The backup center feature of Container Service for Kubernetes (ACK) provides an all-in-one solution for you to back up, restore, and migrate both stateless and stateful applications deployed in ACK clusters. This solution meets the data redundancy and migration needs of stateful applications deployed across multiple clusters in a hybrid cloud environment. This topic describes how to enable cluster backup and grant required permissions to different types of clusters.
Prerequisites
- Hybrid Backup Recovery (HBR) is activated if your applications are deployed in a hybrid cloud. For more information, see HBR.
- An ACK cluster is created. For more information, see Create an ACK managed cluster, Create an ACK dedicated cluster, or Register an external Kubernetes cluster.
  Important: The backup center feature supports only ACK clusters that run Kubernetes 1.18 or later. If the Kubernetes version of your cluster is earlier than 1.18, you must update the cluster to Kubernetes 1.18 or later. For more information, see Update the Kubernetes version of an ACK cluster.
- OSS is activated. For more information, see Activate OSS.
- The backup center feature does not support clusters that use FlexVolume. If your cluster uses FlexVolume, you must upgrade from FlexVolume to Container Storage Interface (CSI) before you can use the backup center feature.
- For clusters that have FlexVolume installed but no data is stored, we recommend that you use the Container Storage Interface (CSI) plug-in instead. For more information, see Upgrade from FlexVolume to CSI for clusters where no data is stored.
- For other clusters, join the DingTalk group 35532895 for support.
- If you use an ACK managed cluster, you must create an OSS bucket named cnfs-oss-****. Example: cnfs-oss-backup.
- A kubectl client is connected to your cluster. For more information, see Connect to ACK clusters by using kubectl.
Background information
A growing number of applications are running on Kubernetes. Therefore, it is important to back up applications periodically. You can use the backup center to restore applications that cannot be recovered after the applications are disrupted for a long period of time. Traditional backup solutions include single-server backups and disk backups. Compared with the traditional backup solutions, application backups allow you to back up applications and related data, resource objects, configurations, and namespaces.
The backup center feature can store application backups only in OSS buckets. Before you can store application backups in OSS buckets, you must grant OSS permissions to your cluster. If you want to use the backup center in a hybrid cloud environment, you need to activate HBR and grant HBR permissions to your cluster. Before you enable cluster backup, you must install migrate-controller. The following sections describe how to install migrate-controller and grant permissions in an ACK managed cluster, ACK dedicated cluster, and registered cluster.
Install migrate-controller and grant permissions in an ACK managed cluster
Step 1: Install migrate-controller
- Log on to the ACK console and click Clusters in the left-side navigation pane.
- On the Clusters page, click the name of a cluster and choose in the left-side navigation pane.
- On the Application Backup page, click Install. The system will automatically search for backup vaults. If you do not have a backup vault, create one first. For more information, see Create a backup vault.
- If this is the first time you install migrate-controller, the page shown in the following figure appears.
  Note: If the csdr namespace does not exist, the system automatically creates a namespace named csdr when it installs the component. Do not delete this namespace while you back up applications.
- If you have already installed migrate-controller but the migrate-controller version is not up-to-date, click Upgrade on the Application Backup page. The system will automatically update migrate-controller to the latest version.
Step 2: Grant OSS permissions and HBR permissions
- Grant OSS permissions
  Make sure that the name of the OSS bucket that the ACK managed cluster uses as a backup vault starts with cnfs-oss-***. This way, you do not need to grant OSS permissions to the cluster.
- Grant HBR permissions
  You do not need to grant HBR permissions to an ACK managed cluster.
Install migrate-controller and grant permissions in an ACK dedicated cluster or registered cluster
Method 1 (recommended): Use onectl to install migrate-controller and grant permissions
Alibaba Cloud provides the onectl command-line tool that you can use to manage registered clusters. You can use onectl to install and configure add-ons such as migrate-controller in registered clusters. You can use onectl to enable cluster backup for an ACK dedicated cluster. For more information, see Use onectl to manage registered clusters.
Step 1: Authorize migrate-controller to access cloud services
- Create a RAM user. For more information, see Create a RAM user.
- Create an AccessKey pair for the RAM user. For more information, see Create an AccessKey pair.
- Create a custom RAM policy named externalK8sPolicy-tmp. The following template shows an example of the policy content. For more information, see Create a custom policy.
{
  "Statement": [
    {
      "Action": [
        "cs:InstallClusterAddons"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cs:*:*:cluster/*"
      ]
    },
    {
      "Action": [
        "ram:GetPolicy",
        "ram:CreatePolicy",
        "ram:AttachPolicyToUser"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ],
  "Version": "1"
}
- Attach the custom RAM policy to the RAM user. For more information, see Grant permissions to the RAM user. Note If you no longer use onectl to manage registered clusters, we recommend that you detach the externalK8sPolicy-tmp policy from the RAM user.
- Run the following command to install onectl. onectl supports macOS and Linux.
curl https://ack-one.oss-cn-hangzhou.aliyuncs.com/onectl/get-onectl.sh |bash
- Run the following command to check whether onectl is installed:
onectl version
Expected output:
onectl: v1.0.0+a2c6304
BuildDate: 2022-10-26T03:23:39Z
GitCommit: a2c6304befede75f870423e5686319055a963717
GitTreeState: clean
GoVersion: go1.18.2
Compiler: gc
Platform: linux/amd64
- Run the following command to configure onectl. You must specify an AccessKey pair, a Resource Access Management (RAM) user, a cluster ID, and the path of the kubeconfig file used to log on to the cluster.
onectl configure
Expected output:
Configuring profile 'default' ...
Access Key Id [LTAI5tRf5ipP1h81PL****]:
Access Key Secret [****]:
Default SubAccount Username [xxxx]:
Default Cluster Id (ClusterId of ACK Regitry Cluster) [c696eaff87cd44d2ea8c18cd54e6****]:
Default Kubeconfig Path (default is ~/.kube/config) []:
Saving profile[default] ...
Done.
- Access Key Id and Access Key Secret: the AccessKey ID and the AccessKey secret of the RAM user that you want to use.
- SubAccount Username: the RAM user that you want to use. For example, if the logon name of the RAM user that you want to use is shuwei@18807*****.onaliyun.com, set SubAccount Username to shuwei.
- Cluster Id: the ID of the ACK dedicated cluster or the ID of the registered cluster.
- Kubeconfig Path:
  - If you use an ACK dedicated cluster, set the value to the path of the kubeconfig file used to log on to the cluster. Default value: ~/.kube/config.
  - If you use a registered cluster, set the value to the path of the kubeconfig file used to log on to the cluster. Default value: ~/.kube/config.
Note: onectl can use AccessKey pairs for the following purposes:
- Call API operations to query and create custom RAM policies, attach custom RAM policies, and install ACK add-ons.
- Access cloud resources.
We recommend that you keep AccessKey pairs confidential and manage the permissions of the RAM user used by onectl based on the principle of least privilege.
Step 2: Install migrate-controller
Run the following command to install migrate-controller:
onectl addon install migrate-controller
Expected output:
Addon migrate-controller installed
Step 3: Modify OSS permissions
Modify the content of the externalK8sPolicy-tmp RAM policy that you created in Step 1 based on the following code block. For more information about how to modify RAM policies, see Modify the document and description of a custom policy.
Note:
- Replace mybackups in the following code block with the name of your OSS bucket.
- For more information about how to configure fine-grained access to OSS, see Use RAM to manage OSS permissions.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "hbr:CreateVault",
        "hbr:CreateBackupJob",
        "hbr:DescribeVaults",
        "hbr:DescribeBackupJobs2",
        "hbr:DescribeRestoreJobs",
        "hbr:SearchHistoricalSnapshots",
        "hbr:CreateRestoreJob",
        "hbr:AddContainerCluster",
        "hbr:DescribeContainerCluster",
        "hbr:DescribeRestoreJobs2"
      ],
      "Resource": "*"
    },
    {
      "Action": [
        "oss:PutObject",
        "oss:GetObject",
        "oss:DeleteObject",
        "oss:GetBucket",
        "oss:ListObjects",
        "oss:ListBuckets"
      ],
      "Resource": [
        "acs:oss:*:*:mybackups",
        "acs:oss:*:*:mybackups/*"
      ],
      "Effect": "Allow"
    }
  ]
}
Method 2: Manually install migrate-controller and grant OSS permissions
Step 1: Install migrate-controller
Install migrate-controller. For more information, see Step 1: Install migrate-controller.
Step 2: Grant HBR permissions and OSS permissions
You need to create a RAM user for the ACK dedicated cluster or registered cluster, grant the RAM user the permissions to access cloud resources, and then create an AccessKey pair for the RAM user.
- Create a RAM user. For more information, see Create a RAM user.
- Create the following custom policies to grant OSS permissions and HBR permissions. For more information, see Create a custom policy on the JSON tab.
  - Create a custom policy to grant OSS permissions
    Note:
    - Replace mybackups in the following code block with the name of your OSS bucket.
    - For more information about how to configure fine-grained access to OSS, see Use RAM to manage OSS permissions.
    - To grant permissions on all OSS buckets, create a custom policy based on the following template:
      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "oss:PutObject",
              "oss:GetObject",
              "oss:DeleteObject",
              "oss:GetBucket",
              "oss:ListObjects",
              "oss:ListBuckets",
              "oss:GetBucketStat"
            ],
            "Resource": [
              "*"
            ],
            "Effect": "Allow"
          }
        ]
      }
    - To grant read and write permissions on a specified OSS bucket, create a custom policy based on the following template:
      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "oss:PutObject",
              "oss:GetObject",
              "oss:DeleteObject",
              "oss:GetBucket",
              "oss:ListObjects",
              "oss:ListBuckets",
              "oss:GetBucketStat"
            ],
            "Resource": [
              "acs:oss:*:*:mybackups",
              "acs:oss:*:*:mybackups/*"
            ],
            "Effect": "Allow"
          }
        ]
      }
  - Create a custom policy to grant HBR permissions
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2"
          ],
          "Resource": "*"
        }
      ]
    }
- Grant OSS permissions and HBR permissions to the RAM user. For more information, see Grant permissions to the RAM user.
- Create an AccessKey pair for the RAM user. For more information, see Obtain an AccessKey pair.
- Create a Secret in the ACK dedicated cluster or registered cluster.
To ensure that the AccessKey pair is used only within the ACK dedicated cluster or registered cluster, you must create a Secret named alibaba-addon-secret in the ACK dedicated cluster or registered cluster to store the AccessKey pair. This reduces the risk of information leakage.
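The two OSS policy templates above differ only in their Resource field: one grants the backup actions on every bucket in the account, the other on a single bucket and the objects under it. The following is an added example, not code from the ACK documentation, migrate-controller or onectl, that audits a policy document before you attach it to the RAM user: it flags OSS statements whose resource is still "*", actions that are not in the OSS or HBR templates on this page, and, for the managed-cluster case, a bucket name that lacks the cnfs-oss- prefix. The function names and the sample policies at the bottom are this example's own constructions; the action lists are the ones printed in the templates.

```python
"""Added example (not from the ACK documentation, migrate-controller or onectl):
audit custom RAM policies for the backup center against the least-privilege
shape shown in the templates above. Sample policies below are constructed."""
import json

# Action names exactly as listed in the OSS and HBR policy templates on the page.
OSS_ACTIONS = {
    "oss:PutObject", "oss:GetObject", "oss:DeleteObject", "oss:GetBucket",
    "oss:ListObjects", "oss:ListBuckets", "oss:GetBucketStat",
}
HBR_ACTIONS = {
    "hbr:CreateVault", "hbr:CreateBackupJob", "hbr:DescribeVaults",
    "hbr:DescribeBackupJobs2", "hbr:DescribeRestoreJobs",
    "hbr:SearchHistoricalSnapshots", "hbr:CreateRestoreJob",
    "hbr:AddContainerCluster", "hbr:DescribeContainerCluster",
    "hbr:DescribeRestoreJobs2",
}
MANAGED_BUCKET_PREFIX = "cnfs-oss-"  # bucket name prefix required by ACK managed clusters


def _as_list(value):
    """RAM policy fields may hold a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])


def bucket_name_ok_for_managed_cluster(bucket):
    """True if the bucket is named cnfs-oss-<non-empty suffix>."""
    return bucket.startswith(MANAGED_BUCKET_PREFIX) and len(bucket) > len(MANAGED_BUCKET_PREFIX)


def audit_policy(policy_json, bucket):
    """Return a list of findings; an empty list means the policy matches the
    scoped template on the page for backups stored in `bucket`."""
    policy = json.loads(policy_json)
    findings = []
    if policy.get("Version") != "1":
        findings.append('policy Version should be "1"')
    # The scoped template grants the bucket itself and every object under it.
    expected_oss = {f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"}
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = set(_as_list(stmt.get("Action")))
        resources = set(_as_list(stmt.get("Resource")))
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {i}: Effect is not Allow")
        oss = {a for a in actions if a.startswith("oss:")}
        hbr = {a for a in actions if a.startswith("hbr:")}
        if actions - oss - hbr:
            findings.append(f"statement {i}: actions outside oss:/hbr: {sorted(actions - oss - hbr)}")
        if oss - OSS_ACTIONS:
            findings.append(f"statement {i}: OSS actions not in the template {sorted(oss - OSS_ACTIONS)}")
        if hbr - HBR_ACTIONS:
            findings.append(f"statement {i}: HBR actions not in the template {sorted(hbr - HBR_ACTIONS)}")
        if oss:
            # Resource form is acs:oss:<region>:<account>:<bucket>; a "*" bucket
            # segment (or a bare "*") grants the actions on every bucket.
            if any(r == "*" or r.split(":")[-1] == "*" for r in resources):
                findings.append(f"statement {i}: OSS actions allowed on all buckets; scope them to {bucket}")
            elif resources != expected_oss:
                findings.append(f"statement {i}: OSS resources {sorted(resources)} do not match {sorted(expected_oss)}")
    return findings


# Constructed sample policies mirroring the three templates on the page.
SCOPED_OSS_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Action": sorted(OSS_ACTIONS),
                   "Resource": ["acs:oss:*:*:mybackups", "acs:oss:*:*:mybackups/*"],
                   "Effect": "Allow"}],
})
ALL_BUCKETS_OSS_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Action": sorted(OSS_ACTIONS), "Resource": ["*"], "Effect": "Allow"}],
})
HBR_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": sorted(HBR_ACTIONS), "Resource": "*"}],
})

if __name__ == "__main__":
    for name, doc in [("scoped OSS", SCOPED_OSS_POLICY),
                      ("all-buckets OSS", ALL_BUCKETS_OSS_POLICY),
                      ("HBR", HBR_POLICY)]:
        print(name, "->", audit_policy(doc, "mybackups") or "OK")
    print("cnfs-oss-backup usable by a managed cluster:",
          bucket_name_ok_for_managed_cluster("cnfs-oss-backup"))
```

Run it against the policy document you are about to paste into the RAM console; the all-buckets template is reported as a finding, while the scoped template and the HBR template (whose Resource "*" is what the page specifies) pass. The same check can be reused with the combined policy from the onectl method, which carries both statement types in one document.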