search

Velero

Setting up Cluster backup using Velero on AWS

hashtag
Create S3 bucket

Velero requires an object storage bucket to store backups in, preferrably unique to a single Kubernetes cluster (see the FAQarrow-up-right for more details). Create an S3 bucket, replacing placeholders appropriately:

BUCKET=<YOUR_BUCKET>
REGION=<YOUR_REGION>
aws s3api create-bucket \
    --bucket $BUCKET \
    --region $REGION \
    --create-bucket-configuration LocationConstraint=$REGION

NOTE: us-east-1 does not support a LocationConstraint. If your region is us-east-1, omit the bucket configuration:

aws s3api create-bucket \
    --bucket $BUCKET \
    --region us-east-1

hashtag
Create IAM user

For more information, see the AWS documentation on IAM usersarrow-up-right.

  1. Create the IAM user:

    aws iam create-user --user-name velero

    If you'll be using Velero to backup multiple clusters with multiple S3 buckets, it may be desirable to create a unique username per cluster rather than the default velero.

  2. Attach policies to give velero the necessary permissions:

    cat > velero-policy.json <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVolumes",
                "ec2:DescribeSnapshots",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:CreateSnapshot",
                "ec2:DeleteSnapshot"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::${BUCKET}/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::${BUCKET}"
            ]
        }
    ]
}
EOF
    aws iam put-user-policy \
  --user-name velero \
  --policy-name velero \
  --policy-document file://velero-policy.json

  3. Create an access key for the user:

    aws iam create-access-key --user-name velero

    The result should look like:

    {
  "AccessKey": {
        "UserName": "velero",
        "Status": "Active",
        "CreateDate": "2017-07-31T22:24:41.576Z",
        "SecretAccessKey": <AWS_SECRET_ACCESS_KEY>,
        "AccessKeyId": <AWS_ACCESS_KEY_ID>
  }
}

  4. Create a Velero-specific credentials file (credentials-velero) in your local directory:

    [default]
aws_access_key_id=<AWS_ACCESS_KEY_ID>
aws_secret_access_key=<AWS_SECRET_ACCESS_KEY>

    where the access key id and secret are the values returned from the create-access-key request.

hashtag
Install and start Velero

Install Velero, including all prerequisites, into the cluster and start the deployment. This will create a namespace called velero, and place a deployment named velero in it.

Additionally, you can specify --use-restic to enable restic support, and --wait to wait for the deployment to be ready.

(Optional) Specify additional configurable parametersarrow-up-right for the --backup-location-config flag.

(Optional) Specify additional configurable parametersarrow-up-right for the --snapshot-location-config flag.

(Optional) Specify CPU and memory resource requests and limitsarrow-up-right for the Velero/restic pods.

For more complex installation needs, use either the Helm chart, or add --dry-run -o yaml options for generating the YAML representation for the installation.

hashtag
ALTERNATIVE: Setup permissions using kube2iam

Kube2iamarrow-up-right is a Kubernetes application that allows managing AWS IAM permissions for pod via annotations rather than operating on API keys.

This path assumes you have kube2iam already running in your Kubernetes cluster. If that is not the case, please install it first, following the docs here: https://github.com/jtblin/kube2iamarrow-up-right

It can be set up for Velero by creating a role that will have required permissions, and later by adding the permissions annotation on the velero deployment to define which role it should use internally.

  1. Create a Trust Policy document to allow the role being used for EC2 management & assume kube2iam role:

  2. Create the IAM role:

  3. Attach policies to give velero the necessary permissions:

  4. Use the --pod-annotations argument on velero install to add the following annotation:

PreviousExecuting script on K8s NodesNextPrometheus

Last updated