Contact UsGet started

Managed Service for Kubernetes cluster backups in Object Storage

Written by
Updated at May 7, 2025

The Yandex Cloud infrastructure provides secure storage and replication for data in Managed Service for Kubernetes clusters. However, you can back up data from Managed Service for Kubernetes cluster node groups at any time and store them in Yandex Object Storage or other types of storage.

You can create backups of Managed Service for Kubernetes cluster node group data using Velero. It supports Yandex Cloud disks through the Kubernetes CSI driver and helps create disk and volume snapshots.

If installed manually, Velero allows you to use nfs, emptyDir, local, or any other volume type without built-in support for snapshots. To use one of these volume types, install Velero with the restic plugin. Velero installed from Cloud Marketplace does not include the restic plugin.

In this article, you will learn how to create a backup of a Managed Service for Kubernetes cluster node group using Velero, save it in Object Storage, and restore it in a different cluster’s node group:

  1. Create a backup of your Managed Service for Kubernetes node group.
  2. Restore a node group of another Managed Service for Kubernetes cluster from a backup.

If you no longer need the resources you created, delete them.

The support cost includes:

Getting started

Set up your infrastructure

  1. Create security groups for the Managed Service for Kubernetes cluster and its node groups.

    You must configure these security groups for each cluster and node group.

    Warning

    The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

  2. Create two Managed Service for Kubernetes clusters. When creating them, specify the security groups prepared earlier.

    One Managed Service for Kubernetes cluster is for creating a node group backup and the other one, for restoring data from the backup.

    If you intend to use your clusters within the Yandex Cloud network, there is no need to allocate a public IP address to them. To allow connections from outside the network, assign a public IP to the clusters.

  3. Create a node group in each cluster. When creating node groups, allocate each group a public IP address and specify the security groups prepared earlier.

  4. Create a bucket in Object Storage.

  5. Create a service account with the compute.admin role for the folder to work with Velero.

  6. Grant the service account READ and WRITE permissions to a bucket in Object Storage. To do this, configure the bucket ACL.

  7. Create a static access key for the service account and save its ID and value. You will not be able to get the secret key again.

  1. If you do not have Terraform yet, install it.

  2. Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.

  3. Configure and initialize a provider. There is no need to create a provider configuration file manually, you can download it.

  4. Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.

  5. Download the velero-backup.tf configuration file to the same working directory.

    This file describes:

    • Network.

    • Subnet.

    • Two Managed Service for Kubernetes clusters and their node groups.

    • Service account required to use Managed Service for Kubernetes clusters and node groups.

    • Security groups which contain rules required for the Managed Service for Kubernetes cluster and its node groups.

      Both clusters will use these security groups.

      Warning

      The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

    • Service account with the compute.admin role to work with Velero.

    • Static access key for the service account used to work with Velero.

    • Bucket in Object Storage.

  6. In the velero-backup.tf file, specify the following:

    • folder_id: ID of the folder to create resources in.
    • k8s_version: Kubernetes version 1.22 or higher.
    • zone_a_v4_cidr_blocks: CIDR of the subnet to host the Managed Service for Kubernetes clusters.
    • sa_name_k8s: Name of the Managed Service for Kubernetes cluster service account.
    • sa_name_velero: Name of the service account to work with Velero.
    • storage_sa_id: ID of the service account with the storage.admin role. It will be used to create a bucket in Object Storage with READ and WRITE permissions in the ACL for the sa_name_velero service account.
    • bucket_name: Bucket name in Object Storage.

  7. Run the terraform init command in the directory with the configuration file. This command initializes the provider specified in the configuration files and enables you to use the provider resources and data sources.

  8. Check that the Terraform configuration files are correct using this command:

    terraform validate

    If there are any errors in the configuration files, Terraform will point them out.

  9. Create the required infrastructure:

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

    All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.

  10. Get and save the ID and value of the static access key for the service account used to work with Velero.

    • Key ID:

      terraform output -raw access_key

    • Key value:

      terraform output -raw secret_key

Configure additional settings

  1. Select a Velero client for your platform based on the compatibility table.

  2. Download the Velero client, extract the archive contents, and install it. For more information about installation, see this Velero guide.

  3. Make sure you have installed the Velero client. To do this, run the following command:

    velero version

    Result:

    Client:
        Version: v1.10.3
        Git commit: 18ee078dffd9345df610e0ca9f61b31124e93f50

Backups

To back up Managed Service for Kubernetes node group data:

  1. Install kubectl and configure it to work with the first Managed Service for Kubernetes cluster.

    If a cluster has no public IP address assigned and kubectl is configured via the cluster's private IP address, run kubectl commands on a Yandex Cloud VM that is in the same network as the cluster.

  2. Install the Velero application as follows:

    Install the Velero application by following this guide. In the Object Storage bucket name field, specify the bucket you created earlier.

    Warning

    If the name of the namespace where Velero is installed is not velero, use the additional --namespace <Velero_application_namespace> parameter for all the commands that follow.

    Note

    Velero does not include the restic plugin for creating snapshots of nfs, emptyDir, local, and any other volume types without native snapshot support.

    1. If you do not have the Yandex Cloud CLI yet, install and initialize it.

      The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

    2. Create a service account for Velero to run.

    3. Assign it the storage.editor role to access Yandex Object Storage.

    4. Create a static access key for the service account in JSON format and save it to the sa-key.json file:

      yc iam access-key create \
   --service-account-name=<service_account_name> \
   --format=json > sa-key.json

    5. Create a file named credentials with the previously obtained static key data:

      [default]
aws_access_key_id=<key_ID>
aws_secret_access_key=<key_secret_part>

    6. Install the Velero server in the Managed Service for Kubernetes cluster:

      kubectl label volumesnapshotclasses.snapshot.storage.k8s.io yc-csi-snapclass \
velero.io/csi-volumesnapshot-class="true" && \
velero install \
  --backup-location-config s3Url=https://storage.yandexcloud.net,region=ru-central1 \
  --bucket <bucket_name> \
  --plugins velero/velero-plugin-for-aws:v1.5.2 \
  --provider aws \
  --secret-file <path_to_credentials_file> \
  --features=EnableCSI \
  --use-volume-snapshots=true \
  --snapshot-location-config region=ru-central1 \
  --uploader-type=restic

      Where:

      • --backup-location-config: Backup storage parameters, i.e., the URL of Object Storage storage and region.
      • --bucket: Name of the previously created Object Storage bucket for backup storage.
      • --plugins: Plugin images for AWS API compatibility.
      • --provider: Name of the object storage provider.
      • --secret-file: Full path to the file with static access key data.
      • --features: List of enabled features.
      • --snapshot-location-config: Availability zone to host disk snapshots.
      • --uploader-type=restic: Optionally, enables the restic plugin for creating snapshots of nfs, emptyDir, local, and any other volume types without native snapshot support.

      Result:

      CustomResourceDefinition/backups.velero.io: attempting to create resource
CustomResourceDefinition/backups.velero.io: already exists, proceeding
CustomResourceDefinition/backups.velero.io: created
...
Velero is installed! ⛵ Use 'kubectl logs deployment/velero -n velero' to view the status.

    7. Make sure the Velero pod state has changed to Running:

      kubectl get pods --namespace velero

  3. Make sure you have enough disk snapshot quota and disk size to create a backup. To do this, you can use the service for viewing quotas.

  4. Back up data from the Managed Service for Kubernetes cluster node group:

    velero backup create my-backup

    Result:

    Backup request "my-backup" submitted successfully.
Run `velero backup describe my-backup` or `velero backup logs my-backup` for more details.

  5. Wait for the backup to complete. You will see Completed under STATUS.

    velero backup get

    Result:

    NAME       STATUS     ERRORS  WARNINGS  CREATED                        EXPIRES  STORAGE LOCATION  SELECTOR
my-backup  Completed  0       0         2020-10-19 17:13:25 +0300 MSK  29d      default           <none>

Restoring data from a backup

To restore data from a Managed Service for Kubernetes cluster node group:

  1. Configure kubectl to work with the second Managed Service for Kubernetes cluster.

    If a cluster has no public IP address assigned and kubectl is configured via the cluster's private IP address, run kubectl commands on a Yandex Cloud VM that is in the same network as the cluster.

  2. Install the Velero application as follows:

    Install the Velero application by following this guide. In the Object Storage bucket name field, specify the bucket you created earlier.

    Warning

    If the name of the namespace where Velero is installed is not velero, use the additional --namespace <Velero_application_namespace> parameter for all the commands that follow.

    Note

    Velero does not include the restic plugin for creating snapshots of nfs, emptyDir, local, and any other volume types without native snapshot support.

    1. If you do not have the Yandex Cloud CLI yet, install and initialize it.

      The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

    2. Create a service account for Velero to run.

    3. Assign it the storage.editor role to access Yandex Object Storage.

    4. Create a static access key for the service account in JSON format and save it to the sa-key.json file:

      yc iam access-key create \
   --service-account-name=<service_account_name> \
   --format=json > sa-key.json

    5. Create a file named credentials with the previously obtained static key data:

      [default]
aws_access_key_id=<key_ID>
aws_secret_access_key=<key_secret_part>

    6. Install the Velero server in the Managed Service for Kubernetes cluster:

      kubectl label volumesnapshotclasses.snapshot.storage.k8s.io yc-csi-snapclass \
velero.io/csi-volumesnapshot-class="true" && \
velero install \
  --backup-location-config s3Url=https://storage.yandexcloud.net,region=ru-central1 \
  --bucket <bucket_name> \
  --plugins velero/velero-plugin-for-aws:v1.5.2 \
  --provider aws \
  --secret-file <path_to_credentials_file> \
  --features=EnableCSI \
  --use-volume-snapshots=true \
  --snapshot-location-config region=ru-central1 \
  --uploader-type=restic

      Where:

      • --backup-location-config: Backup storage parameters, i.e., the URL of Object Storage storage and region.
      • --bucket: Name of the previously created Object Storage bucket for backup storage.
      • --plugins: Plugin images for AWS API compatibility.
      • --provider: Name of the object storage provider.
      • --secret-file: Full path to the file with static access key data.
      • --features: List of enabled features.
      • --snapshot-location-config: Availability zone to host disk snapshots.
      • --uploader-type=restic: Optionally, enables the restic plugin for creating snapshots of nfs, emptyDir, local, and any other volume types without native snapshot support.

      Result:

      CustomResourceDefinition/backups.velero.io: attempting to create resource
CustomResourceDefinition/backups.velero.io: already exists, proceeding
CustomResourceDefinition/backups.velero.io: created
...
Velero is installed! ⛵ Use 'kubectl logs deployment/velero -n velero' to view the status.

    7. Make sure the Velero pod state has changed to Running:

      kubectl get pods --namespace velero

  3. Make sure the data backup is there in the new Managed Service for Kubernetes cluster:

    velero backup get

    Result:

    NAME       STATUS     ERRORS  WARNINGS  CREATED                        EXPIRES  STORAGE LOCATION  SELECTOR
my-backup  Completed  0       0         2020-10-19 17:13:25 +0300 MSK  29d      default           <none>

  4. Restore data from the backup:

    velero restore create my-restore \
  --exclude-namespaces velero \
  --from-backup my-backup

    Where:

    • --exclude-namespaces: List of namespaces to exclude from the recovery process.
    • --from-backup: Name of the backup for recovery.

    Result:

    Restore request "my-restore" submitted successfully.
Run `velero restore describe my-restore` or `velero restore logs my-restore` for more details.

  5. Wait for the backup restoration to complete. You will see Completed under STATUS.

    velero get restore

    Result:

    NAME        BACKUP     STATUS     STARTED                        COMPLETED                      ERRORS  WARNINGS  CREATED                        SELECTOR
my-restore  my-backup  Completed  2020-10-20 14:04:55 +0300 MSK  2020-10-20 14:05:22 +0300 MSK  0       23        2020-10-20 14:04:55 +0300 MSK  <none>

Delete the resources you created

If you no longer need the resources you created, delete them:

  1. In the terminal window, go to the directory containing the infrastructure plan.

    Warning

    Make sure the directory has no Terraform manifests with the resources you want to keep. Terraform deletes all resources that were created using the manifests in the current directory.

  2. Delete resources:

    1. Run this command:

      terraform destroy

    2. Confirm deleting the resources and wait for the operation to complete.

    All the resources described in the Terraform manifests will be deleted.

Previous
Backing up to Object Storage with Veritas Backup Exec
Next
Developing a custom integration in API Gateway