28 Working with Elastic Kubernetes Service (EKS)

Back up and restore entire EKS clusters and selected Namespaces.

The N2W platform provides a built-in Kubernetes backup and recovery solution for AWS EKS clusters. It lets you protect Kubernetes resources, namespaces, and persistent volumes, and manage backups and restores directly from N2W, just like any other AWS resource.

N2W supports backing up entire EKS clusters or selected namespaces, which is useful for:

  • Application-level protection

  • Avoiding system or control-plane namespaces

You can restore the backups to the same EKS cluster or a different one, into the same namespace or a different one.

28.1 Overview

N2W simplifies Kubernetes backup and restore workflows. You can:

  • Add EKS Cluster or Namespaces to a policy like any other AWS resource.

  • Back up an entire EKS Cluster, including:

    • All namespaces

    • Cluster-scoped resources

    • EBS snapshots of Persistent volumes

    • Kubernetes manifests (to S3)

  • Back up specific Namespaces only

  • Restore anywhere:

    • To the same cluster

    • To a new cluster

    • And rename namespaces.

  • Combine EKS backups with other AWS services in a single policy. In the same policy, you can back up:

    • An EKS namespace containing a WordPress deployment together with

    • The associated AWS RDS database instance

28.2 Prerequisites

Before adding EKS resources to a CPM policy, the following steps must be completed:

  1. Install Velero on each EKS cluster you want to protect.

Velero is an open-source tool that provides backup and restore for Kubernetes clusters. It backs up Kubernetes resources and persistent volumes, saves them in S3-compatible storage, and lets you safely restore clusters when needed.

Velero must be installed on:

  • Every source EKS cluster you back up.

  • Every destination EKS cluster you restore into.

  2. Configure the Velero backup storage (S3).

During Velero installation, specify:

  • An S3 bucket that stores your Kubernetes manifests.

  • The velero-plugin-for-aws, which enables Velero to create EBS snapshots.

  3. Ensure that the following IAM permissions and access are set:

  • Kubernetes RBAC (EKS Access Entry & Policies). Configure an EKS Access Entry for the EC2 instance's IAM role with appropriate policies:

    • Required: Velero Namespace Admin Access

      • Policy: AmazonEKSClusterAdminPolicy

      • Scope: namespace - specifically the velero namespace

      • Purpose: Allows creating and managing Velero backup/restore resources

    • Optional: Cluster-Wide Read Access

      • Policy: AmazonEKSViewPolicy

      • Scope: cluster

      • Purpose: Enables viewing pods, deployments, and services across all namespaces for monitoring and observability

  • Velero S3 and IAM Roles for Service Accounts (IRSA) Configuration. Ensure that the Velero pod uses IRSA with permissions to:

    • Access the Velero backup S3 bucket

    • Create and manage EBS snapshots

    • The IAM role trust policy must allow the Velero Service Account to assume the role via the cluster’s OIDC provider

    • IRSA requires an OIDC identity provider to be associated with the EKS cluster

  4. Ensure network connectivity between the VPC and the EKS API endpoint.

  5. Set EKS Access Entry: Associate the IAM role with EKS access policies.

  6. Enable Security Group: Allow outbound HTTPS (port 443) to the EKS cluster API endpoint.
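
The IRSA requirement above says the role's trust policy must let the Velero Service Account assume the role through the cluster's OIDC provider. The following added example (not part of the N2W or Velero documentation) lints a trust policy to confirm that only that service account is trusted. The service account name velero, the account ID, and the OIDC provider ID are assumptions or constructed placeholders.

```python
# Added example: lint an IAM role trust policy intended for Velero IRSA.
# All ARNs and IDs are constructed placeholders; the service account name
# "velero" in namespace "velero" is an assumption about the installation.
OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789"
PROVIDER = f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_irsa_trust(policy, oidc_host, namespace="velero", sa="velero"):
    """Return findings; an empty list means the trust is tightly scoped."""
    want_sub = f"system:serviceaccount:{namespace}:{sa}"
    findings, trusted = [], False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if not any(str(p).endswith(":oidc-provider/" + oidc_host) for p in federated):
            findings.append("web-identity trust for a provider other than this cluster's")
            continue
        trusted = True
        exact = stmt.get("Condition", {}).get("StringEquals", {})
        if _as_list(exact.get(f"{oidc_host}:sub", [])) != [want_sub]:
            findings.append(f"sub not pinned to {want_sub} via StringEquals")
        if _as_list(exact.get(f"{oidc_host}:aud", [])) != ["sts.amazonaws.com"]:
            findings.append("aud not pinned to sts.amazonaws.com via StringEquals")
    if not trusted:
        findings.append("cluster OIDC provider cannot assume this role")
    return findings

def trust_policy(condition):
    """Build a constructed sample trust policy with the given Condition block."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Federated": PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity", "Condition": condition}]}

# Weak: the wildcard trusts every service account in the cluster.
WEAK = trust_policy({"StringLike": {f"{OIDC}:sub": "system:serviceaccount:*"},
                     "StringEquals": {f"{OIDC}:aud": "sts.amazonaws.com"}})
# Corrected: only the Velero service account in the velero namespace.
SCOPED = trust_policy({"StringEquals": {
    f"{OIDC}:sub": "system:serviceaccount:velero:velero",
    f"{OIDC}:aud": "sts.amazonaws.com"}})

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("scoped", SCOPED)):
        print(name, audit_irsa_trust(pol, OIDC) or "ok")
```

Run it against the JSON returned for the role's trust policy. Any finding means a workload other than Velero may be able to obtain the role's S3 and EBS snapshot permissions.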

28.3 Creating EKS Policies

To define EKS policies, see section 4.2. Select EKS Clusters or EKS Namespaces from the Backup Targets menu.

28.4 Recovering EKS

N2W supports flexible restore operations for EKS:

  • Restore the entire EKS cluster backup, which includes:

    • All namespaces

    • All workloads and resources

    • Persistent volumes

    • Optional cluster-scoped resources

  • Restore only selected namespaces, which allows restoring workloads into the same cluster or into a different EKS cluster:

    • One or multiple namespaces

    • Optionally rename namespaces during recovery

  • During recovery, you can choose whether to restore Cluster-Scoped Resources, such as:

    • ClusterRoles

    • ClusterRoleBindings

    • CustomResourceDefinitions (CRDs)

When to enable the Cluster-Scoped Resources option:

| Scenario | Recommendation |
| --- | --- |
| Restoring into the same cluster | Usually leave unchecked |
| Restoring into a new empty EKS cluster | Recommended to enable |

To recover EKS clusters or EKS namespaces:

  1. In the Backup Monitor, select the AWS Cloud button.

  2. In the Search backups box, enter a string to search by. The string can be part of the resource ID or part of the resource tag value.

  3. To filter by resource type, select a resource type in the By Instance list, such as EKS Cluster.

  4. Choose a backup in the list and then select Recover. A list of clusters opens.

  5. Select a Cluster Name.

To recover namespaces:

  1. To recover specific namespaces, select the Namespaces tab.

    1. To include Cluster-Scoped Resources, select Include Cluster Resources.

    2. In the Namespace Name list, select one or more Names.

    3. For each Name, change the Target Namespace Name, if required.

  2. Select Recover.
