PowerProtect Data Manager integrates with SUSE Rancher managed Kubernetes cluster for data protection in the following ways:
The following diagram shows the SUSE Rancher-managed RKE2 downstream cluster with three RKE2 nodes, RKE2 – Node 1, RKE2 – Node 2, and RKE2 – Node 3:
Each RKE2 node holds all roles (controlplane, etcd, and worker) and is managed by the Rancher management server. PowerFlex, integrated through the PowerFlex CSI driver, is the default storage class for the Kubernetes cluster workloads. An external load balancer is configured as the front-end cluster endpoint for the RKE2 nodes. PowerProtect Data Manager uses the load balancer virtual IP to integrate with the RKE2 downstream cluster and to discover its assets for data protection.
Note: Figure 11 is the high-level integration architecture for this white paper. Use Figure 10 as a best practice reference architecture.
RKE2 supports the x509 authentication strategy, and a list of SANs can be defined to add to the Kubernetes API server PKI certificates. The optional load balancer configuration is applied when an RKE2 downstream cluster has multiple RKE2 nodes with the controlplane and etcd roles.
For example, you can connect to a Kubernetes cluster API server through a load balancer instead of a single RKE2 node.
Before integrating the RKE2 downstream cluster with PowerProtect Data Manager, ensure that the following requirements are configured:
Perform the following steps to add the load balancer details to the RKE2 downstream cluster:
5. Click Save to save the configuration file. The cluster takes a few minutes to update the configuration.
The following image shows the sample YAML cluster configuration file after adding the load balancer IP address.
The service account must have the following privileges:
Note: The admin-user service account in the kube-system namespace holds all these privileges. You can use the token of this account or of an existing, similar service account. Alternatively, create a service account bound to a cluster role that contains these privileges and provide the token of that service account.
kubectl create serviceaccount dashboard -n default
kubectl create clusterrolebinding dashboard-admin -n default --clusterrole=cluster-admin --serviceaccount=default:dashboard
kubectl get secret $(kubectl get serviceaccount dashboard -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode
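The commands above bind the service account to cluster-admin and read a token Secret that older Kubernetes releases created automatically. The following script is an added example, not from the white paper or from Dell, that follows the note's alternative: a dedicated service account bound to a ClusterRole, plus an explicit long-lived token Secret, which is what Kubernetes 1.24 and later require since `.secrets[0].name` is no longer populated. The names `ppdm`, `default`, and the ClusterRole `ppdm-backup-role` are placeholders; the ClusterRole itself must carry the privileges listed in this section.

```shell
#!/bin/sh
# Added example (not from the white paper). Placeholders: SA_NAME, SA_NS and
# CLUSTER_ROLE; the ClusterRole must already exist with the privileges the guide lists.
SA_NAME="${SA_NAME:-ppdm}"
SA_NS="${SA_NS:-default}"
CLUSTER_ROLE="${CLUSTER_ROLE:-ppdm-backup-role}"   # placeholder role name

# Emit the ServiceAccount, the ClusterRoleBinding and a token Secret. Since Kubernetes
# 1.24 a ServiceAccount gets no auto-created token Secret, so the guide's
# ".secrets[0].name" lookup returns nothing; the explicit Secret restores a durable token.
ppdm_sa_manifests() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $SA_NAME
  namespace: $SA_NS
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $SA_NAME-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: $CLUSTER_ROLE
subjects:
- kind: ServiceAccount
  name: $SA_NAME
  namespace: $SA_NS
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: $SA_NAME-token
  namespace: $SA_NS
  annotations:
    kubernetes.io/service-account.name: $SA_NAME
EOF
}

# Decode the base64 token value, as the guide's "| base64 --decode" step does (reads stdin).
decode_token() { base64 --decode | tr -d '\n'; }

# Apply the manifests and print the token only when run as "sh script.sh apply"
# (requires kubectl and cluster access); the functions above work without a cluster.
if [ "${1:-}" = apply ]; then
  ppdm_sa_manifests | kubectl apply -f -
  kubectl -n "$SA_NS" get secret "$SA_NAME-token" -o jsonpath='{.data.token}' | decode_token
  echo
fi
```

Paste the decoded token into the PowerProtect Data Manager asset source dialog in place of the cluster-admin token.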
The Kubernetes asset source must be enabled in the PowerProtect Data Manager UI before the asset source can be added and registered for asset protection.
Perform the following steps to enable the asset source:
PowerProtect Data Manager protects the Kubernetes environment by adding the SUSE Rancher managed RKE2 downstream cluster as an asset source and discovering its namespaces as assets for data protection operations. A Kubernetes cluster added as an asset source in PowerProtect Data Manager lets you protect the namespaces and PVCs within that cluster.
Note: The use of any port other than 443 or 6443 requires opening the port on PowerProtect Data Manager.
When you add an RKE2 downstream cluster, the cluster information appears in the table, and automatic discovery of the namespace assets is initiated.
Once the discovery is successful, the namespace assets appear as assets in the Kubernetes tab in the Assets window.
Protection policies define sets of objectives that apply to specific periods of time. These objectives drive configuration, active protection, and copy-data-management operations that satisfy the business requirements for the specified data. Each plan type has its own set of user objectives. Users with the system admin role can create protection policies.
PowerProtect Data Manager provides the following options when creating a Kubernetes cluster protection policy:
Also, the admin can select namespaces and associated PVCs statically or dynamically for inclusion or exclusion in protection policies, along with schedules, retention, and other protection operations.
Figure 15. PowerProtect Data Manager policy configuration window
For more information about creating a protection policy for Kubernetes namespace protection, see PowerProtect Data Manager Kubernetes User Guide.
Apart from the scheduled backup option, PowerProtect Data Manager supports manual backups. With PowerFlex CSI, only the full backup type is supported for Kubernetes protection.
For more information about performing backup and recovery of Kubernetes workloads using PowerProtect Data Manager, see PowerProtect Data Manager Kubernetes User Guide.
For example, a sample MySQL application is deployed on the Rancher Kubernetes cluster with the namespace “mysql-clus2”.
The namespace contains a MySQL pod, as shown in the following sample:
The following Rancher UI shows the MySQL application pod in the namespace mysql-clus2:
A sample database, employeedetails, and its table have been created on the MySQL application pod in the namespace mysql-clus2, as shown in the following figure.
We will now back up the namespace mysql-clus2 and its PVCs with PowerProtect Data Manager.
The following image shows that the protection job is completed successfully for the mysql-clus2 namespace:
The following image shows the protection copy available for the namespace mysql-clus2:
After protection under the Kubernetes cluster protection policy, namespaces and PVCs can be restored from individual namespace backups.
Use the following recovery options:
Restore to original namespace: Restore to the original namespace on the original cluster.
Restore to new namespace: Create a namespace and restore to this location on the original cluster or a different cluster.
Restore to existing namespace: Restore to an existing namespace in the original cluster or a different cluster.
In the following sample restore, the PVCs that are backed up within the namespace mysql-clus2 are restored to the new namespace mysql-clus2-restore:
The following image shows that the restore job completed successfully.
The following sample shows the new namespace mysql-clus2-restore created successfully during the restore.
The restored MySQL application in the namespace mysql-clus2-restore is displayed as follows in the Rancher management UI.
The same database employeedetails and its table that were created on the MySQL application pod in the namespace mysql-clus2 are now available in the restored namespace mysql-clus2-restore.
This confirms the successful backup and recovery of namespaces and PVCs that are available in the RKE2 downstream cluster using PowerProtect Data Manager.
For more information about performing backup and recovery of Kubernetes workloads using PowerProtect Data Manager, see PowerProtect Data Manager Kubernetes User Guide.