Velero for Kubernetes Backup: Install & Configure

This article is part of a series of blog posts on using Velero for Kubernetes backup, restore, migration & disaster recovery.

All articles in this series explore Velero in the context of AWS Elastic Kubernetes Service (EKS).

Stay tuned as we publish more articles in the coming weeks & months. Here’s a sneak preview of what’s to come:

  1. An Introduction to Velero for Kubernetes Backup & Restore
  2. Velero for Kubernetes Backup: Install & Configure
  3. Backup & Restore Stateless Workloads with Velero for Kubernetes
  4. Velero for Kubernetes: Backup & Restore Stateful Workloads with AWS EBS Snapshots
  5. Velero for Kubernetes: Backup & Restore Stateful Workloads with Restic for Velero
  6. Monitoring Velero Kubernetes Backups & Automated Alerting for Backup Failures

Introduction

We got introduced to Velero in the last article in this series. In this post, we will learn to install & configure Velero on an AWS EKS-hosted Kubernetes cluster.

Resource Requirements

Velero runs as a deployment in your cluster. Restic, the optional file backup companion for Velero, runs as a DaemonSet.

By default, the Velero & Restic pods have the following resource requirements:

ResourceVelero PodRestic Pod
CPU Request500m500m
Memory Request128Mi512Mi
CPU Limit1000m (1 CPU)1000m (1 CPU)
Memory Limit512Mi1024Mi

Prerequisites

We will install Velero on AWS EKS with the AWS plugin for Velero. The plugin takes care of uploading backups to S3 & managing EBS snapshots.

As such, it needs permissions to perform these tasks in AWS. You can provide permissions to Velero in 2 ways:

  1. Either create an IAM user & provide its access keys to Velero.
  2. Or create an IAM role & configure Velero to use this role for any AWS operations.

AWS Permissions

The IAM user/role you create for Velero, must have these permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVolumes",
                "ec2:DescribeSnapshots",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:CreateSnapshot",
                "ec2:DeleteSnapshot"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::${BUCKET}/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::${BUCKET}"
            ]
        }
    ]
}

The first set of permissions is for managing disk snapshots, while the rest are for managing backup objects in S3.

If you use an IAM role instead of an IAM user, ensure your EKS cluster’s EC2 nodes have permissions to assume this role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::ACCOUNT_ID:role/velero"
        }
    ]
}

Install Velero

Velero can be installed in 2 ways:

  1. Either use Velero CLI’s velero install command.
  2. Or install Velero’s Helm chart from VMware Tanzu.

We will use the Helm chart way in this article.

First, add the VMware Tanzu Helm repo:

helm repo add vmware-tanzu \
    https://vmware-tanzu.github.io/helm-charts

Install Velero with IAM User

If you’re providing AWS access to Velero using an IAM user, first save the user’s access keys in a file, say ~/velero-credentials:

[default]
aws_access_key_id=...
aws_secret_access_key=...

Now, install Velero as follows:

helm install velero vmware-tanzu/velero \
--namespace velero --create-namespace \
--set-file 'credentials.secretContents.cloud=~/velero-credentials' \
--set 'configuration.provider=aws' \
--set 'configuration.backupStorageLocation.bucket=S3_BUCKET' \
--set 'configuration.backupStorageLocation.config.region=ap-south-1' \
--set 'configuration.volumeSnapshotLocation.name=default' \
--set 'configuration.volumeSnapshotLocation.config.region=ap-south-1' \
--set 'initContainers[0].name=velero-plugin-for-aws' \
--set 'initContainers[0].image=velero/velero-plugin-for-aws' \
--set 'initContainers[0].volumeMounts[0].mountPath=/target' \
--set 'initContainers[0].volumeMounts[0].name=plugins'

Replace S3_BUCKET above with the name of the bucket you create for Velero backups.

Note that:

  1. We’re installing Velero in a new velero namespace.
  2. We’re configuring it for the ap-south-1 Mumbai region.

Install Velero with IAM Role

If you chose the IAM role way of granting access, use this command instead to install Velero:

helm install velero vmware-tanzu/velero \
--namespace velero --create-namespace \
--set 'configuration.provider=aws' \
--set 'podAnnotations.iam\.amazonaws\.com/role=ROLE_ARN' \
--set 'configuration.backupStorageLocation.bucket=S3_BUCKET' \
--set 'configuration.backupStorageLocation.config.region=ap-south-1' \
--set 'configuration.volumeSnapshotLocation.name=default' \
--set 'configuration.volumeSnapshotLocation.config.region=ap-south-1' \
--set 'initContainers[0].name=velero-plugin-for-aws' \
--set 'initContainers[0].image=velero/velero-plugin-for-aws' \
--set 'initContainers[0].volumeMounts[0].mountPath=/target' \
--set 'initContainers[0].volumeMounts[0].name=plugins'

Replace ROLE_ARN & S3_BUCKET above with the respective values for your account.

Velero’s Cluster Resources

Installation is now complete!

Wait for the Velero resources to come up:

> kubectl get all --namespace velero

NAME                         READY   STATUS    RESTARTS   AGE
pod/velero-6cd66487f-bn7x8   1/1     Running   0          18h

NAME             TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
service/velero   ClusterIP   10.100.138.20   <none>        8085/TCP   21h

NAME                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/velero   1/1     1            1           21h

NAME                               DESIRED   CURRENT   READY   AGE
replicaset.apps/velero-6cd66487f   1         1         1       21h

Uninstall Velero

If you ever need to uninstall Velero, here are the commands to do so:

helm uninstall velero -n velero

kubectl delete namespace velero

kubectl delete crds -l component=velero

The last command is necessary because Velero’s CRDs are not uninstalled during helm uninstall.

Conclusion

In this article, we learnt how to install Velero using its Helm chart.

In the next article in this series, we will try our hands on a simple backup & restore scenario.

About the Author ✍🏻

Harish KM is a Principal DevOps Engineer at QloudX & a top-ranked AWS Ambassador since 2020. 👨🏻‍💻

With over a decade of industry experience as everything from a full-stack engineer to a cloud architect, Harish has built many world-class solutions for clients around the world! 👷🏻‍♂️

With over 20 certifications in cloud (AWS, Azure, GCP), containers (Kubernetes, Docker) & DevOps (Terraform, Ansible, Jenkins), Harish is an expert in a multitude of technologies. 📚

These days, his focus is on the fascinating world of DevOps & how it can transform the way we do things! 🚀

Leave a Reply

Your email address will not be published. Required fields are marked *