Completing the Guided Setup for Kubernetes

Updated

Use the Kubernetes guided setup to add the Kubernetes cluster that you want to protect to Commvault. The best way to ensure that the entire cluster is protected entails exiting the guided setup at step 4, "Add Application Group". This topic documents how to do that.

About the "Default" Application Group and Namespace-Centric Protection

When you exit the guided setup at step 4, "Add Application Group", an application group named "default" is created. The default application group uses the recommended namespace-centric protection method to protect your entire cluster.

Default application groups that were created before Commvault Platform Release 2022E use application-centric protection. After upgrading your CommServe server, MediaAgents, and Kubernetes access nodes to Commvault Platform Release 2022E, existing default application groups are automatically upgraded to use namespace-centric protection.

A default application group can be created only when you add a cluster to Commvault. After you add a cluster, you can't create a default application group for the cluster.

Verify That Your Environment Is Ready

Identify a Service Account

Identify a service account that Commvault can use to perform data management operations. You can use an existing service account or create a new one.

Use an Existing Service Account

  1. To list the existing service accounts on the cluster, run the following command:

    kubectl get sa -A
  2. To get the token for a service account, run the following command:

    kubectl describe sa service_account_name [ -n namespace]
  3. To extract the secret for the token, run the following command:

    kubectl get secrets -n namespace -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='service_account_name')].data.token}"| base64 --decode

    Example command:

    kubectl get secrets -n default -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='cvbackup')].data.token}"|base64 --decode

    Example output:

    eyJhbGciOiJSUzI1NiIsImtpZCI6ImZWeFBuS3pHZk1HNHk3S19Ja3dRV0xrT05iQ05jVEZrQURYSmtDWGU2c2MifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImN2YmFja3VwLXRva2VuLXE0OHNzIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImN2YmFja3VwIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiODI4ZDYwNzgtOWU5MS00MzljLTg5NjUtYWY0YjU0ZjliNmY5Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6Y3ZiYWNrdXAifQ.thssaep0B_4gGd3baESAt2YMCuSQr5sG67F04r1Rh0LFd0vu6wLytoXqu1W9SiGhSDY4I-Tyw3WfJyoZ9PuQyauYPLJsGPMzKVaXaW_Ivz9QOM6mzCr5BYfzjB8ZiSKaxCRAn-pu9gNfJAoRL9mHtm8LhBQUerFYLtp9DtVmq_bPPbdMjFOsR2x3s3ueUptaIKW2vjmkpYQNkW_Xi0O_gbfPhM4Z0s1_vaPH3i8OGPNF7xSGD59YF7IiG3CtaFepN0p_zKV-p_bdmZZvOBc_86BToHamZyJSiF7m2RB2tB4ztqo6GjC_fK6Fg30Ls_XlPW-YSA-teXuXJ3hy29KFCg

Create a Service Account

If you don't already have a service account, run the following commands to create a new service account with a ClusterRoleBinding. For more information, see Creating a Kubernetes Custom ClusterRole and Service Account for Commvault.

  1. Create the account.

    • Command to run:

      kubectl create sa service_account_name
    • Example command for creating a cluster-wide account on Azure Kubernetes Service (AKS):

      k8admin@Azure:~$ kubectl create sa cvbackup 
    • Example output:

      serviceaccount/cvbackup created
  2. Create a ClusterRoleBinding for the service account.

    • Command to run:

      kubectl create clusterrolebinding clusterrolebinding_name --clusterrole=cluster-admin --serviceaccount=namespace:serviceaccount_name
    • Example command:

      $ kubectl create clusterrolebinding default-sa-crb --clusterrole=cluster-admin --serviceaccount=default:cvbackup
    • Example output:

      clusterrolebinding.rbac.authorization.k8s.io/default-sa-crb created
  3. If your cluster is Kubernetes 1.24 or a more recent release, create a secret for the service account by running the following command:

    $cat << EOF | kubectl create -f -

    apiVersion: v1

    kind: Secret

    metadata:

    name: secret_name

    annotations:

    kubernetes.io/service-account.name: service_account_name

    type: kubernetes.io/service-account-token

    EOF

    Kubernetes 1.24 and more recent releases do not create a secret when you create a service account.

  4. Get the service account token.

    • Example command to get the service account token for the service account that you created:

      k8admin@Azure:~$ kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='cvbackup')].data.token}"|base64 --decode
    • Example output:

      eyJhbGciOiJSUzI1NiIsImtpZCI6InVlSkZTWF9feV9KR1lVZUR4a01PcTltbUdWdmlYdGVselU1aDZGX2VGV28ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImN2YmFja3VwLXRva2VuLTh6aGdjIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImN2YmFja3VwIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiODliYTM1NzEtMzdiNC00ZGM3LTlkMDItNGYyYzhiYTQ5MDhiIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6Y3ZiYWNrdXAifQ.i8BNk__E4qGWNMSi2KsVzbx1rbcn09U6J6MRsJThLIq6vfDDnjY8LafUt7Udqu2kHleIgS_MCqyD9PogZODfErO0cWCo8p4LUztI0agcOtOFj555RFQmmBH3fON-o08JBpmXGBCRXYY4rf-B5pKzjRF_8ywKCwMRxE9ET1OyHItx063uRCSxYHnnrslDLNjL2nQDgI7AdWTYrbK-IrROr5BAuJNr7hD3jQ2Fl6gmBdBSa5RZAXaBz4zGT6AK0rKefbbOeEHQEGj4hoxxA6mr00RO-IRWfa39ibUQSr3x-Frw3iy_M8V9-Wuw-v-de2808RboOaEFwSd4i3xyDT6-M7XwZmobBW6suppORbW6QVS3Rvqj1qtetyFOZ9inp8oZe5vQNMmzHkmenpnB6PjxHM2wssSjJ9YRB50_FAnlpMLT5WNpSzcg32jsLT9KKgYKeh1qbiXt1Ya62oeQKQnbrEzzKz8nqLFY-Tw6vqbhhUA9ZJ0Hasf3hX1kckiQXuVgLOnA5ZLU1gFqOgmMjtAOYKupahpNAjyjz71rBXwaXhO39goiHfIdc_1ivEvbL0D1KI7twBdDBfeRK_FSoM-RAZNYF6x_oIF83kNpk-wk9qRhWwe6XeJvYMZrqSqwtY07oY-VpJhb5wKQbI3wYjQdjTUBqCivSbvAj5drrKVNR5A

Go to the Guided Setup

  1. From the navigation pane, go to Guided setup.

    The Welcome page appears.

  2. On the Protect tab, at the bottom of the page, click More.

  3. Click the Kubernetes tile, and then select Configure.

    The access node page of the guided setup appears.

Select Access Nodes

Access nodes are virtual machines, cloud instances, or physical servers that run backups and other operations.

  1. From the Access nodes list, select the access nodes to use for the cluster.

    To ensure high availability for data management operations, select multiple access nodes. With multiple access nodes, Commvault performs load balancing and automatically recovers from access node outages. For optimal performance of data management operations, select access nodes that have a round trip time (RTT) between the access nodes and the Kubernetes cluster of less than 1 millisecond.

  2. To add a Windows x86 64-bit Windows access node, click the add button .

    The Commvault software downloads and installs the Virtual Server package that is required for Kubernetes access nodes.

    To add a Linux access node, see Adding an Access Node for Kubernetes.

  3. If the access nodes that you want to select are not listed, click the refresh button .

  4. Click Next.

    The Select Plan page appears.

Select a Server Plan

After you exit the guided setup at step 4, "Add Application Group", your selection of a server plan is not preserved. Later in this topic, you will select a server plan again, for the default application group that is created. If you create a new server plan at this point in the guided setup, you can select that server plan.

  1. Select the server plan to back up the cluster and applications.

    If you don't already have a server plan that you can use, to create one, click the add button .

  2. Click Next.

    The Add Application Group page appears.

Add the Cluster

Specify the Kubernetes API server (control plane endpoint) and the service account for the cluster.

  1. In the Kubernetes API server box, enter the API server URL and port number in the following format:

    https://servername:port

    To get the URL, run the following command:

    kubectl cluster-info

    In the following example output, the Kubernetes control plane is running at https://k8s-123-4.your.domain:6443, so you would enter https://k8s-123-4.your.domain:6443 in the Kubernetes API server box.

    If your control plane is running on port 443, you don't have to include the port number.

    Kubernetes control plane is running at https://k8s-123-4.your.domain:6443

    CoreDNS is running at https://k8s-123-4.your.domain:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
  2. In Name, enter a descriptive name for the cluster.

  3. For Authentication Type, leave Service account selected.

  4. In Service account, enter the name of a service account to access the cluster for backups and other operations.

  5. In Service token, enter the service account token.

  6. If you want to verify that you selected the correct access nodes and server plan for the cluster, click the Previous button.

    After you click Next, you the Commvault software adds the cluster, and you can't change the access nodes or server plan until after you complete the guided setup.

  7. Click Next.

    The Commvault software adds the cluster. To view the cluster, go to Protect > Kubernetes.

    The Add Application Group page appears.

    Note: If you receive an "Unable to create a cluster with the details provided" error, do the following:

    • Verify that you entered the API server endpoint, service account, and service account token values correctly.

    • Verify that the access nodes you selected can access the API server endpoint. To check connectivity to the endpoint for an access node, log onto the access node, and then—using a browser or curl—connect to the kube-apiserver endpoint.

Exit the Guided Setup to Create a Default Application Group

The best way to ensure that the entire cluster is protected is to exit the guided setup at this point. When you exit the guided setup, the Commvault software creates a "default" application group that uses namespace-centric protection to protect the entire cluster.

  1. On the Add Application group page, click Cancel.

    A confirmation message appears.

  2. Click Exit Wizard.

    The cluster is added to the Commvault software, and an application group named "default" is created.

    The cluster overview page appears.

Select a Server Plan for the Default Application Group

You must assign a server plan to the default application group so that backups will run as specified by the server plan.

You can use region-based storage with Kubernetes. If you use region-based storage, you must update the Workload region setting for the cluster.

  1. On the cluster overview page, click the Application groups tab.

  2. Click the default application group.

    The default application group overview page appears.

  3. In the Summary section, for Plan, click Edit, and then select the server plan that you want to use for the application group.

Perform a Test Backup and Restore

Scheduled backups run according to the server plan that you selected. To verify that data protection operations can complete successfully, perform an on-demand test backup and restore.

  1. On the Application groups tab of the cluster page, in the row for the application group, click the action button , and then select Back up.

    The Select backup level dialog box appears.

  2. Leave Incremental selected.

    If no full backup exists, Commvault automatically performs a full backup.

  3. Click OK.

  4. After the backup completes, on the Application groups tab, in the row for the application group, click the action button , and then click Restore.

    The Select restore type page appears.

  5. Select Namespace and cluster level so that all API resources in the application namespace are restored.

    The other restore types are as follows:

    • To restore application files and folders, select Application files.

    • To restore application manifests (YAML), select Application manifests.

    • To restore applications, select Full application.

      The Restore page appears.

  6. Select the namespaces to restore.

    The Size column shows the protected size of any persistent storage (PersistsentVolumeClaims) within the namespace. For stateless applications, the Size column shows 0 B.

    The Modified column shows the date and time of the most recent backup time, in the local time of the CommServe server.

  7. Click Restore.

    The Restore options dialog box appears.

  8. For Type, select In place.

    The In place option restores the namespaces to the original cluster.

  9. Move the Unconditionally overwrite if it already exists toggle key to the right.

    A confirmation message appears.

    Caution: Commvault deletes the existing namespace and/or applications before restoring the data.

  10. To accept the risk and continue, click Yes.

  11. Click Submit.

For more information, see the following: