Preparing for Google Kubernetes Engine application protection
Before you start protecting your Google Kubernetes Engine (GKE) applications, you must prepare your environment for application data protection.
Prerequisite
The HYCU Managed Service Account (HMSA) must have the Compute Admin, Service Account User, Storage Admin, and Kubernetes Engine Admin roles granted on the Google Cloud projects with the Kubernetes clusters on which the GKE applications that you plan to protect are deployed.
For instructions on how to grant permissions to service accounts, see Google Cloud documentation.
Limitations
- Protecting applications running on GKE clusters that were created by using the Autopilot mode of operation is not supported.
- R‑Cloud does not support protecting applications that are configured in a subnet where Google Private Access is enabled and that are at the same time running on one of the following clusters:
  - A public GKE cluster without an internal IP address.
  - A private GKE cluster with the selected Access control plane using its external IP address option without an internal IP address.
- For applications using volumes: Only GCE persistent disk volumes and CSI volumes are supported.
Preparing your environment for GKE application data protection includes the following tasks:
- Getting familiar with your data protection environment specifics
- Applying labels on resource objects
- Discovering applications
- Configuring GKE application backup options
Getting familiar with your data protection environment specifics
When setting up your environment for data protection, you must get familiar with all prerequisites, limitations, considerations, and/or recommendations that are specific to protecting Google Kubernetes Engine applications.
Prerequisite
The data mover must have access to the applications that you want to protect and to the targets that store the protected data. To ensure this, configure application backup options so that the data mover uses the appropriate subnet. For instructions, see Configuring GKE application backup options.
Tip: You can check under which subnet the applications and the targets are accessible in your cloud provider management console.
Applying labels on resource objects
To ensure that your GKE applications are successfully discovered and protected, appropriate metadata labels must be applied on the following:
- Resource objects: Make sure the following is defined:
  - app.kubernetes.io/name: <AppName> label in the .yaml file of the resource object
    Note: Specifying this label is recommended by R‑Cloud. However, you can also use app: <AppName>.
  - Namespace in the metadata of the resource object
- Persistent volume objects: By applying labels, you ensure that persistent volumes can be discovered and linked to Google Compute Engine disks, which is required for zone/region identification:
  Example
    topology.kubernetes.io/zone=us-east-1c
    topology.kubernetes.io/zone=us-east-1c__us-east-1b (for replicated disks)
    topology.kubernetes.io/region=us-east-1
  Note: For persistent volumes that use a Container Storage Interface (CSI) provider, the zone/region is specified in the volume handle (for example, volumeHandle: projects/<ProjectID>/zones/<Zone>/disks/<DiskName>).
  The following deprecated Kubernetes labels are also supported:
    failure-domain.beta.kubernetes.io/region=<RegionName>
    failure-domain.beta.kubernetes.io/zone=<ZoneName>
For details on labels, see Kubernetes documentation.
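The labelling rules above can be verified before discovery runs. The following Python check is an added example, not HYCU or R‑Cloud code: it assumes manifests already parsed into dictionaries, and the function names, the example-project handle, and the sample objects are constructed for illustration.

```python
import re

APP_LABELS = ("app.kubernetes.io/name", "app")  # recommended label first
ZONE_LABELS = ("topology.kubernetes.io/zone", "failure-domain.beta.kubernetes.io/zone")
REGION_LABELS = ("topology.kubernetes.io/region", "failure-domain.beta.kubernetes.io/region")
HANDLE_RE = re.compile(r"^projects/[^/]+/zones/([^/]+)/disks/[^/]+$")


def check_resource(obj):
    """Return the labelling problems found on a resource object."""
    meta = obj.get("metadata", {})
    labels = meta.get("labels") or {}
    problems = []
    if not any(labels.get(k) for k in APP_LABELS):
        problems.append("missing app.kubernetes.io/name (or app) label")
    if not meta.get("namespace"):
        problems.append("missing metadata.namespace")
    return problems


def pv_location(pv):
    """Return (zones, region) for a persistent volume; ([], None) if unknown."""
    labels = pv.get("metadata", {}).get("labels") or {}
    zone_value = next((labels[k] for k in ZONE_LABELS if labels.get(k)), "")
    zones = [z for z in zone_value.split("__") if z]  # "__" joins replicated-disk zones
    region = next((labels[k] for k in REGION_LABELS if labels.get(k)), None)
    if not zones:
        # CSI volumes carry the zone in the volume handle instead of labels.
        handle = (pv.get("spec", {}).get("csi") or {}).get("volumeHandle", "")
        match = HANDLE_RE.match(handle)
        if match:
            zones = [match.group(1)]
    return zones, region


# Constructed sample objects in parsed-manifest shape, not from a real cluster.
DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "web", "labels": {"tier": "front"}}}
PV_LABELLED = {"metadata": {"labels": {
    "topology.kubernetes.io/zone": "us-east-1c__us-east-1b",
    "topology.kubernetes.io/region": "us-east-1"}}}
PV_CSI = {"metadata": {"labels": {}}, "spec": {"csi": {
    "volumeHandle": "projects/example-project/zones/us-central1-a/disks/data-disk"}}}
PV_BARE = {"metadata": {"name": "orphan"}, "spec": {}}

if __name__ == "__main__":
    print(check_resource(DEPLOYMENT))
    for pv in (PV_LABELLED, PV_CSI, PV_BARE):
        print(pv_location(pv))
```

A persistent volume for which pv_location returns no zones has neither a supported label nor a matching volume handle, so it should be labelled before protection is configured.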
Discovering applications
After you enable the HMSA, the process of application discovery starts automatically. When the application discovery task completes, the discovered applications are listed in the Applications panel. An automatic application synchronization task is performed every 15 minutes. You can update the application list manually at any time by navigating to the Applications panel and clicking Refresh.
Consideration
Before a GKE application can be discovered, the Kubernetes cluster on which it is deployed must be discovered by R‑Cloud. This is an automated task that is performed every 15 minutes.
Configuring GKE application backup options
You can adjust GKE application protection to the needs of your data protection environment by configuring application backup options.
Backup options
Backup option | Description |
---|---|
Pre/post Scripts | Enables you to specify the pre-snapshot and post-snapshot scripts to perform necessary actions before and/or after the snapshot of an application is created. |
Data Movers | Enables you to specify the region, the zone, and the subnet where you want R‑Cloud to create a data mover during the backup. By default, the data mover is created in the Google Cloud project of the GKE cluster on which the application is running. |
Prerequisites
- Only if you plan to use pre-snapshot and post-snapshot scripts.
  - The script must be located in a bucket to which the HMSA has access.
  - The #!/usr/bin/env python3 header must be specified in the script.
  - The following line of code must be present in the script:
    os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = '/tmp/hycu/serviceAccount.json'
- Only if you plan to configure backup options for multiple applications. All applications must have the same values set for each option that you plan to configure.
Limitations
- You cannot specify a different subnet for the data mover if you are protecting applications running on a private GKE cluster with the disabled Access control plane using its external IP address option.
- Only if you plan to use pre-snapshot and post-snapshot scripts.
  - Only Python scripts are supported.
  - For making API calls, you can use only the following Python libraries:
    - googleapiclient for Google Cloud API calls
    - kubernetes for Kubernetes API calls
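These scripts load credentials from /tmp/hycu/serviceAccount.json, so reviewing them before they are placed in the bucket is worthwhile. The following linter is an added example, not HYCU code, that checks a script against the script prerequisites and limitations above; lint_script, the sample scripts, and the rule that any import outside the standard library and the two allowed libraries is a finding are assumptions of this example.

```python
import ast
import sys

CRED_KEY = "GOOGLE_APPLICATION_CREDENTIALS"
CRED_PATH = "/tmp/hycu/serviceAccount.json"
API_LIBS = {"googleapiclient", "kubernetes"}  # the only API libraries the page allows
# Assumption of this example: imports outside the standard library and API_LIBS
# are reported. The fallback set is used only on Python older than 3.10.
STDLIB = getattr(sys, "stdlib_module_names", {"os", "sys", "json", "time"})


def lint_script(source):
    """Return findings for a pre/post-snapshot script passed as text."""
    findings = []
    lines = source.splitlines()
    if not lines or lines[0].strip() != "#!/usr/bin/env python3":
        findings.append("first line is not '#!/usr/bin/env python3'")
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return findings + [f"not valid Python: line {exc.lineno}"]
    creds_set = False
    for node in ast.walk(tree):
        modules = []
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            modules = [node.module or ""]
        for top in (m.split(".")[0] for m in modules):
            if top and top not in STDLIB and top not in API_LIBS:
                findings.append(f"line {node.lineno}: unsupported library '{top}'")
        # Look for os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = '<CRED_PATH>'
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            target = ast.unparse(node.targets[0])
            if target == f"os.environ['{CRED_KEY}']" and node.value.value == CRED_PATH:
                creds_set = True
    if not creds_set:
        findings.append(f"{CRED_KEY} is not set to {CRED_PATH}")
    return findings


# Constructed sample scripts for the demonstration.
GOOD = ("#!/usr/bin/env python3\nimport os\nimport kubernetes\n"
        f"os.environ['{CRED_KEY}'] = '{CRED_PATH}'\n")
BAD = ("#!/usr/bin/python\nimport os\nimport requests\n"
       f"os.environ['{CRED_KEY}'] = '/tmp/creds.json'\n")

if __name__ == "__main__":
    print(lint_script(GOOD))
    print(lint_script(BAD))
```

The script is only parsed, never executed, so the check can run on a workstation that has neither the credentials file nor cluster access.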
Recommendation
If you plan to use targets for storing the protected data, optimize the egress data costs by configuring application backup options so that the data mover uses the same or the nearest available region as the target that stores the protected data.

To access the Applications panel, in the navigation pane, click Applications.
Procedure
- In the Applications panel, select the applications for which you want to configure backup options.
- Click Configuration. The Application Configuration dialog box opens.
- Depending on whether you want to specify the pre-snapshot and post-snapshot scripts for a single application or multiple applications, or specify the data mover location and subnet, do the following:
  - Only if you want to specify the pre-snapshot and post-snapshot scripts for a single application. On the Pre/post Scripts tab, specify the scripts to perform necessary actions before and/or after the snapshot of the application is created:
    - In the Pre-snapshot Script field, enter the path to the script that R‑Cloud will run before it creates the snapshot of the application.
    - In the Post-snapshot Script field, enter the path to the script that R‑Cloud will run after it creates the snapshot of the application.
    Important: When entering the path to the script, make sure to enter it correctly, including lowercase and uppercase letters, as the path is case sensitive. You must specify the path in the following format:
      gs://bucket-name/script.py parameter1 parameter2 ...
    Example: The following is an example of the first lines of a pre-snapshot script:
      #!/usr/bin/env python3
      import os
      import kubernetes
      os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = '/tmp/hycu/serviceAccount.json'
  - Only if you want to specify the pre-snapshot and post-snapshot scripts for multiple applications. On the Pre/post Scripts tab, do the following:
    - Specify the scripts to perform necessary actions before and/or after the snapshot of the application is created. To do so, choose one of the following:
      - If you want to use a new script, select Add New, enter the path to the script, and then click Save.
      - If any of the selected applications already have a pre-snapshot or post-snapshot script set and you want to use the same script for all other selected applications, select the preferred script.
    - Only if any of the selected applications already have a pre-snapshot or post-snapshot script set. Select the Override these applications check box if you want the specified script to be used for all the selected applications.
    Important: When entering the path to the script, make sure to enter it correctly, including lowercase and uppercase letters, as the path is case sensitive. You must specify the path in the following format:
      gs://bucket-name/script.py parameter1 parameter2 ...
    Example: The following is an example of the first lines of a pre-snapshot script:
      #!/usr/bin/env python3
      import os
      import kubernetes
      os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = '/tmp/hycu/serviceAccount.json'
  - Only if you want to specify the data mover location and subnet. On the Data Movers configuration tab, provide the following information:
    - From the Region drop-down menu, select the preferred region.
    - From the Zone drop-down menu, select the preferred zone.
    - From the Subnet drop-down menu, select the preferred subnet. By default, the data mover is created in the default subnet of the preferred region and zone.
- Click Save.