Manage Azure Kubernetes Service backups using Azure Backup

This article describes how to register the resource providers that the Backup Extension and Trusted Access require on your subscriptions. It also provides the Azure CLI commands to manage them.

Azure Backup now allows you to back up AKS clusters (cluster resources and persistent volumes attached to the cluster) using a backup extension, which must be installed in the cluster. The AKS cluster requires Trusted Access to be enabled with the Backup vault so that the vault can communicate with the Backup Extension to perform backup and restore operations.

Resource provider registrations

  • You must register these resource providers on the subscription before initiating any backup and restore operation.
  • Once the registration is complete, you can perform backup and restore operations on all the clusters under the subscription.

Register the Backup Extension

To install the Backup Extension, you need to register the Microsoft.KubernetesConfiguration resource provider on the subscription. To perform the registration, run the following command:

az provider register --namespace Microsoft.KubernetesConfiguration

The registration may take up to 10 minutes. To monitor the registration process, run the following command:

az provider show -n Microsoft.KubernetesConfiguration -o table

Register the Trusted Access

To enable Trusted Access between the Backup vault and the AKS cluster, you must register the TrustedAccessPreview feature flag on Microsoft.ContainerService for the subscription. To perform the registration, run the following commands:

Enable the feature flag

To enable the feature flag, follow these steps:

  1. Install the aks-preview extension:

    az extension add --name aks-preview
    
  2. Update to the latest released version of the extension:

    az extension update --name aks-preview
    
  3. Register the TrustedAccessPreview feature flag:

    az feature register --namespace "Microsoft.ContainerService" --name "TrustedAccessPreview"
    

    It takes a few minutes for the status to show Registered.

  4. Verify the registration status:

    az feature show --namespace "Microsoft.ContainerService" --name "TrustedAccessPreview"
    
  5. When the status shows Registered, refresh the Microsoft.ContainerService resource provider registration:

    az provider register --namespace Microsoft.ContainerService
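
The wait between steps 3 and 5 can be scripted so that the provider refresh runs only after the flag reports Registered. The following is an added example, not part of the original article: the function names and the 40 x 30 second retry budget are assumptions, and the same wait_for_state helper also fits the Microsoft.KubernetesConfiguration registration check shown earlier.

```shell
# Added example, not from the original article.
# wait_for_state WANTED MAX_TRIES PAUSE_SECONDS COMMAND...
# Runs COMMAND until it prints WANTED.
# Returns 0 on match, 1 when the tries run out, 2 when COMMAND fails.
wait_for_state() {
  local wanted="$1" tries="$2" pause="$3" state="" i=0
  shift 3
  while [ "$i" -lt "$tries" ]; do
    state=$("$@") || { echo "state query failed: $*" >&2; return 2; }
    if [ "$state" = "$wanted" ]; then
      return 0
    fi
    i=$((i + 1))
    sleep "$pause"
  done
  echo "still '$state' after $tries checks: $*" >&2
  return 1
}

# Steps 3 to 5 above, stopping at the first step that fails.
# 40 checks x 30 s = 20 minutes per wait (assumed budget, adjust as needed).
enable_trusted_access_preview() {
  local ns="Microsoft.ContainerService" flag="TrustedAccessPreview"
  az feature register --namespace "$ns" --name "$flag" >/dev/null || return 2
  wait_for_state Registered 40 30 \
    az feature show --namespace "$ns" --name "$flag" \
      --query properties.state -o tsv || return $?
  # Refresh the provider only after the flag is Registered.
  az provider register --namespace "$ns" >/dev/null || return 2
  wait_for_state Registered 40 30 \
    az provider show -n "$ns" --query registrationState -o tsv
}
```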
    

This section provides the set of Azure CLI commands to perform create, update, or delete operations on the Backup Extension. You can use the update command to change compute limits for the underlying Backup Extension Pods.

Install Backup Extension

To install the Backup Extension, run the following command:

az k8s-extension create --name azure-aks-backup --extension-type microsoft.dataprotection.kubernetes --scope cluster --cluster-type managedClusters --cluster-name <aksclustername> --resource-group <aksclusterrg> --release-train stable --configuration-settings blobContainer=<containername> storageAccount=<storageaccountname> storageAccountResourceGroup=<storageaccountrg> storageAccountSubscriptionId=<subscriptionid>

View Backup Extension installation status

To view the progress of Backup Extension installation, use the following command:

az k8s-extension show --name azure-aks-backup --cluster-type managedClusters --cluster-name <aksclustername> --resource-group <aksclusterrg>

Update resources in Backup Extension

To update the blob container, CPU, and memory settings in the Backup Extension, use the following command:

az k8s-extension update --name azure-aks-backup --cluster-type managedClusters --cluster-name <aksclustername> --resource-group <aksclusterrg> --release-train stable --configuration-settings [blobContainer=<containername> storageAccount=<storageaccountname> storageAccountResourceGroup=<storageaccountrg> storageAccountSubscriptionId=<subscriptionid>] [cpuLimit=1] [memoryLimit=1Gi]

The square brackets [] denote the 3 different sub-groups of updates possible (omit the brackets when you run the command).

Delete Backup Extension installation operation

To stop the Backup Extension install operation, use the following command:

az k8s-extension delete --name azure-aks-backup --cluster-type managedClusters --cluster-name <aksclustername> --resource-group <aksclusterrg>

Grant permission on storage account

To grant the Storage Account Contributor permission to the Extension Identity on the storage account, run the following command:

az role assignment create --assignee-object-id $(az k8s-extension show --name azure-aks-backup --cluster-name <aksclustername> --resource-group <aksclusterrg> --cluster-type managedClusters --query aksAssignedIdentity.principalId --output tsv) --role 'Storage Blob Data Contributor' --scope /subscriptions/<subscriptionid>/resourceGroups/<storageaccountrg>/providers/Microsoft.Storage/storageAccounts/<storageaccountname> 

To enable Trusted Access between Backup vault and AKS cluster, use the following Azure CLI command:

az aks trustedaccess rolebinding create \
-g <aksclusterrg> \
--cluster-name <aksclustername> \
-n <randomRoleBindingName> \
--source-resource-id $(az dataprotection backup-vault show -g <vaultrg> --vault <VaultName> --query id -o tsv) \
--roles Microsoft.DataProtection/backupVaults/backup-operator   

Learn more about other commands related to Trusted Access.
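
Once the role binding exists, it is worth confirming that the cluster trusts only the intended vault and only with the backup-operator role. The following is an added example, not part of the original article: it uses az aks trustedaccess rolebinding list from the Azure CLI, and it assumes the Backup vault is the only source expected to hold a Trusted Access binding on this cluster. The function names and finding labels are constructed for illustration.

```shell
# Added example, not from the original article.
EXPECTED_ROLE='Microsoft.DataProtection/backupVaults/backup-operator'

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# audit_bindings VAULT_RESOURCE_ID
# Reads "name<TAB>sourceResourceId<TAB>comma-joined roles" rows on stdin.
# Prints one finding per line; returns 0 only when nothing is found.
audit_bindings() {
  local vault findings=0 matched=0 name source roles tab
  vault=$(lower "$1")
  tab=$(printf '\t')
  while IFS="$tab" read -r name source roles; do
    [ -n "$name" ] || continue
    # ARM resource IDs are case-insensitive, so compare lowercased.
    if [ "$(lower "$source")" != "$vault" ]; then
      echo "UNEXPECTED_SOURCE $name $source"
      findings=$((findings + 1))
      continue
    fi
    matched=1
    if [ "$roles" != "$EXPECTED_ROLE" ]; then
      echo "UNEXPECTED_ROLE $name $roles"
      findings=$((findings + 1))
    fi
  done
  if [ "$matched" -eq 0 ]; then
    echo "MISSING_BINDING $1"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# audit_cluster CLUSTER_RG CLUSTER_NAME VAULT_RG VAULT_NAME
audit_cluster() {
  local vault_id rows
  vault_id=$(az dataprotection backup-vault show -g "$3" --vault "$4" \
    --query id -o tsv) || return 2
  rows=$(az aks trustedaccess rolebinding list -g "$1" --cluster-name "$2" \
    --query "[].[name, sourceResourceId, join(',', roles)]" -o tsv) || return 2
  printf '%s\n' "$rows" | audit_bindings "$vault_id"
}
```

A non-zero return from audit_cluster means at least one finding line was printed (or, with return code 2, that an az query failed).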

Monitor AKS backup jobs completed with warnings

When a scheduled or an on-demand backup or restore operation is performed, a job is created corresponding to the operation to track its progress. In case of a failure, these jobs allow you to identify error codes and fix issues to run a successful job later.

For AKS backup, backup and restore jobs can show the status Completed with Warnings. This status appears when the backup and restore operation isn't fully successful due to issues in user-defined configurations or internal state of the workload.

Screenshot shows the backup and restore jobs completed with warnings.

For example, if a backup job for an AKS cluster completes with the status Completed with Warnings, a restore point will be created, but it might not have been able to back up all the resources in the cluster as per the backup configuration. The job will show warning details, providing the issues and resources that were impacted during the operation.

To view these warnings, select View Details next to Warning Details.

Screenshot shows the job warning details.

Learn how to identify and resolve the error.
