The backup center feature of Container Service for Kubernetes (ACK) provides an all-in-one
solution for you to back up, restore, and migrate both stateless and stateful applications
deployed in ACK clusters. This solution meets the data redundancy and migration needs
of stateful applications deployed across multiple clusters in a hybrid cloud environment.
This topic describes how to enable cluster backup and grant required permissions to
ACK dedicated clusters and registered clusters.
Background information
A growing number of applications are running on Kubernetes. Therefore, it is important
to back up applications periodically. You can use the backup center to restore applications
that cannot be recovered after the applications are disrupted for a long period of
time. Traditional backup solutions include single-server backups and disk backups.
Compared with the traditional backup solutions, application backups allow you to back
up applications and related data, resource objects, configurations, and namespaces.
Step 1: Install the application backup component
Note: If this is the first time you use the backup center feature, you must install the
application backup component. If the component is installed, skip this step.
- Log on to the ACK console.
- In the left-side navigation pane of the ACK console, click Clusters.
- On the Clusters page, find the cluster that you want to manage and click the name of the cluster
or click Details in the Actions column. The details page of the cluster appears.
- In the left-side navigation pane of the details page, choose .
- On the Application Backup page, click Install.
Note: If the csdr namespace does not exist, the system automatically creates a namespace named csdr
when the system installs the component. Do not delete this namespace when you back
up applications.
After the component is installed, the page shown in the following figure appears.

Step 2 (optional): Grant OSS permissions to an ACK dedicated cluster
The backup center feature can store application backups only in OSS buckets. Before
you can store application backups in OSS buckets, you must grant OSS permissions to
your cluster.
If you use an existing ACK dedicated cluster, you must perform the following operations
to grant OSS permissions to the cluster. If you use a newly created ACK cluster, you
do not need to perform the following operations.
- Create a custom permission policy that is used to access OSS. For more information,
see Create a custom policy.
To grant the OSS permissions on all buckets (Resource set to "*"), create a permission policy based on the following template:
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:PutObject",
                "oss:GetObject",
                "oss:DeleteObject",
                "oss:GetBucket",
                "oss:ListObjects",
                "oss:ListBuckets"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
To grant only read and write permissions on a specified OSS bucket, create a permission
policy based on the following template:
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:PutObject",
                "oss:GetObject",
                "oss:DeleteObject",
                "oss:GetBucket",
                "oss:ListObjects",
                "oss:ListBuckets"
            ],
            "Resource": [
                "acs:oss:*:*:mybackups",
                "acs:oss:*:*:mybackups/*"
            ],
            "Effect": "Allow"
        }
    ]
}
Replace mybackups with the name of the OSS bucket that you want to use.
- Grant permissions to the Resource Access Management (RAM) role of the cluster.
  - Log on to the ACK console.
  - In the left-side navigation pane of the ACK console, click Clusters.
  - On the Clusters page, find the cluster that you want to manage and click the name of the cluster
    or click Details in the Actions column. The details page of the cluster appears.
  - On the details page of the cluster, click the Cluster Resources tab and check the worker RAM role of the cluster.
  - Log on to the RAM console.
  - In the left-side navigation pane, click Grants.
  - On the Grants page, click Grant Permission. In the Add Permissions panel, set the following parameters and click OK.
| Parameter | Description |
| --- | --- |
| Authorized Scope | Valid values: Alibaba Cloud Account and Specific Resource Group. |
| Principal | Enter the worker RAM role that you obtained. |
| Select Policy | Click Custom Policy, enter the name of the permission policy that you created in the first sub-step of Step 2, and then click the name of the policy. |
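A least-privilege check for the two OSS templates in Step 2, as an added example that is not part of the original documentation: it flags any Allow statement whose OSS resources reach beyond the intended backup bucket. The function names and the audit rule are assumptions of this example; the actions and resource names are those from the templates above.

```python
import json

# The six actions listed in this page's OSS policy templates.
TEMPLATE_ACTIONS = {
    "oss:PutObject", "oss:GetObject", "oss:DeleteObject",
    "oss:GetBucket", "oss:ListObjects", "oss:ListBuckets",
}

def as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def audit_oss_policy(policy_json, bucket):
    """Return findings for Allow statements that reach beyond `bucket`."""
    allowed = {f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"}
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        if not any(a == "*" or a.lower().startswith("oss:") for a in actions):
            continue  # statement does not concern OSS
        for action in actions:
            if action not in TEMPLATE_ACTIONS:
                findings.append(f"statement {i}: action {action!r} is not in the backup template")
        for res in as_list(stmt.get("Resource", [])):
            if res not in allowed:
                findings.append(f"statement {i}: resource {res!r} is outside bucket {bucket!r}")
    return findings

def make_policy(resources):
    """Build the page's OSS template with the given Resource list."""
    return json.dumps({"Version": "1", "Statement": [{
        "Action": sorted(TEMPLATE_ACTIONS), "Resource": resources, "Effect": "Allow"}]})

# The two templates from Step 2, rebuilt here so the example runs offline.
WILDCARD_POLICY = make_policy(["*"])
SCOPED_POLICY = make_policy(["acs:oss:*:*:mybackups", "acs:oss:*:*:mybackups/*"])

if __name__ == "__main__":
    for name, doc in (("wildcard", WILDCARD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_oss_policy(doc, "mybackups") or "no findings")
```

Run it against the policy document before attaching it to the worker RAM role; an empty result means every OSS grant is confined to the named bucket.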
Step 3 (optional): Grant OSS permissions to a registered cluster
If your applications are deployed in a registered cluster, you must create a RAM user
for the cluster, grant the RAM user the permissions to access cloud resources, and
then create an AccessKey pair for the RAM user.
- Create a RAM user. For more information, see Create a RAM user.
- Create a custom permission policy that is used to access OSS. For more information,
see the first sub-step of Step 2.
- Attach the permission policy to the RAM user. For more information, see Grant permissions to a RAM user.
- Create an AccessKey pair for the RAM user. For more information, see Obtain an AccessKey pair.
- Create a Secret in the registered cluster.
To ensure that the AccessKey pair is used only within the registered cluster, you
must use the AccessKey pair to create a Secret named alibaba-addon-secret in the cluster. This reduces the risk of information leakage.
  - Run the following command to create a namespace named csdr:
  - Run the following command to create a Secret named alibaba-addon-secret:
    kubectl -n csdr create secret generic alibaba-addon-secret \
      --from-literal='access-key-id=<your AccessKey ID>' \
      --from-literal='access-key-secret=<your AccessKey Secret>'
    Replace <your AccessKey ID> and <your AccessKey Secret> with the AccessKey ID and AccessKey secret that are obtained in the previous step. The --from-literal flag places both values on the command line, so they are recorded in shell history; remove that history entry after the Secret is created.
Step 4 (optional): Grant HBR permissions to an ACK dedicated cluster or a registered cluster
To grant HBR permissions to an ACK dedicated cluster or a registered cluster, perform
the following operations.
- Create a custom permission policy that is used to access HBR. For more information,
see Create a custom policy.
Configure the permission policy based on the following template:
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "hbr:CreateVault",
                "hbr:CreateBackupJob",
                "hbr:DescribeVaults",
                "hbr:DescribeBackupJobs2",
                "hbr:DescribeRestoreJobs",
                "hbr:SearchHistoricalSnapshots",
                "hbr:CreateRestoreJob",
                "hbr:AddContainerCluster",
                "hbr:DescribeContainerCluster",
                "hbr:DescribeRestoreJobs2"
            ],
            "Resource": "*"
        }
    ]
}
- Attach the permission policy to the RAM user. For more information, see Grant permissions to a RAM user.