When you update a Kubernetes cluster, you can update many settings, including etcd backups, roles and permissions, and access nodes.
After you add a cluster to Commvault, you cannot modify the Kubernetes API server URL. To modify the URL, delete the cluster from Commvault, and then add it again.
Go to the Cluster
-
From the navigation pane, go to Protect > Kubernetes.
The Overview page appears.
-
On the Clusters tab, click the cluster.
The cluster page appears.
Modify the Service Account or Service Account Token
Commvault validates the service account and service account token with one of the access nodes that is configured for the cluster. If the access node cannot authenticate with the provided credentials, an error occurs and the changes are not saved.
-
On the Overview tab, in the upper-right area of the General section, click the edit button.
The Edit cluster details dialog box appears.
-
Modify the service account or service account token.
-
Click Save.
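A local pre-check of a token before you enter it, shown as an added example (not Commvault code): it decodes the JWT payload of a Kubernetes service account token to report which service account it names and whether it has expired. The signature is not verified, so the access node validation described above remains the real test; the namespace and account names in the sample are constructed.

```python
import base64
import json
import time
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_sa_token(token: str, now: Optional[float] = None) -> dict:
    """Decode (NOT verify) a service account JWT and summarise its claims."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    sub = claims.get("sub", "")
    prefix = "system:serviceaccount:"
    if not sub.startswith(prefix) or sub.count(":") != 3:
        raise ValueError(f"subject is not a service account: {sub!r}")
    namespace, name = sub[len(prefix):].split(":")
    exp = claims.get("exp")  # absent on legacy Secret-based tokens
    now = time.time() if now is None else now
    return {
        "namespace": namespace,
        "name": name,
        "expires": exp,
        "expired": exp is not None and exp <= now,
        "long_lived": exp is None,  # never expires; rotate it deliberately
    }


def make_sample_token(claims: dict) -> str:
    # Constructed sample only: unsigned, with a dummy signature segment.
    def enc(b: bytes) -> str:
        return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(b'{"alg":"RS256"}'), enc(json.dumps(claims).encode()), "c2ln"])


if __name__ == "__main__":
    # Hypothetical namespace "cv-backup" and service account "cvbackup".
    sample = make_sample_token(
        {"sub": "system:serviceaccount:cv-backup:cvbackup", "exp": 1700000000}
    )
    print(inspect_sa_token(sample, now=1800000000))
```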
Modify the Workload Region
The workload region determines where the backups are stored and replicated, based on the location of the Kubernetes cluster and applications.
-
On the Overview tab, in the General section, for Workload region, click the edit button.
-
Select the region.
-
Click Save.
Disable Backups, Temporarily or Indefinitely
When backups are disabled, the cluster is not included in SLA calculations.
You can also disable backups for individual application groups and applications.
-
On the Configuration tab, in the Activity control section, move the Data backup toggle to the left.
An Enable after a delay link appears.
-
To enable backups again after a delay, click the Enable after a delay link, and then enter the amount of time to delay.
Disable Restores, Temporarily or Indefinitely
If you disable restores, applications and other data cannot be restored.
You can also disable restores for individual applications (but not for application groups).
Note
Disabling restores does not prevent the administrator from attempting a restore, but the restore fails with a "Data activity disabled for client" message.
-
On the Configuration tab, in the Activity control section, move the Data restore toggle to the left.
An Enable after a delay link appears.
-
To enable restores again after a delay, click the Enable after a delay link, and then enter the amount of time to delay.
Enable etcd Backups
For detailed information about etcd backups, see Enabling Kubernetes etcd Key Value Store Backups.
-
On the Configuration tab, in the etcd protection section, move the etcd protection toggle to the right.
The etcd protection backup plan dialog box appears.
-
From the Plan list, select the backup plan to use for the etcd (system generated) application group that the Commvault software will create to protect etcd.
-
Click Save.
Create Resource Modifiers
You can use resource modifiers to add, delete, and modify fields in the Kubernetes resource YAMLs that you restore. Resource modifiers are useful when you need to modify the restore content to match the destination environment. For information, see Creating Reusable Resource Modifiers for Kubernetes.
Configure Restore Exclusions
You can exclude Kubernetes applications or resources from an application group so that they are not backed up. Applications are supported API resources or objects (such as Secrets, ConfigMaps, Namespaces, and StorageClasses) that can be listed, created, or re-created using the Kubernetes API server.
-
On the Configuration tab, in the Advanced options section, for Restore exclusions, click Configure.
The Restore exclusions dialog box appears.
-
From the Filter list, select an existing restore filter or click the Add new filter + option.
If you add a new resource filter during a restore operation, it is added to the cv-config namespace.
Note
Commvault needs the cv-config namespace and a custom CRD, cvresourcefilters.k8s.cv.io, to be present on the cluster. If the namespace and CRD are not present, when you create your resource filter, the software automatically creates a new namespace called cv-config and deploys a new CustomResourceDefinition (CRD) to your cluster.
-
In the Exclusions area, from the Exclude list, select Exclude by rule.
The Add rule dialog box appears.
-
Configure the rule(s) based on the resource Kind, Group, Version, Namespace, and Name.
To exclude sub-resources that match the rule criteria, move the Exclude dependencies toggle to the right.
-
Click Save.
Specify a Different Image Registry (Such as for an Air-Gapped Cluster)
To perform backups and other operations for Kubernetes, Commvault pulls a Docker image for a temporary worker pod that performs data movement. For more information, see "Docker Hub" in System Requirements for Kubernetes.
If your Kubernetes cluster does not have external connectivity, you can download the Docker image and push it to your private container registry. For an example process for setting up a private registry server, see "Deploy a registry server" in the Docker docs.
Important
If you use a private container registry, implement regular security scanning. If vulnerabilities are found, update the image.
Commvault is committed to the security of your data and ensures that the Docker image that the Commvault software uses is scanned with Clair before each release and that no critical security vulnerabilities exist in the image.
Procedure
-
On the Configuration tab, in the Advanced options section, for Image registry settings, click the edit button.
The Image registry settings dialog box appears.
-
In Image registry URL, enter the private container registry URL.
-
If you pull from a private registry, in Image pull secret, enter the image pull secret.
-
Click Save.
Results
Starting with the next backup, Commvault downloads the worker pod container image from your private container registry.
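A mismatch between the registry URL and the pull secret only surfaces when the worker pod fails to pull its image, so it is worth checking the secret first. The following is an added example (not Commvault code) that assumes the image pull secret is a Kubernetes Secret of type kubernetes.io/dockerconfigjson, exported as JSON; the registry host and credentials are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlsplit


def registry_host(url: str) -> str:
    # Accept "registry.example.internal:5000/path" with or without a scheme.
    parts = urlsplit(url if "://" in url else "//" + url)
    return parts.netloc.lower()


def check_pull_secret(secret: dict, registry_url: str) -> list:
    """Return a list of problems; an empty list means the secret looks usable."""
    problems = []
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        problems.append("secret type is not kubernetes.io/dockerconfigjson")
    raw = secret.get("data", {}).get(".dockerconfigjson")
    if raw is None:
        return problems + ["missing .dockerconfigjson key"]
    try:
        auths = json.loads(base64.b64decode(raw)).get("auths", {})
    except ValueError:  # covers bad base64, bad JSON and bad UTF-8
        return problems + [".dockerconfigjson is not base64-encoded JSON"]
    wanted = registry_host(registry_url)
    entry = next((v for k, v in auths.items() if registry_host(k) == wanted), None)
    if entry is None:
        return problems + [f"no credentials for {wanted}"]
    if "auth" in entry:  # "auth" is base64("username:password")
        user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
    else:
        user, password = entry.get("username", ""), entry.get("password", "")
    if not user or not password:
        problems.append(f"empty username or password for {wanted}")
    return problems


def make_sample_secret(host: str, user: str, password: str) -> dict:
    # Constructed sample manifest; host and credentials are placeholders.
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    cfg = json.dumps({"auths": {host: {"auth": auth}}}).encode()
    return {"type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": base64.b64encode(cfg).decode()}}


if __name__ == "__main__":
    s = make_sample_secret("registry.example.internal:5000", "puller", "example-password")
    print(check_pull_secret(s, "https://registry.example.internal:5000/commvault"))
    print(check_pull_secret(s, "other.example.internal"))
```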
Configuring a Namespace for Commvault Resources
You can configure a namespace where Commvault resources such as resource modifiers, CvTasks, and CvTaskSets are created.
By default, resource modifiers, CvTasks, and CvTaskSets are created in a namespace called "cv-config".
Procedure
-
On the Configuration tab, in the Advanced options section, for Configuration namespace, click the edit button.
-
Enter the name of the namespace.
-
Click Submit.
Results
Resources such as resource modifiers and pre- and post-script resources (CvTaskSet, CvTask) are created in, and fetched from, this configuration namespace.
Increasing the Time That Commvault Temporary Pods Wait for Kubernetes Activities
You can increase the amount of time that Commvault temporary pods wait for Kubernetes activities to complete so that backups and other operations do not time out or fail. This adjustment is helpful in large-scale Kubernetes clusters and managed cloud environments where system load can delay the time to create storage snapshots or to schedule temporary Commvault worker pods.
-
On the Configuration tab, in the Advanced options section, for Wait timeout for job steps, click the edit button.
-
Specify the settings as follows:
- Snapshot cleanup: The time in minutes to wait after the volumesnapshot is deleted. For example, enter 5.
- Cluster resource cleanup: The time in minutes to wait for the resources that are created on the cluster to be deleted. For example, enter 3.
- Snapshot ready: The time in minutes to wait for the volume snapshot to be readyToUse=true before exiting. For example, enter 5.
- Worker pod startup: The time in minutes to wait for the worker pod to be in the running state. For example, enter 1.
-
Click Save.
Modify the Access Nodes
- On the Configuration tab, in the Access node section, click Actions > Edit, and then select the access nodes or access node groups to use for the cluster.
Assign Roles to Users or User Groups
To allow a user or user group to perform data management operations on a cluster, create a security association between the user or user group and one of the following pre-defined roles:
-
View: Provide read-only access to application group configuration, job history, and reporting data
-
VM End User: Provide self-service backup and recovery, both in place and out of place
Procedure
-
On the Configuration tab, in the Security section, click the edit button.
The Security dialog box appears.
-
On the Associations tab, enter the name of the user or user group, select the role to assign, and then click Add.
-
Click Save.
Related Topics
-
For information about roles, see Roles Overview.
-
For information about operating multi-tenanted Commvault environments with tenant admins and tenant users, see Multi-Tenanted Environments with Kubernetes.
Assign Owners and Permissions
In multi-tenanted environments, you can assign an end user to be an owner for individual containerized applications, and then the owner can log on to their applications to perform backup, recovery, and reporting.
Procedure
-
On the Configuration tab, in the Security section, click Edit.
The Security dialog box appears.
-
On the Owners tab, enter the name of the user or user group to assign as an owner.
-
Under Permissions, select the permissions to give to the owner.
-
Click Save.
Related Topics
For more information about permissions, see User Permissions for Kubernetes Operations.
Modify the Tags
You can create and apply tags to a cluster. A tag is a key and an optional value that you can use to categorize clusters. Tags are useful for managing and reporting in large environments.
Note
On the Clusters page, the Tags column shows "No tags", even for clusters that have tags. To view the tags for a cluster, go to the cluster properties page. This is a known issue.
Before You Begin
You must have the Tag Management permission.
Procedure
-
On the Configuration tab, in the Tags section, click the edit button.
The Manage tags dialog box appears.
-
In Tag name, enter a name for the tag.
-
To assign a value, in Tag value, enter the value.
-
Click Save.
Related Topics
-
For information about known issues, see Restrictions and Known Issues for Kubernetes.
-
For information about permissions for roles, see Managing Roles.