Perform the following steps to add a Kubernetes cluster as an asset source in the PowerProtect Data Manager UI. When the cluster is added, PowerProtect Data Manager automatically deploys resources on it that enable the backup and recovery of namespaces.
Prerequisites
You must have Administrator privileges.
If your environment has firewall or other restrictions that might prevent the required images from being pulled from Docker Hub, review the procedure in the section Prerequisites to Kubernetes cluster discovery.
If you are adding a Kubernetes guest cluster for vSphere CSI-based Persistent Volume Claims (PVCs), add a VM Direct protection engine in the vCenter where the Tanzu Kubernetes guest cluster is located.
About this task
NOTE Discovery of a Kubernetes cluster discovers namespaces that contain volumes from both container storage interface (CSI) and non-CSI based storage. However, backup and recovery are supported only from CSI-based storage. Also, only PVCs with the VolumeMode Filesystem are supported.
Steps
1. From the left navigation pane, select Infrastructure > Asset Sources.
2. In the Asset Sources window, select the Kubernetes cluster tab.
3. Click Add.
4. In the Add Kubernetes cluster dialog box, specify the source attributes:
   - Tanzu Cluster—If adding a Kubernetes Tanzu guest cluster for protection of vSphere CSI-based PVCs, move the slider to the right.
   - Select vCenter—For a Kubernetes Tanzu guest cluster asset source, select the vCenter Server that contains the guest cluster from the list.
     NOTE Selecting a vCenter Server changes the method used for the Kubernetes protection policy backup. Instead of cProxy, a VM proxy (the VM Direct engine) is used for the management and transfer of backup data, similar to what is used for virtual machine protection policies.
   - Name—the cluster name.
   - Address—the fully qualified domain name (FQDN) or the IP address of the Kubernetes API server.
     NOTE It is recommended that you use the FQDN instead of the IP address.
   - Port—specify the port to use for communication when not using the default port, 443.
     NOTE The use of any port other than 443 or 6443 requires you to open the port on PowerProtect Data Manager first to enable outgoing communication. The procedure described in Recommendations and considerations when using a Kubernetes cluster provides more information.
5. Under Host Credentials, click Add to add the service account token for the Kubernetes cluster, and then click Save.
   The service account must have the following privileges:
   - Get/Create/Update/List CustomResourceDefinitions
   - Get/Create/Update ClusterRoleBinding for 'cluster-admin' role
   - Create/Update 'powerprotect' namespace
   - Get/List/Create/Update/Delete all kinds of resources inside 'powerprotect' namespace
   - Get/List/Watch all namespaces in the cluster as well as PV, PVC, storageclass, deployments and pods in all these namespaces
   NOTE The admin-user service account in the kube-system namespace contains all these privileges. You can provide the token of this account, or of an existing similar service account. Alternatively, create a service account that is bound to a cluster role that contains these privileges, and then provide the token of this service account.
   If you do not want to provide a service account with cluster-admin privileges, the yaml files located in /usr/local/brs/lib/cndm/misc/rbac.tar.gz on the PowerProtect Data Manager appliance provide the definition of the cluster role with the privileges required for PowerProtect Data Manager. Follow the instructions in the README.txt within this tar file to create the required clusterroles and clusterrolebindings, and to provide the token of the service account created in the yaml files.
6. Click Verify to review the certificate and token information, and then click Accept.
   Upon successful validation, the status for the new credentials updates to indicate Accepted.
7. Click Save.
   The Kubernetes cluster information that you entered now appears as an entry on the Asset Sources window, with a Discovery status of Unknown.
   NOTE Although PowerProtect Data Manager automatically synchronizes with the Kubernetes cluster to perform the initial discovery under most circumstances, certain conditions might require you to initiate a manual discovery.
8. (Optional) If you want to initiate a manual discovery, select the Kubernetes cluster, and then click Discover.
   Incremental discovery for a Kubernetes cluster in PowerProtect Data Manager is not supported. You can perform an on-demand (ad hoc) discovery at any time, or set a scheduled discovery to pick up changes in the Kubernetes cluster.
   NOTE Discovery time depends on network bandwidth. The resources involved in the discovery process impact performance each time you initiate a discovery. It might appear that PowerProtect Data Manager is not updating the Asset Sources data while the discovery is in progress.
9. Verify that the Discovery Status column indicates OK, and then go to the Assets window.
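The following is an added example, not the ClusterRole shipped in rbac.tar.gz: a constructed ClusterRole and ClusterRoleBinding that express the service account privileges listed under Host Credentials as Kubernetes RBAC rules, assuming a service account named ppdm-sa already exists in kube-system (both names are hypothetical). Full access inside the 'powerprotect' namespace is not included, because a namespaced Role and RoleBinding can only be created once that namespace exists.

```yaml
# Constructed example; not the Dell-provided definitions from rbac.tar.gz.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ppdm-discovery           # hypothetical name
rules:
# Get/Create/Update/List CustomResourceDefinitions
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "create", "update"]
# Get/Create/Update ClusterRoleBinding. RBAC cannot limit "create" by resource name, and
# binding to cluster-admin also needs "bind" on that ClusterRole to pass the escalation check.
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterrolebindings"]
  verbs: ["get", "create", "update"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles"]
  resourceNames: ["cluster-admin"]
  verbs: ["bind"]
# Create/Update the 'powerprotect' namespace ("create" cannot be name-scoped either)
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["namespaces"]
  resourceNames: ["powerprotect"]
  verbs: ["update"]
# Get/List/Watch namespaces, PVs, PVCs, StorageClasses, Deployments and Pods cluster-wide
- apiGroups: [""]
  resources: ["namespaces", "persistentvolumes", "persistentvolumeclaims", "pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ppdm-discovery           # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ppdm-discovery
subjects:
- kind: ServiceAccount
  name: ppdm-sa                  # assumed to exist already
  namespace: kube-system
```

Before entering the token, you can confirm the grants with kubectl auth can-i, for example `kubectl auth can-i create clusterrolebindings --as=system:serviceaccount:kube-system:ppdm-sa`; a "no" on any listed privilege is the likely cause of the missing-namespace symptom described under Results.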
Results
Upon adding the Kubernetes cluster as an asset source, a PowerProtect controller is installed on the cluster, which is also used to install Velero with the DD Object store plug-in and the vSphere plug-in. The namespaces in the Kubernetes cluster appear in the Kubernetes tab of the Assets window. To view more details within this window, click the magnifying glass icon next to an entry. Also, if a namespace has associated PVCs that you want to exclude from a policy, you can click the link in the PVCs Exclusion column.
NOTE If namespace assets are not discovered after adding a Kubernetes cluster asset source, ensure that the bearer token provided for the Kubernetes asset source belongs to a service account that has the privileges specified in step 5.
Next steps
Create Kubernetes protection policies to back up namespaces and PVCs.