Deploying Velero with AWS S3 bucket
You can deploy Velero on Kubernetes with AWS S3 as the backup storage backend. AWS S3 provides a reliable, scalable, and secure backend for backing up and restoring your Kubernetes clusters, including Persistent Volume Claims (PVCs).
Before you begin
- Amazon Web Services (AWS) Command Line Interface (CLI)
  - For installation information, see Installing or updating to the latest version of the AWS CLI.
- Velero CLI
  - For installation information, see Velero Basic Install.
Procedure
- Create an AWS S3 bucket.
  You can create an S3 bucket through the GUI or through the CLI.
  - Through AWS GUI
    - Log in to the AWS Console. Search for S3 and click Create bucket.
    - Assign a unique name to the bucket. Bucket names must be lowercase.
    - Select an AWS region.
    - Under Object Ownership, ensure that Keep ACLs disabled is selected.
    - Under Block all public access, accept the default values that keep all four checkboxes selected.
    - Under Bucket versioning, select Enable, then click Create bucket.
    - Click your new bucket and open the Permissions tab. Under Bucket Policy, click Edit and paste the following JSON, replacing <BUCKET-NAME> with the name of your bucket:

          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Sid": "VeleroBucketPolicy",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": [
                  "s3:GetObject",
                  "s3:DeleteObject",
                  "s3:PutObject",
                  "s3:AbortMultipartUpload",
                  "s3:ListMultipartUploadParts"
                ],
                "Resource": "arn:aws:s3:::<BUCKET-NAME>/*"
              },
              {
                "Sid": "VeleroListBucket",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::<BUCKET-NAME>"
              }
            ]
          }

    - Save the bucket policy.
    Your Velero-ready S3 bucket is complete and you are ready to configure Velero for your BackupStorageLocation configuration.
  - Through AWS CLI
    - Create a bucket in an AWS region:

          aws s3api create-bucket \
            --bucket <Bucket Name> \
            --region <Bucket Region>

    - Enable the public access block:

          aws s3api put-public-access-block \
            --bucket <Bucket Name> \
            --public-access-block-configuration \
            "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

    - Enable versioning:

          aws s3api put-bucket-versioning \
            --bucket <Bucket Name> \
            --versioning-configuration Status=Enabled

    - Apply the bucket policy for Velero:

          cat > bucket-policy.json <<EOF
          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Sid": "VeleroBucketPolicy",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": [
                  "s3:GetObject",
                  "s3:DeleteObject",
                  "s3:PutObject",
                  "s3:AbortMultipartUpload",
                  "s3:ListMultipartUploadParts"
                ],
                "Resource": "arn:aws:s3:::<Bucket Name>/*"
              },
              {
                "Sid": "VeleroListBucket",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::<Bucket Name>"
              }
            ]
          }
          EOF
          aws s3api put-bucket-policy \
            --bucket <Bucket Name> \
            --policy file://bucket-policy.json
-
- Create IAM Policies.
  Create IAM Policy #1 (Velero EC2/S3 Permissions)
  - Log in to the AWS Console and create a new IAM policy.
  - Paste the shared policy into the JSON tab, replacing <Bucket Name> with the name of your bucket:

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "ec2:DescribeVolumes",
                "ec2:DescribeSnapshots",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:CreateSnapshot",
                "ec2:DeleteSnapshot"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
              ],
              "Resource": [
                "arn:aws:s3:::<Bucket Name>/*"
              ]
            },
            {
              "Effect": "Allow",
              "Action": [
                "s3:ListBucket"
              ],
              "Resource": [
                "arn:aws:s3:::<Bucket Name>"
              ]
            }
          ]
        }

  - Name the policy and then click Create policy.
  Create IAM Policy #2 (Assume Role policy)
  - Log in to the AWS Console and create a new IAM policy.
  - Paste the shared policy into the JSON tab, replacing <Account ID> and <Role Name> with your values:

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AllowSvcUsertoDescEC2Roles",
              "Effect": "Allow",
              "Action": [
                "ec2:Describe*",
                "iam:ListRoles"
              ],
              "Resource": "*"
            },
            {
              "Sid": "AllowSvcUser2assumeEKSRole",
              "Effect": "Allow",
              "Action": "sts:AssumeRole",
              "Resource": "arn:aws:iam::<Account ID>:role/<Role Name, e.g. HCLSW_AWS_AMBER_EKS_VELERO_BACKUP_SVC_ROLE>"
            }
          ]
        }

  - Name the policy and then click Create policy.
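The bucket policy and IAM Policy #1 above are pasted by hand with placeholders substituted, so it is worth rendering them for a concrete bucket and linting them before they are applied. The following Python script is an added example, not part of the HCL DevOps Plan chart or of Velero; the bucket name, account ID and role name in it are constructed placeholders. It renders both documents from the page's templates and flags three things a reviewer looks for: the anonymous principal "*" (a policy granting it counts as public, so the Block Public Access setting enabled in the bucket step makes S3 reject it; grant the Velero role ARN instead), a resource such as arn:aws:s3:::<bucket>* that also matches sibling buckets sharing the prefix, and any action beyond the set Velero needs.

```python
"""Added example (not part of the HCL DevOps Plan chart or of Velero):
render the page's bucket policy and IAM policy #1 for a concrete bucket
and lint them for least-privilege problems before they are applied."""
import json

# Permissions the page's policies grant, grouped by the resource they apply to.
OBJECT_ACTIONS = {
    "s3:GetObject", "s3:DeleteObject", "s3:PutObject",
    "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts",
}
BUCKET_ACTIONS = {"s3:ListBucket"}
EC2_ACTIONS = {
    "ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ec2:CreateTags",
    "ec2:CreateVolume", "ec2:CreateSnapshot", "ec2:DeleteSnapshot",
}


def bucket_policy(bucket, principal="*"):
    """The page's bucket policy with <Bucket Name> filled in. `principal`
    defaults to the page's "*"; pass the Velero role ARN to scope it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "VeleroBucketPolicy", "Effect": "Allow",
             "Principal": {"AWS": principal},
             "Action": sorted(OBJECT_ACTIONS),
             "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Sid": "VeleroListBucket", "Effect": "Allow",
             "Principal": {"AWS": principal},
             "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
        ],
    }


def velero_role_policy(bucket):
    """IAM Policy #1 (attached to the Velero role) with <Bucket Name> filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(EC2_ACTIONS), "Resource": "*"},
            {"Effect": "Allow", "Action": sorted(OBJECT_ACTIONS),
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{bucket}"]},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for the anonymous principal: "*" or {"AWS": "*"} (possibly in a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def lint_policy(policy, bucket):
    """Return findings (strings) for Allow statements that reach further than
    Velero needs on `bucket`. An empty list means the policy is tightly scoped."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        sid = stmt.get("Sid", f"statement[{i}]")
        if stmt.get("Effect") != "Allow":
            continue
        if "Principal" in stmt and _is_anonymous(stmt["Principal"]):
            findings.append(f"{sid}: principal '*' makes the policy public; "
                            "S3 Block Public Access rejects it, grant the "
                            "Velero role ARN instead")
        actions = set(_as_list(stmt.get("Action", [])))
        for res in _as_list(stmt.get("Resource", [])):
            if res == bucket_arn:
                extra = actions - BUCKET_ACTIONS
            elif res == f"{bucket_arn}/*":
                extra = actions - OBJECT_ACTIONS
            elif res == "*":
                extra = actions - EC2_ACTIONS  # page grants the EBS snapshot calls account-wide
            else:
                # Any other S3 ARN is either a prefix match (arn:aws:s3:::<bucket>*
                # also covers <bucket>-old) or a bucket that is not the backup bucket.
                hint = ("also matches every bucket whose name starts with "
                        f"'{bucket}'" if res.startswith(bucket_arn) else
                        "is outside the backup bucket")
                findings.append(f"{sid}: resource {res} {hint}")
                continue
            if extra:
                findings.append(f"{sid}: {sorted(extra)} not needed by Velero on {res}")
    return findings


if __name__ == "__main__":
    bucket = "velero-backups-example"  # constructed name, not a real bucket
    role = "arn:aws:iam::123456789012:role/VELERO_BACKUP_SVC_ROLE"  # constructed ARN
    for name, pol in [("page bucket policy", bucket_policy(bucket)),
                      ("role-scoped bucket policy", bucket_policy(bucket, role)),
                      ("IAM policy #1", velero_role_policy(bucket))]:
        print(name, "->", lint_policy(pol, bucket) or "OK")
    print(json.dumps(bucket_policy(bucket, role), indent=2))
```

Run it as a script to see the findings for each document; the bucket policy as written on the page produces one finding per statement for the anonymous principal, while the same policy rendered with the role ARN as principal and IAM Policy #1 lint clean.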
- Create the IAM Role.
  - Start creating a new role.
  - Under Trusted entity, select Another AWS Account and enter the Account ID.
  - Attach a policy. For Policy Name, select the Velero EC2/S3 Permissions policy.
  - Under Name, enter the Role Name.
  - Under Role ARN, enter arn:aws:iam::<Account ID>:role/<Role Name>
  - Click Create Role.
- Create the IAM User.
  - Start creating a new user.
  - Attach a policy. For Policy Name, select the Assume Role policy.
  - Under Access, select Programmatic Access.
  - Under Name, enter the User Name.
  - Click Create User.
-
- Create the Kubernetes secret.
  Use the secret_gen.sh script to create the Kubernetes secret:

      sh hcl-devopsplan-prod/files/secret_gen.sh

  After running the script, it prompts for the following details:

      Namespace: <Namespace where Velero is installed, e.g. backup>
      AWS Access Key ID: <AWS Access Key ID>
      AWS Secret Access Key: <AWS Secret Access Key>
      Role ARN: <AWS Role ARN, e.g. arn:aws:iam::<Account ID>:role/<Role Name, e.g. HCLSW_AWS_AMBER_EKS_VELERO_BACKUP_SVC_ROLE>>

- Modify the values file.
  Modify the values-s3bucket.yaml file, located at hcl-devopsplan-prod/values-s3bucket.yaml:

      velero:
        bucket: "<Bucket Name>"
        region: "<Bucket Region, e.g. us-east-1>"
        configuration:
          uploaderType: "kopia"
        initContainers:
          - name: velero-plugin-for-aws
            image: velero/velero-plugin-for-aws:v1.9.1
            volumeMounts:
              - mountPath: /target
                name: plugins
        credentials:
          existingSecret: credentials-velero
          awsAccessKeyId: "<Access key ID>"
          awsSecretAccessKey: "<Secret access key>"
          roleARN: "<Role ARN of the Role>"
        minioEnabled: false
      backupRestore:
        minio:
          enabled: false

- Install Velero.
  Use the helm upgrade command to install Velero:

      helm upgrade --install backup ./hcl-devopsplan-prod \
        -f hcl-devopsplan-prod/values-backup.yaml \
        -f hcl-devopsplan-prod/values-s3bucket.yaml \
        --set global.imagePullSecrets={hcl-entitlement-key} \
        -n backup

- Verify the installation.
  To verify the installation, run the following commands:

      kubectl get pods -n backup
      velero backup-location get -n backup