This page describes how to perform a cross-project backup in Google Kubernetes Engine (GKE) using the Backup for GKE service.
Overview
Cross-project backups let you decouple the backup project lifecycle from the cluster project. You can get access-controlled backups separately in a different project than the cluster project.
Limitations
You cannot migrate existing backup plans to perform cross-project backups.
Pricing
For pricing details, see Pricing for cross-project backups and restores .
Before you begin
-
Before you start, make sure that you have performed the following tasks:
- Enable the Google Kubernetes Engine API. Enable Google Kubernetes Engine API
- If you want to use the Google Cloud CLI for this task, install
and then initialize
the
gcloud CLI. If you previously installed the gcloud CLI, get the latest
version by running
gcloud components update.
-
Enable the Backup for GKE API in the project that contains the cluster you want to back up and the project where you want to store the backup. For more information, see Enable the Backup for GKE API .
-
Enable the Backup for GKE add-on in the cluster you want to backup. For more information, see Enable Backup for GKE for a cluster .
Required roles
To get the permissions that
you need to create and manage a cross-project backup,
ask your administrator to grant you the
Backup for GKE Backup Admin ( roles/gkebackup.backupAdmin
), which is a subset of Backup for GKE Admin ( roles/gkebackup.admin
)
IAM role on your project.
For more information about granting roles, see Manage access to projects, folders, and organizations
.
You might also be able to get the required permissions through custom roles or other predefined roles .
Set up service accounts
If needed, create per-project service accounts to perform operations on your projects.
Using Google Cloud CLI, run the following commands to set up a service account:
-
Create a service account by running the
gcloud beta services identity createcommand:gcloud beta services identity create \ --service = gkebackup.googleapis.com \ --project = CLUSTER_PROJECT_ID gcloud projects add-iam-policy-binding CLUSTER_PROJECT_ID \ --member = serviceAccount:service- CLUSTER_PROJECT_NUMBER @gcp-sa-gkebackup.iam.gserviceaccount.com \ --role = roles/gkebackup.serviceAgent \ gcloud beta services identity create \ --service = gkebackup.googleapis.com \ --project = BACKUP_PROJECT_ID gcloud projects add-iam-policy-binding BACKUP_PROJECT_ID \ --member = serviceAccount:service- BACKUP_PROJECT_NUMBER @gcp-sa-gkebackup.iam.gserviceaccount.com \ --role = roles/gkebackup.serviceAgentReplace the following:
-
CLUSTER_PROJECT_ID: the alphanumeric name of your Google Cloud project that you want to create. For example,cluster-project-id. -
CLUSTER_PROJECT_NUMBER: the unique numeric identifier for your Google Cloud project. For example,123456789012. -
BACKUP_PROJECT_ID: the alphanumeric name of the Google Cloud project where your backup will be stored. For example,backup-project-id. -
BACKUP_PROJECT_NUMBER: the unique numeric identifier of the project where your backup will be stored. For example,123456789012.
-
-
Allow the backup project's service account to perform backups in the cluster project by running the
gcloud projects add-iam-policy-bindingcommand:gcloud projects add-iam-policy-binding CLUSTER_PROJECT_ID \ --member = serviceAccount:service- BACKUP_PROJECT_NUMBER @gcp-sa-gkebackup.iam.gserviceaccount.com \ --role = roles/gkebackup.serviceAgentReplace the following:
-
CLUSTER_PROJECT_ID: the alphanumeric name of your Google Cloud project. For example,cluster-project-id. -
BACKUP_PROJECT_NUMBER: the unique numeric identifier of the project where your backup will be stored. For example,123456789012.
-
-
Allow the cluster project's agent to access
gkebackup.googleapis.comin the backup project by running thegcloud projects add-iam-policy-bindingcommand:gcloud projects add-iam-policy-binding BACKUP_PROJECT_ID \ --member serviceAccount:service- CLUSTER_PROJECT_NUMBER @container-engine-robot.iam.gserviceaccount.com \ --role "roles/gkebackup.crossProjectServiceAgent"Replace the following:
-
BACKUP_PROJECT_ID: the alphanumeric name of the Google Cloud project where your backup will be stored. For example,backup-project-id. -
CLUSTER_PROJECT_NUMBER: the unique numeric identifier for your Google Cloud project. For example,123456789012.
-
Create a backup channel
After you set up service accounts, you must create a backup channel in the same project and region as the cluster that you want to back up. After you create a backup channel, you can back up clusters in the project and region to the destination project.
gcloud
To create a backup channel, run the gcloud beta container backup-restore backup-channels create
command
using Google Cloud CLI:
gcloud
beta
container
backup-restore
backup-channels
create
BACKUP_CHANNEL_NAME
\
--project =
CLUSTER_PROJECT_ID
\
--location =
CLUSTER_LOCATION
\
--destination-project =
projects/ BACKUP_PROJECT_NUMBER
Replace the following:
-
BACKUP_CHANNEL_NAME: the name of the backup channel you want to create. For example,my-backup-channel-name. -
CLUSTER_PROJECT_ID: the alphanumeric name of your Google Cloud project where the cluster is located. For example,cluster-project-id. -
CLUSTER_LOCATION: the region where the cluster is located. For example,us-central1. -
BACKUP_PROJECT_NUMBER: the unique numeric identifier of the project where the backup will be stored.
Console
To create a backup channel in the Google Cloud console, use the following instructions:
-
In the Google Cloud console, go to the Google Kubernetes Enginepage.
-
From the Resource Managementmenu, click Backup for GKE.
-
Click the Backup channelstab.
-
In the Backup channelstab, click Create a backup channel.
-
Using the Cluster projectfield, make sure you've selected the correct cluster project.
-
Using the Regionmenu, select the region where your clusters are located.
-
Using the Backup projectfield, select the project to which you want to allow backups.
-
In the Backup channel namefield, enter a name for your backup channel.
-
Optional: in the Backup channel descriptionfield, enter a brief description for the backup channel.
-
Click Next.
-
Validate the service account permissions on the cluster and backup projects.
-
Click Create.
Create a backup plan
After you create a backup channel, you must create the backup plan. If the
cluster being backed up resides in a different project, the backup plan is
automatically bound to an existing backup channel. The backup_channel
field
in the backup plan shows the backup channel that the backup plan is bound to.
Before you begin
Before you create a backup plan, see Plan a set of backups .
Create a backup plan
To create a backup plan in the backup project using the Google Cloud console, use the following instructions:
-
In the Google Cloud console, go to the Google Kubernetes Enginepage.
-
From the Resource Managementmenu, click Backup for GKE.
-
Open the backup project you want to create the backup plan in.
-
Click Create a backup plan.
-
Select the Configure cross-project backupscheckbox.
-
In the Cluster projectfield, choose the project containing your source cluster.
-
From the Clustermenu, select the region of the cluster.
-
In the Backup plan namefield, enter a name for the backup plan.
-
In the Backup projectfield, enter the name of the backup project you want to store your backups in.
-
In the Regionfield, enter the location where your backups will be stored. If no backup channel is found, click Create backup channel, follow the prompts to create a backup channel, and click Create.
-
Click View backup channel details.
-
Click Validate permissions.
-
Complete the remaining steps as described in Create a backup plan .
-
Click Create plan.
View a backup channel
Use the instructions in the following sections to view backup channels.
View all backup channels within a project and region
gcloud
To view all backup channels within a project and region, run
the gcloud beta container backup-restore backup-channels list
command
using Google Cloud CLI:
gcloud
beta
container
backup-restore
backup-channels
list
\
--project =
CLUSTER_PROJECT_ID
\
--location =
CLUSTER_LOCATION
Replace the following:
-
CLUSTER_PROJECT_ID: the alphanumeric name of your Google Cloud project where the cluster is located. For example,cluster-project-id. -
CLUSTER_LOCATION: the region where the cluster is located. For example,us-central1.
Console
To view all backup channels within a project and region in the Google Cloud console, use the following instructions:
-
In the Google Cloud console of your cluster project, go to the Google Kubernetes Enginepage.
-
From the Resource Managementmenu, click Backup for GKE.
-
Click the Backup channelstab.
-
Use the project and region menu to filter the list of backup channels.
The filtered list displays all backup channels in the selected project and region.
View details of a backup channel
gcloud
To view the details of a backup channel, run the gcloud beta container backup-restore backup-channels describe
command
using Google Cloud CLI:
gcloud
beta
container
backup-restore
backup-channels
describe
BACKUP_CHANNEL_NAME
\
--project =
CLUSTER_PROJECT_ID
\
--location =
CLUSTER_LOCATION
Replace the following:
-
BACKUP_CHANNEL_NAME: the name of the backup channel you want to view. For example,my-backup-channel-name. -
CLUSTER_PROJECT_ID: the alphanumeric name of your Google Cloud project where the cluster is located. For example,cluster-project-id. -
CLUSTER_LOCATION: the region where the cluster is located. For example,us-central1.
Console
To view details of a backup channel in the Google Cloud console, use the following instructions:
-
In the Google Cloud console of your cluster project, go to the Google Kubernetes Enginepage.
-
From the Resource Managementmenu, click Backup for GKE.
-
Click the Backup channelstab.
-
Use the project and region menu to filter the list of backup channels.
-
Click the name of the backup channel you want to view. A page with the details of that backup channel opens.
View the backup plans bound to a backup channel
To view the backup plans that are bound to a backup
channel, run the gcloud beta container backup-restore backup-plan-bindings list
command using Google Cloud CLI:
gcloud
beta
container
backup-restore
backup-plan-bindings
list
\
--backup-channel =
BACKUP_CHANNEL_NAME
\
--project =
CLUSTER_PROJECT_ID
\
--location =
CLUSTER_LOCATION
Replace the following:
-
BACKUP_CHANNEL_NAME: the name of the backup channel you want to view. For example,my-backup-channel-name. -
CLUSTER_PROJECT_ID: the alphanumeric name of your Google Cloud project where the cluster is located. For example,cluster-project-id. -
CLUSTER_LOCATION: the region where the cluster is located. For example,us-central1.
Manage backup channels
The following sections describe how to manage backup channels after you create them.
Update a backup channel
Use the following instructions to update a backup channel. Note that you can only modify the description of an existing backup channel. All other fields cannot be modified.
gcloud
To update the description of a backup channel, run the gcloud beta container backup-restore backup-channels update
command
using Google Cloud CLI:
gcloud
beta
container
backup-restore
backup-channels
update
BACKUP_CHANNEL_NAME
\
--project =
CLUSTER_PROJECT_ID
\
--location =
CLUSTER_LOCATION
\
--description =
DESCRIPTION
Replace the following:
-
BACKUP_CHANNEL_NAME: the name of the backup channel you want to update. For example,my-backup-channel-name. -
CLUSTER_PROJECT_ID: the alphanumeric name of your Google Cloud project where the cluster is located. For example,cluster-project-id. -
CLUSTER_LOCATION: the region where the cluster is located. For example,us-central1. -
DESCRIPTION: the description you want to update.
Console
To update a backup channel in the Google Cloud console, use the following instructions:
-
In the Google Cloud console of your cluster project, go to the Google Kubernetes Enginepage.
-
From the Resource Managementmenu, click Backup for GKE.
-
Click the Backup channelstab.
-
In the Backup channelspage, click the backup channel you want to update. Note that you can only update the description of an existing backup channel. All other fields cannot be modified.
The Backup Channel Detailspage appears.
-
Click Validate permissions.
-
In the Backup channel detailssections, click the Edit descriptionicon.
The Edit descriptiondialog displays.
-
In the Descriptionfield, enter the updated description, then click Save changes.
Delete a backup channel
You can only delete a backup channel if it does not contain any active backup plans. If active backup plans are bound to it, you must first deactivate or delete the backup plans before you can delete the backup channel.
gcloud
To delete a backup channel, run the gcloud beta container backup-restore backup-channels delete
command using
Google Cloud CLI:
gcloud
beta
container
backup-restore
backup-channels
delete
BACKUP_CHANNEL_NAME
\
--project =
CLUSTER_PROJECT_ID
\
--location =
CLUSTER_LOCATION
Replace the following:
-
BACKUP_CHANNEL_NAME: the name of the backup channel you want to delete. For example,my-backup-channel-name. -
CLUSTER_PROJECT_ID: the alphanumeric name of your Google Cloud project where the cluster is located. For example,cluster-project-id. -
CLUSTER_LOCATION: the region where the cluster is located. For example,us-central1.
Console
To delete a backup channel in the Google Cloud console, use the following instructions:
-
In the Google Cloud console of your cluster project, go to the Google Kubernetes Enginepage.
-
From the Resource Managementmenu, click Backup for GKE.
-
Click the Backup channelstab.
-
In the Backup channelspage, click the backup channel you want to delete.
-
Click Delete channel.
A dialog appears asking you to confirm that you want to delete the backup channel.
-
In the Backup channel namefield, enter the name of the backup channel to confirm delete.
-
Click Confirm.
What's next
-
Learn how to perform a cross-project restore .
-
Learn more about planning a set of restores .
