Preparing for Google Kubernetes Engine application protection

Before you start protecting your Google Kubernetes Engine (GKE) applications, get familiar with prerequisites, limitations, and procedures in this topic to prepare your environment for application data protection.

Prerequisite

The HYCU Managed Service Account (HMSA) must have the following roles granted on the projects with the Kubernetes clusters on which the GKE applications that you plan to protect are deployed:

  • Compute Admin (roles/compute.admin)
  • Service Account User (roles/iam.serviceAccountUser)
  • Storage Admin (roles/storage.admin)
  • Kubernetes Engine Admin (roles/container.admin)

For instructions on how to grant permissions to service accounts, see Google Cloud documentation.

Limitations

  • Protecting applications running on GKE clusters that were created by using the Autopilot mode of operation is not supported.
  • HYCU for Google Cloud does not support protecting applications that run on a public GKE cluster, or on a private GKE cluster with the Access control plane using its external IP address option selected, when that cluster is at the same time configured in a subnet where Google Private Access is enabled.
  • For applications using volumes: Only GCE persistent disk volumes and CSI volumes are supported.

Before you start protecting GKE applications, perform the following tasks:

Task                                                                                                                   | Instructions
-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------
Mandatory. Make sure appropriate labels are applied on all resource objects.                                           | “Applying labels on resource objects”
Mandatory. Make sure your GKE applications are discovered in HYCU for Google Cloud.                                    | “Discovering applications”
Optional. Specify the location and the subnet for the temporary instance that HYCU for Google Cloud creates during the backup. | “Configuring Google Kubernetes Engine application backup options”
Optional. Specify pre-backup and post-backup scripts.                                                                  | “Configuring Google Kubernetes Engine application backup options”

Applying labels on resource objects

To ensure that your GKE applications are successfully discovered and protected, appropriate metadata labels must be applied on the following:

  • Resource objects: Make sure the following is defined:

    • app.kubernetes.io/name: <AppName> label in the .yaml file of the resource object

      Note: Specifying this label is recommended by HYCU for Google Cloud. However, you can also use the app: <AppName> label.

    • Namespace in the metadata of the resource object
  • Persistent volume objects: By applying labels, you ensure that persistent volumes can be discovered and linked to Google Compute Engine disks, which is required for zone/region identification:

    Example:

    topology.kubernetes.io/zone=us-east-1c
    topology.kubernetes.io/zone=us-east-1c__us-east-1b (for replicated disks)
    topology.kubernetes.io/region=us-east-1

    Note: For persistent volumes that use a Container Storage Interface (CSI) provider, the zone/region is specified in the volume handle (for example, volumeHandle: projects/<project-id>/zones/<zone>/disks/<disk-name>).

    The following deprecated Kubernetes labels are also supported:

    failure-domain.beta.kubernetes.io/region=<RegionName>
    failure-domain.beta.kubernetes.io/zone=<ZoneName>

For details on labels, see Kubernetes documentation.

Discovering applications

After you enable the HMSA, the process of application discovery starts automatically. When the application discovery task completes, the discovered applications are listed in the Applications panel. An automatic application synchronization task is performed every 15 minutes. You can update the application list manually at any time by navigating to the Applications panel and clicking Synchronize.

Note: Before a GKE application can be discovered, the Kubernetes cluster on which it is deployed must be discovered by HYCU for Google Cloud. This is an automated task that is performed every 15 minutes.

Configuring Google Kubernetes Engine application backup options

You can adjust GKE application protection to the needs of your data protection environment by configuring application backup options.

Backup option                                         | Description
------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Specifying the temporary instance location and subnet | You can select the region, the zone, and the subnet where you want HYCU for Google Cloud to create a temporary instance during the backup. By default, the temporary instance is created in the project of the GKE cluster on which the application is running.
Running pre/post scripts                              | These options allow you to specify the pre-backup and post-backup scripts that perform necessary actions before and after the backup of the application is performed.

Prerequisites

The following prerequisites apply only if you plan to use pre-snapshot and post-snapshot scripts:

  • The script must be located in a bucket to which the HMSA has access.
  • The #!/usr/bin/env python3 header must be specified in the script.
  • The following line of code must be present in the script:

    os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = '/tmp/hycu/serviceAccount.json'

Limitations

  • You cannot specify a different subnet for the temporary instance if you are protecting applications running on a private GKE cluster with the Access control plane using its external IP address option disabled.
  • The following limitations apply only if you plan to use pre-snapshot and post-snapshot scripts:

    • Only Python scripts are supported.
    • For making API calls, you can use only the following Python libraries:

      • googleapiclient for Google Cloud API calls.
      • kubernetes for Kubernetes API calls.

Procedure

  1. In the Applications panel, select the application for which you want to configure backup options.
  2. Click Configuration. The Application Configuration dialog box opens.
  3. Depending on what you want to do, provide the required information:

    • Only if specifying the temporary instance location and subnet.

      On the Temporary instance configuration tab, specify the region, the zone, and the subnet:

      1. From the Region drop-down menu, select the preferred region.

      2. From the Zone drop-down menu, select the preferred zone.

      3. From the Subnet drop-down menu, select the preferred subnet. By default, the temporary instance is created in the default subnet of the preferred region and zone.

    • Only if specifying pre-snapshot and post-snapshot scripts. Specify the scripts to perform necessary actions before and/or after the backup of the application is performed:

      • In the Pre-Backup Script field, enter the path to the script that HYCU for Google Cloud will run just before it performs the backup of the application.
      • In the Post-Backup Script field, enter the path to the script that HYCU for Google Cloud will run immediately after it performs the backup of the application.

      Important: When entering the path to the script, make sure to enter it correctly, including lowercase and uppercase letters, as the path is case sensitive. You must specify the path in the following format:

      gs://bucket-name/script.py parameter1 parameter2 ...

      Example: The following is an example of the first lines of a pre-backup script:

      #!/usr/bin/env python3
      import os
      import kubernetes

      # Required in every pre/post-backup script: points the Google client libraries
      # at the service account credentials file that HYCU for Google Cloud provides.
      os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = '/tmp/hycu/serviceAccount.json'
  4. Click Save.
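As an added example that is not part of the HYCU documentation, the following pre-backup script ties together the label requirements from “Applying labels on resource objects” and the script requirements above: it carries the mandatory credentials line, takes the namespace and application name as the parameters that follow the gs:// path, and fails the run when a Deployment lacks a namespace or an app label, or when a persistent volume exposes neither topology labels nor a CSI volume handle that embeds a zone. The script name check_labels.py, the use of a kubeconfig on the temporary instance, and the reading of a non-zero exit status as stopping the backup are assumptions, not documented HYCU behaviour.

```python
#!/usr/bin/env python3
# Added example, not HYCU's code: a pre-backup script that fails the backup when the
# application's objects lack the labels this topic requires. HYCU runs it as:
# gs://bucket-name/check_labels.py <namespace> <app-name>
import os
import sys
os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = '/tmp/hycu/serviceAccount.json'  # required by HYCU

APP_KEYS = ('app.kubernetes.io/name', 'app')  # recommended label, then the fallback
TOPO_KEYS = ('topology.kubernetes.io/zone', 'topology.kubernetes.io/region',
             'failure-domain.beta.kubernetes.io/zone', 'failure-domain.beta.kubernetes.io/region')

def check_workloads(objects, app_name):
    """Problems for manifest-shaped dicts lacking a namespace or an app label equal to app_name."""
    problems = []
    for obj in objects:
        meta = obj.get('metadata', {})
        labels = meta.get('labels') or {}
        name = meta.get('name', '<unnamed>')
        if not meta.get('namespace'):
            problems.append(f'{name}: metadata.namespace is not set')
        elif not any(labels.get(k) == app_name for k in APP_KEYS):
            problems.append(f'{name}: no app label naming {app_name}')
    return problems

def check_volumes(pvs):
    """Problems for PVs with no topology label and no CSI volumeHandle that embeds a zone."""
    problems = []
    for pv in pvs:
        labels = pv.get('metadata', {}).get('labels') or {}
        handle = pv.get('spec', {}).get('csi', {}).get('volumeHandle', '')
        if not (any(k in labels for k in TOPO_KEYS) or '/zones/' in handle):
            problems.append(f"{pv['metadata']['name']}: zone/region cannot be determined")
    return problems

def main(argv):
    # Imported here so the checks stay testable without a cluster (kubeconfig access is assumed).
    from kubernetes import client, config
    namespace, app_name = argv[1], argv[2]
    config.load_kube_config()
    ser = client.ApiClient().sanitize_for_serialization  # API objects -> plain dicts
    deploys = [ser(d) for d in client.AppsV1Api().list_namespaced_deployment(namespace).items]
    pvs = [ser(p) for p in client.CoreV1Api().list_persistent_volume().items]
    problems = check_workloads(deploys, app_name) + check_volumes(pvs)
    for p in problems:
        print('pre-backup check failed:', p, file=sys.stderr)
    return 1 if problems else 0  # non-zero exit is assumed to stop the backup

if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

The two check functions work on plain dicts in manifest shape, so they can be exercised against YAML loaded from disk before the script is uploaded to the bucket.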