This page describes how to perform a cross-project backup in Google Kubernetes Engine (GKE) using the Backup for GKE service.
Overview
Cross-project backups let you decouple the backup project lifecycle from the cluster project. You can get access-controlled backups separately in a different project than the cluster project.
Limitations
You cannot migrate existing backup plans to perform cross-project backups.
Pricing
For pricing details, see Pricing for cross-project backups and restores.
Before you begin
-
Before you start, make sure you have performed the following tasks:
- Enable the Google Kubernetes Engine API. Enable Google Kubernetes Engine API
- If you want to use the Google Cloud CLI for this task,
install and then
initialize the
gcloud CLI. If you previously installed the gcloud CLI, get the latest
version by running
gcloud components update.
Enable the Backup for GKE add-on in the cluster you want to backup. For more information, see Enable Backup for GKE for a cluster.
Required roles
To get the permissions that
you need to create and manage a cross-project backup,
ask your administrator to grant you the
Backup for GKE Backup Admin (roles/gkebackup.backupAdmin), which is a subset of Backup for GKE Admin (roles/gkebackup.admin)
IAM role on your project.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Set up service accounts
If needed, create per-project service accounts to perform operations on your projects.
Using Google Cloud CLI, run the following commands to set up a service account:
Create a service account by running the
gcloud beta services identity createcommand:gcloud beta services identity create \ --service=gkebackup.googleapis.com \ --project=CLUSTER_PROJECT_ID gcloud projects add-iam-policy-binding CLUSTER_PROJECT_ID \ --member=serviceAccount:service-CLUSTER_PROJECT_NUMBER@gcp-sa-gkebackup.iam.gserviceaccount.com \ --role=roles/gkebackup.serviceAgent \ gcloud beta services identity create \ --service=gkebackup.googleapis.com \ --project=BACKUP_PROJECT_ID gcloud projects add-iam-policy-binding BACKUP_PROJECT_ID \ --member=serviceAccount:service-BACKUP_PROJECT_NUMBER@gcp-sa-gkebackup.iam.gserviceaccount.com \ --role=roles/gkebackup.serviceAgentReplace the following:
CLUSTER_PROJECT_ID: the alphanumeric name of your Google Cloud project that you want to create. For example,cluster-project-id.CLUSTER_PROJECT_NUMBER: the unique numeric identifier for your Google Cloud project. For example,123456789012.BACKUP_PROJECT_ID: the alphanumeric name of the Google Cloud project where your backup will be stored. For example,backup-project-id.BACKUP_PROJECT_NUMBER: the unique numeric identifier of the project where your backup will be stored. For example,123456789012.
Allow the backup project's service account to perform backups in the cluster project by running the
gcloud projects add-iam-policy-bindingcommand:gcloud projects add-iam-policy-binding CLUSTER_PROJECT_ID \ --member=serviceAccount:service-BACKUP_PROJECT_NUMBER@gcp-sa-gkebackup.iam.gserviceaccount.com \ --role=roles/gkebackup.serviceAgentReplace the following:
CLUSTER_PROJECT_ID: the alphanumeric name of your Google Cloud project. For example,cluster-project-id.BACKUP_PROJECT_NUMBER: the unique numeric identifier of the project where your backup will be stored. For example,123456789012.
Allow the cluster project's agent to access
gkebackup.googleapis.comin the backup project by running thegcloud projects add-iam-policy-bindingcommand:gcloud projects add-iam-policy-binding BACKUP_PROJECT_ID \ --member serviceAccount:service-CLUSTER_PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com \ --role "roles/gkebackup.crossProjectServiceAgent"Replace the following:
BACKUP_PROJECT_ID: the alphanumeric name of the Google Cloud project where your backup will be stored. For example,backup-project-id.CLUSTER_PROJECT_NUMBER: the unique numeric identifier for your Google Cloud project. For example,123456789012.
Create a backup channel
After you set up service accounts, you must create a backup channel in the same project and region as the cluster that you want to back up. After you create a backup channel, you can back up clusters in the project and region to the destination project.
gcloud
To create a backup channel, run the
gcloud beta container backup-restore backup-channels create command
using Google Cloud CLI:
gcloud beta container backup-restore backup-channels create BACKUP_CHANNEL_NAME \
--project=CLUSTER_PROJECT_ID \
--location=CLUSTER_LOCATION \
--destination-project=projects/BACKUP_PROJECT_NUMBER
Replace the following:
BACKUP_CHANNEL_NAME: the name of the backup channel you want to create. For example,my-backup-channel-name.CLUSTER_PROJECT_ID: the alphanumeric name of your Google Cloud project where the cluster is located. For example,cluster-project-id.CLUSTER_LOCATION: the region where the cluster is located. For example,us-central1.BACKUP_PROJECT_NUMBER: the unique numeric identifier of the project where the backup will be stored.
Console
To create a manual backup in the Google Cloud console, use the following instructions:
In the Google Cloud console, go to the Google Kubernetes Engine page.
From the Resource Management menu, click Backup for GKE.
Click the Backup channels tab.
In the Backup channels tab, click Create a backup channel.
Using the Cluster project field, make sure you've selected the correct cluster project.
Using the Region menu, select the region where your clusters are located.
Using the Backup project field, select the project to which you want to allow backups.
In the Backup channel name field, enter a name for your backup channel.
Optional: in the Backup channel description field, enter a brief description for the backup channel.
Click Next.
Validate the P4SA permissions on the cluster and backup projects.
Click Create.
Create a backup plan
After you create a backup channel, you must create the backup plan. If the
cluster being backed up resides in a different project, the backup plan is
automatically bound to an existing backup channel. The backup_channel field
in the backup plan shows the backup channel that the backup plan is bound to.
Before you begin
Before you create a backup plan, see Plan a set of backups.
Create a backup plan
To create a backup plan in the backup project using the Google Cloud console, use the following instructions:
In the Google Cloud console, go to the Google Kubernetes Engine page.
From the Resource Management menu, click Backup for GKE.
Open the backup project you want to create the backup plan in.
Click Create a backup plan.
Select the Configure cross-project backups checkbox.
In the Cluster project field, choose the project containing your source cluster.
From the Cluster menu, select the region of the cluster.
In the Backup plan name field, enter a name for the backup plan.
In the Backup project field, enter the name of the backup project you want to store your backups in.
In the Region field, enter the location where your backups will be stored. If no backup channel is found, click Create backup channel, follow the prompts to create a backup channel, and click Create.
Click View backup channel details.
Click Validate permissions.
Complete the remaining steps as described in Create a backup plan.
Click Create plan.
View a backup channel
Use the instructions in the following sections to view backup channels.
View all backup channels within a project and region
gcloud
To view all backup channels within a project and region, run
the gcloud beta container backup-restore backup-channels list command
using Google Cloud CLI:
gcloud beta container backup-restore backup-channels list \
--project=CLUSTER_PROJECT_ID \
--location=CLUSTER_LOCATION
Replace the following:
CLUSTER_PROJECT_ID: the alphanumeric name of your Google Cloud project where the cluster is located. For example,cluster-project-id.CLUSTER_LOCATION: the region where the cluster is located. For example,us-central1.
Console
To view all backup channels within a project and region in the Google Cloud console, use the following instructions:
In the Google Cloud console, go to the Google Kubernetes Engine page.
From the Resource Management menu, click Backup for GKE.
Click the Backup channels tab.
Use the project and region menu to filter the list of backup channels.
The filtered list displays all backup channels in the selected project and region.
View details of a backup channel
gcloud
To view the details of a backup channel, run the
gcloud beta container backup-restore backup-channels describe command
using Google Cloud CLI:
gcloud beta container backup-restore backup-channels describe BACKUP_CHANNEL_NAME \
--project=CLUSTER_PROJECT_ID \
--location=CLUSTER_LOCATION
Replace the following:
BACKUP_CHANNEL_NAME: the name of the backup channel you want to view. For example,my-backup-channel-name.CLUSTER_PROJECT_ID: the alphanumeric name of your Google Cloud project where the cluster is located. For example,cluster-project-id.CLUSTER_LOCATION: the region where the cluster is located. For example,us-central1.
Console
To view details of a backup channel in the Google Cloud console, use the following instructions:
In the Google Cloud console, go to the Google Kubernetes Engine page.
From the Resource Management menu, click Backup for GKE.
Click the Backup channels tab.
Use the project and region menu to filter the list of backup channels.
Click the name of the backup channel you want to view. A page with the details of that backup channel opens.
View the backup plans from other projects bound to a backup channel
To view the backup plans from other projects that are bound to a backup
channel, run the gcloud beta container backup-restore backup-plan-bindings list
command using Google Cloud CLI:
gcloud beta container backup-restore backup-plan-bindings list \
--backup-channel=BACKUP_CHANNEL_NAME \
--project=CLUSTER_PROJECT_ID \
--location=CLUSTER_LOCATION
Replace the following:
BACKUP_CHANNEL_NAME: the name of the backup channel you want to view. For example,my-backup-channel-name.CLUSTER_PROJECT_ID: the alphanumeric name of your Google Cloud project where the cluster is located. For example,cluster-project-id.CLUSTER_LOCATION: the region where the cluster is located. For example,us-central1.
Manage backup channels
The following sections describe how to manage backup channels after you create them.
Update a backup channel
Use the following instructions to update a backup channel. Note that you can only modify the description of an existing backup channel. All other fields cannot be modified.
gcloud
To update the description of a backup channel, run the
gcloud beta container backup-restore backup-channels update command
using Google Cloud CLI:
gcloud beta container backup-restore backup-channels update BACKUP_CHANNEL_NAME \
--project=CLUSTER_PROJECT_ID \
--location=CLUSTER_LOCATION \
--description=DESCRIPTION
Replace the following:
BACKUP_CHANNEL_NAME: the name of the backup channel you want to update. For example,my-backup-channel-name.CLUSTER_PROJECT_ID: the alphanumeric name of your Google Cloud project where the cluster is located. For example,cluster-project-id.CLUSTER_LOCATION: the region where the cluster is located. For example,us-central1.DESCRIPTION: the description you want to update.
Console
To update a backup channel in the Google Cloud console, use the following instructions:
In the Google Cloud console, go to the Google Kubernetes Engine page.
From the Resource Management menu, click Backup for GKE.
Click the Backup channels tab.
In the Backup channels page, click the backup channel you want to update. Note that you can only update the description of an existing backup channel. All other fields cannot be modified.
The Backup Channel Details page appears.
Click Validate permissions.
In the Backup channel details sections, click the Edit description icon.
The Edit description dialog displays.
In the Description field, enter the updated description, then click Save changes.
Delete a backup channel
You can only delete a backup channel if it does not contain any active backup plans. If active backup plans are bound to it, you must first deactivate or delete the backup plans before you can delete the backup channel.
gcloud
To delete a backup channel, run the
gcloud beta container backup-restore backup-channels delete command using
Google Cloud CLI:
gcloud beta container backup-restore backup-channels delete BACKUP_CHANNEL_NAME \
--project=CLUSTER_PROJECT_ID \
--location=CLUSTER_LOCATION
Replace the following:
BACKUP_CHANNEL_NAME: the name of the backup channel you want to delete. For example,my-backup-channel-name.CLUSTER_PROJECT_ID: the alphanumeric name of your Google Cloud project where the cluster is located. For example,cluster-project-id.CLUSTER_LOCATION: the region where the cluster is located. For example,us-central1.
Console
To delete a backup channel in the Google Cloud console, use the following instructions:
In the Google Cloud console, go to the Google Kubernetes Engine page.
From the Resource Management menu, click Backup for GKE.
Click the Backup channels tab.
In the Backup channels page, click the backup channel you want to delete.
Click Delete channel.
A dialog appears asking you to confirm that you want to delete the backup channel.
In the Backup channel name field, enter the name of the backup channel to confirm delete.
Click Confirm.
What's next
Learn how to perform a cross-project restore.
Learn more about planning a set of restores.