Amazon Web Services
The recommended way to back up Kubernetes clusters running in Amazon Web Services (AWS) is to let the Afi backup agent manage EBS volume snapshots directly through the AWS API instead of the generic CSI snapshot API. With this integration Afi uses the changed-block tracking API that AWS provides for EBS snapshots (the ebs:ListChangedBlocks and related EBS direct API calls granted below) to perform fast and lightweight incremental backups: only the blocks that changed since the previous snapshot are read.
You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when an IAM principal (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied.
To let the agent manage snapshots through the AWS API, you create a service account (an IAM user) with a custom IAM policy that allows only the snapshot-related operations, and hand that user's credentials to the Afi backup agent through a Kubernetes Secret. The steps are described in detail below.
Create an IAM policy
Below is the JSON document of the AWS IAM policy required for snapshot management. It grants only the EC2 snapshot and volume actions and the EBS direct API actions the agent needs, but it grants them on every resource ("Resource": "*"), and two of them (ec2:DeleteSnapshot and ec2:DeleteVolume) are destructive, so the credentials of the user that carries this policy must stay confined to the backup agent. Save the document to a file named policy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot",
        "ec2:DescribeSnapshots",
        "ec2:CreateVolume",
        "ec2:DeleteVolume",
        "ec2:DescribeVolumes",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ebs:ListSnapshotBlocks",
        "ebs:ListChangedBlocks",
        "ebs:GetSnapshotBlock"
      ],
      "Resource": "*"
    }
  ]
}
Create the IAM policy from policy.json in your AWS account under the name k8sbackup-policy; the next section attaches it to the backup user.
For more information, please see the Creating IAM policies article in the AWS documentation.
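Before uploading the policy it is worth checking that the document still grants exactly the actions listed above and nothing broader, since a stray wildcard or an extra statement is easy to miss in a copy-pasted file. The following script is an added example, not part of Afi or of AWS tooling: it embeds the policy from this page (the expected-action list and the choice of which actions count as destructive are assumptions made here, taken from that policy), flags wildcard, unexpected or exclusion-based grants and missing actions as errors, and reports the destructive actions granted on every resource as warnings, because this policy deliberately needs them.

```python
"""Least-privilege check for the k8sbackup IAM policy.

Added example, not part of Afi's tooling. Run it against policy.json before
`aws iam create-policy` to confirm the document grants exactly the snapshot
actions listed on this page: no wildcard or unexpected actions, no grants by
exclusion, and nothing missing. Destructive actions on Resource "*" are
reported as warnings, because this policy deliberately needs them.
"""
import json
import sys

# The policy document from this page, embedded so the check runs offline.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot",
        "ec2:DescribeSnapshots",
        "ec2:CreateVolume",
        "ec2:DeleteVolume",
        "ec2:DescribeVolumes",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ebs:ListSnapshotBlocks",
        "ebs:ListChangedBlocks",
        "ebs:GetSnapshotBlock"
      ],
      "Resource": "*"
    }
  ]
}"""

# The exact action set the backup agent is documented to need (assumed here
# to be the complete list; taken from the policy on this page).
EXPECTED_ACTIONS = frozenset({
    "ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:DescribeSnapshots",
    "ec2:CreateVolume", "ec2:DeleteVolume", "ec2:DescribeVolumes",
    "ec2:CreateTags", "ec2:DeleteTags",
    "ebs:ListSnapshotBlocks", "ebs:ListChangedBlocks", "ebs:GetSnapshotBlock",
})

# Actions that can destroy backups or data; flagged when granted on every
# resource so a reviewer can decide whether to scope them (assumed set).
DESTRUCTIVE_ACTIONS = frozenset({"ec2:DeleteSnapshot", "ec2:DeleteVolume"})


def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def check_policy(document, expected_actions=EXPECTED_ACTIONS):
    """Return (errors, warnings) for an IAM identity policy.

    `document` is the policy as a JSON string or an already parsed dict.
    Errors mean the policy is broader or narrower than expected; warnings
    point at grants worth a second look that the page's policy does contain.
    """
    policy = json.loads(document) if isinstance(document, str) else document
    errors, warnings = [], []
    if policy.get("Version") != "2012-10-17":
        errors.append(f"unexpected Version {policy.get('Version')!r}")

    # IAM action names are matched case-insensitively, so compare lower-cased.
    canonical = {a.lower(): a for a in expected_actions}
    granted = set()
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow permissions
        if "NotAction" in stmt or "NotResource" in stmt:
            errors.append(f"statement {i}: NotAction/NotResource grants by exclusion")
        resources = _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            if "*" in action or "?" in action:
                # "ec2:*" or "ec2:Delete*" covers far more than the listed actions
                errors.append(f"statement {i}: wildcard action {action!r}")
                continue
            name = canonical.get(action.lower())
            if name is None:
                errors.append(f"statement {i}: unexpected action {action!r}")
                continue
            granted.add(name)
            if name in DESTRUCTIVE_ACTIONS and "*" in resources:
                warnings.append(f"statement {i}: {name} allowed on every resource")

    missing = sorted(expected_actions - granted)
    if missing:
        errors.append("missing actions: " + ", ".join(missing))
    return errors, warnings


if __name__ == "__main__":
    # With a path argument the file is checked; otherwise the embedded policy.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else POLICY_JSON
    errs, warns = check_policy(text)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARNING:", line)
    sys.exit(1 if errs else 0)
```

Run it as `python check_policy.py policy.json`; a non-zero exit means the file drifted from the documented grant. For the page's own policy it reports no errors and two warnings, one for each delete action on "*".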
Create a service account and attach the policy
Create an AWS IAM user named k8sbackup. The user is used only by the backup agent, so it needs programmatic access (an access key) and no console password.
Attach the k8sbackup-policy created in the previous section to the k8sbackup user (replace ${AccountId} with your AWS account id):
aws iam attach-user-policy \
--user-name k8sbackup \
--policy-arn arn:aws:iam::${AccountId}:policy/k8sbackup-policy
Create an access key for the k8sbackup user and save the AccessKeyId and SecretAccessKey values for later use; the secret access key is shown only once.
For more information, please see the Creating an IAM user article in the AWS documentation.
Create aws-api-key Secret and restart the backup agent
Create a Kubernetes Secret named aws-api-key in the namespace where the Afi backup agent is installed (backup-agent in the command below). Anyone who can read this Secret can use the access key, so limit RBAC read access to that namespace and rotate the key if it is ever exposed:
kubectl -n backup-agent create secret generic aws-api-key \
--from-literal=access-key-id=${AccessKeyId} \
--from-literal=secret-access-key=${SecretAccessKey}
Restart the daemonset that takes snapshots of persistent volumes so that its pods pick up the new Secret.