What is a Kubernetes application?



Ok, one of the biggest questions that comes up when starting to protect Kubernetes is:

  • What should I protect?
  • What is a Kubernetes application?

This quickly becomes:

  • What does Metallic (and Commvault) protect with Kubernetes?
  • What is a Kubernetes application when configuring Metallic?

 

Let's start with what we protect:

  • We protect Kubernetes stateful and stateless applications
  • We protect Persistent Volumes and Persistent Volume Claims
  • We protect all API resources related to the application (more on that later)

 

So did we leave anything out? Well, yes: there are some things we can't protect, and some things we don't protect (by default).

 

We can't protect:

 

We don't protect (but can protect if the customer applies a label selector)

 

But let's get to the more fun stuff... what do we protect?

 

Let's start in Commvault Command Center where we show our Kubernetes applications by:

  • Applications
  • Labels
  • Volumes

 

 

 

So we can see a bunch of folders in our list there - those are Kubernetes Namespaces.

 

If we open up a namespace - we can see the applications that Commvault has detected

 

 

Now what does Commvault consider an application?

 

Commvault will display the following Kubernetes API resources as 'applications' in Command Center:

 

Commvault will not display replicasets, jobs, operators, or Helm charts as applications.

 

Let's take a look at each one...

 

Deployments

 

If I take the following deployment example from the Kubernetes documentation:

https://kubernetes.io/docs/concepts/workloads/controllers/deployment/

 

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80

 

Now I deploy on my cluster

 

# kubectl create namespace examples
namespace/examples created

 

# kubectl apply -f deployment-example.yaml --namespace examples
deployment.apps/nginx-deployment created

 

Now let's have a look in our Command Center UI

 

 

Our nginx-deployment is running. This was the name of the application from our manifest file above.

 

Specifically, it is this line in the YAML manifest: the kind: Deployment line is the flag to Commvault that this is an ‘application’. If it has a persistent volume claim, we know it is a stateful application.

 

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment

 

Statefulset

 

Ok, so let's try a statefulset, first a definition from the Kubernetes docs at https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/

 

 

Statefulsets

Manages the deployment and scaling of a set of Pods and provides guarantees about the ordering and uniqueness of these Pods.

Like a Deployment, a StatefulSet manages Pods that are based on an identical container spec. Unlike a Deployment, a StatefulSet maintains a sticky identity for each of their Pods. These pods are created from the same spec, but are not interchangeable: each has a persistent identifier that it maintains across any rescheduling.

 

We will use the example here:

StatefulSets | Kubernetes 

 

apiVersion: v1
kind: Service
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  ports:
  - port: 80
    name: web
  clusterIP: None
  selector:
    app: nginx
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
spec:
  selector:
    matchLabels:
      app: nginx # has to match .spec.template.metadata.labels
  serviceName: "nginx"
  replicas: 3 # by default is 1
  template:
    metadata:
      labels:
        app: nginx # has to match .spec.selector.matchLabels
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: nginx
        image: k8s.gcr.io/nginx-slim:0.8
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html
  volumeClaimTemplates:
  - metadata:
      name: www
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "my-storage-class"
      resources:
        requests:
          storage: 1Gi

 

Let's deploy it on our cluster, into the examples namespace

 

# kubectl apply -f statefulset-example.yaml --namespace examples
service/nginx created
statefulset.apps/web created

 

Now, looking at our examples namespace in Command Center...

 

 

We can see we have a new application called web, which is our newly created statefulset - the "web" name can be found in the original manifest (see below for extract). It is the Kind: StatefulSet that flagged this as an application for Metallic/Commvault.

 

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
spec:
  selector:

 

DaemonSets

 

Our final application type is a daemonset

 

From the manual… https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/

 

DaemonSet ensures that all (or some) Nodes run a copy of a Pod. As nodes are added to the cluster, Pods are added to them. As nodes are removed from the cluster, those Pods are garbage collected. Deleting a DaemonSet will clean up the Pods it created.

Some typical uses of a DaemonSet are:

  • running a cluster storage daemon on every node
  • running a logs collection daemon on every node
  • running a node monitoring daemon on every node

 

Let's use the example from here:

DaemonSet | Kubernetes 

 

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluentd-elasticsearch
  namespace: kube-system
  labels:
    k8s-app: fluentd-logging
spec:
  selector:
    matchLabels:
      name: fluentd-elasticsearch
  template:
    metadata:
      labels:
        name: fluentd-elasticsearch
    spec:
      tolerations:
      # this toleration is to have the daemonset runnable on master nodes
      # remove it if your masters can't run pods
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      containers:
      - name: fluentd-elasticsearch
        image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 200Mi
        volumeMounts:
        - name: varlog
          mountPath: /var/log
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
          readOnly: true
      terminationGracePeriodSeconds: 30
      volumes:
      - name: varlog
        hostPath:
          path: /var/log
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers

 

Let's apply it to our cluster...

 

# kubectl apply -f daemonset-example.yaml --namespace examples
daemonset.apps/fluentd-elasticsearch created

 

Now if we take a look in Command Center

 

 

We can see we have a new fluentd-elasticsearch application (daemonset) running. It was the kind: DaemonSet that flagged this as an application that can be protected. Presence of a persistent volume (PV) is the other indicator that this is a ‘stateful’ app.

 

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluentd-elasticsearch
  namespace: kube-system

 

So that is the basic rundown of what an application is within Commvault Kubernetes backup...
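
The rule described above (the kind decides whether something is an application, a persistent volume claim decides whether it is stateful), written out as an added example that is not Commvault's code or part of the original post. It classifies a constructed kubectl get ... -o json list and assumes that only the three kinds walked through here count as applications; the db-migrate Job and the db-data claim are made-up names.

```python
import json

# Kinds this post walks through as 'applications' (assumption: only these three).
APP_KINDS = {"Deployment", "StatefulSet", "DaemonSet"}

def classify(obj):
    """Return 'stateful', 'stateless' or 'not-an-application' for one API object."""
    if obj.get("kind") not in APP_KINDS:
        return "not-an-application"
    spec = obj.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", {})
    # A pod volume backed by a PersistentVolumeClaim marks the app as stateful.
    uses_pvc = any("persistentVolumeClaim" in v for v in pod_spec.get("volumes", []))
    # StatefulSets create their claims from volumeClaimTemplates instead.
    has_templates = bool(spec.get("volumeClaimTemplates"))
    return "stateful" if uses_pvc or has_templates else "stateless"

def inventory(kubectl_json):
    """Map 'Kind/namespace/name' -> classification for a kubectl JSON List."""
    result = {}
    for obj in json.loads(kubectl_json).get("items", []):
        meta = obj["metadata"]
        key = f"{obj['kind']}/{meta.get('namespace', 'default')}/{meta['name']}"
        result[key] = classify(obj)
    return result

# Constructed sample, shaped like: kubectl get deploy,sts,ds,job -n examples -o json
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Deployment", "metadata": {"name": "nginx-deployment", "namespace": "examples"},
     "spec": {"template": {"spec": {"containers": [{"name": "nginx"}]}}}},
    {"kind": "StatefulSet", "metadata": {"name": "web", "namespace": "examples"},
     "spec": {"volumeClaimTemplates": [{"metadata": {"name": "www"}}],
              "template": {"spec": {"containers": [{"name": "nginx"}]}}}},
    {"kind": "DaemonSet", "metadata": {"name": "fluentd-elasticsearch", "namespace": "examples"},
     "spec": {"template": {"spec": {"volumes": [
         {"name": "varlog", "hostPath": {"path": "/var/log"}}]}}}},
    {"kind": "Job", "metadata": {"name": "db-migrate", "namespace": "examples"},
     "spec": {"template": {"spec": {"volumes": [
         {"name": "data", "persistentVolumeClaim": {"claimName": "db-data"}}]}}}},
]})

if __name__ == "__main__":
    for name, verdict in inventory(SAMPLE).items():
        print(f"{name:50} {verdict}")
```

Under this rule the hostPath-only DaemonSet comes out stateless, and the Job is not listed as an application even though it mounts a claim.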

 

But Commvault protects much more than just these applications....

 

We are protecting the persistent volumes attached to the applications.

We are protecting the API resources associated with the application

 

How do you see the API resources Commvault can protect? Run kubectl api-resources.

 

On my Kubernetes 1.21 vanilla cluster - these are api resources we protect.

 

# kubectl api-resources
NAME                              SHORTNAMES        APIVERSION                             NAMESPACED   KIND
bindings                                            v1                                     true         Binding
componentstatuses                 cs                v1                                     false        ComponentStatus
configmaps                        cm                v1                                     true         ConfigMap
endpoints                         ep                v1                                     true         Endpoints
events                            ev                v1                                     true         Event
limitranges                       limits            v1                                     true         LimitRange
namespaces                        ns                v1                                     false        Namespace
nodes                             no                v1                                     false        Node
persistentvolumeclaims            pvc               v1                                     true         PersistentVolumeClaim
persistentvolumes                 pv                v1                                     false        PersistentVolume
pods                              po                v1                                     true         Pod
podtemplates                                        v1                                     true         PodTemplate
replicationcontrollers            rc                v1                                     true         ReplicationController
resourcequotas                    quota             v1                                     true         ResourceQuota
secrets                                             v1                                     true         Secret
serviceaccounts                   sa                v1                                     true         ServiceAccount
services                          svc               v1                                     true         Service
mutatingwebhookconfigurations                       admissionregistration.k8s.io/v1        false        MutatingWebhookConfiguration
validatingwebhookconfigurations                     admissionregistration.k8s.io/v1        false        ValidatingWebhookConfiguration
customresourcedefinitions         crd,crds          apiextensions.k8s.io/v1                false        CustomResourceDefinition
apiservices                                         apiregistration.k8s.io/v1              false        APIService
controllerrevisions                                 apps/v1                                true         ControllerRevision
daemonsets                        ds                apps/v1                                true         DaemonSet
deployments                       deploy            apps/v1                                true         Deployment
replicasets                       rs                apps/v1                                true         ReplicaSet
statefulsets                      sts               apps/v1                                true         StatefulSet
tokenreviews                                        authentication.k8s.io/v1               false        TokenReview
localsubjectaccessreviews                           authorization.k8s.io/v1                true         LocalSubjectAccessReview
selfsubjectaccessreviews                            authorization.k8s.io/v1                false        SelfSubjectAccessReview
selfsubjectrulesreviews                             authorization.k8s.io/v1                false        SelfSubjectRulesReview
subjectaccessreviews                                authorization.k8s.io/v1                false        SubjectAccessReview
horizontalpodautoscalers          hpa               autoscaling/v1                         true         HorizontalPodAutoscaler
cronjobs                          cj                batch/v1                               true         CronJob
jobs                                                batch/v1                               true         Job
cephblockpools                                      ceph.rook.io/v1                        true         CephBlockPool
cephclients                                         ceph.rook.io/v1                        true         CephClient
cephclusters                                        ceph.rook.io/v1                        true         CephCluster
cephfilesystems                                     ceph.rook.io/v1                        true         CephFilesystem
cephnfses                         nfs               ceph.rook.io/v1                        true         CephNFS
cephobjectrealms                                    ceph.rook.io/v1                        true         CephObjectRealm
cephobjectstores                                    ceph.rook.io/v1                        true         CephObjectStore
cephobjectstoreusers              rcou,objectuser   ceph.rook.io/v1                        true         CephObjectStoreUser
cephobjectzonegroups                                ceph.rook.io/v1                        true         CephObjectZoneGroup
cephobjectzones                                     ceph.rook.io/v1                        true         CephObjectZone
cephrbdmirrors                                      ceph.rook.io/v1                        true         CephRBDMirror
certificatesigningrequests        csr               certificates.k8s.io/v1                 false        CertificateSigningRequest
leases                                              coordination.k8s.io/v1                 true         Lease
endpointslices                                      discovery.k8s.io/v1                    true         EndpointSlice
events                            ev                events.k8s.io/v1                       true         Event
ingresses                         ing               extensions/v1beta1                     true         Ingress
flowschemas                                         flowcontrol.apiserver.k8s.io/v1beta1   false        FlowSchema
prioritylevelconfigurations                         flowcontrol.apiserver.k8s.io/v1beta1   false        PriorityLevelConfiguration
ingressclasses                                      networking.k8s.io/v1                   false        IngressClass
ingresses                         ing               networking.k8s.io/v1                   true         Ingress
networkpolicies                   netpol            networking.k8s.io/v1                   true         NetworkPolicy
runtimeclasses                                      node.k8s.io/v1                         false        RuntimeClass
objectbucketclaims                obc,obcs          objectbucket.io/v1alpha1               true         ObjectBucketClaim
objectbuckets                     ob,obs            objectbucket.io/v1alpha1               false        ObjectBucket
poddisruptionbudgets              pdb               policy/v1                              true         PodDisruptionBudget
podsecuritypolicies               psp               policy/v1beta1                         false        PodSecurityPolicy
clusterrolebindings                                 rbac.authorization.k8s.io/v1           false        ClusterRoleBinding
clusterroles                                        rbac.authorization.k8s.io/v1           false        ClusterRole
rolebindings                                        rbac.authorization.k8s.io/v1           true         RoleBinding
roles                                               rbac.authorization.k8s.io/v1           true         Role
volumes                           rv                rook.io/v1alpha2                       true         Volume
priorityclasses                   pc                scheduling.k8s.io/v1                   false        PriorityClass
volumesnapshotclasses                               snapshot.storage.k8s.io/v1             false        VolumeSnapshotClass
volumesnapshotcontents                              snapshot.storage.k8s.io/v1             false        VolumeSnapshotContent
volumesnapshots                                     snapshot.storage.k8s.io/v1             true         VolumeSnapshot
csidrivers                                          storage.k8s.io/v1                      false        CSIDriver
csinodes                                            storage.k8s.io/v1                      false        CSINode
csistoragecapacities                                storage.k8s.io/v1beta1                 true         CSIStorageCapacity
storageclasses                    sc                storage.k8s.io/v1                      false        StorageClass
volumeattachments                                   storage.k8s.io/v1

 

