Source: https://learn.microsoft.com/en-us/azure/backup/azure-kubernetes-service-cluster-backup-concept

Azure Kubernetes Service (AKS) backup using Azure Backup prerequisites - Azure Backup

This article describes the prerequisites for Azure Kubernetes Service (AKS) backup.

Azure Backup now allows you to back up AKS clusters (cluster resources and persistent volumes attached to the cluster) using a backup extension, which must be installed in the cluster. The Backup vault communicates with the cluster via this Backup Extension to perform backup and restore operations. Following the least-privilege security model, a Backup vault must have Trusted Access enabled to communicate with the AKS cluster.

Backup Extension

Learn how to manage the operation to install Backup Extension using Azure CLI.

Trusted Access

Many Azure services depend on the clusterAdmin kubeconfig and the publicly accessible kube-apiserver endpoint to access AKS clusters. The AKS Trusted Access feature enables you to bypass the private endpoint restriction. Without using a Microsoft Entra application, this feature enables you to give explicit consent to the system-assigned identity of allowed resources to access your AKS clusters using an Azure resource RoleBinding. The feature allows you to access AKS clusters with different configurations, including but not limited to private clusters, clusters with local accounts disabled, Microsoft Entra ID clusters, and authorized IP range clusters.

Your Azure resources access AKS clusters through the AKS regional gateway using system-assigned managed identity authentication. The managed identity must have the appropriate Kubernetes permissions assigned via an Azure resource role.

For AKS backup, the Backup vault accesses your AKS clusters via Trusted Access to configure backups and restores. The Backup vault is assigned a predefined role Microsoft.DataProtection/backupVaults/backup-operator in the AKS cluster, allowing it to only perform specific backup operations.

Trusted Access must be enabled between the Backup vault and the AKS cluster before backups can be configured. Learn how to enable Trusted Access.
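The two prerequisites above (installing the Backup Extension and binding the Backup vault to the cluster through Trusted Access) can be scripted with Azure CLI. The following is an added example, not code from the Microsoft Learn article or from the AKS Backup product; every resource name and subscription ID in it is a placeholder you must replace. It defaults to a dry run that prints each `az` command so the exact role and extension parameters can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example (not from the article): install the AKS Backup Extension and
# enable Trusted Access for a Backup vault with Azure CLI.
# All names and IDs below are placeholders.
set -eu

# DRY_RUN=1 (default) prints the az commands instead of executing them,
# so the script can be reviewed without an Azure subscription.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Install the Backup Extension in the cluster. The storage account and blob
# container receive cluster resource backups; the Extension identity later
# needs Storage Blob Data Contributor on that storage account.
install_backup_extension() {
  rg="$1"; cluster="$2"; sa_rg="$3"; sa="$4"; container="$5"; sub="$6"
  run az k8s-extension create \
    --name azure-aks-backup \
    --extension-type microsoft.dataprotection.kubernetes \
    --scope cluster \
    --cluster-type managedClusters \
    --cluster-name "$cluster" \
    --resource-group "$rg" \
    --release-train stable \
    --configuration-settings \
      "blobContainer=$container" \
      "storageAccount=$sa" \
      "storageAccountResourceGroup=$sa_rg" \
      "storageAccountSubscriptionId=$sub"
}

# Create the Trusted Access role binding. The vault is granted only the
# predefined backup-operator role on the cluster, not cluster-admin.
enable_trusted_access() {
  rg="$1"; cluster="$2"; vault_id="$3"; binding="${4:-backupvault-binding}"
  run az aks trustedaccess rolebinding create \
    --resource-group "$rg" \
    --cluster-name "$cluster" \
    --name "$binding" \
    --source-resource-id "$vault_id" \
    --roles Microsoft.DataProtection/backupVaults/backup-operator
}

main() {
  # Placeholder values; replace them before running with DRY_RUN=0.
  rg="rg-example"; cluster="aks-example"
  vault_rg="rg-backup"; vault="bv-example"
  sa_rg="rg-storage"; sa="saexample"; container="aksbackups"
  sub="00000000-0000-0000-0000-000000000000"

  install_backup_extension "$rg" "$cluster" "$sa_rg" "$sa" "$container" "$sub"

  # The vault's resource ID can also be looked up with:
  #   az dataprotection backup-vault show -g "$vault_rg" --vault-name "$vault" --query id -o tsv
  vault_id="/subscriptions/$sub/resourceGroups/$vault_rg/providers/Microsoft.DataProtection/backupVaults/$vault"
  enable_trusted_access "$rg" "$cluster" "$vault_id"
}

main
```

Run it once with the default `DRY_RUN=1` to inspect the generated commands, then with `DRY_RUN=0` from an identity that holds Owner on the cluster (the role the article lists for installing the extension and granting Trusted Access).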

AKS Cluster

To enable backup for an AKS cluster, see the following prerequisites.

Note

The Velero CRDs installed in the cluster are shared between AKS Backup and the customer's own Velero installation. However, the versions used by each installation may differ, potentially leading to failures due to contract mismatches.

Additionally, custom Velero configurations created by the customer—such as a VolumeSnapshotClass for Velero CSI-based snapshotting—might interfere with the AKS Backup snapshotting setup.

Velero annotations containing velero.io applied to various resources in the cluster can also impact the behavior of AKS Backup in unsupported ways.

Required roles and permissions

To perform AKS backup and restore operations as a user, you need to have specific roles on the AKS cluster, Backup vault, Storage account, and Snapshot resource group.

| Scope | Preferred role | Description |
|---|---|---|
| AKS cluster | Owner | Allows you to install the Backup Extension, enable Trusted Access, and grant permissions to the Backup vault over the cluster. |
| Backup vault resource group | Backup Contributor | Allows you to create a Backup vault in a resource group, create a backup policy, configure backup and restore, and assign missing roles required for backup operations. |
| Storage account | Owner | Allows you to perform read and write operations on the storage account and assign required roles to other Azure resources as part of backup operations. |
| Snapshot resource group | Owner | Allows you to perform read and write operations on the snapshot resource group and assign required roles to other Azure resources as part of backup operations. |

Note

The Owner role on an Azure resource allows you to perform Azure RBAC operations on that resource. If you don't have it, the resource owner must grant the required roles to the Backup vault and AKS cluster before you initiate backup or restore operations.

Also, as part of the backup and restore operations, the following roles are assigned to the AKS cluster, Backup Extension Identity, and Backup vault.

| Role | Assigned to | Assigned on | Description |
|---|---|---|---|
| Reader | Backup vault | AKS cluster | Allows the Backup vault to perform List and Read operations on the AKS cluster. |
| Reader | Backup vault | Snapshot resource group | Allows the Backup vault to perform List and Read operations on the snapshot resource group. |
| Contributor | AKS cluster | Snapshot resource group | Allows the AKS cluster to store persistent volume snapshots in the resource group. |
| Storage Blob Data Contributor | Extension Identity | Storage account | Allows the Backup Extension to store cluster resource backups in the blob container. |
| Data Operator for Managed Disks | Backup vault | Snapshot resource group | Allows the Backup vault service to move incremental snapshot data to the vault. |
| Disk Snapshot Contributor | Backup vault | Snapshot resource group | Allows the Backup vault to access disk snapshots and perform the vaulting operation. |
| Storage Blob Data Reader | Backup vault | Storage account | Allows the Backup vault to access the blob container with stored backup data and move it to the vault. |
| Contributor | Backup vault | Staging resource group | Allows the Backup vault to hydrate backups as disks stored in the Vault tier. |
| Storage Account Contributor | Backup vault | Staging storage account | Allows the Backup vault to hydrate backups stored in the Vault tier. |
| Storage Blob Data Owner | Backup vault | Staging storage account | Allows the Backup vault to copy cluster state into a blob container stored in the Vault tier. |

Note

AKS backup allows you to assign these roles during backup and restore processes through the Azure portal with a single click.
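When the roles are not assigned through the portal (for example, because the operator lacks Owner on the snapshot resource group, as the note above describes), a pre-flight check against the role table avoids a backup job failing partway through. The following is an added example, not part of the article or of AKS Backup: it compares the roles the article lists for the Backup vault identity on the snapshot resource group against an `az role assignment list` style output and reports roles that are missing, plus any roles the vault holds on that scope that the table does not call for (an over-privilege signal). The principal IDs and the assignment listing are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight check of the role
# assignments AKS Backup expects for the Backup vault identity on the
# snapshot resource group. Sample IDs and listings below are constructed.
set -eu

# Roles from the article's table for "Backup vault" on "Snapshot resource group".
VAULT_ROLES_ON_SNAPSHOT_RG="Reader
Data Operator for Managed Disks
Disk Snapshot Contributor"

# missing_roles PRINCIPAL_ID REQUIRED_ROLES ACTUAL_TSV
# ACTUAL_TSV holds lines "<roleDefinitionName>\t<principalId>", the shape of:
#   az role assignment list --scope "$SCOPE" \
#     --query "[].[roleDefinitionName,principalId]" -o tsv
# Prints each required role the principal does not hold on the scope.
missing_roles() {
  principal="$1"; required="$2"; actual="$3"
  printf '%s\n' "$required" | while IFS= read -r role; do
    [ -n "$role" ] || continue
    if ! printf '%s\n' "$actual" | awk -F'\t' -v r="$role" -v p="$principal" \
        '$1 == r && $2 == p { found = 1 } END { exit found ? 0 : 1 }'; then
      printf '%s\n' "$role"
    fi
  done
}

# unexpected_roles PRINCIPAL_ID REQUIRED_ROLES ACTUAL_TSV
# Prints roles the principal holds on the scope that are not in the required
# list, e.g. an Owner assignment left behind by a manual fix.
unexpected_roles() {
  principal="$1"; required="$2"; actual="$3"
  printf '%s\n' "$actual" | awk -F'\t' -v p="$principal" '$2 == p { print $1 }' \
    | while IFS= read -r role; do
        if ! printf '%s\n' "$required" | grep -qxF -- "$role"; then
          printf '%s\n' "$role"
        fi
      done
}

# Constructed sample: the vault holds Reader and Disk Snapshot Contributor,
# plus an Owner assignment it should not have; the AKS cluster identity
# holds Contributor (correct per the table, and a different principal).
SAMPLE_VAULT_PRINCIPAL="11111111-1111-1111-1111-111111111111"
SAMPLE_AKS_PRINCIPAL="22222222-2222-2222-2222-222222222222"
SAMPLE_LISTING=$(printf 'Reader\t%s\nDisk Snapshot Contributor\t%s\nOwner\t%s\nContributor\t%s\n' \
  "$SAMPLE_VAULT_PRINCIPAL" "$SAMPLE_VAULT_PRINCIPAL" \
  "$SAMPLE_VAULT_PRINCIPAL" "$SAMPLE_AKS_PRINCIPAL")

check_sample_missing() {
  missing_roles "$SAMPLE_VAULT_PRINCIPAL" "$VAULT_ROLES_ON_SNAPSHOT_RG" "$SAMPLE_LISTING"
}

check_sample_unexpected() {
  unexpected_roles "$SAMPLE_VAULT_PRINCIPAL" "$VAULT_ROLES_ON_SNAPSHOT_RG" "$SAMPLE_LISTING"
}

echo "Missing roles for the Backup vault on the snapshot resource group:"
check_sample_missing
echo "Roles on the snapshot resource group not required by AKS Backup:"
check_sample_unexpected
```

To run it against a real scope, replace `SAMPLE_LISTING` with the output of the `az role assignment list` command in the comment and `SAMPLE_VAULT_PRINCIPAL` with the vault's system-assigned identity object ID; the same two functions apply unchanged to the other rows of the table (for example Storage Blob Data Reader on the storage account) by swapping the required-role list and scope.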

Next steps
