Velero for Kubernetes Backup: Install & Configure
This article is part of a series of blog posts on using Velero for Kubernetes backup, restore, migration & disaster recovery.
All articles in this series explore Velero in the context of AWS Elastic Kubernetes Service (EKS).
Stay tuned as we publish more articles in the coming weeks & months. Here’s a sneak preview of what’s to come:
- An Introduction to Velero for Kubernetes Backup & Restore
- Velero for Kubernetes Backup: Install & Configure
- Backup & Restore Stateless Workloads with Velero for Kubernetes
- Velero for Kubernetes: Backup & Restore Stateful Workloads with AWS EBS Snapshots
- Velero for Kubernetes: Backup & Restore Stateful Workloads with Restic for Velero
- Monitoring Velero Kubernetes Backups & Automated Alerting for Backup Failures
Introduction
The previous article in this series introduced Velero. In this post, we will install & configure Velero on a Kubernetes cluster hosted on AWS EKS.
Resource Requirements
Velero runs as a deployment in your cluster. Restic, the optional file backup companion for Velero, runs as a DaemonSet.
By default, the Velero & Restic pods have the following resource requirements:
Resource | Velero Pod | Restic Pod |
---|---|---|
CPU Request | 500m | 500m |
Memory Request | 128Mi | 512Mi |
CPU Limit | 1000m (1 CPU) | 1000m (1 CPU) |
Memory Limit | 512Mi | 1024Mi |
Prerequisites
We will install Velero on AWS EKS with the AWS plugin for Velero. The plugin takes care of uploading backups to S3 & managing EBS snapshots.
As such, it needs permissions to perform these tasks in AWS. You can provide permissions to Velero in 2 ways:
- Either create an IAM user & provide its access keys to Velero.
- Or create an IAM role & configure Velero to use this role for any AWS operations.
AWS Permissions
The IAM user/role you create for Velero must have these permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [
        "arn:aws:s3:::${BUCKET}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::${BUCKET}"
      ]
    }
  ]
}
The first set of permissions is for managing disk snapshots, while the rest are for managing backup objects in S3.
If you use an IAM role instead of an IAM user, ensure your EKS cluster’s EC2 nodes have permissions to assume this role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::ACCOUNT_ID:role/velero"
    }
  ]
}
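The policy above is only least-privilege if the S3 statements stay pinned to the backup bucket; a common slip when copying it is to widen a Resource to every bucket or to reach for s3:*. The following is an added example, not code from this article or from the Velero project: a small linter that takes the article's policy (with ${BUCKET} substituted by the constructed name example-velero-backups) and reports any S3 action that is not limited to that bucket, any wildcard action, and any action outside the EC2/S3 set the article grants. The EC2 statement is deliberately allowed to keep Resource "*", as in the article.

```python
"""Lint an IAM policy meant for Velero's AWS plugin.

Added example, not code from the article or from the Velero project. It checks
the shape of the policy the article recommends: the EC2 snapshot actions are
account-wide, but every S3 action must be pinned to the backup bucket, and no
statement may use a wildcard action. BUCKET_NAME is a constructed placeholder.
"""
import copy
from typing import Any, Dict, List

BUCKET_NAME = "example-velero-backups"  # constructed; use your own bucket name

# Exactly the actions the article's policy grants; anything else is reported.
ALLOWED_EC2 = {
    "ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ec2:CreateTags",
    "ec2:CreateVolume", "ec2:CreateSnapshot", "ec2:DeleteSnapshot",
}
ALLOWED_S3 = {
    "s3:GetObject", "s3:DeleteObject", "s3:PutObject",
    "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts", "s3:ListBucket",
}

# The article's policy with ${BUCKET} substituted (constructed sample input).
VELERO_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": sorted(ALLOWED_EC2), "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:DeleteObject", "s3:PutObject",
                       "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"],
            "Resource": [f"arn:aws:s3:::{BUCKET_NAME}/*"],
        },
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{BUCKET_NAME}"]},
    ],
}


def _as_list(value: Any) -> List[str]:
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def lint_velero_policy(policy: Dict[str, Any], bucket: str) -> List[str]:
    """Return findings; an empty list means the policy has the expected shape."""
    bucket_arns = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings: List[str] = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not linted here
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
            elif action.startswith("s3:"):
                if action not in ALLOWED_S3:
                    findings.append(f"statement {idx}: unexpected S3 action {action!r}")
                stray = [r for r in resources if r not in bucket_arns]
                if stray:
                    findings.append(
                        f"statement {idx}: {action} not limited to the backup bucket: {stray}")
            elif action.startswith("ec2:"):
                if action not in ALLOWED_EC2:
                    findings.append(f"statement {idx}: unexpected EC2 action {action!r}")
            else:
                findings.append(f"statement {idx}: action outside ec2/s3: {action!r}")
    return findings


def loosened_policy() -> Dict[str, Any]:
    """A common mistake: object access widened to every bucket, plus an s3:* grant."""
    loose = copy.deepcopy(VELERO_POLICY)
    loose["Statement"][1]["Resource"] = "arn:aws:s3:::*"
    loose["Statement"][2]["Action"].append("s3:*")
    return loose


if __name__ == "__main__":
    print("article policy:", lint_velero_policy(VELERO_POLICY, BUCKET_NAME) or "OK")
    for finding in lint_velero_policy(loosened_policy(), BUCKET_NAME):
        print("loosened policy:", finding)
```

Run it against the JSON you are about to attach to the IAM user or role (load it with json.load and pass the dict) before creating the identity; the linter is intentionally strict about the bucket name, so a policy written for a different bucket is reported too.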
Install Velero
Velero can be installed in 2 ways:
- Either use the Velero CLI’s velero install command.
- Or install Velero’s Helm chart from VMware Tanzu.
We will use the Helm chart way in this article.
First, add the VMware Tanzu Helm repo:
helm repo add vmware-tanzu \
https://vmware-tanzu.github.io/helm-charts
Install Velero with IAM User
If you’re providing AWS access to Velero using an IAM user, first save the user’s access keys in a file, say ~/velero-credentials:
[default]
aws_access_key_id=...
aws_secret_access_key=...
Now, install Velero as follows:
helm install velero vmware-tanzu/velero \
  --namespace velero --create-namespace \
  --set-file "credentials.secretContents.cloud=$HOME/velero-credentials" \
  --set 'configuration.provider=aws' \
  --set 'configuration.backupStorageLocation.bucket=S3_BUCKET' \
  --set 'configuration.backupStorageLocation.config.region=ap-south-1' \
  --set 'configuration.volumeSnapshotLocation.name=default' \
  --set 'configuration.volumeSnapshotLocation.config.region=ap-south-1' \
  --set 'initContainers[0].name=velero-plugin-for-aws' \
  --set 'initContainers[0].image=velero/velero-plugin-for-aws' \
  --set 'initContainers[0].volumeMounts[0].mountPath=/target' \
  --set 'initContainers[0].volumeMounts[0].name=plugins'
Replace S3_BUCKET above with the name of the bucket you create for Velero backups.
Note that:
- We’re installing Velero in a new velero namespace.
- We’re configuring it for the ap-south-1 (Mumbai) region.
Install Velero with IAM Role
If you chose the IAM role way of granting access, use this command instead to install Velero:
helm install velero vmware-tanzu/velero \
  --namespace velero --create-namespace \
  --set 'configuration.provider=aws' \
  --set 'podAnnotations.iam\.amazonaws\.com/role=ROLE_ARN' \
  --set 'configuration.backupStorageLocation.bucket=S3_BUCKET' \
  --set 'configuration.backupStorageLocation.config.region=ap-south-1' \
  --set 'configuration.volumeSnapshotLocation.name=default' \
  --set 'configuration.volumeSnapshotLocation.config.region=ap-south-1' \
  --set 'initContainers[0].name=velero-plugin-for-aws' \
  --set 'initContainers[0].image=velero/velero-plugin-for-aws' \
  --set 'initContainers[0].volumeMounts[0].mountPath=/target' \
  --set 'initContainers[0].volumeMounts[0].name=plugins'
Replace ROLE_ARN & S3_BUCKET above with the respective values for your account.
Velero’s Cluster Resources
Installation is now complete!
Wait for the Velero resources to come up:
> kubectl get all --namespace velero
NAME                         READY   STATUS    RESTARTS   AGE
pod/velero-6cd66487f-bn7x8   1/1     Running   0          18h

NAME             TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
service/velero   ClusterIP   10.100.138.20   <none>        8085/TCP   21h

NAME                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/velero   1/1     1            1           21h

NAME                               DESIRED   CURRENT   READY   AGE
replicaset.apps/velero-6cd66487f   1         1         1       21h
Uninstall Velero
If you ever need to uninstall Velero, here are the commands to do so:
helm uninstall velero -n velero
kubectl delete namespace velero
kubectl delete crds -l component=velero
The last command is necessary because Velero’s CRDs are not removed by helm uninstall.
Conclusion
In this article, we learnt how to install Velero using its Helm chart.
In the next article in this series, we will try our hands on a simple backup & restore scenario.
About the Author ✍🏻
Harish KM is a Principal DevOps Engineer at QloudX & a top-ranked AWS Ambassador since 2020. 👨🏻💻
With over a decade of industry experience as everything from a full-stack engineer to a cloud architect, Harish has built many world-class solutions for clients around the world! 👷🏻♂️
With over 20 certifications in cloud (AWS, Azure, GCP), containers (Kubernetes, Docker) & DevOps (Terraform, Ansible, Jenkins), Harish is an expert in a multitude of technologies. 📚
These days, his focus is on the fascinating world of DevOps & how it can transform the way we do things! 🚀