Kubernetes Backup and Restore: Install Velero on AWS


3 min read | by Jordi Prats

Velero is an open-source tool that helps you back up, restore, and migrate Kubernetes resources and volumes. It provides a simple and reliable way to protect your Kubernetes applications and data from data loss or disasters. Although Velero supports multiple cloud providers, in this post we are only going to see how to install it on AWS, both using IRSA and using an IAM user's static credentials.

AWS permissions

In order to allow Velero to handle snapshots (for PersistentVolumes) and to back up data to an S3 bucket, we'll need to grant the following permissions, replacing BUCKET_NAME with the S3 bucket we want to use:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME"
      ]
    }
  ]
}
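The value of this policy is that the S3 actions are pinned to one bucket and nothing carries a wildcard action. The following is an added Python example (not from the post or the Velero project) that audits a policy document for exactly that shape; the bucket name and the over-broad counter-example are constructed for illustration.

```python
"""Least-privilege audit of the Velero IAM policy shown in the post (added example)."""
import json

# The actions the post's policy grants, grouped by the resource scope each needs.
S3_OBJECT_ACTIONS = {"s3:GetObject", "s3:DeleteObject", "s3:PutObject",
                     "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"}
S3_BUCKET_ACTIONS = {"s3:ListBucket"}
EC2_ACTIONS = {"ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ec2:CreateTags",
               "ec2:CreateVolume", "ec2:CreateSnapshot", "ec2:DeleteSnapshot"}
ALLOWED = S3_OBJECT_ACTIONS | S3_BUCKET_ACTIONS | EC2_ACTIONS


def _as_list(value):
    # IAM accepts both a single string and a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def audit_velero_policy(policy_json, bucket):
    """Return findings as strings; an empty list means every Allow statement
    grants only actions Velero needs, with S3 access scoped to `bucket`."""
    object_arn, bucket_arn = f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"
    findings = []
    for n, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        resources = _as_list(stmt["Resource"])
        for action in _as_list(stmt["Action"]):
            if "*" in action:
                findings.append(f"stmt {n}: wildcard action {action}")
            elif action not in ALLOWED:
                findings.append(f"stmt {n}: {action} is not needed by Velero")
            elif action in S3_OBJECT_ACTIONS and resources != [object_arn]:
                findings.append(f"stmt {n}: {action} must be scoped to {object_arn}")
            elif action in S3_BUCKET_ACTIONS and resources != [bucket_arn]:
                findings.append(f"stmt {n}: {action} must be scoped to {bucket_arn}")
    return findings


# The post's policy, with a constructed bucket name substituted for BUCKET_NAME.
BUCKET = "velero-backups-example"
VELERO_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(EC2_ACTIONS), "Resource": "*"},
    {"Effect": "Allow", "Action": sorted(S3_OBJECT_ACTIONS),
     "Resource": [f"arn:aws:s3:::{BUCKET}/*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": [f"arn:aws:s3:::{BUCKET}"]}]})

# Constructed counter-example: the shortcut that grants all S3 actions on every bucket.
OVERBROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]})
```

`audit_velero_policy(VELERO_POLICY, BUCKET)` returns no findings, while the over-broad variant is flagged on its wildcard action.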

AWS IAM user

Assuming we have attached the previous policy to an IAM user, we can configure Velero to use its static credentials by creating an AWS credentials file as follows:

$ cat velero_aws_user_cred
[default]
aws_access_key_id=AACCESSKEY
aws_secret_access_key=SeCr3t

With this file present in the current directory we can use helm to install Velero (after adjusting the bucket name and region to our needs):

helm repo add vmware-tanzu https://vmware-tanzu.github.io/helm-charts
helm install velero vmware-tanzu/velero \
  --namespace velero --create-namespace \
  --set-file 'credentials.secretContents.cloud=./velero_aws_user_cred' \
  --set 'configuration.provider=aws' \
  --set 'configuration.backupStorageLocation.bucket=BUCKET_NAME' \
  --set 'configuration.backupStorageLocation.config.region=us-west-2' \
  --set 'configuration.volumeSnapshotLocation.name=default' \
  --set 'configuration.volumeSnapshotLocation.config.region=us-west-2' \
  --set 'initContainers[0].name=velero-plugin-for-aws' \
  --set 'initContainers[0].image=velero/velero-plugin-for-aws' \
  --set 'initContainers[0].volumeMounts[0].mountPath=/target' \
  --set 'initContainers[0].volumeMounts[0].name=plugins'

The AWS credentials from that file are stored in the velero secret that the chart creates:

$ kubectl get secrets velero -n velero
NAME     TYPE     DATA   AGE
velero   Opaque   1      78s

AWS IAM Role (IRSA)

If we want to use IRSA we'll just need to make sure Velero's ServiceAccount carries the correct annotation. To do so we can use the following command (again updating the region, bucket name and role ARN):

helm repo add vmware-tanzu https://vmware-tanzu.github.io/helm-charts
helm install velero vmware-tanzu/velero \
  --namespace velero --create-namespace \
  --set 'configuration.provider=aws' \
  --set 'serviceAccount.server.annotations.eks\.amazonaws\.com/role-arn=arn:aws:iam::<AWS_ACCOUNT_ID>:role/<IAM_ROLE_NAME>' \
  --set 'configuration.backupStorageLocation.bucket=S3_BUCKET' \
  --set 'configuration.backupStorageLocation.config.region=us-west-2' \
  --set 'configuration.volumeSnapshotLocation.name=default' \
  --set 'configuration.volumeSnapshotLocation.config.region=us-west-2' \
  --set 'initContainers[0].name=velero-plugin-for-aws' \
  --set 'initContainers[0].image=velero/velero-plugin-for-aws' \
  --set 'initContainers[0].volumeMounts[0].mountPath=/target' \
  --set 'initContainers[0].volumeMounts[0].name=plugins'

This will annotate Velero's ServiceAccount to use the role ARN we are setting:

$ kubectl describe sa velero-server
Name:                velero-server
Namespace:           velero
Labels:              app.kubernetes.io/instance=velero
                     app.kubernetes.io/managed-by=Helm
                     app.kubernetes.io/name=velero
                     helm.sh/chart=velero-3.1.6
Annotations:         eks.amazonaws.com/role-arn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/<IAM_ROLE_NAME>
                     meta.helm.sh/release-name: velero
                     meta.helm.sh/release-namespace: velero
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              <none>
Events:              <none>

Conclusion

Both methods provide secure authentication for Velero to interact with AWS services: an IAM user gives fine-grained control over permissions but requires managing access keys, while an IAM role (IRSA) offers a more secure and seamless integration with AWS services but requires additional configuration and a trust policy to make it work.

Posted on 12/04/2023