
Container Service for Kubernetes:Install migrate-controller and grant permissions

Last Updated:Feb 18, 2025

The backup center can be used to backup, restore, and migrate applications. To use these features for disaster recovery and application migration in multi-cluster and colocation environments, you must install the migrate-controller component and grant the relevant permissions.

Prerequisites

  • Activate the related cloud services

    • Cloud Backup is activated. For more information, see Billing methods and billable items.

      Cloud Backup is used to back up volumes that use Object Storage Service (OSS) buckets, File Storage NAS (NAS) file systems, Cloud Parallel File Storage (CPFS) file systems, or local disks, and to back up volumes in hybrid cloud scenarios. Before you use Cloud Backup, you must activate it and grant the required permissions. For more information, see the following section.

    • OSS is activated. For more information, see Billing overview.

      The backup center feature can store application backups only in OSS buckets. Before you can store application backups in OSS buckets, you must grant OSS permissions to your cluster. For more information, see the following section.

    • ECS Snapshot is activated.

      • No fee is charged for activating the Elastic Compute Service (ECS) Snapshot service. After you create snapshots, you are charged for the snapshots based on their size and retention period. For more information, see Snapshots.

      • If you want to use Elastic Compute Service (ECS) Snapshot to back up volumes that use Alibaba Cloud disks, you need to enable ECS Snapshot and grant permissions. For more information, see the following section.

  • Create a cluster

Background information

A growing number of applications run on Kubernetes, so it is important to back them up periodically. You can use the backup center to prevent prolonged service unavailability caused by unexpected events. Unlike traditional single-server or disk backups, Kubernetes-based application backups let you back up applications together with their data, resource objects, configurations, and namespaces.

Usage notes

  • If you use the backup center feature in ACK Serverless Pro clusters and ACK Edge clusters, the requirements for installation and permission configuration are the same as those for ACK managed clusters. For more information, see Install migrate-controller in an ACK managed cluster and grant permissions.

    ACK Serverless Basic clusters are not supported.

  • If you use the backup center feature in ACK Serverless Pro clusters or ACK Edge clusters, you cannot back up volumes.

  • In an ACK Edge cluster, the migrate-controller component is installed on an on-cloud node by default and accesses OSS over the internal network.

ACK managed cluster

Step 1: Install migrate-controller

Note

If this is the first time you use the backup center feature, you must install migrate-controller. If migrate-controller is already installed, skip this step.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose Operations > Application Backup.

  3. On the Application Backup page, click Install.

    The system will automatically search for backup vaults. If you do not have a backup vault, create one first. For more information, see Create a backup vault.

    • If the csdr namespace does not exist, the system automatically creates a namespace named csdr when the system installs the component. Do not delete this namespace.

    • If you have already installed migrate-controller but the migrate-controller version is not up-to-date, click Upgrade on the Application Backup page. The system will automatically update migrate-controller to the latest version.

Step 2: Grant related permissions

  • Grant OSS permissions

    If the name of the OSS bucket that the ACK managed cluster uses as a backup vault starts with cnfs-oss-***, you do not need to grant OSS permissions. For other buckets, grant the related OSS permissions in the same way as for an ACK dedicated cluster. For more information, see Step 1: Grant related permissions.

  • Grant ECS Snapshot and Cloud Backup permissions

    You do not need to grant ECS Snapshot and Cloud Backup permissions if your cluster is an ACK managed cluster.

Step 3 (optional): Authorize Cloud Backup to access API Gateway

If you need to back up or restore data for clusters that reside in the China (Ulanqab), China (Heyuan), and China (Guangzhou) regions, you must use your Alibaba Cloud account to authorize Cloud Backup to access API Gateway the first time you use the backup center feature.

Note

migrate-controller 1.8.4 and later allow you to use Cloud Backup to back up volumes in clusters that reside in the China (Ulanqab), China (Heyuan), and China (Guangzhou) regions. The types of volumes that can be backed up include OSS volumes, NAS volumes, CPFS volumes, local volumes, and volumes in a hybrid cloud environment.

  1. Log on to the Cloud Backup console.

  2. In the left-side navigation pane, choose Backup > Container Backup.

  3. In the upper-left corner of the Container Backup page, select the region where your cluster resides. In this example, your cluster resides in the China (Ulanqab), China (Heyuan), or China (Guangzhou) region.

  4. In the Service Access Authorization for Cloud Backup dialog box, click Confirm Authorization.

ACK dedicated cluster

Step 1: Grant related permissions

Important

migrate-controller 1.7.7 and later versions support cross-region restoration of Alibaba Cloud disks. If you want to use this feature, grant the Resource Access Management (RAM) user the ECS Snapshot permissions based on the following custom policy template.

  1. Create a RAM user. For information about how to create a RAM user, see Create a RAM user.

  2. Create the following custom policy. For more information, see Create a custom policy on the JSON tab.

    In the following policy, oss:**** indicates OSS permissions, ecs:**** indicates ECS Snapshot permissions, and hbr:**** indicates Cloud Backup permissions.


    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2",
            "hbr:CancelBackupJob",
            "hbr:CancelRestoreJob"
          ],
          "Resource": "*"
        }
      ]
    }

    The preceding policy grants permissions on all OSS buckets. To grant read and write permissions on the specified OSS bucket, modify the custom policy based on the following template. Replace mybackups with the name of your OSS bucket. For more information about how to grant fine-grained OSS permissions, see Use RAM to manage OSS permissions.


    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": [
            "acs:oss:*:*:mybackups",
            "acs:oss:*:*:mybackups/*"
          ],
          "Effect": "Allow"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2",
            "hbr:CancelBackupJob",
            "hbr:CancelRestoreJob"
          ],
          "Resource": "*"
        }
      ]
    }
  3. Attach the preceding custom policy to the RAM user. For more information, see Grant permissions to RAM users.

  4. Create an AccessKey pair for the RAM user. For more information, see Create an AccessKey pair.

  5. Create a Secret in an ACK dedicated cluster.

    To ensure that the AccessKey pair is used only within your cluster, you need to create a Secret named alibaba-addon-secret in the cluster to store the AccessKey pair. This reduces the risk of information leakage.

    1. Run the following command to create a namespace named csdr:

      kubectl create ns csdr

    2. Run the following command to create a Secret named alibaba-addon-secret:

      kubectl -n csdr create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'

      Replace <your AccessKey ID> and <your AccessKey Secret> with the AccessKey pair that you obtained in the preceding step.

      Note

      If you create a Secret after you install the migrate-controller component, restart the migrate-controller component in the kube-system namespace.

Step 2: Install migrate-controller

Install migrate-controller. For more information, see Step 1: Install migrate-controller.

Step 3 (optional): Authorize Cloud Backup to access API Gateway

Authorization is required only when you need to back up or restore data for clusters that reside in the China (Ulanqab), China (Heyuan), and China (Guangzhou) regions. For more information, see Step 3 (optional): Authorize Cloud Backup to access API Gateway.

Registered cluster

Important

The versions of migrate-controller that support cross-region restoration of Alibaba Cloud disks are 1.7.7 and later. Update onectl to version 1.1.0 and run the onectl ram-user revoke --addon migrate-controller command to grant permissions to the RAM user.

Use onectl to install migrate-controller and grant permissions (recommended)

  1. Install onectl on your on-premises machine. For more information, see Use onectl to manage registered clusters.

  2. Run the following command to grant RAM permissions to migrate-controller:

    onectl ram-user grant --addon migrate-controller

    Expected output:

    Ram policy ack-one-registered-cluster-policy-migrate-controller granted to ram user ack-one-user-ce313528c3 successfully.
  3. Run the following command to install migrate-controller:

    onectl addon install migrate-controller

    Expected output:

    Addon migrate-controller, version **** installed.

    The onectl command grants permissions on all OSS buckets that belong to your Alibaba Cloud account. To grant permissions on specified OSS buckets, modify the OSS permissions granted by onectl. Alternatively, you can Manually install migrate-controller and grant permissions.

    Modify OSS permissions: Modify the custom policy based on the following content. For more information about how to modify a policy, see Modify the document and description of a custom policy.

    Note

    Replace mybackups with the name of your OSS bucket. For more information about how to grant fine-grained OSS permissions, see Use RAM to manage OSS permissions.


    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": [
            "acs:oss:*:*:mybackups",
            "acs:oss:*:*:mybackups/*"
          ],
          "Effect": "Allow"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2",
            "hbr:CancelBackupJob",
            "hbr:CancelRestoreJob"
          ],
          "Resource": "*"
        }
      ]
    }
  4. (Optional) Create routes that point to the internal network of the region where the registered cluster and OSS bucket reside

    If the registered cluster is connected to a virtual private cloud (VPC) through Cloud Enterprise Network (CEN), Express Connect, or VPN and resides in the same region as the OSS bucket, the backup center accesses the internal endpoint of the OSS bucket by default to increase download speed. Therefore, you need to create routes that point to the internal network of the region where the OSS bucket resides.

  5. (Optional) Authorize Cloud Backup to access API Gateway

    Authorization is required only when you need to back up or restore data for clusters that reside in the China (Ulanqab), China (Heyuan), and China (Guangzhou) regions. For more information, see Step 3 (optional): Authorize Cloud Backup to access API Gateway.

Use the console to install migrate-controller and grant permissions

Step 1: Grant related permissions

You need to create a RAM user for the registered cluster, grant the RAM user the permissions to access cloud resources, and then create an AccessKey pair for the RAM user.

  1. Create a RAM user. For information about how to create a RAM user, see Create a RAM user.

  2. Create the following custom policy. For more information, see Create a custom policy on the JSON tab.

    In the following policy, oss:**** indicates OSS permissions, ecs:**** indicates ECS Snapshot permissions, and hbr:**** indicates Cloud Backup permissions.


    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2",
            "hbr:CancelBackupJob",
            "hbr:CancelRestoreJob"
          ],
          "Resource": "*"
        }
      ]
    }

    The preceding policy grants permissions on all OSS buckets. To grant read and write permissions on the specified OSS bucket, modify the custom policy based on the following template. Replace mybackups with the name of your OSS bucket. For more information about how to grant fine-grained OSS permissions, see Use RAM to manage OSS permissions.


    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": [
            "acs:oss:*:*:mybackups",
            "acs:oss:*:*:mybackups/*"
          ],
          "Effect": "Allow"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2",
            "hbr:CancelBackupJob",
            "hbr:CancelRestoreJob"
          ],
          "Resource": "*"
        }
      ]
    }
  3. Attach the custom policy to the RAM user. For more information, see Grant permissions to RAM users.

  4. Create an AccessKey pair for the RAM user. For more information, see Create an AccessKey pair.

  5. Create a Secret in the cluster.

    To ensure that the AccessKey pair is used only within your cluster, you need to create a Secret named alibaba-addon-secret in the cluster to store the AccessKey pair. This reduces the risk of information leakage.

    1. Run the following command to create a namespace named csdr:

      kubectl create ns csdr

    2. Run the following command to create a Secret named alibaba-addon-secret:

      kubectl -n csdr create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'

      Replace <your AccessKey ID> and <your AccessKey Secret> with the AccessKey pair that you obtained in the preceding step.
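    The custom policies in the ACK dedicated cluster section and in the registered cluster sections above come in two forms: one with "Resource": "*" on the OSS statement (every bucket in the account) and one scoped to a single bucket. The following script, an added example that is not part of this documentation or of migrate-controller, audits a policy document for that over-broad OSS grant and rewrites it to the bucket-scoped form the page shows. The abbreviated policy it runs on is constructed for the example, and the bucket name mybackups is the page's placeholder.

```python
import json

# Constructed, abbreviated version of the page's broad custom policy.
# The OSS statement uses "Resource": "*", which covers every bucket in the account.
BROAD_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["oss:PutObject", "oss:GetObject", "oss:DeleteObject",
                    "oss:GetBucket", "oss:ListObjects", "oss:ListBuckets",
                    "oss:GetBucketStat"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ecs:CreateSnapshot", "ecs:DescribeSnapshots"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    """RAM allows Action and Resource to be a string or a list; normalize to a list."""
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy):
    """Return findings for Allow statements that are broader than the backup center needs.

    Only OSS is flagged for a wildcard Resource: the page's own scoped policy keeps
    the ECS Snapshot and Cloud Backup (hbr) statements on "*".
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a in ("*", "oss:*", "ecs:*", "hbr:*") for a in actions):
            findings.append(f"statement {i}: wildcard Action {actions}")
        if any(a.startswith("oss:") for a in actions) and "*" in resources:
            findings.append(f'statement {i}: OSS actions on Resource "*" (all buckets)')
    return findings


def scope_oss_statements(policy, bucket):
    """Return a copy of the policy in which every OSS statement that used "*"
    is restricted to the bucket and its objects, in the form shown on the page."""
    scoped = json.loads(json.dumps(policy))  # deep copy; the input is left intact
    for stmt in scoped.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        if any(a.startswith("oss:") for a in actions) and "*" in _as_list(stmt.get("Resource", [])):
            stmt["Resource"] = [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"]
    return scoped


if __name__ == "__main__":
    print("findings before:", audit_policy(BROAD_POLICY))
    fixed = scope_oss_statements(BROAD_POLICY, "mybackups")
    print("findings after:", audit_policy(fixed))
    print(json.dumps(fixed, indent=2))
```

    To check the full policy you pasted into the RAM console, load it with json.load and pass it to audit_policy before attaching it to the RAM user.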

Step 2: Install migrate-controller

Install migrate-controller. For more information, see Step 1: Install migrate-controller.

Step 3 (optional): Create routes that point to the internal network of the region where the registered cluster and OSS bucket reside

If the registered cluster is connected to a VPC through CEN, Express Connect, or VPN and resides in the same region as the OSS bucket, the backup center accesses the internal endpoint of the OSS bucket by default to increase download speed. Therefore, you need to create routes that point to the internal network of the region where the OSS bucket resides.

Step 4 (optional): Authorize Cloud Backup to access API Gateway

Authorization is required only when you need to back up or restore data for clusters that reside in the China (Ulanqab), China (Heyuan), and China (Guangzhou) regions. For more information, see Step 3 (optional): Authorize Cloud Backup to access API Gateway.