PowerProtect Data Manager 19.17 Kubernetes User Guide

Recommendations and considerations when using a Kubernetes cluster

Review the following information that is related to the deployment, configuration, and use of the Kubernetes cluster as an asset source in PowerProtect Data Manager:

Performance and scale limits

The following limits have been tested successfully with PowerProtect Data Manager.

NOTE: These numbers are not maximum or hard limits, but should be considered when scaling your environment.

Table 1. Kubernetes cluster tested limits

| Configuration | Tested limits |
|---|---|
| Number of namespaces in a cluster | 300, with 1,000 resources per namespace |
| Number of vSphere CSI PVCs in a cluster | 250 |

Factors that can impact backup performance

The following factors can impact the Kubernetes namespace and PVC backup performance:

  • The number of Kubernetes resources in a namespace.
  • The number of PVCs in a namespace.
  • The performance of the storage system that contains the persistent volumes.

Enable concurrent multi-streaming in File System agent for protecting large volumes

The File System agent is the default data mover that PowerProtect Data Manager uses for protecting persistent volumes that are provisioned by CSI drivers other than the vSphere Container Storage Interface (CSI) driver. For volumes larger than 100 GB, PowerProtect Data Manager can protect PVCs using multiple File System agent streams. To enable this functionality, you can add the annotation ppdm.config.fsagent/streaming_mode: concurrent to the PVC, which the controller then passes to the cProxy. Adding this annotation can improve performance and reduce backup latency by up to 50%.

The number of required streams is calculated dynamically, and will not exceed eight streams to avoid impact to CPU performance. Configuration of the chunk size impacts the stream count calculation.

NOTE: Multiple streams are enabled only for sub-trees with a size greater than the chunk size. No chunking occurs if the volume is a root folder with no sub-folders that contains only flat files. The default chunk size is 50 GB.
Figure 1. Annotation to PVC for concurrent streams
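The following added example (not part of the Dell documentation) selects the PVCs that the rule above covers: Filesystem volumes larger than 100 GB that are not provisioned by the vSphere CSI driver, and prints the kubectl annotate command for each so the change can be reviewed before it is applied. Assumptions: each PVC carries the volume.kubernetes.io/storage-provisioner annotation, "100 GB" is read as 100 * 10^9 bytes, and the sample rows are constructed.

```shell
# Added example (not Dell code): list PVCs that qualify for concurrent streaming.
VSPHERE_CSI="csi.vsphere.vmware.com"   # provisioner name of the vSphere CSI driver
THRESHOLD_BYTES=100000000000           # assumption: "100 GB" read as 100 * 10^9 bytes

# Convert a Kubernetes quantity (250Gi, 2Ti, 500G, 1.5Ti) to bytes; fail on anything else.
quantity_to_bytes() {
  awk -v q="$1" 'BEGIN {
    m["Ki"]=2^10; m["Mi"]=2^20; m["Gi"]=2^30; m["Ti"]=2^40; m["Pi"]=2^50
    m["k"]=1e3; m["M"]=1e6; m["G"]=1e9; m["T"]=1e12; m["P"]=1e15; m[""]=1
    if (!match(q, /^[0-9]+(\.[0-9]+)?/)) exit 1
    num = substr(q, 1, RLENGTH); suf = substr(q, RLENGTH + 1)
    if (!(suf in m)) exit 1
    printf "%.0f\n", num * m[suf]
  }' </dev/null
}

# Reads "namespace name capacity volumeMode provisioner" rows on stdin and prints
# one kubectl annotate command per PVC that qualifies.
streaming_candidates() {
  local ns name cap mode prov bytes
  while read -r ns name cap mode prov; do
    [ "$mode" = "Filesystem" ] || continue          # Block volumes are not supported
    [ "$prov" = "$VSPHERE_CSI" ] && continue        # not protected by the File System agent
    bytes=$(quantity_to_bytes "$cap") || continue   # unbound PVCs report <none>
    [ "$bytes" -gt "$THRESHOLD_BYTES" ] || continue # must be larger than 100 GB
    printf 'kubectl annotate pvc %s -n %s ppdm.config.fsagent/streaming_mode=concurrent\n' \
      "$name" "$ns"
  done
  return 0
}

# Constructed sample rows, in the column order produced by the command below.
sample_pvcs() {
  cat <<'EOF'
shop db-data 500Gi Filesystem rbd.csi.ceph.com
shop cache 50Gi Filesystem rbd.csi.ceph.com
shop logs 100G Filesystem rbd.csi.ceph.com
infra vm-disk 2Ti Filesystem csi.vsphere.vmware.com
infra raw-lun 1Ti Block rbd.csi.ceph.com
infra pending <none> Filesystem rbd.csi.ceph.com
EOF
}

# Against a live cluster:
#   kubectl get pvc -A --no-headers -o custom-columns='NS:.metadata.namespace,NAME:.metadata.name,CAP:.status.capacity.storage,MODE:.spec.volumeMode,PROV:.metadata.annotations.volume\.kubernetes\.io/storage-provisioner' | streaming_candidates
```

With the sample rows, only shop/db-data qualifies; the 100G volume is skipped because it is not larger than the threshold.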

Add line to the custom-ports file when not using port 443 or 6443 for the Kubernetes API server

If a Kubernetes API server listens on a port other than 443 or 6443, an update is required to the PowerProtect Data Manager firewall to allow outgoing communication on the port being used. Before you add the Kubernetes cluster as an asset source, perform the following steps to ensure that the port is open:

  1. Log in to PowerProtect Data Manager, and change the user to root.
  2. Add a line to the file /etc/sysconfig/scripts/custom-ports that includes the port number that you want to open.
  3. Run the command service SuSEfirewall2 restart.

This procedure should be performed after a PowerProtect Data Manager update, restart, or server disaster recovery.
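Because the entry has to be re-applied after an update, restart, or disaster recovery, an idempotent helper keeps the firewall change limited to the one port that is needed. The following is an added example, not Dell code; it assumes that each line of custom-ports holds a bare port number, and the function names and the example host name are hypothetical.

```shell
# Added example (not Dell code). Assumption: one bare port number per line.
CUSTOM_PORTS_FILE="/etc/sysconfig/scripts/custom-ports"   # path from the procedure above

# Extract the TCP port from an API server URL such as https://host:8443 (443 if omitted).
api_server_port() {
  local hostport
  hostport=${1#*://}; hostport=${hostport%%/*}
  case "$hostport" in
    *']') printf '443\n' ;;                         # bracketed IPv6 literal without a port
    *:*)  printf '%s\n' "${hostport##*:}" ;;
    *)    printf '443\n' ;;
  esac
}

# Append PORT to FILE unless it is 443 or 6443 (no entry needed) or already listed.
# Prints "skipped", "present" or "added"; returns 1 for an invalid port.
ensure_custom_port() {
  local file="$1" port="$2"
  case "$port" in ''|*[!0-9]*|??????*) return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  case "$port" in 443|6443) echo skipped; return 0 ;; esac
  if [ -f "$file" ] && grep -qx "$port" "$file"; then echo present; return 0; fi
  printf '%s\n' "$port" >> "$file" && echo added
}

# As root on the PowerProtect Data Manager host (hypothetical API server URL):
#   port=$(api_server_port "https://k8s.example.internal:8443")
#   ensure_custom_port "$CUSTOM_PORTS_FILE" "$port" && service SuSEfirewall2 restart
```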

Log locations for Kubernetes asset backup and restore operations and pod networking

All session logs for Kubernetes asset protection operations are pulled into the /logs/external-components/k8s folder on the PowerProtect Data Manager host.

Parallel backup and restore performance considerations

To throttle system performance, the default settings for PowerProtect Data Manager data protection are five parallel namespace backups and two parallel namespace restores per Kubernetes cluster. You can change the ppdm.backup.concurrency and ppdm.restore.concurrency settings in the controller configuration for the Kubernetes cluster asset source, as described in the section Controller configurations. You can queue up to 100 namespace backups across protection policies in PowerProtect Data Manager.

You can also enable the k8s.ppdm.enable.parallel.pvc.backup setting to concurrently back up a maximum of 5 PVCs per namespace. If parallel PVC backup is enabled with the k8s.ppdm.enable.parallel.pvc.backup setting, in the case of vSphere CSI volumes, one cProxy is started per namespace. For non-vSphere CSI volumes, up to five cProxies will be started per namespace.

Refer to the section Resource requirements of PowerProtect Data Manager components on Kubernetes cluster to determine the overhead on the Kubernetes cluster with the higher concurrency settings before making any changes.

Resource requirements of PowerProtect Data Manager components on Kubernetes cluster

At any time during backup, with the default backup and restore concurrency settings, the typical footprint of PowerProtect Data Manager components (Velero, PowerProtect Controller, cProxy) is less than 2 GB of RAM and four CPU cores. Utilization of these resources peaks only during backups.

The following resource limits are defined on the PowerProtect pods, which are part of the PowerProtect Data Manager stack:

  • Velero maximum resource usage: 1 CPU core, 256 MB memory
  • PowerProtect Controller maximum resource usage: 1 CPU core, 256 MB memory
  • PowerProtect cProxy pods: Each cProxy pod typically consumes less than 300 MB memory and less than 0.8 CPU cores. These pods are created and terminated within the backup and restore job.
  • One cProxy pod is started for each namespace with PVCs that is backed up or restored.

Only Persistent Volumes with VolumeMode Filesystem supported

Backup and recovery of Kubernetes cluster assets in PowerProtect Data Manager is only supported for Persistent Volumes with the VolumeMode Filesystem.

Objects using PVC scaled down before starting the restore

The following activities occur before a PVC restore to the original namespace or an existing namespace when PowerProtect Data Manager detects that the PVC is in use by a Pod, Deployment, StatefulSet, DaemonSet, ReplicaSet, or Replication Controller:

  • PowerProtect Data Manager scales down any objects using the PVC.
  • PowerProtect Data Manager deletes the DaemonSet and any Pods using PVCs.

Upon completion of the PVC restore, any objects that were scaled down are scaled back up, and any objects that were deleted are re-created. Ensure that you shut down any Kubernetes jobs that actively use the PVC before running a restore.

NOTE: If PowerProtect Data Manager is unable to reset the configuration changes due to a controller crash, it is recommended to delete the Pod, Deployment, StatefulSet, DaemonSet, ReplicaSet, or Replication Controller from the namespace, and then perform a Restore to Original again on the same namespace.

Restore to a different existing namespace can result in a mismatch between the UID of the pod and the UID of the persistent volume files

A PowerProtect Data Manager restore of files in persistent volumes restores the UID and GID along with the contents. When performing a restore to a different namespace that already exists, and the pod consuming the persistent volume is running with restricted Security Context Constraints (SCC) on OpenShift, the UID assigned to the pod upon restore might not match the UID of the files in the persistent volumes. This UID mismatch might result in a pod startup failure.

For namespaces with pods running with restricted SCC, it is recommended to use one of the following restore options:

  • Restore to a new namespace where PowerProtect Data Manager restores the namespace resource as well.
  • Restore to the original namespace if this namespace still exists.
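To diagnose a suspected mismatch after a restore, the owners of the restored files can be compared with the UID range of the target namespace. The following is an added example, not Dell code; it assumes that the namespace records its range in the openshift.io/sa.scc.uid-range annotation in the form start/size, and the function names, TARGET_NS, and the volume path are hypothetical.

```shell
# Added example (not Dell code). Assumption: the UID range is written as <start>/<size>.

# Print "first last" for a range such as 1000650000/10000; fail on any other form.
uid_range_bounds() {
  local start size v
  start=${1%%/*}; size=${1#*/}
  [ "$1" = "$start/$size" ] || return 1
  for v in "$start" "$size"; do
    case "$v" in ''|*[!0-9]*) return 1 ;; esac
  done
  [ "$size" -ge 1 ] || return 1
  echo "$start $((start + size - 1))"
}

# Read one numeric UID per line on stdin; print each UID that lies outside RANGE.
uids_outside_range() {
  local bounds first last uid
  bounds=$(uid_range_bounds "$1") || return 1
  first=${bounds% *}; last=${bounds#* }
  while read -r uid; do
    case "$uid" in ''|*[!0-9]*) continue ;; esac
    if [ "$uid" -lt "$first" ] || [ "$uid" -gt "$last" ]; then echo "$uid"; fi
  done
  return 0
}

# Against a live cluster (GNU find; the volume path is a placeholder):
#   range=$(oc get namespace "$TARGET_NS" \
#     -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}')
#   find /path/to/restored/volume -printf '%U\n' | sort -un | uids_outside_range "$range"
```

Any UID that is printed belongs to files that were restored with an owner outside the range from which the restricted SCC assigns the pod UID in that namespace.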
