Velero for Kubernetes (EKS)
Velero is an open source tool to safely backup and restore, perform disaster recovery, and migrate Kubernetes cluster resources and persistent volumes.
Prerequisites
- S3 Bucket
- EKS cluster with a namespace called `velero`
- Existing IAM OpenID Connect provider for the cluster's issuer URL `https://oidc.eks.<REGION>.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXX`
- Download the Velero CLI release you intend to run (the snippets below pin specific versions)
Mac
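#macOS settings
# Pin the release once so the download URL and the archive name cannot drift
# apart (the original snippet fetched the v1.10.0 tag but extracted a v1.9.5
# archive). Set this to the release you actually want.
VELERO_VERSION="v1.9.5"
archive="velero-${VELERO_VERSION}-darwin-amd64.tar.gz"
# SHA-256 of the archive, taken from the release page for the pinned version.
expected_sha256="<EXPECTED-SHA256>"
wget "https://github.com/vmware-tanzu/velero/releases/download/${VELERO_VERSION}/${archive}"
# Verify the download before anything from it is extracted or placed on PATH.
[[ "$(shasum -a 256 "${archive}" | awk '{print $1}')" == "${expected_sha256}" ]] \
  || { printf 'checksum mismatch for %s\n' "${archive}" >&2; exit 1; }
tar -xvf "${archive}"
cp "velero-${VELERO_VERSION}-darwin-amd64/velero" /usr/local/bin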
Linux
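# Pin the release once; keep it in step with the CLI installed elsewhere (the
# macOS section pins v1.9.5) and with the server/plugin versions used by
# `velero install` further down, since mismatched versions are a common source
# of install-time flag and plugin errors.
VELERO_VERSION="v1.2.0"
archive="velero-${VELERO_VERSION}-linux-amd64.tar.gz"
# SHA-256 of the archive, taken from the release page for the pinned version.
expected_sha256="<EXPECTED-SHA256>"
wget "https://github.com/vmware-tanzu/velero/releases/download/${VELERO_VERSION}/${archive}"
# Verify the download before anything from it is extracted or placed on PATH.
printf '%s  %s\n' "${expected_sha256}" "${archive}" | sha256sum -c - \
  || { printf 'checksum mismatch for %s\n' "${archive}" >&2; exit 1; }
tar -zxvf "${archive}"
cp "velero-${VELERO_VERSION}-linux-amd64/velero" /usr/local/bin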
- Create an S3 bucket, then set up an IAM role and policy. Note that `s3:ListBucket` is evaluated against the bucket ARN itself (`arn:aws:s3:::<S3-BUCKET-NAME>`), not against object paths, so the third statement below needs the bucket ARN in its resources for listing to be allowed.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:CreateSnapshot",
"ec2:DeleteSnapshot"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::<S3-BUCKET-NAME>/<SUB-FOLDER-NAME>/*",
"arn:aws:s3:::<S3-BUCKET-NAME>/*"
]
},
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": [
"arn:aws:s3:::<S3-BUCKET-NAME>/<SUB-FOLDER-NAME>/*",
"arn:aws:s3:::<S3-BUCKET-NAME>/*"
]
}
]
}
- Attach policy to IAM role with trust relationship policy document:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<AWS-ACCOUNT-ID>:oidc-provider/oidc.eks.<REGION>.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXX"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.<REGION>.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXX:sub": "system:serviceaccount:velero:velero",
"oidc.eks.<REGION>.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXX:aud": "sts.amazonaws.com"
}
}
}
]
}
- Attach a bucket policy to the bucket. This policy grants the role `s3:*` on the bucket, which is broader than the identity policy above; for a role in the same account the identity policy alone already authorizes access, so this can be omitted or limited to the same actions.
#bucket_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<AWS-ACCOUNT-ID>:role/<IAM-ROLE-NAME>"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::<S3-BUCKET-NAME>",
"arn:aws:s3:::<S3-BUCKET-NAME>/*"
]
}
]
}
aws s3api put-bucket-policy --bucket <S3-BUCKET-NAME> --policy file://bucket_policy.json
- Create service account
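# Service account Velero runs as. The IRSA annotation is what lets the pod
# assume the role whose trust policy names system:serviceaccount:velero:velero.
# (Indentation restored: the rendered page had every key at column 0, which
# does not parse into the intended structure.)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: velero
  namespace: velero
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<AWS-ACCOUNT-ID>:role/<IAM-ROLE-NAME>
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: velero-namespace-access
rules:
  # NOTE(review): this first rule is every verb on every resource in every API
  # group, the same resource rule the built-in cluster-admin role carries, so
  # the narrower rules that follow add nothing. Velero does need wide
  # read/write access to back up and restore arbitrary resources; if the name
  # "namespace-access" reflects an intent to scope it, drop this rule and keep
  # only the explicit ones.
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
    resourceNames: ["velero-repo-credentials"]
  - apiGroups: ["apps"]
    resources: ["daemonsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["namespaces", "pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["velero.io"]
    resources: ["*"]
    verbs: ["*"]
---
# Cluster-wide binding of the role above to the velero service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: velero-namespace-access-binding
subjects:
  - kind: ServiceAccount
    name: velero
    namespace: velero
roleRef:
  kind: ClusterRole
  name: velero-namespace-access
  apiGroup: rbac.authorization.k8s.io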
- Install Velero
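# The service account created above carries the IRSA role annotation, so
# --no-secret is the right choice: no static AWS credentials are written into
# the cluster.
# NOTE(review): "iam.amazonaws.com/role" is the kube2iam/kiam pod annotation,
# not the IRSA one; it only has an effect if one of those is deployed and can
# be dropped otherwise. Also confirm the plugin tag matches the CLI version
# installed above, and that the CLI is recent enough to know --use-node-agent.
velero install --provider aws --plugins velero/velero-plugin-for-aws:v1.0.0 \
  --bucket "<S3-BUCKET-NAME>" \
  --prefix "<SUB-FOLDER-NAME>" \
  --backup-location-config region="<AWS-REGION>" \
  --snapshot-location-config region="<AWS-REGION>" \
  --no-secret --use-node-agent \
  --pod-annotations "iam.amazonaws.com/role=arn:aws:iam::<AWS-ACCOUNT-ID>:role/<IAM-ROLE-NAME>" \
  --service-account-name velero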
- Make sure the `BackupStorageLocation` phase is `Available`, otherwise backups will not work:
kubectl get BackupStorageLocation -A
NAMESPACE NAME PHASE LAST VALIDATED AGE DEFAULT
velero default Available 52s 110m true
- Basic commands
# List backups and schedules across all namespaces.
kubectl get backups.velero.io --all-namespaces
kubectl get schedules.velero.io --all-namespaces
# Delete a schedule, or a backup by name.
# NOTE(review): deleting a backup also removes its data from the storage
# location, not just the cluster object — confirm for your version before running.
velero schedule delete <schedule-names>
velero backup delete <example-backup>
# One-off backup of the staging namespace that expires after 24 hours.
velero backup create staging --include-namespaces staging --ttl 24h0m0s
# Restore from the backup created above.
velero restore create --from-backup staging
NAME STATUS ERRORS WARNINGS CREATED EXPIRES STORAGE LOCATION SELECTOR
staging Completed 0 0 2024-07-17 14:27:01 +0100 WAT 23h default <none>