Skip to content

Backup

Direct snapshot access for AWS, Azure and GCP

The best approach to backup Kubernetes clusters running in Amazon Web Services (AWS), Azure platform or Google Cloud Platform is to give the Afi backup agent access to manage volume snapshots directly via the corresponding cloud provider API instead of generic CSI API. Please follow one of the guides below to configure direct snapshot access:

Backup configuration

After you have installed the Afi backup agent in your cluster, you need to perform two more steps to protect your configuration and data:

  • configure a backup policy (or review the predefined ones);
  • assign a backup policy to namespaces that you want to backup.

You can create and manage backup policies on the Service → Settings → SLA tab in the Afi portal. By default, Afi creates two predefined backup policies, gold and silver. Both back up the whole of protected namespaces. Gold runs 3 times a day, and silver runs once a day. You can create as many custom backup policies as you need.

We strongly recommend that you use one of the predefined backup policies. These policies snapshot complete application configuration and all persistent volumes, which is the safest default. If you create your own backup policies, please ensure they omit no components of your application. In any case, we recommend periodicly testing recovery from backups to verify that everything works as expected.

Backup policies

A backup policy settings available for configuration include:

  • Which namespaced and cluster-scoped objects should be backed up. It is possible to include or exclude objects based on their labels, API version, kind, and name.
  • Backup schedule (please note that backup schedule is configured relative to the timezone specified during the cluster onboarding).
  • Archiving settings that specify how long backups should be kept after a resource is removed.
  • Encryption settings (by default, the backups are encrypted with Afi-managed encryption key).

For example, you can create a custom backup policy that backups up only object with labels deployment=prod and version=beta. Click on + Rule button in policy settings to add an additional include or exclude rule:

Backup policy label selectors
Custom backup policy

A note on custom backup policies

Afi recommends to limit the use of selectors in backup policies. Prefer policies that back up everything. You still have an option to select objects granularly during a restore, and that is a more secure option. If you forget to include some object into a backup, it is gone for good. If you forget to include an object to a restore, just fix selectors in the restore specification, and rerun.

Good usecases for backup policies with user-defined selectors are "back up only application configuration", "back up only persistent data".

Protecting namespaces with backup policies

Once you have decided which backup policy to use, you can go to the Service → Protection tab, select namespaces that you want to protect and assign a backup policy to these namespaces. Also, you can enable automatic protection of all namespaces in your cluster by a backup policy of your choice on the Service → Settings → SLA tab (see Automatically protect new resources option).

Assign a backup policy

Once a namespace is protected, you can launch a backup manually by clicking on the following button:

Run backup

Backup monitoring

You can enable reports on the Configuration → Reports tab to receive periodic emails with backup and licensing status of your clusters. In case of a failure or a warning in a status report, you can review the affected backups or restores on the Activity → Tasks tab (select Status = Failed or Status = Warning to filter only failed or warning tasks).