Install Afi Backup for a GKE cluster
Afi offers comprehensive protection for Google Kubernetes Engine (GKE) clusters and leverages native Google Cloud Platform (GCP) APIs to provide fast and reliable backup and recovery.
To start backing up your GKE cluster with Afi, you will need to:
- create an account on the Afi platform
- configure a service account that will be used by the Afi backup agent for GCP API access
- onboard a cluster under your Afi account
Please see the sections below for a step-by-step installation guide.
Create an Afi account
The preferred way of creating an Afi account if you plan to back up your Google Cloud Platform infrastructure is to sign up for Afi SaaS Backup on Google Cloud Marketplace as described in this guide.
You can also create an account directly at the Afi portal, but signing up for the Afi service through Google Cloud Marketplace is the more convenient option: it lets you pay for the Afi services together with your Google Cloud infrastructure products and gives you additional visibility on the Google Cloud side of the services you are using.
Once your Afi account is created, you will be redirected to the Afi portal and can proceed to create a GCP service account as described in the next section before onboarding your GKE tenant.
Configure a GCP service account
The best approach to back up Kubernetes clusters running in Google Cloud Platform (GCP) is to give the Afi backup agent access to manage volume snapshots directly via the GCP API instead of the generic CSI API.
To use the Google API for snapshot management, you need to create a service account with a custom role that allows snapshot-related operations, generate a custom installation chart with the service account credentials in the Afi portal, and install the backup agent. The steps are described in detail below.
Create a custom role
Below is the YAML description of the GCP IAM custom role required for snapshot management. Save it to a file named role.yaml:
```yaml
title: "k8sbackup"
description: "k8sbackup role"
stage: "ALPHA"
includedPermissions:
- compute.disks.create
- compute.disks.createSnapshot
- compute.disks.delete
- compute.disks.get
- compute.disks.list
- compute.disks.setLabels
- compute.snapshots.create
- compute.snapshots.delete
- compute.snapshots.get
- compute.snapshots.list
- compute.snapshots.setLabels
- compute.snapshots.useReadOnly
- compute.regionOperations.get
- compute.zoneOperations.get
- compute.globalOperations.get
- compute.zones.list
```
Create the custom role (replace ${project} with your own GCP project name):
Create a service account and bind the role
Next you need to create a GCP IAM service account named k8sbackup-sa and bind the role created in the previous section to it:
Bind the role to the service account (k8sbackup_sa_email holds the email identifier of the newly created service account in your GCP project ${project}, i.e. k8sbackup-sa@${project}.iam.gserviceaccount.com; shell variable names cannot contain hyphens, so the variable uses underscores):
```shell
# Look up the email of the service account created above
k8sbackup_sa_email=$(gcloud iam service-accounts list --filter "k8sbackup-sa" --format="value(email)")
# Grant the custom role to that service account at project level
gcloud projects add-iam-policy-binding ${project} \
  --member serviceAccount:${k8sbackup_sa_email} \
  --role projects/${project}/roles/k8sBackupRole
```
Generate and save service account credentials:
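The whole service account procedure from this section (custom role, service account, role binding, key file) as one script, with a drift check that reports any permission the live role has gained beyond what role.yaml on this page grants. This is an added example, not Afi's own installer or documentation: PROJECT, ROLE_FILE, KEY_FILE, the display name and the `gcloud iam roles describe` lookup are assumptions; ROLE_ID (k8sBackupRole) and SA_NAME (k8sbackup-sa) are the names used by the commands above. Set DRY_RUN=1 to print the gcloud commands instead of running them.

```shell
#!/bin/sh
# Added example (not Afi's script). Names below marked "assumed" are placeholders.
PROJECT="${PROJECT:-your-gcp-project}"          # assumed: your GCP project ID
ROLE_ID="${ROLE_ID:-k8sBackupRole}"             # role name from the page's binding command
SA_NAME="${SA_NAME:-k8sbackup-sa}"              # service account name from the page
ROLE_FILE="${ROLE_FILE:-role.yaml}"             # the role definition saved from the page
KEY_FILE="${KEY_FILE:-k8sbackup-sa-key.json}"   # assumed output path for the JSON key
DRY_RUN="${DRY_RUN:-0}"                         # DRY_RUN=1 prints commands instead of running them

# Full email of the service account, built the way the page describes it.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$SA_NAME" "$PROJECT"
}

# Execute a command, or print it when DRY_RUN=1 so the IAM changes can be reviewed first.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_role() {
  run gcloud iam roles create "$ROLE_ID" --project "$PROJECT" --file "$ROLE_FILE"
}

create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT" \
    --display-name "Afi Kubernetes backup agent"
}

bind_role() {
  run gcloud projects add-iam-policy-binding "$PROJECT" \
    --member "serviceAccount:$(sa_email)" \
    --role "projects/$PROJECT/roles/$ROLE_ID"
}

# The JSON key is a long-lived credential: the subshell umask makes the file mode 0600.
create_key() {
  (
    umask 077
    run gcloud iam service-accounts keys create "$KEY_FILE" \
      --iam-account "$(sa_email)" --project "$PROJECT"
  )
}

# Permissions role.yaml grants: the "- compute.*" entries under includedPermissions.
documented_permissions() {
  sed -n 's/^[[:space:]]*- *\(compute\.[A-Za-z.]*\).*/\1/p' "$ROLE_FILE" | sort -u
}

# Permissions the role currently has in the project (assumed lookup; ';'-separated list).
live_permissions() {
  gcloud iam roles describe "$ROLE_ID" --project "$PROJECT" \
    --format 'value(includedPermissions)' | tr ';' '\n'
}

# Drift check: read a live permission list (one per line) on stdin and print every
# permission that role.yaml does not grant. Empty output means no privilege creep.
extra_permissions() {
  doc=$(mktemp); live=$(mktemp)
  documented_permissions > "$doc"
  sort -u > "$live"
  comm -13 "$doc" "$live"
  rm -f "$doc" "$live"
}

main() {
  create_role
  create_service_account
  bind_role
  create_key
}

# Apply the procedure only when invoked as: sh setup.sh apply
# Audit later with: live_permissions | extra_permissions
case "${1:-}" in apply) main ;; esac
```

The key file is the only secret the procedure produces; keeping it 0600 and uploading it to the Afi portal straight away limits how long it sits on the workstation, and the drift check gives you a repeatable way to confirm the role has not been widened since onboarding.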
Onboard a GKE cluster in Afi
After the service account is created, you can proceed with onboarding your GKE cluster in the Afi platform. Click the Install button for the Kubernetes onboarding option in the pop-up window displayed in the Afi portal (if you already have tenants under your Afi account, open this dialog by clicking the +Add data source button in the dropdown at the top of the screen):
After selecting the Kubernetes onboarding option, the service shows the installation instructions, where you should:
- select GCP as the Provider for a GKE cluster;
- choose an Afi region, which serves as the default Afi data storage location for your backups and orchestrates the Afi service activities related to your tenant;
- select the default time zone for your tenant, which is used to generate the pre-defined backup SLA policies;
- upload the service account credentials file created in the section above;
- click Download and proceed with the backup agent installation via the provided command.
When the backup agent installation is finished, please refresh your Afi portal UI and proceed with protecting your cluster as described here.
Sign up for the paid service
Once you onboard a GKE tenant to your Afi account, you have a 14-day trial period to evaluate Afi functionality and can activate your paid service subscription when you are ready on the Licensing → Subscriptions tab in the Afi portal. Until the paid service subscription is activated, no service usage charges are incurred on the Google Cloud side.