Add a protection policy for Kubernetes namespace protection
A Kubernetes protection policy enables you to select namespaces in the Kubernetes cluster that you want to back up. Use the
PowerProtect Data Manager UI to create a Kubernetes namespace protection policy.
Prerequisites
NOTE Discovery of a Kubernetes cluster discovers namespaces that contain volumes from both container storage interface (CSI) and non-CSI based storage. However, backup and recovery are supported only from CSI-based storage. If you select a namespace from non-CSI storage, the backup fails.
Optionally, if you want to protect a namespace that contains non-CSI storage, you can exclude the non-CSI PVC from the backup. If excluding the PVC, ensure that such a policy still meets your protection requirements.
If applicable, complete all of the virtual network configuration tasks before you assign any virtual networks to the protection policy.
The
PowerProtect Data Manager Administration and User Guide provides more information about working with storage units, including applicable limitations and security considerations.
Before performing any backups on a weekly or monthly schedule from the protection policy, ensure that the
PowerProtect Data Manager time zone is set to the local time zone.
About this task
When PowerProtect Data Manager backs up a Kubernetes namespace, the following items are included in the protection policy backup:
Kubernetes resources, in addition to the contents of the persistent volumes bound to PVCs in that namespace. Kubernetes resources are backed up using Velero. Upstream Kubernetes resources such as Deployments, StatefulSets, DaemonSets, Pods, Secrets, ConfigMap, and Custom Resources, are backed up as part of the Kubernetes resources.
Cluster resources are backed up automatically as part of the Kubernetes protection policy. These resources include cluster roles, cluster role bindings, and custom resource definitions (CRDs) that are associated with namespace-scoped resources.
For OpenShift, OpenShift-specific resources such as DeploymentConfig, BuildConfig, and ImageStream are also protected using the
Velero OpenShift plug-in.
NOTE Container images are not protected as part of the ImageStream resource.
Steps
From the left navigation pane, select
Protection > Protection Policies.
The
Protection Policies window appears.
In the
Protection Policies window, click
Add.
The
Add Policy wizard appears.
On the
Type page, specify the following fields, and then click
Next:
Name—Type a descriptive name for the protection policy.
Description—Type a description for the policy.
Type—For the policy type, select
Kubernetes.
On the
Purpose page, select from the following options to indicate the purpose of the new protection policy group, and then click
Next:
Crash Consistent—Select this type for point-in-time backup of namespaces.
Exclusion—Select this type if there are assets within the protection policy that you plan to exclude from data protection operations.
In the
Assets page, select one or more unprotected namespaces that you want to back up as part of this protection policy.
If the namespace that you want to protect is not listed, perform one of the following:
Click
Find More Assets to perform an updated discovery of the Kubernetes cluster.
Use the
Search box to search by asset name.
(Optional) For the selected namespaces, click the link in the
PVCs Excluded column, if available, to clear any PVCs that you want to exclude from the backup. By default, all PVCs are selected for inclusion.
Click
Next.
The
Objectives page appears.
On the
Objectives page, select a policy-level Service Level Agreement (SLA) from the
Set Policy Level SLA list, or select
Add to open the
Add Service Level Agreement wizard and create a policy-level SLA.
On the
Schedules pane of the
Add Primary Backup dialog:
Specify the following fields to schedule the synthetic full backup of this protection policy:
Create a Synthetic Full...—Specify how often to create a synthetic full backup. For Persistent Volume Claims (PVCs) on VMware first class disks (FCDs), a
Synthetic Full backs up only the changed blocks since last backup to create a new full backup. Also, namespace metadata is backed up in full upon every backup.
Retain For—Specify the retention period for the synthetic full backup.
You can extend the retention period for the latest primary backup copy by adding an
Extend Retention backup. For example, your regular schedule for daily backups can use a retention period of 30 days, but you can apply extended retention backups to keep the full backups taken on Mondays for 10 weeks.
Extended retention provides information.
NOTE For database backups,
PowerProtect Data Manager chains the dependent backups together. For example, the synthetic full or transaction log backups are chained to their base full backup. The backups do not expire until the last backup in the chain expires. Backup chaining ensures that all synthetic full and transaction log backups are recoverable until they have all expired.
Start and
End—For the activity window, specify a time of day to start the synthetic full backup, and a time of day after which backups cannot be started.
NOTE Any backups started before the
End Time occurs continue until completion.
Click
Save to save and collapse the backup schedule.
Click
Add Backup to periodically force a full (level 0) backup, and then specify the following fields to schedule the full backup of this protection policy:
NOTE When you select this option, the backup chain is reset.
Create a Full...—Specify whether you want to create a weekly or monthly full backup.
Repeat on—Depending on the frequency of the full backup schedule, specify the day of the week or date of the month to perform the full backup.
Retain For—Specify the retention period for the full backup. This can be the same value as the synthetic full backup schedule, or a different value.
Start and
End—For the activity window, specify a time of day to start the full backup, and a time of day after which backups cannot be started.
NOTE Any backups started before the
End Time occurs continue until completion.
Click
Save to save and collapse the backup schedule.
On the
Target pane of the
Add Primary Backup dialog, specify the following fields:
Storage Name—Select a backup destination from the list of existing
protection storage systems, or select
Add to add a system and complete the details in the
Storage Target window.
NOTE The
Space field indicates the total amount of space, and the percentage of available space, on the
protection storage system.
Storage Unit—Select whether this protection policy should use a
New storage unit on the selected
protection storage system, or select an existing storage unit from the list. Hover over a storage unit to view the full name and statistics for available capacity and total capacity, for example,
testvmplc-ppdm-daily-123ab (300 GB/1 TB)
When you select
New, a new storage unit in the format
policy namehost nameunique identifier is created in the storage system upon policy completion. For example,
testvmplc-ppdm-daily-123cd.
Network Interface—Select a network interface from the list, if applicable.
Retention Lock—Move the
Retention Lock slider to the right to enable retention locking for these backups on the selected system.
PowerProtect Data Manager uses Governance mode for retention locking, which means that the lock can be reverted at any time if necessary. Moving the
Retention Lock slider on or off applies to the current backup copy only, and does not impact the retention lock setting for existing backup copies.
NOTE Primary backups are assigned a default retention lock period of 14 days. Replicated backups, however, are not assigned a default retention lock period. If you enable
Retention Lock for a replicated backup, ensure that you set the
Retain For field in the
Add Replication dialog to a minimum number of 14 days so that the replicated backup does not expire before the primary backup.
SLA—Select an existing service level agreement that you want to apply to this
objective from the list, or select
Add to create an SLA within the
Add Service Level Agreement wizard.
Click
Save to save your changes and return to the
Objectives page.
The
Objectives page updates to display the name and location of the target storage system under
Primary Backup.
After completing the
objective, you can change any details by clicking
Edit next to the
objective.
Optionally, extend the retention period for a primary backup:
Extended retention provides more information about
Extend Retention functionality.
Click
Extend Retention next to
Primary Backup.
An entry for
Extend Retention is created below
Primary Backup.
Under
Extend Retention, click
Add.
The
Add Extended Retention dialog appears.
Extend the retention of a full primary backup copy every—Specify the preferred recurrence for the extended retention backup
objective.
Repeat on—Depending on the frequency of the full backup schedule, specify the day of the week, the date of the month, or the date of the year that the extended retention backup occurs.
Retain For—Specify the retention period for the backup. You can retain an extended retention backup for a maximum of 70 years.
Click
Save to save your changes and return to the
Objectives page.
Optionally, replicate the backups:
NOTE
To enable replication, ensure that you add remote
protection storage as the replication location. The
PowerProtect Data Manager Administration and User Guide provides detailed instructions about adding remote
protection storage.
When creating multiple replicas for the same protection policy, it is recommended to select a different storage system for each copy. If you select a storage unit that is the target of another
objective for the same policy, the UI issues a warning. The
PowerProtect Data Manager Administration and User Guide provides information about replicating to shared
protection storage to support
PowerProtect Cyber Recovery. Verify the storage targets and the use case before you continue.
For replicas of centralized backups, when you set retention periods for different backup types, any undefined types use the full backup retention period. For example, if you do not define a log backup in the primary
objective, the log backup for the replication
objective is also undefined. After you run a manual log backup, replicas of that log backup use the same retention period as the full backup.
Replication after backup completion is not available for replication objectives that are based on extended retention.
Click
Replicate next to
Primary Backup or
Extend Retention. An entry for
Replicate is created to the right of the primary or extended retention backup
objective.
NOTEPowerProtect Data Manager supports replicating an extended retention backup only if the primary backup already has one or more replication
objectives. Also, for replication of an extended retention backup, you can only select from the
protection storage systems to which the primary
objective replicates.
For example, if there are six
protection storage systems available (DD1-DD6), and the primary backup is on DD1:
Replicate1, which is based on the primary backup, replicates to DD2.
Replicate2, which is based on the primary backup, replicates to DD3.
Extended retention backup is backed up to DD1.
Replicate3, which is based on the extended retention backup, must replicate to DD2 or DD3.
Under
Replicate, click
Add.
The
Add Replication dialog appears.
Select a storage target:
Storage Name—Select a destination from the list of
protection storage. Or, select
Add to add a
protection storage system and complete the details in the
Storage Target window.
Storage Unit—Select an existing storage unit on the
protection storage system. Or, select
New to automatically create a storage unit.
Network Interface—Select a network interface from the list, if applicable.
Retention Lock—Move the
Retention Lock slider to the right to enable retention locking for these replicas.
SLA—Select an existing replication service level agreement that you want to apply to this schedule from the list. Or, select
Add to create a replication SLA within the
Add Service Level Agreement wizard.
The
PowerProtect Data Manager Administration and User Guide provides more information about replication targets, such as SLAs.
To replicate after the backup finishes, move the
Replicate immediately upon backup completion slider to on.
For scheduled replication, move the
Replicate immediately upon backup completion slider to off, and then complete the schedule details in the
Add Replication dialog.
For replication of the primary backup, the schedule frequency can be every day, week, month, or
x hours. For replication of the extended retention backup, the schedule frequency can be every day, week, month, year, or
x hours.
For daily, weekly, and monthly schedules, the numeric value cannot be modified. For hourly, however, you can edit the numeric value. For example, if you set
Create a Full backup every 4 hours, you can set a value of anywhere from 1 to 12 hours.
All replicas of the primary backup
objective use the same retention period and, by default, this retention period is inherited from the
Retain For value of the synthetic-full backup schedule.
To specify a different retention period for specific replicas, clear
Set the same retention time for all replicated copies, click
Edit, change the value in the
Retain For field, and then click
Save.
CAUTION Setting a shorter retention period for replicas of incremental, differential, or log backups than for the corresponding full backup may result in being unable to recover from those replicas.
This retention period is applied to all the replicated copies (synthetic full and full) of this primary backup
objective.
Click
Save to save your changes and return to the
Objectives page.
Optionally, to move backups from
protection storage to
Cloud Tier, add a Cloud
objective for the primary, replication, or extended retention
objective:
NOTE To move a backup or replica to
Cloud Tier,
objectives must have a retention time of 14 days or more.
PowerProtect Data Manager also requires the discovery of
protection storage with a configured Cloud unit.
Click
Cloud Tier next to
Primary Backup or
Extend Retention. Or, if adding a Cloud
objective for a replication
objective that you have added, click
Cloud Tier under
Replicate.
An entry for
Cloud Tier is created to the right of the primary or extended retention backup
objective, or below the replication
objective.
Under the entry for
Cloud Tier, click
Add.
The
Add Cloud Tier Backup dialog appears, with summary information for the parent
objective to indicate whether you are adding this
Cloud Tierobjective for the primary backup
objective, the extended retention backup
objective, or the replication
objective.
Complete the
objective details in the
Add Cloud Tier Backup dialog, and then click
Save to save your changes and return to the
Objectives page.
The
PowerProtect Data Manager Administration and User Guide provides detailed instructions for adding a Cloud
objective for a primary, replication, or extended retention
objective.
Click
Next.
The
Summary page appears.
Review the protection policy group configuration details, and then click
Finish. Except for the protection policy type, you can click
Edit next to any details to change the policy information.
An informational message appears to confirm that
PowerProtect Data Manager has saved the protection policy.
When the new protection policy is created and assets are added to the protection policy,
PowerProtect Data Manager performs backups according to the backup schedule.
Click
OK to exit the window, or click
Go to Jobs to open the
Jobs window.
From the
Jobs window, you can monitor the progress of the new Kubernetes cluster protection policy backup and associated tasks. You can also cancel any in-progress or queued job or task.
NOTE If a Kubernetes cluster is running on vSphere and using vSphere CSI storage, the job details indicate that the optimized data path is being used for the backup.
Next steps
If the backup fails with the error
Failed to create Proxy Pods. Creating Pod exceeds safeguard limit of 10 minutes, verify that the CSI driver is functioning properly, such that the driver can create snapshots and a PVC from the
VolumeSnapshot datasource. Also, ensure that you clean up any orphan
VolumeSnapshot resources that still exist in the namespace.
Data is not available for the Topic
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\