Preparing for Google Kubernetes Engine application protection

Before you start protecting your Google Kubernetes Engine (GKE) applications, you must prepare your environment for application data protection.

Prerequisite

The HYCU Managed Service Account (HMSA) must have the Compute Admin, Service Account User, Storage Admin, and Kubernetes Engine Admin roles granted on the projects that contain the Kubernetes clusters on which the GKE applications you plan to protect are deployed. These are broad roles; grant them on those projects only, not on a parent folder or the organization, so that the HMSA cannot act in projects that hold no protected clusters.

For instructions on how to grant permissions to service accounts, see Google Cloud documentation.

Limitations

  • Protecting applications running on GKE clusters that were created by using the Autopilot mode of operation is not supported.

  • R‑Cloud does not support protecting applications that are configured in a subnet where Private Google Access is enabled and that are at the same time running on one of the following clusters:
    • A public GKE cluster without an internal IP address.
    • A private GKE cluster that has the Access control plane using its external IP address option selected but no internal IP address.
  • For applications using volumes: Only Compute Engine (GCE) persistent disk volumes and CSI volumes are supported.

Preparing your environment for GKE application data protection includes the following tasks:

  1. Mandatory. Make sure appropriate labels are applied on all resource objects. For instructions, see Applying labels on resource objects.
  2. Mandatory. Make sure your GKE applications are discovered in R‑Cloud. For instructions, see Discovering applications.
  3. Optional. Configure GKE application backup options. For instructions, see Configuring GKE application backup options.

Applying labels on resource objects

To ensure that your GKE applications are successfully discovered and protected, appropriate metadata labels must be applied on the following:

  • Resource objects: Make sure the following is defined:

    • app.kubernetes.io/name: <AppName> label in the .yaml file of the resource object

      Note  Specifying this label is recommended by R‑Cloud. However, you can also use app: <AppName>.

    • Namespace in the metadata of the resource object
  • Persistent volume objects: By applying labels, you ensure that persistent volumes can be discovered and linked to Google Compute Engine disks, which is required for zone/region identification:

    Example   

    topology.kubernetes.io/zone=us-east1-c
    topology.kubernetes.io/zone=us-east1-c__us-east1-b (for replicated disks: both zones, joined by a double underscore)
    topology.kubernetes.io/region=us-east1

    Note  For persistent volumes that use a Container Storage Interface (CSI) provider, the zone/region is specified in the volume handle (for example, volumeHandle: projects/<ProjectID>/zones/<Zone>/disks/<DiskName>).

    The following deprecated Kubernetes labels are also supported:

    failure-domain.beta.kubernetes.io/region=<RegionName>
    failure-domain.beta.kubernetes.io/zone=<ZoneName>

For details on labels, see Kubernetes documentation.
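The following script is an added example, not part of R‑Cloud or HYCU documentation. It checks Kubernetes objects that have already been loaded into dicts (for example, the items of kubectl get deploy,svc,pv -A -o json) against the requirements above: the app.kubernetes.io/name or app label and a namespace on resource objects, and a zone derivable from the current or deprecated topology labels or from a CSI volumeHandle on persistent volumes. The sample objects at the bottom are constructed, the audit function and its report format are this example's own, and the region cross-check assumes the GCP zone naming scheme <region>-<letter>.

```python
"""Check that GKE objects carry the metadata R-Cloud needs to discover an application.

Added example, not part of HYCU R-Cloud. It works on objects already loaded into
dicts (for example the items of `kubectl get deploy,svc,pv -A -o json`), so it runs
offline against the constructed samples at the bottom.
"""
import re

# Application label: app.kubernetes.io/name is recommended, app is also accepted.
APP_LABELS = ("app.kubernetes.io/name", "app")
# Current topology labels first, then the deprecated failure-domain labels.
ZONE_LABELS = ("topology.kubernetes.io/zone", "failure-domain.beta.kubernetes.io/zone")
REGION_LABELS = ("topology.kubernetes.io/region", "failure-domain.beta.kubernetes.io/region")
# Zone embedded in a GCE PD CSI volume handle: projects/<ProjectID>/zones/<Zone>/disks/<DiskName>
CSI_HANDLE_RE = re.compile(r"^projects/[^/]+/zones/(?P<zone>[^/]+)/disks/[^/]+$")


def first_label(obj, names):
    """Return the value of the first label in `names` present on `obj`, else None."""
    labels = obj.get("metadata", {}).get("labels") or {}
    for name in names:
        if name in labels:
            return labels[name]
    return None


def check_resource(obj):
    """Problems with a namespaced resource object (Deployment, Service, ...); [] means OK."""
    problems = []
    if not obj.get("metadata", {}).get("namespace"):
        problems.append("metadata.namespace is missing")
    if first_label(obj, APP_LABELS) is None:
        problems.append("no app.kubernetes.io/name (or app) label")
    return problems


def pv_zones(pv):
    """Zones of a PersistentVolume, or [] if none can be determined.

    Labels win over the CSI volume handle. A replicated (regional) disk carries
    both zones joined by "__", e.g. us-east1-c__us-east1-b.
    """
    zone = first_label(pv, ZONE_LABELS)
    if zone:
        return zone.split("__")
    handle = pv.get("spec", {}).get("csi", {}).get("volumeHandle", "")
    m = CSI_HANDLE_RE.match(handle)
    return [m.group("zone")] if m else []


def check_pv(pv):
    """Problems with a PersistentVolume; [] means R-Cloud can place it in a zone/region."""
    problems = []
    zones = pv_zones(pv)
    if not zones:
        problems.append("zone not determinable from labels or CSI volumeHandle")
    region = first_label(pv, REGION_LABELS)
    # Assumption: a GCP zone is <region>-<letter>, so every zone must belong to the labelled region.
    zone_regions = {z.rsplit("-", 1)[0] for z in zones}
    if region and zone_regions and zone_regions != {region}:
        problems.append(f"region label {region} does not match zone(s) {zones}")
    return problems


def audit(objects):
    """Map '<kind>/<name>' to its problem list, keeping only objects that have problems."""
    report = {}
    for obj in objects:
        key = f"{obj.get('kind')}/{obj.get('metadata', {}).get('name')}"
        problems = check_pv(obj) if obj.get("kind") == "PersistentVolume" else check_resource(obj)
        if problems:
            report[key] = problems
    return report


# Constructed sample objects (not taken from a real cluster).
SAMPLE_OBJECTS = [
    {"kind": "Deployment", "metadata": {"name": "shop-api", "namespace": "shop",
                                         "labels": {"app.kubernetes.io/name": "shop-api"}}},
    {"kind": "Service", "metadata": {"name": "shop-api",          # namespace missing
                                      "labels": {"app": "shop-api"}}},
    {"kind": "ConfigMap", "metadata": {"name": "shop-config", "namespace": "shop"}},  # no app label
    {"kind": "PersistentVolume", "metadata": {"name": "pv-regional",
        "labels": {"topology.kubernetes.io/zone": "us-east1-c__us-east1-b",
                   "topology.kubernetes.io/region": "us-east1"}}},
    {"kind": "PersistentVolume", "metadata": {"name": "pv-csi"},
     "spec": {"csi": {"volumeHandle": "projects/my-project/zones/us-east1-c/disks/pvc-0001"}}},
    {"kind": "PersistentVolume", "metadata": {"name": "pv-unlabelled"}, "spec": {}},
]

if __name__ == "__main__":
    for key, problems in audit(SAMPLE_OBJECTS).items():
        print(key, "->", "; ".join(problems))
```

Run it before enabling protection: every line it prints is an object that R‑Cloud will either not discover as part of the application or not be able to map to a zone and region.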

Discovering applications

After you enable the HMSA, application discovery starts automatically. When the application discovery task completes, the discovered applications are listed in the Applications panel. An automatic application synchronization task runs every 15 minutes. You can update the application list manually at any time by navigating to the Applications panel and clicking Synchronize.

Consideration

Before a GKE application can be discovered, the Kubernetes cluster on which it is deployed must be discovered by R‑Cloud. This is an automated task that is performed every 15 minutes.

Configuring GKE application backup options

You can adjust GKE application protection to the needs of your data protection environment by configuring application backup options.

Backup options

  • Pre/post scripts: Enables you to specify the pre-snapshot and post-snapshot scripts that perform necessary actions before and/or after the snapshot of an application is created.
  • Temporary instance configuration: Enables you to specify the region, the zone, and the subnet where you want R‑Cloud to create a temporary instance during the backup. By default, the temporary instance is created in the project of the GKE cluster on which the application is running.

Prerequisites

  • Only if you plan to use pre-snapshot and post-snapshot scripts.

    • The script must be located in a bucket to which the HMSA has access. Because R‑Cloud runs the script with the service account credentials it provides (see the GOOGLE_APPLICATION_CREDENTIALS line below), anyone who can write to that bucket can run code with those permissions; restrict write access to the bucket accordingly.

    • The #!/usr/bin/env python3 header must be specified in the script.

    • The following line of code must be present in the script:

      os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = '/tmp/hycu/serviceAccount.json'

  • Only if you plan to configure backup options for multiple applications. All applications must have the same values set for each option that you plan to configure.

Limitations

  • You cannot specify a different subnet for the temporary instance if you are protecting applications running on a private GKE cluster on which the Access control plane using its external IP address option is disabled.

  • Only if you plan to use pre-snapshot and post-snapshot scripts.

    • Only Python scripts are supported.
    • For making API calls, you can use only the following Python libraries:

      • googleapiclient for Google Cloud API calls
      • kubernetes for Kubernetes API calls

Procedure

  1. In the Applications panel, select the applications for which you want to configure backup options.
  2. Click Configuration. The Application Configuration dialog box opens.
  3. Depending on what you want to do, provide the required information:

    • Only if specifying the pre-snapshot and post-snapshot scripts. On the Pre/post scripts tab, specify the scripts to perform necessary actions before and/or after the snapshot of the application is created:

      • In the Pre-snapshot script field, enter the path to the script that R‑Cloud will run just before it creates the snapshot of the application.
      • In the Post-snapshot script field, enter the path to the script that R‑Cloud will run immediately after it creates the snapshot of the application.

      Important  Enter the path exactly as it appears in the bucket; the path is case sensitive. You must specify the path in the following format:

      gs://bucket-name/script.py parameter1 parameter2 ...

      Example  The following is an example of the first lines of a pre-snapshot script:

      #!/usr/bin/env python3
      import os
      import kubernetes
      
      os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = '/tmp/hycu/serviceAccount.json'
    • Only if specifying the temporary instance location and subnet. On the Temporary instance configuration tab, provide the following information:

      1. From the Region drop-down menu, select the preferred region.

      2. From the Zone drop-down menu, select the preferred zone.

      3. From the Subnet drop-down menu, select the preferred subnet. By default, the temporary instance is created in the default subnet of the preferred region and zone.

  4. Click Save.
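The following is an added example of a complete pre/post-snapshot script that satisfies the requirements above (python3 header, GOOGLE_APPLICATION_CREDENTIALS line, only the kubernetes library for API calls); it is not HYCU's code. It is meant to be registered as gs://<bucket>/quiesce.py pre <namespace> <deployment> in the Pre-snapshot script field and gs://<bucket>/quiesce.py post <namespace> <deployment> in the Post-snapshot script field. The bucket name, script name, parameter layout, annotation key, and the use of a kubeconfig on the temporary instance are this example's assumptions. Scaling the Deployment to zero is one simple way to quiesce an application that tolerates a short stop; a database would usually want a flush or filesystem freeze inside the pod instead.

```python
#!/usr/bin/env python3
"""Pre/post-snapshot hook for an R-Cloud GKE application backup.

Added example; not HYCU code. Invoked by R-Cloud as
    gs://<bucket>/quiesce.py <pre|post> <namespace> <deployment>
(bucket name, script name and parameter layout are this example's choices).
Before the snapshot it scales a Deployment to zero and records the previous
replica count in an annotation; after the snapshot it restores that count.
Keeping the count on the object itself means the post step does not depend on
any state held by the pre step's process.
"""
import os
import sys

# Required by R-Cloud: the credentials it provisions on the temporary instance.
os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = '/tmp/hycu/serviceAccount.json'

REPLICAS_ANNOTATION = "example.com/pre-snapshot-replicas"  # hypothetical annotation key


def parse_args(argv):
    """Validate '<pre|post> <namespace> <deployment>'; raises SystemExit on bad input."""
    if len(argv) != 4 or argv[1] not in ("pre", "post"):
        raise SystemExit(f"usage: {argv[0]} pre|post <namespace> <deployment>")
    return argv[1], argv[2], argv[3]


def quiesce(apps_v1, namespace, name):
    """Scale the Deployment to 0 and remember its replica count. Returns that count."""
    dep = apps_v1.read_namespaced_deployment(name, namespace)
    replicas = dep.spec.replicas or 0
    apps_v1.patch_namespaced_deployment(name, namespace, {
        "metadata": {"annotations": {REPLICAS_ANNOTATION: str(replicas)}},
        "spec": {"replicas": 0},
    })
    return replicas


def resume(apps_v1, namespace, name):
    """Restore the replica count saved by quiesce(). Returns it, or None if nothing was saved.

    If the annotation is missing (the pre step never ran or failed before patching),
    leave the Deployment alone rather than guessing, so a failed backup cannot
    silently change the application's size.
    """
    dep = apps_v1.read_namespaced_deployment(name, namespace)
    saved = (dep.metadata.annotations or {}).get(REPLICAS_ANNOTATION)
    if saved is None:
        return None
    replicas = int(saved)
    apps_v1.patch_namespaced_deployment(name, namespace, {
        "metadata": {"annotations": {REPLICAS_ANNOTATION: None}},  # null removes the key
        "spec": {"replicas": replicas},
    })
    return replicas


def main(argv):
    phase, namespace, name = parse_args(argv)
    # Imported here so quiesce()/resume() can be exercised with a stub client
    # where the kubernetes package is not installed.
    import kubernetes
    kubernetes.config.load_kube_config()  # assumption: a kubeconfig exists on the temporary instance
    apps_v1 = kubernetes.client.AppsV1Api()
    if phase == "pre":
        print(f"scaled {namespace}/{name} from {quiesce(apps_v1, namespace, name)} to 0 replicas")
    else:
        restored = resume(apps_v1, namespace, name)
        if restored is None:
            print(f"no saved replica count on {namespace}/{name}; nothing to restore")
        else:
            print(f"restored {namespace}/{name} to {restored} replicas")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Both phases use the same object in the bucket, which keeps the pre and post logic, and the annotation key they share, in one place; test the script against a stub AppsV1Api before uploading it, since the HMSA credentials give it real cluster access once it is run by R‑Cloud.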