Kubernetes Backup and Restore: Install Velero on AWS


3 min read | by Jordi Prats

Velero is an open-source tool that helps you back up, restore, and migrate Kubernetes resources and volumes. It provides a simple and reliable way to protect your Kubernetes applications and data from data loss or disasters. Although Velero supports multiple cloud providers, in this post we are just going to see how to install it on AWS, both using static IAM user credentials and using an IAM role through IRSA.

AWS permissions

In order to allow Velero to handle snapshots (for PersistentVolumes) and to back up data to an S3 bucket, we'll need to grant the following permissions, replacing BUCKET_NAME with the S3 bucket we want to use. Note that the EC2 snapshot actions are granted on all resources, while the S3 actions are scoped to the single backup bucket (object-level actions on the bucket's objects, ListBucket on the bucket itself):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVolumes",
                "ec2:DescribeSnapshots",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:CreateSnapshot",
                "ec2:DeleteSnapshot"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME"
            ]
        }
    ]
}
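To avoid shipping this policy with the BUCKET_NAME placeholder still in it, or with the S3 statements widened to every bucket, the following script renders the policy above for a concrete bucket and lints the result. This is an added example, not Velero's or the post author's code: it assumes the policy layout shown above and the S3 bucket-naming rules, and the bucket name used at the bottom is a constructed sample value.

```python
"""Render the IAM policy from the post for a concrete bucket and lint it.

Added example, not part of Velero or of the original post. It assumes the
policy layout shown in the post and the S3 bucket naming rules; bucket names
used here are constructed sample values.
"""
import json
import re

# S3 bucket naming rules: 3-63 chars, lowercase letters, digits, dots and
# hyphens, starting and ending with a letter or digit.
BUCKET_RE = re.compile(r"^(?=.{3,63}$)[a-z0-9][a-z0-9.-]*[a-z0-9]$")

# The policy from the post, kept as a template with the BUCKET_NAME placeholder.
POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVolumes",
                "ec2:DescribeSnapshots",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:CreateSnapshot",
                "ec2:DeleteSnapshot",
            ],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts",
            ],
            "Resource": ["arn:aws:s3:::BUCKET_NAME/*"],
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::BUCKET_NAME"],
        },
    ],
}


def render_policy(bucket: str) -> dict:
    """Return a fresh copy of the template with BUCKET_NAME replaced by `bucket`."""
    if not BUCKET_RE.match(bucket):
        raise ValueError(f"invalid S3 bucket name: {bucket!r}")
    text = json.dumps(POLICY_TEMPLATE).replace("BUCKET_NAME", bucket)
    return json.loads(text)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict, bucket: str) -> list:
    """Return human-readable findings; an empty list means the S3 statements
    are scoped to the Velero bucket the way the post's policy is."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for idx, stmt in enumerate(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action}")
        if not any(a.startswith("s3:") for a in actions):
            continue  # the EC2 statement legitimately uses Resource "*"
        for res in resources:
            if res == "*":
                findings.append(f"statement {idx}: S3 actions granted on '*'")
            elif "BUCKET_NAME" in res:
                findings.append(f"statement {idx}: placeholder BUCKET_NAME left in {res}")
            elif res not in (bucket_arn, bucket_arn + "/*"):
                findings.append(f"statement {idx}: S3 resource {res} is not the Velero bucket")
        # ListBucket is a bucket-level action; object actions need the /* ARN.
        if "s3:ListBucket" in actions and bucket_arn not in resources:
            findings.append(f"statement {idx}: s3:ListBucket needs the bucket ARN {bucket_arn}")
        object_actions = [a for a in actions if a != "s3:ListBucket"]
        if object_actions and bucket_arn + "/*" not in resources:
            findings.append(f"statement {idx}: object actions need {bucket_arn}/*")
    return findings


if __name__ == "__main__":
    name = "example-velero-backups"  # constructed bucket name
    policy = render_policy(name)
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy, name))
```

Running it prints the rendered policy and an empty findings list; feeding it the unrendered template, or a variant whose S3 statement uses `"Resource": "*"`, produces findings instead, which is the check worth wiring into whatever pipeline attaches the policy to the user or role.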

AWS IAM user

Assuming we have attached the previous policy to an IAM user, we can configure Velero to use its static credentials by creating an AWS credentials file as follows:

$ cat velero_aws_user_cred
[default]
aws_access_key_id=AACCESSKEY
aws_secret_access_key=SeCr3t

With this file present in the current directory we can use Helm to install Velero (after adjusting the bucket name and region to our needs):

helm repo add vmware-tanzu https://vmware-tanzu.github.io/helm-charts
helm install velero vmware-tanzu/velero \
--namespace velero --create-namespace \
--set-file 'credentials.secretContents.cloud=./velero_aws_user_cred' \
--set 'configuration.provider=aws' \
--set 'configuration.backupStorageLocation.bucket=BUCKET_NAME' \
--set 'configuration.backupStorageLocation.config.region=us-west-2' \
--set 'configuration.volumeSnapshotLocation.name=default' \
--set 'configuration.volumeSnapshotLocation.config.region=us-west-2' \
--set 'initContainers[0].name=velero-plugin-for-aws' \
--set 'initContainers[0].image=velero/velero-plugin-for-aws' \
--set 'initContainers[0].volumeMounts[0].mountPath=/target' \
--set 'initContainers[0].volumeMounts[0].name=plugins'

The Helm chart stores the contents of that credentials file in a Secret in the velero namespace:

$ kubectl get secrets velero -n velero
NAME     TYPE     DATA   AGE
velero   Opaque   1      78s

AWS IAM Role (IRSA)

If we want to use IRSA instead, we'll just need to make sure Velero's ServiceAccount carries the correct annotation. To do so we can use the following command (updating the region, bucket name and role ARN as well):

helm repo add vmware-tanzu https://vmware-tanzu.github.io/helm-charts
helm install velero vmware-tanzu/velero \
--namespace velero --create-namespace \
--set 'configuration.provider=aws' \
--set 'serviceAccount.server.annotations.eks\.amazonaws\.com/role-arn=arn:aws:iam::<AWS_ACCOUNT_ID>:role/<IAM_ROLE_NAME>' \
--set 'configuration.backupStorageLocation.bucket=S3_BUCKET' \
--set 'configuration.backupStorageLocation.config.region=us-west-2' \
--set 'configuration.volumeSnapshotLocation.name=default' \
--set 'configuration.volumeSnapshotLocation.config.region=us-west-2' \
--set 'initContainers[0].name=velero-plugin-for-aws' \
--set 'initContainers[0].image=velero/velero-plugin-for-aws' \
--set 'initContainers[0].volumeMounts[0].mountPath=/target' \
--set 'initContainers[0].volumeMounts[0].name=plugins'

This will annotate Velero's ServiceAccount to use the role ARN we are setting:

$ kubectl describe sa velero-server
Name:                velero-server
Namespace:           velero
Labels:              app.kubernetes.io/instance=velero
                     app.kubernetes.io/managed-by=Helm
                     app.kubernetes.io/name=velero
                     helm.sh/chart=velero-3.1.6
Annotations:         eks.amazonaws.com/role-arn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/<IAM_ROLE_NAME>
                     meta.helm.sh/release-name: velero
                     meta.helm.sh/release-namespace: velero
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              <none>
Events:              <none>
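The annotation alone is not enough: the IAM role must trust the cluster's OIDC provider and its trust policy should pin the exact ServiceAccount (system:serviceaccount:velero:velero-server) rather than a wildcard, otherwise any pod in the cluster could assume the backup role. The script below builds such a trust policy and lints an existing one for that mistake. It is an added example, not Velero's or the post author's code: it assumes the standard EKS IRSA trust-policy shape (a Federated principal with sts:AssumeRoleWithWebIdentity and sub/aud conditions) and the velero-server ServiceAccount name shown above; the account id and OIDC provider id in the test values are constructed samples.

```python
"""Build and lint the IAM trust policy an IRSA role for Velero needs.

Added example, not part of Velero or of the original post. Assumes the usual
EKS OIDC trust-policy layout and the velero-server ServiceAccount name from
the post; the account id and OIDC provider id are constructed sample values.
"""
import json
import re

# Hostname of an EKS cluster OIDC provider, e.g. oidc.eks.<region>.amazonaws.com/id/<ID>
OIDC_RE = re.compile(r"^oidc\.eks\.[a-z0-9-]+\.amazonaws\.com/id/[A-Z0-9]+$")


def trust_policy(account_id: str, oidc_provider: str,
                 namespace: str = "velero",
                 service_account: str = "velero-server") -> dict:
    """Trust policy that lets only namespace/service_account assume the role."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account id must be 12 digits")
    if not OIDC_RE.match(oidc_provider):
        raise ValueError(f"unexpected OIDC provider host: {oidc_provider!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        # Pin the exact Kubernetes identity allowed to assume the role.
                        f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                        f"{oidc_provider}:aud": "sts.amazonaws.com",
                    }
                },
            }
        ],
    }


def lint_trust_policy(policy: dict, namespace: str = "velero",
                      service_account: str = "velero-server") -> list:
    """Findings for trust policies broader than the one Velero ServiceAccount."""
    findings = []
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        subs = {k: v for block in cond.values() for k, v in block.items() if k.endswith(":sub")}
        auds = {k: v for block in cond.values() for k, v in block.items() if k.endswith(":aud")}
        if not subs:
            findings.append(f"statement {idx}: no :sub condition, any pod in the cluster could assume the role")
        for key, value in subs.items():
            if key in cond.get("StringLike", {}) and "*" in value:
                findings.append(f"statement {idx}: wildcard sub {value!r} matches more than one ServiceAccount")
            elif value != expected_sub:
                findings.append(f"statement {idx}: sub {value!r} is not {expected_sub}")
        if not auds:
            findings.append(f"statement {idx}: missing :aud condition (sts.amazonaws.com)")
    return findings


def role_annotation(account_id: str, role_name: str) -> dict:
    """The annotation the Helm values above put on the velero-server ServiceAccount."""
    return {"eks.amazonaws.com/role-arn": f"arn:aws:iam::{account_id}:role/{role_name}"}


if __name__ == "__main__":
    # Constructed sample values; replace with your account id and cluster OIDC provider.
    provider = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
    policy = trust_policy("123456789012", provider)
    print(json.dumps(policy, indent=2))
    print("findings:", lint_trust_policy(policy))
    print(role_annotation("123456789012", "velero-backup"))
```

The generated document is what goes into the role's trust relationship; the annotation returned by role_annotation is the same value passed to Helm above, and lint_trust_policy is the check to run against the role's existing trust policy before handing it to a cluster.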

Conclusion

Both methods give Velero authenticated access to AWS: an IAM user provides fine-grained control over permissions but requires managing and rotating static access keys, while an IAM role through IRSA offers a more secure and seamless integration with AWS services (no long-lived keys stored in the cluster) but requires additional configuration and a trust policy for the role to make it work.

Posted on 12/04/2023