Kubernetes Requirements
To register a Kubernetes cluster and protect its namespaces, ensure that you meet the software version, firewall, minimum permission, prerequisite, and other considerations described below:
Supported Versions
Cohesity cluster supports data protection and recovery of the Kubernetes clusters. For supported versions of the Kubernetes clusters, see Supported Versions.
Minimum Permission
To register the Kubernetes cluster with the Cohesity cluster, you must provide the Bearer token ID of the Kubernetes service account. Ensure that the service account has the cluster-admin role on the Kubernetes cluster.
This Bearer token ID will be used for all communications with the Kubernetes API server.
Prerequisites
Ensure that you meet the following prerequisites to register and manage your Kubernetes cluster:
- Valid Certificate with Subject Alternative Name (SAN) field—On the Cohesity cluster, install a valid certificate with the SAN field. The SAN field specifies the additional host names (such as sites, IP addresses, and common names) that a single SSL certificate protects, such as a Multi-Domain or Extended Validation Multi-Domain Certificate. For more information, see Update SSL Certificates Using Cohesity CA or Customer CA certificate.
- Create a Cohesity service account on Kubernetes to register Kubernetes on the Cohesity cluster—To register a Kubernetes cluster with the Cohesity cluster, you can use either the default service account with the cluster-admin role or a dedicated service account with the cluster-admin role. Cohesity recommends that you create a dedicated service account in the default namespace.
For example, to create a 'cohesity' service account on Kubernetes, use the following command:
kubectl create serviceaccount cohesity -n default
Assign the cluster-admin role to the 'cohesity' service account using the following command:
kubectl create clusterrolebinding cohesity-admin --clusterrole=cluster-admin --serviceaccount=default:cohesity
The above example can be run from any client or workstation from which kubectl is typically run for the Kubernetes cluster that is registered and protected by the Cohesity cluster. Custom roles can be used as an Early Access feature after contacting Cohesity support.
- If you use Kubernetes cluster version 1.24 or later, run the following command to generate the Bearer token ID (the service account token Secret) for your service account. The Secret is created in the default namespace, alongside the 'cohesity' service account:
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: cohesity-token
  namespace: default
  annotations:
    kubernetes.io/service-account.name: cohesity
type: kubernetes.io/service-account-token
EOF
Sample Output
secret/cohesity-token created
- Extract the Bearer token ID—To register the Kubernetes cluster with the Cohesity cluster, you must have the Bearer token ID of the Kubernetes service account. Extract the Bearer token of the service account that has admin privileges on the Kubernetes cluster.
Extract the Bearer token using the following command:
kubectl describe secrets -n default cohesity-token | grep token: | awk '{print $2}' | head -1
Sample Output
eyJhbGciOiJSUzI1NiIsImtpZCI6IjRtZzBkX0VRLXMwV05veFdvcjR3eGw1N2c4MUk0RXlhWFBPdXBHNUVoTlkifQ.eyJpc3MiOiJrdWJqcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImNvaGVzaXR5LXRva2VuL2Y0ZG02Iiwia3ViZXJuZXRlcy5pbF9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImNvaGVzaXR5Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZDg4NmE5ZWMtMzQxYi00ZTM3LTg1MjktMzYxNGJiY2U0OTAxIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6Y29oZXNpdHeifQ.Of4nzdrTDsbxzHWbzskwk6_mdwSvduSLPhSivW3MdHJNcGMa6nGmn5iKUQqDG4oe1tu71w0r9rT1Cp8sGHOLxpjGEhaKSf7gIGX5fUbw2jY6m7gL1U-4zj5FrglJ9XdE1yE70qNE3nFL1QZexYjAW80_rjMBv0lW4unq1o2IO21e5PC31SIGMfs1rlSvToy4_vJEVFzX9E0e4ha1RSsEIYFjdwt3sgG6y-PGoR4UBgnNnBaMpmy6NXYToaChzteJw93HQyyRVGBFNYgNTinqc5edu_zyMdAl6Chba6q10ffjC_zjhU_Lm7wp31-BTMelg-1W_5b3uni4pCGD8EPGPw
- Obtain the Cohesity Datamover Docker Image—To back up the PVCs of the Kubernetes namespaces, you must push the Cohesity Datamover image to an image registry accessible by your Kubernetes cluster.
To install the Cohesity Datamover image:
1. Obtain the Datamover image that most closely matches your Cohesity cluster version from the Cohesity Download page.
2. Push the Datamover image to your Docker registry:
a. Run the following command to log in to your Docker image registry:
docker login <your image registry server>.fqdn
If prompted, enter credentials that have permission to push the Cohesity Datamover image to your image registry. Skip this login command if your image registry does not require authentication to push images.
b. Load the Datamover image:
docker load --input cohesity-datamover-<your Datamover version>.tar
Replace <your Datamover version> in the preceding command with the version in your Datamover image name.
Example:
docker load --input cohesity-datamover-6.6.0d_u6.tar
docker load --input cohesity-datamover-6.8.1_u1.tar
c. Run the following command, and from the command result, make a note of the Image ID of the Datamover image:
docker images
d. Tag the Datamover image with the Image ID you made a note of in step c:
docker image tag <ID of your image> <your image registry server>.fqdn/path/cohesity-datamover:<your Datamover version>
e. Push the Datamover image to your Docker registry:
docker push <your image registry server>.fqdn/path/cohesity-datamover:<your Datamover version>
The preceding example assumes you use Docker to load, tag, push, and pull the Docker images. If you use Podman, replace docker with podman.
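Before registering, it is worth confirming that the token you extracted was really issued to the dedicated service account and namespace. The following script is an added example, not Cohesity's own code or part of this page's procedure: it builds the same token Secret manifest used above for any account name and namespace, decodes the token's payload, and checks its sub claim against system:serviceaccount:<namespace>:<name>. It assumes GNU coreutils base64 and uses a constructed sample token whose signature is a placeholder.

```shell
#!/bin/sh
# Added example, not Cohesity's own code: inspect the extracted Bearer token's claims
# before registering the cluster, so a token for the wrong account or namespace is caught early.

# Build the token Secret manifest used on Kubernetes 1.24+ (same shape as the kubectl apply above).
sa_token_manifest() {
  sa="$1"; ns="$2"
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s-token\n  namespace: %s\n' "$sa" "$ns"
  printf '  annotations:\n    kubernetes.io/service-account.name: %s\n' "$sa"
  printf 'type: kubernetes.io/service-account-token\n'
}

# Base64url-decode the payload segment (second dot-separated field) of a JWT and print its JSON.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_' '/' | tr -- '-' '+')
  case $(( ${#seg} % 4 )) in 2) seg="$seg==" ;; 3) seg="$seg=" ;; esac
  printf '%s' "$seg" | base64 -d
}

# Print the 'sub' claim; service-account tokens carry system:serviceaccount:<namespace>:<name>.
token_subject() {
  jwt_payload "$1" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Succeed only when the token was issued to the expected service account.
# This inspects claims only; the API server, not this script, verifies the signature.
check_token() {
  [ "$(token_subject "$1")" = "system:serviceaccount:$2:$3" ]
}

# Constructed sample token for offline use: realistic header and payload, placeholder signature.
b64url() { base64 | tr -d '=\n' | tr '+/' '-_'; }
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","sub":"system:serviceaccount:default:cohesity"}'
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url).$(printf '%s' "$SAMPLE_PAYLOAD" | b64url).placeholder-signature"

# With a real cluster, pass the token extracted by the kubectl describe command above instead of SAMPLE_TOKEN.
if check_token "$SAMPLE_TOKEN" default cohesity; then
  echo "token subject OK: $(token_subject "$SAMPLE_TOKEN")"
else
  echo "token does not belong to default:cohesity" >&2
fi
```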
Considerations
- Cohesity uses the third-party software Velero to facilitate the backup and restore of namespace data. If your Kubernetes clusters are of versions earlier than 1.16, use Velero 1.4. If your Kubernetes clusters are of versions 1.16 or later, use Velero 1.12. For more information, see Upgrade Velero and Datamover.
- If the Kubernetes cluster cannot reach the internet, you must provide the path to the registry from which the Velero image should be pulled.
- Cohesity cluster only supports the backup of the user-created application namespaces of the Kubernetes cluster and does not support the backup of default or infrastructure namespaces such as kube-node-lease, kube-public, kube-system, and so on.
- Cohesity supports restoring namespaces backed up from one Kubernetes cluster to a different Kubernetes cluster if the storage class of the Kubernetes clusters is the same.
- Cohesity does not support Tanzu Kubernetes Grid Integrated Edition (TKGI).
- Cohesity does not support data protection of Kubernetes clusters in private networks behind NAT gateways (Dynamic/Static NAT, Port Address Translation (PAT)).