When you update a Kubernetes cluster, you can update many settings, including Kubernetes API server URL, Service Account, Service Account Token, etcd backups, roles and permissions, and backup gateways.
Go to the Cluster
- From the Command Center navigation pane, go to Protect > Kubernetes.
  The Overview page appears.
- On the Clusters tab, click the cluster.
  The cluster page appears.
Modify the Credential, Kubernetes API Server, Service Account or Service Account Token
Commvault Cloud validates the service account and service account token with one of the backup gateways that is configured for the cluster. If the backup gateway cannot authenticate with the provided credentials, an error occurs and the changes are not saved.
- On the Overview tab, in the upper-right area of the General section, click the edit button.
  The Edit cluster details dialog box appears.
- To modify the credential, next to Credential, click the edit button.
  The Edit credential dialog box appears.
  You can also modify the credential from the Credential Vault page. For more information, see Updating the Credentials in a Credential Entity.
- Modify the Credential name, Kubernetes API server, Service account or Service token.
- Click Save.
- To select a new credential for the cluster, select one from the Credential list.
- Click Save.
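Because a rejected token means the changes are not saved, it helps to inspect the token before entering it. The following is an added example, not Commvault code: it decodes a Kubernetes service account token (a JWT) offline and reports a wrong subject or a missing or near expiry. The function names and the `backup-ns:backup-sa` account are constructed for illustration, and the signature is not verified (only the API server can do that).

```python
import base64
import json
import time


def _claims(token):
    """Decode the JWT payload segment (base64url, padding restored)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT (header.payload.signature)")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(seg))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def inspect_sa_token(token, expected_sa, now=None, min_remaining_s=24 * 3600):
    """Return a list of findings; an empty list means nothing was flagged.

    expected_sa is "namespace:name". The signature is NOT checked here.
    """
    now = time.time() if now is None else now
    try:
        claims = _claims(token)
    except ValueError as err:  # also covers base64 and JSON decode errors
        return [str(err)]
    findings = []
    want_sub = "system:serviceaccount:" + expected_sa
    if claims.get("sub") != want_sub:
        findings.append(f"subject is {claims.get('sub')!r}, expected {want_sub!r}")
    exp = claims.get("exp")
    if exp is None:
        findings.append("no exp claim: token does not expire, rotate it yourself")
    elif exp <= now:
        findings.append("token has expired")
    elif exp - now < min_remaining_s:
        findings.append(f"token expires in {int(exp - now)} s")
    return findings


def make_constructed_token(claims):
    """Build an unsigned sample token (constructed data, for the demo only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.c2ln"


if __name__ == "__main__":
    sample = make_constructed_token(
        {"sub": "system:serviceaccount:backup-ns:backup-sa", "exp": time.time() + 3600})
    print(inspect_sa_token(sample, "backup-ns:backup-sa"))
```
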
Modify the Workload Region
The workload region determines where the backups are stored and replicated, based on the location of the Kubernetes cluster and applications.
- On the Overview tab, in the General section, for Workload region, click the edit button.
- Select the region.
- Click Save.
Disable Backups, Temporarily or Indefinitely
When backups are disabled, the cluster is not included in SLA calculations.
You can also disable backups for individual application groups and applications.
- On the Configuration tab, in the Activity control section, move the Data backup toggle to the left.
  An Enable after a delay link appears.
- To enable backups again after a delay, click the Enable after a delay link, and then enter the amount of time to delay.
Disable Restores, Temporarily or Indefinitely
If you disable restores, applications and other data cannot be restored.
You can also disable restores for individual applications (but not for application groups).
Note
Disabling restores does not prevent the administrator from attempting a restore, but the restore fails with a "Data activity disabled for client" message.
- On the Configuration tab, in the Activity control section, move the Data restore toggle to the left.
  An Enable after a delay link appears.
- To enable restores again after a delay, click the Enable after a delay link, and then enter the amount of time to delay.
Enable etcd Backups
For detailed information about etcd backups, see Enabling Kubernetes etcd Key Value Store Backups.
- On the Configuration tab, in the etcd protection section, move the etcd protection toggle to the right.
  The etcd protection backup plan dialog box appears.
- From the Plan list, select the backup plan to use for the etcd (system generated) application group that the Commvault Cloud software will create to protect etcd.
- Click Save.
Create Resource Modifiers
You can use resource modifiers to add, delete, and modify fields in the Kubernetes resource YAMLs that you restore. Resource modifiers are useful when you need to modify the restore content to match the destination environment. For information, see Creating Reusable Resource Modifiers for Kubernetes.
Configure Restore Exclusions
You can exclude Kubernetes resources (such as applications and namespaces) or sub-resources (such as ConfigMaps, Secrets, Services, PersistentVolumeClaims, etc.) from an application group so that they are not backed up. Resources are objects that can be listed, created, or re-created using the Kubernetes API server, while sub-resources are objects associated with those resources.
- On the Configuration tab, in the Advanced options section, for Restore exclusions, click Configure.
  The Restore exclusions dialog box appears.
- From the Filter list, select an existing restore filter from either the source or destination cluster, or click + to add a new filter.
  If you add a new resource filter during a restore operation, it is added to the cv-config namespace.
  Note
  Commvault Cloud needs the cv-config namespace and a custom CRD, cvresourcefilters.k8s.cv.io, to be present on the cluster. If the namespace and CRD are not present, when you create your resource filter, the software automatically creates a new namespace called cv-config and deploys a new CustomResourceDefinition (CRD) to your cluster.
- In the Exclusions area, from the Exclude list, select Exclude by rule.
  The Add rule dialog box appears.
- From the list, select Kind, Group, Version, Namespace, Name, or Label, and then specify the rule.
- Click Save.
- To exclude sub-resources, move the Exclude sub-resources toggle key to the right.
  The Exclude sub-resources area appears.
- From the Exclude list, select Exclude by Rule.
  The Add rule dialog box appears.
- From the list, select Kind, Group, Version, Namespace, Name, or Label, and then specify the rule.
- Click Save.
Specify a Different Image Registry (Such as for an Air-Gapped Cluster)
To perform backups and other operations for Kubernetes, Commvault Cloud pulls a Docker image for a temporary worker pod that performs data movement. For more information, see "Docker Hub" in System Requirements for Kubernetes.
If your Kubernetes cluster does not have external connectivity, you can download the Docker image and push it to your private container registry. For an example process for setting up a private registry server, see "Deploy a registry server" in the Docker docs.
Important
If you use a private container registry, implement regular security scanning. If vulnerabilities are found, update the image.
Commvault is committed to the security of your data and ensures that the docker image that the Commvault Cloud software uses is scanned with Clair before each release and that no critical security vulnerabilities exist in the image.
Procedure
- On the Configuration tab, in the Advanced options section, for Image registry settings, click the edit button.
  The Image registry settings dialog box appears.
- In Image registry URL, enter the private container registry URL.
- If you pull from a private registry, in Image pull secret, enter the image pull secret.
- Click Save.
Results
Starting with the next backup, Commvault Cloud downloads the worker pod container image from your private container registry.
Configuring a Namespace for Commvault Cloud Resources
You can configure a namespace where Commvault resources such as resource modifiers, CvTasks, and CvTaskSets are created.
By default, resource modifiers, CvTasks, and CvTaskSets are created in a namespace called "cv-config".
Procedure
- On the Configuration tab, in the Advanced options section, for Configuration namespace, click the edit button.
- Enter the name of the namespace.
- Click Submit.
Results
Resources such as resource modifiers, pre- and post-script resources (CvTaskSet, CvTask) are configured to be created and fetched from this configuration namespace.
Increasing the Time That Commvault Cloud Temporary Pods Wait for Kubernetes Activities
You can increase the amount of time that Commvault Cloud temporary pods wait for Kubernetes activities to complete so that backups and other operations do not time out or fail. This adjustment is helpful in large-scale Kubernetes clusters and managed cloud environments where system load can delay the time to create storage snapshots or to schedule temporary Commvault Cloud worker pods.
- On the Configuration tab, in the Advanced options section, for Wait timeout for job steps, click the edit button.
- Specify the settings as follows:
  - Snapshot cleanup: The time in minutes to wait after the volumesnapshot is deleted. For example, enter 5.
  - Cluster resource cleanup: The time in minutes to wait for the resources that are created on the cluster to be deleted. For example, enter 3.
  - Snapshot ready: The time in minutes to wait for the volume snapshot to be readyToUse=true before exiting. For example, enter 5.
  - Worker pod startup: The time in minutes to wait for the worker pod to be in the running state. For example, enter 1.
- Click Save.
Disable SSL/TLS Certificate Verification
To skip the SSL certificate validation, in the SSL/TLS management area, move the Disable SSL/TLS certificate verification toggle to the right.
Note
If the SSL certificate validation is successful during cluster creation and the certificate expires, then backup and restore operations will fail. To resolve this, you can skip SSL certificate validation or manually add the certificate thumbprint.
To add a thumbprint, click the Edit button next to SSL/TLS certificate thumbprint. In the Edit thumbprint dialog box, specify a valid thumbprint and click Save.
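To get a value for the thumbprint field, and to re-check later that the API server still presents the pinned certificate, you can hash the certificate yourself. The following is an added example, not Commvault code. The page does not state which digest or format the Edit thumbprint dialog expects, so the example computes both SHA-1 and SHA-256 over the DER encoding (an assumption); the function names and the sample certificate bytes are constructed.

```python
import hashlib
import ssl

# Constructed sample: arbitrary bytes wrapped as PEM, not a real certificate.
CONSTRUCTED_PEM = ssl.DER_cert_to_PEM_cert(b"constructed bytes, not a real certificate")


def thumbprints(pem_cert):
    """Hash the DER form of a PEM certificate with SHA-1 and SHA-256.

    Returns colon-separated upper-case hex, the form most tools display.
    """
    der = ssl.PEM_cert_to_DER_cert(pem_cert.strip())
    result = {}
    for name in ("sha1", "sha256"):
        digest = hashlib.new(name, der).hexdigest().upper()
        result[name] = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return result


def normalize(thumbprint):
    """Drop separators and case so two renderings of a digest compare equal."""
    return "".join(c for c in thumbprint if c.isalnum()).upper()


def matches_pinned(pem_cert, pinned):
    """True if the certificate hashes to the pinned thumbprint (either digest)."""
    want = normalize(pinned)
    return any(normalize(value) == want for value in thumbprints(pem_cert).values())


def fetch_api_server_cert(host, port=6443):
    """Fetch the leaf certificate the API server presents.

    No chain validation is done here, so confirm the result out of band
    before pinning it. Port 6443 is an assumption; use your API server port.
    """
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    print(thumbprints(CONSTRUCTED_PEM))
```

A later mismatch from `matches_pinned` means the certificate changed, through renewal or otherwise, and the pinned thumbprint should be reviewed before it is updated.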
Modify the Backup Gateways
- On the Configuration tab, in the Access nodes section, click Actions > Edit, and then select the backup gateways or backup gateway groups to use for the cluster.
Assign Roles to Users or User Groups
To allow a user or user group to perform data management operations on a cluster, create a security association between the user or user group and one of the following pre-defined roles:
- View: Provides read-only access to application group configuration, job history, and reporting data
- VM End User: Provides self-service backup and recovery, both in-place and out-of-place
Procedure
- On the Configuration tab, in the Security section, click the edit button.
  The Security dialog box appears.
- On the Associations tab, enter the name of the user or user group, select the role to assign, and then click Add.
- Click Save.
Related Topics
- For information on managing roles, see Managing Roles.
- For information about operating multi-tenanted Commvault Cloud environments with tenant admins and tenant users, see Multi-Tenanted Environments with Kubernetes.
Assign Owners and Permissions
In multi-tenanted environments, you can assign an end user to be an owner for individual containerized applications, and then the owner can log on to their applications to perform backup, recovery, and reporting.
Procedure
- On the Configuration tab, in the Security section, click Edit.
  The Security dialog box appears.
- On the Owners tab, enter the name of the user or user group to assign as an owner.
- Under Permissions, select the permissions to give to the owner.
- Click Save.
Related Topics
For more information about permissions, see User Permissions for Kubernetes Operations.
Modify the Tags
You can create and apply tags to a cluster. A tag is a key and an optional value that you can use to categorize clusters. Tags are useful for managing and reporting in large environments.
Note
On the Clusters page, the Tags column shows "No tags", even for clusters that have tags. To view the tags for a cluster, go to the cluster properties page. This is a known issue.
Before You Begin
You must have the Tag Management permission.
Procedure
- On the Configuration tab, in the Tags section, click the edit button.
  The Manage tags dialog box appears.
- In Tag name, enter a name for the tag.
- To assign a value, in Tag value, enter the value.
- Click Save.