Self-service Backup & Restore
You can protect your namespace application with IBM Fusion Backup & Restore even as an application user without cluster rights or a user without IBM Fusion administration rights. Application owners can create IBM Fusion Backup & Restore Custom Resources (CRs) within the application’s namespace to self-manage their application’s backup and restore needs without the involvement of a cluster or IBM Fusion Backup & Restore administrator.
- This feature is supported only for applications on the hub cluster, by using Custom Resources (CRs) and not through the IBM Fusion user interface. As an IBM Fusion Backup & Restore administrator, you can continue to manage backup of applications on a spoke cluster.
- Service protection does not back up these CRs, which are outside the IBM Fusion namespace.

All self-service Backup & Restore CRs, including scheduled Backup CRs, exist in the namespace of the application.
To create Backup & Restore CRs in the application’s namespace, you need to be an application namespace administrator, an application user, or a service account that has been granted permission to the namespace. Application namespace administrators can directly create Backup & Restore CRs within their application namespace.

Non-admin application users and service accounts need the namespace administrator to first grant IBM Fusion Backup & Restore permissions through standard OpenShift RoleBindings. The RoleBindings grant permissions for the user or service account in the application’s namespace with the specific Backup & Restore Role.

Each of the Backup & Restore CRs has ‘admin’, ‘crdview’, ‘edit’, and ‘view’ Roles available for it. They are named in the following format:

`<CR Name>.data-protection.isf.ibm.com-v1alpha1-<Role>`
Role | CR |
---|---|
backuppolicies.data-protection.isf.ibm.com | Backup Policy |
backups.data-protection.isf.ibm.com | Backup |
backupstoragelocations.data-protection.isf.ibm.com | Backup Storage Location |
deletebackuprequets.data-protection.isf.ibm.com | Delete Backup Request |
policyassignments.data-protection.isf.ibm.com | Policy Assignment |
recipes.spp-data-protection.isf.ibm.com | Recipe |
recoverbackupcrs.data-protection.isf.ibm.com | Recover Backup CRs |
restores.data-protection.isf.ibm.com | Restore |

For example, the Roles for the Backup CR are named:

- `backups.data-protection.isf.ibm.com-v1alpha1-admin`
- `backups.data-protection.isf.ibm.com-v1alpha1-crdview`
- `backups.data-protection.isf.ibm.com-v1alpha1-edit`
- `backups.data-protection.isf.ibm.com-v1alpha1-view`

`backuppolicy` or `backupstoragelocation` that is in another namespace, then specify it in "namespace/BP" or "namespace/BSL" format. The user must have permissions for the namespace that is specific for the BSL or BP.

RoleBindings can be created with a mix of permissions to achieve the desired level of management. For example, the application administrator wants to restrict Restore actions while allowing another user to perform all other Backup actions. To achieve this, the application administrator must create RoleBindings in the application's namespace for that other user with all Backup & Restore administrative roles except that of the Restore CR. To create the RoleBindings, see OpenShift documentation.
As an example, consider the following screenshot of the OpenShift® RoleBinding creation page showing the process of creating a RoleBinding for the user1 user identity in the namespace1 namespace with the `view` Backup & Restore PolicyAssignment Role.

The same RoleBinding can be created from the oc command line:

```
oc create rolebinding User1PolicyView --role=backuppolicies.data-protection.isf.ibm.com-v1alpha1-view --user=user1 -n namespace1
```
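
The mixed-permission case described above (every Backup & Restore admin Role except the Restore CR's), generated as `oc` commands in the same form as the page's command. This is an added example, not part of the IBM documentation; `user2`, the generated RoleBinding names, and the sample Role list (constructed from the table and naming format on this page) are assumptions.

```shell
#!/bin/sh
# Added example: print "oc create rolebinding" commands that give one user every
# Backup & Restore admin Role except those of one excluded CR (here: restores).
# Role names are read from stdin, one per line. Nothing is applied to a cluster.

# Constructed sample input, built from the table and naming format on this page.
SAMPLE_ROLES='backups.data-protection.isf.ibm.com-v1alpha1-admin
backups.data-protection.isf.ibm.com-v1alpha1-view
backuppolicies.data-protection.isf.ibm.com-v1alpha1-admin
policyassignments.data-protection.isf.ibm.com-v1alpha1-admin
restores.data-protection.isf.ibm.com-v1alpha1-admin
restores.data-protection.isf.ibm.com-v1alpha1-edit'

# admin_bindings USER NAMESPACE EXCLUDED_CR
# Emits one command per admin Role, skipping every Role of EXCLUDED_CR.
admin_bindings() {
    user=$1 ns=$2 excluded=$3
    while IFS= read -r role; do
        case $role in
            "$excluded".*) continue ;;          # withheld CR: no binding at all
            *.isf.ibm.com-v1alpha1-admin) ;;    # keep admin Roles only
            *) continue ;;                      # skip crdview/edit/view Roles
        esac
        cr=${role%%.*}                          # CR name prefix, e.g. "backups"
        # Binding name <user>-<cr>-admin is a hypothetical naming scheme.
        printf 'oc create rolebinding %s-%s-admin --role=%s --user=%s -n %s\n' \
            "$user" "$cr" "$role" "$user" "$ns"
    done
}

# withheld_roles EXCLUDED_CR
# Lists every Role of the excluded CR found on stdin, as a checklist to compare
# against the user's existing RoleBindings during review.
withheld_roles() {
    grep "^$1\."
}

# Dry run on the constructed sample: commands for user2 in namespace1.
printf '%s\n' "$SAMPLE_ROLES" | admin_bindings user2 namespace1 restores
```

Review the printed commands before running them; the Roles listed by `withheld_roles restores` are the ones that must not appear in any RoleBinding for that user.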
Service Accounts
Creating RoleBindings for multiple users individually is time-consuming. Service accounts provide another option for extending the self-service capability to a broad group of non-admin users. When creating a RoleBinding, you can select the ServiceAccount option in the Subject section instead of an individual user. For more information about service accounts, see OpenShift documentation.
RecoverBackupCRs
If an application’s namespace gets accidentally deleted or corrupted, the Backup & Restore CRs in that namespace are lost with it, which may prevent any potential recovery of the application from backups through a Backup CR.

Any successful `RecoverBackupCRs` action always recreates any prior Backup CRs. Recovery of other Backup & Restore CRs can be specified as options.

Example `RecoverBackupCRs` CR:
```yaml
apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: RecoverBackupCRs
metadata:
  name: example
  namespace: <replacement namespace>
spec:
  application: <deleted application namespace>
  reassignPolicies: true
  recreateDeleteBackupRequestCRs: false
  recreateRestoreCRs: false
```
All spec fields are optional.

- `application`: Name of the deleted application’s namespace. If not specified, the Backup & Restore service makes use of the application name from the `metadata.namespace` field.
- `reassignPolicies`: Boolean to recreate any prior Policy Assignment CRs or not. Default is false.
- `recreateDeleteBackupRequestCRs`: Boolean to recreate any prior `DeleteBackupRequest` CRs or not. Default is false.
- `recreateRestoreCRs`: Boolean to recreate any prior Restore CRs or not. Default is false.

- Create a replacement application namespace.
- Re-create the same Backup & Restore RoleBindings as in the original namespace.
- Create a `RecoverBackupCRs` CR in the replacement namespace that refers to the original namespace.

The Backup & Restore service detects the presence of this CR and performs verification checks to ensure that the administrative RoleBindings in the new namespace match those of the deleted application. If they match, the Backup & Restore service recreates all the relevant Backup & Restore CRs from its metadata. The desired Backup CR can then be used to restore the application from a prior backup.
Custom Backup & Restore Administrator
Another mode of operation for managing the Backup & Restore service is to grant a non-admin user administration of the Backup & Restore service. To do this, create RoleBindings for the user in the IBM Fusion namespace with the Backup & Restore admin Roles.
This user does not have IBM Fusion user interface access but can manage Backup & Restore activity of all applications on both hub and spoke clusters through Backup & Restore CRs within the IBM Fusion namespace.