Backing Up and Restoring Tanzu Kubernetes Workloads Using Velero with Restic

Page last updated:

This topic provides an overview of how to back up and restore Kubernetes workloads deployed to TKGI clusters using Velero and Restic.

About Tanzu Kubernetes Workload Backup and Restore

Tanzu Kubernetes workload backup and restore is done using Velero and Restic software.

Velero is an open-source product that provides full backup and recovery of Kubernetes workloads. Restic is used as a companion tool with Velero to provide platform independent volume snapshots. Together, Velero and Restic support backup and recovery for all types of Kubernetes workloads deployed to Tanzu clusters.

Getting Started

To get started, install Velero and review the Velero Backup and Restore Scenarios.

Application Types

An application deployed to Kubernetes can be stateless or stateful. Velero with Restic can back up and restore both types, but the procedure may differ slightly. The examples demonstrate the differences and process for each type. See Scenarios for Backing Up and Restoring TKGI Workloads for a full list of examples.

In addition, an application may have a service attached or ingress enabled. See Services and Ingress for a summary of the available techniques for ensuring full restoration of functionality.

Services and Ingress

If a service is attached, the IP address may need to be static for backup and restore to work as expected.

Velero backup and restore is agnostic of NSX-T objects. To restore applications with same IP address, there are two mechanism available with TKGI:

  • Create a Kubernetes load balancer service with a static IP address by specifying the loadBalancerIP in the YAML file.
  • Deploy a Kubernetes cluster with a static IP address for pod ingress by defining network profile.

Storage Types

Tanzu Kubernetes clusters support two persistence providers: VMware Cloud Provider (vCP) and the Container Storage Interface (CSI).

vCP is VMware’s Kubernetes storage plugin that allows cluster nodes on vSphere to interact with vCenter to support Kubernetes Persistent Volume objects. CSI is open-source software that enables Kubernetes implementations to provide a standard interface for storage systems, without having to create drivers for each system.

The provider is defined in the storage class. Velero with Restic backup and restore is slightly different depending on the type of persistence provider.

The VMware Cloud Provider (vCP) StorageClass provisioner only works with TKGI:

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: demo-sts-sc
provisioner: kubernetes.io/vsphere-volume
parameters:
  diskformat: thin

The Container Storage Interface (CSI) StorageClass provisioner works with TKGI, TKGM, and TKGS.

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: guestbook-sc-csi
  annotations:
    storageclass.kubernetes.io/is-default-class: "true"
provisioner: csi.vsphere.vmware.com
parameters:
  datastoreurl: "ds:///vmfs/volumes/vsan:52d8eb4842dbf493-41523be9cd4ff7b7/"

Tanzu Kubernetes Workload Backup and Restore Requirements

This section lists the requirements for using Velero and Restic for Kubernetes workload backup and recovery.

Cluster Configuration

A Velero pod and a Restic pod are installed on the Kubernetes cluster. To use Velero and Restic for Kubernetes workload backup and recovery with TKGI, you must configure each target cluster as follows:

  1. Enable the Allow Privileged option in the plan configuration so that Restic is able to mount the hostpath.
  2. Change the hostPath from /var/lib/kubelet/pods to /var/vcap/data/kubelet/pods.

The examples provided in this section demonstrate how to perform these actions.

Note: Enabling the Allow Privileged option means that all containers in the cluster will run in privileged mode. Pod Security Policy provides a privileged parameter that can be used to enable or disable Pods running in privileged mode. As a best practice, if you enable Allow Privileged, define PSP to limit which Pods run in privileged mode. If you are implementing PSP for privileged pods, you must enable Allow Privileged mode. For more information, see Enabling and Configuring Pod Security Policies.

Object Store

You need to provide an object store for Velero backups. Velero supports a number of object store providers. Minio is an S3-compatible object store that is easy to install and use. This documentation uses the Minio server installed on a Linux VM as the backup destination for the example scenarios.

Velero CLI

To perform Velero backup and recovery, you install the Velero CLI on a client VM. This can be the TKGI client VM or an administrator laptop.

Velero Version

Refer to the Release Notes for the supported Velero version.

Air-Gapped Environment

When you run the Velero CLI to install Velero on the Kubernetes cluster, Velero and Restic pods are deployed to the cluster. To install the prods, the instructions assume that the cluster environment has internet access, including the client where the Velero CLI is installed as well as the Kubernetes cluster. In case the environment has no internet access, you use can use a private container registry to install Velero pods onto the target cluster. See Air-gapped deployments.


Please send any feedback you have to pks-feedback@pivotal.io.