PowerProtect Data Manager 19.15 Kubernetes User Guide

Add a Kubernetes cluster

Perform the following steps to add a Kubernetes cluster as an asset source in the PowerProtect Data Manager UI. When added, PowerProtect Data Manager automatically deploys resources on the cluster that enable the backup and recovery of namespaces.

Prerequisites

  • You must have Administrator privileges.
  • If your environment has firewall or other restrictions that might prevent pulling of the required images from Docker Hub, review the section "Pulling images from Docker Hub to a local registry" in the topic "Prerequisites to Kubernetes cluster discovery."
  • If adding a Kubernetes guest cluster for vSphere CSI-based Persistent Volume Claims (PVCs), add a VM Direct protection engine in the vCenter Server where the Tanzu Kubernetes guest cluster is located.

About this task

NOTE: Discovery of a Kubernetes cluster discovers namespaces that contain volumes from both container storage interface (CSI) and non-CSI based storage. However, backup and recovery are supported only from CSI-based storage. Also, only PVCs with the VolumeMode Filesystem are supported.

Steps

  1. From the left navigation pane, select Infrastructure > Asset Sources.
  2. In the Asset Sources window, select the Kubernetes cluster tab.
  3. Click Add.
  4. In the Add Kubernetes dialog box, specify the source attributes:
    1. Tanzu Cluster—If adding a Kubernetes Tanzu guest cluster for protection of vSphere CSI-based PVCs, move the slider to the right.
    2. Select vCenter—For a Kubernetes Tanzu guest cluster asset source, select the vCenter Server that contains the guest cluster from the list.
      NOTE: Selecting a vCenter Server changes the method used for the Kubernetes protection policy backup. Instead of cProxy, a VM proxy (the VM Direct engine) is used for the management and transfer of backup data, similar to what is used for virtual machine protection policies.
    3. Name—The cluster name.
    4. FQDN/IP—The fully qualified domain name (FQDN) or the IP address of the Kubernetes API server.
      NOTE: It is recommended that you use the FQDN instead of the IP address. The name you enter must match a subject alternative name on the API server certificate, otherwise certificate validation fails when the asset source is added.
    5. Port—Specify the port to use for communication when not using the default port, 443.
      NOTE: Using any port other than 443 or 6443 requires you to first open the port on PowerProtect Data Manager to enable outgoing communication. Add the required ports before you add Kubernetes as an asset source. The PowerProtect Data Manager Security Configuration Guide provides more information.
  5. From the Host Credentials list, select an existing set of credentials, or select Add Credentials to add the service account token for the Kubernetes cluster, and then click Save.
    The service account must have the following privileges:
    • Get/Create/Update/List CustomResourceDefinitions
    • Get/Create/Update ClusterRoleBinding for the 'cluster-admin' role
    • Create/Update the 'powerprotect' namespace
    • Get/List/Create/Update/Delete all kinds of resources inside the 'powerprotect' namespace
    • Get/List/Watch all namespaces in the cluster, as well as PVs, PVCs, storage classes, deployments, and pods in all these namespaces
    NOTE: The admin-user service account in the kube-system namespace has all these privileges. You can provide the token of this account or of an existing similar service account. Alternatively, create a service account that is bound to a cluster role that contains these privileges, and then provide the token of this service account.

    If you do not want to provide a service account with cluster-admin privileges, download the yaml files from the PowerProtect Data Manager UI Downloads window by clicking the settings icon and selecting Downloads. These files define the cluster role with the privileges that PowerProtect Data Manager requires. Follow the instructions in the README.txt within the tar file to create the required clusterroles and clusterrolebindings, and to provide the token of the service account created in the yaml files. The README.txt file also provides instructions for manually creating the secret for ppdm-discovery-serviceaccount, which is required in Kubernetes versions 1.24 and later. Note that even the scoped role must be able to create ClusterRoleBindings to 'cluster-admin', which allows the account to grant full cluster control to any subject; store and handle the token as you would a cluster-admin credential.

  6. By default, the Kubernetes cluster discovery occurs automatically after adding the cluster as an asset source, and subsequent discoveries are incremental. If you want to schedule a full discovery at a certain time every day, move the Schedule Discovery slider to the right, and then specify a time.
  7. Optionally, click the down arrow to expand Advanced Options, and then specify the following:
    1. If the Kubernetes clusters are deployed in a vSphere environment where the VMware CSI driver has been deployed automatically by the Kubernetes distribution, the CSI driver secret may not be available in the Kubernetes cluster. If this applies, move the VMware CSI Driver as process slider to the right, and then select the vCenter Server asset source.
    2. If required, upload the text of the Kubernetes cluster root certificate in Base64 format. You can obtain the root certificate by running the following command:
      • On AWS EKS, run aws eks describe-cluster --region <region> --name <cluster name> --query "cluster.certificateAuthority.data" --output text and redirect the output to a file if you want to keep a copy (--output selects the CLI output format, it does not name a file).
      • For other distributions, run kubectl config view --raw --flatten or its equivalent and copy the Base64-encoded root certificate from the certificate-authority-data field for the cluster. Without --raw, kubectl prints DATA+OMITTED in place of the certificate data.
        NOTE: This step is only required for other distributions when certificate-related errors occur while adding the Kubernetes cluster asset source.
    3. Add a key and value for each Controller Configuration that you want to configure. Click + for each additional entry. You can specify up to eight controller configurations. Controller Configurations provides more information about the available options.
    4. If adding network interface cards (NICs) or setting the DNS configuration for pods, update the PowerProtect Controller configuration, Velero configuration, or cProxy configuration by specifying additional attributes or changing existing attributes in these fields. Customizing the PowerProtect Data Manager pod configuration provides information about creating sample yaml files for applying these changes.
    NOTE: When updates to Advanced Options change the configuration of PowerProtect Data Manager components in the Kubernetes cluster, running protection activities can be interrupted.
  8. Next to Certificate, click Verify to review the certificate and token information, and then click Accept.
    Upon successful validation, the status for the new credentials updates to indicate Accepted.
  9. Click Save.
    The Kubernetes cluster information that you entered now appears as an entry on the Asset Sources window, with a Discovery status of Unknown.
    NOTE: Although PowerProtect Data Manager automatically synchronizes with the Kubernetes cluster to perform the initial discovery under most circumstances, certain conditions might require you to initiate a manual discovery.
  10. (Optional) If you want to initiate a manual discovery, select the Kubernetes cluster, and then click Discover.
    Incremental discovery for a Kubernetes cluster in PowerProtect Data Manager is not supported. You can perform an on-demand (ad hoc) discovery at any time or set a scheduled discovery to update with changes in the Kubernetes cluster.
    NOTE: Discovery time depends on network bandwidth. The resources involved in the discovery process affect performance each time you initiate a discovery. It might appear that PowerProtect Data Manager is not updating the Asset Sources data while the discovery is in progress.
  11. Verify that the Discovery Status column indicates OK, and then go to the Assets window.
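The root certificate substep of step 7 tells you where the Base64 value comes from but not how to check it before you upload it. The following shell script is an added example and is not part of the PowerProtect Data Manager guide. It fetches the value from a kubeconfig or from EKS, rejects anything that is not Base64 of a PEM certificate, shows the fingerprint you can compare against what the Verify button displays, and confirms that the API server's serving certificate actually chains to that CA. It assumes kubectl, openssl and the aws CLI are on PATH; the kubeconfig path, region, cluster name, API server FQDN and port in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the guide: obtain the cluster root CA in the
# single-line Base64 form the Advanced Options field expects, sanity-check
# it, and confirm it really signs the API server's serving certificate
# before uploading it. Assumes kubectl, openssl and the aws CLI on PATH;
# the kubeconfig path, region, cluster name, host and port are yours.

# The value kubectl config view --raw reports as certificate-authority-data
# for the current context (without --raw kubectl prints DATA+OMITTED).
ca_b64_from_kubeconfig() {          # $1 = kubeconfig path
  kubectl --kubeconfig "$1" config view --raw --minify \
    -o jsonpath='{.clusters[0].cluster.certificate-authority-data}'
}

# Same value for EKS. --output picks the CLI output format (text); it does
# not name a file, so redirect stdout if you want one.
ca_b64_from_eks() {                 # $1 = region, $2 = cluster name
  aws eks describe-cluster --region "$1" --name "$2" \
    --query "cluster.certificateAuthority.data" --output text
}

# Reject anything that is not Base64 of a PEM certificate, so a pasted
# token, a file name or a wrapped/truncated value fails here, not in the UI.
check_ca_b64() {                    # $1 = Base64 text
  pem="$(printf '%s' "$1" | tr -d '\n\r ' | base64 -d 2>/dev/null)" || return 1
  case "$pem" in
    "-----BEGIN CERTIFICATE-----"*) return 0 ;;
    *) echo "not a PEM certificate: check the source field" >&2; return 1 ;;
  esac
}

# Show what you are about to trust: subject, expiry and SHA-256 fingerprint,
# which you can compare against what the Verify button displays.
show_ca() {                         # $1 = Base64 text
  printf '%s' "$1" | base64 -d | openssl x509 -noout -subject -enddate -fingerprint -sha256
}

# Non-zero means the API server's chain does not end at this CA: uploading
# it will not clear a certificate error, so look for the real issuer instead.
verify_api_server() {               # $1 = Base64 text, $2 = FQDN, $3 = port (443 or 6443)
  tmp="$(mktemp)"; printf '%s' "$1" | base64 -d > "$tmp"
  openssl s_client -connect "$2:$3" -servername "$2" -CAfile "$tmp" \
    -verify_return_error </dev/null >/dev/null 2>&1
  rc=$?; rm -f "$tmp"; return $rc
}

# Usage: CA="$(ca_b64_from_kubeconfig ~/.kube/config)" && check_ca_b64 "$CA" \
#   && show_ca "$CA" && verify_api_server "$CA" k8s-api.example.com 6443
```

If verify_api_server fails, the server is presenting a certificate issued by a different CA (common when a load balancer or proxy terminates TLS in front of the API server); upload that issuer instead of the kubeconfig CA, or fix the FQDN in step 4.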

Results

Upon adding the Kubernetes cluster as an asset source, a PowerProtect controller is installed on the cluster, which is also used to install Velero with the DD Object store plug-in and the vSphere plug-in. The namespaces in the Kubernetes cluster appear in the Kubernetes tab of the Assets window. To view more details within this window, click the search icon next to an entry. Also, if a namespace has associated PVCs that you want to exclude from a policy, you can click the link in the PVCs Exclusion column.
NOTE: If namespace assets are not discovered after adding a Kubernetes cluster asset source, ensure that the bearer token provided for the Kubernetes asset source belongs to a service account that has the privileges specified in step 5.
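Step 5 lists the privileges the service account needs, and the note above is the symptom when the token lacks them. The following script is an added example, not Dell's downloadable yaml bundle, and shows what those privileges look like as RBAC: a dedicated service account bound to a ClusterRole with exactly the listed verbs, a namespaced Role for full control inside powerprotect, and the annotated Secret that Kubernetes 1.24 and later need for a long-lived token. The account name ppdm-discovery-serviceaccount and its kube-system namespace, the role names, and creating the powerprotect namespace up front (so the namespaced Role can exist before discovery) are assumptions. The apply function also checks the effective privileges by impersonating the account before it prints the token.

```shell
#!/bin/sh
# Added example, not Dell's yaml bundle: a dedicated service account for the
# PowerProtect Data Manager asset source, bound to a ClusterRole carrying
# only the privileges listed in step 5, plus the long-lived token Secret
# that Kubernetes 1.24+ no longer creates by itself. Assumptions: the
# account is ppdm-discovery-serviceaccount in kube-system, and the
# powerprotect namespace is created here so the namespaced Role can be
# bound before discovery first runs.

render_ppdm_rbac() {          # $1 = service account name, $2 = its namespace
  sa="$1"; ns="$2"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata: {name: ${sa}, namespace: ${ns}}
---
apiVersion: v1
kind: Namespace
metadata: {name: powerprotect}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: ppdm-discovery}
rules:
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "create", "update"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterrolebindings"]
  verbs: ["get", "create", "update"]
# RBAC escalation prevention: binding a subject to cluster-admin requires
# either holding cluster-admin or the "bind" verb on that ClusterRole. With
# it the token can hand out full cluster control, so guard it like one.
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles"]
  resourceNames: ["cluster-admin"]
  verbs: ["bind"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["create"]                   # resourceNames cannot limit create
- apiGroups: [""]
  resources: ["namespaces"]
  resourceNames: ["powerprotect"]
  verbs: ["get", "update"]
- apiGroups: [""]
  resources: ["namespaces", "persistentvolumes", "persistentvolumeclaims", "pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: ppdm-discovery}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: ppdm-discovery}
subjects: [{kind: ServiceAccount, name: ${sa}, namespace: ${ns}}]
---
# Everything inside powerprotect only: a namespaced Role, not a ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: ppdm-powerprotect-admin, namespace: powerprotect}
rules: [{apiGroups: ["*"], resources: ["*"], verbs: ["*"]}]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: ppdm-powerprotect-admin, namespace: powerprotect}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: ppdm-powerprotect-admin}
subjects: [{kind: ServiceAccount, name: ${sa}, namespace: ${ns}}]
---
# Kubernetes 1.24+ no longer auto-creates token Secrets; this annotated
# Secret makes the token controller mint a long-lived token for the UI.
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: ${sa}-token
  namespace: ${ns}
  annotations: {kubernetes.io/service-account.name: ${sa}}
EOF
}

# Apply, prove the effective privileges with impersonation, then print the
# token to paste into Add Credentials. Runs only as: sh ppdm-rbac.sh apply
ppdm_apply_and_check() {
  sa="$1"; ns="$2"; who="system:serviceaccount:${ns}:${sa}"
  render_ppdm_rbac "$sa" "$ns" | kubectl apply -f -
  for check in "list namespaces" "watch persistentvolumeclaims" \
               "create clusterrolebindings" "create deployments -n powerprotect"; do
    kubectl auth can-i $check --as="$who" >/dev/null || { echo "missing: $check" >&2; return 1; }
  done
  kubectl -n "$ns" get secret "${sa}-token" -o jsonpath='{.data.token}' | base64 -d; echo
}

if [ "${1:-}" = "apply" ]; then ppdm_apply_and_check ppdm-discovery-serviceaccount kube-system; fi
```

The namespaced Role is what keeps this short of cluster-admin for day-to-day operations, but the bind rule is unavoidable given the ClusterRoleBinding privilege in step 5, so the token still deserves the same handling as a cluster-admin token. If discovery finds no namespaces, rerun the kubectl auth can-i loop against the account the token belongs to.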

Next steps

Create Kubernetes protection policies to back up namespaces and PVCs.

