NetBackup™ for Kubernetes Administrator's Guide

Last Published:
Product(s): NetBackup & Alta Data Protection (10.5)
  1. Overview of NetBackup for Kubernetes
    1.  
      Overview
    2.  
      Features of NetBackup support for Kubernetes
  2. Deploying and configuring the NetBackup Kubernetes operator
    1.  
      Prerequisites for NetBackup Kubernetes Operator deployment
    2.  
      Deploy service package on NetBackup Kubernetes operator
    3.  
      Port requirements for Kubernetes operator deployment
    4.  
      Upgrade the NetBackup Kubernetes operator
    5.  
      Delete the NetBackup Kubernetes operator
    6.  
      Configure NetBackup Kubernetes data mover
    7.  
      Automated configuration of NetBackup protection for Kubernetes
    8. Configure settings for NetBackup snapshot operation
      1.  
        Kubernetes operators supported configuration parameters
      2.  
        Prerequisites for backup from snapshot and restore from backup operations
      3.  
        DTE client settings supported in Kubernetes
      4.  
        Customization of datamover properties
    9.  
      Troubleshooting NetBackup servers with short names
    10.  
      Data mover pod schedule mechanism support
    11.  
      Validating accelerator storage class
  3. Deploying certificates on NetBackup Kubernetes operator
    1.  
      Deploy certificates on the Kubernetes operator
    2.  
      Perform Host-ID-based certificate operations
    3.  
      Perform ECA certificate operations
    4.  
      Identify certificate types
  4. Managing Kubernetes assets
    1.  
      Add a Kubernetes cluster
    2. Configure settings
      1.  
        Change resource limits for Kuberentes resource types
      2.  
        Configure autodiscovery frequency
      3.  
        Configure permissions
    3.  
      Add protection to the assets
    4. Scan for malware
      1.  
        Assets by workload type
  5. Managing Kubernetes intelligent groups
    1.  
      About intelligent group
    2.  
      Create an intelligent group
    3.  
      Delete an intelligent group
    4.  
      Edit an intelligent group
  6. Managing Kubernetes policies
    1.  
      Create a policy
  7. Protecting Kubernetes assets
    1.  
      Protect an intelligent group
    2.  
      Remove protection from an intelligent group
    3.  
      Configure backup schedule
    4.  
      Configure backup options
    5.  
      Configure backups
    6.  
      Configure Auto Image Replication (A.I.R.) and duplication
    7.  
      Configure storage units
    8.  
      Volume mode support
    9.  
      Configure application consistent backup
  8. Managing image groups
    1. About image groups
      1.  
        Image expire
      2.  
        Image copy
  9. Protecting Rancher managed clusters in NetBackup
    1.  
      Add Rancher managed RKE cluster in NetBackup using automated configuration
    2.  
      Add Rancher managed RKE cluster manually in NetBackup
  10. Recovering Kubernetes assets
    1.  
      Explore and validate recovery points
    2.  
      Restore from snapshot
    3.  
      Restore from backup copy
  11. About incremental backup and restore
    1.  
      Incremental backup and restore support for Kubernetes
  12. Enabling accelerator based backup
    1.  
      About NetBackup Accelerator support for Kubernetes workloads
    2.  
      Controlling disk space for track logs on primary server
    3.  
      Effect of storage class behavior on Accelerator
    4.  
      About Accelerator forced rescan
    5.  
      Warnings and probable reason for Accelerator backup failures
  13. Enabling FIPS mode in Kubernetes
    1.  
      Enable Federal Information Processing Standards (FIPS) mode in Kubernetes
  14. About Openshift Virtualization support
    1.  
      OpenShift Virtualization support
    2.  
      Application consistent virtual machines backup
    3.  
      Troubleshooting for virtualization
  15. Troubleshooting Kubernetes issues
    1.  
      Error during the primary server upgrade: NBCheck fails
    2.  
      Error during an old image restore: Operation fails
    3.  
      Error during persistent volume recovery API
    4.  
      Error during restore: Final job status shows partial failure
    5.  
      Error during restore on the same namespace
    6.  
      Datamover pods exceed the Kubernetes resource limit
    7.  
      Error during restore: Job fails on the highly loaded cluster
    8.  
      Custom Kubernetes role created for specific clusters cannot view the jobs
    9.  
      Openshift creates blank non-selected PVCs while restoring applications installed from OperatorHub
    10.  
      NetBackup Kubernetes operator become unresponsive if PID limit exceeds on the Kubernetes node
    11.  
      Failure during edit cluster in NetBackup Kubernetes 10.1
    12.  
      Backup or restore fails for large sized PVC
    13.  
      Restore of namespace file mode PVCs to different file system partially fails
    14.  
      Restore from backup copy fails with image inconsistency error
    15.  
      Connectivity checks between NetBackup primary, media, and Kubernetes servers.
    16.  
      Error during accelerator backup when there is no space available for track log
    17.  
      Error during accelerator backup due to track log PVC creation failure
    18.  
      Error during accelerator backup due to invalid accelerator storage class
    19.  
      Error occurred during track log pod start
    20.  
      Failed to setup the data mover instance for track log PVC operation
    21.  
      Error to read track log storage class from configmap

Add Rancher managed RKE cluster manually in NetBackup

Follow the steps to add Rancher managed RKE cluster manually in NetBackup.

Kubernetes credential creation for NetBackup

Navigate to the NetBackup web UI > Credential Management > Named Credential > Add > Add credentials > select the credential store as NetBackup > select the Kubernetes in the Category field, enter the token and CA certificate which were extracted from the Global Rancher Management platform UI earlier and then save this credential.

To add Rancher managed RKE cluster manually in NetBackup

  1. External CA Cert: The External CA certificate is required for NetBackup to communicate successfully with the cluster, if there is a different CA (Certifying Authority) used to configure the certificates for external access.

    • Navigate to the Rancher Management Server UI > Open the left side panel Global Settings > Under cacerts, click the showcacerts button.

      Extract this complete CA certificate value in a temporary file

    • For example, <cacert-value-file>

  2. Service account CA Cert:

    Note:

    You must do the following the step as there is a different CA (Certifying Authority) configured for external access of the Kubernetes API server compared to the service account CA cert which is available within the cluster. Hence, these two CA certificates must be combined.

    To get the service account CA certificate, run the following commands on the Linux cluster host.

    • Get the service account secret name available on the Kubernetes operator's namespace using the following command:

      kubectl describe serviceaccount <kopsnamespace>-backup-server -n <kopsnamespace> | grep Tokens | cut -d ":" -f 2

    • Get the CA certificate in the base 64 decoded form from this service account secret using this command:

      kubectl get secret <output-from-previous-command> -n <kopsnamespace> -o jsonpath='{. data.ca\.crt}' | base64 -d

      Entire output of this command must be appended to the temporary file which we created in step 1.

  3. Append the output that was generated after Step 2 at the end of the <cacert-value-file> file. The necessary external and internal CA cert values have are extracted and available in the file <cacert-value-file>. The CA cert values are base 64 decoded form which you have to encode again while creating credentials on NetBackup.
  4. Token: Rancher Management Server UI > Open the left side panel > Under the EXPLORE CLUSTER section > Navigate to the cluster you want to protect > Kubeconfig icon on the top right corner.

    • Extract the token: value without the double quotes " " from the downloaded Kubeconfig file (using the Download KubeConfig) into a temporary file <token-value-file>.

    • Both these fields token and cacert are required in the base64 encoded form to add in the NetBackup credentials for Kubernetes.

    • To get the base64 encoded version of both these extracted values using the following base64 command: 

      #Use a Linux VM to encode the values for this step #Note: the flag -w0 has the zero digit and not a 0 Symbol. 
      #For CA cert: 
      Cat <cacert-value-file>| base64 -w0
      Paste this output in the CA certificate field in the NetBackup credentials creation page. 
      #For Token: 
       Paste this output in the Token field in the NetBackup web UI's credentials creation page. 
    • Use these values in the NetBackup web UI > Credential management >  Named Credentials > Add  to add the valid Rancher credentials in NetBackup.
    • Once the credentials are created, add the Kubernetes cluster in NetBackup using the name shown in the following cluster-info output.
To get cluster information output run  the following commands 
  1. The cluster info output must be in the following example format:[root@master-0~] # kubectl cluster-info
  2. Kubernetes control plane runs at https://<rancher-hostname>/k8s/clusters/c-m-zjrfft56
  3. CoreDNS runs at https://<rancher-hostname>/k8s/clusters/c-m-zjrfft56/api/v1/
    namespaces/kube-system/services/rke2-coredns-rke2-coredns:udp-53/proxy
  4. Extract the entire API server endpoint (https:// included) from the output mentioned which should be in the following pattern: https://<rancher-hostname>/k8s/clusters/c-m-zjrfft56 
  5. Add the entire rancher cluster name into NetBackup web UI > Workloads > Kubernetes > Kubernetes clusters  >Add .
  6. On the Add Kubernetes cluster page, select a option associated with URL or Endpoints to allow cluster addition based on the endpoints which contain (https://).
    Note: 
    You cannot edit the cluster names added using the endpoint-based approach. You can only delete and re-add such cluster names.
  7. Enter the cluster info output which is extracted above into the input field on the NetBackup web UI (Endpoint or URL).
  8. Proceed ahead and select or create the credentials which were prepared in steps 1 to 4.
  9. Once the credentials are validated and a cluster is added successfully. It will trigger an automated validation and discovery. 
  10. After a successful automated discovery, user attempts a manual credential validation and discovery to ensure that everything is working fine.
  11. Add a Rancher managed cluster in NetBackup.
  12. Create the backup server certificate secret and the data mover configmap to setup Backup from Snapshot (BFS) function.
    Then, proceed with the rest of the configuration steps as per the recommended setup guide.