Manage Azure Kubernetes Service backups using Azure Backup
This article describes how to register the resource providers that Backup Extension and Trusted Access require on your subscriptions. It also provides the Azure CLI commands to manage them.
Azure Backup now allows you to back up AKS clusters (cluster resources and persistent volumes attached to the cluster) using a backup extension, which must be installed in the cluster. The AKS cluster requires Trusted Access to be enabled with the Backup vault so that the vault can communicate with the Backup Extension to perform backup and restore operations.
Resource provider registrations
- You must register these resource providers on the subscription before initiating any backup and restore operation.
- Once the registration is complete, you can perform backup and restore operations on all the clusters under the subscription.
Register the Backup Extension
To install Backup Extension, you need to register the Microsoft.KubernetesConfiguration resource provider on the subscription. To perform the registration, run the following command:
az provider register --namespace Microsoft.KubernetesConfiguration
The registration can take up to 10 minutes. To monitor the registration process, run the following command:
az provider show --name Microsoft.KubernetesConfiguration --output table
Backup Extension related operations
This section provides the set of Azure CLI commands to perform create, update, or delete operations on the Backup Extension. You can use the update command to change compute limits for the underlying Backup Extension Pods.
Install Backup Extension
To install the Backup Extension, run the following command:
az k8s-extension create --name azure-aks-backup --extension-type microsoft.dataprotection.kubernetes --scope cluster --cluster-type managedClusters --cluster-name <aksclustername> --resource-group <aksclusterrg> --release-train stable --configuration-settings blobContainer=<containername> storageAccount=<storageaccountname> storageAccountResourceGroup=<storageaccountrg> storageAccountSubscriptionId=<subscriptionid>
View Backup Extension installation status
To view the progress of Backup Extension installation, use the following command:
az k8s-extension show --name azure-aks-backup --cluster-type managedClusters --cluster-name <aksclustername> --resource-group <aksclusterrg>
Update resources in Backup Extension
To update blob container, CPU, and memory in the Backup Extension, use the following command:
az k8s-extension update --name azure-aks-backup --cluster-type managedClusters --cluster-name <aksclustername> --resource-group <aksclusterrg> --release-train stable --configuration-settings [blobContainer=<containername> storageAccount=<storageaccountname> storageAccountResourceGroup=<storageaccountrg> storageAccountSubscriptionId=<subscriptionid>] [cpuLimit=1] [memoryLimit=1Gi]
The brackets [] denote the 3 different sub-groups of updates possible. Discard the brackets when you use the command.
Delete Backup Extension installation operation
To stop the Backup Extension install operation, use the following command:
az k8s-extension delete --name azure-aks-backup --cluster-type managedClusters --cluster-name <aksclustername> --resource-group <aksclusterrg>
Grant permission on storage account
The backup extension creates a User Assigned Managed Identity in the cluster's managed resource group. This identity must be granted the Storage Blob Data Contributor role on the storage account. To assign it, run the following command:
az role assignment create --assignee-object-id $(az k8s-extension show --name azure-aks-backup --cluster-name <aksclustername> --resource-group <aksclusterrg> --cluster-type managedClusters --query aksAssignedIdentity.principalId --output tsv) --role 'Storage Blob Data Contributor' --scope /subscriptions/<subscriptionid>/resourceGroups/<storageaccountrg>/providers/Microsoft.Storage/storageAccounts/<storageaccountname>
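To confirm that the extension identity holds only the access granted above, the following added example (not part of the original article or of Microsoft's tooling) audits the TSV output of az role assignment list. The function name, finding labels and sample resource IDs are assumptions, and the script treats any assignment other than Storage Blob Data Contributor on the storage account as something to review.

```shell
#!/bin/sh
# Added example: least-privilege audit of the Backup Extension identity.
# stdin: "role<TAB>scope" lines, e.g. from (not run here):
#   az role assignment list --assignee <principalId> --all \
#     --query "[].[roleDefinitionName, scope]" --output tsv
# $1: resource ID of the storage account named in the role assignment.

WANT_ROLE='Storage Blob Data Contributor'

# ARM resource IDs are case-insensitive, so compare them lower-cased.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Prints one line per finding; returns 0 only when the expected grant is
# present and it is the only assignment the identity holds.
audit_extension_identity() {
  want_scope=$(lower "$1")
  tab=$(printf '\t')
  granted=0
  findings=0
  while IFS="$tab" read -r role scope || [ -n "$role" ]; do
    [ -n "$role" ] || continue
    have_scope=$(lower "$scope")
    if [ "$role" = "$WANT_ROLE" ] && [ "$have_scope" = "$want_scope" ]; then
      granted=1
      continue
    fi
    findings=$((findings + 1))
    case "$role|$want_scope" in
      # Same role on a parent scope (resource group or subscription):
      # the identity can then write to every storage account under it.
      "$WANT_ROLE|$have_scope"/*) echo "TOO-BROAD: '$role' at $scope" ;;
      *) echo "UNEXPECTED: '$role' at $scope" ;;
    esac
  done
  if [ "$granted" -ne 1 ]; then
    echo "MISSING: '$WANT_ROLE' at $1"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Constructed sample data (placeholder subscription and resource names).
SAMPLE_RG='/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-backup'
SAMPLE_ACCOUNT="$SAMPLE_RG/providers/Microsoft.Storage/storageAccounts/stbackup"

printf '%s\t%s\n' "$WANT_ROLE" "$SAMPLE_RG" 'Reader' "$SAMPLE_ACCOUNT" |
  audit_extension_identity "$SAMPLE_ACCOUNT" || echo "Review the findings above."
```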
Trusted Access related operations
To enable Trusted Access between Backup vault and AKS cluster, use the following Azure CLI command:
az aks trustedaccess rolebinding create \
--resource-group <aksclusterrg> \
--cluster-name <aksclustername> \
--name <randomRoleBindingName> \
--source-resource-id $(az dataprotection backup-vault show --resource-group <vaultrg> --vault <VaultName> --query id -o tsv) \
--roles Microsoft.DataProtection/backupVaults/backup-operator
Learn more about other commands related to Trusted Access.
Monitor AKS backup related jobs with the Completed with Warnings status
When a scheduled or an on-demand backup or restore operation is performed, a job is created corresponding to the operation to track its progress. If there is a failure, these jobs allow you to identify error codes and fix issues to run a successful job later.
For AKS backup, backup and restore jobs can show the status Completed with Warnings. This status appears when the backup or restore operation isn't fully successful due to issues in user-defined configurations or the internal state of the workload.
For example, if a backup job for an AKS cluster completes with the status Completed with Warnings, a restore point is created, but it does not have all the resources in the cluster backed up as per the backup configuration. The job shows warning details, providing the issues and resources that were impacted during the operation.
To view these warnings, select View Details next to Warning Details.
Learn how to identify and resolve the error.