- Notes, cautions, and warnings
- Preface
- PowerProtect Data Manager for Kubernetes Overview
- About asset sources, assets, and storage
- Prerequisites
- Supported Internet Protocol versions
- Port usage
- Role-based security
- Data-in-flight encryption
- Roadmap for Kubernetes cluster protection
- Roadmap for Tanzu Kubernetes guest cluster protection
- Updating PowerProtect Data Manager from version 19.9 or earlier to the latest version in a Kubernetes environment
- Enabling the Kubernetes Cluster
- Adding a Kubernetes cluster asset source
- Prerequisites to Tanzu Kubernetes guest cluster protection
- Prerequisites to Kubernetes cluster discovery
- Enable an asset source
- Delete an asset source
- Add a VMware vCenter Server
- Add a Kubernetes cluster
- Controller Configurations
- Customizing the PowerProtect Data Manager pod configuration
- Add a VM Direct Engine
- Managing Storage, Assets, and Protection for Kubernetes Clusters
- Add protection storage
- Replication triggers
- Add a protection policy for Kubernetes namespace protection
- Add a Cloud Tier objective to a protection policy
- Add a service-level agreement
- Extended retention (for protection policies created in PowerProtect Data Manager 19.11 and earlier)
- Edit the retention period for backup copies
- Delete backup copies
- Using the PowerFlex volumegroup snapshot extension
- Protecting PVCs in PowerScale access zones
- Restoring Kubernetes Namespaces and PVCs
- Kubernetes Cluster Best Practices and Troubleshooting
- Configuration changes required for use of optimized data path and first class disks
- Recommendations and considerations when using a Kubernetes cluster
- Support Network File System (NFS) root squashing
- Update the Velero or OADP version used by PowerProtect Data Manager
- VM Direct protection engine overview
- Troubleshooting network setup issues
- Troubleshooting Kubernetes cluster issues
- Specify volumesnapshotclass for v1 CSI snapshots
- Enabling protection when the vSphere CSI driver is installed as a process
- Pod configuration not updated in Velero deployment when hostNetwork field is omitted from patch string
- Backups fail or hang on OpenShift after a new PowerProtect Data Manager installation or update from a 19.9 or earlier release
- Data protection operations for high availability Kubernetes cluster might fail when API server not configured to send ROOT certificate
- Kubernetes cluster on Amazon Elastic Kubernetes Service certificate considerations
- Removing PowerProtect Data Manager components from a Kubernetes cluster
- Increase the number of worker threads in Supervisor cluster backup-driver if Velero timeout occurs
- Velero pod backup and restore might fail if namespace being protected contains a large number of resources
- Pull images from Docker Hub as authenticated user if Docker pull limits reached
- Application-Consistent Database Backups in Kubernetes
- About application-consistent database backups in Kubernetes
- Obtain and deploy the CLI package
- About application templates
- Deploy application templates
- Perform application-consistent backups
- Verify application-consistent backups
- Disaster recovery considerations
- Granular-level restore considerations
- Log truncation considerations
- – Glossary of Acronyms –
- AAG: Always On availability group
- ACL: access control list
- AD: Active Directory
- AKS: Azure Kubernetes Service
- ARM: Azure Resource Manager
- API: application programming interface
- AVS: Azure VMware Solution
- AWS: Amazon Web Services
- AZ: availability zone
- BBB: block-based backup
- CA: certificate authority
- CBT: Changed Block Tracking
- CDC: change data capture
- CIFS: Common Internet File System
- CLI: command-line interface
- CLR: Common Language Runtime
- CN: common name
- CPU: central processing unit
- CR: custom resource
- CRD: custom resource definition
- CSI: container storage interface
- CSV: Cluster Shared Volume
- DAG: database availability group
- DA: database administrator
- DBID: database identifier
- DDMC: DD Management Center
- DDOS: DD Operating System
- DDVE: DD Virtual Edition
- DFC: DD Boost over Fibre Channel
- DNS: Domain Name System
- DPC: Data Protection Central
- DRS: Distributed Resource Scheduler
- DR: disaster recovery
- DSA: Dell security advisory
- EBS: Elastic Block Store
- EC2: Elastic Compute Cloud
- eCDM: Enterprise Copy Data Management
- ECS: Elastic Cloud Storage
- EKS: Elastic Kubernetes Service
- ENI: Elastic Network Interface
- EFI: Extensible Firmware Interface
- EULA: end-user license agreement
- FC: Fibre Channel
- FCD: first class disk
- FCI: failover cluster instance
- FETB: front-end protected capacity by terabyte
- FLR: file-level restore
- FQDN: fully qualified domain name
- FTP: File Transfer Protocol
- GB: gigabyte
- Gb/s: gigabits per second
- GCP: Google Cloud Platform
- GCVE: Google Cloud Virtual Edition
- GID: group identifier
- GLR: granular-level restore
- GUI: graphical user interface
- GUID: globally unique identifier
- HA: High Availability
- HANA: high-performance analytic appliance
- HTML: Hypertext Markup Language
- HTTP: Hypertext Transfer Protocol
- HTTPS: Hypertext Transfer Protocol Secure
- IAM: identity and access management
- IDE: Integrated Device Electronics
- IP: Internet Protocol
- IPv4: Internet Protocol version 4
- IPv6: Internet Protocol version 6
- KB: kilobyte
- LAC: License Authorization Code
- LAN: local area network
- MB: megabyte
- ms: millisecond
- MTU: maximum transmission unit
- NAS: network-attached storage
- NBD: network block device
- NBDSSL: network block device over SSL
- NDMP: Network Data Management Protocol
- NFC: Network File Copy
- NFS: Network File System
- NIC: network interface card
- NTFS: New Technology File System
- NTP: Network Time Protocol
- OS: operating system
- OSS: open-source software
- OVA: Open Virtualization Appliance
- PCS: Protection Copy Set
- PDF: Portable Document Format
- PEM: Privacy-enhanced Electronic Mail
- PIN: personal identification number
- PIT: point in time
- PKCS: Public Key Cryptography Standards
- PSC: Platform Service Controller
- PVC (cloud computing): private virtual cloud
- PVC (Kubernetes): Persistent Volume Claim
- RAC: Real Application Clusters
- RAM: random-access memory
- RBAC: role-based access control
- ReFS: Resilient File System
- REST API: representational-state transfer API
- RHEL: RedHat Enterprise Linux
- RMAN: Recovery Manager
- RPO: recovery-point objective
- RSA: Rivest-Shamir-Adleman
- S3: Simple Storage Services
- SaaS: software as a service
- SAP: System Analysis Program Development
- SCSI: Small Computer System Interface
- SDDC: software-defined data center
- SELinux: Security-Enhanced Linux
- SFTP: Secure File Transfer Protocol
- SLA: service-level agreement
- SLES: SuSE Linux Enterprise Server
- SLO: service-level objective
- SPBM: Storage Policy Based Management
- SQL: Structured Query Language
- SRS: Secure Remote Services
- SSD: solid-state drive
- SSH: Secure Shell
- SSL: Secure Sockets Layer
- SSMS: SQL Server Management Studio
- SSVs: System Stable Values
- TB: terabyte
- TCP: Transmission Control Protocol
- TDE: Transparent Data Encryption
- TLS: Transport Layer Security
- TPM: Trusted Platform Module
- TSDM: Transparent Snapshot Data Mover
- T-SQL: Transact-SQL
- UAC: user account control
- UDP: User Datagram Protocol
- UI: user interface
- UID: user identifier
- UTC: Coordinated Universal Time
- VADP: VMware vStorage APIs for Storage Awareness
- VBS: virtualization-based security
- VCF: VMware Cloud Foundation
- vCLS: vSphere Cluster Service
- VCSA: vCenter Server Appliance
- vCSA: vCenter Server Appliance
- VDI: Virtual Device Interface
- vDisk: virtual disk
- vDS: virtual distributed switch
- vFRC: Virtual Flash Read Cache
- VGT: Virtual Guest Tagging
- VIB: vSphere Installation Bundle
- VLAN: virtual LAN
- VM: virtual machine
- VMC: VMware Cloud
- VMDK: virtual machine disk
- VNet: virtual network
- VPC: virtual private cloud
- vRSLCM: vRealize Suite Lifecycle Manager
- VST: Virtual Switch Tagging
- vTPM: Virtual Trusted Platform Module
- VVD: VMware Validated Design
- vVol: virtual volume
- WAN: wide area network
PowerProtect Data Manager 19.12 Kubernetes User Guide
Set up the velero-plugin-for-vSphere in the Supervisor cluster
The following one-time configuration is required to set up the velero-plugin-for-vSphere in the Supervisor cluster:
About this task
NOTE Where noted, some of these steps are specific to the vSphere version and the Supervisor cluster version that you have installed.
Steps
-
For vSphere versions 7.0 U3 and later, install the Velero vSphere Operator in the Supervisor cluster:
-
In the
vSphere Client, select a user with the
vSphere Administrator role, or an account with the following vSphere privileges:
- SupervisorServices.Manage
- Namespaces.Manage
- Namespaces.Configure
-
Select
Workload Management, and then click the
Services tab in the right pane.
The right pane displays the available services.
- Select Add a New Service.
- In the Supervisor cluster version 1.21 and earlier, upload the Velero vSphere Operator Supervisor 1.1.0 YAML. In the Supervisor cluster version 1.22 and later, upload the Velero vSphere Operator Supervisor 1.2.0 YAML. Operator YAML files can be obtained from the following link.
-
After the
Velero vSphere Operator Supervisor service is added, install the service on the Supervisor cluster.
Once installed, a new namespace svc-velero-vsphere-domain-xxx gets created automatically with vSphere pods. The Velero vSphere Operator service works with the velero-plugin-for-vSphere to support backup and restore of Kubernetes workloads, including the snapshotting of persistent volumes.
To verify the Velero vSphere Operator installation, from the vSphere Client home menu, select Inventory, and then select the vCenter cluster where Workload Management is enabled. Select , and confirm that the Velero vSphere Operator is installed and its status is Configured.
- Select to view the namespaces running in the Supervisor cluster. For a selected namespace, click the Compute tab in the right pane to display the vSphere pods and Tanzu guest clusters.
-
In the
vSphere Client, select a user with the
vSphere Administrator role, or an account with the following vSphere privileges:
-
For vSphere versions previous to 7.0 U3, enable the vSphere Operator in the Supervisor cluster, for example, the Velero vSphere Operator:
- In the left pane of the vSphere Client, select Workload Cluster, and then click the Configure tab in the right pane.
-
In the
Workload-Cluster window, scroll down and select
Supervisor Services.
The right pane displays the available services.
-
Select the
Velero vSphere Operator service, and then click
Enable.
Once enabled, the new Kubernetes namespace gets created automatically with its own vSphere pods running with Supervisor affinity, which allows the Supervisor cluster to perform backups using the FCD snapshot.
-
Add a Supervisor namespace for the Velero instance. This namespace is required for the
velero-plugin-for-vSphere:
- In the Workload Management window of the vSphere Client, click New Namespace to create a namespace with the name velero.
- After creating this namespace, select the namespace in the left navigation pane and configure storage and permissions.
- Specify the storage for the velero namespace.
- Provide the appropriate vCenter user with the edit permission/role on the velero namespace.
-
Download the
command line binary:
- For the Supervisor cluster version 1.21 and earlier, download the command line binary Velero vSphere Operator CLI v1.1.0.
- For the Supervisor cluster version 1.22 and later, download the command line binary Velero vSphere Operator CLI v1.2.0.
-
Log in to the Supervisor cluster:
- In the vSphere Client, navigate to , and select the Supervisor namespace. Select the Summary tab, and then select Open under Link to CLI Tools to download the two executable files kubectl (the standard Kubernetes CLI) and kubectl-vsphere (the vSphere Plugin for kubectl). These files help you to authenticate with the Supervisor Cluster and Tanzu Kubernetes clusters using your vCenter Single Sign-On credentials. These instructions are also provided in the following article.
-
Log in to Supervisor cluster by using the following command with the appropriate vCenter user:
kubectl-vsphere login --insecure-skip-tls-verify --server=supervisor-cluster-ip-address -- vsphere-username username
-
Switch the context to the Supervisor cluster by running the following command:
kubectl config use-context supervisor-cluster-ip-address
-
Use the
Velero vSphere Operator CLI to install the
velero-plugin-for-vSphere into the
velero namespace:
- For Supervisor cluster version 1.21 and earlier, run velero-vsphere install --namespace velero --plugins vsphereveleroplugin/velero-plugin-for-vsphere:v1.4.0 --no-secret --no-default-backup-location --use-volume-snapshots=false
- For Supervisor cluster version 1.22 and later, run velero-vsphere install --namespace velero --plugins vsphereveleroplugin/velero-plugin-for-vsphere:v1.4.0 --image velero/velero:v1.8.1 --no-secret --no-default-backup-location --use-volume-snapshots=false
-
Using the same command line, enable changed block tracking (CBT) in the guest clusters:
# velero-vsphere configure --enable-cbt-in-guestsOnce enabled, this setting is applied to the current cluster and all incoming guest clusters.NOTE In Tanzu Kubernetes clusters with vSphere version 7.0 U2 and later, the command to enable CBT might return the error Failed to configure CBT on all VMs in guest clusters. If this occurs, verify that you have logged in to the Supervisor cluster as a vCenter admin, and then perform the following steps:
- Edit the ConfigMap
vmware-system-tkg-system-service-accounts in the
vmware-system-tkg namespace on the Supervisor cluster to add the following line:
'system.serviceaccount.service-account-name.default: "true"'
Where the service-account-name matches the name of the namespace that is created after the Velero operator installation. To obtain this name (svc-velero-vsphere-domain-xyz), you can log in to the vSphere Client, or use the command kubectl get ns | grep svc-velero-vsphere.
- Restart the TKGS controller by running the command kubectl rollout restart deployment vmware[1]system-tkg-controller-manager -n vmware-system-tkg.
-
Retry the command velero-vsphere configure --enable-cbt-in-guests.
- Optionally, verify that CBT is enabled in guest cluster virtual machines in a Supervisor namespace by running the following command:
kubectl get virtualmachine -n guest-cluster-namespace
If CBT is enabled, the following command returns the value TRUE:
kubectl get virtualmachine guest-cluster-node-VM-name -n guest-cluster-namespace -o jsonpath='{.status.changeBlockTracking}'
- Edit the ConfigMap
vmware-system-tkg-system-service-accounts in the
vmware-system-tkg namespace on the Supervisor cluster to add the following line:
-
Verify that the
velero-plugin-for-vSphere installation was successful by running the following command:
kubectl -n velero get veleroservice default -o json | jq '.status'
A successful installation displays a status of Completed, along with the version.
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\