
Velero for Kubernetes (EKS)

Velero is an open source tool to safely back up and restore, perform disaster recovery, and migrate Kubernetes cluster resources and persistent volumes. This page sets it up on EKS with IAM Roles for Service Accounts (IRSA), so the Velero pods obtain AWS credentials through the cluster's OIDC issuer and no static access keys are stored in the cluster.

Prerequisites

  • An S3 bucket for the backup objects
  • An EKS cluster with a namespace called velero
  • An IAM OIDC identity provider registered for the cluster's issuer URL, https://oidc.eks.<REGION>.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXX (aws eks describe-cluster --name <CLUSTER-NAME> --query cluster.identity.oidc.issuer --output text prints the issuer)
  1. Download the latest Velero version

The release path and the archive name must carry the same version tag, and the CLI must be v1.10 or newer: the node agent enabled with --use-node-agent in the install step replaced restic in v1.10.

macOS

wget https://github.com/vmware-tanzu/velero/releases/download/v1.10.0/velero-v1.10.0-darwin-amd64.tar.gz
tar -xvf velero-v1.10.0-darwin-amd64.tar.gz
cp velero-v1.10.0-darwin-amd64/velero /usr/local/bin

Linux

wget https://github.com/vmware-tanzu/velero/releases/download/v1.10.0/velero-v1.10.0-linux-amd64.tar.gz
tar -zxvf velero-v1.10.0-linux-amd64.tar.gz
cp velero-v1.10.0-linux-amd64/velero /usr/local/bin
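
The binary copied into PATH above runs with cluster-admin rights, so it is worth checking the archive before installing it. The script below is an added example, not part of the original page or of the Velero project. It assumes the CHECKSUM asset published on each GitHub release page is in sha256sum's two-column format ("<hex digest>  <file name>", one line per archive); if that assumption does not hold for a given release, verify_archive() refuses the file rather than passing it.

```python
"""Verify a Velero release archive against the CHECKSUM file published with the release.

Added example, not part of the original page or of Velero itself. Assumes the
CHECKSUM asset is in sha256sum's "<hex digest>  <file name>" format.
Usage: python verify_velero.py velero-v1.10.0-linux-amd64.tar.gz CHECKSUM
"""
import hashlib
import sys
from pathlib import Path
from typing import Optional


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so a large archive never has to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def expected_digest(checksum_file: Path, file_name: str) -> Optional[str]:
    """Return the digest listed for file_name, or None if the file is not listed at all."""
    for line in checksum_file.read_text().splitlines():
        parts = line.split()
        # sha256sum writes "*name" for files hashed in binary mode; accept both spellings.
        if len(parts) == 2 and parts[1].lstrip("*") == file_name:
            return parts[0].lower()
    return None


def verify_archive(archive: Path, checksum_file: Path) -> bool:
    """True only if the archive is listed in CHECKSUM and its SHA-256 matches that entry."""
    want = expected_digest(checksum_file, archive.name)
    if want is None:
        return False  # an unlisted file is not trusted just because it downloaded cleanly
    return want == sha256_of(archive)


if __name__ == "__main__":
    archive, checksums = Path(sys.argv[1]), Path(sys.argv[2])
    if verify_archive(archive, checksums):
        print(f"OK: {archive.name} matches {checksums.name}")
    else:
        print(f"MISMATCH: do not install {archive.name}")
        sys.exit(1)
```

Download CHECKSUM from the same release page as the archive and run the script before the cp into /usr/local/bin; a non-zero exit means the archive is either unlisted or does not match.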

  1. Create an S3 bucket, then set up the IAM role and policy

This identity policy is attached to the role the Velero service account will assume. The EC2 permissions cover volume snapshots; the object operations are scoped to the prefix passed to velero install (--prefix <SUB-FOLDER-NAME>). s3:ListBucket is a bucket-level permission and must name the bucket ARN: listed against an object ARN (bucket/*), it grants nothing.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": "arn:aws:s3:::<S3-BUCKET-NAME>/<SUB-FOLDER-NAME>/*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::<S3-BUCKET-NAME>"
    }
  ]
}
  1. Attach the policy to an IAM role whose trust relationship allows only the velero service account to assume it:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<AWS-ACCOUNT-ID>:oidc-provider/oidc.eks.<REGION>.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXX"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.<REGION>.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXX:sub": "system:serviceaccount:velero:velero",
          "oidc.eks.<REGION>.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXX:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}

The :sub condition pins the role to the velero service account in the velero namespace; without it, any pod in the cluster that receives a token from this issuer could assume the role. The :aud value is the audience the EKS pod identity webhook requests for the projected token.
  1. Attach a bucket policy to the bucket

Within a single account the role's identity policy is sufficient on its own; a bucket policy is required when the bucket lives in another account, and is useful regardless as the bucket-side statement of which principal may touch it. Grant it the same actions as the identity policy rather than s3:*.

#bucket_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AWS-ACCOUNT-ID>:role/<IAM-ROLE-NAME>"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [
        "arn:aws:s3:::<S3-BUCKET-NAME>",
        "arn:aws:s3:::<S3-BUCKET-NAME>/*"
      ]
    }
  ]
}
aws s3api put-bucket-policy --bucket <S3-BUCKET-NAME> --policy file://bucket_policy.json

  1. Create the service account

The eks.amazonaws.com/role-arn annotation is what makes IRSA work: the pod identity webhook injects the role ARN and a projected OIDC token into every pod that uses this service account. Velero needs cluster-wide read access to back up resources and write access to restore them; the first rule in the ClusterRole below already grants every verb on every resource in every API group, so the rules after it add nothing (velero install also binds the service account to cluster-admin).

apiVersion: v1
kind: ServiceAccount
metadata:
  name: velero
  namespace: velero
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<AWS-ACCOUNT-ID>:role/<IAM-ROLE-NAME>

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: velero-namespace-access
rules:
  # Full access to everything; the remaining rules are subsumed by this one.
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
    resourceNames: ["velero-repo-credentials"]
  - apiGroups: ["apps"]
    resources: ["daemonsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["namespaces", "pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["velero.io"]
    resources: ["*"]
    verbs: ["*"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: velero-namespace-access-binding
subjects:
  - kind: ServiceAccount
    name: velero
    namespace: velero
roleRef:
  kind: ClusterRole
  name: velero-namespace-access
  apiGroup: rbac.authorization.k8s.io
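
The identity policy, trust policy, bucket policy and service account above have to agree with each other, and the mistakes that break them (s3:ListBucket on an object ARN, a trust policy with no :sub condition, a bucket policy granting s3:*) produce no error at apply time. The linter below is an added example, not code from the original page or from Velero; it uses only the standard library and checks the three JSON documents for exactly those defects. The SAMPLE_* policies at the bottom are constructed for illustration with placeholder account, issuer and bucket names, and each deliberately contains one finding; pass json.load()'ed copies of your own files to lint_all() instead.

```python
"""Lint the Velero IAM artefacts (identity policy, role trust policy, bucket policy).

Added example, not code from the original page or from Velero. Standard library only.
"""
from typing import List

S3_ARN = "arn:aws:s3:::"
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                  "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"}


def _as_list(value) -> list:
    """IAM accepts a string or a list in Action/Resource/Principal; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_object_arn(arn: str) -> bool:
    """arn:aws:s3:::bucket is the bucket; anything with '/' after the name is an object path."""
    return arn.startswith(S3_ARN) and "/" in arn[len(S3_ARN):]


def lint_identity_policy(policy: dict) -> List[str]:
    findings: List[str] = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = set(_as_list(st.get("Action", [])))
        for arn in _as_list(st.get("Resource", [])):
            if "s3:ListBucket" in actions and _is_object_arn(arn):
                findings.append(f"s3:ListBucket on object ARN {arn} is ineffective; use the bucket ARN")
            if actions & OBJECT_ACTIONS and arn.startswith(S3_ARN) and not _is_object_arn(arn):
                findings.append(f"object actions on bucket ARN {arn} are ineffective; use {arn}/<prefix>/*")
        findings += [f"wildcard action {a} is broader than Velero needs"
                     for a in sorted(actions) if a == "*" or a.endswith(":*")]
    return findings


def lint_trust_policy(trust: dict, issuer: str, namespace: str, sa_name: str) -> List[str]:
    findings: List[str] = []
    want_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    for st in trust["Statement"]:
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action", [])):
            continue
        federated = st.get("Principal", {}).get("Federated", "")
        if not federated.endswith(f":oidc-provider/{issuer}"):
            findings.append(f"federated principal {federated!r} is not this cluster's OIDC provider")
        equals = st.get("Condition", {}).get("StringEquals", {})
        if equals.get(f"{issuer}:sub") != want_sub:
            # Without the sub condition every service account in the cluster can assume the role.
            findings.append(f"{issuer}:sub must equal {want_sub}")
        if equals.get(f"{issuer}:aud") != "sts.amazonaws.com":
            findings.append(f"{issuer}:aud must equal sts.amazonaws.com")
    return findings


def lint_bucket_policy(policy: dict, bucket: str, role_arn: str) -> List[str]:
    findings: List[str] = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if _as_list(st.get("Principal", {}).get("AWS", [])) != [role_arn]:
            findings.append("bucket policy principal must be exactly the Velero role ARN")
        if "s3:*" in _as_list(st.get("Action", [])):
            findings.append("bucket policy grants s3:*; list the same S3 actions as the identity policy")
        for arn in _as_list(st.get("Resource", [])):
            if arn != f"{S3_ARN}{bucket}" and not arn.startswith(f"{S3_ARN}{bucket}/"):
                findings.append(f"resource {arn} is outside bucket {bucket}")
    return findings


def lint_all(identity, trust, bucket_policy, issuer, namespace, sa_name, bucket, role_arn) -> List[str]:
    return (lint_identity_policy(identity)
            + lint_trust_policy(trust, issuer, namespace, sa_name)
            + lint_bucket_policy(bucket_policy, bucket, role_arn))


# Constructed sample inputs with placeholder account, issuer and bucket names; one finding each.
ISSUER = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
ROLE_ARN = "arn:aws:iam::123456789012:role/velero-backup"
BUCKET = "example-velero-backups"
SAMPLE_IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": [f"{S3_ARN}{BUCKET}/velero/*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [f"{S3_ARN}{BUCKET}/*"]}]}
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
     "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"},
     "Condition": {"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"}}}]}
SAMPLE_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Action": "s3:*",
     "Resource": [f"{S3_ARN}{BUCKET}", f"{S3_ARN}{BUCKET}/*"]}]}

if __name__ == "__main__":
    for finding in lint_all(SAMPLE_IDENTITY, SAMPLE_TRUST, SAMPLE_BUCKET,
                            ISSUER, "velero", "velero", BUCKET, ROLE_ARN):
        print("FINDING:", finding)
```

Run it against the real files with the namespace and service account name you will pass to velero install; an empty result from lint_all() means the three documents are consistent with each other and with the IRSA trust conditions, not that the bucket or role exist, which the BackupStorageLocation check after installation confirms.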
  1. Install Velero

velero install --provider aws --plugins velero/velero-plugin-for-aws:v1.6.0 \
  --bucket "<S3-BUCKET-NAME>" \
  --prefix "<SUB-FOLDER-NAME>" \
  --backup-location-config region="<AWS-REGION>" \
  --snapshot-location-config region="<AWS-REGION>" \
  --no-secret --use-node-agent \
  --service-account-name velero

--no-secret tells Velero not to mount a static credentials file: the AWS plugin picks up the OIDC token and role ARN that the service account annotation injects, so the kube2iam-style iam.amazonaws.com/role pod annotation is not needed with IRSA. The plugin tag must match the Velero release (v1.6.x for Velero v1.10; the velero-plugin-for-aws README carries the compatibility table).
  1. Make sure the BackupStorageLocation is Available, or backups will not run

kubectl get backupstoragelocation -A
NAMESPACE   NAME      PHASE       LAST VALIDATED   AGE    DEFAULT
velero      default   Available   52s              110m   true

If the phase is Unavailable, kubectl -n velero describe backupstoragelocation default shows the error from Velero's S3 validation check, which is where a wrong role ARN, a missing :sub condition or an ineffective s3:ListBucket grant first shows up.
  1. Basic commands

kubectl get backups.velero.io --all-namespaces
kubectl get schedules.velero.io --all-namespaces
velero schedule delete <schedule-name>
velero backup delete <backup-name>
velero backup create staging --include-namespaces staging --ttl 24h0m0s
velero restore create --from-backup staging
velero backup get
NAME      STATUS      ERRORS   WARNINGS   CREATED                         EXPIRES   STORAGE LOCATION   SELECTOR
staging   Completed   0        0          2024-07-17 14:27:01 +0100 WAT   23h       default            <none>

References

  1. https://velero.io/docs/v1.0.0/aws-config/