
PowerProtect Data Manager 19.10 Kubernetes User Guide

Add a Kubernetes cluster

Perform the following steps to add a Kubernetes cluster as an asset source in the PowerProtect Data Manager UI. When added, PowerProtect Data Manager automatically deploys resources on the cluster that enable the backup and recovery of namespaces.

Prerequisites

  • You must have Administrator privileges.
  • If your environment has firewall or other restrictions that might prevent pulling of the required images from Docker Hub, review the procedure in the section Prerequisites to Kubernetes cluster discovery.
  • If adding a Kubernetes guest cluster for vSphere CSI-based Persistent Volume Claims (PVCs), add a VM Direct protection engine in the vCenter where the Tanzu Kubernetes guest cluster is located.

About this task

NOTE Discovery of a Kubernetes cluster discovers namespaces that contain volumes from both container storage interface (CSI) and non-CSI based storage. However, backup and recovery are supported only from CSI-based storage. Also, only PVCs with the VolumeMode Filesystem are supported.

Steps

  1. From the left navigation pane, select Infrastructure > Asset Sources.
  2. In the Asset Sources window, select the Kubernetes cluster tab.
  3. Click Add.
  4. In the Add Kubernetes cluster dialog box, specify the source attributes:
    1. Tanzu Cluster—If adding a Kubernetes Tanzu guest cluster for protection of vSphere CSI-based PVCs, move the slider to the right.
    2. Select vCenter—For a Kubernetes Tanzu guest cluster asset source, select the vCenter Server that contains the guest cluster from the list.
      NOTE Selecting a vCenter Server changes the method used for the Kubernetes protection policy backup. Instead of cProxy, a VM proxy (the VM Direct engine) will be used for the management and transfer of backup data, similar to what is used for virtual machine protection policies.
    3. Name—The cluster name.
    4. Address—the fully qualified domain name (FQDN) or the IP address of the Kubernetes API server.
      NOTE It is recommended that you use the FQDN instead of the IP address.
    5. Port—Specify the port to use for communication when not using the default port, 443.
      NOTE The use of any port other than 443 or 6443 requires you to open the port on PowerProtect Data Manager first to enable outgoing communication. The procedure that is described in Recommendations and considerations when using a Kubernetes cluster provides more information.
  5. Under Host Credentials, click Add to add the service account token for the Kubernetes cluster, and then click Save.
    The service account must have the following privileges:
    • Get/Create/Update/List CustomResourceDefinitions
    • Get/Create/Update ClusterRoleBinding for 'cluster-admin' role
    • Create/Update 'powerprotect' namespace
    • Get/List/Create/Update/Delete/List
    • Get/List/Create/Update/Delete all kinds of resources inside 'powerprotect' namespace
    • Get/List/Watch all namespaces in the cluster as well as PV, PVC, storageclass, deployments and pods in all these namespaces
    NOTE The admin-user service account in the kube-system namespace contains all these privileges. You can provide the token of this account, or an existing similar service account. Alternatively, create a service account that is bound to a cluster role that contains these privileges, and then provide the token of this service account.

    If you do not want to provide a service account with cluster-admin privileges, the YAML files located in /usr/local/brs/lib/cndm/misc/rbac.tar.gz on the PowerProtect Data Manager appliance define a cluster role with the privileges required for PowerProtect Data Manager. Follow the instructions in the README.txt within this tar file to create the required clusterroles and clusterrolebindings, and to provide the token of the service account created in the YAML files.

  6. Click Verify to review the certificate and token information, and then click Accept.
    Upon successful validation, the status for the new credentials updates to indicate Accepted.
  7. Click Save.
    The Kubernetes cluster information that you entered now appears as an entry on the Asset Sources window, with a Discovery status of Unknown.
    NOTE Although PowerProtect Data Manager automatically synchronizes with the Kubernetes cluster to perform the initial discovery under most circumstances, certain conditions might require you to initiate a manual discovery.
  8. (Optional) If you want to initiate a manual discovery, select the Kubernetes cluster, and then click Discover.
    Incremental discovery for a Kubernetes cluster in PowerProtect Data Manager is not supported. You can perform an on-demand (ad hoc) discovery at any time or set a scheduled discovery to update with changes in the Kubernetes cluster.
    NOTE Discovery time is based on networking bandwidth. The resources that are involved in the discovery process impact performance each time you initiate a discovery. It might appear that PowerProtect Data Manager is not updating the Asset Sources data while the discovery is in progress.
  9. Verify that the Discovery Status column indicates OK, and then go to the Assets window.

Results

Upon adding the Kubernetes cluster as an asset source, a PowerProtect controller is installed on the cluster, which is also used to install Velero with the DD Object store plug-in and the vSphere plug-in. The namespaces in the Kubernetes cluster will appear in the Kubernetes tab of the Assets window. To view more details within this window, click the magnifying glass icon next to an entry. Also, if a namespace has associated PVCs that you want to exclude from a policy, you can click the link in the PVCs Exclusion column.
NOTE If namespace assets are not discovered after adding a Kubernetes cluster asset source, ensure that the bearer token that is provided for the Kubernetes asset source belongs to a service account that has the privileges as specified in step 5.
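
The privilege list in step 5, expressed as a check that can be run against a service account before its token is entered, or when namespaces are not discovered. This is an added example, not part of the PowerProtect Data Manager documentation or the rbac.tar.gz package; the function names and the account name in the usage line are hypothetical, and it assumes kubectl is configured for the cluster and the caller is allowed to impersonate service accounts with --as.

```shell
#!/bin/sh
# Added example (not Dell code): checks a service account against the
# privileges listed in step 5 using `kubectl auth can-i`.
# Assumes the caller may impersonate service accounts (--as).
KUBECTL="${KUBECTL:-kubectl}"

# Print one "verb resource scope" line per check.
# scope is: cluster | all (every namespace) | a namespace name.
# The step 5 item that names no resource is left out.
required_checks() (
  for v in get create update list; do
    echo "$v customresourcedefinitions.apiextensions.k8s.io cluster"
  done
  for v in get create update; do
    echo "$v clusterrolebindings.rbac.authorization.k8s.io cluster"
  done
  echo "create namespaces cluster"
  echo "update namespaces/powerprotect cluster"
  for v in get list create update delete; do echo "$v * powerprotect"; done
  for v in get list watch; do
    for r in namespaces persistentvolumes storageclasses.storage.k8s.io; do
      echo "$v $r cluster"
    done
    for r in persistentvolumeclaims deployments.apps pods; do echo "$v $r all"; done
  done
)

# check_sa <namespace> <service-account>
# Prints each missing privilege; succeeds only if every check is allowed.
check_sa() (
  subject="system:serviceaccount:$1:$2"
  missing=0
  while read -r verb res scope; do
    case "$scope" in
      cluster) set -- ;;
      all)     set -- --all-namespaces ;;
      *)       set -- --namespace "$scope" ;;
    esac
    if ! "$KUBECTL" auth can-i "$verb" "$res" --as="$subject" "$@" \
         </dev/null >/dev/null 2>&1; then
      echo "MISSING: $verb $res ($scope)"
      missing=$((missing + 1))
    fi
  done <<EOF
$(required_checks)
EOF
  [ "$missing" -eq 0 ]
)

# Usage (placeholder account): check_sa powerprotect my-ppdm-sa
```

Any MISSING line names a privilege from step 5 that the account lacks; an empty result with exit status 0 means every listed check was allowed.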

Next steps

Create Kubernetes protection policies to back up namespaces and PVCs.

