NetBackup™ for Kubernetes Administrator's Guide

Last Published:
Product(s): NetBackup & Alta Data Protection (11.0)
  1. Overview of NetBackup for Kubernetes
    1.  
      Overview
    2.  
      Features of NetBackup support for Kubernetes
  2. Deploying and configuring the NetBackup Kubernetes operator
    1.  
      Prerequisites for NetBackup Kubernetes Operator deployment
    2.  
      Deploy service package on NetBackup Kubernetes operator
    3.  
      Port requirements for Kubernetes operator deployment
    4.  
      Upgrade the NetBackup Kubernetes operator
    5.  
      Delete the NetBackup Kubernetes operator
    6.  
      Configure NetBackup Kubernetes data mover
    7.  
      Automated configuration of NetBackup protection for Kubernetes
    8. Customize Kubernetes workload
      1.  
        Prerequisites for backup from snapshot and restore from backup operations
      2.  
        DTE client settings supported in Kubernetes
      3.  
        Customization of datamover properties
    9.  
      Troubleshooting NetBackup servers with short names
    10.  
      Data mover pod schedule mechanism support
    11.  
      Validating accelerator storage class
  3. Deploying certificates on NetBackup Kubernetes operator
    1.  
      Deploy certificates on the Kubernetes operator
    2.  
      Perform Host-ID-based certificate operations
    3.  
      Perform ECA certificate operations
    4.  
      Identify certificate types
  4. Managing Kubernetes assets
    1.  
      Add a Kubernetes cluster
    2. Configure settings
      1.  
        Change resource limits for Kuberentes resource types
      2.  
        Configure autodiscovery frequency
      3.  
        Configure permissions
      4.  
        Asset cleanup
    3.  
      Add protection to the assets
    4. Scan for malware
      1.  
        Assets by workload type
  5. Managing Kubernetes intelligent groups
    1.  
      About intelligent group
    2.  
      Create an intelligent group
    3.  
      Delete an intelligent group
    4.  
      Edit an intelligent group
  6. Managing Kubernetes policies
    1.  
      Create a policy
  7. Protecting Kubernetes assets
    1.  
      Protect an intelligent group
    2.  
      Remove protection from an intelligent group
    3.  
      Configure backup schedule
    4.  
      Configure backup options
    5.  
      Configure backups
    6.  
      Configure Auto Image Replication (A.I.R.) and duplication
    7.  
      Configure storage units
    8.  
      Volume mode support
    9.  
      Configure application consistent backup
  8. Managing image groups
    1. About image groups
      1.  
        Image expire
      2.  
        Image copy
  9. Protecting Rancher managed clusters in NetBackup
    1.  
      Add Rancher managed RKE cluster in NetBackup using automated configuration
    2.  
      Add Rancher managed RKE cluster manually in NetBackup
  10. Recovering Kubernetes assets
    1.  
      Explore and validate recovery points
    2.  
      Restore from snapshot
    3.  
      Restore from backup copy
  11. About incremental backup and restore
    1.  
      Incremental backup and restore support for Kubernetes
  12. Enabling accelerator based backup
    1.  
      About NetBackup Accelerator support for Kubernetes workloads
    2.  
      Controlling disk space for track logs on primary server
    3.  
      Effect of storage class behavior on Accelerator
    4.  
      About Accelerator forced rescan
    5.  
      Warnings and probable reason for Accelerator backup failures
  13. Enabling FIPS mode in Kubernetes
    1.  
      Enable Federal Information Processing Standards (FIPS) mode in Kubernetes
  14. About Openshift Virtualization support
    1.  
      OpenShift Virtualization support
    2.  
      Application consistent virtual machines backup
    3.  
      Troubleshooting for virtualization
  15. Troubleshooting Kubernetes issues
    1.  
      Error during the primary server upgrade: NBCheck fails
    2.  
      Error during an old image restore: Operation fails
    3.  
      Error during persistent volume recovery API
    4.  
      Error during restore: Final job status shows partial failure
    5.  
      Error during restore on the same namespace
    6.  
      Datamover pods exceed the Kubernetes resource limit
    7.  
      Error during restore: Job fails on the highly loaded cluster
    8.  
      Custom Kubernetes role created for specific clusters cannot view the jobs
    9.  
      Openshift creates blank non-selected PVCs while restoring applications installed from OperatorHub
    10.  
      NetBackup Kubernetes operator become unresponsive if PID limit exceeds on the Kubernetes node
    11.  
      Failure during edit cluster in NetBackup Kubernetes 10.1
    12.  
      Backup or restore fails for large sized PVC
    13.  
      Restore of namespace file mode PVCs to different file system partially fails
    14.  
      Restore from backup copy fails with image inconsistency error
    15.  
      Connectivity checks between NetBackup primary, media, and Kubernetes servers.
    16.  
      Error during accelerator backup when there is no space available for track log
    17.  
      Error during accelerator backup due to track log PVC creation failure
    18.  
      Error during accelerator backup due to invalid accelerator storage class
    19.  
      Error occurred during track log pod start
    20.  
      Failed to setup the data mover instance for track log PVC operation
    21.  
      Error to read track log storage class from configmap

Perform Host-ID-based certificate operations

Ensure that the primary server is configure in the NBCA mode. To check if the NBCA mode is on, run the command: /usr/openv/netbackup/bin/nbcertcmd -getSecConfig -caUsage.

The output looks like this:

NBCA: ON
ECA: OFF

HostID based certificate specification looks like this:

apiVersion: netbackup.veritas.com/v1
kind: BackupServerCert
metadata:
  name: backupservercert-sample
  namespace: kops-ns
spec:
  clusterName: cluster.sample.com:port
  backupServer: primaryserver.sample.domain.com
  certificateOperation: Create | Update | Remove
  certificateType: NBCA
  nbcaAttributes:
    nbcaCreateOptions:
      secretName: "Secret name consists of token and fingerprint"
    nbcaUpdateOptions:
      secretName: "Secret name consists of token and fingerprint"
      force: true
    nbcaRemoveOptions:
      hostID: "hostId of the nbca certificate. You can view on Netbackup UI"

Table: HostID based certificate operations

Operation type

Options and comments

Create

secretName: Name of the secret which contains a token and fingerprint.

Remove

hostID: Host identification of the NBCA certificate.

Update

secretName: Name of the secret which contains a token and fingerprint.

Creating a HostID based certificate for Kubernetes operator

You can create a HostID based certificate for Kubernetes operator using the following procedure.

To create HostID based certificate for Kubernetes operator

  1. On the backup server run the following command and get the SHA-256 fingerprint.

    /usr/openv/netbackup/bin/nbcertcmd -listCACertDetails

  2. To create an authorization token, refer to the Creating authorization tokens section in the NetBackup™ Security and Encryption Guide.
  3. To create a reissue token, if required, refer to the Creating a reissue token section in the NetBackup™ Security and Encryption Guide.
  4. Create a secret with token and fingerprint.
  5. Provide a token as it is mandatory irrespective of security level.

    Token-fingerprint-secret.yaml looks like this:

    apiVersion: v1
kind: Secret
metadata:
  name: secret-name
  namespace: kops-ns
type: Opaque
stringData:
  token: "Authorization token | Reissue token"
  fingerprint: "SHA256 Fingerprint"

    • Copy the Token-fingerprint-secret.yaml file text.

    • Open the text editor and paste the yaml file text.

    • Then, save the text with the yaml file extension to the home directory from where the Kubernetes clusters are accessible.

  6. To create the Token-fingerprint-secret.yaml file, run the command: kubectl create -f Token-fingerprint-secret.yaml
  7. Create a backupservercert object with the

    nbcaCreateOptions and then specify a secret name.

    nbca-create-backupservercert.yaml looks like this:

    apiVersion: netbackup.veritas.com/v1
kind: BackupServerCert
metadata:
  name: backupserver-nbca-create
  namespace: kops-ns
spec:
  clusterName: cluster.sample.com:port
  backupServer: backupserver.sample.domain.com
  certificateOperation: Create
  certificateType: NBCA
  nbcaAttributes:
    nbcaCreateOptions:
      secretName: nbcaSecretName with token and fingerprint

    • Copy the nbca-create-backupservercert.yaml file text.

    • Open the text editor and paste the yaml file text.

    • Then, save the text with the yaml file extension to the home directory from where the Kubernetes clusters are accessible.

  8. To create the nbca-create-backupservercert.yaml file, run the command: kubectl create -f nbca-create-backupservercert.yaml
  9. Once the certificate is created, check custom resource status. If the custom resource status is successful, you can run Backup from Snapshot jobs.

    Note:

    You need to check that the BackupServerCert custom resource status is successful before initiating Backup from Snapshot or Restore from Backup Copy operations.

    Note:

    To renew host ID based certificate: NetBackup host ID certificate checks if it's due for renew after 24 hours cycle. Certificates get automatically renewed 180 days (6 months) before expiration date.

    Note:

    Ensure to check whether the NetBackup primary server clock and the NetBackup Kubernetes operator clock are in sync. For more details on the CheckClockSkew errors, refer to the Implication of clock skew on certificate validity section in the NetBackup™ Security and Encryption Guide.

Removing primary server certificate from Kubernetes operator

You can remove a certificate from a primary server if the server is not used for running the backup and restore operations.

To remove primary server certificate from Kubernetes operator.

  1. Log on to the NetBackup web UI and get a hostID for the certificate that you want to remove.

    To get the HostID for the certificate, refer to the Viewing host ID-based certificate details section in the NetBackup™ Security and Encryption Guide.

  2. Create a backupservercert with operation type remove.

    nbca-remove-backupservercert.yaml file looks like this:

    apiVersion: netbackup.veritas.com/v1
kind: BackupServerCert
metadata:
  name: backupserver-nbca-domain.com
  namespace: kops-ns
spec:
  clusterName: cluster.sample.com:port 
  backupServer: backupserver.sample.domain.com
  certificateOperation: Remove
  certificateType: NBCA
  nbcaAttributes:
    nbcaRemoveOptions:
      hostID: nbcahostID

    • Copy the nbca-remove-backupservercert.yaml file text.

    • Open the text editor and paste the yaml file text.

    • Then, save the text with the yaml file extension to the home directory from where the Kubernetes clusters are accessible.

  3. To create the nbca-remove-backupservercert.yaml file, run the command: kubectl create -f nbca-remove-backupservercert.yaml
  4. To revoke the certificate, refer to the Revoking a host ID-based certificate section in the NetBackup™ Security and Encryption Guide.

    Note:

    Once the nbca-remove-backupservercert.yaml is applied, certificates are removed from the Kubernetes operator's local certificate store. But it's still present and valid in the NetBackup database. So, the certificate needs to be revoked.

Updating primary server certificates

Following is the scenario when you may want to update the certificates assuming that the certificates are readable and present in the Kubernetes operator:

When certificates present on the Netbackup Kubernetes operator are revoked, then certificates can be reissued with update operation. To resolve this issue, either you can update the server certificate or you can remove the server certificate and then create a new certificate.

Note:

If update certificate operation fails, you must remove the certificate first and then create a new certificate.

To update a primary server certificate on Kubernetes operator:

  1. Create a backupservercert object with the update operation:

    nbca-update-backupservercert.yaml file looks like this:

    apiVersion: netbackup.veritas.com/v1
kind: BackupServerCert
metadata:
  name: backupserver-nbca-update
  namespace:kops-ns
spec:
  clusterName: cluster.sample.com:port
  backupServer: backupserver.sample.domain.com
  certificateOperation: Update
  certificateType: NBCA
  nbcaAttributes:
    nbcaUpdateOptions:
    secretName: "Name of secret containing 
token and fingerprint"
    force: true

    • Copy the nbca-update-backupservercert.yaml file text.

    • Open the text editor and paste the yaml file text.

    • Then, save the text with the yaml file extension to the home directory from where the Kubernetes clusters are accessible.

  2. To create the nbca-udpate-backupservercert.yaml file, run the command: kubectl create -f nbca-update-backupservercert.yaml
  3. Once the backupservercert object is created, then check the custom resource status.