Plan a set of backups


This page describes how to create a Backup for GKE backup plan, which is used for backing up your workloads in Google Kubernetes Engine (GKE).

Backup plans provide the configuration, location, and management functions for a sequence of backups. A backup plan contains a backup configuration including the source cluster, the selection of which workloads to back up, and the region in which backup artifacts produced under this plan are stored.

You can create one or more backup plans for each cluster. There are two main reasons why you might want more than one backup plan for a cluster:

  • You want to store your backup artifacts in multiple regions. In this case, create a backup plan for each region in which you want to store backups.
  • You want to partition the backups of your cluster, for example:

    • Instead of one very large backup taken at a single time of the day, you want multiple smaller backups distributed throughout the day.
    • You want to back up some portions of your cluster more often than others (such as daily backups for some namespaces and hourly backups for others).

We recommend that every cluster has at least one backup plan.

We also recommend that you define a cron schedule for the backup plan, so that backups are automatically created according to that schedule. You can also manually back up your workloads. After you create a backup plan, you can create a backup from that plan.

Before you begin

Required roles

To get the permissions that you need to create and manage a backup plan, ask your administrator to grant you the Backup for GKE Backup Admin (roles/gkebackup.backupAdmin) IAM role on your project. This role is a subset of the Backup for GKE Admin (roles/gkebackup.admin) role. For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create a backup plan

Create a backup plan by using the gcloud CLI or the Google Cloud console.

gcloud

To create a backup plan with a schedule, run the following command:

gcloud beta container backup-restore backup-plans create BACKUP_PLAN \
    --project=PROJECT_ID \
    --location=LOCATION \
    --cluster=CLUSTER \
    --all-namespaces \
    --include-secrets \
    --include-volume-data \
    --encryption-key=ENCRYPTION_KEY \
    --cron-schedule=SCHEDULE \
    --backup-retain-days=RETAIN_DAYS \
    --backup-delete-lock-days=DELETE_LOCK_DAYS \
    --locked

Replace the following:

  • BACKUP_PLAN: the name of the backup plan that you want to create.
  • PROJECT_ID: the ID of your Google Cloud project.
  • LOCATION: the compute region for the resource, for example us-central1. See About resource locations.
  • CLUSTER: the relative path to the cluster:
    • Regional clusters: projects/PROJECT_ID/locations/REGION/clusters/CLUSTER_NAME
    • Zonal clusters: projects/PROJECT_ID/locations/ZONE/clusters/CLUSTER_NAME
  • CLUSTER_NAME: the name of the cluster to back up.
  • --all-namespaces: backs up all namespaces for the cluster.

    Alternatively, specify:

    • --selected-applications with a list of ProtectedApplications as NAMESPACE1/APP1,NAMESPACE2/APP2,... to back up.
    • --selected-namespaces with a list of namespaces as NAMESPACE1,NAMESPACE2,... to back up.

    You must specify one of these options when creating a backup plan.

  • --include-secrets: (Optional) includes Secret resources if they are in the scope of the backup.

  • --include-volume-data: (Optional) includes persistent volume data in the backup. Omit this flag if you want to create empty volumes during restore.

  • ENCRYPTION_KEY: (Optional) defines the path to a customer-managed encryption key. See About CMEK encryption.

  • SCHEDULE: (Optional) defines a schedule that automatically creates backups and supports standard cron syntax. For example "10 3 * * *" creates a backup at 3:10 AM every day. All times are interpreted as UTC. The minimum interval between scheduled backups is 10 minutes.

  • RETAIN_DAYS: (Required if SCHEDULE is set) the number of days to keep the backup. Backups for this plan are automatically deleted after this period expires.

  • DELETE_LOCK_DAYS: (Optional) the number of days during which backups cannot be deleted. If this value is set, then backups created for that plan cannot be deleted (either automatically or manually) until that lifetime expires.

  • --locked: (Optional) locks the retention policy for the backup plan.

For the full list of options, refer to the gcloud beta container backup-restore backup-plans create documentation.
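
The constraints in the list above (a 10-minute minimum interval, RETAIN_DAYS required with a schedule) can be checked before the create command runs. The following is an added example, not code from the Backup for GKE documentation; the function names are hypothetical, only the minute and hour cron fields are parsed, and the schedule is assumed to fire every day, which makes the interval check conservative.

```python
# Added example (not Google's code): pre-flight check of backup plan values.
# Parses only the minute and hour fields of a 5-field cron string.

def _expand(field, lo, hi):
    """Expand a cron field ('*', lists, ranges, steps) into a set of ints."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = map(int, rng.split("-"))
        else:
            start = int(rng)
            end = hi if "/" in part else start
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"bad cron field: {field!r}")
        values.update(range(start, end + 1, step))
    return values

def min_gap_minutes(cron):
    """Smallest gap (minutes) between firings, assuming it fires every day."""
    fields = cron.split()
    if len(fields) != 5:
        raise ValueError("expected 5 cron fields")
    fires = sorted(h * 60 + m for h in _expand(fields[1], 0, 23)
                   for m in _expand(fields[0], 0, 59))
    gaps = [b - a for a, b in zip(fires, fires[1:])]
    gaps.append(fires[0] + 1440 - fires[-1])  # last firing -> first of next day
    return min(gaps)

def check_plan(cron=None, retain_days=0, delete_lock_days=0):
    """Return a list of problems with the values; empty means none found."""
    problems = []
    if cron is not None:
        if min_gap_minutes(cron) < 10:
            problems.append("schedule interval is under the 10-minute minimum")
        if retain_days <= 0:
            problems.append("RETAIN_DAYS is required when SCHEDULE is set")
    # Assumption inferred from the two definitions above, not a rule this page states.
    if retain_days > 0 and delete_lock_days > retain_days:
        problems.append("DELETE_LOCK_DAYS exceeds RETAIN_DAYS")
    return problems

if __name__ == "__main__":
    for args in [("20 5 * * *", 7, 3), ("*/5 * * * *", 0, 0), ("15 * * * *", 3, 5)]:
        print(args, "->", check_plan(*args) or "ok")
```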

Create a BackupPlan for all namespaces with a daily schedule

The following command creates a BackupPlan that schedules a daily backup of all namespaces at 5:20 AM. Backups are retained for 7 days and locked for 3 days after creation:

gcloud beta container backup-restore backup-plans create BACKUP_PLAN \
    --location=LOCATION \
    --cluster=CLUSTER \
    --all-namespaces \
    --include-secrets \
    --include-volume-data \
    --cron-schedule="20 5 * * *" \
    --backup-retain-days=7 \
    --backup-delete-lock-days=3 \
    --locked

Create a BackupPlan for a selected namespace with an hourly schedule

The following command creates a BackupPlan that schedules an hourly backup of the selected namespace (my-ns) at minute 15 of every hour. Backups are retained for 3 days after creation:

gcloud beta container backup-restore backup-plans create BACKUP_PLAN \
    --location=LOCATION \
    --cluster=CLUSTER \
    --selected-namespaces=my-ns \
    --include-secrets \
    --include-volume-data \
    --cron-schedule="15 * * * *" \
    --backup-retain-days=3

Create a BackupPlan for a selected ProtectedApplication

The following command creates a BackupPlan that backs up the selected ProtectedApplications (my-ns1/my-app1 and my-ns2/my-app2):

gcloud beta container backup-restore backup-plans create BACKUP_PLAN \
    --location=LOCATION \
    --cluster=CLUSTER \
    --selected-applications=my-ns1/my-app1,my-ns2/my-app2 \
    --include-secrets \
    --include-volume-data

Console

Use the following instructions to create a backup plan in the Google Cloud console:

  1. Go to the Google Kubernetes Engine page in the Google Cloud console.

  2. In the navigation menu, click Backup for GKE.

  3. Click Create a backup plan.

  4. In the Plan details section, do the following:

    1. Select the cluster to back up.
    2. Enter the backup plan name and optional description.
    3. Choose a location for the backup.
  5. In the Backup schedule section, in the CRON string field, enter an expression using standard cron syntax. For example, 10 3 * * * creates a backup at 3:10 AM every day. All times are interpreted as UTC. The minimum interval between scheduled backups is 10 minutes.

  6. In the Retention policy section, do the following:

    1. Set the number of days to retain the backup before the backup is automatically deleted.
    2. Set the number of days during which backups cannot be deleted.
    3. To lock the retention policy, click the lock icon to turn the lock from Off to On.
  7. In the Configure backup scope and encryption section, do the following:

    1. Select the scope for the backup plan:

      • Click Entire cluster (including all namespaces) to back up all namespaced resources in the backup.
      • Click Selected namespaces within this cluster to choose the namespaces you want to include in the backup plan.
      • Click Selected protected applications within this cluster to add resources by specifying the namespace and application name.
    2. Click the Secrets checkbox to include Kubernetes Secret resources.

    3. Click the Persistent volume data checkbox to include volume data in your backup. If you skip volume data, you cannot restore volume data during restore. Instead, you have two options for volume data when restoring: Provision new volumes or Reuse existing volumes.

    4. To enable CMEK encryption, you must first grant access to the appropriate CMEK keys (see About CMEK encryption).

      1. Click the Use a customer-managed encryption key checkbox to select a key.
  8. Review the backup plan details and click Create plan.

Terraform

Create a google_gke_backup_backup_plan resource.

resource "google_gke_backup_backup_plan" "basic" {
  name     = "BACKUP_PLAN"
  cluster  = google_container_cluster.CLUSTER.id
  location = "LOCATION"

  retention_policy {
    backup_retain_days = 7
  }

  backup_schedule {
    cron_schedule = "17 3 * * *"
  }

  backup_config {
    include_volume_data = true
    include_secrets     = true
    all_namespaces      = true
  }
}

Replace the following:

  • BACKUP_PLAN: the name of the backup plan that you want to create.
  • CLUSTER: the name of your google_container_cluster resource.
  • LOCATION: the region where you want to store the backups.

For more information, see gke_backup_backup_plan.

View a backup plan

View a backup plan and its details by using the gcloud CLI or the Google Cloud console.

gcloud

To list all the backup plans within the project and region, run the following command:

gcloud beta container backup-restore backup-plans list \
    --project=PROJECT_ID \
    --location=LOCATION

For list commands only, you can provide - as the value for any parameters except PROJECT_ID. The - value acts as a wildcard. The - value is the default for any parameter if you don't specify a command-line option or set a property.

For the full list of options, refer to the gcloud beta container backup-restore backup-plans list documentation.

To see the details of a backup plan, run the following command:

gcloud beta container backup-restore backup-plans describe BACKUP_PLAN \
    --project=PROJECT_ID \
    --location=LOCATION

For the full list of options, refer to the gcloud beta container backup-restore backup-plans describe documentation.
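
The settings described on this page (schedule, delete lock, locked retention policy, Secrets, CMEK, volume data) can be reviewed across all plans from the list command's JSON output. The following is an added example, not code from the Backup for GKE documentation; the JSON field names are assumed to follow the BackupPlan API resource, and the sample plans, project and key path are constructed placeholders.

```python
import json

# Constructed sample of `backup-plans list --format=json` output. Field names are
# assumed to follow the Backup for GKE BackupPlan API resource; verify them
# against your own output. Project, key and plan names are placeholders.
SAMPLE = json.loads("""
[{"name": "projects/example/locations/us-central1/backupPlans/daily-all",
  "retentionPolicy": {"backupRetainDays": 7, "backupDeleteLockDays": 3, "locked": true},
  "backupSchedule": {"cronSchedule": "20 5 * * *"},
  "backupConfig": {"allNamespaces": true, "includeSecrets": true,
                   "includeVolumeData": true,
                   "encryptionKey": {"gcpKmsEncryptionKey": "EXAMPLE_KEY_PATH"}}},
 {"name": "projects/example/locations/us-central1/backupPlans/hourly-my-ns",
  "retentionPolicy": {"backupRetainDays": 3},
  "backupSchedule": {"cronSchedule": "15 * * * *", "paused": true},
  "backupConfig": {"selectedNamespaces": {"namespaces": ["my-ns"]},
                   "includeSecrets": true}}]
""")

def audit_plan(plan):
    """Return findings for one plan; tolerates fields missing from the JSON."""
    retention = plan.get("retentionPolicy", {})
    schedule = plan.get("backupSchedule", {})
    config = plan.get("backupConfig", {})
    findings = []
    if not schedule.get("cronSchedule"):
        findings.append("no cron schedule: backups are manual only")
    elif schedule.get("paused"):
        findings.append("schedule is paused: no automatic backups")
    if not retention.get("backupDeleteLockDays"):
        findings.append("no delete lock: backups can be deleted at any time")
    if not retention.get("locked"):
        findings.append("retention policy is not locked")
    key = config.get("encryptionKey", {}).get("gcpKmsEncryptionKey")
    if config.get("includeSecrets") and not key:
        findings.append("Secrets included without a customer-managed key")
    if not config.get("includeVolumeData"):
        findings.append("volume data excluded: restores create empty volumes")
    return findings

def audit(plans):
    """Map each plan's short name to its findings, skipping clean plans."""
    report = {p["name"].rsplit("/", 1)[-1]: audit_plan(p) for p in plans}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, *findings, sep="\n  - ")
```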

Console

Use the following instructions to view a backup plan in the Google Cloud console:

  1. Go to the Google Kubernetes Engine page in the Google Cloud console.

  2. In the navigation menu, click Backup for GKE.

  3. Click the Backup Plans tab.

  4. Expand the cluster and click the plan name.

  5. Click the Details tab to see the plan details.

Update a backup plan

Update a backup plan by using the gcloud CLI or the Google Cloud console.

gcloud

To update a backup plan, for example by adding a new description, run the following command:

gcloud beta container backup-restore backup-plans update BACKUP_PLAN \
    --project=PROJECT_ID \
    --location=LOCATION \
    --description=DESCRIPTION

For the full list of options, refer to the gcloud beta container backup-restore backup-plans update documentation.

Console

Use the following instructions to update a backup plan in the Google Cloud console:

  1. Go to the Google Kubernetes Engine page in the Google Cloud console.

  2. In the navigation menu, click Backup for GKE.

  3. Click the Backup Plans tab.

  4. Expand the cluster and click the plan name.

  5. Click the Details tab to edit the plan details.

  6. Click Edit to edit a plan section and click Save changes.

Pause a backup schedule

You can pause your backup schedule. While the schedule is paused, automatic backups are not created. You can still create backups manually.

gcloud

To pause a backup schedule, run the following command:

gcloud beta container backup-restore backup-plans update BACKUP_PLAN \
    --project=PROJECT_ID \
    --location=LOCATION \
    --paused

For the full list of options, refer to the gcloud beta container backup-restore backup-plans update documentation.

Console

Use the following instructions to pause a backup schedule in the Google Cloud console:

  1. Go to the Google Kubernetes Engine page in the Google Cloud console.

  2. In the navigation menu, click Backup for GKE.

  3. Click the Backup Plans tab.

  4. Expand the cluster and click the plan name.

  5. Click Pause Schedule and then click Pause Schedule in the confirmation dialog.

Delete a backup plan

You can delete a backup plan by using the gcloud CLI or the Google Cloud console. You cannot delete a backup plan if the plan contains any backups.

gcloud

To delete a backup plan, run the following command:

gcloud beta container backup-restore backup-plans delete BACKUP_PLAN \
    --project=PROJECT_ID \
    --location=LOCATION

For the full list of options, refer to the gcloud beta container backup-restore backup-plans delete documentation.

Console

Use the following instructions to delete a backup plan in the Google Cloud console:

  1. Go to the Google Kubernetes Engine page in the Google Cloud console.

  2. In the navigation menu, click Backup for GKE.

  3. Click the Backup Plans tab.

  4. Expand the cluster and click the plan name.

  5. Click Delete plan.

  6. Type the backup plan name and then click Delete backup plan in the confirmation dialog.
