
BackupPolicy

A basic BackupPolicy looks like this:

apiVersion: k8sbackup.afi.ai/v1alpha1
kind: BackupPolicy
metadata:
  name: gold
spec:
  selectors: []
  repoRef: cloud
  schedule:
    fixed:
      hours: [4, 12, 20]
      daysOfWeek: [0, 1, 2, 3, 4, 5, 6]
  encryptionKey: default-encryption-key
  • selectors is a list of rules that choose manifests to include in a backup. An empty list of selectors means that all YAMLs in a namespace are included in backups.
  • repoRef is the name of a repository that stores archives. At the moment a default repository for backup archives (cloud) is created on tenant onboarding and is used to store data in the Afi cloud. Coming updates will bring support for custom user-managed backup repositories.
  • schedule requests backups to run periodically. An empty schedule means that backups only run when triggered manually. When configuring a schedule, you can define a set of backup windows during a day (via the hours list) and a set of week days when backups should be performed (via the daysOfWeek list). hours enumeration starts from 0 for midnight (0-23) and daysOfWeek enumeration starts from 0 for Sunday (0 - Sunday, 1 - Monday, ... , 6 - Saturday). hours are interpreted according to the timezone specified during cluster onboarding. Backups scheduled for a specific hour are expected to be launched within a 15-minute backup window (i.e. backups scheduled for hour 0, midnight, are expected to be launched within the 00:00-00:15 backup window).
  • encryptionKey is the name of the encryption key used by this backup policy. Backup encryption keys are shown and managed on the Service → Settings → Secrets tab in the Afi portal. The encryption key created by Afi upon cluster onboarding is named default-encryption-key (this is the default name, but it can be changed later).

You can list backup policies configured inside a Kubernetes cluster by running the following command (backup-agent is a namespace where the Afi backup agent is installed):

kubectl get backuppolicies

A new backup policy can be created by running the following command (an example backup policy YAML config is shown above):

kubectl apply -f my-custom-backup-policy.yaml

Selectors

This part of a backup policy is a list of filters that are applied to objects in a protected namespace to choose the YAMLs to include in backups. Each selector is one of

include:
  namespaced: ...
  apiVersion: ...
  kind: ...
  name: ...
  labelSelector: ...

or

exclude:
  namespaced: ...
  apiVersion: ...
  kind: ...
  name: ...
  labelSelector: ...

An include selector adds objects to a snapshot; an exclude selector removes them. Selectors are applied in the order of their definition.

Each selector field (apiVersion, kind, etc.) is optional. If it is blank, it matches any object.

Selectors are best explained by some real-life examples.

Backup only Secrets

selectors:
  - include:
      apiVersion: v1
      kind: Secret

Backup Secrets and ConfigMaps

selectors:
  - include:
      apiVersion: v1
      kind: Secret
  - include:
      apiVersion: v1
      kind: ConfigMap

Backup only application configuration, do not include persistent data

selectors:
  - include: {} # first, include everything
  - exclude:    # now exclude parts that we do not need
      apiVersion: v1
      kind: PersistentVolumeClaim

Or the other way around, backup only persistent data

selectors:
  - include:
      apiVersion: v1
      kind: PersistentVolumeClaim

Backup only manifests that are labeled with app.kubernetes.io/name: apache-spark-0

selectors:
  - include:
      labelSelector:
        matchLabels:   # a map of label key to value, as in the Kubernetes LabelSelector
          app.kubernetes.io/name: apache-spark-0

For detailed information on label selectors see https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ and https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#labelselector-v1-meta.
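
The ordering rule from the Selectors section can be checked offline before a policy is applied. The following is an added example, not Afi's code: a small model of the include/exclude semantics described on this page, run over constructed sample objects. The function names matches and select are hypothetical, only apiVersion, kind, name and labelSelector.matchLabels are modelled, and namespaced is not.

```python
# Model of the selector rules described on this page; NOT Afi's implementation.
# Assumption: only apiVersion, kind, name and labelSelector.matchLabels are modelled.

def matches(rule, obj):
    """Return True if obj satisfies rule; a blank or missing field matches anything."""
    for field in ("apiVersion", "kind", "name"):
        if rule.get(field) and rule[field] != obj.get(field):
            return False
    wanted = (rule.get("labelSelector") or {}).get("matchLabels") or {}
    labels = obj.get("labels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())

def select(selectors, objects):
    """Apply selectors in definition order and return the names that end up in the backup."""
    if not selectors:                        # empty list: every object is included
        return [o["name"] for o in objects]
    kept = set()                             # indices of objects currently in the snapshot
    for sel in selectors:
        (action, rule), = sel.items()        # each selector is exactly one include or exclude
        if action not in ("include", "exclude"):
            raise ValueError(f"unknown selector type: {action}")
        hits = {i for i, o in enumerate(objects) if matches(rule or {}, o)}
        kept = kept | hits if action == "include" else kept - hits
    return [o["name"] for i, o in enumerate(objects) if i in kept]

# Constructed sample objects (not taken from a real cluster).
SPARK = {"app.kubernetes.io/name": "apache-spark-0"}
OBJECTS = [
    {"apiVersion": "v1", "kind": "Secret", "name": "db-password", "labels": {}},
    {"apiVersion": "v1", "kind": "ConfigMap", "name": "app-config", "labels": SPARK},
    {"apiVersion": "v1", "kind": "PersistentVolumeClaim", "name": "data", "labels": {}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "name": "spark", "labels": SPARK},
]

PVC = {"apiVersion": "v1", "kind": "PersistentVolumeClaim"}
CONFIG_ONLY = [{"include": {}}, {"exclude": PVC}]   # the page's example
REVERSED = [{"exclude": PVC}, {"include": {}}]      # same rules, wrong order
BY_LABEL = [{"include": {"labelSelector": {"matchLabels": SPARK}}}]

if __name__ == "__main__":
    for title, policy in [("empty", []), ("config only", CONFIG_ONLY),
                          ("reversed", REVERSED), ("by label", BY_LABEL)]:
        print(f"{title:12} -> {select(policy, OBJECTS)}")
```

In this model the reversed policy still captures the PersistentVolumeClaim, because the exclude runs against an empty snapshot, and both the empty policy and a bare include: {} place the Secret in the archive.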