# 28 Working with Elastic Kubernetes Service (EKS)

The N2W platform provides a built-in Kubernetes backup and recovery solution for AWS EKS clusters. It lets you protect Kubernetes resources, namespaces, and persistent volumes, and manage backups and restores directly from N2W, just like any other AWS resource.

N2W supports backing up entire EKS clusters or selected namespaces, which is useful for:

* Application-level protection
* Avoiding system or control-plane namespaces

You can restore backups to the same EKS cluster or a different one, into the same namespace or a different one.

### 28.1  Overview

N2W simplifies Kubernetes backup and restore workflows. You can:

* Add EKS clusters or namespaces to a policy like any other AWS resource.
* Back up an **entire** EKS cluster, including:
  * All namespaces
  * Cluster-scoped resources
  * EBS snapshots of Persistent volumes
  * Kubernetes manifests (to S3)
* Back up specific Namespaces only
* Restore anywhere:
  * To the same cluster
  * To a new cluster
  * And rename namespaces.
* Combine EKS backups with other AWS services in a single policy. In the same policy, you can back up:
  * An EKS namespace containing a WordPress deployment\
    **together with**
  * The associated AWS RDS database instance

### 28.2  Prerequisites

Before adding EKS resources to a CPM policy, the following steps must be completed:

1. **Install Velero on each EKS cluster you want to protect.**

Velero is an open-source tool that provides backup and restore for Kubernetes clusters.\
It backs up Kubernetes resources and persistent volumes, saves them in S3-compatible storage, and lets you safely restore clusters when needed.

Velero must be installed on:

* Every source EKS cluster you back up.
* Every destination EKS cluster you restore into.

{% hint style="success" %}
See [Appendix H](https://docs.n2ws.com/user-guide/appendix-h-velero-installation-guide) for the *Velero Installation Guide*.
{% endhint %}

2. **Configure the Velero backup storage (S3).**

During Velero installation, specify:

* An S3 bucket that stores your Kubernetes manifests.
* The velero-plugin-for-aws, which enables Velero to create EBS snapshots.

3. **Ensure that the following IAM permissions and access are set:**

* Kubernetes RBAC (EKS Access Entry & Policies). Configure an EKS Access Entry for the EC2 instance's IAM role with appropriate policies:
  * **Required**: Velero Namespace Admin Access
    * Policy: AmazonEKSClusterAdminPolicy
    * Scope: namespace - specifically the velero namespace
    * Purpose: Allows creating and managing Velero backup/restore resources
  * **Optional**: Cluster-Wide Read Access
    * Policy: AmazonEKSViewPolicy
    * Scope: cluster
    * Purpose: Enables viewing pods, deployments, and services across all namespaces for monitoring and observability
* **Velero S3 and IAM Roles for Service Accounts (IRSA) configuration**. Ensure that the Velero pod uses IRSA and that the following are in place:
  * Permissions to access the Velero backup S3 bucket
  * Permissions to create and manage EBS snapshots
  * An IAM role trust policy that allows the Velero Service Account to assume the role via the cluster’s OIDC provider
  * An OIDC identity provider associated with the EKS cluster (required by IRSA)

4. **Ensure network connectivity** between the VPC and the EKS API endpoint.
5. **Set EKS Access Entry**: Associate the IAM role with EKS access policies.
6. **Enable Security Group**: Allow outbound HTTPS (port 443) to the EKS cluster API endpoint.
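
The IRSA trust policy requirement in step 3 is the easiest prerequisite to get subtly wrong, because a policy that trusts the cluster's OIDC provider without pinning the service account lets any pod identity in the cluster assume the Velero role. The following check is an added example, not N2W or Velero code; the account ID, OIDC issuer ID, and the `velero` service account name are constructed placeholders or assumptions.

```python
import json

# Constructed placeholder values; substitute your cluster's OIDC issuer and account.
OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789"
PROVIDER_ARN = f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"
# Assumption: Velero runs as service account "velero" in namespace "velero".
SUBJECT = "system:serviceaccount:velero:velero"

def trust_policy(condition, provider_arn=PROVIDER_ARN):
    """Build a single-statement IRSA trust policy as a JSON string."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": provider_arn},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]})

GOOD = trust_policy({"StringEquals": {f"{OIDC}:sub": SUBJECT,
                                      f"{OIDC}:aud": "sts.amazonaws.com"}})
LOOSE = trust_policy({"StringLike": {f"{OIDC}:sub": "system:serviceaccount:*:*"}})

def check_irsa_trust(policy_json, provider_arn=PROVIDER_ARN, subject=SUBJECT):
    """Return findings for a trust policy; an empty list means it is pinned."""
    issuer = provider_arn.split(":oidc-provider/", 1)[1]
    findings, matched = [], False
    for st in json.loads(policy_json).get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        principal = st.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if federated != provider_arn:
            findings.append(f"principal {federated!r} is not this cluster's OIDC provider")
            continue
        matched = True
        cond = st.get("Condition", {})
        exact = cond.get("StringEquals", {})
        if exact.get(f"{issuer}:sub") != subject:
            findings.append("sub is not pinned to the Velero service account (StringEquals)")
        if exact.get(f"{issuer}:aud") != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
        like_sub = str(cond.get("StringLike", {}).get(f"{issuer}:sub", ""))
        if "*" in like_sub or "?" in like_sub:
            findings.append(f"wildcard subject {like_sub!r} admits other service accounts")
    if not matched:
        findings.append("no statement trusts this cluster's OIDC provider")
    return findings
```

To audit a real role, pass the JSON of its trust policy document (for example, as returned by `aws iam get-role`) together with the cluster's OIDC provider ARN.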

### 28.3  Creating EKS Policies

To define EKS policies, see section [4.2](https://docs.n2ws.com/user-guide/4-defining-backup-policies#id-4-2-policies). Select **EKS Clusters** or **EKS Namespaces** from the **Backup Targets** menu.

### 28.4  Recovering EKS

N2W supports flexible restore operations for EKS:

* Restore the **entire** EKS cluster backup, which includes:
  * All namespaces
  * All workloads and resources
  * Persistent volumes
  * Optional cluster-scoped resources
* Restore only **selected** namespaces, which allows restoring workloads into the same cluster or into a different EKS cluster:
  * One or multiple namespaces
  * Optionally rename namespaces during recovery
* During recovery, you can choose whether to restore Cluster-Scoped Resources, such as:
  * ClusterRoles
  * ClusterRoleBindings
  * CustomResourceDefinitions (CRDs)

When to enable the Cluster-Scoped Resources option:

| **Scenario**                             | **Recommendation**          |
| ---------------------------------------- | --------------------------- |
| Restoring into the *same* cluster        | Usually **leave unchecked** |
| Restoring into a *new* empty EKS cluster | **Recommended to enable**   |

**To recover EKS clusters or EKS namespaces:**

1. In the **Backup Monitor**, select the AWS **Cloud** button.
2. In the **Search backups** box, enter a string to search by. The string can be part of the resource ID or part of the resource tag value.
3. To filter by resource type, select a resource type in the **By Instance** list, such as EKS Cluster.
4. Select <img src="https://1476770828-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5oB64hgFIX2jdQ2O72cF%2Fuploads%2FyipDTxvWUSIVFZoRWXg3%2Fimage.png?alt=media&#x26;token=1e6eeeb6-8d23-43cd-8403-d5cf5a8384c8" alt="" data-size="original">, choose a backup in the list, and then select ![](https://1476770828-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5oB64hgFIX2jdQ2O72cF%2Fuploads%2FrXONj2WbPythBMtwae5A%2Fimage.png?alt=media\&token=537fa967-f5a1-4870-8358-7df18a1c1c68) **Recover.** A list of clusters opens.
5. Select a **Cluster Name.**

<figure><img src="https://1476770828-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5oB64hgFIX2jdQ2O72cF%2Fuploads%2FsmHthBhbA08W1sQzpKsp%2Feks%20cluster%20recover%20list.png?alt=media&#x26;token=4ad5bf6c-0806-409b-a5d0-50f59e4407ae" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1476770828-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5oB64hgFIX2jdQ2O72cF%2Fuploads%2Fpe2Sgp4BUT9yuKe3Q36e%2FEKS%20Recover%20Cluster%20Namespaces.png?alt=media&#x26;token=b7981635-6e2b-49d2-871e-61da086c5b7e" alt=""><figcaption></figcaption></figure>

**To recover namespaces:**

1. To recover specific namespaces, select the **Namespaces** tab.
   1. To include Cluster-Scoped Resources, select **Include Cluster Resources**.
   2. In the **Namespace Name** list, select one or more **Names**.
   3. For each **Name**, change the **Target Namespace Name**, if required.
2. Select ![](https://1476770828-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5oB64hgFIX2jdQ2O72cF%2Fuploads%2FdPUWRmDK5h4RxcnTSnIu%2Fimage.png?alt=media\&token=3eaee9eb-f982-4d97-a662-7064757f5345) **Recover.**
