BlueXP Blog

Secure your Kubernetes deployment the NetApp way

Written by Niyaz Mohamed, Principal Technical Marketing Engineer | Aug 26, 2021 11:44:15 AM

Organizations are moving away from large applications toward small service-based models, on platforms such as Azure Kubernetes Service (AKS), so that they can upgrade, scale, and manage each component independently (with backward compatibility). As AKS is becoming our new norm for deploying applications, it is important to have a safety net for applications running on Kubernetes. The AKS best practices guidance clearly calls out the need for backup, stating that you should “Back up your data using an appropriate tool for your storage type” and “Verify the integrity and security of those backups”.

Here are some of the common scenarios that can lead to data loss or recovery challenges.

  • Events such as the following:
    • An accidental deletion of a namespace
    • An application roll-out introduces a critical bug that deletes the associated persistent volume
    • A Kubernetes API upgrade fails, and you need to revert
    • A cluster transitions into an unrecoverable state
    • A cluster becomes inaccessible due to a natural disaster
    • Network failures
  • Replicating an environment for testing, development, or staging before rolling out a major upgrade or for debugging purposes
  • Migrating a namespace cluster from one environment to another

The application data (persistent volumes) needs to be protected along with additional cluster resources and configurations. When applications store and consume data persisted on files, you should do regular backups or make snapshot copies.

Astra Control Service gives you the capability to protect your applications that run on AKS and leverage Azure NetApp Files for storage. It also gives your organization the capability to run high-performance and throughput workloads with the highest level of data protection.

It is simple to get started and takes just a few minutes to achieve data protection. In this blog, we use a document management portal as a demonstration application, which allows you to upload documents of any size and stores the associated metadata on a MySQL database. The setup requires the following pre-requisites:

  • An AKS cluster running AKS 1.19 or later
  • Azure NetApp Files configured with a 4 TB capacity pool
  • An Astra Control Service account

Create an AKS cluster:

You can create an AKS cluster either by using the az aks create command or from the portal. After the cluster is created, you can connect to it from the shell and manage it with kubectl by using the following commands:

    az account set --subscription a03cfa5e-a235-4b83-9945-6aafa420e1e4
    az aks get-credentials --resource-group neemo.rg --name nimo-demo-astra
    kubectl get nodes -o wide

Configure Azure NetApp Files

After you log in to the Azure Portal and access Azure NetApp Files, verify that you have access to the Azure NetApp Files service and register the Azure NetApp Files Resource Provider by using the az provider register --namespace Microsoft.NetApp --wait command. After registration, create a NetApp account and a capacity pool with the required size, and verify that you have configured a delegated subnet with the appropriate routes in place.

Run the demonstration application

You can run the application by using two manifests that include the following Kubernetes deployments:

  • A sample document manager application
  • A MySQL instance

This creates the following two Kubernetes services:

  • An internal service for the MySQL instance
  • An external service to access the document manager application from the internet

Now you can perform the following steps to complete the deployment:

  1. Create five files named docmgr.dpl.yaml, docmgr.svc.yaml, mysql.dpl.yaml, mysql.svc.yaml and mysql.pvc.yaml (you can also combine them into a single YAML file).
  2. Copy in the appropriate YAML definition from here.
  3. Deploy the application by using the kubectl apply command, and specify the name of the YAML manifest as follows:
    • kubectl apply -f docmgr.dpl.yaml
    • kubectl apply -f docmgr.svc.yaml
    • kubectl apply -f mysql.pvc.yaml
    • kubectl apply -f mysql.dpl.yaml
    • kubectl apply -f mysql.svc.yaml

Your system displays output similar to the following:

Test the application

When the application is running, AKS exposes the application front end to the internet, which can take a few minutes to complete. You can see the document management portal in action by opening a web browser to the service external IP address.

Back up the application

When the application is running, it is important to protect the data with appropriate recovery points by using the following procedure in the intuitive UI provided by Astra.

  1. Log in to https://astra.netapp.io/.
  2. On the dashboard, select Manage Kubernetes compute.
  3. Add the compute by selecting the appropriate provider and service principal and selecting Discover Compute.

Note: Astra requires an Azure Service Principal account with Contributor role access to the subscription hosting the Kubernetes clusters.

  4. Select your cluster and select Configure Storage.
  5. Select the appropriate storage class that will be used by the applications. During this step, the Trident provisioner is installed and the selected storage class is marked as default.
  6. Finally, review the selection and select Add compute.

Note: Astra Control Service automatically creates a blob container for application backups, creates an admin account on the cluster, and sets the default storage class that was specified. This process takes approximately five minutes.

After the compute is discovered and the applications are installed, you can set up the protection policy. With Astra Control, you can manage applications at the namespace level or by the Kubernetes label. To quickly manage an application, simply select Apps and from the dashboard select Discovered > Manage.

You can also protect the applications by using an automated protection policy to take snapshot copies and backups, or on an ad hoc basis. Astra recognises the MySQL application, and it is quiesced before a snapshot copy or backup operation so that an application-consistent snapshot copy or backup is taken.

The snapshot copy process leverages the snapshot copy technology which provides a point-in-time copy of the application. It is stored on the same provisioned volume as the application and can be used as quick recovery points. The snapshot copy process takes minutes and, regardless of size, has zero impact on the volume performance or network bandwidth. On the other hand, backups are stored on a blob container in Azure. The backup operation can be slower to complete compared to the local snapshot copies because there is data movement to the associated blob. However, you can access them across regions in the cloud to support application migrations.

We recommend that you create a protection policy to meet your service level agreement, the associated recovery point objective, and the recovery time objective. You can easily do this from the portal by selecting Apps > Data Protection > Configure Protection Policy. This provides a safety net and gives you the capability to recover your data from your snapshot copies or backups, depending on the disaster scenario.

Restore the application

Now let us simulate a disaster scenario where a namespace is accidentally deleted.

In this scenario, you can use Astra Control Service to restore the application configuration and persistent storage from a snapshot copy or backup with two steps, by first selecting the appropriate snapshot copy and then confirming the operation. After you complete these steps, you should see that the document manager namespace is back and the docmgr and mysql pods are running again.

To verify that the data was not lost, start up the docmgr UI and verify that the documents that were uploaded before the namespace was deleted are still present.
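
The check above can also be done mechanically, in line with the AKS guidance quoted at the top of this post to verify the integrity of backups. The following script is an added example, not part of the original post or of Astra Control: it records a SHA-256 manifest of the documents while they are known good and compares it with a manifest taken after the restore. The function names and the assumption that the documents are reachable as a local directory are illustrative.

```bash
#!/usr/bin/env bash
# Added example: checksum manifest for verifying documents after a restore.
# Assumption: the documents are reachable as a local directory (for example a
# copy of the application's persistent volume); file names contain no newlines.

# Use whichever SHA-256 tool is installed.
sha256_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# make_manifest DIR: print "<sha256>  ./relative/path" for every file, sorted by path.
make_manifest() {
  (
    cd "$1" || exit 1
    find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      sha256_cmd "$f"
    done
  )
}

# compare_manifests BEFORE AFTER: report differences; return 1 if any file
# recorded in BEFORE is missing or has different content in AFTER.
compare_manifests() {
  awk '
    FILENAME == ARGV[1] { h = $1; sub(/^[^ ]+ +/, ""); before[$0] = h; next }
    {
      h = $1; sub(/^[^ ]+ +/, ""); seen[$0] = 1
      if (!($0 in before))      print "ADDED " $0
      else if (before[$0] != h) { print "CHANGED " $0; bad = 1 }
    }
    END {
      for (p in before) if (!(p in seen)) { print "MISSING " p; bad = 1 }
      exit (bad ? 1 : 0)
    }
  ' "$1" "$2"
}

# Usage: verify.sh manifest DIR > before.sha256          (while the data is known good)
#        verify.sh compare before.sha256 after.sha256    (after the restore)
case "${1:-}" in
  manifest) make_manifest "$2" ;;
  compare)  compare_manifests "$2" "$3" ;;
esac
```

Files that appear only after the restore are reported as ADDED but do not fail the comparison; only MISSING or CHANGED entries produce a non-zero exit status.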

Takeaways

In this blog, we discuss the importance of backing up data and having a good disaster recovery strategy to help you recover from time-consuming and wrenching data-loss occurrences. We also describe a demonstration application. In conclusion, based on your deployment model and the state of the application, you can protect any service-oriented application by using Astra Control.

Getting Started

Astra Control Service provides rich features that give you the capability to better manage your data. To access this fantastic service and learn how easy it is to manage, protect, clone and restore your data, get started today with our free plan.