Protect Kubernetes Sources, PVCs, and Namespaces

Once you have registered your Kubernetes source, you're ready to protect the Kubernetes sources, PVCs, and namespaces.

Cohesity supports the backup of PVCs, Kubernetes cluster resources and metadata of the Kubernetes namespaces. Cohesity uses the Data Mover pod that will be deployed in the Kubernetes cluster for backing up the PVCs of the Kubernetes namespaces.

Cohesity supports the backup of PVCs with the volumeMode set to Filesystem.

The supported file systems include ext3, ext4, xfs, vxfs, ReiserFS, autofs, cvfs, zfs, fuse.mfs, nfs, nfs3, cifs, gpfs, and mmfs.

Cohesity also supports the backup of PVCs with CSI drivers using CSI volume snapshotting capability.

After registering the Kubernetes cluster as a source on the Cohesity cluster, you can start configuring your backups. Cohesity recommends the first full and an incremental forever approach for the backup. However, you can do periodic full backups, based on your requirements.

The temporary pods created during backups by Cohesity will have their priority class set to the specified value for the source. Additionally, the labels and annotations will be applied to the temporary pods.

To protect your Kubernetes cluster sources:

  1. In DataProtect as a Service, navigate to Sources, find the Kubernetes source name and then click Protect.

  2. Click Add Objects. Browse through the Kubernetes namespaces and select the namespaces that you want to protect.

    Each namespace is treated as a separate bject for protection. You can create individual Object protection policies for each namespace. Additionally, you can select multiple namespaces and configure protection for each one independently. All selected namespaces will be backed up in parallel, ensuring efficient and scalable data protection.

  3. Use the checkboxes to select the Objects you want to protect. To protect the whole source, click the checkbox above the column.

  4. Click Continue.

  5. In the New Protection dialog, select a Policy that matches the schedule and retention period you need. If the existing policies do not meet your needs, you can create a new policy with the settings you need.

  6. To change or configure any of the additional settings, select More Options and perform the steps below or else, click Protect.

  7. In the Start Time field, select the time and time zone to start the protection run. This option is available only if the selected policy is set to Backup Daily. The current time is displayed by default, but you can change it. Enter the hour and minutes or use the up and down arrows on your keyboard. Verify the AM or PM setting. The default time zone is the browser's time zone. You can change the time zone of the protection run by selecting a different time zone.

  8. Cohesity supports protecting PVCs with the snapshot and restore feature of Container Storage Interface (CSI) drivers on CSI volumes. This option is disabled by default in your Cohesity protection job. To enable this feature, turn ON the Leverage CSI snapshot toggle. Once enabled, Cohesity clusters will begin utilizing snapshots captured by CSI drivers to protect the PVCs. These snapshots are crash-consistent, meaning that the PVC is in the same state as it was during the crash.

  9. If you need to change any of the additional settings, click the down arrow icon next to Additional Settings and click Edit.

  10. Click Protect.

  11. Cohesity DataProtect as a Service starts backing up the Objects you selected. You can monitor the status of the backup on the Activity page.

    The backups start immediately after you protect the Objects, regardless of the time you set for the protection run.

Advanced Settings

Advance Settings Description

Pause Future Runs

 

 Enable Pause Future Runs to stop protection runs of the Object from executing. Once you enable this option, no protection runs will be scheduled for this Object.
End Date Enable End Date and select the date when the Object stops capturing snapshots. An Object run that starts prior to this date runs until completion even if it completes after this date.
QoS Policy

 Select an appropriate quality of service (QoS) policy.

Cohesity recommends specifying Backup HDD, which is the default.

  • Backup HDD: The Cohesity cluster writes the data directly to an HDD drive for this Object.
  • Backup SSD: The Cohesity cluster writes the data directly to an SSD drive for this Object. Only specify this policy if you need fast ingest speed for a small number of Objects.
  • Backup Auto: (Applicable only for Cohesity C6000 series) The Cohesity cluster writes the data to both SSDs and HDDs. The distribution of data will be based on the current usage of SSD and HDD. This policy tries to achieve a similar backup performance as the Backup SSD policy and reduces the SSD wear-out compared to the Backup SSD policy.

For best performance, Cohesity recommends the Backup Target SSD policy. If necessary, you can change the policy at any time later. But it doesn’t change or take effect on the currently running task.
Alerts

Select one or more of the following settings if you want alerts to be created for the following triggers:

  • Success: Creates an informational alert when an Object completes successfully. Emails are not sent when informational alerts are created.
  • Failure: Creates a critical alert if the Object fails to complete. Emails are sent when critical alerts are created.
  • SLA Violation: Creates a warning alert if the takes longer than the time period specified in the SLA field. Emails are sent when warning alerts are created. For more information, see Alerts.
Email Recipients You can add email addresses to an Object to notify the email recipients when alerts are triggered for the protection run.
Priority

Select a priority for the Object ProtectionGroupxecution. Cohesity supports concurrent backups.

However, if the number of protection runs exceeds the ability to process runs, this will be the priority of implementation of the runs:

  1. High-priority protection runs
  2. Medium-priority protection runs
  3. Low-priority protection runs
SLA

The service-level agreement (SLA) defines how long the administrator expects an Object run to take.

  • Full: Enter the number of minutes you expect a full backup Object run takes to complete. A full backup captures the entire Object (all blocks).
  • Incremental: Enter the number of minutes you expect an incremental backup Object run takes to complete. An incremental backup captures only the differences (changed blocks) since the last run.

Users with similar SLAs can be grouped together and a custom policy and Object can be created to achieve different SLAs.
Description Enter a brief description about the Object.

Create or Use an Existing Protection Policy

A Protection Policy is a reusable set of settings. It enables you to define how and when Kubernetes namespaces are protected, replicated, and archived. A standard policy provides various settings that you can configure for an Object.

Create a Protection Policy with the settings listed in the Policy Settings for Kubernetes. For detailed instructions on how to create a Protection Policy, see Policies.

Policy Settings for Kubernetes

The following table lists the applicable policy settings for Kubernetes:

Field Description
DataLock

If applicable, add a DataLock for compliance and regulatory requirements, to ensure that your protected data, including local backups, archives, and replication, cannot be modified until the DataLock expiration.

Once applied, a DataLocked Snapshot will be deleted only after its retention period expires. A DataLock prevents all users, including those who have the Data Security role in Cohesity Data Cloud, from modifying or deleting any Snapshots that were generated by the Objects that use this Policy. Only users with the Data Security role can add, modify, or remove a DataLock from a Policy.
Backup Defines when backups are captured, how long they are retained and the type of backup to capture.
Periodic Full Backup Use this option to choose when to run a periodic full backup.
Extended Retention Add this to retain a subset of snapshots (backups) for longer than defined by the protection schedule.
Quiet Times

Quiet times define time periods when new protection runs are not started. For example, you might want to configure hourly backups that run during weekdays but not on Saturdays or Sundays. Quiet times only prevent new protection runs from starting during the specified time period. The protection runs that started before the quiet times are not affected and will continue to run.

For example, if a protection run starts at 12:45 AM on Saturday morning and there is a weekend quiet time that starts at 1 AM on Saturday morning, the protection run will continue to run past 1 AM. No new protection runs are started during the quiet times.
Retry Options Use this option to customize the retry settings for capturing Snapshots. By default, the Cohesity cluster attempts to capture Snapshots three times before the Object fails. The default time between retries is five minutes. You can customize the number of retries and how long to wait between each attempt.

Use an Existing Protection Policy

You can edit an existing Protection Policy and configure it with applicable policy settings for Kubernetes cluster. In this case, all the policy settings apart from the settings applicable to Kubernetes cluster are ignored.

To use an existing Protection Policy:

  1. In DataProtect as a Service, navigate to the Policies page..
  2. On the Policies page, select the policy that you plan to edit.
  3. On the Policy Details page, click Edit and configure the applicable policy settings for Kubernetes cluster. For information on the applicable policy settings, see Policy Settings for Kubernetes.
  4. Click Save.

The updated policy settings are applied to the Objects in the next protection run.

Next > When the first protection run completes, you will be ready to recover Kubernetes if and when you need to.