Yandex project
© 2025 Yandex.Cloud LLC
Managed Service for Kubernetes cluster backups in Object Storage

Written by
Yandex Cloud
Updated at May 7, 2025

The Yandex Cloud infrastructure provides secure storage and replication for data in Managed Service for Kubernetes clusters. However, you can back up data from Managed Service for Kubernetes cluster node groups at any time and store it in Yandex Object Storage or other types of storage.

You can create backups of Managed Service for Kubernetes cluster node group data using Velero. It supports Yandex Cloud disks through the Kubernetes CSI driver and helps create disk and volume snapshots.

If installed manually, Velero allows you to use nfs, emptyDir, local, or any other volume type without built-in support for snapshots. To use one of these volume types, install Velero with the restic plugin. Velero installed from Cloud Marketplace does not include the restic plugin.

In this article, you will learn how to create a backup of a Managed Service for Kubernetes cluster node group using Velero, save it in Object Storage, and restore it in a different cluster’s node group:

  1. Create a backup of your Managed Service for Kubernetes node group.
  2. Restore a node group of another Managed Service for Kubernetes cluster from a backup.

If you no longer need the resources you created, delete them.

Required paid resources

The support cost includes:

  • Fee for each Managed Service for Kubernetes cluster: Using the master and outgoing traffic (see Managed Service for Kubernetes pricing).
  • VM fee (two node groups and a VM for managing a cluster with no public access): Using computing resources, OS, and storage (see Compute Cloud pricing).
  • Fee for public IP addresses for the cluster nodes (see Virtual Private Cloud pricing).
  • Object Storage bucket fee: Storing data and performing operations with it (see Object Storage pricing).

Getting started

Set up your infrastructure

Manually

  1. Create security groups for the Managed Service for Kubernetes cluster and its node groups.

    You must configure these security groups for each cluster and node group.

    Warning

    The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

  2. Create two Managed Service for Kubernetes clusters. When creating them, specify the security groups prepared earlier.

    One Managed Service for Kubernetes cluster is for creating a node group backup and the other one, for restoring data from the backup.

    If you intend to use your clusters within the Yandex Cloud network, there is no need to allocate a public IP address to them. To allow connections from outside the network, assign a public IP to the clusters.

  3. Create a node group in each cluster. When creating node groups, allocate each group a public IP address and specify the security groups prepared earlier.

  4. Create a bucket in Object Storage.

  5. Create a service account with the compute.admin role for the folder to work with Velero.

  6. Grant the service account READ and WRITE permissions to a bucket in Object Storage. To do this, configure the bucket ACL.

  7. Create a static access key for the service account and save its ID and value. You will not be able to get the secret key again.

Terraform

  1. If you do not have Terraform yet, install it.

  2. Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.

  3. Configure and initialize a provider. There is no need to create a provider configuration file manually; you can download it.

  4. Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.

  5. Download the velero-backup.tf configuration file to the same working directory.

    This file describes:

    • Network.

    • Subnet.

    • Two Managed Service for Kubernetes clusters and their node groups.

    • Service account required to use Managed Service for Kubernetes clusters and node groups.

    • Security groups which contain rules required for the Managed Service for Kubernetes cluster and its node groups.

      Both clusters will use these security groups.

      Warning

      The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

    • Service account with the compute.admin role to work with Velero.

    • Static access key for the service account used to work with Velero.

    • Bucket in Object Storage.

  6. In the velero-backup.tf file, specify the following:

    • folder_id: ID of the folder to create resources in.
    • k8s_version: Kubernetes version 1.22 or higher.
    • zone_a_v4_cidr_blocks: CIDR of the subnet to host the Managed Service for Kubernetes clusters.
    • sa_name_k8s: Name of the Managed Service for Kubernetes cluster service account.
    • sa_name_velero: Name of the service account to work with Velero.
    • storage_sa_id: ID of the service account with the storage.admin role. It will be used to create a bucket in Object Storage with READ and WRITE permissions in the ACL for the sa_name_velero service account.
    • bucket_name: Bucket name in Object Storage.
  7. Run the terraform init command in the directory with the configuration file. This command initializes the provider specified in the configuration files and enables you to use the provider resources and data sources.

  8. Check that the Terraform configuration files are correct using this command:

    terraform validate
    

    If there are any errors in the configuration files, Terraform will point them out.

  9. Create the required infrastructure:

    1. Run this command to view the planned changes:

      terraform plan
      

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply
        
      2. Confirm updating the resources.

      3. Wait for the operation to complete.

    All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.

  10. Get and save the ID and value of the static access key for the service account used to work with Velero.

    • Key ID:

      terraform output -raw access_key
      
    • Key value:

      terraform output -raw secret_key
      

Configure additional settings

  1. Select a Velero client for your platform based on the compatibility table.

  2. Download the Velero client, extract the archive contents, and install it. For more information about installation, see this Velero guide.

  3. Make sure you have installed the Velero client. To do this, run the following command:

    velero version
    

    Result:

    Client:
            Version: v1.10.3
            Git commit: 18ee078dffd9345df610e0ca9f61b31124e93f50
    

Backups

To back up Managed Service for Kubernetes node group data:

  1. Install kubectl and configure it to work with the first Managed Service for Kubernetes cluster.

    If a cluster has no public IP address assigned and kubectl is configured via the cluster's private IP address, run kubectl commands on a Yandex Cloud VM that is in the same network as the cluster.

  2. Install the Velero application as follows:

    Yandex Cloud Marketplace

    Install the Velero application by following this guide. In the Object Storage bucket name field, specify the bucket you created earlier.

    Warning

    If the name of the namespace where Velero is installed is not velero, use the additional --namespace <Velero_application_namespace> parameter for all the commands that follow.

    Note

    Velero installed from Cloud Marketplace does not include the restic plugin for creating snapshots of nfs, emptyDir, local, and any other volume types without native snapshot support.

    Manually

    1. If you do not have the Yandex Cloud CLI yet, install and initialize it.

      The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

    2. Create a service account for Velero to run.

    3. Assign it the storage.editor role to access Yandex Object Storage.

    4. Create a static access key for the service account in JSON format and save it to the sa-key.json file:

      yc iam access-key create \
         --service-account-name=<service_account_name> \
         --format=json > sa-key.json
      
    5. Create a file named credentials with the previously obtained static key data:

      [default]
      aws_access_key_id=<key_ID>
      aws_secret_access_key=<key_secret_part>
      
    6. Install the Velero server in the Managed Service for Kubernetes cluster:

      kubectl label volumesnapshotclasses.snapshot.storage.k8s.io yc-csi-snapclass \
      velero.io/csi-volumesnapshot-class="true" && \
      velero install \
        --backup-location-config s3Url=https://storage.yandexcloud.net,region=ru-central1 \
        --bucket <bucket_name> \
        --plugins velero/velero-plugin-for-aws:v1.5.2 \
        --provider aws \
        --secret-file <path_to_credentials_file> \
        --features=EnableCSI \
        --use-volume-snapshots=true \
        --snapshot-location-config region=ru-central1 \
        --uploader-type=restic
      

      Where:

      • --backup-location-config: Backup storage parameters, i.e., the Object Storage URL and region.
      • --bucket: Name of the previously created Object Storage bucket for backup storage.
      • --plugins: Plugin images for AWS API compatibility.
      • --provider: Name of the object storage provider.
      • --secret-file: Full path to the file with static access key data.
      • --features: List of enabled features.
      • --snapshot-location-config: Availability zone to host disk snapshots.
      • --uploader-type=restic: Optionally, enables the restic plugin for creating snapshots of nfs, emptyDir, local, and any other volume types without native snapshot support.

      Result:

      CustomResourceDefinition/backups.velero.io: attempting to create resource
      CustomResourceDefinition/backups.velero.io: already exists, proceeding
      CustomResourceDefinition/backups.velero.io: created
      ...
      Velero is installed! ⛵ Use 'kubectl logs deployment/velero -n velero' to view the status.
      
    7. Make sure the Velero pod state has changed to Running:

      kubectl get pods --namespace velero
      
  3. Make sure you have enough disk snapshot quota and disk size to create a backup. To do this, you can use the service for viewing quotas.

  4. Back up data from the Managed Service for Kubernetes cluster node group:

    velero backup create my-backup
    

    Result:

    Backup request "my-backup" submitted successfully.
    Run `velero backup describe my-backup` or `velero backup logs my-backup` for more details.
    
  5. Wait for the backup to complete. You will see Completed under STATUS.

    velero backup get
    

    Result:

    NAME       STATUS     ERRORS  WARNINGS  CREATED                        EXPIRES  STORAGE LOCATION  SELECTOR
    my-backup  Completed  0       0         2020-10-19 17:13:25 +0300 MSK  29d      default           <none>
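
The credentials file from steps 4 to 6 of the manual installation (repeated unchanged for the second cluster in the restore section) holds a long-lived static key in plain text. The following is an added example, not part of the original tutorial: it writes that file so that only its owner can read it and checks it before it is passed to --secret-file. The function names are hypothetical, and the jq call in the closing comment assumes that sa-key.json carries the access_key.key_id and secret fields.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Function names are hypothetical.

# write_velero_credentials OUT
# Reads the key ID and the secret from stdin (one per line), so neither shows up
# in argv or shell history, and creates OUT readable by its owner only.
write_velero_credentials() (
    umask 077
    IFS= read -r key_id && IFS= read -r secret || exit 1
    [ -n "$key_id" ] && [ -n "$secret" ] || exit 1
    rm -f -- "$1"    # a pre-existing file would keep its old, possibly wider mode
    printf '[default]\naws_access_key_id=%s\naws_secret_access_key=%s\n' \
        "$key_id" "$secret" > "$1"
)

# check_velero_credentials FILE
# Returns 0 if FILE can be passed to `velero install --secret-file`; otherwise
# 1 = missing, 2 = accessible to group/others, 3 = key ID or secret absent from
# [default], 4 = a <placeholder> from the template was left in.
check_velero_credentials() {
    f=$1
    rc=0
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        { echo "$f: accessible to group/others, run: chmod 600 $f" >&2; return 2; }
    awk '
        /^\[default\][ \t]*$/ { sect = 1; next }
        /^\[/                 { sect = 0; next }
        sect && (eq = index($0, "=")) {
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "aws_access_key_id")     id = val
            if (key == "aws_secret_access_key") secret = val
        }
        END {
            if (id == "" || secret == "")           exit 3
            if (id ~ /^<.*>$/ || secret ~ /^<.*>$/) exit 4
        }
    ' "$f" || rc=$?
    case $rc in
        3) echo "$f: aws_access_key_id or aws_secret_access_key missing" >&2 ;;
        4) echo "$f: template placeholder not replaced" >&2 ;;
    esac
    return "$rc"
}

# With the files from steps 4-6 (jq and the field names are assumptions about the
# layout of sa-key.json; adjust them if your file differs):
#   jq -r '.access_key.key_id, .secret' sa-key.json | write_velero_credentials ./credentials
#   check_velero_credentials ./credentials && velero install ... --secret-file ./credentials
```

velero install copies the file into a Kubernetes Secret in the Velero namespace, so the local credentials file and sa-key.json do not need to stay on the workstation once the key is stored somewhere safe.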
    

Restoring data from a backup

To restore Managed Service for Kubernetes cluster node group data from a backup:

  1. Configure kubectl to work with the second Managed Service for Kubernetes cluster.

    If a cluster has no public IP address assigned and kubectl is configured via the cluster's private IP address, run kubectl commands on a Yandex Cloud VM that is in the same network as the cluster.

  2. Install the Velero application as follows:

    Yandex Cloud Marketplace

    Install the Velero application by following this guide. In the Object Storage bucket name field, specify the bucket you created earlier.

    Warning

    If the name of the namespace where Velero is installed is not velero, use the additional --namespace <Velero_application_namespace> parameter for all the commands that follow.

    Note

    Velero installed from Cloud Marketplace does not include the restic plugin for creating snapshots of nfs, emptyDir, local, and any other volume types without native snapshot support.

    Manually

    1. If you do not have the Yandex Cloud CLI yet, install and initialize it.

      The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

    2. Create a service account for Velero to run.

    3. Assign it the storage.editor role to access Yandex Object Storage.

    4. Create a static access key for the service account in JSON format and save it to the sa-key.json file:

      yc iam access-key create \
         --service-account-name=<service_account_name> \
         --format=json > sa-key.json
      
    5. Create a file named credentials with the previously obtained static key data:

      [default]
      aws_access_key_id=<key_ID>
      aws_secret_access_key=<key_secret_part>
      
    6. Install the Velero server in the Managed Service for Kubernetes cluster:

      kubectl label volumesnapshotclasses.snapshot.storage.k8s.io yc-csi-snapclass \
      velero.io/csi-volumesnapshot-class="true" && \
      velero install \
        --backup-location-config s3Url=https://storage.yandexcloud.net,region=ru-central1 \
        --bucket <bucket_name> \
        --plugins velero/velero-plugin-for-aws:v1.5.2 \
        --provider aws \
        --secret-file <path_to_credentials_file> \
        --features=EnableCSI \
        --use-volume-snapshots=true \
        --snapshot-location-config region=ru-central1 \
        --uploader-type=restic
      

      Where:

      • --backup-location-config: Backup storage parameters, i.e., the Object Storage URL and region.
      • --bucket: Name of the previously created Object Storage bucket for backup storage.
      • --plugins: Plugin images for AWS API compatibility.
      • --provider: Name of the object storage provider.
      • --secret-file: Full path to the file with static access key data.
      • --features: List of enabled features.
      • --snapshot-location-config: Availability zone to host disk snapshots.
      • --uploader-type=restic: Optionally, enables the restic plugin for creating snapshots of nfs, emptyDir, local, and any other volume types without native snapshot support.

      Result:

      CustomResourceDefinition/backups.velero.io: attempting to create resource
      CustomResourceDefinition/backups.velero.io: already exists, proceeding
      CustomResourceDefinition/backups.velero.io: created
      ...
      Velero is installed! ⛵ Use 'kubectl logs deployment/velero -n velero' to view the status.
      
    7. Make sure the Velero pod state has changed to Running:

      kubectl get pods --namespace velero
      
  3. Make sure the backup is available in the new Managed Service for Kubernetes cluster:

    velero backup get
    

    Result:

    NAME       STATUS     ERRORS  WARNINGS  CREATED                        EXPIRES  STORAGE LOCATION  SELECTOR
    my-backup  Completed  0       0         2020-10-19 17:13:25 +0300 MSK  29d      default           <none>
    
  4. Restore data from the backup:

    velero restore create my-restore \
      --exclude-namespaces velero \
      --from-backup my-backup
    

    Where:

    • --exclude-namespaces: List of namespaces to exclude from the recovery process.
    • --from-backup: Name of the backup for recovery.

    Result:

    Restore request "my-restore" submitted successfully.
    Run `velero restore describe my-restore` or `velero restore logs my-restore` for more details.
    
  5. Wait for the backup restoration to complete. You will see Completed under STATUS.

    velero get restore
    

    Result:

    NAME        BACKUP     STATUS     STARTED                        COMPLETED                      ERRORS  WARNINGS  CREATED                        SELECTOR
    my-restore  my-backup  Completed  2020-10-20 14:04:55 +0300 MSK  2020-10-20 14:05:22 +0300 MSK  0       23        2020-10-20 14:04:55 +0300 MSK  <none>
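
Both the backup and the restore procedures end with reading STATUS from a table by eye. The following is an added example, not part of the original tutorial: it locates a column by the offset of its header, turns the row into an exit code, and polls until the result is final, treating Failed, PartiallyFailed and FailedValidation as failures. The function names and the VELERO_POLL_SECONDS variable are hypothetical, the sample tables are constructed to mirror the outputs above, and the parser assumes the space-aligned layout shown on this page.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Function names are hypothetical.

# velero_field COLUMN NAME < table
# Prints the COLUMN value of row NAME. The column is found by the character
# offset of its header, because timestamp cells contain spaces and would break
# whitespace field counting.
velero_field() {
    awk -v col="$1" -v name="$2" '
        NR == 1 { start = index($0, col); next }
        start && $1 == name {
            cell = substr($0, start)
            sub(/^[ \t]+/, "", cell); sub(/[ \t].*$/, "", cell)
            print cell; found = 1; exit
        }
        END { if (!found) exit 1 }
    '
}

# velero_verdict NAME < table
# 0 = Completed with no errors, 1 = finished with a failure or with errors,
# 2 = NAME is not listed (yet), 3 = still in progress.
velero_verdict() {
    table=$(cat)
    status=$(printf '%s\n' "$table" | velero_field STATUS "$1") || return 2
    errors=$(printf '%s\n' "$table" | velero_field ERRORS "$1") || return 2
    case $status in
        Completed) [ "$errors" = "0" ] ;;
        *Failed*)  return 1 ;;   # Failed, PartiallyFailed, FailedValidation
        *)         return 3 ;;   # New, InProgress, ...
    esac
}

# velero_wait NAME TRIES CMD...
# Re-runs CMD (the listing command) until the verdict is final or TRIES run out.
velero_wait() {
    name=$1 tries=$2 rc=3
    shift 2
    while [ "$tries" -gt 0 ]; do
        rc=0
        "$@" | velero_verdict "$name" || rc=$?
        case $rc in 0|1) return "$rc" ;; esac
        tries=$((tries - 1))
        sleep "${VELERO_POLL_SECONDS:-10}"
    done
    return "$rc"
}

# Constructed samples that mirror the tables above (trailing columns omitted).
sample_backups() {
    fmt='%-11s%-11s%-8s%-10s%s\n'
    printf "$fmt" NAME STATUS ERRORS WARNINGS CREATED
    printf "$fmt" my-backup Completed 0 0 '2020-10-19 17:13:25 +0300 MSK'
}
sample_restores() {
    fmt='%-12s%-11s%-11s%-31s%-31s%-8s%-10s%s\n'
    printf "$fmt" NAME BACKUP STATUS STARTED COMPLETED ERRORS WARNINGS CREATED
    printf "$fmt" my-restore my-backup Completed '2020-10-20 14:04:55 +0300 MSK' \
        '2020-10-20 14:05:22 +0300 MSK' 0 23 '2020-10-20 14:04:55 +0300 MSK'
}

# In the first cluster:   velero_wait my-backup 60 velero backup get
# In the second cluster:  velero_wait my-backup 60 velero backup get &&
#                         velero restore create my-restore --exclude-namespaces velero --from-backup my-backup
```

Warnings do not fail the gate, so a restore that completes with warnings, like the one above, still returns 0; review them with velero restore describe or velero restore logs.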
    

Delete the resources you created

If you no longer need the resources you created, delete them:

Manually

  • Delete the Managed Service for Kubernetes clusters.
  • If you reserved public static IP addresses for the Managed Service for Kubernetes clusters, delete them.
  • Delete the Object Storage bucket.
  • Delete the service account used to work with Velero.

Terraform

  1. In the terminal window, go to the directory containing the infrastructure plan.

    Warning

    Make sure the directory has no Terraform manifests with the resources you want to keep. Terraform deletes all resources that were created using the manifests in the current directory.

  2. Delete resources:

    1. Run this command:

      terraform destroy
      
    2. Confirm deleting the resources and wait for the operation to complete.

    All the resources described in the Terraform manifests will be deleted.
