Completing the Guided Setup for Kubernetes

Use the Kubernetes guided setup to add the Kubernetes cluster that you want to protect to Commvault. The best way to ensure that the entire cluster is protected entails exiting the guided setup at step 4, "Add Application Group". This topic documents how to do that.

About the "Default" Application Group and Namespace-Centric Protection

When you exit the guided setup at step 4, "Add Application Group", an application group named "default" is created. The default application group uses the recommended namespace-centric protection method to protect your entire cluster.

Default application groups that were created before Commvault Platform Release 2022E use application-centric protection. After upgrading your CommServe server, MediaAgents, and Kubernetes access nodes to Commvault Platform Release 2022E, existing default application groups are automatically upgraded to use namespace-centric protection.

A default application group can be created only when you add a cluster to Commvault. After you add a cluster, you can't create a default application group for the cluster.

Verify That Your Environment Is Ready

• Verify that the cluster is running a supported distribution and release.

• Before you add the cluster, validate your Kubernetes environment.

• To add the cluster, you must have the following:

  • At least one access node that meets the requirements. Access nodes run backups and other operations.

  • A Kubernetes service account and token for the cluster that meet the requirements.

Identify a Service Account

Identify a service account that Commvault can use to perform data management operations. You can use an existing service account or create a new one.

Use an Existing Service Account

1. To list the existing service accounts on the cluster, run the following command:

   kubectl get sa -A

2. To get the token for a service account, run the following command:

    
   kubectl describe sa service_account_name [ -n namespace]

3. To extract the secret for the token, run the following command:

    
   kubectl get secrets -n namespace -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='service_account_name')].data.token}"| base64 --decode

   Example command:

   kubectl get secrets -n default -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='cvbackup')].data.token}"|base64 --decode

   Example output:

   eyJhbGciOiJSUzI1NiIsImtpZCI6ImZWeFBuS3pHZk1HNHk3S19Ja3dRV0xrT05iQ05jVEZrQURYSmtDWGU2c2MifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImN2YmFja3VwLXRva2VuLXE0OHNzIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImN2YmFja3VwIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiODI4ZDYwNzgtOWU5MS00MzljLTg5NjUtYWY0YjU0ZjliNmY5Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6Y3ZiYWNrdXAifQ.thssaep0B_4gGd3baESAt2YMCuSQr5sG67F04r1Rh0LFd0vu6wLytoXqu1W9SiGhSDY4I-Tyw3WfJyoZ9PuQyauYPLJsGPMzKVaXaW_Ivz9QOM6mzCr5BYfzjB8ZiSKaxCRAn-pu9gNfJAoRL9mHtm8LhBQUerFYLtp9DtVmq_bPPbdMjFOsR2x3s3ueUptaIKW2vjmkpYQNkW_Xi0O_gbfPhM4Z0s1_vaPH3i8OGPNF7xSGD59YF7IiG3CtaFepN0p_zKV-p_bdmZZvOBc_86BToHamZyJSiF7m2RB2tB4ztqo6GjC_fK6Fg30Ls_XlPW-YSA-teXuXJ3hy29KFCg

Create a Service Account

If you don't already have a service account, run the following commands to create a new service account with a ClusterRoleBinding. For more information, see Creating a Kubernetes Custom ClusterRole and Service Account for Commvault.

1. Create the account.

   • Command to run:

      
     kubectl create sa service_account_name

   • Example command for creating a cluster-wide account on Azure Kubernetes Service (AKS):

     k8admin@Azure:~$ kubectl create sa cvbackup

   • Example output:

     serviceaccount/cvbackup created

2. Create a ClusterRoleBinding for the service account.

   • Command to run:

      
     kubectl create clusterrolebinding clusterrolebinding_name --clusterrole=cluster-admin --serviceaccount=namespace:serviceaccount_name

   • Example command:

     kubectl create clusterrolebinding default-sa-crb --clusterrole=cluster-admin --serviceaccount=default:cvbackup

   • Example output:

     clusterrolebinding.rbac.authorization.k8s.io/default-sa-crb created

3. If your cluster is Kubernetes 1.24 or a more recent release, create a secret for the service account by running the following command (because these releases do not create a secret when you create a service account):

    
   cat << EOF | kubectl create -f -
   apiVersion: v1
   kind: Secret
   metadata:
     name: secret_name
     namespace: service_account_namespace
     annotations:
       kubernetes.io/service-account.name: service_account_name
   type: kubernetes.io/service-account-token
   EOF

   where

   • secret_name = cvbackup

   • service_account_namespace = default

   • service_account_name = cvbackup

4. Get the service account token.

   • Example command to get the service account token for the service account that you created:

     kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='cvbackup')].data.token}"|base64 --decode

   • Example output:

     eyJhbGciOiJSUzI1NiIsImtpZCI6InVlSkZTWF9feV9KR1lVZUR4a01PcTltbUdWdmlYdGVselU1aDZGX2VGV28ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImN2YmFja3VwLXRva2VuLTh6aGdjIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImN2YmFja3VwIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiODliYTM1NzEtMzdiNC00ZGM3LTlkMDItNGYyYzhiYTQ5MDhiIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6Y3ZiYWNrdXAifQ.i8BNk__E4qGWNMSi2KsVzbx1rbcn09U6J6MRsJThLIq6vfDDnjY8LafUt7Udqu2kHleIgS_MCqyD9PogZODfErO0cWCo8p4LUztI0agcOtOFj555RFQmmBH3fON-o08JBpmXGBCRXYY4rf-B5pKzjRF_8ywKCwMRxE9ET1OyHItx063uRCSxYHnnrslDLNjL2nQDgI7AdWTYrbK-IrROr5BAuJNr7hD3jQ2Fl6gmBdBSa5RZAXaBz4zGT6AK0rKefbbOeEHQEGj4hoxxA6mr00RO-IRWfa39ibUQSr3x-Frw3iy_M8V9-Wuw-v-de2808RboOaEFwSd4i3xyDT6-M7XwZmobBW6suppORbW6QVS3Rvqj1qtetyFOZ9inp8oZe5vQNMmzHkmenpnB6PjxHM2wssSjJ9YRB50_FAnlpMLT5WNpSzcg32jsLT9KKgYKeh1qbiXt1Ya62oeQKQnbrEzzKz8nqLFY-Tw6vqbhhUA9ZJ0Hasf3hX1kckiQXuVgLOnA5ZLU1gFqOgmMjtAOYKupahpNAjyjz71rBXwaXhO39goiHfIdc_1ivEvbL0D1KI7twBdDBfeRK_FSoM-RAZNYF6x_oIF83kNpk-wk9qRhWwe6XeJvYMZrqSqwtY07oY-VpJhb5wKQbI3wYjQdjTUBqCivSbvAj5drrKVNR5A

Go to the Guided Setup

1. From the navigation pane, go to Guided setup.

   The Welcome page appears.

2. On the Protect tab, at the bottom of the page, click More.

3. Click the Kubernetes tile, and then select Configure.

   The Access Node page of the guided setup appears.

Select Access Nodes

Access nodes run backups and other operations.

1. From the Access nodes list, select the access nodes to use for the cluster.

   To ensure high availability for data management operations, select multiple access nodes. With multiple access nodes, Commvault performs load balancing and automatically recovers from access node outages. For optimal performance of data management operations, select access nodes that have a round trip time (RTT) between the access nodes and the Kubernetes cluster of less than 1 millisecond.

   To have the Commvault software automatically select access nodes, select the Automatic option. For information, see Automatic Access Node Selection for Virtualization.

2. To add a Windows x86 64-bit Windows access node, click the add button .

   The Commvault software downloads and installs the Virtual Server package that is required for Kubernetes access nodes.

   To add a Linux access node, see Adding an Access Node for Kubernetes.

3. If the access nodes that you want to select are not listed, click the refresh button .

4. Click Next.

   The Plan page of the guided setup appears.

Select a Server Plan

After you exit the guided setup at step 4, "Add Application Group", your selection of a server plan is not preserved. Later in this topic, you will select a server plan again, for the default application group that is created. If you create a new server plan at this point in the guided setup, you can select that server plan.

1. Select the server plan to back up the cluster and applications.

   If you don't already have a server plan that you can use, to create one, click the add button .

2. Click Next.

   The Add Cluster page of the guided setup appears.

Add the Cluster

Specify the Kubernetes API server (control plane endpoint) and the service account for the cluster.

1. In the Kubernetes API server box, enter the API server URL and port number in the following format:

   https://servername:port

   To get the URL, run the following command:

   kubectl cluster-info

   In the following example output, the Kubernetes control plane is running at https://k8s-123-4.your.domain:6443, so you would enter https://k8s-123-4.your.domain:6443 in the Kubernetes API server box.

   If your control plane is running on port 443, you don't have to include the port number.

    
   Kubernetes control plane is running at https://k8s-123-4.your.domain:6443
   CoreDNS is running at https://k8s-123-4.your.domain:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

2. In Name, enter a descriptive name for the cluster.

3. For Authentication Type, leave Service account selected.

4. In Service account, enter the name of a service account to access the cluster for backups and other operations.

5. In Service token, enter the service account token.

6. If you want to verify that you selected the correct access nodes and server plan for the cluster, click the Previous button.

   After you click Next, you the Commvault software adds the cluster, and you can't change the access nodes or server plan until after you complete the configuration wizard.

7. Click Next.

   The Commvault software adds the cluster. To view the cluster, go to Protect > Kubernetes.

   The Add Application Group page appears.

   Note

   If you receive an "Unable to create a cluster with the details provided" error, do the following:

   • Verify that you entered the API server endpoint, service account, and service account token values correctly.

   • Verify that the access nodes you selected can access the API server endpoint. To check connectivity to the endpoint for an access node, log onto the access node, and then—using a browser or curl—connect to the kube-apiserver endpoint.

Exit the Guided Setup to Create a Default Application Group

The best way to ensure that the entire cluster is protected is to exit the guided setup at this point. When you exit the guided setup, the Commvault software creates a "default" application group that uses namespace-centric protection to protect the entire cluster.

1. On the Add Application group page, click Cancel.

   A confirmation message appears.

2. Click Exit Wizard.

   The cluster is added to the Commvault software, and an application group named "default" is created.

   The cluster overview page appears.

Select a Server Plan for the Default Application Group

You must assign a server plan to the default application group so that backups will run as specified by the server plan.

You can use region-based storage with Kubernetes. If you use region-based storage, you must update the Workload region setting for the cluster.

1. On the cluster overview page, click the Application groups tab.

2. Click the default application group.

   The default application group overview page appears.

3. In the Summary section, for Plan, click Edit, and then select the server plan that you want to use for the application group.

Perform a Test Backup and Restore

Scheduled backups run according to the server plan that you selected. To verify that data protection operations can complete successfully, perform an on-demand test backup and restore.

1. On the Application groups tab of the cluster page, in the row for the application group, click the action button , and then select Back up.

   The Select backup level dialog box appears.

2. Leave Incremental selected.

   If no full backup exists, Commvault automatically performs a full backup.

3. Click OK.

4. After the backup completes, on the Application groups tab, in the row for the application group, click the action button , and then click Restore.

   The Select restore type page appears.

5. Select Namespace and cluster level so that all API resources in the application namespace are restored.

   The other restore types are as follows:

   • To restore application files and folders, select Application files.

   • To restore application manifests (YAML), select Application manifests.

   • To restore applications, select Full application.

   The Restore page appears.

6. Select the namespaces to restore.

   The Size column shows the protected size of any persistent storage (PersistsentVolumeClaims) within the namespace. For stateless applications, the Size column shows 0 B.

   The Modified column shows the date and time of the most recent backup time, in the local time of the CommServe server.

7. Click Restore.

   The Restore options dialog box appears.

8. For Type, select In place.

   The In place option restores the namespaces to the original cluster.

9. Move the Unconditionally overwrite if it already exists toggle key to the right.

   A confirmation message appears.

   Caution

   Commvault deletes the existing namespace and/or applications before restoring the data.

10. To accept the risk and continue, click Yes.

11. Click Submit.

Related Topics

For more information, see the following:

• Adding a Kubernetes Cluster

• Adding an Access Node for Kubernetes

• Creating a Server Plan

• Creating an Application Group for Kubernetes