Adding a Kubernetes cluster asset source
Adding a Kubernetes cluster as an asset source in PowerProtect Data Manager enables you to protect namespaces and persistent volume claims (PVCs) within the cluster. You can use the Asset Sources window in the PowerProtect Data Manager UI to add a Kubernetes cluster asset source.
Before adding a Kubernetes cluster as an asset source with Data Manager, see the PowerProtect Data Manager Kubernetes User Guide on Dell Support at PowerProtect Data Manager Info Hub: Product Documents and Information.
An asset source must be enabled in PowerProtect Data Manager before you can add and register the asset source for the protection of assets.
The Kubernetes asset source can be enabled from the PowerProtect Data Manager UI. Click Infrastructure > Asset Sources, and click + (plus) to view the New Asset Source tab. In the pane for the asset source that you want to add, click Enable Source. The Asset Sources window updates to display a tab for the new asset source.
A Kubernetes cluster can be added as an asset source in PowerProtect Data Manager to protect the namespaces and PVCs within the cluster.
Note: Discovery of a Kubernetes cluster discovers namespaces that contain volumes from both container storage interface (CSI) and non-CSI based storage. However, backup and recovery are supported only from CSI-based storage. Also, only PVCs with the VolumeMode Filesystem are supported.
Name: Cluster name
Address: The fully qualified domain name (FQDN) or the IP address of the Kubernetes API server.
Note: We recommend using the FQDN instead of the IP address.
Port: Specify the port to use for communication when not using the default port, 443.
Note: The use of any port other than 443 or 6443 requires you to open the port on PowerProtect Data Manager first to enable outgoing communication.
Host Credentials: The service account must have the following privileges:
Note: The admin-user service account in the kube-system namespace contains all these privileges. You can provide the token of this account, or an existing similar service account. Alternatively, create a service account that is bound to a cluster role that contains these privileges, and then provide the token of this service account.
If you do not want to provide a service account with cluster-admin privileges, download the YAML files from the PowerProtect Data Manager UI Downloads window by clicking the System Settings icon and selecting Downloads. These files provide the definition of the cluster role with the privileges required for PowerProtect Data Manager. Follow the instructions in the README.txt within the tar file to create the required clusterroles and clusterrolebindings, and to provide the token of the service account created in the YAML files. The README.txt file also provides instructions for manually creating the secret for ppdm-discovery-serviceaccount, which is required in Kubernetes versions 1.24 and later.
When adding the Kubernetes cluster as an asset source, a PowerProtect controller is installed on the cluster. This controller is also used to install Velero with the DD object-store plug-in and the vSphere plug-in.
For more details, see the PowerProtect Data Manager Kubernetes User Guide on Dell Support at PowerProtect Data Manager Info Hub: Product Documents and Information.
The namespaces in the Kubernetes cluster appear in the Kubernetes tab of the Assets window.
If the Kubernetes cluster is set up in high availability mode and the Kubernetes API server is not configured to send the root certificate as part of the TLS communication setup, backup and restore operations might fail. To resolve this issue, the Kubernetes cluster root certificate needs to be added to the PowerProtect Data Manager server. The root certificate can be added in the PowerProtect Data Manager UI as shown here.
The root certificate can be obtained by running the following command:
On AWS EKS, run aws eks describe-cluster --region <region> --name <Kubernetes cluster name> --query "cluster.certificateAuthority.data" --output text > <certificate file name>
For other distributions, run kubectl config view --flatten or its equivalent and obtain the Base64 encoded root certificate from the certificate-authority-data field for the cluster.
Note: This step is only required for other distributions when certificate-related errors occur while adding the Kubernetes cluster asset source.
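Before adding the value from the certificate-authority-data field (or from the EKS cluster.certificateAuthority.data output, which is also Base64 encoded) as a trust anchor, it is worth confirming what it contains. The following script is an added example, not part of the Dell documentation: it decodes the value, rejects anything that is not a PEM certificate, and prints the subject, issuer, expiry date and SHA-256 fingerprint. The function names and the script name check-ca.sh are assumptions, and it requires kubectl and openssl on the workstation.

```sh
#!/bin/sh
# Added example (not Dell's code): inspect a cluster root certificate before
# adding it as a trust anchor. Function names are illustrative assumptions.

# Decode a Base64 certificate-authority-data value (stdin) to PEM (stdout).
# Fails if the result is not a PEM certificate, for example when the field
# was redacted as DATA+OMITTED or a different field was copied.
decode_ca_data() {
    _pem=$(tr -d ' \r\n' | base64 -d 2>/dev/null) || return 1
    case "$_pem" in
        "-----BEGIN CERTIFICATE-----"*) printf '%s\n' "$_pem" ;;
        *) return 1 ;;
    esac
}

# Count the certificates in a PEM bundle (stdin); the field can hold a chain.
count_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# Print identity, expiry and SHA-256 fingerprint of the first certificate in
# PEM file $1, and fail unless its basic constraints mark it as a CA.
summarize_ca() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate \
        -fingerprint -sha256 || return 1
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Usage: sh check-ca.sh <cluster name as it appears in the kubeconfig>
if [ "$#" -ge 1 ]; then
    out=$(mktemp) || exit 1
    kubectl config view --flatten \
        -o jsonpath="{.clusters[?(@.name==\"$1\")].cluster.certificate-authority-data}" |
        decode_ca_data > "$out" ||
        { echo "no usable CA data for cluster $1" >&2; exit 1; }
    echo "certificates in bundle: $(count_certs < "$out")"
    summarize_ca "$out" || { echo "first certificate is not a CA" >&2; exit 1; }
    echo "PEM written to $out"
fi
```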
Within the PowerProtect Data Manager UI, you can add controller configurations for a Kubernetes cluster.
When adding Network Interface Cards (NICs), setting DNS configuration for pods, or creating custom ports, you might want to update the PowerProtect Controller, Velero, and cProxy pod configurations to apply additional attributes or change existing attributes.
When adding the Kubernetes cluster as an asset source, in the PowerProtect Data Manager UI, you can update the PowerProtect Controller configuration, Velero configuration, or cProxy configuration fields, which can be used to add NICs or set the DNS configuration for pods.
Pod information is specified in Advanced Options when adding or editing the Kubernetes cluster asset source in the PowerProtect Data Manager UI.
Starting with Data Manager version 19.14, Data Manager schedules jobs in each Kubernetes cluster based on the concurrency configuration of the cluster. Concurrency can be set using the controller configuration parameters ppdm.backup.concurrency and ppdm.restore.concurrency.
Number of concurrent namespace backup jobs per cluster: The default value is 5, the minimum value is 1, and the maximum value is 50.
Number of concurrent namespace restore jobs per cluster: The default value is 2, the minimum value is 1, and the maximum value is 20.
Note: Increasing the value increases the load on the Kubernetes cluster.
You can select the file system agent instead of the default VMware Virtual Disk Development Kit (VDDK) by setting the controller configuration parameter k8s.ppdm.vspherecsi.use.fsagent to true.
Note: This functionality is supported with vSphere 7.0U3 and later. vSphere CSI Driver version 2.5.0 or later is required.
For more information about the controller configuration, see the PowerProtect Data Manager Kubernetes User Guide on Dell Support at PowerProtect Data Manager Info Hub: Product Documents and Information.