All Products
Search
Document Center

Container Service for Kubernetes:Install migrate-controller and grant permissions

Last Updated:Nov 01, 2024

The backup center can be used to backup, restore, and migrate applications. To use these features for disaster recovery and application migration in multi-cluster and colocation environments, you must install the migrate-controller component and grant the relevant permissions.

Prerequisites

  • Activate the related cloud services

    • Cloud Backup is activated. For more information, see Billing methods and billable items.

      Use Cloud Backup to back up volumes that use Object Storage Service (OSS) buckets, File Storage NAS (NAS) file systems, Cloud Parallel File Storage (CPFS) file systems, and local disks or back up volumes in hybrid cloud scenarios. Before you use Cloud Backup, you need to activate Cloud Backup and grant permissions. For more information, see the following section.

    • OSS is activated. For more information, see Billing overview.

      The backup center feature can store application backups only in OSS buckets. Before you can store application backups in OSS buckets, you must grant OSS permissions to your cluster. For more information, see the following section.

    • ECS Snapshot is activated.

      • No fee is charged for activating the Elastic Compute Service (ECS) Snapshot service. After you create snapshots, you are charged for the snapshots based on their size and retention period. For more information, see Snapshots.

      • If you want to use Elastic Compute Service (ECS) Snapshot to back up volumes that use Alibaba Cloud disks, you need to enable ECS Snapshot and grant permissions. For more information, see the following section.

  • Create a cluster

Background information

A growing number of applications are running on Kubernetes. Therefore, it is important to back up applications periodically. You can use the backup center to restore applications that cannot recover after the applications are disrupted for a long period of time. Traditional backup solutions include single-server backups and disk backups. Compared with the traditional backup solutions, application backups allow you to back up applications and related data, resource objects, configurations, and namespaces.

Usage notes

  • If you use the backup center feature in ACK Serverless Pro clusters and ACK Edge clusters, the requirements for installation and permission configuration are the same as those for ACK managed clusters. For more information, see Install migrate-controller in an ACK managed cluster and grant permissions.

    ACK Serverless Basic clusters are not supported.

  • If you use the backup center feature in ACK Serverless Pro clusters or ACK Edge clusters, you cannot back up volumes.

  • In an ACK Edge cluster, the migrate-controller component is installed on an on-cloud node by default and accesses OSS over the internal network.

ACK managed cluster

Step 1: Install migrate-controller

Note

If this is the first time you use the backup center feature, you must install migrate-controller. If migrate-controller is already installed, skip this step.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose Operations > Application Backup.

  3. On the Application Backup page, click Install.

    The system will automatically search for backup vaults. If you do not have a backup vault, create one first. For more information, see Create a backup vault.

    • If the csdr namespace does not exist, the system automatically creates a namespace named csdr when the system installs the component. Do not delete this namespace when you back up applications.

    • If you have already installed migrate-controller but the migrate-controller version is not up-to-date, click Upgrade on the Application Backup page. The system will automatically update migrate-controller to the latest version.

Step 2: Grant related permissions

  • Grant OSS permissions

    Make sure that the name of the OSS bucket used as a backup vault by the ACK managed cluster starts with cnfs-oss-***. In this scenario, you do not need to grant OSS permissions. For other buckets, you need to grant related OSS permissions in an ACK dedicated cluster based on the following section. For more information, see Step 1: Grant related permissions.

  • Grant ECS Snapshot and Cloud Backup permissions

    You do not need to grant ECS Snapshot and Cloud Backup permissions if your cluster is an ACK managed cluster.

ACK dedicated cluster

Step 1: Grant related permissions

Important

migrate-controller 1.7.7 and later versions support cross-region restoration of Alibaba Cloud disks. If you want to use this feature, grant the Resource Access Management (RAM) user the ECS Snapshot permissions based on the following custom policy template.

  1. Create a RAM user. For information about how to create a RAM user, see Create a RAM user.

  2. Create the following custom policy. For more information, see Create a custom policy on the JSON tab.

    In the following policy, oss:**** indicates OSS permissions, ecs:**** indicates ECS Snapshot permissions, and hbr:**** indicates Cloud Backup permissions.

    View the custom policy

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2"
          ],
          "Resource": "*"
        }
      ]
    }

    The preceding policy grants permissions on all OSS buckets. To grant read and write permissions on the specified OSS bucket, modify the custom policy based on the following template. Replace mybackups with the name of your OSS bucket. For more information about how to grant fine-grained OSS permissions, see Use RAM to manage OSS permissions.

    View the custom policy

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": [
            "acs:oss:*:*:mybackups",
            "acs:oss:*:*:mybackups/*"
          ],
          "Effect": "Allow"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2"
          ],
          "Resource": "*"
        }
      ]
    }
  3. Attach the preceding custom policy to the RAM user. For more information, see Grant permissions to RAM users.

  4. Create an AccessKey pair for the RAM user. For more information, see Create an AccessKey pair.

  5. Create a Secret in an ACK dedicated cluster.

    To ensure that the AccessKey pair is used only within your cluster, you need to create a Secret named alibaba-addon-secret in the cluster to store the AccessKey pair. This reduces the risk of information leakage.

    1. Run the following command to create a namespace named csdr:

      kubectl create ns csdr
    2. Run the following command to create a Secret named alibaba-addon-secret:

      kubectl -n csdr create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'

      Replace <your AccessKey ID> and <your AccessKey Secret> with the AccessKey pair that you obtained in the preceding step.

      Note

      If you create a Secret after you install the migrate-controller component, restart the migrate-controller component in the kube-system namespace.

Step 2: Install migrate-controller

Install migrate-controller. For more information, see Step 1: Install migrate-controller.

Registered cluster

Important

migrate-controller 1.7.7 and later versions support cross-region restoration of Alibaba Cloud disks. If you want to use this feature, update onectl to 1.1.0 and run the onectl ram-user revoke --addon migrate-controller command to grant the RAM user the ECS Snapshot permissions.

Use onectl to install migrate-controller and grant permissions (recommended)

  1. Install onectl on your on-premises machine. For more information, see Use onectl to manage registered clusters.

  2. Run the following command to grant RAM permissions to migrate-controller:

    onectl ram-user grant --addon migrate-controller

    Expected output:

    Ram policy ack-one-registered-cluster-policy-migrate-controller granted to ram user ack-one-user-ce313528c3 successfully.
  3. Run the following command to install migrate-controller:

    onectl addon install migrate-controller

    Expected output:

    Addon migrate-controller, version **** installed.

    onectl grants permissions on all OSS buckets that belong to your Alibaba Cloud account. If you want to grant permissions on specified OSS buckets, perform the following operation to modify the OSS permissions granted by onectl. You can also manually install migrate-controller and grant permissions. For more information, see Manually install migrate-controller and grant permissions.

    Modify OSS permissions: Modify the custom policy based on the following content. For more information about how to modify a policy, see Modify the document and description of a custom policy.

    Note

    Replace mybackups with the name of your OSS bucket. For more information about how to grant fine-grained OSS permissions, see Use RAM to manage OSS permissions.

    View the custom policy

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": [
            "acs:oss:*:*:mybackups",
            "acs:oss:*:*:mybackups/*"
          ],
          "Effect": "Allow"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2"
          ],
          "Resource": "*"
        }
      ]
    }
  4. Create routes that point to the internal network of the region where the registered cluster and OSS bucket reside (optional)

    If the registered cluster is connected to a virtual private cloud (VPC) through Cloud Enterprise Network (CEN), Express Connect, or VPN and the registered cluster resides in the region of the OSS bucket, the backup center accesses the internal endpoint of the OSS bucket by default to increase the download speeds. Therefore, you need to create routes that point to the internal network of the region where the OSS bucket resides.

Use the console to install migrate-controller and grant permissions

Step 1: Grant related permissions

You need to create a RAM user for the registered cluster, grant the RAM user the permissions to access cloud resources, and then create an AccessKey pair for the RAM user.

  1. Create a RAM user. For information about how to create a RAM user, see Create a RAM user.

  2. Create the following custom policy. For more information, see Create a custom policy on the JSON tab.

    In the following policy, oss:**** indicates OSS permissions, ecs:**** indicates ECS Snapshot permissions, and hbr:**** indicates Cloud Backup permissions.

    View the custom policy

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2"
          ],
          "Resource": "*"
        }
      ]
    }

    The preceding policy grants permissions on all OSS buckets. To grant read and write permissions on the specified OSS bucket, modify the custom policy based on the following template. Replace mybackups with the name of your OSS bucket. For more information about how to grant fine-grained OSS permissions, see Use RAM to manage OSS permissions.

    View the custom policy

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:PutObject",
            "oss:GetObject",
            "oss:DeleteObject",
            "oss:GetBucket",
            "oss:ListObjects",
            "oss:ListBuckets",
            "oss:GetBucketStat"
          ],
          "Resource": [
            "acs:oss:*:*:mybackups",
            "acs:oss:*:*:mybackups/*"
          ],
          "Effect": "Allow"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:CreateSnapshot",
            "ecs:DeleteSnapshot",
            "ecs:DescribeSnapshotGroups",
            "ecs:CreateAutoSnapshotPolicy",
            "ecs:ApplyAutoSnapshotPolicy",
            "ecs:CancelAutoSnapshotPolicy",
            "ecs:DeleteAutoSnapshotPolicy",
            "ecs:DescribeAutoSnapshotPolicyEX",
            "ecs:ModifyAutoSnapshotPolicyEx",
            "ecs:DescribeSnapshots",
            "ecs:DescribeInstances",
            "ecs:CopySnapshot",
            "ecs:CreateSnapshotGroup",
            "ecs:DeleteSnapshotGroup"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "hbr:CreateVault",
            "hbr:CreateBackupJob",
            "hbr:DescribeVaults",
            "hbr:DescribeBackupJobs2",
            "hbr:DescribeRestoreJobs",
            "hbr:SearchHistoricalSnapshots",
            "hbr:CreateRestoreJob",
            "hbr:AddContainerCluster",
            "hbr:DescribeContainerCluster",
            "hbr:DescribeRestoreJobs2"
          ],
          "Resource": "*"
        }
      ]
    }
  3. Attach the custom policy to the RAM user. For more information, see Grant permissions to RAM users.

  4. Create an AccessKey pair for the RAM user. For more information, see Create an AccessKey pair.

  5. Create a Secret in the cluster.

    To ensure that the AccessKey pair is used only within your cluster, you need to create a Secret named alibaba-addon-secret in the cluster to store the AccessKey pair. This reduces the risk of information leakage.

    1. Run the following command to create a namespace named csdr:

      kubectl create ns csdr
    2. Run the following command to create a Secret named alibaba-addon-secret:

      kubectl -n csdr create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'

      Replace <your AccessKey ID> and <your AccessKey Secret> with the AccessKey pair that you obtained in the preceding step.

Step 2: Install migrate-controller

Install migrate-controller. For more information, see Step 1: Install migrate-controller.

Step 3 (optional): Create routes that point to the internal network of the region where the registered cluster and OSS bucket reside

If the registered cluster is connected to a VPC through CEN, Express Connect, or VPN and the registered cluster resides in the region of the OSS bucket, the backup center accesses the internal endpoint of the OSS bucket by default to increase the download speeds. Therefore, you need to create routes that point to the internal network of the region where the OSS bucket resides.