

    onectl ram-user grant --addon migrate-controller

    Expected output:

    Ram policy ack-one-registered-cluster-policy-migrate-controller granted to ram user ack-one-user-ce313528c3 successfully.

  3. Run the following command to install migrate-controller:

    onectl addon install migrate-controller

    Expected output:

    Addon migrate-controller, version **** installed.

    onectl grants permissions on all OSS buckets that belong to your Alibaba Cloud account. If you want to grant permissions on specified OSS buckets, perform the following operation to modify the OSS permissions granted by onectl. You can also manually install migrate-controller and grant permissions. For more information, see Manually install migrate-controller and grant permissions.

    Modify OSS permissions: Modify the custom policy based on the following content. For more information about how to modify a policy, see Modify the document and description of a custom policy.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "hbr:CreateVault",
                    "hbr:CreateBackupJob",
                    "hbr:DescribeVaults",
                    "hbr:DescribeBackupJobs2",
                    "hbr:DescribeRestoreJobs",
                    "hbr:SearchHistoricalSnapshots",
                    "hbr:CreateRestoreJob",
                    "hbr:AddContainerCluster",
                    "hbr:DescribeContainerCluster",
                    "hbr:DescribeRestoreJobs2"
                ],
                "Resource": "*"
            },
            {
                "Action": [
                    "oss:PutObject",
                    "oss:GetObject",
                    "oss:DeleteObject",
                    "oss:GetBucket",
                    "oss:ListObjects",
                    "oss:ListBuckets"
                ],
                "Resource": [
                    "acs:oss:*:*:mybackups",
                    "acs:oss:*:*:mybackups/*"
                ],
                "Effect": "Allow"
            }
        ]
    }

  4. Create routes that point to the internal network of the region where the registered cluster and OSS bucket reside (optional)

    If the registered cluster is connected to a virtual private cloud (VPC) through Cloud Enterprise Network (CEN), Express Connect, or VPN, and the registered cluster resides in the same region as the OSS bucket, the backup center accesses the internal endpoint of the OSS bucket by default to speed up downloads. Therefore, you need to create routes that point to the internal network of the region where the OSS bucket resides.

Use the console to install migrate-controller and grant permissions

Step 1: Install migrate-controller

Install migrate-controller. For more information, see Step 1: Install migrate-controller.

Step 2: Grant Cloud Backup permissions and OSS permissions

You need to create a RAM user for the ACK dedicated cluster or registered cluster, grant the RAM user the permissions to access cloud resources, and then create an AccessKey pair for the RAM user.

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create the following custom policies to grant OSS and Cloud Backup permissions. For more information, see the "Create a custom policy on the JSON tab" section in Create a custom policy.

    • Create a custom policy to grant OSS permissions

      • To grant permissions on all OSS buckets, create a custom policy based on the following template:

        {
            "Version": "1",
            "Statement": [
                {
                    "Action": [
                        "oss:PutObject",
                        "oss:GetObject",
                        "oss:DeleteObject",
                        "oss:GetBucket",
                        "oss:ListObjects",
                        "oss:ListBuckets",
                        "oss:GetBucketStat"
                    ],
                    "Resource": [
                        "*"
                    ],
                    "Effect": "Allow"
                }
            ]
        }

      • To grant read and write permissions on a specified OSS bucket, create a custom policy based on the following template:

        {
            "Version": "1",
            "Statement": [
                {
                    "Action": [
                        "oss:PutObject",
                        "oss:GetObject",
                        "oss:DeleteObject",
                        "oss:GetBucket",
                        "oss:ListObjects",
                        "oss:ListBuckets",
                        "oss:GetBucketStat"
                    ],
                    "Resource": [
                        "acs:oss:*:*:mybackups",
                        "acs:oss:*:*:mybackups/*"
                    ],
                    "Effect": "Allow"
                }
            ]
        }

    • Create a custom policy to grant Cloud Backup permissions

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "hbr:CreateVault",
                      "hbr:CreateBackupJob",
                      "hbr:DescribeVaults",
                      "hbr:DescribeBackupJobs2",
                      "hbr:DescribeRestoreJobs",
                      "hbr:SearchHistoricalSnapshots",
                      "hbr:CreateRestoreJob",
                      "hbr:AddContainerCluster",
                      "hbr:DescribeContainerCluster",
                      "hbr:DescribeRestoreJobs2"
                  ],
                  "Resource": "*"
              }
          ]
      }

  3. Grant OSS and Cloud Backup permissions to the RAM user. For more information, see Create a RAM user and grant permissions to the RAM user.

  4. Create an AccessKey pair for the RAM user. For more information, see Obtain an AccessKey pair.

  5. Create a Secret in an ACK dedicated cluster or a registered cluster.

    To ensure that the AccessKey pair is used only within the ACK dedicated cluster or registered cluster, you need to create a Secret named alibaba-addon-secret in the cluster to store the AccessKey pair. This reduces the risk of information leakage.

    • Run the following command to create a namespace named csdr:

      kubectl create ns csdr

    • Run the following command to create a Secret named alibaba-addon-secret:

      kubectl -n csdr create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'

      Replace <your AccessKey ID> and <your AccessKey Secret> with the AccessKey pair that you obtained in the preceding step.
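    Both the onectl-granted policy above and the console templates in this step let you choose between an account-wide OSS grant ("Resource": ["*"]) and one limited to a single bucket. The following script is an added example, not part of this page or of onectl: it flags OSS Allow statements in a RAM policy document that reach beyond a named bucket, and rewrites them to the two bucket ARNs the templates use. The sample policy embedded in it is constructed from the shapes shown on this page; hbr:* statements are intentionally left account-wide, as the page's Cloud Backup policy is.

```python
"""Lint and scope the OSS part of a RAM policy to one backup bucket (added example)."""
import json

# Constructed sample: the account-wide OSS grant that onectl applies by default,
# next to an hbr:* statement that is account-level by design on this page.
WIDE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["hbr:CreateVault", "hbr:DescribeVaults"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["oss:PutObject", "oss:GetObject",
                                       "oss:ListObjects", "oss:ListBuckets"],
         "Resource": ["*"]},
    ],
})

def _as_list(value):
    """RAM policies allow either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def bucket_resources(bucket):
    """The two ARNs the page's bucket-scoped template uses for one bucket."""
    return [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"]

def oss_findings(policy_json, bucket):
    """Return one finding per Resource of an OSS Allow statement not limited to `bucket`.

    Statements with no oss:* action (for example hbr:*) are skipped."""
    allowed = set(bucket_resources(bucket))
    findings = []
    for i, st in enumerate(json.loads(policy_json)["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if not any(a.startswith("oss:") for a in _as_list(st["Action"])):
            continue
        for r in _as_list(st["Resource"]):
            if r not in allowed:
                findings.append(f"statement {i}: {r!r} is wider than bucket {bucket!r}")
    return findings

def scope_to_bucket(policy_json, bucket):
    """Return a policy JSON string whose OSS statements are limited to `bucket`."""
    doc = json.loads(policy_json)
    for st in doc["Statement"]:
        if any(a.startswith("oss:") for a in _as_list(st["Action"])):
            st["Resource"] = bucket_resources(bucket)
    return json.dumps(doc, indent=4)

if __name__ == "__main__":
    print("\n".join(oss_findings(WIDE_POLICY, "mybackups")))
    print(scope_to_bucket(WIDE_POLICY, "mybackups"))
```

    Run the linter against the policy you granted before attaching it to the RAM user; an empty finding list means every OSS statement is limited to the backup bucket.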

Step 3 (optional): Create routes that point to the internal network of the region where the registered cluster and OSS bucket reside

If the registered cluster is connected to a VPC through CEN, Express Connect, or VPN, and the registered cluster resides in the same region as the OSS bucket, the backup center accesses the internal endpoint of the OSS bucket by default to speed up downloads. Therefore, you need to create routes that point to the internal network of the region where the OSS bucket resides.