Perform the following steps to add a Kubernetes cluster as an asset source in the PowerProtect Data Manager UI. When added, PowerProtect Data Manager automatically deploys resources on the cluster that enable the backup and recovery of namespaces.
Prerequisites
- You must have Administrator privileges.
- If your environment has firewall or other restrictions that might prevent pulling of the required images from Docker Hub, review the procedure in the section Prerequisites to Kubernetes cluster discovery.
- If adding a Kubernetes guest cluster for vSphere CSI-based Persistent Volume Claims (PVCs), add a VM Direct protection engine in the vCenter Server where the Tanzu Kubernetes guest cluster is located.
About this task
NOTE Discovery of a Kubernetes cluster discovers namespaces that contain volumes from both container storage interface (CSI) and non-CSI based storage. However, backup and recovery are supported only from CSI-based storage. Also, only PVCs with the VolumeMode Filesystem are supported.
Steps
1. From the left navigation pane, select Infrastructure > Asset Sources.
2. In the Asset Sources window, select the Kubernetes cluster tab.
3. Click Add.
4. In the Add Kubernetes dialog box, specify the source attributes:
   - Tanzu Cluster: If adding a Kubernetes Tanzu guest cluster for protection of vSphere CSI-based PVCs, move the slider to the right.
   - Select vCenter: For a Kubernetes Tanzu guest cluster asset source, select the vCenter Server that contains the guest cluster from the list.
     NOTE Selecting a vCenter Server changes the method used for the Kubernetes protection policy backup. Instead of cProxy, a VM proxy (the VM Direct engine) will be used for the management and transfer of backup data, similar to what is used for virtual machine protection policies.
   - Name: the cluster name.
   - FQDN/IP: the fully qualified domain name (FQDN) or the IP address of the Kubernetes API server.
     NOTE It is recommended that you use the FQDN instead of the IP address.
   - Port: specify the port to use for communication when not using the default port, 443.
     NOTE The use of any port other than 443 or 6443 requires you to open the port on PowerProtect Data Manager first to enable outgoing communication. Before you add Kubernetes as an asset source, add the required ports. The PowerProtect Data Manager Security Configuration Guide provides more information.
5. From the Host Credentials list, select an existing set of credentials, or select Add Credentials to add the service account token for the Kubernetes cluster, and then click Save.
   The service account must have the following privileges:
   - Get/Create/Update/List CustomResourceDefinitions
   - Get/Create/Update ClusterRoleBinding for 'cluster-admin' role
   - Create/Update 'powerprotect' namespace
   - Get/List/Create/Update/Delete all kinds of resources inside 'powerprotect' namespace
   - Get/List/Watch all namespaces in the cluster as well as PV, PVC, storageclass, deployments and pods in all these namespaces
   NOTE The admin-user service account in the kube-system namespace contains all these privileges. You can provide the token of this account, or of an existing similar service account. Alternatively, create a service account that is bound to a cluster role that contains these privileges, and then provide the token of this service account.
   If you do not want to provide a service account with cluster-admin privileges, download the yaml files from the PowerProtect Data Manager UI Downloads window by clicking the System Settings icon and selecting Downloads. These files provide the definition of the cluster role with the privileges required for PowerProtect Data Manager. Follow the instructions in the README.txt within the tar file to create the required clusterroles and clusterrolebindings, and to provide the token of the service account created in the yaml files. The README.txt file also provides instructions for manually creating the secret for ppdm-discovery-serviceaccount, which is required in Kubernetes versions 1.24 and later.
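The privilege list above expressed as Kubernetes RBAC objects, as an added example. This script is not the README.txt or the yaml files shipped in the PowerProtect Data Manager Downloads window and may differ from them; the only names taken from the documentation are ppdm-discovery-serviceaccount and the powerprotect namespace, and the kube-system location of the service account, the role and binding names, and the decision to create the powerprotect namespace up front are my assumptions. Each ClusterRole rule maps to one line of the list; full control inside powerprotect is a namespaced Role rather than a cluster-wide grant, and the Secret of type kubernetes.io/service-account-token is the manually created token that Kubernetes 1.24 and later require. Rendering is separated from applying so the manifest can be reviewed before it reaches kubectl.

```shell
# Added example (not from the PowerProtect README.txt): render and apply RBAC
# for the PowerProtect Data Manager discovery service account. Names other than
# ppdm-discovery-serviceaccount and the powerprotect namespace are assumptions.
set -eu

SA_NAME="ppdm-discovery-serviceaccount"
SA_NAMESPACE="kube-system"      # assumed location of the service account
PPDM_NAMESPACE="powerprotect"

# Emit the manifest on stdout so it can be reviewed before anything is applied.
render_ppdm_rbac() {
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata: {name: ${PPDM_NAMESPACE}}
---
apiVersion: v1
kind: ServiceAccount
metadata: {name: ${SA_NAME}, namespace: ${SA_NAMESPACE}}
---
# Cluster-wide privileges, one rule per item of the documented list.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: ppdm-discovery-clusterrole}
rules:
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "create", "update", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterrolebindings"]
  verbs: ["get", "create", "update"]
# RBAC escalation prevention: to create a binding to cluster-admin the subject
# must also hold the 'bind' verb on that ClusterRole (or all of its permissions),
# so in practice this account is cluster-admin-equivalent and its token must be
# protected accordingly.
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles"]
  resourceNames: ["cluster-admin"]
  verbs: ["bind"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch", "create", "update"]
- apiGroups: [""]
  resources: ["persistentvolumes", "persistentvolumeclaims", "pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: ppdm-discovery-clusterrolebinding}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: ppdm-discovery-clusterrole}
subjects: [{kind: ServiceAccount, name: ${SA_NAME}, namespace: ${SA_NAMESPACE}}]
---
# Full control is granted only inside the powerprotect namespace (a Role).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: ppdm-powerprotect-admin, namespace: ${PPDM_NAMESPACE}}
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "create", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: ppdm-powerprotect-admin, namespace: ${PPDM_NAMESPACE}}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: ppdm-powerprotect-admin}
subjects: [{kind: ServiceAccount, name: ${SA_NAME}, namespace: ${SA_NAMESPACE}}]
---
# Kubernetes 1.24+ no longer auto-creates token secrets; request one explicitly.
apiVersion: v1
kind: Secret
metadata:
  name: ${SA_NAME}-token
  namespace: ${SA_NAMESPACE}
  annotations: {kubernetes.io/service-account.name: ${SA_NAME}}
type: kubernetes.io/service-account-token
EOF
}

# Apply the manifest, then print the bearer token to paste into Add Credentials.
apply_ppdm_rbac_and_get_token() {
  render_ppdm_rbac | kubectl apply -f -
  kubectl -n "${SA_NAMESPACE}" get secret "${SA_NAME}-token" \
    -o jsonpath='{.data.token}' | base64 -d
}

# Nothing is applied unless explicitly requested: PPDM_APPLY=1 sh this-script.sh
if [ "${PPDM_APPLY:-0}" = "1" ]; then
  apply_ppdm_rbac_and_get_token
fi
```

Run the script without PPDM_APPLY to see the manifest, compare it against the yaml files from the Downloads window, and only then apply. Treat the printed token as a cluster-admin credential: paste it into Add Credentials and do not store it elsewhere.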
6. By default, the Kubernetes cluster discovery occurs automatically after adding the cluster as an asset source, and subsequent discoveries are incremental. If you want to schedule a full discovery at a certain time every day, move the Schedule Discovery slider to the right, and then specify a time.
7. Optionally, click the down arrow to expand Advanced Options, and then specify the following:
   - If the Kubernetes clusters are deployed in a vSphere environment where the VMware CSI driver has been deployed automatically by the Kubernetes distribution, the CSI driver secret may not be available in the Kubernetes cluster. If this applies, move the VMware CSI Driver as process slider to the right, and then select the vCenter Server asset source.
   - If required, upload the text of the Kubernetes cluster root certificate in Base64 format. You can obtain the root certificate by running one of the following commands:
     On AWS EKS, run:
     aws eks describe-cluster --region <region> --name <Kubernetes cluster name> --query "cluster.certificateAuthority.data" --output <certificate file name>
     For other distributions, run kubectl config view --flatten or its equivalent and obtain the Base64 encoded root certificate from the certificate-authority-data field for the cluster.
     NOTE This step is only required for other distributions when certificate-related errors occur while adding the Kubernetes cluster asset source.
   - Add a key and value for each Controller Configuration that you want to configure. Click + for each additional entry. You can specify up to eight controller configurations. Controller Configurations provides more information about the available options.
   - If adding network interface cards (NICs) or setting the DNS configuration for pods, update the PowerProtect Controller configuration, Velero configuration, or cProxy configuration by specifying additional attributes or changing existing attributes in these fields. Customizing the PowerProtect Data Manager pod configuration provides information about creating sample yaml files for applying these changes.
   NOTE When updates to Advanced Options result in changes to the configuration of PowerProtect Data Manager components in the Kubernetes cluster, running protection activities can be interrupted.
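The root-certificate sub-step of Advanced Options, as an added example that is not part of the PowerProtect documentation: two helpers retrieve the Base64 certificate-authority-data (one from a kubeconfig for non-EKS distributions, one from the EKS API), and a third checks that a value really is Base64 that decodes to a PEM certificate before it is pasted into the certificate field, which is where certificate-related errors usually originate. The EKS invocation uses --output text so the bare Base64 string is printed; that choice, the cluster and region placeholders, and the function names are mine.

```shell
# Added example (not from the PowerProtect documentation): obtain the Base64
# root certificate for the Advanced Options certificate field and check it
# before pasting. Cluster and region names are placeholders supplied by the caller.
set -eu

# Non-EKS distributions: read certificate-authority-data for the named cluster
# from the kubeconfig. --raw is needed, otherwise kubectl prints DATA+OMITTED.
ca_data_from_kubeconfig() {
  cluster="$1"
  kubectl config view --raw --flatten \
    -o jsonpath="{.clusters[?(@.name==\"${cluster}\")].cluster.certificate-authority-data}"
}

# AWS EKS: the same value from the EKS API (--output text is my choice; the
# documentation's own invocation is shown in the step above).
ca_data_from_eks() {
  region="$1"; cluster="$2"
  aws eks describe-cluster --region "$region" --name "$cluster" \
    --query "cluster.certificateAuthority.data" --output text
}

# Return 0 when the value is valid Base64 whose decoding is a PEM certificate
# block, 1 otherwise. Whitespace and newlines inside the value are tolerated.
check_ca_data() {
  decoded="$(printf '%s' "$1" | tr -d ' \n\r' | base64 -d 2>/dev/null)" || return 1
  case "$decoded" in
    "-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Convenience: print subject and expiry of the decoded certificate so the
# operator can confirm it is the cluster CA and not an expired or wrong one.
show_ca_details() {
  check_ca_data "$1" || { echo "not a Base64-encoded PEM certificate" >&2; return 1; }
  printf '%s' "$1" | tr -d ' \n\r' | base64 -d | openssl x509 -noout -subject -enddate
}

# Usage: sh this-script.sh <kubeconfig cluster name>
if [ "$#" -eq 1 ]; then
  ca="$(ca_data_from_kubeconfig "$1")"
  show_ca_details "$ca" && printf '%s\n' "$ca"
fi
```

Feed the printed value into the certificate field unchanged; if check_ca_data rejects it, the most common causes are a kubeconfig rendered without --raw (the placeholder DATA+OMITTED is not Base64) or a value that was already decoded to PEM, since the field expects the Base64 form.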
8. Next to Certificate, click Verify to review the certificate and token information, and then click Accept.
   Upon successful validation, the status for the new credentials updates to indicate Accepted.
9. Click Save.
   The Kubernetes cluster information that you entered now appears as an entry on the Asset Sources window, with a Discovery status of Unknown.
   NOTE Although PowerProtect Data Manager automatically synchronizes with the Kubernetes cluster to perform the initial discovery under most circumstances, certain conditions might require you to initiate a manual discovery.
10. (Optional) If you want to initiate a manual discovery, select the Kubernetes cluster, and then click Discover.
    Incremental discovery for a Kubernetes cluster in PowerProtect Data Manager is not supported. You can perform an on-demand (ad hoc) discovery at any time or set a scheduled discovery to update with changes in the Kubernetes cluster.
    NOTE Discovery time is based on networking bandwidth. The resources that are involved in the discovery process impact performance each time you initiate a discovery. It might appear that PowerProtect Data Manager is not updating the Asset Sources data while the discovery is in progress.
11. Verify that the Discovery Status column indicates OK, and then go to the Assets window.
Results
Upon adding the Kubernetes cluster as an asset source, a PowerProtect controller is installed on the cluster, which is also used to install Velero with the DD Object store plug-in and the vSphere plug-in. The namespaces in the Kubernetes cluster appear in the Kubernetes tab of the Assets window. To view more details within this window, click the magnifying glass icon next to an entry. Also, if a namespace has associated PVCs that you want to exclude from a policy, you can click the link in the PVCs Exclusion column.
NOTE If namespace assets are not discovered after adding a Kubernetes cluster asset source, ensure that the bearer token that is provided for the Kubernetes asset source belongs to a service account that has the privileges specified in step 5.
Next steps
Create Kubernetes protection policies to back up namespaces and PVCs.