05. kubernetes_protection_example.md

File metadata and controls

194 lines (148 loc) · 7.13 KB

Kubernetes Examples

Creating a Kubernetes Protection Policy

Exploring the inline help

get-help New-PPDMK8SBackupPolicy
get-help New-PPDMK8SBackupPolicy -Examples
get-help Add-PPDMinventory_sources -Examples

Creating a new Credential from a service account token

In k9s all, show the secret. Note: in my environment, secrets rotate and get published to an S3 bucket.

$TOKEN=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(((kubectl get secret -n powerprotect -o json | ConvertFrom-Json).items | Where-Object {$_.Metadata.name  -match  "ppdm-discovery" }).data.token))


$k8s_cluster="csi.pks.home.labbuildr.com"

$Securestring=ConvertTo-SecureString -AsPlainText -String "$TOKEN" -Force
$username="ppdmdiscovery"
$Credentials = New-Object System.Management.Automation.PSCredential($username, $Securestring)
$newcreds=New-PPDMcredentials -name "ppdm-discovery-$($k8s_cluster)" -type KUBERNETES -authmethod TOKEN -credentials $Credentials
$newcreds
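
Before a token is stored in PPDM, its claims can be checked against the service account you meant to export. The following is an added example, not part of the original walkthrough or the module: the function names, the name pattern and the sample token are assumptions constructed for illustration.

```powershell
# Added example: sanity-check the claims of a service account JWT before storing it.
# The signature is NOT verified here; this only catches a wrong or expired token early.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $b64 = $Value.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Test-K8sServiceAccountToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedNamespace,
        [Parameter(Mandatory)][string]$NamePattern   # hypothetical: regex for the account name
    )
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a JWT: expected 3 segments, got $($parts.Count)" }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    # sub has the form system:serviceaccount:<namespace>:<name>
    $sub = "$($claims.sub)".Split(':')
    $okSubject = $sub.Count -eq 4 -and $sub[0] -eq 'system' -and $sub[1] -eq 'serviceaccount' -and
                 $sub[2] -eq $ExpectedNamespace -and $sub[3] -match $NamePattern
    # Secret-based tokens carry no exp claim; bound tokens do.
    $expires = if ($claims.exp) { [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime }
               else { $null }
    [pscustomobject]@{
        Subject    = $claims.sub
        SubjectOk  = $okSubject
        ExpiresUtc = $expires
        Expired    = ($null -ne $expires -and $expires -le [DateTime]::UtcNow)
    }
}

# Constructed sample token (not a real credential) so the check runs offline.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:powerprotect:ppdm-discovery-example"}'
$sample  = @((ConvertTo-Base64Url '{"alg":"RS256"}'), (ConvertTo-Base64Url $payload), 'c2lnbmF0dXJl') -join '.'

$check = Test-K8sServiceAccountToken -Token $sample -ExpectedNamespace powerprotect -NamePattern '^ppdm-discovery'
$check
if (-not $check.SubjectOk -or $check.Expired) { throw "Refusing to register token for $($check.Subject)" }
```

In the walkthrough, pass $TOKEN instead of $sample, and run Remove-Variable TOKEN once $Credentials has been built so the plaintext token does not stay in the session.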

Approve the Certificates for the K8S Cluster

Get-PPDMcertificates -newhost $k8s_cluster -Port 8443 | Approve-PPDMcertificates

Add K8S Cluster as inventory Source

Hint ... get your vcenter id with

Get-PPDMinventory_sources -Type VCENTER
Add-PPDMinventory_sources -Type KUBERNETES -Hostname $k8s_cluster -Name $k8s_cluster -ID $newcreds.id -port 8443 -K8S_TYPE VANILLA_ON_VSPHERE -VCENTER_ID 69c8ac3a-3eca-55f1-a2e0-347e63a90540

oh, yes, we have a K8S Endpoint :-)

Get-PPDMkubernetes_clusters -Verbose

Create the Protection Policy

get-help New-PPDMK8SBackupPolicy -Examples
$Storage_system=Get-PPDMstorage_systems | where type -match DATA_DOMAIN_SYSTEM
$Storage_system
$Schedule=New-PPDMBackupSchedule -hourly -CreateCopyIntervalHrs 2 -RetentionUnit DAY -RetentionInterval 7
$Schedule | Convertto-Json -Depth 6
$Policy=New-PPDMK8SBackupPolicy -Schedule $Schedule -StorageSystemID $Storage_system.id -enabled -encrypted -Name CI_K8S_CLI

Assign Assets to PLC

Get-PPDMassets | ft
Get-PPDMassets | where { $_.name -match "wordpress" }
$AssetID=(Get-PPDMassets | where { $_.name -match "wordpress" -and $_.subtype -eq "K8S_NAMESPACE"}).id
$AssetID
Add-PPDMProtection_policy_assignment -AssetID $AssetID -id $Policy.id

Start the Protection of an asset

get-help Start-PPDMprotection
Start-PPDMprotection -PolicyObject $Policy -AssetIDs $AssetID
Get-PPDMactivities -PredefinedFilter QUEUED

Happy ? Happy !!!

Let's do a Restore !!!

We have multiple ways to restore a K8S application / namespace. In the first example, we restore to a new, vanilla AKS cluster. Make sure that you have installed your CSI drivers and set up your storage classes.

kubectl get storageclasses
NAME                PROVISIONER                RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
default (default)   disk.csi.azure.com         Delete          Immediate           true                   22m
managed-premium     kubernetes.io/azure-disk   Delete          Immediate           false                  60m
managed-standard    kubernetes.io/azure-disk   Delete          Immediate           false                  60m

we use

$k8s_cluster="aksazs2"

and start the registration from above

Once the cluster is registered, prepare your restore

# Look up the newly registered target cluster by the name set in $k8s_cluster
$targetInventorySourceID=(Get-PPDMkubernetes_clusters | where name -Match $k8s_cluster).id
# Build the filter timestamp in UTC with a 24-hour clock (HH), matching the trailing Z
$myDate=(get-date).ToUniversalTime().AddHours(-2)
$usedate=get-date $myDate -Format yyyy-MM-ddTHH:mm:ssZ
$filter= 'endTime ge "'+$usedate+'"'
$Asset=(Get-PPDMassets | where { $_.name -eq "wordpress" -and $_.subtype -eq "K8S_NAMESPACE"})
$copy=Get-PPDMassetcopies -AssetID $Asset.id -filter $filter | Select-Object -First 1

That should give you a valid copy. Restore to the new cluster:

Restore-PPDMK8Scopies -CopyObject $copy -includeClusterResources -TO_ALTERNATE -namespace wordpress -targetInventorySourceId $targetInventorySourceID 

Example Backup with Kubernetes Protection Policies, backing up a Tanzu Kubernetes Grid Integrated edition

In this use case, we have one Protection Policy for Kubernetes. To get a Protection Policy for Kubernetes using PowerShell, type

Get-PPDMprotection_policies | where assetType -eq Kubernetes

You can also use the filter Query against the API:

Get-PPDMprotection_policies -filter {assetType eq "Kubernetes"}

You could also scope the Where-Object to the name parameter. In my case, I match to find Kube Backup Platform Services:

Get-PPDMprotection_policies | where name -Match "Platform Services"
Get-PPDMprotection_policies -filter {name eq "Platform Services" and assetType eq "Kubernetes"}

The return object in both cases could be one or multiple objects, so you might need to identify the correct id.

As the modules support pipelining based on parameters, we can simply start the backup for the policy by

Get-PPDMprotection_policies | where name -Match "Platform Services" | Start-PPDMprotection_policies

Or, simply start non-empty K8S policies:

Get-PPDMprotection_policies | where { $_.assetType -eq "Kubernetes" -and $_.summary.numberOfAssets -gt 0 } | Start-PPDMprotection_policies

The Protection Policy will then first be queued. We can check with the command:

Get-PPDMactivities -PredefinedFilter QUEUED


With the ID from Above, you could also query the activity:

Get-PPDMactivities -id 2ce49319-0cf5-49e9-a20f-5c50f4d4ed89


in this case, we detect a failed activity.

We can, of course, use Get-PPDMactivities to detect failed and retryable protections:

Get-PPDMactivities -PredefinedFilter PROTECT_FAILED -days 1|  where { $_.actions.retryable -eq "True" }


to just retry the operation, we would use Restart-PPDMactivities and give any retryable Activity to it:

Get-PPDMactivities -PredefinedFilter PROTECT_FAILED -days 1|  where { $_.actions.retryable -eq "True" } | Restart-PPDMactivities

and verify a running activity by either using the new activity id, or scoping a query to running:

Get-PPDMactivities -PredefinedFilter RUNNING

I can now scope the activities "finder" to find the first object on the succeeded policies and verify it is the same:

Get-PPDMactivities -PredefinedFilter PROTECT_OK -days 1 | Select-Object -First 1
