一、Velero简介
Velero 是vmware开源的一个云原生的灾难恢复和迁移工具,它本身也是开源的,采用Go语言编写,可以安全的备份、恢复和迁移Kubernetes集群资源数据。
Velero 支持标准的K8S集群,既可以是私有云平台也可以是公有云,除了灾备之外它还能做资源移转,支持把容器应用从一个集群迁移到另一个集群。
Velero 的工作方式就是把kubernetes中的数据备份到对象存储以实现高可用和持久化,默认的备份保存时间为720小时,并在需要的时候进行下载和恢复。
官网:https://velero.io/
1.1 Velero与etcd快照备份的区别
- etcd 快照是全局备份,即使一个资源对象需要恢复,也需要做全局恢复到备份的状态,即会影响其它namespace中pod运行服务。
- Velero可以有针对性的备份,比如按照namespace单独备份、只备份特定的资源对象等,在恢复的时候只恢复特定的namespace或资源对象,从而不影响其它namespace中pod运行服务。
- velero支持ceph、oss等对象存储,etcd 快照是一个为本地文件。
- velero支持任务计划实现周期备份,但etcd 快照需要基于cronjob实现周期备份。
1.2 Velero备份流程
- Velero 客户端调用Kubernetes API Server创建Backup任务;
- Backup 控制器基于watch 机制通过API Server获取到备份任务;
- Backup 控制器开始执行备份动作,其会通过请求API Server获取需要备份的数据;
- Backup 控制器将获取到的数据备份到指定的对象存储。
二、部署
2.1 部署minio
docker run –name minio \
-p 9000:9000 -p 9999:9999 \
-v /miniodata:/data \
myharbor.belkuy.top/base/minio:20221126 server /data \
--console-address "0.0.0.0:9999" --address "0.0.0.0:9000"
通过9999端口登陆web页面。
创建bucket
2.2 部署velero
2.2.1 部署velero
wget https://github.com/vmware-tanzu/velero/releases/download/v1.10.0/velero-v1.10.0-linux-amd64.tar.gz
tar xvf velero-v1.10.0-linux-amd64.tar.gz
cp velero-v1.10.0-linux-amd64/velero /usr/local/bin/
velero version
2.2.2 配置velero认证环境
# 工作目录
mkdir /data/velero -p
# 认证文件
cd /data/velero
cat >> velero-auth.txt << EOF
[default]
aws_access_key_id = admin
aws_secret_access_key = 12345678
EOF
# 准备user-csr文件
cat >> awsuser-csr.json << EOF
{
"CN": "awsuser",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
# 准备证书签发环境
apt install golang-cfssl
mv cfssl-certinfo_1.6.1_linux_amd64 cfssl-certinfo
mv cfssl_1.6.1_linux_amd64 cfssl
mv cfssljson_1.6.1_linux_amd64 cfssljson
cp cfssl-certinfo cfssl cfssljson /usr/local/bin/
chmod a+x /usr/local/bin/cfssl*
# 执行证书签发
/usr/local/bin/cfssl gencert \
-ca=/etc/kubernetes/ssl/ca.pem -ca-key=/etc/kubernetes/ssl/ca-key.pem \
-cnotallow=/etc/kubeasz/clusters/k8s-cluster1/ssl/ca-config.json \
-profile=kubernetes ./awsuser-csr.json | cfssljson -bare awsuser
# 分发证书到api-server证书路径
cp awsuser-key.pem /etc/kubernetes/ssl/
cp awsuser.pem /etc/kubernetes/ssl/
# 生成集群认证config文件
export KUBE_APISERVER="https://172.31.7.101:6443"
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubecnotallow=./awsuser.kubeconfig
# 设置客户端证书认证
kubectl config set-credentials awsuser \
--client-certificate=/etc/kubernetes/ssl/awsuser.pem \
--client-key=/etc/kubernetes/ssl/awsuser-key.pem \
--embed-certs=true \
--kubecnotallow=./awsuser.kubeconfig
# 设置上下文参数
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=awsuser \
--namespace=velero-system \
--kubecnotallow=./awsuser.kubeconfig
# 设置默认上下文
kubectl config use-context kubernetes --kubecnotallow=awsuser.kubeconfig
# k8s集群中创建awsuser账户
kubectl create clusterrolebinding awsuser --clusterrole=cluster-admin --user=awsuser
# 创建namespace
kubectl create ns velero-system
# 执行安装
velero --kubeconfig ./awsuser.kubeconfig install \
--provider aws \
--plugins myharbor.belkuy.top/base/velero-plugin-for-aws:v1.3.1 \
--bucket velerodata \
--secret-file ./velero-auth.txt \
--use-volume-snapshots=false \
--namespace velero-system \
--backup-location-config reginotallow=minio,s3ForcePathStyle="true",s3Url=http://192.168.33.110:9000
# 验证安装
kubectl get pod -n velero-system
2.2.3 备份命名空间
- 对default ns进行备份
velero backup create default-backup-`date +%Y%m%d%H%M%S` \
--include-cluster-resources=true \
--include-namespaces default \
--kubecnotallow=./awsuser.kubeconfig \
--namespace velero-system
Backup request "default-backup-20230212224538" submitted successfully.
Run `velero backup describe default-backup-20230212223219` or `velero backup logs default-backup-20230212223219` for more details.
- 验证备份
velero backup describe default-backup-20230212223219 \
--kubecnotallow=./awsuser.kubeconfig \
--namespace velero-system
- 删除pod并验证数据恢复
# kubectl get pod
NAME READY STATUS RESTARTS AGE
busybox 1/1 Running 0 5m22s
# kubectl delete pod busybox -n default
pod " busybox" deleted
# velero restore create \
--from-backup default-backup-20230212223219 \
--wait --kubecnotallow=./awsuser.kubeconfig \
--namespace velero-system
Restore request "default-backup-20230212223219-20230212223758" submitted successfully.
Waiting for restore to complete. You may safely press ctrl-c to stop waiting - your restore will continue in the background.
.................
Restore completed with status: Completed. You may check for more information using the commands `velero restore describe default-backup-20230212223219-20230212223758` and `velero restore logs default-backup-20230212223219-20230212223758`.
- 验证恢复后的pod是否存在
# kubectl get pod
NAME READY STATUS RESTARTS AGE
busybox 1/1 Running 0 17s
2.2.4 备份指定资源对象
备份指定namespace中的pod或特定资源
velero backup create pod-backup-202207222335 \
--include-clusterresources=true \
--ordered-resources 'pods=myserver/net-test1,defafut/net-test1' \
--namespace velero-system \
--include-namespaces=myserver,defafut
2.2.5 批量备份所有命名空间
创建脚本 ns-back.sh
#!/bin/bash
NS_NAME=`kubectl get ns | awk '{if (NR>2){print}}' | awk '{print $1}'`
DATE=`date +%Y%m%d%H%M%S`
cd /data/velero/
for i in $NS_NAME;do
velero backup create ${i}-ns-backup-${DATE} \
--include-cluster-resources=true \
--include-namespaces ${i} \
--kubeconfig=/root/.kube/config \
--namespace velero-system
done
