
Backup and Restore

The following are instructions for backing up and restoring the Kubernetes cluster in GKE environments.


Setup Backup and Restore

Create a backup and restore process for disaster recovery of the Kubernetes cluster.

This example creates a Google Cloud Storage (GCS) bucket, a Google Service Account, and a custom IAM role that Velero uses to back up the Kubernetes cluster.

Create the Bucket

Use the following commands to set the name of the bucket and then create it.

BUCKET=<bucket_name>

gsutil mb gs://$BUCKET

Create a Service Account

Use the following commands to create a Google Service Account for the backup.

gcloud config list

PROJECT_ID=$(gcloud config get-value project)

GSA_NAME=backup-server # Service Account name 
GSA_DISPLAY_NAME="Backup service account" # Service Account title 
SERVER_ROLE_TITLE="BackupServerRole" # Service Role Title (should not contain spaces)
SERVER_ROLE=backupServerRole # Server Role name 

gcloud iam service-accounts create $GSA_NAME --display-name "$GSA_DISPLAY_NAME" 

gcloud iam service-accounts list 

SERVICE_ACCOUNT_EMAIL=$(gcloud iam service-accounts list \
  --filter="displayName:$GSA_DISPLAY_NAME" \
  --format 'value(email)')

Create a Custom Role for the Backup

Use the following commands to create a custom role, with only the permissions the backup needs, for the backup service account.

ROLE_PERMISSIONS=(
    compute.disks.get
    compute.disks.create
    compute.disks.createSnapshot
    compute.snapshots.get
    compute.snapshots.create
    compute.snapshots.useReadOnly
    compute.snapshots.delete
    compute.zones.get
    storage.objects.create
    storage.objects.delete
    storage.objects.get
    storage.objects.list
    iam.serviceAccounts.signBlob
)

gcloud iam roles create $SERVER_ROLE \
    --project $PROJECT_ID \
    --title "$SERVER_ROLE_TITLE" \
    --permissions "$(IFS=","; echo "${ROLE_PERMISSIONS[*]}")"

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member serviceAccount:$SERVICE_ACCOUNT_EMAIL \
    --role projects/$PROJECT_ID/roles/$SERVER_ROLE

gsutil iam ch serviceAccount:$SERVICE_ACCOUNT_EMAIL:objectAdmin gs://${BUCKET}

gsutil iam ch serviceAccount:$SERVICE_ACCOUNT_EMAIL:admin gs://${BUCKET}

Bind Backup Service Account

Bind the Kubernetes Service Account that RADM creates for the backup to the Google Service Account created above.

This example uses Velero for the backup process.

Get Service Account created by RADM

Use the following variables for the Kubernetes Service Account and namespace of the backup created by RADM.

KSA_NAME=rafay-velero-sa # Do not change the name

NAMESPACE=velero # Do not change the name

Add IAM Policy Binding

Use the following command to add an IAM policy binding that lets the backup Kubernetes Service Account impersonate the Google Cloud Service Account through Workload Identity.

gcloud iam service-accounts add-iam-policy-binding \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/$KSA_NAME]" \
    $GSA_NAME@$PROJECT_ID.iam.gserviceaccount.com
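After the steps above, a practitioner usually wants to confirm the three bindings actually landed and that nothing wider was granted on the way. The following is an added example, not part of the Rafay documentation, that audits exported IAM policy documents offline; the project, bucket roles and policy contents are constructed sample values, and the service account and role names are the ones used in this guide.

```python
# Constructed sample values; substitute the names used in the steps above.
PROJECT_ID = "my-gke-project"
GSA_MEMBER = f"serviceAccount:backup-server@{PROJECT_ID}.iam.gserviceaccount.com"
CUSTOM_ROLE = f"projects/{PROJECT_ID}/roles/backupServerRole"
WI_MEMBER = f"serviceAccount:{PROJECT_ID}.svc.id.goog[velero/rafay-velero-sa]"
BROAD_PROJECT_ROLES = {"roles/owner", "roles/editor", "roles/storage.admin"}

# Constructed policy documents in the shape returned by
# `gcloud projects get-iam-policy $PROJECT_ID --format json`,
# `gsutil iam get gs://$BUCKET` and
# `gcloud iam service-accounts get-iam-policy $SERVICE_ACCOUNT_EMAIL --format json`.
PROJECT_POLICY = {"bindings": [
    {"role": CUSTOM_ROLE, "members": [GSA_MEMBER]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]}]}
BUCKET_POLICY = {"bindings": [
    {"role": "roles/storage.objectAdmin", "members": [GSA_MEMBER]},
    {"role": "roles/storage.admin", "members": [GSA_MEMBER]}]}
GSA_POLICY = {"bindings": [
    {"role": "roles/iam.workloadIdentityUser", "members": [WI_MEMBER]}]}


def roles_of(policy, member):
    """Set of roles a member holds in one IAM policy document."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit(project_policy, bucket_policy, gsa_policy):
    """Return findings as strings; an empty list means the bindings match the guide."""
    findings = []
    project_roles = roles_of(project_policy, GSA_MEMBER)
    if CUSTOM_ROLE not in project_roles:
        findings.append(f"project: {CUSTOM_ROLE} is not bound to the backup service account")
    for role in sorted(project_roles & BROAD_PROJECT_ROLES):
        findings.append(f"project: {role} is far wider than the custom backup role")
    bucket_roles = roles_of(bucket_policy, GSA_MEMBER)
    if not bucket_roles & {"roles/storage.objectAdmin", "roles/storage.admin"}:
        findings.append("bucket: service account cannot write backup objects")
    if "roles/storage.admin" in bucket_roles:
        findings.append("bucket: roles/storage.admin also grants bucket configuration "
                        "and IAM control, beyond the object access backups need")
    if "roles/iam.workloadIdentityUser" not in roles_of(gsa_policy, WI_MEMBER):
        findings.append("gsa: velero/rafay-velero-sa is not bound via Workload Identity")
    return findings


if __name__ == "__main__":
    for finding in audit(PROJECT_POLICY, BUCKET_POLICY, GSA_POLICY) or ["no findings"]:
        print(finding)
```

Run it against your own exported policies by loading the three JSON files with `json.load` in place of the constructed dictionaries.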