|
| 1 | +--- |
| 2 | +title: Azure Kubernetes Service (AKS) backup using Azure Backup overview |
| 3 | +description: This article explains the concept of Azure Kubernetes Service (AKS) backup using Azure Backup. |
| 4 | +ms.topic: conceptual |
| 5 | +ms.service: backup |
| 6 | +ms.date: 03/03/2023 |
| 7 | +author: jyothisuri |
| 8 | +ms.author: jsuri |
| 9 | +--- |
| 10 | + |
| 11 | +# Overview of Azure Kubernetes Service backup using Azure Backup (preview) |
| 12 | + |
| 13 | +Azure Backup now allows you to back up AKS clusters (cluster resources and persistent volumes attached to the cluster) using a backup extension, which must be installed in the cluster. Backup vault communicates with the cluster via this Backup Extension to perform backup and restore operations. |
| 14 | + |
| 15 | +## Least privilege security models |
| 16 | + |
| 17 | +This section explains the least privilege security models required for a Backup vault (to have Trusted Access enabled) to communicate with the AKS cluster. |
| 18 | + |
| 19 | +### Backup Extension |
| 20 | + |
| 21 | +- The extension enables backup and restore capabilities for the containerized workloads and persistent volumes used by the workloads running in AKS clusters. |
| 22 | + |
| 23 | +- Backup Extension is installed in its own namespace *dataprotection-microsoft* by default. It's installed with cluster wide scope that allows the extension to access all the cluster resources. During the extension installation, it also creates a User-assigned Managed Identity (Extension Identity) in the Node Pool resource group. |
| 24 | + |
| 25 | +- Backup Extension uses a blob container (provided in input during installation) as a default location for backup storage. To access this blob container, the Extension Identity requires *Storage Account Contributor* role on the storage account that has the container. |
| 26 | + |
| 27 | +- You need to install Backup Extension on both the source cluster to be backed up and the target cluster where the restore will happen. |
| 28 | + |
| 29 | +Learn [how to manage the operation to install Backup Extension using Azure CLI](azure-kubernetes-service-cluster-manage-backups.md#manage-operations). |
| 30 | + |
| 31 | +### Trusted Access |
| 32 | + |
| 33 | +Many Azure services depend on *clusterAdmin kubeconfig* and the *publicly accessible kube-apiserver endpoint* to access AKS clusters. The **AKS Trusted Access** feature enables you to bypass the private endpoint restriction. Without using Microsoft Azure Active Directory (Azure AD) application, this feature enables you to give explicit consent to your system-assigned identity of allowed resources to access your AKS clusters using an Azure resource RoleBinding. The Trusted Access feature allows you to access AKS clusters with different configurations, which aren't limited to private clusters, clusters with local accounts disabled, Azure AD clusters, and authorized IP range clusters. |
| 34 | + |
| 35 | +Your Azure resources access AKS clusters through the AKS regional gateway using system-assigned managed identity authentication. The managed identity must have the appropriate Kubernetes permissions assigned via an Azure resource role. |
| 36 | + |
| 37 | +For AKS backup, the Backup vault accesses your AKS clusters via Trusted Access to configure backups and restores. The Backup vault is assigned a pre-defined role **Microsoft.DataProtection/backupVaults/backup-operator** in the AKS cluster, allowing it to only perform specific backup operations. |
| 38 | + |
| 39 | +Learn [how to enable Trusted Access](azure-kubernetes-service-cluster-manage-backups.md#enable-trusted-access). |
| 40 | + |
| 41 | +### AKS Cluster |
| 42 | + |
| 43 | +To enable backup for an AKS cluster, see the following prerequisites: . |
| 44 | + |
| 45 | +- AKS backup uses CSI drivers snapshot capabilities to perform backups of persistent volumes. CSI Driver support is available for AKS clusters with Kubernetes version *1.21.1* or later. |
| 46 | + |
| 47 | + >[!Note] |
| 48 | + >- Currently, AKS backup only supports backup of Azure Disk-based persistent volumes (enabled by CSI driver). If you're using Azure File Share and Azure Blob type persistent volumes in your AKS clusters, you can configure backups for them via the Azure Backup solutions available for [Azure File Share](azure-file-share-backup-overview.md) and [Azure Blob](blob-backup-overview.md). |
| 49 | + >- In Tree, volumes aren't supported by AKS backup; only CSI driver based volumes can be backed up. You can [migrate from tree volumes to CSI driver based Persistent Volumes](../aks/csi-migrate-in-tree-volumes.md). |
| 50 | +
|
| 51 | +- Before installing Backup Extension in the AKS cluster, ensure that the CSI drivers and snapshots are enabled for your cluster. If disabled, see [these steps to enable them](../aks/csi-storage-drivers.md#enable-csi-storage-drivers-on-an-existing-cluster). |
| 52 | + |
| 53 | +- Backup Extension uses the AKS cluster’s Managed System Identity to perform backup operations. So, ASK backup doesn't support AKS clusters using Service Principal. You can [update your AKS cluster to use Managed System Identity](../aks/use-managed-identity.md#update-an-aks-cluster-to-use-a-managed-identity). |
| 54 | + |
| 55 | + >[!Note] |
| 56 | + >Only Managed System Identity based AKS clusters are supported by AKS backup. The support for User Identity based AKS clusters is currently not available. |
| 57 | +
|
| 58 | +- The Backup Extension during installation fetches Container Images stored in Microsoft Container Registry (MCR). If you enable a firewall on the AKS cluster, the extension installation process might fail due to access issues on the Registry. Learn [how to allow MCR access from the firewall](../container-registry/container-registry-firewall-access-rules.md#configure-client-firewall-rules-for-mcr). |
| 59 | + |
| 60 | +## Required roles and permissions |
| 61 | + |
| 62 | +To perform AKS backup and restore operations as a user, you need to have specific roles on the AKS cluster, Backup vault, Storage account, and Snapshot resource group. |
| 63 | + |
| 64 | +| Scope | Preferred role | Description | |
| 65 | +| --- | --- | --- | |
| 66 | +| AKS Cluster | Owner | Allows you to install Backup Extension, enable *Trusted Access* and grant permissions to Backup vault over the cluster. | |
| 67 | +| Backup vault resource group | Backup Contributor | Allows you to create Backup vault in a resource group, create backup policy, configure backup, and restore and assign missing roles required for Backup operations. | |
| 68 | +| Storage account | Owner | Allows you to perform read and write operations on the storage account and assign required roles to other Azure resources as a part of backup operations. | |
| 69 | +| Snapshot resource group | Owner | Allows you to perform read and write operations on the Snapshot resource group and assign required roles to other Azure resources as part of backup operations. | |
| 70 | + |
| 71 | +>[!Note] |
| 72 | +>Owner role on an Azure resource allows you to perform Azure RBAC operations of that resource. If it's not available, the *resource owner* must provide the required roles to the Backup vault and AKS cluster before initiating the backup or restore operations. |
| 73 | +
|
| 74 | +Also, as part of the backup and restore operations, the following roles are assigned to the AKS cluster, Backup Extension Identity, and Backup vault. |
| 75 | + |
| 76 | +| Role | Assigned To | Assigned on | Description | |
| 77 | +| --- | --- | --- | --- | |
| 78 | +| Reader | Backup vault | AKS cluster | Allows the Backup vault to perform *List* and *Read* operations on AKS cluster. | |
| 79 | +| Reader | Backup vault | Snapshot resource group | Allows the Backup vault to perform *List* and *Read* operations on snapshot resource group. | |
| 80 | +| Disk Snapshot Contributor | AKS cluster | Snapshot resource group | Allows AKS cluster to store persistent volume snapshots in the resource group. | |
| 81 | +| Storage Account Contributor | Extension Identity | Storage account | Allows Backup Extension to store cluster resource backups in the blob container. | |
| 82 | + |
| 83 | +>[!Note] |
| 84 | +>AKS backup allows you to assign these roles during backup and restore processes through the Azure portal with a single click. |
| 85 | +
|
| 86 | +## Next steps |
| 87 | + |
| 88 | +- [Supported scenarios for Azure Kubernetes Service cluster backup (preview)](azure-kubernetes-service-cluster-backup-support-matrix.md) |
| 89 | +- [Back up Azure Kubernetes Service cluster (preview)](azure-kubernetes-service-cluster-backup.md) |
| 90 | +- [Restore Azure Kubernetes Service cluster (preview)](azure-kubernetes-service-cluster-restore.md) |
| 91 | +- [Manage Azure Kubernetes Service cluster backups (preview)](azure-kubernetes-service-cluster-manage-backups.md) |
| 92 | + |
0 commit comments