Preparing for Google Kubernetes Engine application protection

Before you start protecting your Google Kubernetes Engine (GKE) applications, you must prepare your environment for application data protection.

Prerequisite

The HYCU Managed Service Account (HMSA) must have the Compute Admin, Service Account User, Storage Admin, and Kubernetes Engine Admin roles granted on the Google Cloud projects with the Kubernetes clusters on which the GKE applications that you plan to protect are deployed.

For instructions on how to grant permissions to service accounts, see Google Cloud documentation.

Limitations

  • Protecting applications running on GKE clusters that were created by using the Autopilot mode of operation is not supported.

  • R‑Cloud does not support protecting applications that are configured in a subnet where Google Private Access is enabled and that are at the same time running on one of the following clusters:
    • A public GKE cluster without an internal IP address.
    • A private GKE cluster on which the Access control plane using its external IP address option is selected and that has no internal IP address.
  • For applications using volumes: Only GCE persistent disk volumes and CSI volumes are supported.

Preparing your environment for GKE application data protection includes the following tasks:

Task | Instructions
  1. Get familiar with your data protection environment specifics. | Getting familiar with your data protection environment specifics
  2. Make sure appropriate labels are applied on all resource objects. | Applying labels on resource objects
  3. Make sure your GKE applications are discovered in R‑Cloud. | Discovering applications
  4. Configure GKE application backup options. | Configuring GKE application backup options

Getting familiar with your data protection environment specifics

When setting up your environment for data protection, you must get familiar with all prerequisites, limitations, considerations, and/or recommendations that are specific to protecting Google Kubernetes Engine applications.

Prerequisite

The data mover must have access to the applications that you want to protect and to the targets that store the protected data. To ensure this, configure application backup options so that the data mover uses the appropriate subnet. For instructions, see Configuring GKE application backup options.

Tip  You can check under which subnet the applications and the targets are accessible in your cloud provider management console.

Applying labels on resource objects

To ensure that your GKE applications are successfully discovered and protected, appropriate metadata labels must be applied on the following:

  • Resource objects: Make sure the following is defined:

    • app.kubernetes.io/name: <AppName> label in the .yaml file of the resource object

      Note  Specifying this label is recommended by R‑Cloud. However, you can also use app: <AppName>.

    • Namespace in the metadata of the resource object
  • Persistent volume objects: By applying labels, you ensure that persistent volumes can be discovered and linked to Google Compute Engine disks, which is required for zone/region identification:

    Example   

    topology.kubernetes.io/zone=us-east-1c
    topology.kubernetes.io/zone=us-east-1c__us-east-1b (for replicated disks)
    topology.kubernetes.io/region=us-east-1

    Note  For persistent volumes that use a Container Storage Interface (CSI) provider, the zone/region is specified in the volume handle (for example, volumeHandle: projects/<ProjectID>/zones/<Zone>/disks/<DiskName>).

    The following deprecated Kubernetes labels are also supported:

    failure-domain.beta.kubernetes.io/region=<RegionName>
    failure-domain.beta.kubernetes.io/zone=<ZoneName>

For details on labels, see Kubernetes documentation.
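The following pre-flight check is an added example (not HYCU's or Kubernetes' code) that applies the labelling rules above to manifests already parsed into dicts, so it runs offline: it accepts either app label, requires a namespace, and derives a persistent volume's zone from the current or deprecated topology labels or from a CSI volumeHandle of the form quoted above. The sample objects and the problem messages are constructed for this example.

```python
# Constructed pre-flight check for the labels R-Cloud needs to discover GKE applications.
import re

APP_LABELS = ('app.kubernetes.io/name', 'app')
ZONE_LABELS = ('topology.kubernetes.io/zone', 'failure-domain.beta.kubernetes.io/zone')
REGION_LABELS = ('topology.kubernetes.io/region', 'failure-domain.beta.kubernetes.io/region')
# CSI volume handle format from the note above: projects/<ProjectID>/zones/<Zone>/disks/<DiskName>
CSI_HANDLE = re.compile(r'^projects/[^/]+/zones/(?P<zone>[^/]+)/disks/[^/]+$')

def check_resource(obj):
    """Return the discovery problems of a workload object (empty list means OK)."""
    meta = obj.get('metadata', {})
    labels = meta.get('labels') or {}
    problems = []
    if not any(labels.get(key) for key in APP_LABELS):
        problems.append('missing app.kubernetes.io/name (or app) label')
    if not meta.get('namespace'):
        problems.append('missing metadata.namespace')
    return problems

def pv_zones(pv):
    """Zones of a PersistentVolume from its topology labels (current or deprecated) or its CSI handle."""
    labels = pv.get('metadata', {}).get('labels') or {}
    for key in ZONE_LABELS:
        if labels.get(key):
            return labels[key].split('__')   # replicated disks carry zoneA__zoneB
    match = CSI_HANDLE.match(pv.get('spec', {}).get('csi', {}).get('volumeHandle', ''))
    return [match.group('zone')] if match else []

def check_persistent_volume(pv):
    """Return the discovery problems of a PersistentVolume (its zone/region must be identifiable)."""
    labels = pv.get('metadata', {}).get('labels') or {}
    if pv_zones(pv) or any(labels.get(key) for key in REGION_LABELS):
        return []
    return ['zone/region not identifiable: add topology.kubernetes.io/zone or /region, '
            'or use a CSI volumeHandle of the form projects/<ProjectID>/zones/<Zone>/disks/<DiskName>']

def check_manifests(objects):
    """Map kind/name to problems for every object that has any."""
    report = {}
    for obj in objects:
        name = f"{obj.get('kind')}/{obj.get('metadata', {}).get('name')}"
        checker = check_persistent_volume if obj.get('kind') == 'PersistentVolume' else check_resource
        if checker(obj):
            report[name] = checker(obj)
    return report

# Constructed samples: a labelled Deployment, a PV with a CSI handle, and a PV with neither labels nor handle.
SAMPLE = [
    {'kind': 'Deployment', 'metadata': {'name': 'web', 'namespace': 'shop', 'labels': {'app.kubernetes.io/name': 'shop'}}},
    {'kind': 'PersistentVolume', 'metadata': {'name': 'pv-csi'},
     'spec': {'csi': {'volumeHandle': 'projects/my-proj/zones/us-central1-a/disks/disk-1'}}},
    {'kind': 'PersistentVolume', 'metadata': {'name': 'pv-bare'}, 'spec': {'gcePersistentDisk': {'pdName': 'disk-2'}}},
]
```

Running check_manifests(SAMPLE) reports only PersistentVolume/pv-bare, the object R‑Cloud could not place in a zone or region.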

Discovering applications

After you enable the HMSA, the process of application discovery starts automatically. When the application discovery task completes, the discovered applications are listed in the Applications panel. An automatic application synchronization task is performed every 15 minutes. You can update the application list manually at any time by navigating to the Applications panel and clicking Synchronize.

Consideration

Before a GKE application can be discovered, the Kubernetes cluster on which it is deployed must be discovered by R‑Cloud. This is an automated task that is performed every 15 minutes.

Configuring GKE application backup options

You can adjust GKE application protection to the needs of your data protection environment by configuring application backup options.

Backup options

Backup option | Description
Pre/post Scripts | Enables you to specify the pre-snapshot and post-snapshot scripts to perform necessary actions before and/or after the snapshot of an application is created.
Data Movers | Enables you to specify the region, the zone, and the subnet where you want R‑Cloud to create a data mover during the backup. By default, the data mover is created in the Google Cloud project of the GKE cluster on which the application is running.

Prerequisites

  • Only if you plan to use pre-snapshot and post-snapshot scripts.

    • The script must be located in a bucket to which the HMSA has access.

    • The #!/usr/bin/env python3 header must be specified in the script.

    • The following line of code must be present in the script:

      os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = '/tmp/hycu/serviceAccount.json'

  • Only if you plan to configure backup options for multiple applications. All applications must have the same values set for each option that you plan to configure.

Limitations

  • You cannot specify a different subnet for the data mover if you are protecting applications running on a private GKE cluster on which the Access control plane using its external IP address option is disabled.

  • Only if you plan to use pre-snapshot and post-snapshot scripts.

    • Only Python scripts are supported.
    • For making API calls, you can use only the following Python libraries:

      • googleapiclient for Google Cloud API calls
      • kubernetes for Kubernetes API calls

Recommendation

If you plan to use targets for storing the protected data, optimize the egress data costs by configuring application backup options so that the data mover uses the same or the nearest available region as the target that stores the protected data.

Procedure

  1. In the Applications panel, select the applications for which you want to configure backup options.
  2. Click Configuration. The Application Configuration dialog box opens.
  3. Depending on whether you want to specify the pre-snapshot and post-snapshot scripts for a single application or multiple applications, or specify the data mover location and subnet, do the following:

    • Only if you want to specify the pre-snapshot and post-snapshot scripts for a single application. On the Pre/post Scripts tab, specify the scripts to perform necessary actions before and/or after the snapshot of the application is created:

      • In the Pre-snapshot Script field, enter the path to the script that R‑Cloud will run before it creates the snapshot of the application.

      • In the Post-snapshot Script field, enter the path to the script that R‑Cloud will run after it creates the snapshot of the application.

      Important  When entering the path to the script, make sure to enter it correctly, including lowercase and uppercase letters, as the path is case sensitive. You must specify the path in the following format:

      gs://bucket-name/script.py parameter1 parameter2 ...

      Example  The following is an example of the first lines of a pre-snapshot script:

      #!/usr/bin/env python3
      import os
      import kubernetes

      os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = '/tmp/hycu/serviceAccount.json'

    • Only if you want to specify the pre-snapshot and post-snapshot scripts for multiple applications. On the Pre/post Scripts tab, do the following:

      1. Specify the scripts to perform necessary actions before and/or after the snapshot of the application is created. To do so, choose one of the following:

        • If you want to use a new script, select Add New, enter the path to the script, and then click Save.

        • If any of the selected applications already have a pre-snapshot or post-snapshot script set and you want to use the same script for all other selected applications, select the preferred script.

      2. Only if any of the selected applications already have a pre-snapshot or post-snapshot script set. Select the Override these applications check box if you want the specified script to be used for all the selected applications.

      Important  When entering the path to the script, make sure to enter it correctly, including lowercase and uppercase letters, as the path is case sensitive. You must specify the path in the following format:

      gs://bucket-name/script.py parameter1 parameter2 ...

      Example  The following is an example of the first lines of a pre-snapshot script:

      #!/usr/bin/env python3
      import os
      import kubernetes

      os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = '/tmp/hycu/serviceAccount.json'

    • Only if you want to specify the data mover location and subnet. On the Data Movers configuration tab, provide the following information:

      1. From the Region drop-down menu, select the preferred region.

      2. From the Zone drop-down menu, select the preferred zone.

      3. From the Subnet drop-down menu, select the preferred subnet. By default, the data mover is created in the default subnet of the preferred region and zone.

  4. Click Save.
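The following complete pre-snapshot script is an added example (not HYCU's code) that satisfies the script requirements listed under Prerequisites and Limitations above: the python3 header, the GOOGLE_APPLICATION_CREDENTIALS line, and only the kubernetes library for API calls. It assumes the two parameters appended to the gs:// path are a namespace and an application name, that the script can load a kubeconfig where it runs, and it records a hypothetical example.com/pre-snapshot annotation on the application's Deployments (found through the app.kubernetes.io/name label) rather than quiescing them.

```python
#!/usr/bin/env python3
# Constructed pre-snapshot script. R-Cloud would invoke it as:
#   gs://bucket-name/pre_snapshot.py <namespace> <app-name>
import os
import sys
from datetime import datetime, timezone

# Required line: the service-account key is provided to the script at this path.
os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = '/tmp/hycu/serviceAccount.json'

LABEL_KEY = 'app.kubernetes.io/name'          # label applied on the application's resources
ANNOTATION_KEY = 'example.com/pre-snapshot'   # hypothetical annotation written by this script

def parse_args(argv):
    """Return (namespace, app_name) from the parameters appended to the gs:// path."""
    if len(argv) != 3:
        raise SystemExit(f'usage: {argv[0]} <namespace> <app-name>')
    return argv[1], argv[2]

def label_selector(app_name):
    """Selector matching every resource labelled for this application."""
    return f'{LABEL_KEY}={app_name}'

def credentials_ready(path=None):
    """True if the service-account key file is present and non-empty."""
    path = path or os.environ['GOOGLE_APPLICATION_CREDENTIALS']
    return os.path.isfile(path) and os.path.getsize(path) > 0

def build_annotation_patch(timestamp):
    """Strategic-merge patch recording when the pre-snapshot step ran."""
    return {'metadata': {'annotations': {ANNOTATION_KEY: timestamp}}}

def main():
    namespace, app_name = parse_args(sys.argv)
    if not credentials_ready():
        raise SystemExit('service account key missing: ' + os.environ['GOOGLE_APPLICATION_CREDENTIALS'])
    # kubernetes is one of the two permitted libraries; imported here so the helpers above stay
    # importable without it. Loading a kubeconfig is an assumption about the script's environment.
    from kubernetes import client, config
    config.load_kube_config()
    apps = client.AppsV1Api()
    patch = build_annotation_patch(datetime.now(timezone.utc).isoformat())
    found = apps.list_namespaced_deployment(namespace, label_selector=label_selector(app_name))
    if not found.items:
        raise SystemExit(f'no deployments match {label_selector(app_name)} in {namespace}')
    for dep in found.items:
        apps.patch_namespaced_deployment(dep.metadata.name, namespace, patch)
        print(f'annotated {namespace}/{dep.metadata.name}')

if __name__ == '__main__':
    main()
```

A matching post-snapshot script would follow the same skeleton and, for example, remove or update the annotation after the snapshot completes.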