Install the Velero backup solution for Kubernetes on GCP Google Kubernetes Engine (GKE), then perform a backup and restore that includes a persistent volume.
- GCP GKE Kubernetes cluster 1.7 or later
- MacOS (preferred), but Linux or Windows will work
- kubectl installed
- gcloud installed
Velero requires an object storage bucket in which to store backups, preferably unique to a single Kubernetes cluster.
-
Create a GCS bucket, replacing the <YOUR_BUCKET> placeholder with the name of your bucket:
BUCKET=<YOUR_BUCKET>
gsutil mb gs://$BUCKET/
To integrate Velero with GCP, create a Velero-specific service account.
-
View your current config settings:
gcloud config list
Store the project value from the results in the environment variable $PROJECT_ID.
PROJECT_ID=$(gcloud config get-value project)
-
Create a service account:
gcloud iam service-accounts create velero --display-name "Velero service account"
If you'll be using Velero to back up multiple clusters with multiple GCS buckets, it may be desirable to create a unique username per cluster rather than the default velero.
Then list all accounts and find the velero account you just created:
gcloud iam service-accounts list
Set the $SERVICE_ACCOUNT_EMAIL variable to match its email value.
SERVICE_ACCOUNT_EMAIL=$(gcloud iam service-accounts list --filter="displayName:Velero service account" --format 'value(email)')
-
Attach policies to give velero the necessary permissions to function:
ROLE_PERMISSIONS=(
    compute.disks.get
    compute.disks.create
    compute.disks.createSnapshot
    compute.snapshots.get
    compute.snapshots.create
    compute.snapshots.useReadOnly
    compute.snapshots.delete
    compute.zones.get
)
gcloud iam roles create velero.server --project $PROJECT_ID --title "Velero Server" --permissions "$(IFS=","; echo "${ROLE_PERMISSIONS[*]}")"
gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT_EMAIL --role projects/$PROJECT_ID/roles/velero.server
gsutil iam ch serviceAccount:$SERVICE_ACCOUNT_EMAIL:objectAdmin gs://${BUCKET}
-
Create a service account key, specifying an output file (credentials-velero) in your local directory:
gcloud iam service-accounts keys create credentials-velero --iam-account $SERVICE_ACCOUNT_EMAIL
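To confirm that the velero.server role carries exactly the permissions granted in the step above, the following added example (not part of the original guide or of the Velero project) compares a permission list against that set and reports drift. The function names and the drifted sample are constructed for illustration, and the gcloud invocation in the comment is an assumed way to obtain live input.

```shell
#!/bin/sh
# Added example: audit a role's permissions against the list on this page.
# Live input (assumed invocation, run where gcloud is configured):
#   gcloud iam roles describe velero.server --project "$PROJECT_ID" \
#     --format='value(includedPermissions)'

# Expected grants, copied from ROLE_PERMISSIONS in the step above.
EXPECTED_PERMISSIONS="compute.disks.get compute.disks.create
compute.disks.createSnapshot compute.snapshots.get compute.snapshots.create
compute.snapshots.useReadOnly compute.snapshots.delete compute.zones.get"

# Constructed sample of a drifted role: compute.zones.get was dropped and
# compute.instances.delete was added. Not output from a real project.
DRIFTED_SAMPLE="compute.disks.create;compute.disks.createSnapshot;compute.disks.get;compute.instances.delete;compute.snapshots.create;compute.snapshots.delete;compute.snapshots.get;compute.snapshots.useReadOnly"

# One permission per line, sorted and de-duplicated. Accepts comma,
# semicolon, space, tab or newline separators.
normalize_perms() {
  printf '%s\n' "$1" | tr ',; \t' '\n\n\n\n' | sed '/^$/d' | sort -u
}

# audit_role_perms "<actual permissions>"
# Prints EXTRA for grants beyond the expected set and MISSING for expected
# grants that are absent. Returns 0 only when both sets are identical.
audit_role_perms() {
  _expected=$(normalize_perms "$EXPECTED_PERMISSIONS")
  _actual=$(normalize_perms "$1")
  _rc=0
  for _p in $_actual; do
    printf '%s\n' "$_expected" | grep -Fxq -- "$_p" || { echo "EXTRA $_p"; _rc=1; }
  done
  for _p in $_expected; do
    printf '%s\n' "$_actual" | grep -Fxq -- "$_p" || { echo "MISSING $_p"; _rc=1; }
  done
  return "$_rc"
}

audit_role_perms "$DRIFTED_SAMPLE" || echo "velero.server role differs from the documented permission set"
```

An EXTRA line means the role grants more than this guide intends; a MISSING line means snapshots or restores may fail for lack of permission.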
Prepare the local computer. macOS is used in this process, but other operating systems are OK.
-
Install Velero CLI on Mac with HomeBrew.
⇒ brew install velero
-
Download the Velero tarfile with examples.
-
Extract velero tarfile.
⇒ tar -xvf <RELEASE-TARBALL-NAME>.tar
-
Deploy Velero in Kubernetes cluster including the Velero plugin for GCP.
⇒ velero install --provider gcp --plugins velero/velero-plugin-for-gcp:v1.1.0 --bucket velero-sandbox-cnd --secret-file ./credentials-velero --use-volume-snapshots=true
-
Verify Velero deployment
⇒ kubectl -n velero get deployments
Ensure that 1/1 replicas are running.
Deploy an example application that uses persistent storage.
-
Change to the untarred Velero directory (i.e. velero-v1.4.0-darwin-amd64).
⇒ cd velero-v1.4.0-darwin-amd64
-
Deploy example application.
⇒ kubectl apply -f examples/nginx-app/with-pv.yaml
-
Verify deployment.
⇒ kubectl -n nginx-example get deployments
-
Get name of persistent volume bound to the nginx-example.
⇒ kubectl get pv
-
Label persistent volume from previous step. Substitute actual persistent volume name for <PVC-NAME>.
⇒ kubectl label pv <PVC-NAME> velero.io/backup-name=<NAMESPACE-001>
-
Create a backup for any object that matches the app=nginx label selector:
⇒ velero backup create nginx-backup --selector app=nginx
-
(Optional) Create regularly scheduled backups based on a cron expression using the app=nginx label selector:
velero schedule create nginx-daily --schedule="0 1 * * *" --selector app=nginx
Alternatively, you can use some non-standard shorthand cron expressions:
velero schedule create nginx-daily --schedule="@daily" --selector app=nginx
-
Simulate a disaster:
kubectl delete namespace nginx-example
-
To check that the nginx deployment and service are gone, run:
kubectl get deployments --namespace=nginx-example
kubectl get services --namespace=nginx-example
kubectl get namespace/nginx-example
You should get no results.
-
Restore from backup:
velero restore create --from-backup nginx-backup
-
View restore details:
velero restore get
After the restore finishes, the output looks like the following:
NAME                          BACKUP         STATUS      WARNINGS   ERRORS    CREATED                         SELECTOR
nginx-backup-20170727200524   nginx-backup   Completed   0          0         2017-07-27 20:05:24 +0000 UTC   <none>
NOTE: The restore can take a few moments to finish. During this time, the STATUS column reads InProgress.
After a successful restore, the STATUS column is Completed, and WARNINGS and ERRORS are 0. All objects in the nginx-example namespace should be just as they were before you deleted them.
-
If there are errors or warnings, you can look at them in detail:
velero restore describe <RESTORE_NAME>
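The success condition described above (STATUS Completed, WARNINGS and ERRORS both 0) can be enforced in a restore drill instead of read by eye. This added example is not part of the original guide or of Velero; the function names and the second and third sample rows are constructed, and it assumes the column order shown on this page.

```shell
#!/bin/sh
# Added example: gate a restore drill on the `velero restore get` table.
# Assumes the column order shown on this page:
#   NAME BACKUP STATUS WARNINGS ERRORS CREATED SELECTOR

# Sample table. The first row is the one from this page; the other two rows
# are constructed for illustration.
sample_restore_table() {
  cat <<'EOF'
NAME                          BACKUP         STATUS            WARNINGS   ERRORS    CREATED                         SELECTOR
nginx-backup-20170727200524   nginx-backup   Completed         0          0         2017-07-27 20:05:24 +0000 UTC   <none>
nginx-backup-20170727201500   nginx-backup   InProgress        0          0         2017-07-27 20:15:00 +0000 UTC   <none>
nginx-backup-20170727203000   nginx-backup   PartiallyFailed   2          1         2017-07-27 20:30:00 +0000 UTC   <none>
EOF
}

# check_restore <restore-name>   (table on stdin)
# Exit 0: Completed with 0 warnings and 0 errors.
# Exit 2: still InProgress, poll again.
# Exit 1: anything else, including a restore name that is not listed.
check_restore() {
  awk -v name="$1" '
    $1 == "NAME" { next }                      # header row
    $1 == name {
      found = 1
      if ($3 == "InProgress") rc = 2
      else if ($3 == "Completed" && $4 == 0 && $5 == 0) rc = 0
      else rc = 1
      printf "%s status=%s warnings=%s errors=%s\n", $1, $3, $4, $5
    }
    END {
      if (!found) { print name ": restore not found"; exit 1 }
      exit rc
    }
  '
}

# Live use: velero restore get | check_restore <RESTORE_NAME>
sample_restore_table | check_restore nginx-backup-20170727200524
```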
If you want to delete any backups you created, including data in object storage and persistent volume snapshots, follow these steps.
-
Delete backup
⇒ velero backup delete BACKUP_NAME
-
Cleanup example deployment
⇒ kubectl delete -f examples/nginx-app/base.yaml
If you would like to completely remove Velero from cluster, follow these steps.
-
Uninstall velero from cluster
⇒ kubectl delete namespace/velero clusterrolebinding/velero
⇒ kubectl delete crds -l component=velero