IBM Support

Kubernetes Backup Support requirements: IBM Spectrum Protect Plus V10.1.5

Preventive Service Planning


Abstract

This document details the Kubernetes Backup Support requirements for IBM Spectrum Protect Plus Version 10.1.5.

Content



General

Before you deploy IBM Spectrum Protect Plus Kubernetes Backup Support in the Kubernetes environment, ensure that the system environment meets the outlined requirements.

Kubernetes Backup Support is available only in English in IBM Spectrum Protect Plus Version 10.1.5.



 


Configuration

Container Versions

Docker containers are supported in Kubernetes Backup Support.

Operating Systems

On Linux® x86_64:

  • Red Hat Enterprise Linux (RHEL) 7.6
  • RHEL 7.7

Additional requirements

  • Kubernetes v1.13 and later patches and updates
  • Kubernetes v1.14 and later patches and updates
  • Kubernetes v1.15 and later patches and updates
  • Kubernetes v1.16 and later patches and updates
  • Ceph Container Storage Interface (CSI) driver 1.1 with Rados Block Device (RBD) storage

To install and configure container backup support, the backup administrator must deploy the Kubernetes Backup Support software in the Kubernetes environment. For instructions, see Installing Kubernetes Backup Support.



 


Software

  • Kubernetes Backup Support protects only persistent storage that was allocated by a storage plug-in that supports the Container Storage Interface (CSI).
  • Only formatted volumes can be mounted to the data mover for copy operations.
  • Ensure that Kubernetes Metrics Server 0.3.5 or later is installed and running on your cluster. The metrics server is required for the Kubernetes Backup Support scheduler to determine the resources that are used for multiple concurrent data mover instances. For more information, see Verifying whether the metrics server is running
  • Copy backup and snapshot restore operations require the VolumeSnapshotDataSource alpha feature to be enabled. To enable the VolumeSnapshotDataSource alpha feature, you must patch the Kubernetes scheduler, controller, and API server. For instructions, see Enabling the VolumeSnapshotDataSource feature
  • Ensure that the following cluster prerequisites are met:
    • You must be running a Kubernetes cluster with CSI support.
    • Persistent storage must be provided by the CSI driver, which must support CSI snapshot capabilities.
    • A storage class must be defined for the persistent volumes that are being protected.
    • The Kubernetes command line tool kubectl must be accessible on the installation host and in the local path.
    • CSI snapshot support must be enabled on the kubectl command line.
    • The target image registry must be accessible from the Kubernetes cluster. The target image registry can be a local image registry or an external image registry. For an external image registry, you can configure the image pull secret to secure your environment.
    • The Kubernetes Backup Support product installation package must be on the primary node or another administration node. The administration node must have similar access to the primary node with regard to Docker, the kubectl tool, and the cluster image registry.
    • To create new cluster-wide resources, you must be logged in to the target cluster as a user with cluster-admin privileges.
    • Ensure that Kubernetes Backup Support secrets that include user IDs, passwords, and keys are encrypted at rest in the etcd distributed key-value store. For more information, see Encrypting Secret Data at Rest
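
One way to check the encryption-at-rest prerequisite for secrets, as an added example that is not part of the IBM documentation or the product: the first function reads a parsed kube-apiserver EncryptionConfiguration and reports which provider is used for writes, and the second classifies a raw value read from etcd. The sample configuration, the key name key1, and the byte strings are constructed for illustration.

```python
"""Audit encryption at rest for Kubernetes Secrets (constructed sample data)."""


def make_config(providers):
    # Parsed form of a kube-apiserver EncryptionConfiguration file.
    return {
        "apiVersion": "apiserver.config.k8s.io/v1",
        "kind": "EncryptionConfiguration",
        "resources": [{"resources": ["secrets"], "providers": providers}],
    }


# Placeholder key material, not a real key.
AESCBC = {"aescbc": {"keys": [{"name": "key1", "secret": "<BASE64_32_BYTE_KEY>"}]}}
# Weak: identity is first, so new Secrets are still written in plaintext.
WEAK = make_config([{"identity": {}}, AESCBC])
# Corrected: aescbc encrypts writes; identity only reads older plaintext.
HARDENED = make_config([AESCBC, {"identity": {}}])


def write_provider(config, resource="secrets"):
    """Return the provider the API server uses when writing `resource`.

    Only the first provider in the matching rule encrypts new writes; the
    others are decrypt-only fallbacks. No matching rule means no encryption.
    """
    for rule in config.get("resources", []):
        if resource in rule.get("resources", []):
            providers = rule.get("providers", [])
            if providers:
                return next(iter(providers[0]))
    return "identity"


def stored_value_status(raw):
    """Classify a raw etcd value read from /registry/secrets/<ns>/<name>.

    Encrypted values start with k8s:enc:<provider>:<version>:<key name>:
    and anything else is the unencrypted object.
    """
    if raw.startswith(b"k8s:enc:"):
        parts = raw.split(b":", 5)
        if len(parts) == 6:
            return ("encrypted", parts[2].decode(), parts[4].decode())
    return ("plaintext", None, None)


if __name__ == "__main__":
    print(write_provider(WEAK), write_provider(HARDENED))
    print(stored_value_status(b"k8s:enc:aescbc:v1:key1:\x8f\x02"))
    print(stored_value_status(b"k8s\x00\n\x0c\n\x02v1\x12\x06Secret"))
```

Secrets that were created before encryption was enabled stay in plaintext in etcd until they are rewritten, so the check on the stored value matters even when the configuration is correct.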
       

Helm prerequisites

The Helm tool must be configured on the target cluster so that a new deployment can be run with the helm command line. Deploying a package with Helm enables cluster-wide role-based access control (RBAC) rules and role bindings to be generated.

For the Kubernetes cluster, to install Helm as root user with the Kubernetes administrative user account, run the following script, which is included in the installation package:

./helm_install_k8s.sh

IBM Spectrum Protect Plus prerequisites

External, non-container components such as IBM Spectrum Protect Plus and the IBM Spectrum Protect Plus vSnap server must be provisioned and configured by the IBM Spectrum Protect Plus administrator.

  • An administrative account for Kubernetes Backup Support must be configured on IBM Spectrum Protect Plus.
    This administrative account can be configured as a global Lightweight Directory Access Protocol (LDAP) account in the data center. This global account is required for access to all external components that Kubernetes Backup Support operates with.
    You must specify this account name in the BAAS_ADMIN parameter in the baas_config.cfg configuration file before you deploy Kubernetes Backup Support. The baas_config.cfg is located in the installer directory. For instructions, see Installing and deploying Kubernetes Backup Support images
  • An IBM Spectrum Protect Plus instance must be deployed and licensed as a VMware virtual appliance.
    Network connectivity must exist to and from the target cluster. The IBM Spectrum Protect Plus Internet Protocol (IP) address and port number must be specified in the baas_config.cfg file before you deploy Kubernetes Backup Support. Only one port (443) can be specified for use with all IBM Spectrum Protect Plus instances.
  • An IBM Spectrum Protect Plus vSnap instance must be deployed as a VMware virtual appliance.
    • Network connectivity must exist to and from the target Kubernetes cluster and IBM Spectrum Protect Plus vSnap instance.
    • The vSnap instance must be configured as an external vSnap server for storing backups. For instructions, see Installing vSnap servers
    • If backups are encrypted at rest, ensure that enough capacity is allocated for encryption on the vSnap server.



 


Connectivity

  • Ensure that the following connectivity criteria are in place:
    • SSH service is running on Kubernetes NodePort services.
    • Firewalls must be configured to allow IBM Spectrum Protect Plus to connect data mover containers by using SSH over the NodePort port range of the Kubernetes cluster. The NodePort service allows the specific port in the NodePort range to be determined by Kubernetes at run time.
    • The server can be registered by using a Domain Name System (DNS) name or Internet Protocol (IP) address. DNS names must be resolvable by IBM Spectrum Protect Plus.



 


Authentication and privileges

Ensure that you specify the username for the IBM Spectrum Protect Plus administrative account and data mover in the baas_config.cfg configuration file. For more information, see Installing and deploying Kubernetes Backup Support images
To access the device that is associated with the persistent volume, the data mover container must be a privileged container.



 


Ports

The following ports are used by IBM Spectrum Protect Plus agents. The ports use secure connections (HTTPS or SSL).

Table 1. Communication ports when the target is an IBM Spectrum Protect Plus agent

| Port | Protocol | Initiator | Target | Description |
| --- | --- | --- | --- | --- |
| Assigned by the NodePort service in Kubernetes | TCP | IBM Spectrum Protect Plus virtual appliance (1) | Kubernetes | Used by IBM Spectrum Protect Plus to connect to the data mover container to deploy and run agents. |

(1) Refers to the IBM Spectrum Protect Plus server, which is a component of the IBM Spectrum Protect Plus virtual appliance.

For SSH connections between containers in the Kubernetes environment, port 22 is used. Everywhere else, whether on the Kubernetes hosts or outside the cluster, the port that the NodePort service assigned at run time is used.
 

Table 2. Communication ports when the initiator is the IBM Spectrum Protect Plus agent

| Port | Protocol | Initiator | Target | Description |
| --- | --- | --- | --- | --- |
| 111 | TCP | Kubernetes | vSnap server | Allows Open Network Computing (ONC) clients to discover ports for communication with ONC servers |
| 443 | TCP | Kubernetes | vSnap server | Used for IBM Spectrum Protect Plus issued commands to run backup, restore, inventory, and other configuration operations |
| 2049 | TCP | Kubernetes | vSnap server | Used for Network File System (NFS) data transfer to and from vSnap servers |
| 20048 | TCP | Kubernetes | vSnap server | Mounts vSnap file systems on clients such as the VADP proxy, application servers, and virtualization data stores |



 



 


Document Information

Modified date:
01 July 2021

UID

ibm11072136