The backup center enables application backup, recovery, and migration. You can use the backup center to implement disaster recovery and application migration in multi-cluster and hybrid environments. To use the backup center, you must install the migrate-controller component and configure related permissions to enable backup capabilities.
Before you begin
Activate the related cloud services
Cloud Backup is activated. For billing information, see Billable methods and items of Cloud Backup.
Use Cloud Backup to back up data in file system storage volumes (OSS, NAS, CPFS, local storage, and storage volumes in hybrid cloud scenarios).
OSS is activated. For billing information, see Billing overview.
The backup center feature can store application backups only in OSS buckets.
The ECS Snapshot service is activated.
No fee is charged for activating the ECS Snapshot service. After you create a snapshot, Alibaba Cloud charges you based on the snapshot size and storage duration. For more information, see Snapshot billing.
Create a cluster
A cluster of Kubernetes 1.18 or later is created. For more information, see Create an ACK managed cluster, Create an ACK dedicated cluster (suspended), Create an ACK Serverless cluster, Create an ACK Edge cluster, or Create a registered cluster and connect the cluster to the data center. For information about how to upgrade a cluster, see Manually upgrade a cluster.
If you use an ACK managed cluster, you need to create a bucket whose name starts with cnfs-oss-****, such as cnfs-oss-backup, to facilitate minimum permission management and store backup templates.
The backup center feature does not support clusters that use FlexVolume. If your cluster uses FlexVolume, you must upgrade from FlexVolume to Container Storage Interface (CSI) before you can use the backup center feature.
For clusters on which FlexVolume is installed but no data is stored, we recommend that you use the Container Storage Interface (CSI) plug-in instead. For more information, see Upgrade from FlexVolume to CSI for clusters where no data is stored.
For other scenarios, join the DingTalk group 35532895 to request technical support.
Background information
As more applications run in Kubernetes, regular backups become increasingly important. The backup center can effectively prevent prolonged service interruptions caused by unexpected situations. Unlike traditional single-machine or disk backups, Kubernetes-based application backups primarily focus on applications running in Kubernetes and their data, resource objects, configurations, and entire namespaces.
Notes
When you use the backup center feature with ACK Serverless cluster Pro Edition and ACK Edge cluster, the installation and permission configuration requirements are the same as those for ACK managed cluster. For more information, see ACK managed cluster.
ACK Serverless cluster Basic Edition does not support the backup center feature.
ACK Serverless cluster Pro Edition and ACK Edge cluster do not support storage volume backup when you use the backup center feature.
The migrate-controller component of an ACK Edge cluster is installed on cloud nodes by default and accesses OSS through the internal network.
ACK managed cluster
Step 1: Install migrate-controller
If you are using the backup center feature for the first time, you need to install the backup service component. If the component is already installed, you can skip this step.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose .
On the Application Backup page, click Start Installation.
The system automatically checks the backup repository. If no backup repository is created, see Create a backup repository.
After the backup service component is installed, a namespace named csdr is created. Do not delete this namespace.
If you have installed the component but it is not the latest version, click Application Backup and then click Start Upgrade. The system automatically upgrades the application backup service component to the latest version.
Step 2: Grant related permissions
OSS permissions
For an ACK managed cluster, we recommend that you use an OSS bucket whose name starts with cnfs-oss-*** as the backup repository for the backup center. In this case, you do not need to configure OSS permissions. If you use other buckets, you need to configure OSS permissions as described in ACK dedicated cluster. For more information, see Step 1: Configure related permissions.
Disk snapshot and Cloud Backup permissions
For an ACK managed cluster, you do not need to configure disk snapshot and Cloud Backup permissions.
(Optional) Step 3: Grant API Gateway permissions to Cloud Backup
If you need to perform backup or restore tasks in a cluster in the China (Ulanqab), China (Heyuan), or China (Guangzhou) region, you need to use your Alibaba Cloud account to grant API Gateway permissions to Cloud Backup when you use the feature for the first time. Each Alibaba Cloud account needs to be authorized only once.
Starting from version 1.8.4, the migrate-controller component supports using Cloud Backup for storage volume backup in clusters in the China (Ulanqab), China (Heyuan), or China (Guangzhou) region. Supported storage volume types include OSS, NAS, CPFS, local storage, and storage volumes in hybrid cloud scenarios.
Log on to the Cloud Backup console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region where the cluster is located, which is China (Ulanqab), China (Heyuan), or China (Guangzhou).
In the Cloud Backup Authorization dialog box, click Confirm Authorization.
ACK dedicated cluster
Step 1: Configure related permissions
migrate-controller 1.7.7 and later versions support cross-region restoration of Alibaba Cloud disks. To use this feature, follow the custom policy template below to grant the original RAM user additional permissions for ECS disk snapshots.
Create a RAM user. For more information, see Create a RAM user.
Create the following custom policy. For more information, see Create a custom policy by using the policy editor.
In the following policy script, oss:**** represents OSS permission policies, ecs:**** represents ECS disk snapshot permission policies, and hbr:**** represents Cloud Backup permission policies.
The preceding policy grants permissions on all OSS buckets. If you need to specify read and write permissions for OSS, modify the policy according to the following example. Replace mybackups in the following policy script with your OSS bucket name. For more information about granular access control for OSS, see Use RAM to manage OSS permissions.
Attach the preceding custom policy to the RAM user. For more information, see Grant permissions to a RAM user.
Create an AccessKey pair for the RAM user. For more information, see Obtain an AccessKey pair.
Create a Secret in the ACK dedicated cluster.
To ensure that your AccessKey information is securely used only within your cluster, you need to first deploy a Secret resource named alibaba-addon-secret in the cluster using your AccessKey information to reduce the risk of leakage.
Run the following command to create a namespace named csdr.
kubectl create ns csdr
Run the following command to create a Secret named alibaba-addon-secret:
kubectl -n csdr create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'
You need to replace <your AccessKey ID> and <your AccessKey Secret> in the preceding code with the AccessKey information that you obtained in the previous step.
Note: If you create a Secret after you install the migrate-controller component, restart the migrate-controller component in the kube-system namespace.
Step 2: Install migrate-controller
See Install migrate-controller.
(Optional) Step 3: Grant API Gateway permissions to Cloud Backup
Authorization is required only for backup or restore operations in clusters in the China (Ulanqab), China (Heyuan), or China (Guangzhou) region. For authorization operations, see (Optional) Step 3: Grant API Gateway permissions to Cloud Backup.
Registered cluster
migrate-controller 1.7.7 and later versions support cross-region restoration of Alibaba Cloud disks. Update onectl to version 1.1.0 and run the onectl ram-user revoke --addon migrate-controller command to grant additional permissions to the original RAM user.
Use onectl to install migrate-controller and grant permissions (recommended)
Install onectl on your on-premises machine. For more information, see Manage registered clusters by using onectl.
Run the following command to grant RAM permissions to migrate-controller:
onectl ram-user grant --addon migrate-controller
Expected output:
Ram policy ack-one-registered-cluster-policy-migrate-controller granted to ram user ack-one-user-ce313528c3 successfully.
Run the following command to install migrate-controller:
onectl addon install migrate-controller
Expected output:
Addon migrate-controller, version **** installed.
The OSS permissions configured by onectl apply to all OSS buckets. If you need to configure permissions for specific OSS buckets, modify the OSS permissions generated by onectl or choose Manually install migrate-controller and grant permissions.
Modify OSS Permissions: Modify the content of the created custom policy to the following. For information about how to modify a policy, see Modify the content and notes of a custom policy.
Note: Replace mybackups in the following policy with your OSS bucket name. For more information about granular access control for OSS, see Use RAM to manage OSS permissions.
(Optional) Create routes that point to the internal network of the region where the registered cluster and OSS bucket reside.
If the registered cluster is connected to a virtual private cloud (VPC) through Cloud Enterprise Network (CEN), Express Connect, or VPN and the registered cluster resides in the region of the OSS bucket, the backup center accesses the internal endpoint of the OSS bucket by default to increase the download speeds. Therefore, you need to create routes that point to the internal network of the region where the OSS bucket resides.
For information about how to connect an on-premises data center to a VPC, see Connection types.
For information about the mapping between OSS internal endpoints and virtual IP address (VIP) CIDR blocks, see Mapping between OSS internal endpoints and VIP CIDR blocks.
(Optional) Grant API Gateway permissions to Cloud Backup.
Authorization is required only for backup or restore operations in clusters in the China (Ulanqab), China (Heyuan), or China (Guangzhou) region. For authorization operations, see (Optional) Step 3: Grant API Gateway permissions to Cloud Backup.
Use the console to install migrate-controller and grant permissions
Step 1: Configure related permissions
You need to create a RAM user for the registered cluster, grant the RAM user the permissions to access cloud resources, and then create an AccessKey pair for the RAM user.
Create a RAM user. For more information, see Create a RAM user.
Create the following custom policy. For more information, see Create a custom policy by using the policy editor.
In the following policy script, oss:**** represents OSS permission policies, ecs:**** represents ECS disk snapshot permission policies, and hbr:**** represents Cloud Backup permission policies.
The preceding policy grants permissions on all OSS buckets. If you need to specify read and write permissions for OSS, modify the policy according to the following example. Replace mybackups in the following policy script with your OSS bucket name. For more information about granular access control for OSS, see Use RAM to manage OSS permissions.
Attach the custom policy to the RAM user. For more information, see Grant permissions to a RAM user.
Create an AccessKey pair for the RAM user. For more information, see Obtain an AccessKey pair.
Create a Secret in the cluster.
To ensure that your AccessKey information is securely used only within your cluster, you need to first deploy a Secret resource named alibaba-addon-secret in the cluster using your AccessKey information to reduce the risk of leakage.
Run the following command to create a namespace named csdr.
kubectl create ns csdr
Run the following command to create a Secret named alibaba-addon-secret:
kubectl -n csdr create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'
You need to replace <your AccessKey ID> and <your AccessKey Secret> in the preceding code with the AccessKey information that you obtained in the previous step.
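The Secret-creation step above (here and in the ACK dedicated cluster section) passes the AccessKey pair to kubectl as command-line literals, which leaves the secret in shell history and process listings. As an added example that is not part of the original documentation, the following POSIX shell function renders the same alibaba-addon-secret manifest for the csdr namespace from values read out of the environment instead; the variable names ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET are assumptions.

```shell
#!/bin/sh
# Added example (not from the ACK documentation): render the alibaba-addon-secret
# manifest without placing the AccessKey pair on the kubectl command line.

# b64 VALUE: base64-encode VALUE as a single line (Secret "data" values must be base64).
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# render_addon_secret AK_ID AK_SECRET: print a Secret manifest for namespace csdr
# to stdout. Refuses empty values and the <...> placeholders from the docs, so an
# unreplaced placeholder is never committed to the cluster.
render_addon_secret() {
  ak_id=$1
  ak_secret=$2
  case "$ak_id:$ak_secret" in
    *'<'*|*'>'*|:*|*:)
      echo "render_addon_secret: AccessKey ID or Secret missing or still a placeholder" >&2
      return 1
      ;;
  esac
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: alibaba-addon-secret
  namespace: csdr
type: Opaque
data:
  access-key-id: $(b64 "$ak_id")
  access-key-secret: $(b64 "$ak_secret")
EOF
}

# Typical use (assumed environment variable names): the pair is read from the
# environment and piped straight into kubectl, so it never appears in history or ps.
#   kubectl create ns csdr
#   render_addon_secret "$ALIBABA_CLOUD_ACCESS_KEY_ID" "$ALIBABA_CLOUD_ACCESS_KEY_SECRET" | kubectl apply -f -
```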
Step 2: Install migrate-controller
See Install migrate-controller.
(Optional) Step 3: Create routes that point to the internal network of the region where the registered cluster and OSS bucket reside
If the registered cluster is connected to a VPC through CEN, Express Connect, or VPN and the registered cluster resides in the region of the OSS bucket, the backup center accesses the internal endpoint of the OSS bucket by default to increase the download speeds. Therefore, you need to create routes that point to the internal network of the region where the OSS bucket resides.
For information about how to connect an on-premises data center to a VPC, see Connection types.
For information about the mapping between OSS internal endpoints and VIP CIDR blocks, see Mapping between OSS internal endpoints and VIP CIDR blocks.
(Optional) Step 4: Grant API Gateway permissions to Cloud Backup
Authorization is required only for backup or restore operations in clusters in the China (Ulanqab), China (Heyuan), or China (Guangzhou) region. For authorization operations, see (Optional) Step 3: Grant API Gateway permissions to Cloud Backup.