Protecting an Air-Gapped Kubernetes Cluster

To protect a Kubernetes cluster that does not have external connectivity, you can add entity settings. You must add the entity settings to all access nodes that require an air-gapped configuration.

To perform backups and other operations for Kubernetes, Commvault pulls a Docker image for a temporary worker pod that performs data movement. For more information, see "Docker Hub" in System Requirements for Kubernetes.

If your Kubernetes cluster does not have external connectivity, you can download the Docker image and push it to your private container registry. For an example process for setting up a private registry server, see Deploy a registry server in the Docker docs.

Important

If you use a private container registry, implement regular security scanning. If vulnerabilities are found, update the image.

Commvault is committed to the security of your data and ensures that the docker image that the Commvault software uses is scanned with Clair before each release and that no critical security vulnerabilities exist in the image.

Before You Begin

Verify that the correct image for your version of Commvault is available in your private container registry:

Commvault release

Docker Hub image

Platform Release 2023 and more recent releases

oraclelinux:9

Platform Release 2022Eā€“Feature Release 24

centos:8

Feature Release 20

debian:stretch-slim

Procedure

  1. From the navigation pane, go to Manage > System.

  2. Click the Settings tile.

    The Settings page appears.

  3. Click Add, and then select Entity settings.

    The Add entity settings dialog box appears.

  4. To all access nodes that require an air-gapped configuration, add the entity settings as follows:

Name

Entity

Category

Type

Value

sK8sUseImageRegistry

The Kubernetes access node

VirtualServer

String

Enter Custom.

sK8sImageRegistryUrl

The Kubernetes access node

VirtualServer

String

Enter the private container registry URL.

For example, enter cvregistry.cv.com:5000.

Do not include a scheme or protocol (HTTP, HTTPS). Commvault uses https:// to access the container registry.

sK8sImageSecretName (optional)

The Kubernetes access node

VirtualServer

String

To authenticate with the image registry, enter the ImagePullSecret for the container.

For example, enter regcred.

sK8sWorkerImageName

The Kubernetes access node

VirtualServer

String

Enter the name of the container image for the Commvault worker pod type.

For example, enter centos:8.

Caution

Use only a supported image, as documented in the preceding "Before You Begin" section.

Do not use a custom container or a hardened container.

Results

Starting with the next backup, the Commvault downloads the worker pod container image from your private container registry.

Loading...