Preventive Service Planning
This document details the Kubernetes backup and restore requirements for IBM Spectrum Protect Plus Version 10.1.6.
Beginning with IBM Spectrum Protect Plus V10.1.5, support was added to protect persistent volumes that are attached to containers in Kubernetes clusters by using the Kubernetes command line. In IBM Spectrum Protect Plus V10.1.6, backup support for containers is extended to the IBM Spectrum Protect Plus user interface.
Before you deploy IBM Spectrum Protect Plus V10.1.6 Kubernetes Backup Support in the Kubernetes environment, ensure that the system environment meets the requirements.
In V10.1.6, Kubernetes Backup Support is available only in English.
Docker containers are supported in Kubernetes Backup Support.
Table 1. Coverage matrix for supported operating systems on Linux® x86_64
| IBM Spectrum Protect Plus | RHEL 7.6 | RHEL 7.7 | RHEL 7.8 |
|---|---|---|---|
IBM Spectrum Protect Plus V10.1.6 supports the following software and systems:
- Kubernetes v1.18 and later patches and updates
- Kubernetes v1.17 and later patches and updates
- Kubernetes v1.16 and later patches and updates
- Ceph Container Storage Interface (CSI) driver 1.2, 2.0, and 2.1 with Rados Block Device (RBD) storage
- Helm v2.16.1 and later
Restriction: Helm v3 is not supported.
If you are using the following Kubernetes and Ceph CSI driver versions, use IBM Spectrum Protect Plus V10.1.5:
- Kubernetes v1.13 and later patches and updates
- Kubernetes v1.14 and later patches and updates
- Kubernetes v1.15 and later patches and updates
- Ceph CSI driver 1.1 with RBD storage
For information about Kubernetes releases, see Kubernetes Release Versioning.
To install and configure container backup support, you must deploy the Kubernetes Backup Support software in the Kubernetes environment. For instructions, see Installing Kubernetes Backup Support.
- Backup operations for raw block volumes are not supported.
- To ensure that a restore request works correctly, do not manually delete any snapshots of volumes that are protected by Kubernetes Backup Support.
- You cannot restore a snapshot or copy backup to a different namespace or cluster.
- You cannot restore a snapshot or copy backup to the original persistent volume.
- You can restore a snapshot or copy backup only to a new persistent volume. The persistent volume claim (PVC) for the new volume is automatically created during the restore operation.
- A rollback to a previous version of Kubernetes Backup Support is not supported. In other words, you cannot use Kubernetes Backup Support V10.1.5 to restore data that was backed up by Kubernetes Backup Support V10.1.6.
- Upgrading the product from Kubernetes Backup Support V10.1.5 is not supported.
- Due to underlying changes in the BaaSReq object in Kubernetes Backup Support V10.1.6, you cannot use Kubernetes Backup Support V10.1.6 to restore data that was backed up by Kubernetes Backup Support V10.1.5.
- Kubernetes Backup Support protects only persistent storage that was allocated by a storage plug-in that supports the CSI.
- You must be running a Kubernetes cluster with CSI support.
- Persistent storage must be provided by the CSI driver, which must support CSI snapshot capabilities.
- CSI snapshot support must be enabled on the
- The Kubernetes command line tool kubectl must be accessible on the installation host and in the local path.
- Only formatted volumes can be mounted to the data mover for copy operations.
- Optional: To help optimize product performance and scalability, ensure that Kubernetes Metrics Server v0.3.5 or later is installed and running on your cluster. For instructions, see Verifying whether the metrics server is running.
- For Kubernetes v1.16, copy backup and snapshot restore operations require the VolumeSnapshotDataSource alpha feature to be enabled. To enable the VolumeSnapshotDataSource alpha feature, you must patch the Kubernetes scheduler, controller, and API server. For instructions, see Enabling the
- A storage class must be defined for the persistent volumes that are being protected.
- The target image registry must be accessible from the Kubernetes cluster. The target image registry can be a local image registry or an external image registry. For an external image registry, you can configure an image pull secret to secure your environment. For instructions, see Creating an image-pull secret for use with an external registry.
- The host that is used to install Kubernetes Backup Support must use a kubeconfig file (KUBECONFIG) that has cluster-admin privileges, and the Helm client must be installed on that host.
- To create new cluster-wide resources, you must be logged in to the target cluster as a user with
- Ensure that Kubernetes Backup Support secrets that include user IDs, passwords, and keys are encrypted at rest in the etcd distributed key-value store. For more information, see Encrypting Secret Data at Rest.
- The Helm tool must be configured on the target cluster so that a new deployment can be run with the helm command line. Deploying a package with Helm enables cluster-wide role-based access control (RBAC) rules and role bindings to be generated.
- For the Kubernetes cluster, to install Helm as root user with the Kubernetes administrative user account, run the following script, which is included in the installation package:
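The cluster-side prerequisites in the list above (supported Kubernetes release, Helm v2.16.1 or later rather than v3, CSI snapshot support, a Ceph RBD CSI storage class, and the VolumeSnapshotDataSource alpha feature on v1.16) can be verified before the installer is run. The script below is an added pre-flight check written for this page; it is not the Helm installation script that the installation package includes, and not product code. It assumes that kubectl and helm are in the PATH and that the current kubeconfig context has cluster-admin privileges; the provisioner name `rbd.csi.ceph.com` and the CRD name `volumesnapshotclasses.snapshot.storage.k8s.io` are taken from the upstream Ceph CSI and CSI snapshotter projects, not from this page. The sample command outputs are constructed so the rules can be exercised offline.

```python
"""Pre-flight check of the cluster-side prerequisites for Kubernetes Backup Support.

Added example for this page, not code from the IBM installation package. The rule
functions take captured command output as plain values, so they run offline against
the constructed samples below; collect_live() shows the kubectl/helm calls that
would feed them on a real cluster (assumes kubectl and helm in PATH and a kubeconfig
with cluster-admin privileges).
"""
import json
import re
import subprocess

SUPPORTED_K8S_MINORS = {16, 17, 18}   # Kubernetes releases supported by V10.1.6
MIN_HELM = (2, 16, 1)                 # Helm v2.16.1 or later; Helm v3 is not supported
# Assumed upstream names (not stated on this page): the Ceph CSI RBD driver's
# provisioner string and the CRD that the CSI external-snapshotter installs.
RBD_CSI_PROVISIONER = "rbd.csi.ceph.com"
SNAPSHOT_CLASS_CRD = "volumesnapshotclasses.snapshot.storage.k8s.io"

# Constructed sample inputs, shaped like real command output.
SAMPLE_VERSION_JSON = json.dumps({"clientVersion": {"major": "1", "minor": "18"},
                                  "serverVersion": {"major": "1", "minor": "17+"}})
SAMPLE_HELM_V2 = 'Client: &version.Version{SemVer:"v2.16.1", GitCommit:"0000000", GitTreeState:"clean"}'
SAMPLE_HELM_V3 = 'version.BuildInfo{Version:"v3.2.1", GitCommit:"0000000", GitTreeState:"clean"}'
SAMPLE_CRDS = {"volumesnapshotclasses.snapshot.storage.k8s.io",
               "volumesnapshots.snapshot.storage.k8s.io"}
SAMPLE_PROVISIONERS = ["kubernetes.io/no-provisioner", "rbd.csi.ceph.com"]


def k8s_minor(version_json):
    """Server minor version from `kubectl version -o json`; some distributions report "17+"."""
    minor = json.loads(version_json)["serverVersion"]["minor"]
    return int(re.match(r"\d+", minor).group(0))


def helm_client_version(version_text):
    """(major, minor, patch) from `helm version`: v2 prints SemVer:"v2.x.y", v3 prints Version:"v3.x.y"."""
    m = re.search(r'"v(\d+)\.(\d+)\.(\d+)', version_text)
    if m is None:
        raise ValueError("unrecognised helm version output")
    return tuple(int(x) for x in m.groups())


def evaluate(version_json, helm_text, crd_names, provisioners):
    """Return [(level, message)] with level OK, WARN or FAIL for each requirement."""
    findings = []
    minor = k8s_minor(version_json)
    if minor in SUPPORTED_K8S_MINORS:
        findings.append(("OK", f"Kubernetes 1.{minor} is supported"))
        if minor == 16:  # copy backup and snapshot restore need the alpha feature gate on 1.16
            findings.append(("WARN", "Kubernetes 1.16: enable the VolumeSnapshotDataSource alpha feature"))
    else:
        findings.append(("FAIL", f"Kubernetes 1.{minor} is not supported by V10.1.6"))

    helm = helm_client_version(helm_text)
    helm_str = "v" + ".".join(str(x) for x in helm)
    if helm[0] == 3:
        findings.append(("FAIL", f"Helm {helm_str}: Helm v3 is not supported, use v2.16.1 or later"))
    elif helm[0] == 2 and helm >= MIN_HELM:
        findings.append(("OK", f"Helm {helm_str} is supported"))
    else:
        findings.append(("FAIL", f"Helm {helm_str} is not a supported Helm v2 release (v2.16.1 or later)"))

    if SNAPSHOT_CLASS_CRD in crd_names:
        findings.append(("OK", "CSI snapshot CRDs are installed"))
    else:
        findings.append(("FAIL", "CSI snapshot support is not installed (VolumeSnapshotClass CRD missing)"))

    if RBD_CSI_PROVISIONER in provisioners:
        findings.append(("OK", "a StorageClass uses the Ceph CSI RBD driver"))
    else:
        findings.append(("FAIL", "no StorageClass is provisioned by the Ceph CSI RBD driver"))
    return findings


def passed(findings):
    """True when no requirement failed (warnings do not block deployment)."""
    return not any(level == "FAIL" for level, _ in findings)


def collect_live():
    """Gather the same inputs from the current kubeconfig context.
    `helm version` is not check=True: Helm v2 still prints its client line when Tiller is unreachable."""
    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    crds = {line.rsplit("/", 1)[-1] for line in run("kubectl", "get", "crd", "-o", "name").splitlines()}
    provisioners = run("kubectl", "get", "sc", "-o", "jsonpath={.items[*].provisioner}").split()
    return run("kubectl", "version", "-o", "json"), run("helm", "version"), crds, provisioners


if __name__ == "__main__":
    import sys
    inputs = collect_live() if "--live" in sys.argv else (
        SAMPLE_VERSION_JSON, SAMPLE_HELM_V2, SAMPLE_CRDS, SAMPLE_PROVISIONERS)
    results = evaluate(*inputs)
    for level, message in results:
        print(f"{level:5} {message}")
    sys.exit(0 if passed(results) else 1)
```

Run it with `--live` on the installation host to evaluate the real cluster; without the flag it evaluates the constructed samples. A WARN is reported, not a FAIL, for Kubernetes v1.16, because the cluster is supported but the alpha feature still has to be enabled on the scheduler, controller, and API server before copy backups and snapshot restores will work.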
External, non-container components such as IBM Spectrum Protect Plus and the IBM Spectrum Protect Plus vSnap server must be provisioned and configured by the IBM Spectrum Protect Plus administrator:
- An administrative account for Kubernetes Backup Support must be configured on IBM Spectrum Protect Plus.
This administrative account can be configured as a global Lightweight Directory Access Protocol (LDAP) account in the data center. This global account is required for access to all external components that Kubernetes Backup Support operates with.
You must specify this account name in the BAAS_ADMIN parameter in the baas_config.cfg configuration file before you deploy Kubernetes Backup Support. The baas_config.cfg file is located in the installer directory. For instructions, see Installing and deploying Kubernetes Backup Support images.
- An IBM Spectrum Protect Plus instance must be deployed and licensed as a VMware virtual appliance.
Network connectivity must exist to and from the target cluster. The IBM Spectrum Protect Plus Internet Protocol (IP) address and port number must be specified in the baas_config.cfg file before you deploy Kubernetes Backup Support. Only one port (443) can be specified for use with all IBM Spectrum Protect Plus instances.
- An IBM Spectrum Protect Plus vSnap instance must be deployed as a VMware virtual appliance.
- Network connectivity must exist to and from the target Kubernetes cluster and IBM Spectrum Protect Plus vSnap instance.
- The vSnap instance must be configured as an external vSnap server for storing backups. For instructions, see Installing vSnap servers.
- If backups are encrypted at rest, ensure that enough capacity is allocated for encryption on the vSnap server.
- Ensure that you specify the username for the IBM Spectrum Protect Plus administrative account in the baas_config.cfg configuration file. For more information, see Installing and deploying Kubernetes Backup Support images.
- To access the device that is associated with the persistent volume, the data mover container must be a privileged container.
- Depending on their role, enterprise application developers and backup administrators interact with different user interfaces to protect persistent data in containers, as described in User roles.
Before you start a backup or restore operation:
- After Kubernetes Backup Support is installed, the application host for the Kubernetes Backup Support container is automatically registered upon startup of the cluster host in Kubernetes. When a cluster is registered with IBM Spectrum Protect Plus, an inventory of the resources in the cluster is automatically captured, enabling you to complete backup and restore jobs, and run reports.
- To protect persistent volumes that are attached to a Kubernetes cluster, create service level agreement (SLA) policies and create jobs for backup and restore operations in the IBM Spectrum Protect Plus user interface. If you do not plan to use the default SLA policy for containers, ensure that you configure an SLA policy. For instructions, see Creating an SLA policy for Kubernetes clusters.
- Ensure that appropriate roles and resource groups are assigned to the user who runs the backup job. Before an IBM Spectrum Protect Plus user can run backup and restore operations, roles and resource groups must be assigned to the user. For instructions, see Managing user access.
- Backup requests are directed to PVCs for the volumes that you want to protect. Before you schedule a backup job, take the following actions:
- Ensure that the PVC exists within the specified namespace.
- Ensure that the PVC is formatted. PVCs must be formatted before they can be backed up. For a PVC to be formatted correctly, it must be mounted and written to. Backup operations of raw block volumes are not supported.
- Determine which SLA policy to assign to PVCs. For instructions about viewing the available SLA policies, see SLA policies.
- If a PVC is associated with multiple SLA policies, ensure that the policies are not scheduled to run concurrently. Either schedule the SLA policies to run with a significant amount of time between them, or combine them into a single SLA policy.
Review the following information about creating backup and restore jobs:
- You can use the IBM Spectrum Protect Plus user interface to create jobs for backup and restore operations, to expire or monitor Kubernetes Backup Support jobs, and to create reports. For instructions, see Backing up and restoring Kubernetes clusters by using the IBM Spectrum Protect Plus user interface.
- As an application developer in a Kubernetes environment, you can submit Kubernetes Backup Support requests by using the Kubernetes command-line interface to back up and restore container data, and to query the status of Kubernetes Backup Support requests. For instructions, see Protecting containers by using the command line.
Ensure that the following connectivity requirements are met:
- The secure file transfer protocol (SFTP) subsystem for Secure Shell (SSH) is enabled.
- The Secure Shell (SSH) service is running on Kubernetes NodePort services.
- Firewalls are configured to allow IBM Spectrum Protect Plus to connect to data mover containers by using SSH over the NodePort port range of the Kubernetes cluster. The NodePort service allows the specific port in the NodePort range to be determined by Kubernetes at run time.
- IBM Spectrum Protect Plus uses the Network File System (NFS) protocol to mount storage volumes for backup and restore operations. Ensure that the native Linux NFS client is installed on the proxy host server.
- All servers, proxies, applications, and hypervisors that are added to the IBM Spectrum Protect Plus environment must be registered by using a Domain Name System (DNS) name or Internet Protocol (IP) address.
- If DNS names are used, they must be resolvable over the network by the IBM Spectrum Protect Plus virtual appliance server and the vSnap server. All IBM Spectrum Protect Plus components must also be resolvable by their DNS names.
- If DNS is not available, you must add the server to the /etc/hosts file on the IBM Spectrum Protect Plus virtual appliance by using the command line.
The following ports are used by IBM Spectrum Protect Plus agents.
| Port | Protocol | Initiator | Target | Description |
|---|---|---|---|---|
| Assigned by the NodePort service in Kubernetes | Transmission Control Protocol (TCP) | IBM Spectrum Protect Plus virtual appliance (1) | Kubernetes | Used by IBM Spectrum Protect Plus to connect to the data mover container to deploy and run agents |
| 111 | TCP | Kubernetes | vSnap server | Allows Open Network Computing (ONC) clients to discover ports for communication with ONC servers |
| 443 | TCP | Kubernetes | vSnap server | Used for IBM Spectrum Protect Plus issued commands to run backup, restore, inventory, and other configuration operations |
| 2049 | TCP | Kubernetes | vSnap server | Used for NFS data transfer to and from vSnap servers |
| 20048 | TCP | Kubernetes | vSnap server | Mounts vSnap file systems on clients such as the VMware vStorage API for Data Protection (VADP) proxy, application servers, and virtualization datastores |
(1) Refers to the IBM Spectrum Protect Plus server, which is a component of the IBM Spectrum Protect Plus virtual appliance, as described in Product components.
For SSH connections between containers in the Kubernetes environment, port 22 is used. For all other connections, whether on the Kubernetes hosts or outside the cluster, the port that the NodePort service assigned at run time is used.
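The four vSnap-side rows of the port table, together with the DNS requirement above, can be verified from a Kubernetes node (the initiator side) before the first backup job is scheduled. The script below is an added example written for this page, not product code; `vsnap.example.com` is a placeholder host name, and the loopback listener exists only so the check can be exercised offline. It reports an unresolvable host name separately from a port that a firewall blocks, because the two have different fixes (DNS or /etc/hosts versus firewall rules).

```python
"""Reachability check for the vSnap-side ports in the table above, run from a
Kubernetes node (the initiator side). Added example for this page, not product code;
the host name used in main() is a placeholder.
"""
import socket
import sys

# Ports that Kubernetes must reach on the vSnap server (from the table above).
VSNAP_PORTS = {
    111: "ONC port discovery",
    443: "IBM Spectrum Protect Plus commands (backup, restore, inventory, configuration)",
    2049: "NFS data transfer",
    20048: "mounting vSnap file systems",
}


def resolve(name):
    """Addresses the name resolves to; empty when DNS (or /etc/hosts) cannot resolve it."""
    try:
        return {entry[4][0] for entry in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def tcp_open(host, port, timeout=3.0):
    """True when a TCP handshake to host:port completes within timeout.
    A refused or filtered port (firewall, no listener) yields False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_vsnap(host, ports=VSNAP_PORTS, timeout=3.0):
    """Map each port to True (open), False (blocked) or None (host unresolvable).
    An unresolvable host is reported without attempting any connection, so a DNS
    problem is not mistaken for a firewall problem."""
    if not resolve(host):
        return {port: None for port in ports}
    return {port: tcp_open(host, port, timeout) for port in ports}


def all_reachable(results):
    """True only when every port was actually reached."""
    return all(state is True for state in results.values())


def report(results, ports=VSNAP_PORTS):
    """Human-readable lines, one per port, in ascending port order."""
    label = {True: "OPEN", False: "BLOCKED", None: "UNRESOLVED"}
    return [f"{label[state]:10} {port:>6}  {ports.get(port, '')}"
            for port, state in sorted(results.items())]


def local_listener():
    """Open a listening socket on an ephemeral loopback port (used for self-test)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "vsnap.example.com"  # placeholder name
    results = check_vsnap(host)
    print("\n".join(report(results)))
    sys.exit(0 if all_reachable(results) else 1)
```

Run it as `python3 vsnap_ports.py <vsnap-host>` from a cluster node, or from a pod that uses the host network, so the check leaves the cluster through the same path the data mover will use. The NodePort row of the table runs in the opposite direction (the IBM Spectrum Protect Plus virtual appliance connects to the cluster), so that row has to be checked from the appliance side against the NodePort range, not with this script.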
09 June 2020