Backing up Kubernetes persistent volume data to Amazon S3

Contributors netapp-tonacki

Complete a few steps to get started backing up data from your Kubernetes cluster persistent volumes to Amazon S3.

Quick start

Get started quickly by following these steps, or scroll down to the remaining sections for full details.

One Review prerequisites
  • You have discovered the Kubernetes cluster as a Cloud Manager working environment.

    • Trident must be installed on the cluster, and the Trident version must be 21.1 or greater.

    • All PVCs that will be used to create persistent volumes that you want to back up must have "snapshotPolicy" set to "default".

    • The cluster must be using Cloud Volumes ONTAP on AWS for its backend storage.

    • The Cloud Volumes ONTAP system must be running ONTAP 9.7P5 or later.

  • You have a valid cloud provider subscription for the storage space where your backups will be located.

  • You have subscribed to the Cloud Manager Marketplace Backup offering, an AWS annual contract, or you have purchased and activated a Cloud Backup BYOL license from NetApp.

  • The IAM role that provides the Cloud Manager Connector with permissions includes S3 permissions from the latest Cloud Manager policy.

Two Enable Cloud Backup on your existing Kubernetes cluster

Select the working environment and click Enable next to the Backup & Restore service in the right panel, and then follow the setup wizard.

Three Define the backup policy

The default policy backs up volumes every day and retains the most recent 30 backup copies of each volume. Change to hourly, daily, weekly, or monthly backups, or select one of the system-defined policies that provide more options. You can also change the number of backup copies you want to retain.

Four Select the volumes that you want to back up

Identify which volumes you want to back up in the Select Volumes page. An S3 bucket is created automatically in the same AWS account and Region as the Cloud Volumes ONTAP system, and the backup files are stored there.

Five Restore your data, as needed

Restore an entire backup as a new volume on the same or different Kubernetes cluster in AWS (in the same region).

Requirements

Read the following requirements to make sure that you have a supported configuration before you start backing up Kubernetes persistent volumes to S3.

The following image shows each component and the connections that you need to prepare between them:

A diagram showing how Cloud Backup communicates with the volumes on the source systems and the destination storage where the backup files are located.

Note that the VPC Endpoint is optional.

Kubernetes cluster requirements
  • You have discovered the Kubernetes cluster as a Cloud Manager working environment. See how to discover the Kubernetes cluster.

  • Trident must be installed on the cluster, and the Trident version must be a minimum of 21.1. See how to install Trident or how to upgrade the Trident version.

  • The cluster must be using Cloud Volumes ONTAP on AWS for its backend storage.

  • The Cloud Volumes ONTAP system must be in the same AWS region as the Kubernetes cluster, and it must be running ONTAP 9.7P5 or later.

    Note that Kubernetes clusters in on-premises locations are not supported. Only Kubernetes clusters in cloud deployments that are using Cloud Volumes ONTAP systems are supported.

  • All Persistent Volume Claim objects that will be used to create the persistent volumes that you want to back up must have "snapshotPolicy" set to "default".

    You can do this for individual PVCs by adding snapshotPolicy under annotations:

    kind: PersistentVolumeClaim
    apiVersion: v1
    metadata:
      name: full
      annotations:
        trident.netapp.io/snapshotPolicy: "default"
    spec:
      accessModes:
        - ReadWriteMany
      resources:
        requests:
          storage: 100Mi
      storageClassName: silver

    You can do this for all PVCs associated with a particular backend storage by adding the snapshotPolicy field under defaults in the backend.json file:

    apiVersion: trident.netapp.io/v1
    kind: TridentBackendConfig
    metadata:
      name: backend-tbc-ontap-nas-advanced
    spec:
      version: 1
      storageDriverName: ontap-nas
      managementLIF: 10.0.0.1
      dataLIF: 10.0.0.2
      backendName: tbc-ontap-nas-advanced
      svm: trident_svm
      credentials:
        name: backend-tbc-ontap-nas-advanced-secret
      limitAggregateUsage: 80%
      limitVolumeSize: 50Gi
      nfsMountOptions: nfsvers=4
      defaults:
        spaceReserve: volume
        exportPolicy: myk8scluster
        snapshotPolicy: default
        snapshotReserve: '10'
      deletionPolicy: retain
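
To confirm the snapshotPolicy requirement before enabling backup, the following added example (not NetApp code) audits the output of `kubectl get pvc -A -o json`. It assumes that a PVC annotation takes precedence over the backend default, and that the operator supplies the storage classes whose backend sets `snapshotPolicy: default`; the function names and sample PVCs are constructed for illustration.

```python
ANNOTATION = "trident.netapp.io/snapshotPolicy"

def audit_pvcs(pvc_list, default_policy_classes=frozenset()):
    """Return (namespace, name, reason) for PVCs that miss the requirement.

    default_policy_classes: storage classes whose Trident backend sets
    defaults.snapshotPolicy to "default" (operator-supplied assumption).
    """
    findings = []
    for item in pvc_list.get("items", []):
        meta = item.get("metadata", {})
        value = (meta.get("annotations") or {}).get(ANNOTATION)
        storage_class = item.get("spec", {}).get("storageClassName")
        if value == "default":
            continue  # explicitly annotated, requirement met
        if value is None and storage_class in default_policy_classes:
            continue  # inherits "default" from the backend defaults
        reason = ("annotation missing" if value is None
                  else f"snapshotPolicy={value!r}")
        findings.append((meta.get("namespace", "default"),
                         meta.get("name"), reason))
    return findings

def _pvc(ns, name, storage_class, policy=None):
    """Build a constructed PVC in the shape kubectl prints as JSON."""
    meta = {"namespace": ns, "name": name}
    if policy is not None:
        meta["annotations"] = {ANNOTATION: policy}
    return {"kind": "PersistentVolumeClaim", "metadata": meta,
            "spec": {"storageClassName": storage_class}}

# Constructed sample; in practice load the kubectl JSON with json.load().
SAMPLE = {"kind": "List", "items": [
    _pvc("apps", "full", "silver", "default"),   # annotated: passes
    _pvc("apps", "logs", "gold"),                # backend default: passes
    _pvc("apps", "cache", "silver"),             # nothing sets the policy
    _pvc("dev", "scratch", "gold", "none"),      # annotation overrides
]}

if __name__ == "__main__":
    for finding in audit_pvcs(SAMPLE, {"gold"}):
        print(finding)
```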

License requirements

For Cloud Backup PAYGO licensing, a Cloud Manager subscription is available in the AWS Marketplace that enables deployments of Cloud Volumes ONTAP and Cloud Backup. You need to subscribe to this Cloud Manager subscription before you enable Cloud Backup. Billing for Cloud Backup is done through this subscription.

For an annual contract that enables you to back up both Cloud Volumes ONTAP data and on-premises ONTAP data, you need to subscribe from the AWS Marketplace page and then associate the subscription with your AWS credentials.

For an annual contract that enables you to bundle Cloud Volumes ONTAP and Cloud Backup Service, you must set up the annual contract when you create a Cloud Volumes ONTAP working environment. This option doesn’t enable you to back up on-prem data.

For Cloud Backup BYOL licensing, you need the serial number from NetApp that enables you to use the service for the duration and capacity of the license. Learn how to manage your BYOL licenses.

You also need an AWS account for the storage space where your backups will be located.

Supported AWS regions

Cloud Backup is supported in all AWS regions where Cloud Volumes ONTAP is supported.

AWS Backup permissions required

The IAM role that provides Cloud Manager with permissions must include S3 permissions from the latest Cloud Manager policy.

Here are the specific S3 permissions from the policy:

{
    "Sid": "backupPolicy",
    "Effect": "Allow",
    "Action": [
        "s3:DeleteBucket",
        "s3:GetLifecycleConfiguration",
        "s3:PutLifecycleConfiguration",
        "s3:PutBucketTagging",
        "s3:ListBucketVersions",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "s3:GetBucketTagging",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy",
        "s3:PutBucketPublicAccessBlock"
    ],
    "Resource": [
        "arn:aws:s3:::netapp-backup-*"
    ]
}
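
To check a Connector role's policy document against this statement, the following added example (not NetApp code) reports which of the listed actions are not allowed on a `netapp-backup-*` bucket and which are granted on resources wider than that prefix. It reads only Allow statements with Action and Resource; Deny, NotAction, NotResource and Condition are not evaluated, and the probe ARNs and sample policy are constructed.

```python
import re

# Actions and resource pattern copied from the backupPolicy statement above.
REQUIRED_ACTIONS = [
    "s3:DeleteBucket", "s3:GetLifecycleConfiguration",
    "s3:PutLifecycleConfiguration", "s3:PutBucketTagging",
    "s3:ListBucketVersions", "s3:GetObject", "s3:DeleteObject",
    "s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetBucketTagging",
    "s3:GetBucketLocation", "s3:GetBucketPolicyStatus",
    "s3:GetBucketPublicAccessBlock", "s3:GetBucketAcl",
    "s3:GetBucketPolicy", "s3:PutBucketPublicAccessBlock",
]
# Constructed probe ARNs: one inside netapp-backup-*, one unrelated bucket.
BACKUP_PROBE = "arn:aws:s3:::netapp-backup-example"
OTHER_PROBE = "arn:aws:s3:::unrelated-bucket"

def _as_list(value):
    """IAM accepts a single string/object or a list in these fields."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _glob(pattern, text, flags=0):
    """IAM-style wildcards: '*' matches any run of characters, '?' one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, text, flags) is not None

def audit_backup_policy(policy):
    """Return (missing, overbroad) lists drawn from REQUIRED_ACTIONS."""
    granted, overbroad = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        patterns = _as_list(stmt.get("Action"))
        # Action names match case-insensitively; resource ARNs do not.
        hits = {a for a in REQUIRED_ACTIONS
                if any(_glob(p, a, re.IGNORECASE) for p in patterns)}
        if any(_glob(r, BACKUP_PROBE) for r in resources):
            granted |= hits
        if any(_glob(r, OTHER_PROBE) for r in resources):
            overbroad |= hits  # also allowed on buckets outside the prefix
    return [a for a in REQUIRED_ACTIONS if a not in granted], sorted(overbroad)

# Constructed policy document: two actions missing, one granted too widely.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "backupPolicy", "Effect": "Allow",
     "Action": ["s3:Get*", "s3:List*", "s3:PutBucketTagging", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::netapp-backup-*"]},
    {"Sid": "tooWide", "Effect": "Allow", "Action": "s3:DeleteBucket", "Resource": "*"},
]}
```

Calling `audit_backup_policy(SAMPLE_POLICY)` returns the two missing Put actions and flags `s3:DeleteBucket` as granted beyond the backup prefix.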

Enabling Cloud Backup on an existing system

Enable Cloud Backup at any time directly from the working environment.

Steps
  1. Select the working environment and click Enable next to the Backup & Restore service in the right panel.

  2. Enter the backup policy details and click Next.

    You can define the backup schedule and choose the number of backups to retain. See the list of existing policies you can choose.

  3. Select the persistent volumes that you want to back up.

    • To back up all volumes, check the box in the title row.

    • To back up individual volumes, check the box for each volume.

  4. Click Activate Backup and Cloud Backup starts taking the initial backups of each selected volume.

Result

An S3 bucket is created automatically in the same AWS account and Region as the Cloud Volumes ONTAP system, and the backup files are stored there.

The Kubernetes Dashboard is displayed so you can monitor the state of the backups.