Install migrate-controller and grant permissions - Container Service for Kubernetes

The backup center can be used to backup, restore, and migrate applications. To use these features for disaster recovery and application migration in multi-cluster and colocation environments, you must install the migrate-controller component and grant the relevant permissions.

Prerequisites

Activate the related cloud services
- Cloud Backup is activated. For more information, see Billing methods and billable items.
  Use Cloud Backup to back up volumes that use Object Storage Service (OSS) buckets, File Storage NAS (NAS) file systems, Cloud Parallel File Storage (CPFS) file systems, and local disks or back up volumes in hybrid cloud scenarios. Before you use Cloud Backup, you need to activate Cloud Backup and grant permissions. For more information, see the following section.
- OSS is activated. For more information, see Billing overview.
  The backup center feature can store application backups only in OSS buckets. Before you can store application backups in OSS buckets, you must grant OSS permissions to your cluster. For more information, see the following section.
- ECS Snapshot is activated.
  - No fee is charged for activating the Elastic Compute Service (ECS) Snapshot service. After you create snapshots, you are charged for the snapshots based on their size and retention period. For more information, see Snapshots.
  - If you want to use Elastic Compute Service (ECS) Snapshot to back up volumes that use Alibaba Cloud disks, you need to enable ECS Snapshot and grant permissions. For more information, see the following section.
Create a cluster
- An ACK cluster that runs Kubernetes 1.18 or later is created. For more information, see Create an ACK managed cluster, Create an ACK dedicated cluster, Create an ACK Serverless cluster, Create an ACK Edge cluster in the console, or Create a registered cluster in the ACK console. For more information about how to update a cluster, see Manually update ACK clusters.
  If you use an ACK managed cluster, you must create an OSS bucket named cnfs-oss-**** to simplify permissions management and store backup templates. Example: cnfs-oss-backup.
- A kubectl client is connected to the cluster.
- The backup center feature does not support clusters that use FlexVolume. If your cluster uses FlexVolume, you must upgrade from FlexVolume to Container Storage Interface (CSI) before you can use the backup center feature.
  - For clusters on which FlexVolume is installed but no data is stored, we recommend that you use the Container Storage Interface (CSI) plug-in instead. For more information, see Upgrade from FlexVolume to CSI for clusters where no data is stored.
  - For other scenarios, join the DingTalk group 35532895 to request technical support.

Background information

A growing number of applications are running on Kubernetes. Therefore, it is important to back up applications periodically. You can use the backup center to restore applications that cannot recover after the applications are disrupted for a long period of time. Traditional backup solutions include single-server backups and disk backups. Compared with the traditional backup solutions, application backups allow you to back up applications and related data, resource objects, configurations, and namespaces.

Usage notes

If you use the backup center feature in ACK Serverless Pro clusters and ACK Edge clusters, the requirements for installation and permission configuration are the same as those for ACK managed clusters. For more information, see Install migrate-controller in an ACK managed cluster and grant permissions.
ACK Serverless Basic clusters are not supported.
If you use the backup center feature in ACK Serverless Pro clusters or ACK Edge clusters, you cannot back up volumes.
In an ACK Edge cluster, the migrate-controller component is installed on an on-cloud node by default and accesses OSS over the internal network.

ACK managed cluster

Step 1: Install migrate-controller

Note

If this is the first time you use the backup center feature, you must install migrate-controller. If migrate-controller is already installed, skip this step.

Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose Operations > Application Backup.
On the Application Backup page, click Install.
The system will automatically search for backup vaults. If you do not have a backup vault, create one first. For more information, see Create a backup vault.
- If the csdr namespace does not exist, the system automatically creates a namespace named csdr when the system installs the component. Do not delete this namespace when you back up applications.
- If you have already installed migrate-controller but the migrate-controller version is not up-to-date, click Upgrade on the Application Backup page. The system will automatically update migrate-controller to the latest version.

Step 2: Grant related permissions

Grant OSS permissions
Make sure that the name of the OSS bucket used as a backup vault by the ACK managed cluster starts with cnfs-oss-***. In this scenario, you do not need to grant OSS permissions. For other buckets, you need to grant related OSS permissions in an ACK dedicated cluster based on the following section. For more information, see Step 1: Grant related permissions.
Grant ECS Snapshot and Cloud Backup permissions
You do not need to grant ECS Snapshot and Cloud Backup permissions if your cluster is an ACK managed cluster.

ACK dedicated cluster

Step 1: Grant related permissions

Important

migrate-controller 1.7.7 and later versions support cross-region restoration of Alibaba Cloud disks. If you want to use this feature, grant the Resource Access Management (RAM) user the ECS Snapshot permissions based on the following custom policy template.

Create a RAM user. For information about how to create a RAM user, see Create a RAM user.

Create the following custom policy. For more information, see Create a custom policy on the JSON tab.

In the following policy, oss:**** indicates OSS permissions, ecs:**** indicates ECS Snapshot permissions, and hbr:**** indicates Cloud Backup permissions.

View the custom policy

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:PutObject",
        "oss:GetObject",
        "oss:DeleteObject",
        "oss:GetBucket",
        "oss:ListObjects",
        "oss:ListBuckets",
        "oss:GetBucketStat"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateSnapshot",
        "ecs:DeleteSnapshot",
        "ecs:DescribeSnapshotGroups",
        "ecs:CreateAutoSnapshotPolicy",
        "ecs:ApplyAutoSnapshotPolicy",
        "ecs:CancelAutoSnapshotPolicy",
        "ecs:DeleteAutoSnapshotPolicy",
        "ecs:DescribeAutoSnapshotPolicyEX",
        "ecs:ModifyAutoSnapshotPolicyEx",
        "ecs:DescribeSnapshots",
        "ecs:DescribeInstances",
        "ecs:CopySnapshot",
        "ecs:CreateSnapshotGroup",
        "ecs:DeleteSnapshotGroup"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "hbr:CreateVault",
        "hbr:CreateBackupJob",
        "hbr:DescribeVaults",
        "hbr:DescribeBackupJobs2",
        "hbr:DescribeRestoreJobs",
        "hbr:SearchHistoricalSnapshots",
        "hbr:CreateRestoreJob",
        "hbr:AddContainerCluster",
        "hbr:DescribeContainerCluster",
        "hbr:DescribeRestoreJobs2"
      ],
      "Resource": "*"
    }
  ]
}

The preceding policy grants permissions on all OSS buckets. To grant read and write permissions on the specified OSS bucket, modify the custom policy based on the following template. Replace mybackups with the name of your OSS bucket. For more information about how to grant fine-grained OSS permissions, see Use RAM to manage OSS permissions.

View the custom policy

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:PutObject",
        "oss:GetObject",
        "oss:DeleteObject",
        "oss:GetBucket",
        "oss:ListObjects",
        "oss:ListBuckets",
        "oss:GetBucketStat"
      ],
      "Resource": [
        "acs:oss:*:*:mybackups",
        "acs:oss:*:*:mybackups/*"
      ],
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateSnapshot",
        "ecs:DeleteSnapshot",
        "ecs:DescribeSnapshotGroups",
        "ecs:CreateAutoSnapshotPolicy",
        "ecs:ApplyAutoSnapshotPolicy",
        "ecs:CancelAutoSnapshotPolicy",
        "ecs:DeleteAutoSnapshotPolicy",
        "ecs:DescribeAutoSnapshotPolicyEX",
        "ecs:ModifyAutoSnapshotPolicyEx",
        "ecs:DescribeSnapshots",
        "ecs:DescribeInstances",
        "ecs:CopySnapshot",
        "ecs:CreateSnapshotGroup",
        "ecs:DeleteSnapshotGroup"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "hbr:CreateVault",
        "hbr:CreateBackupJob",
        "hbr:DescribeVaults",
        "hbr:DescribeBackupJobs2",
        "hbr:DescribeRestoreJobs",
        "hbr:SearchHistoricalSnapshots",
        "hbr:CreateRestoreJob",
        "hbr:AddContainerCluster",
        "hbr:DescribeContainerCluster",
        "hbr:DescribeRestoreJobs2"
      ],
      "Resource": "*"
    }
  ]
}

Attach the preceding custom policy to the RAM user. For more information, see Grant permissions to RAM users.
Create an AccessKey pair for the RAM user. For more information, see Create an AccessKey pair.
Create a Secret in an ACK dedicated cluster.
To ensure that the AccessKey pair is used only within your cluster, you need to create a Secret named alibaba-addon-secret in the cluster to store the AccessKey pair. This reduces the risk of information leakage.
1. Run the following command to create a namespace named csdr:
```
kubectl create ns csdr
```
2. Run the following command to create a Secret named alibaba-addon-secret:
```
kubectl -n csdr create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'
```
  Replace <your AccessKey ID> and <your AccessKey Secret> with the AccessKey pair that you obtained in the preceding step.
  Note
  If you create a Secret after you install the migrate-controller component, restart the migrate-controller component in the kube-system namespace.

Step 2: Install migrate-controller

Install migrate-controller. For more information, see Step 1: Install migrate-controller.

Registered cluster

Important

migrate-controller 1.7.7 and later versions support cross-region restoration of Alibaba Cloud disks. If you want to use this feature, update onectl to 1.1.0 and run the onectl ram-user revoke --addon migrate-controller command to grant the RAM user the ECS Snapshot permissions.

Use onectl to install migrate-controller and grant permissions (recommended)

Install onectl on your on-premises machine. For more information, see Use onectl to manage registered clusters.

Run the following command to grant RAM permissions to migrate-controller:

onectl ram-user grant --addon migrate-controller

Expected output:

Ram policy ack-one-registered-cluster-policy-migrate-controller granted to ram user ack-one-user-ce313528c3 successfully.

Run the following command to install migrate-controller:

onectl addon install migrate-controller

Expected output:

Addon migrate-controller, version **** installed.

onectl grants permissions on all OSS buckets that belong to your Alibaba Cloud account. If you want to grant permissions on specified OSS buckets, perform the following operation to modify the OSS permissions granted by onectl. You can also manually install migrate-controller and grant permissions. For more information, see Manually install migrate-controller and grant permissions.

Modify OSS permissions: Modify the custom policy based on the following content. For more information about how to modify a policy, see Modify the document and description of a custom policy.

Note

Replace mybackups with the name of your OSS bucket. For more information about how to grant fine-grained OSS permissions, see Use RAM to manage OSS permissions.

View the custom policy

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:PutObject",
        "oss:GetObject",
        "oss:DeleteObject",
        "oss:GetBucket",
        "oss:ListObjects",
        "oss:ListBuckets",
        "oss:GetBucketStat"
      ],
      "Resource": [
        "acs:oss:*:*:mybackups",
        "acs:oss:*:*:mybackups/*"
      ],
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateSnapshot",
        "ecs:DeleteSnapshot",
        "ecs:DescribeSnapshotGroups",
        "ecs:CreateAutoSnapshotPolicy",
        "ecs:ApplyAutoSnapshotPolicy",
        "ecs:CancelAutoSnapshotPolicy",
        "ecs:DeleteAutoSnapshotPolicy",
        "ecs:DescribeAutoSnapshotPolicyEX",
        "ecs:ModifyAutoSnapshotPolicyEx",
        "ecs:DescribeSnapshots",
        "ecs:DescribeInstances",
        "ecs:CopySnapshot",
        "ecs:CreateSnapshotGroup",
        "ecs:DeleteSnapshotGroup"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "hbr:CreateVault",
        "hbr:CreateBackupJob",
        "hbr:DescribeVaults",
        "hbr:DescribeBackupJobs2",
        "hbr:DescribeRestoreJobs",
        "hbr:SearchHistoricalSnapshots",
        "hbr:CreateRestoreJob",
        "hbr:AddContainerCluster",
        "hbr:DescribeContainerCluster",
        "hbr:DescribeRestoreJobs2"
      ],
      "Resource": "*"
    }
  ]
}

Create routes that point to the internal network of the region where the registered cluster and OSS bucket reside (optional)
If the registered cluster is connected to a virtual private cloud (VPC) through Cloud Enterprise Network (CEN), Express Connect, or VPN and the registered cluster resides in the region of the OSS bucket, the backup center accesses the internal endpoint of the OSS bucket by default to increase the download speeds. Therefore, you need to create routes that point to the internal network of the region where the OSS bucket resides.
- For more information about how to connect a data center to a VPC, see Methods that are used to connect data centers to Alibaba Cloud.
- For more information about internal endpoints of OSS buckets and VIP ranges, see Internal endpoints of OSS buckets and VIP ranges.

Use the console to install migrate-controller and grant permissions

Step 1: Grant related permissions

You need to create a RAM user for the registered cluster, grant the RAM user the permissions to access cloud resources, and then create an AccessKey pair for the RAM user.

Create a RAM user. For information about how to create a RAM user, see Create a RAM user.

Create the following custom policy. For more information, see Create a custom policy on the JSON tab.

In the following policy, oss:**** indicates OSS permissions, ecs:**** indicates ECS Snapshot permissions, and hbr:**** indicates Cloud Backup permissions.

View the custom policy

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:PutObject",
        "oss:GetObject",
        "oss:DeleteObject",
        "oss:GetBucket",
        "oss:ListObjects",
        "oss:ListBuckets",
        "oss:GetBucketStat"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateSnapshot",
        "ecs:DeleteSnapshot",
        "ecs:DescribeSnapshotGroups",
        "ecs:CreateAutoSnapshotPolicy",
        "ecs:ApplyAutoSnapshotPolicy",
        "ecs:CancelAutoSnapshotPolicy",
        "ecs:DeleteAutoSnapshotPolicy",
        "ecs:DescribeAutoSnapshotPolicyEX",
        "ecs:ModifyAutoSnapshotPolicyEx",
        "ecs:DescribeSnapshots",
        "ecs:DescribeInstances",
        "ecs:CopySnapshot",
        "ecs:CreateSnapshotGroup",
        "ecs:DeleteSnapshotGroup"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "hbr:CreateVault",
        "hbr:CreateBackupJob",
        "hbr:DescribeVaults",
        "hbr:DescribeBackupJobs2",
        "hbr:DescribeRestoreJobs",
        "hbr:SearchHistoricalSnapshots",
        "hbr:CreateRestoreJob",
        "hbr:AddContainerCluster",
        "hbr:DescribeContainerCluster",
        "hbr:DescribeRestoreJobs2"
      ],
      "Resource": "*"
    }
  ]
}

View the custom policy

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:PutObject",
        "oss:GetObject",
        "oss:DeleteObject",
        "oss:GetBucket",
        "oss:ListObjects",
        "oss:ListBuckets",
        "oss:GetBucketStat"
      ],
      "Resource": [
        "acs:oss:*:*:mybackups",
        "acs:oss:*:*:mybackups/*"
      ],
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateSnapshot",
        "ecs:DeleteSnapshot",
        "ecs:DescribeSnapshotGroups",
        "ecs:CreateAutoSnapshotPolicy",
        "ecs:ApplyAutoSnapshotPolicy",
        "ecs:CancelAutoSnapshotPolicy",
        "ecs:DeleteAutoSnapshotPolicy",
        "ecs:DescribeAutoSnapshotPolicyEX",
        "ecs:ModifyAutoSnapshotPolicyEx",
        "ecs:DescribeSnapshots",
        "ecs:DescribeInstances",
        "ecs:CopySnapshot",
        "ecs:CreateSnapshotGroup",
        "ecs:DeleteSnapshotGroup"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "hbr:CreateVault",
        "hbr:CreateBackupJob",
        "hbr:DescribeVaults",
        "hbr:DescribeBackupJobs2",
        "hbr:DescribeRestoreJobs",
        "hbr:SearchHistoricalSnapshots",
        "hbr:CreateRestoreJob",
        "hbr:AddContainerCluster",
        "hbr:DescribeContainerCluster",
        "hbr:DescribeRestoreJobs2"
      ],
      "Resource": "*"
    }
  ]
}

Attach the custom policy to the RAM user. For more information, see Grant permissions to RAM users.
Create an AccessKey pair for the RAM user. For more information, see Create an AccessKey pair.
Create a Secret in the cluster.
To ensure that the AccessKey pair is used only within your cluster, you need to create a Secret named alibaba-addon-secret in the cluster to store the AccessKey pair. This reduces the risk of information leakage.
1. Run the following command to create a namespace named csdr:
```
kubectl create ns csdr
```
2. Run the following command to create a Secret named alibaba-addon-secret:
```
kubectl -n csdr create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'
```
  Replace <your AccessKey ID> and <your AccessKey Secret> with the AccessKey pair that you obtained in the preceding step.

Step 2: Install migrate-controller

Install migrate-controller. For more information, see Step 1: Install migrate-controller.

Step 3 (optional): Create routes that point to the internal network of the region where the registered cluster and OSS bucket reside

If the registered cluster is connected to a VPC through CEN, Express Connect, or VPN and the registered cluster resides in the region of the OSS bucket, the backup center accesses the internal endpoint of the OSS bucket by default to increase the download speeds. Therefore, you need to create routes that point to the internal network of the region where the OSS bucket resides.

For more information about how to connect a data center to a VPC, see Methods that are used to connect data centers to Alibaba Cloud.
For more information about internal endpoints of OSS buckets and VIP ranges, see Internal endpoints of OSS buckets and VIP ranges.