
PowerProtect Data Manager 19.10 Kubernetes User Guide
Add a Kubernetes cluster
Perform the following steps to add a Kubernetes cluster as an asset source in the PowerProtect Data Manager UI. When added, PowerProtect Data Manager automatically deploys resources on the cluster that enable the backup and recovery of namespaces.
Prerequisites
- You must have Administrator privileges.
- If your environment has firewall or other restrictions that might prevent pulling of the required images from Docker Hub, review the procedure in the section Prerequisites to Kubernetes cluster discovery.
- If adding a Kubernetes guest cluster for vSphere CSI-based Persistent Volume Claims (PVCs), add a VM Direct protection engine in the vCenter where the Tanzu Kubernetes guest cluster is located.
About this task
Steps
- From the left navigation pane, select .
- In the Asset Sources window, select the Kubernetes cluster tab.
- Click Add.
- In the Add Kubernetes cluster dialog box, specify the source attributes:
- Tanzu Cluster—If adding a Kubernetes Tanzu guest cluster for protection of vSphere CSI-based PVCs, move the slider to the right.
- Select vCenter—For a Kubernetes Tanzu guest cluster asset source, select the vCenter Server that contains the guest cluster from the list.
NOTE Selecting a vCenter Server changes the method used for the Kubernetes protection policy backup. Instead of cProxy, a VM proxy (the VM Direct engine) will be used for the management and transfer of backup data, similar to what is used for virtual machine protection policies.
- Name—the cluster name
- Address—the fully qualified domain name (FQDN) or the IP address of the Kubernetes API server.
NOTE It is recommended that you use the FQDN instead of the IP address.
- Port—specify the port to use for communication when not using the default port, 443.
NOTE The use of any port other than 443 or 6443 requires you to open the port on PowerProtect Data Manager first to enable outgoing communication. The procedure that is described in Recommendations and considerations when using a Kubernetes cluster provides more information.
- Under Host Credentials, click Add to add the service account token for the Kubernetes cluster, and then click Save.
The service account must have the following privileges:
- Get/Create/Update/List CustomResourceDefinitions
- Get/Create/Update ClusterRoleBinding for 'cluster-admin' role
- Create/Update 'powerprotect' namespace
- Get/List/Create/Update/Delete/List
- Get/List/Create/Update/Delete all kinds of resources inside 'powerprotect' namespace
- Get/List/Watch all namespaces in the cluster as well as PV, PVC, storageclass, deployments and pods in all these namespaces
NOTE The admin-user service account in the kube-system namespace contains all these privileges. You can provide the token of this account, or an existing similar service account. Alternatively, create a service account that is bound to a cluster role that contains these privileges, and then provide the token of this service account. If you do not want to provide a service account with cluster-admin privileges, the yaml files located in /usr/local/brs/lib/cndm/misc/rbac.tar.gz on the PowerProtect Data Manager appliance define the cluster role with the privileges required for PowerProtect Data Manager. Follow the instructions in the README.txt within this tar file to create the required clusterroles and clusterrolebindings, and to provide the token of the service account created in the yaml files.
- Click Verify to review the certificate and token information, and then click Accept.
Upon successful validation, the status for the new credentials updates to indicate Accepted.
- Click Save.
The Kubernetes cluster information that you entered now appears as an entry on the Asset Sources window, with a Discovery status of Unknown.
NOTE Although PowerProtect Data Manager automatically synchronizes with the Kubernetes cluster to perform the initial discovery under most circumstances, certain conditions might require you to initiate a manual discovery.
- (Optional) If you want to initiate a manual discovery, select the Kubernetes cluster, and then click Discover.
Incremental discovery for a Kubernetes cluster in PowerProtect Data Manager is not supported. You can perform an on-demand (ad hoc) discovery at any time or set a scheduled discovery to update with changes in the Kubernetes cluster.
NOTE Discovery time is based on networking bandwidth. The resources that are involved in the discovery process impact performance each time you initiate a discovery. It might appear that PowerProtect Data Manager is not updating the Asset Sources data while the discovery is in progress.
- Verify that the Discovery Status column indicates OK, and then go to the Assets window.
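For the service account privileges listed in the Host Credentials step, the following added example (not part of the PowerProtect Data Manager documentation) uses `kubectl auth can-i` with impersonation to confirm that a service account holds them before its token is supplied. The function names and the `KUBECTL` override are assumptions, and the caller's kubectl context is assumed to be allowed to impersonate service accounts.

```shell
#!/bin/sh
# Added example, not part of the PowerProtect Data Manager documentation.
# Assumptions: kubectl targets the cluster with a context that may
# impersonate service accounts (--as); required_checks, audit_sa and the
# KUBECTL override are hypothetical names.
# Usage after sourcing this file: audit_sa kube-system admin-user

KUBECTL="${KUBECTL:-kubectl}"

# Emit one "verb resource [flag]" query per listed privilege.
# Not covered: the list item whose resource is missing on the page, and
# "all kinds of resources" in 'powerprotect', which is not a single query.
required_checks() {
  for verb in get create update list; do
    echo "$verb customresourcedefinitions"
  done
  for verb in get create update; do
    echo "$verb clusterrolebindings"
  done
  echo "create namespaces"
  echo "update namespaces/powerprotect"
  for verb in get list watch; do
    # Cluster-scoped resources take no namespace flag.
    for res in namespaces persistentvolumes storageclasses; do
      echo "$verb $res"
    done
    for res in persistentvolumeclaims deployments pods; do
      echo "$verb $res --all-namespaces"
    done
  done
}

# audit_sa <namespace> <serviceaccount>
# Prints one "MISSING: ..." line per denied query; returns 0 if none.
audit_sa() {
  subject="system:serviceaccount:$1:$2"
  missing=$(required_checks | while read -r query; do
    # $query is split into words on purpose. Compare the printed answer,
    # which is "yes" only when the action is allowed.
    answer=$($KUBECTL auth can-i $query --as="$subject" \
      2>/dev/null </dev/null) || answer=no
    [ "$answer" = "yes" ] || echo "MISSING: $query"
  done)
  if [ -n "$missing" ]; then
    printf '%s\n' "$missing"
    return 1
  fi
}
```

An empty result with exit status 0 means every checked privilege is present; any `MISSING:` line names a privilege to add to the cluster role before discovery is attempted.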
Results
Next steps
Create Kubernetes protection policies to back up namespaces and PVCs.