Before we get carried away creating pods, services, deployments, etc., let's spare a thought for security... (DevSecPenguinOps, here we come!). In the context of this recipe, security refers to safeguarding your data from accidental loss, as well as malicious impact.
Now that we're playing in the deep end with Kubernetes, we'll need a Cloud-native backup solution...
It bears repeating though - don't be like Cameron. Back up your stuff.
This recipe employs a clever tool (miracle2k/k8s-snapshots), running inside your cluster, to trigger automated snapshots of your persistent volumes, using your cloud provider's APIs.
- Kubernetes cluster with either AWS or GKE (currently, but apparently other providers are easy to implement)
- Geek-Fu required : 🐒🐒 (medium - minor adjustments may be required)
Create RoleBinding (GKE only)
If you're running GKE, run the following to create a ClusterRoleBinding that gives your user the cluster-admin role, allowing your user to grant rights-it-doesn't-currently-have to the service account responsible for creating the snapshots:
kubectl create clusterrolebinding your-user-cluster-admin-binding \
  --clusterrole=cluster-admin --user=<your user@yourdomain>
Why do we have to do this? Check this blog post for details.
If your cluster is RBAC-enabled (it probably is), you'll need to create a ClusterRole and ClusterRoleBinding to allow k8s_snapshots to see your PVs and friends:
Deploy the pod
Ready? Run the following to create a deployment into the kube-system namespace:
Confirm your pod is running and happy by running
kubectl get pods -n kube-system, and
kubectl -n kube-system logs k8s-snapshots<tab-to-auto-complete>
Pick PVs to snapshot
k8s-snapshots relies on annotations to tell it how frequently to snapshot your PVs. A PV requires the backup.kubernetes.io/deltas annotation in order to be snapshotted.
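Because an un-annotated PV is silently left out of the backups, a coverage audit is worth running after any change. The following is an added example, not code from this recipe or from the k8s-snapshots project: it reads the JSON produced by kubectl get pv,pvc --all-namespaces -o json and flags every PV that has no backup.kubernetes.io/deltas annotation on itself or on its bound PVC, or whose value is malformed. It assumes the value is a space-separated list of ISO 8601 durations; the sample objects and their names are constructed.

```python
import json
import re
ANNOTATION = "backup.kubernetes.io/deltas"  # annotation name used on this page
# Assumption: the value is a space-separated list of ISO 8601 durations.
ISO_DURATION = re.compile(
    r"^P(?!$)(?!.*T$)(?:\d+(?:\.\d+)?Y)?(?:\d+(?:\.\d+)?M)?(?:\d+(?:\.\d+)?W)?"
    r"(?:\d+(?:\.\d+)?D)?(?:T(?:\d+(?:\.\d+)?H)?(?:\d+(?:\.\d+)?M)?(?:\d+(?:\.\d+)?S)?)?$"
)

def deltas_of(obj):  # annotation value of a PV/PVC object, or None if absent
    return (obj["metadata"].get("annotations") or {}).get(ANNOTATION)

def audit(kubectl_json):
    """Map each PV name to (status, deltas value)."""
    items = json.loads(kubectl_json)["items"]
    claims = {(i["metadata"]["namespace"], i["metadata"]["name"]): i
              for i in items if i["kind"] == "PersistentVolumeClaim"}
    report = {}
    for pv in (i for i in items if i["kind"] == "PersistentVolume"):
        ref = pv["spec"].get("claimRef") or {}
        claim = claims.get((ref.get("namespace"), ref.get("name")))
        value = deltas_of(pv)
        if value is None and claim is not None:
            value = deltas_of(claim)  # annotation set on the PVC instead
        if value is None:
            status = "UNPROTECTED"  # no annotation on the PV or its PVC
        elif value.split() and all(ISO_DURATION.match(t) for t in value.split()):
            status = "OK"
        else:
            status = "INVALID"  # annotation present, value is not durations
        report[pv["metadata"]["name"]] = (status, value)
    return report

def _obj(kind, name, ns=None, deltas=None, claim=None):  # sample-data helper
    meta = {"name": name, "annotations": {ANNOTATION: deltas} if deltas else {}}
    meta.update({"namespace": ns} if ns else {})
    spec = {"claimRef": dict(zip(("namespace", "name"), claim))} if claim else {}
    return {"kind": kind, "metadata": meta, "spec": spec}

SAMPLE = json.dumps({"kind": "List", "items": [  # constructed, not real output
    _obj("PersistentVolumeClaim", "app-data", ns="default", deltas="PT1H P1D P7D"),
    _obj("PersistentVolume", "pv-app", claim=("default", "app-data")),
    _obj("PersistentVolume", "pv-db", deltas="7 days"),
    _obj("PersistentVolume", "pv-scratch"),
]})

if __name__ == "__main__":
    for name, (status, value) in sorted(audit(SAMPLE).items()):
        print(f"{status:12} {name:12} {value or '-'}")
```

To run it against a live cluster, pass the kubectl output to audit() in place of SAMPLE.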
From the k8s-snapshots README:
To add the annotation to an existing PV, run something like this:
To add the annotation to a new PV, add the following annotation to your PVC:
Here's an example of the PVC for the UniFi recipe, which includes 7 daily snapshots of the PV:
And here's what my snapshot list looks like after a few days:
Snapshot a non-Kubernetes volume (optional)
If you're running traditional compute instances with your cloud provider (I do this for my poor man's load balancer), you might want to back up these volumes as well.
To do so, first create a custom resource,
Then identify the volume ID of your volume, and create an appropriate
Example syntaxes for the SnapshotRule for different providers can be found at https://github.com/miracle2k/k8s-snapshots/tree/master/examples
Still with me? Good. Move on to understanding Helm charts...
- I've submitted 2 PRs to the k8s-snapshots repo. The first updates the README for GKE RBAC requirements, and the second fixes a minor typo.