Kubernetes has become the backbone of modern cloud-native infrastructure, but managing mission-critical workloads requires robust disaster recovery strategies. When running applications on Amazon Elastic Kubernetes Service (EKS), ensuring that your cluster’s resources—deployments, services, persistent volumes, and configurations—are reliably backed up is essential. A single misconfiguration, accidental deletion, or infrastructure failure could disrupt your entire environment.

Velero (formerly Heptio Ark) is an open-source tool designed to simplify backup, restore, and migration of Kubernetes resources. It integrates seamlessly with cloud providers like AWS, allowing you to:

  • Back up entire clusters or specific namespaces.
  • Restore lost resources in minutes.
  • Migrate workloads between clusters or regions.
  • Schedule automated backups for peace of mind.

    In this tutorial, you’ll learn how to set up Velero on an Amazon EKS cluster and configure backups to protect your applications and data. Let’s get started!

    Prerequisites

    Before you begin, ensure you have the following prerequisites:

  • An Amazon EKS cluster up and running.
  • The `kubectl` command-line tool installed on your local machine.
  • The `aws` command-line tool installed and configured with the necessary permissions.
  • Helm installed on your local machine.
  • The `velero` command-line tool installed on your local machine; every backup, schedule and restore command below uses it.
  • A valid AWS account with the required permissions to create IAM roles and policies.

    Create an S3 Bucket

    Create a single S3 bucket for backups (replace my-eks-backups-bucket with a globally unique name):

    REGION="us-west-2"
    BUCKET_NAME="my-eks-backups-bucket"

    aws s3api create-bucket \
      --bucket "$BUCKET_NAME" \
      --region "$REGION" \
      --create-bucket-configuration LocationConstraint="$REGION"

    # Enable versioning so an overwritten or deleted backup object can still be recovered
    aws s3api put-bucket-versioning \
      --bucket "$BUCKET_NAME" \
      --versioning-configuration Status=Enabled

    If REGION is us-east-1, omit the --create-bucket-configuration flag; that region rejects an explicit LocationConstraint. Versioning is not just a convenience: combined with the deliberately narrow IAM policy below, it means Velero's own credential cannot permanently destroy the backups it writes.

    Create an IAM Policy for Velero

    Create a policy file velero-policy.json with the following content:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeVolumes",
            "ec2:DescribeSnapshots",
            "ec2:CreateTags",
            "ec2:CreateVolume",
            "ec2:CreateSnapshot",
            "ec2:DeleteSnapshot"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:DeleteObject",
            "s3:PutObject",
            "s3:AbortMultipartUpload",
            "s3:ListMultipartUploadParts"
          ],
          "Resource": "arn:aws:s3:::$BUCKET_NAME/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket"
          ],
          "Resource": "arn:aws:s3:::$BUCKET_NAME"
        }
      ]
    }

    Replace $BUCKET_NAME with your bucket name (e.g., my-eks-backups-bucket) before creating the policy; IAM does not expand shell variables, and an unexpanded placeholder is a policy that grants Velero nothing usable. The object-level actions are scoped to the bucket's objects and s3:ListBucket to the bucket itself, which is the narrowest S3 grant Velero needs; s3:AbortMultipartUpload and s3:ListMultipartUploadParts let it clean up interrupted uploads of large backup archives. The EC2 snapshot actions need Resource "*" because volume and snapshot IDs are not known in advance. The policy deliberately omits s3:DeleteObjectVersion: on the versioned bucket created above, a delete by Velero's credential only adds a delete marker, so an administrator can still recover backups removed by mistake or by an attacker holding that credential.
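    An IAM mistake at this step is silent: an unexpanded $BUCKET_NAME grants nothing usable, and an over-broad resource grants far too much. The Python below renders the policy above for a given bucket and lints a policy document for exactly those mistakes. It is an added example for this tutorial, not Velero or AWS tooling; the action lists mirror the JSON above, while the bucket-name check, the lint rules and the finding messages are this example's own choices.

```python
"""Render Velero's IAM policy for one bucket and lint a policy for common mistakes.

Added example for this tutorial; not part of Velero or the AWS CLI. The action
lists mirror the policy JSON above; the lint rules and messages are assumptions.
"""
from __future__ import annotations

import json
import re

EC2_ACTIONS = [
    "ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ec2:CreateTags",
    "ec2:CreateVolume", "ec2:CreateSnapshot", "ec2:DeleteSnapshot",
]
S3_OBJECT_ACTIONS = [
    "s3:GetObject", "s3:DeleteObject", "s3:PutObject",
    "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts",
]

# S3 bucket names: 3-63 chars, lowercase letters, digits, dots and hyphens,
# starting and ending with a letter or digit. A "$BUCKET_NAME" placeholder fails this.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def render_velero_policy(bucket: str) -> dict:
    """Build the policy document with every S3 action scoped to a single bucket."""
    if not BUCKET_RE.match(bucket):
        raise ValueError(f"not a valid S3 bucket name: {bucket!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            # Snapshot/volume IDs are unknown ahead of time, so EC2 needs "*".
            {"Effect": "Allow", "Action": EC2_ACTIONS, "Resource": "*"},
            # Object actions apply to the objects, ListBucket to the bucket itself.
            {"Effect": "Allow", "Action": S3_OBJECT_ACTIONS,
             "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
        ],
    }


def _as_list(value) -> list:
    """IAM allows a bare string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list[str]:
    """Return human-readable findings for Allow statements; empty means clean."""
    findings: list[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for res in resources:
            if "$" in res:  # shell placeholder that was never substituted
                findings.append(f"statement {i}: unexpanded placeholder in resource {res!r}")
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions!r}")
        s3_actions = [a for a in actions if a.startswith("s3:")]
        if s3_actions and "*" in resources:
            findings.append(f"statement {i}: S3 actions {s3_actions!r} granted on every bucket")
        # ListBucket is evaluated against the bucket ARN; an object ARN ("/*") grants nothing.
        bare_bucket_arns = [r for r in resources if r.startswith("arn:aws:s3:::") and "/" not in r]
        if "s3:ListBucket" in actions and not bare_bucket_arns:
            findings.append(f"statement {i}: s3:ListBucket needs the bucket ARN, not an object ARN")
    return findings


if __name__ == "__main__":
    doc = render_velero_policy("my-eks-backups-bucket")
    print(json.dumps(doc, indent=2))
    print("findings:", lint_policy(doc) or "none")
```

    Run it once against the file you are about to pass to aws iam create-policy; a clean result is the policy you want, and the placeholder finding is the one that most often bites people copying the JSON above verbatim.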

    Attach the Policy to an IAM User

  • Create an IAM user (e.g., velero-user).
  • Attach the policy to the user.
  • Generate AWS access keys for the user.

    Long-lived access keys are the simplest option and what the rest of this tutorial uses, but they are a standing credential that must be rotated and protected. On EKS the preferred alternative is IAM Roles for Service Accounts (IRSA): attach the policy to an IAM role trusted by the cluster's OIDC provider, annotate Velero's service account with eks.amazonaws.com/role-arn, and set credentials.useSecret to false in the Helm values so that no key ever lives in a Kubernetes Secret.

    Deploy Velero with Helm

    Store AWS Credentials in Kubernetes Secrets

    The Velero Helm chart mounts this secret into the Velero pod and points the AWS SDK at a key named cloud, which must hold a standard AWS shared-credentials file rather than separate access-key literals. Create the velero namespace first, since the secret has to exist there before Helm installs the chart:

    printf '[default]\naws_access_key_id=%s\naws_secret_access_key=%s\n' \
      YOUR_ACCESS_KEY YOUR_SECRET_KEY > credentials-velero
    kubectl create namespace velero
    kubectl create secret generic aws-credentials -n velero \
      --from-file=cloud=./credentials-velero
    rm credentials-velero   # the key now lives only in the Secret; keep it out of shell history too

    Create Custom Values File

    Create a values.yaml file with the following content:

    configuration:
      backupStorageLocation:
        - name: default
          provider: aws
          bucket: my-eks-backups-bucket   # Replace with your bucket name
          config:
            region: us-west-2             # Replace with your region
      volumeSnapshotLocation:
        - name: default
          provider: aws
          config:
            region: us-west-2             # Must match the region of the EBS volumes

    credentials:
      useSecret: true
      existingSecret: aws-credentials     # The Secret created above; its "cloud" key holds the credentials file

    initContainers:
      - name: velero-plugin-for-aws
        image: velero/velero-plugin-for-aws:v1.7.0
        volumeMounts:
          - mountPath: /target
            name: plugins

    Replace my-eks-backups-bucket with your S3 bucket name and us-west-2 with your AWS region. This layout, with backupStorageLocation and volumeSnapshotLocation as lists and provider set on each entry, is what the 3.x and later releases of the vmware-tanzu/velero chart expect; older 2.x charts took a single configuration.provider key and a map per location, so if helm rejects these keys compare them against the values.yaml shipped with the chart version you pulled. Naming the location default lets every velero command use it without an explicit --storage-location. Keep the plugin image in step with your Velero release (each velero-plugin-for-aws minor version targets one Velero minor version; v1.7.x pairs with Velero 1.11) and pin it rather than using latest.

    Install Velero

    helm repo add vmware-tanzu https://vmware-tanzu.github.io/helm-charts
    helm repo update
    helm install velero vmware-tanzu/velero \
      --namespace velero \
      --create-namespace \
      -f values.yaml

    Verify Installation

    kubectl get pods -n velero
    # Output: velero-xxxxx 1/1 Running

    A running pod only proves the chart rendered; also confirm that Velero can reach the bucket. `velero backup-location get` should list the location with Phase Available. An Unavailable location usually means a wrong bucket name or region, an IAM policy that still contains the $BUCKET_NAME placeholder, or a credentials secret without the cloud key.

    Perform a Backup

    Create a backup of your EKS cluster:

    velero backup create eks-backup-$(date +%F)

    Without --include-namespaces or --exclude-namespaces this captures every namespace, including kube-system.

    Check Backup Status

    velero backup describe eks-backup-2025-02-02

    Check that Phase is Completed rather than PartiallyFailed or Failed, and that Errors is 0. Add --details to list every resource the backup captured.

    Schedule Automated Backups

    Create a daily backup schedule (excludes kube-system namespace):

    velero schedule create daily-backup \
      --schedule="@every 24h" \
      --exclude-namespaces kube-system

    Backups created by a schedule expire after Velero's default TTL of 30 days (720h); pass --ttl to change the retention. List schedules:

    velero schedule list

    Restore from Backup

    Restore the Entire Backup

    velero restore create --from-backup eks-backup-2025-02-02

    By default Velero does not overwrite resources that already exist in the cluster; it skips them and records a warning, so a restore into a live cluster only recreates what is missing. Pass --existing-resource-policy update if you want existing objects patched from the backup. Use velero restore get and velero restore describe <name> to check the restore phase and read its warnings.

    Verify Restoration

    kubectl get all --all-namespaces

    Cleanup

    Delete Backups

    velero backup delete eks-backup-2025-02-02

    Deleting a backup through Velero also removes its objects from S3 and its EBS snapshots; deleting the S3 objects directly instead leaves orphaned Backup resources in the cluster.

    Uninstall Velero

    helm uninstall velero -n velero
    kubectl delete ns velero

    Delete the S3 Bucket

    aws s3 rb s3://my-eks-backups-bucket --force

    Because versioning is enabled, --force removes only the current object versions; the bucket deletion fails until every noncurrent version and delete marker has been removed as well, for example with aws s3api delete-objects fed from list-object-versions, or by letting a lifecycle rule expire them first.

    Best Practices

    Follow these best practices to ensure your backups are reliable and secure:

    Enable Bucket Encryption:

    Use SSE-S3 or SSE-KMS to encrypt your S3 bucket. This matters more than it may seem: a Velero backup contains every Kubernetes Secret in the backed-up namespaces as plain (base64-encoded) JSON, so whoever can read the bucket can read the cluster's secrets. Treat the bucket as at least as sensitive as the cluster itself, keep Block Public Access enabled, and prefer SSE-KMS with a dedicated key when you want access to the backups to be auditable and revocable independently of the bucket policy. If you choose SSE-KMS, extend Velero's IAM policy with kms:GenerateDataKey and kms:Decrypt on that key, or uploads will fail.

    aws s3api put-bucket-encryption \
      --bucket "$BUCKET_NAME" \
      --server-side-encryption-configuration '{
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
      }'

    Back Up Persistent Volumes with File-System Backup:

    The volumeSnapshotLocation configured above covers EBS-backed volumes through native snapshots, but those snapshots stay in the same AWS account and region and do not cover other volume types. Velero's file-system backup (Kopia, or Restic in older releases) copies volume contents into the S3 bucket instead. It requires the node agent DaemonSet, enabled in the Helm values with deployNodeAgent: true (older chart versions call the key deployRestic), and is turned on per backup or schedule with --default-volumes-to-fs-backup (named --default-volumes-to-restic in Velero releases before 1.10).

    Monitor Backups:

    Check Velero logs:

    kubectl logs -n velero deployment/velero -f

    Also review velero backup get for any phase other than Completed, and scrape Velero's Prometheus metrics (for example velero_backup_failure_total and velero_backup_last_successful_timestamp) so that a schedule that quietly stops succeeding raises an alert instead of being discovered during an incident.
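    Logs are fine for debugging, but the check that belongs in a cron job or alerting pipeline is "did every schedule produce a Completed backup recently, and did any backup fail". The Python below implements that check over the JSON that velero backup get -o json prints. It is an added example for this tutorial, not part of Velero; the embedded BackupList is a constructed sample shaped like the Backup custom resource (metadata.labels["velero.io/schedule-name"], status.phase, status.errors, status.completionTimestamp), and the 24-hour freshness window is an assumption matching the daily schedule above.

```python
"""Flag failed or stale Velero backups from `velero backup get -o json` output.

Added example for this tutorial, not part of Velero. SAMPLE_BACKUP_LIST is a
constructed BackupList in the shape of the Backup CRD; the 24h window assumes
the daily schedule created earlier in the tutorial.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

SAMPLE_BACKUP_LIST = json.dumps({  # constructed sample, not real cluster output
    "kind": "BackupList",
    "items": [
        {"metadata": {"name": "daily-backup-20250201020000",
                      "labels": {"velero.io/schedule-name": "daily-backup"}},
         "status": {"phase": "Completed", "errors": 0, "warnings": 1,
                    "completionTimestamp": "2025-02-01T02:03:11Z"}},
        {"metadata": {"name": "daily-backup-20250202020000",
                      "labels": {"velero.io/schedule-name": "daily-backup"}},
         "status": {"phase": "PartiallyFailed", "errors": 3, "warnings": 0,
                    "completionTimestamp": "2025-02-02T02:04:40Z"}},
        {"metadata": {"name": "eks-backup-2025-02-02", "labels": {}},  # ad-hoc, no schedule
         "status": {"phase": "Completed", "errors": 0, "warnings": 0,
                    "completionTimestamp": "2025-02-02T09:15:00Z"}},
    ],
})

SCHEDULE_LABEL = "velero.io/schedule-name"  # set by Velero on every scheduled backup


def _parse_ts(value: str) -> datetime:
    """Parse the RFC 3339 'Z' timestamps Kubernetes emits into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def unhealthy_backups(backup_list_json: str) -> list[str]:
    """Names of backups whose phase is not Completed or that recorded errors.

    PartiallyFailed still produces an archive, which is exactly why it is easy
    to miss; treat it as unhealthy until someone has read the errors."""
    items = json.loads(backup_list_json)["items"]
    return [
        b["metadata"]["name"]
        for b in items
        if b.get("status", {}).get("phase") != "Completed"
        or b.get("status", {}).get("errors", 0) > 0
    ]


def stale_schedules(backup_list_json: str, now: datetime,
                    max_age: timedelta = timedelta(hours=24)) -> dict[str, float | None]:
    """Schedules without a fresh Completed backup.

    Maps schedule name to hours since its newest Completed backup, or None when
    the schedule has never completed at all (only failures seen)."""
    seen: set[str] = set()
    latest: dict[str, datetime] = {}
    for b in json.loads(backup_list_json)["items"]:
        schedule = b["metadata"].get("labels", {}).get(SCHEDULE_LABEL)
        if not schedule:
            continue  # ad-hoc backups are not expected to recur
        seen.add(schedule)
        status = b.get("status", {})
        if status.get("phase") == "Completed" and "completionTimestamp" in status:
            ts = _parse_ts(status["completionTimestamp"])
            latest[schedule] = max(latest.get(schedule, ts), ts)
    report: dict[str, float | None] = {}
    for schedule in sorted(seen):
        if schedule not in latest:
            report[schedule] = None
            continue
        age = now - latest[schedule]
        if age > max_age:
            report[schedule] = age.total_seconds() / 3600
    return report


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("unhealthy:", unhealthy_backups(SAMPLE_BACKUP_LIST))
    print("stale:", stale_schedules(SAMPLE_BACKUP_LIST, now))
```

    In the sample the most recent daily-backup run is PartiallyFailed, so the last Completed one is from the day before and the schedule is reported stale; that is the condition a dashboard showing "a backup ran last night" would hide. Feed the real output in with velero backup get -o json and wire a non-empty result to your alerting.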

    Test Restores:

    Regularly restore backups to a test cluster to ensure integrity. A backup that completes is not proof that it restores: verify that the expected resources come back, that pods reach Ready, and that application data is intact, and time the exercise so you know your real recovery time rather than a hoped-for one.
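    "Verify that the expected resources come back" is easiest to make routine as a diff between two kubectl inventories: one taken on the source cluster before the backup, one on the test cluster after the restore. The Python below does that diff, ignoring controller-managed objects whose generated names legitimately change (Pods, ReplicaSets) and comparing Secret and ConfigMap key sets rather than values so that the report itself never contains secret material. It is an added example for this tutorial, not Velero tooling; both inputs are constructed kubectl get ... -o json documents, and the set of ignored kinds and compared fields are this example's assumptions.

```python
"""Diff resource inventories from before a Velero backup and after its restore.

Added example for this tutorial; not part of Velero. SOURCE_JSON and RESTORED_JSON
are constructed `kubectl get deploy,svc,cm,secret,pods -n shop -o json` documents
(a v1 List of items). In practice, capture the first on the source cluster before
the backup and the second on the test cluster after `velero restore create`.
"""
from __future__ import annotations

import json
from typing import Dict, List, Tuple

Key = Tuple[str, str, str]  # (kind, namespace, name)

# Objects recreated by controllers after a restore get new generated names, so
# comparing them by name only produces noise.
CONTROLLER_MANAGED = frozenset({"Pod", "ReplicaSet", "Endpoints", "EndpointSlice"})


def _obj(kind: str, name: str, ns: str = "shop", **body) -> dict:
    """Build a minimal Kubernetes object for the constructed samples."""
    return {"kind": kind, "metadata": {"name": name, "namespace": ns}, **body}


SOURCE_JSON = json.dumps({"kind": "List", "apiVersion": "v1", "items": [  # constructed
    _obj("Deployment", "web", spec={"replicas": 3}),
    _obj("Service", "web", spec={"type": "ClusterIP"}),
    _obj("ConfigMap", "web-config", data={"a": "1", "b": "2"}),
    _obj("Secret", "web-tls", data={"tls.crt": "...", "tls.key": "..."}),
    _obj("Pod", "web-6d9f7-abc12"),
]})

RESTORED_JSON = json.dumps({"kind": "List", "apiVersion": "v1", "items": [  # constructed
    _obj("Deployment", "web", spec={"replicas": 3}),
    _obj("Service", "web", spec={"type": "ClusterIP"}),
    _obj("ConfigMap", "web-config", data={"a": "1"}),   # key "b" did not come back
    _obj("Pod", "web-6d9f7-xyz89"),                      # new pod name is expected
]})                                                      # Secret web-tls is missing


def inventory(kubectl_list_json: str) -> Dict[Key, dict]:
    """Index a kubectl List document by (kind, namespace, name)."""
    items = json.loads(kubectl_list_json)["items"]
    return {(i["kind"], i["metadata"].get("namespace", ""), i["metadata"]["name"]): i
            for i in items}


def compare_inventories(source_json: str, restored_json: str) -> Dict[str, list]:
    """Report resources missing after the restore, unexpected extras, and drift
    in the few fields a restore must preserve (replica counts, config/secret keys)."""
    src = {k: v for k, v in inventory(source_json).items() if k[0] not in CONTROLLER_MANAGED}
    dst = {k: v for k, v in inventory(restored_json).items() if k[0] not in CONTROLLER_MANAGED}
    drift: List[tuple] = []
    for key in sorted(set(src) & set(dst)):
        kind = key[0]
        if kind in ("Deployment", "StatefulSet"):
            want = src[key]["spec"].get("replicas", 1)
            got = dst[key]["spec"].get("replicas", 1)
            if want != got:
                drift.append((key, "replicas", want, got))
        elif kind in ("ConfigMap", "Secret"):
            # Compare key names only: secret values must never land in a report.
            want = sorted(src[key].get("data", {}))
            got = sorted(dst[key].get("data", {}))
            if want != got:
                drift.append((key, "data keys", want, got))
    return {
        "missing": sorted(k for k in src if k not in dst),
        "extra": sorted(k for k in dst if k not in src),
        "drift": drift,
    }


if __name__ == "__main__":
    print(json.dumps(compare_inventories(SOURCE_JSON, RESTORED_JSON), indent=2, default=list))
```

    A clean report (empty missing, extra and drift) is the minimum bar for a restore test; a missing Secret, as in the sample, is the kind of gap that a green velero restore describe would not make obvious because the restore of everything else succeeded.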

    Conclusion

    In this tutorial, you learned how to set up Velero on an Amazon EKS cluster to back up and restore your Kubernetes resources. By following best practices and automating backups, you can protect your applications and data from accidental deletions, misconfigurations, and infrastructure failures. Velero simplifies disaster recovery and ensures your cluster is resilient to unforeseen events. For more information, refer to the Velero documentation.

    Happy Coding