Velero
Setting up Cluster backup using Velero on AWS
Create S3 bucket
Velero requires an object storage bucket to store backups in, preferably unique to a single Kubernetes cluster (see the FAQ for more details). Create an S3 bucket, replacing placeholders appropriately:
```shell
BUCKET=<YOUR_BUCKET>
REGION=<YOUR_REGION>
aws s3api create-bucket \
    --bucket $BUCKET \
    --region $REGION \
    --create-bucket-configuration LocationConstraint=$REGION
```

NOTE: us-east-1 does not support a LocationConstraint. If your region is us-east-1, omit the bucket configuration:

```shell
aws s3api create-bucket \
    --bucket $BUCKET \
    --region us-east-1
```

Create IAM user
For more information, see the AWS documentation on IAM users.
Create the IAM user:
```shell
aws iam create-user --user-name velero
```

If you'll be using Velero to back up multiple clusters with multiple S3 buckets, it may be desirable to create a unique username per cluster rather than the default velero.

Attach policies to give velero the necessary permissions:

```shell
cat > velero-policy.json <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVolumes",
                "ec2:DescribeSnapshots",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:CreateSnapshot",
                "ec2:DeleteSnapshot"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::${BUCKET}/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::${BUCKET}"
            ]
        }
    ]
}
EOF
```

```shell
aws iam put-user-policy \
    --user-name velero \
    --policy-name velero \
    --policy-document file://velero-policy.json
```

Create an access key for the user:

```shell
aws iam create-access-key --user-name velero
```

The result should look like:

```
{
    "AccessKey": {
        "UserName": "velero",
        "Status": "Active",
        "CreateDate": "2017-07-31T22:24:41.576Z",
        "SecretAccessKey": <AWS_SECRET_ACCESS_KEY>,
        "AccessKeyId": <AWS_ACCESS_KEY_ID>
    }
}
```

Create a Velero-specific credentials file (credentials-velero) in your local directory:

```
[default]
aws_access_key_id=<AWS_ACCESS_KEY_ID>
aws_secret_access_key=<AWS_SECRET_ACCESS_KEY>
```

where the access key id and secret are the values returned from the create-access-key request.
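The policy above is deliberately narrow: S3 rights are pinned to one bucket and only the EC2 snapshot actions Velero needs are granted on `*`. The following Python is an added check, not part of the Velero docs or the project: it audits a policy document of that shape and flags anything broader (wildcard actions, S3 statements not scoped to the cluster's bucket, EC2 actions beyond the documented set). The bucket name is a constructed placeholder.

```python
import json

# Constructed sample: the velero-policy.json above, with the bucket placeholder filled in.
BUCKET = "my-velero-backups"  # assumed bucket name, not from the original page
VELERO_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Effect": "Allow",
    "Action": ["ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ec2:CreateTags",
               "ec2:CreateVolume", "ec2:CreateSnapshot", "ec2:DeleteSnapshot"],
    "Resource": "*" },
  { "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:DeleteObject", "s3:PutObject",
               "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"],
    "Resource": ["arn:aws:s3:::%s/*"] },
  { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::%s"] } ] }
""" % (BUCKET, BUCKET))

# EC2 snapshot actions the documented policy grants; they only work with Resource "*".
EXPECTED_EC2 = {"ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ec2:CreateTags",
                "ec2:CreateVolume", "ec2:CreateSnapshot", "ec2:DeleteSnapshot"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_velero_policy(policy, bucket):
    """Return findings for anything broader than the documented Velero policy; [] means OK."""
    findings = []
    bucket_arns = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # Wildcard actions ("*", "s3:*") grant far more than a backup job needs.
        findings += [f"statement {i}: wildcard action {a!r}" for a in actions if a.endswith("*")]
        # Services other than ec2/s3 are not needed by the documented setup.
        findings += [f"statement {i}: unrelated action {a!r}" for a in actions
                     if not a.startswith(("ec2:", "s3:"))]
        # S3 permissions must be pinned to this cluster's bucket, never to "*".
        if any(a.startswith("s3:") for a in actions):
            findings += [f"statement {i}: s3 resource {r!r} not scoped to bucket {bucket!r}"
                         for r in resources if r not in bucket_arns]
        # Extra EC2 actions widen the blast radius of a leaked velero access key.
        findings += [f"statement {i}: unexpected ec2 action {a!r}"
                     for a in actions if a.startswith("ec2:") and a not in EXPECTED_EC2]
    return findings
```

Run it against the generated velero-policy.json (after `json.load`) before `put-user-policy`; an empty list means the document matches the shape on this page.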
Install and start Velero
Install Velero, including all prerequisites, into the cluster and start the deployment. This will create a namespace called velero, and place a deployment named velero in it.
Additionally, you can specify --use-restic to enable restic support, and --wait to wait for the deployment to be ready.
(Optional) Specify additional configurable parameters for the --backup-location-config flag.
(Optional) Specify additional configurable parameters for the --snapshot-location-config flag.
(Optional) Specify CPU and memory resource requests and limits for the Velero/restic pods.
For more complex installation needs, use either the Helm chart, or add the --dry-run -o yaml options to generate the YAML representation of the installation.
ALTERNATIVE: Setup permissions using kube2iam
Kube2iam is a Kubernetes application that allows managing AWS IAM permissions for pods via annotations rather than operating on API keys.
This path assumes you have kube2iam already running in your Kubernetes cluster. If that is not the case, please install it first, following the docs here: https://github.com/jtblin/kube2iam
It can be set up for Velero by creating a role that has the required permissions, and then adding the permissions annotation to the velero deployment to define which role it should use internally.
Create a trust policy document that allows the role to be used for EC2 management and to be assumed via the kube2iam role:
Create the IAM role:
Attach policies to give velero the necessary permissions:
Use the --pod-annotations argument on velero install to add the following annotation: