NetBackup™ for Kubernetes Administrator's Guide

Last Published:
Product(s): NetBackup & Alta Data Protection (11.0)
  1. Overview of NetBackup for Kubernetes
    1.  
      Overview
    2.  
      Features of NetBackup support for Kubernetes
  2. Deploying and configuring the NetBackup Kubernetes operator
    1.  
      Prerequisites for NetBackup Kubernetes Operator deployment
    2.  
      Deploy service package on NetBackup Kubernetes operator
    3.  
      Port requirements for Kubernetes operator deployment
    4.  
      Upgrade the NetBackup Kubernetes operator
    5.  
      Delete the NetBackup Kubernetes operator
    6.  
      Configure NetBackup Kubernetes data mover
    7.  
      Automated configuration of NetBackup protection for Kubernetes
    8. Customize Kubernetes workload
      1.  
        Prerequisites for backup from snapshot and restore from backup operations
      2.  
        DTE client settings supported in Kubernetes
      3.  
        Customization of datamover properties
    9.  
      Troubleshooting NetBackup servers with short names
    10.  
      Data mover pod schedule mechanism support
    11.  
      Validating accelerator storage class
  3. Deploying certificates on NetBackup Kubernetes operator
    1.  
      Deploy certificates on the Kubernetes operator
    2.  
      Perform Host-ID-based certificate operations
    3.  
      Perform ECA certificate operations
    4.  
      Identify certificate types
  4. Managing Kubernetes assets
    1.  
      Add a Kubernetes cluster
    2. Configure settings
      1.  
        Change resource limits for Kuberentes resource types
      2.  
        Configure autodiscovery frequency
      3.  
        Configure permissions
      4.  
        Asset cleanup
    3.  
      Add protection to the assets
    4. Scan for malware
      1.  
        Assets by workload type
  5. Managing Kubernetes intelligent groups
    1.  
      About intelligent group
    2.  
      Create an intelligent group
    3.  
      Delete an intelligent group
    4.  
      Edit an intelligent group
  6. Managing Kubernetes policies
    1.  
      Create a policy
  7. Protecting Kubernetes assets
    1.  
      Protect an intelligent group
    2.  
      Remove protection from an intelligent group
    3.  
      Configure backup schedule
    4.  
      Configure backup options
    5.  
      Configure backups
    6.  
      Configure Auto Image Replication (A.I.R.) and duplication
    7.  
      Configure storage units
    8.  
      Volume mode support
    9.  
      Configure application consistent backup
  8. Managing image groups
    1. About image groups
      1.  
        Image expire
      2.  
        Image copy
  9. Protecting Rancher managed clusters in NetBackup
    1.  
      Add Rancher managed RKE cluster in NetBackup using automated configuration
    2.  
      Add Rancher managed RKE cluster manually in NetBackup
  10. Recovering Kubernetes assets
    1.  
      Explore and validate recovery points
    2.  
      Restore from snapshot
    3.  
      Restore from backup copy
  11. About incremental backup and restore
    1.  
      Incremental backup and restore support for Kubernetes
  12. Enabling accelerator based backup
    1.  
      About NetBackup Accelerator support for Kubernetes workloads
    2.  
      Controlling disk space for track logs on primary server
    3.  
      Effect of storage class behavior on Accelerator
    4.  
      About Accelerator forced rescan
    5.  
      Warnings and probable reason for Accelerator backup failures
  13. Enabling FIPS mode in Kubernetes
    1.  
      Enable Federal Information Processing Standards (FIPS) mode in Kubernetes
  14. About Openshift Virtualization support
    1.  
      OpenShift Virtualization support
    2.  
      Application consistent virtual machines backup
    3.  
      Troubleshooting for virtualization
  15. Troubleshooting Kubernetes issues
    1.  
      Error during the primary server upgrade: NBCheck fails
    2.  
      Error during an old image restore: Operation fails
    3.  
      Error during persistent volume recovery API
    4.  
      Error during restore: Final job status shows partial failure
    5.  
      Error during restore on the same namespace
    6.  
      Datamover pods exceed the Kubernetes resource limit
    7.  
      Error during restore: Job fails on the highly loaded cluster
    8.  
      Custom Kubernetes role created for specific clusters cannot view the jobs
    9.  
      Openshift creates blank non-selected PVCs while restoring applications installed from OperatorHub
    10.  
      NetBackup Kubernetes operator become unresponsive if PID limit exceeds on the Kubernetes node
    11.  
      Failure during edit cluster in NetBackup Kubernetes 10.1
    12.  
      Backup or restore fails for large sized PVC
    13.  
      Restore of namespace file mode PVCs to different file system partially fails
    14.  
      Restore from backup copy fails with image inconsistency error
    15.  
      Connectivity checks between NetBackup primary, media, and Kubernetes servers.
    16.  
      Error during accelerator backup when there is no space available for track log
    17.  
      Error during accelerator backup due to track log PVC creation failure
    18.  
      Error during accelerator backup due to invalid accelerator storage class
    19.  
      Error occurred during track log pod start
    20.  
      Failed to setup the data mover instance for track log PVC operation
    21.  
      Error to read track log storage class from configmap

Enable Federal Information Processing Standards (FIPS) mode in Kubernetes

NetBackup Kubernetes 10.3 release provides FIPS support for RedHat based NetBackup deployments. All the Kubernetes workload component involved in NetBackup, Kubernetes operator and Data mover must run in FIPS mode. To achieve the FIPS support, there are certain requirements that needs to be met across all these components.

System requirements

Following are the system requirements for FIPS support in NetBackup Kubernetes workload.

Name

Parameters

NetBackup Primary and Media

  • Both Primary and Media must be deployed on the NetBackup10.2.1 with underlying RHEL-8system which is enabled with FIPS.

  • RHEL OS version must be greater than RHEL8.

    • You can check version of RedHat machine using the following command:

      cat /etc/Redhat-release

    • You can check if underlying system have FIPS enabled using the following command:

      FIPS-MODE-SETUP--CHECK

    • For more details, you can check man page entry of the following command:

      fips-mode-setup

Kubernetes Cluster

  • Kubernetes cluster must be deployed with FIPS enabled mode.

  • The process to deploy Kubernetes cluster in FIPS mode is vendor dependent.

  • For example, deploying Openshift with FIPS Enabled

Configuration parameters

Following are the configuration parameters for FIPS mode in NetBackup Kubernetes workload.

Configuration

Parameters

NetBackup Primary and Media

Enabling NetBackup process to run in FIPS mode:

  • Update <Netbackup-Installation-Path>/netbackup/bp.conf with the following key:

    NB_FIPS_MODE = ENABLE

  • For more information on NetBackup in FIPS mode, refer to the Configure the FIPS mode in your NetBackup domain section in the NetBackup™Security and Encryption Guide

NetBackup Kubernetes Operator

Do any of the following to enable FIPS mode:

  • Update the value of parameter fipsMode to ENABLE in values.yaml file from the Helm Chart.

  • Update the value of parameter NB_FIPS_MODE to ENABLE in backup-operator.

Note:

Make sure that all the systems on which NetBackup Kubernetes workload runs are FIPS compliant.

Troubleshooting for FIPS

Impact on the Automated Image Replication (AIR) operation:

  • For AIR on FIPS enabled environment, you need to do the additional configuration.

  • Update the <KB-Article>on the support site.

  • Run the following commands in the command-line interface (CLI):

    /usr/openv/java/jre/bin/keytool/keytool -storetype BCFKS -providerpath

    /usr/openv/wmc/webserver/lib/ccj-3.0.1.jar -providerclass com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider -importcert -trustcacerts -file <target CA certificate file (pem encoded)> -keystore

    NB_INSTALL_DIR/var/global/wsl/credentials/cacerts.bcfks -storepass <password from the /usr/openv/var/global/jkskey file>

    -alias <alias name of the trusted certificate entry to be added>