NetBackup™ Deployment Guide for Azure Kubernetes Services (AKS) Cluster
- Introduction to NetBackup on AKS
- Deployment with environment operators
- Assessing cluster configuration before deployment
- Deploying NetBackup
- Preparing the environment for NetBackup installation on AKS
- Recommendations of NetBackup deployment on AKS
- Limitations of NetBackup deployment on AKS
- About primary server CR and media server CR
- Monitoring the status of the CRs
- Updating the CRs
- Deleting the CRs
- Configuring NetBackup IT Analytics for NetBackup deployment
- Managing NetBackup deployment using VxUpdate
- Migrating the node pool for primary or media servers
- Deploying MSDP Scaleout
- Monitoring NetBackup
- Monitoring MSDP Scaleout
- Managing the Load Balancer service
- Performing catalog backup and recovery
- Managing MSDP Scaleout
- About MSDP Scaleout maintenance
- Uninstalling MSDP Scaleout from AKS
- Troubleshooting
- View the list of operator resources
- View the list of product resources
- View operator logs
- View primary logs
- Pod restart failure due to liveness probe time-out
- Socket connection failure
- Resolving an invalid license key issue
- Resolving an issue where external IP address is not assigned to a NetBackup server's load balancer services
- Resolving the issue where the NetBackup server pod is not scheduled for long time
- Resolving an issue where the Storage class does not exist
- Resolving an issue where the primary server or media server deployment does not proceed
- Resolving an issue of failed probes
- Resolving token issues
- Resolving an issue related to insufficient storage
- Resolving an issue related to invalid nodepool
- Resolving a token expiry issue
- Resolve an issue related to inconsistency in file ownership
- Resolve an issue related to KMS database
- Resolve an issue related to pulling an image from the container registry
- Resolving an issue related to recovery of data
- Check primary server status
- Pod status field shows as pending
- Ensure that the container is running the patched image
- Getting EEB information from an image, a running container, or persistent data
- Appendix A. CR template
User roles and permissions
Note the following for user authentication:
An Administrator must define the custom user credentials by creating a secret; and then provide the secret name at the time of primary server deployment.
A custom user is assigned the role of a NetBackup Security Administrator and can access the NetBackup Web UI after deployment.
A custom user will be persisted during the pods restart or upgrade.
For the custom user, you can change only the password after the deployment. The changed password will be persisted. If the username is changed after the deployment, an error message will be logged in the Operator pod.
You can delete the secret after the primary server deployment. In that case, if you want to deploy or scale the media servers, you must create a new secret with the same username which was used in the primary server CR. The password can be the same or different. If you change the password, it is also changed in the primary server pod, and gets persisted.
Do not create a local user in the pods (using the kubectl exec or useradd commands) as this user may or may not be persisted.
The Azure Active Directory user is supported through Single Sign-on (SSO). For the detailed user integration information, refer to the NetBackup Administrator's Guide Volume I.
An user is available in primary server container. This user is used as while creating data collector policy for data collection on NetBackup IT Analytics portal.
Service account that is used for this deployment is and it is defined in the
operator_deployment.yaml.NetBackup runs most of the primary server services and daemons as non-root user and only and are supported as a service account user.
ClusterRole named is set in the NetBackup Operator to define the cluster wide permissions to the resources. This is defined in the
operator_deployment.yaml.Appropriate roles and AKS specific permissions are set to the cluster at the time of cluster creation.
After successful deployment of the primary and media servers, the operator creates a custom Kubernetes role with name
<resourceNamePrefix>-adminwhereasresourceNamePrefixis given in primary server or media server CR specification.The following permissions are provided in the respective namespaces:
Resource name
API group
Allowed operations
ConfigMaps
default
Create
Delete
Get
List
Patch
Update
Watch
Nodes
default
Get
List
This role can be assigned to the NetBackup Administrator to view the pods that were created, and to execute into them. For more information on the access control, see Kubernetes Access Control Documentation.
Note:
One role would be created, only if primary and media servers are in same namespace with the same resource name prefix.
Your AKS cluster must have the RBAC enabled. To view the permissions set for the AKS cluster, use one of the following methods and verify if enbleRBAC is set to :
Run the following command:
az resource show -g <resource group name> -n <cluster name> --resource-type
Microsoft.ContainerService/ManagedClusters --query properties.enableRBAC
Run the az aks list command.
You can check the cluster's resource details at
resources.azure.comand verify if enableRBAC is set to .
NetBackup Operator deployment uses a serviceAccount and it must have the following permissions:
Table:
Resource Name | API Group | Allowed Operations |
|---|---|---|
ConfigMaps | default |
|
Nodes | default |
|
PersistentVolumeClaims | default |
|
Pods | default |
|
Pods/exec | default |
|
Secret | default |
|
Services | default |
|
StatefulSet | app |
|
Jobs | batch |
|
Primary servers | netbackup.veritas.com |
|
PrimaryServers/status | netbackup.veritas.com |
|
Media servers | netbackup.veritas.com |
|
MediaServers/status | netbackup.veritas.com |
|
Secrets | netbackup.veritas.com | Watch |
Secrets/status | netbackup.veritas.com |
|
Roles | rbac.authorization.k8s.io |
|
Storageclasses | storage.k8s.io |
|