Preventive Service Planning
This document details the Kubernetes Backup Support requirements for IBM Spectrum Protect Plus Version 10.1.5.
Before you deploy IBM Spectrum Protect Plus Kubernetes Backup Support in the Kubernetes environment, ensure that the system environment meets the outlined requirements.
Kubernetes Backup Support is available only in English in IBM Spectrum Protect Plus Version 10.1.5.
Docker containers are supported in Kubernetes Backup Support.
On Linux® x86_64:
- Red Hat Enterprise Linux (RHEL) 7.6
- RHEL 7.7
- Kubernetes v1.13 and later patches and updates
- Kubernetes v1.14 and later patches and updates
- Kubernetes v1.15 and later patches and updates
- Kubernetes v1.16 and later patches and updates
- Ceph Container Storage Interface (CSI) driver 1.1 with Rados Block Device (RBD) storage
To install and configure container backup support, the backup administrator must deploy the Kubernetes Backup Support software in the Kubernetes environment. For instructions, see Installing Kubernetes Backup Support.
- Kubernetes Backup Support protects only persistent storage that was allocated by a storage plug-in that supports the Container Storage Interface (CSI).
- Only formatted volumes can be mounted to the data mover for copy operations.
- Ensure that Kubernetes Metrics Server 0.3.5 or later is installed and running on your cluster. The metrics server is required for the Kubernetes Backup Support scheduler to determine the resources that are used for multiple concurrent data mover instances. For more information, see Verifying whether the metrics server is running.
- Copy backup and snapshot restore operations require the VolumeSnapshotDataSource alpha feature to be enabled. To enable the VolumeSnapshotDataSource alpha feature, you must patch the Kubernetes scheduler, controller, and API server. For instructions, see Enabling the
- Ensure that the following cluster prerequisites are met:
- You must be running a Kubernetes cluster with CSI support.
- Persistent storage must be provided by the CSI driver, which must support CSI snapshot capabilities.
- A storage class must be defined for the persistent volumes that are being protected.
- The Kubernetes command line tool kubectl must be accessible on the installation host and in the local path.
- CSI snapshot support must be enabled on the
- The target image registry must be accessible from the Kubernetes cluster. The target image registry can be a local image registry or an external image registry. For an external image registry, you can configure the image pull secret to secure your environment.
- The Kubernetes Backup Support product installation package must be on the primary node or another administration node. The administration node must have similar access to the primary node with regard to Docker, the kubectl tool, and the cluster image registry.
- To create new cluster-wide resources, you must be logged in to the target cluster as a user with
- Ensure that Kubernetes Backup Support secrets that include user IDs, passwords, and keys are encrypted at rest in the etcd distributed key-value store. For more information, see Encrypting Secret Data at Rest.
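One way to check the encryption-at-rest requirement above, as an added example that is not part of the IBM documentation or product: the function audits a Kubernetes EncryptionConfiguration document and reports whether Secrets are encrypted when they are written to etcd. The sample documents, the placeholder key value, and the function names are constructed for illustration.

```python
import json

# Providers that actually encrypt; "identity" stores data as-is.
ENCRYPTING = {"aescbc", "aesgcm", "secretbox", "kms"}

def audit_secret_encryption(config):
    """Return (ok, findings) describing how Secrets are written to etcd."""
    if config.get("kind") != "EncryptionConfiguration":
        return False, ["not an EncryptionConfiguration document"]
    # Assumption: the first rule that lists "secrets" is the one that applies.
    rules = [r for r in config.get("resources", [])
             if "secrets" in r.get("resources", [])]
    if not rules:
        return False, ["no rule covers secrets: stored in plaintext"]
    # Each provider entry is a one-key mapping, e.g. {"aescbc": {...}}.
    names = [next(iter(p)) for p in rules[0].get("providers", []) if p]
    if not names:
        return False, ["secrets rule has no providers"]
    findings = []
    # Only the first provider is used for writes; the rest are read fallbacks.
    ok = names[0] in ENCRYPTING
    if not ok:
        findings.append(f"write provider is {names[0]}: new Secrets stored in plaintext")
    if "identity" in names[1:]:
        findings.append("identity fallback: Secrets written earlier may still be plaintext")
    return ok, findings

def sample_doc(providers):
    """Build a constructed sample document with the given provider order."""
    return {"apiVersion": "apiserver.config.k8s.io/v1",
            "kind": "EncryptionConfiguration",
            "resources": [{"resources": ["secrets"], "providers": providers}]}

# Constructed samples; the key value is a placeholder, not real key material.
AESCBC = {"aescbc": {"keys": [{"name": "key1", "secret": "<BASE64_32_BYTE_KEY>"}]}}
WEAK = sample_doc([{"identity": {}}, AESCBC])      # identity first: writes unencrypted
HARDENED = sample_doc([AESCBC, {"identity": {}}])  # aescbc first: writes encrypted

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, json.dumps(audit_secret_encryption(doc)))
```

A configuration that passes this check only governs new writes; Secrets that were created before encryption was enabled stay in their old form until they are rewritten.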
The Helm tool must be configured on the target cluster so that a new deployment can be run with the helm command line. Deploying a package with Helm enables cluster-wide role-based access control (RBAC) rules and role bindings to be generated.
For the Kubernetes cluster, to install Helm as root user with the Kubernetes administrative user account, run the following script, which is included in the installation package:
IBM Spectrum Protect Plus prerequisites
External, non-container components such as IBM Spectrum Protect Plus and the IBM Spectrum Protect Plus vSnap server must be provisioned and configured by the IBM Spectrum Protect Plus administrator.
- An administrative account for Kubernetes Backup Support must be configured on IBM Spectrum Protect Plus.
This administrative account can be configured as a global Lightweight Directory Access Protocol (LDAP) account in the data center. This global account is required for access to all external components that Kubernetes Backup Support operates with.
You must specify this account name in the BAAS_ADMIN parameter in the baas_config.cfg configuration file before you deploy Kubernetes Backup Support. The baas_config.cfg is located in the installer directory. For instructions, see Installing and deploying Kubernetes Backup Support images.
- An IBM Spectrum Protect Plus instance must be deployed and licensed as a VMware virtual appliance.
Network connectivity must exist to and from the target cluster. The IBM Spectrum Protect Plus Internet Protocol (IP) address and port number must be specified in the baas_config.cfg file before you deploy Kubernetes Backup Support. Only one port (443) can be specified for use with all IBM Spectrum Protect Plus instances.
- An IBM Spectrum Protect Plus vSnap instance must be deployed as a VMware virtual appliance.
- Network connectivity must exist to and from the target Kubernetes cluster and IBM Spectrum Protect Plus vSnap instance.
- The vSnap instance must be configured as an external vSnap server for storing backups. For instructions, see Installing vSnap servers.
- If backups are encrypted at rest, ensure that enough capacity is allocated for encryption on the vSnap server.
- Ensure that the following connectivity criteria are in place:
- SSH service is running on Kubernetes NodePort services.
- Firewalls must be configured to allow IBM Spectrum Protect Plus to connect to data mover containers by using SSH over the NodePort port range of the Kubernetes cluster. The NodePort service allows the specific port in the NodePort range to be determined by Kubernetes at run time.
- The server can be registered by using a Domain Name System (DNS) name or Internet Protocol (IP) address. DNS names must be resolvable by IBM Spectrum Protect Plus.
Ensure that you specify the username for the IBM Spectrum Protect Plus administrative account and data mover in the baas_config.cfg configuration file. For more information, see Installing and deploying Kubernetes Backup Support images.
To access the device that is associated with the persistent volume, the data mover container must be a privileged container.
The following ports are used by IBM Spectrum Protect Plus agents. The ports use secure connections (HTTPS or SSL).
| Port | Protocol | Initiator | Target | Description |
|---|---|---|---|---|
| Assigned by the NodePort service in Kubernetes | TCP | IBM Spectrum Protect Plus virtual appliance¹ | Kubernetes | Used by IBM Spectrum Protect Plus to connect to the data mover container to deploy and run agents. |

¹ Refers to the IBM Spectrum Protect Plus server, which is a component of the IBM Spectrum Protect Plus virtual appliance.
For SSH connections between containers in the Kubernetes environment, port 22 is used. For everywhere else, whether on the Kubernetes hosts or outside the cluster, the port that the NodePort service assigned at run time is used.
| Port | Protocol | Initiator | Target | Description |
|---|---|---|---|---|
| 111 | TCP | Kubernetes | vSnap server | Allows Open Network Computing (ONC) clients to discover ports for communication with ONC servers |
| 443 | TCP | Kubernetes | vSnap server | Used for IBM Spectrum Protect Plus issued commands to run backup, restore, inventory, and other configuration operations |
| 2049 | TCP | Kubernetes | vSnap server | Used for Network File System (NFS) data transfer to and from vSnap servers |
| 20048 | TCP | Kubernetes | vSnap server | Mounts vSnap file systems on clients such as the VADP proxy, application servers, and virtualization data stores |
01 July 2021