You can run Kubernetes on Google Cloud Platform in either:
- Kubernetes on Google Compute Engine virtual machines
- Google Kubernetes Engine
If you do not have the gcloud and gsutil CLIs locally installed, follow the user guide to set them up.
-
Download the latest official release's tarball for your client platform.
We strongly recommend that you use an official release of Velero. The tarballs for each release contain the
velerocommand-line client. The code in the master branch of the Velero repository is under active development and is not guaranteed to be stable! -
Extract the tarball:
tar -xvf <RELEASE-TARBALL-NAME>.tar.gz -C /dir/to/extract/to
We'll refer to the directory you extracted to as the "Velero directory" in subsequent steps.
-
Move the
velerobinary from the Velero directory to somewhere in your PATH.
Velero requires an object storage bucket in which to store backups, preferably unique to a single Kubernetes cluster (see the FAQ for more details). Create a GCS bucket, replacing the <YOUR_BUCKET> placeholder with the name of your bucket:
BUCKET=<YOUR_BUCKET>
gsutil mb gs://$BUCKET/To integrate Velero with GCP, create a Velero-specific Service Account:
-
View your current config settings:
gcloud config list
Store the
projectvalue from the results in the environment variable$PROJECT_ID.PROJECT_ID=$(gcloud config get-value project) -
Create a service account:
gcloud iam service-accounts create velero \ --display-name "Velero service account"If you'll be using Velero to backup multiple clusters with multiple GCS buckets, it may be desirable to create a unique username per cluster rather than the default
velero.Then list all accounts and find the
veleroaccount you just created:gcloud iam service-accounts list
Set the
$SERVICE_ACCOUNT_EMAILvariable to match itsemailvalue.SERVICE_ACCOUNT_EMAIL=$(gcloud iam service-accounts list \ --filter="displayName:Velero service account" \ --format 'value(email)')
-
Attach policies to give
velerothe necessary permissions to function:ROLE_PERMISSIONS=( compute.disks.get compute.disks.create compute.disks.createSnapshot compute.snapshots.get compute.snapshots.create compute.snapshots.useReadOnly compute.snapshots.delete compute.zones.get ) gcloud iam roles create velero.server \ --project $PROJECT_ID \ --title "Velero Server" \ --permissions "$(IFS=","; echo "${ROLE_PERMISSIONS[*]}")" gcloud projects add-iam-policy-binding $PROJECT_ID \ --member serviceAccount:$SERVICE_ACCOUNT_EMAIL \ --role projects/$PROJECT_ID/roles/velero.server gsutil iam ch serviceAccount:$SERVICE_ACCOUNT_EMAIL:objectAdmin gs://${BUCKET} -
Create a service account key, specifying an output file (
credentials-velero) in your local directory:gcloud iam service-accounts keys create credentials-velero \ --iam-account $SERVICE_ACCOUNT_EMAIL
If you run Google Kubernetes Engine (GKE), make sure that your current IAM user is a cluster-admin. This role is required to create RBAC objects. See the GKE documentation for more information.
Install Velero, including all prerequisites, into the cluster and start the deployment. This will create a namespace called velero, and place a deployment named velero in it.
velero install \
--provider gcp \
--bucket $BUCKET \
--secret-file ./credentials-veleroAdditionally, you can specify --use-restic to enable restic support, and --wait to wait for the deployment to be ready.
(Optional) Specify --snapshot-location-config snapshotLocation=<YOUR_LOCATION> to keep snapshots in a specific availability zone. See the VolumeSnapshotLocation definition for details.
(Optional) Specify additional configurable parameters for the --backup-location-config flag.
(Optional) Specify additional configurable parameters for the --snapshot-location-config flag.
For more complex installation needs, use either the Helm chart, or add --dry-run -o yaml options for generating the YAML representation for the installation.
If you run the nginx example, in file examples/nginx-app/with-pv.yaml:
* Replace `<YOUR_STORAGE_CLASS_NAME>` with `standard`. This is GCP's default `StorageClass` name.