This page describes how to back up and restore an admin cluster, including its etcd data, secrets and certificates, using the gkectl command. You can also back up and restore an admin cluster manually.
Back up an admin cluster
You can set up admin cluster backups so they are automatically performed before and after cluster creation, update and upgrade for user and admin clusters. You can also perform an on-demand backup whenever you deem it necessary.
An admin cluster backup includes the following:
- Admin cluster etcd data
- Secrets
- Certificates
- Always-on secrets encryption keys and config files, if the always-on secrets encryption feature is enabled
The size of a backup can range from 3 MB to 100 MB, depending on the size of the cluster.
Enable the admin cluster backup feature
By default this feature is disabled. To enable the admin cluster backup feature:
- Add the following section to the admin cluster configuration file:
    clusterBackup:
      datastore: DATASTORE
  Replace DATASTORE with the datastore where you want to store the backup. The datastore must be in the same datacenter as the admin cluster.
  - For a non-HA admin cluster, backups are located in the "anthos-backup/DATADISK_PATH" directory of the specified datastore.
  - For an HA admin cluster, backups are located in the "anthos/ADMIN_CLUSTER_NAME/backup" directory of the specified datastore.
- Update the admin cluster:
    gkectl update admin --kubeconfig ADMIN_CLUSTER_KUBECONFIG --config ADMIN_CLUSTER_CONFIG
  Replace:
  - ADMIN_CLUSTER_KUBECONFIG with the path of your admin cluster kubeconfig file.
  - ADMIN_CLUSTER_CONFIG with the path of your admin cluster configuration file.
Disable the admin cluster backup feature
- Remove the clusterBackup section from the admin cluster configuration file:
    clusterBackup:
      datastore: DATASTORE
- Update the admin cluster with this change, using this command:
    gkectl update admin --kubeconfig ADMIN_CLUSTER_KUBECONFIG --config ADMIN_CLUSTER_CONFIG
Update the backup datastore
You can update the datastore where backups are stored by updating clusterBackup.datastore to reflect the new location. The new datastore must be in the same datacenter as the admin cluster.
- Edit the admin cluster configuration file to change the clusterBackup.datastore value:
    clusterBackup:
      datastore: new-datastore
- Update the admin cluster with this change, using this command:
    gkectl update admin --kubeconfig ADMIN_CLUSTER_KUBECONFIG --config ADMIN_CLUSTER_CONFIG
On-demand backup
To trigger an on-demand admin cluster backup, run the following command:
  gkectl backup admin --kubeconfig ADMIN_CLUSTER_KUBECONFIG --config ADMIN_CLUSTER_CONFIG
Limit on number of backups
You can have a maximum total of six backups, divided into a maximum of three on-demand backups, and a maximum of three backups from cluster update, upgrade or create operations. These backups are automatically rotated should these limits be exceeded. No manual intervention is necessary.
Restore an admin cluster
You should restore an admin cluster only when it is completely broken with data loss or corruption. For example:
- The admin master data disk is lost or corrupted.
- The admin cluster's etcd is lost or corrupted.
- The admin cluster's control plane secrets and certificates are lost or corrupted.
Do not use this approach to restore a working admin cluster to an arbitrary previous state. This restore feature should not be used as a way to revert admin cluster operations such as a cluster update or cluster upgrade.
Do not use this approach to restore an HA admin cluster. For an HA admin cluster, we support only gkectl repair admin-master, not gkectl repair admin-master --restore-from-backup.
To recreate the admin cluster from a backup, run the following command:
  gkectl repair admin-master --kubeconfig ADMIN_CLUSTER_KUBECONFIG --config ADMIN_CLUSTER_CONFIG --restore-from-backup
This command retrieves all of the backups of this admin cluster from the datastore defined in the clusterBackup section of the admin cluster configuration file, and it prompts you to select the one you want to use to restore the admin cluster.